WG300 A22 - Web server system files must conform to minimum file permission requirements - apache

Information

This check verifies that the key web server system configuration files are owned by the SA or the web administrator-controlled account. These same files, which control the configuration of the web server and thus its behavior, must also be accessible by the account that runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Solution

Use the chmod command to set permissions on the web server system directories and files as follows.

Directory           Owner  Group     Permissions
apache (root dir)   root   WebAdmin  771/660
/apache/cgi-bin     root   WebAdmin  775/775
/apache/bin         root   WebAdmin  550/550
/apache/config      root   WebAdmin  770/660
/apache/htdocs      root   WebAdmin  775/664
/apache/logs        root   WebAdmin  750/640
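
To verify the result after running chmod, the following added example (not part of the STIG or the audit plugin) checks a server root against the owner, group and mode values listed above. It assumes each pair is directory mode/file mode, treats the modes as upper limits, and assumes GNU find and stat; the function names are hypothetical.

```shell
# Added example: audit an Apache server root (assumes GNU find and stat).

# Rows from the list above: relative path, directory mode, file mode.
RULES='. 771 660
cgi-bin 775 775
bin 550 550
config 770 660
htdocs 775 664
logs 750 640'
OWNER=${OWNER:-root}       # owner column
GROUP=${GROUP:-WebAdmin}   # group column
FMT='%F|%a|%U|%G|%n'       # type|octal mode|owner|group|path

# True when MODE grants any permission bit that LIMIT does not.
exceeds() { [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]; }

# Root row: the directory itself and files directly in it. Other rows: whole subtree.
list_entries() {
    if [ "$2" = "." ]; then
        find "$1" -maxdepth 1 \( -type f -o -samefile "$1" \) -exec stat -c "$FMT" {} +
    else
        find "$1/$2" \( -type d -o -type f \) -exec stat -c "$FMT" {} +
    fi
}

# scan ROOT CHECK_OWNER: print one finding per line.
scan() {
    printf '%s\n' "$RULES" | while read -r rel dmode fmode; do
        [ -d "$1/$rel" ] || continue
        list_entries "$1" "$rel" | while IFS='|' read -r type mode owner group name; do
            limit=$fmode
            if [ "$type" = directory ]; then limit=$dmode; fi
            if exceeds "$mode" "$limit"; then
                echo "MODE $name is $mode, limit $limit"
            fi
            if [ "$2" = 1 ] && [ "$owner:$group" != "$OWNER:$GROUP" ]; then
                echo "OWNER $name is $owner:$group, expected $OWNER:$GROUP"
            fi
        done
    done
}

# audit_apache_perms ROOT [CHECK_OWNER=1]: returns 1 if there are findings.
audit_apache_perms() {
    findings=$(scan "$1" "${2:-1}")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Call it as `audit_apache_perms /apache` from an account that can read the whole tree; pass `0` as the second argument to skip the owner and group comparison.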

See Also

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_UNIX_V1R11_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, Rule-ID|SV-32938r2_rule, STIG-ID|WG300_A22, Vuln-ID|V-2259

Plugin: Unix

Control ID: 3d4a4fc87a06a2b97aff1d578f3c5b78cef482d34b7e476e171e5bc5245103c6