3.8 Ensure the Lock File Is Secured - 'LockFile directory'

Information

The 'LockFile' directive sets the path to the lock file that Apache creates when it uses the 'fcntl(2)' or 'flock(2)' system calls to implement the accept mutex. Most Linux builds default to SysV semaphores instead, so the directive may not be in effect; check the 'AcceptMutex' setting or the compiled-in default before assuming it is unused. If a lock file is used, it must live in a locally mounted directory that is not writable by other users. Note that Apache 2.4 removed 'LockFile' and 'AcceptMutex' in favour of the 'Mutex' directive (for example 'Mutex file:/var/lock/apache2 default'); the same directory requirements apply to its file-based mutexes.

Rationale:

If the 'LockFile' is placed in a directory writable by other accounts, any of those accounts can pre-create a file (or symlink) with the same name. Apache then either fails to create or lock the file and refuses to start, or follows the attacker's link, which is a trivial local denial of service against the server. Because lock files are also created by the parent process while it still runs as root, a symlink planted there could point root's file operations at an arbitrary path.

Solution

Perform these steps to properly secure the lock file:
1. Find the directory in which the 'LockFile' would be created. The default value is 'logs/accept.lock', relative to 'ServerRoot', so the default directory is 'ServerRoot/logs'.
2. Set the 'LockFile' directive so the file is not within the Apache 'DocumentRoot' and is on a locally mounted file system rather than an NFS mount ('fcntl' and 'flock' locks are unreliable over NFS).
3. Change the ownership and group of the directory to 'root:root'.
4. Change the permissions on the directory so it is writable only by root, or by the account under which Apache initially starts (root by default); in particular it must not be writable by the unprivileged worker account (such as 'apache' or 'www-data') or by group or world.
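The following audit script is an added example and is not part of the benchmark or of Apache; it implements the four steps above as checks. It assumes a Linux host with GNU coreutils ('stat -c' and 'stat -f'), an Apache 2.2-style 'httpd.conf' with a single-token 'LockFile' value, and that the caller supplies 'ServerRoot' (and optionally 'DocumentRoot' and the account allowed to own the directory) as arguments; all paths used here are placeholders.

```shell
#!/bin/sh
# Audit helper for "LockFile directory" (added example, not benchmark code).
# Assumes GNU coreutils on Linux; 'stat -c' / 'stat -f' are not portable.

# Print the directory that would hold the lock file.
# $1 = path to httpd.conf, $2 = ServerRoot used to resolve relative paths
lockfile_dir() {
    conf=$1; root=$2
    # Last uncommented LockFile directive wins; surrounding quotes are dropped.
    lf=$(grep -i '^[[:space:]]*LockFile[[:space:]]' "$conf" | tail -n 1 \
         | awk '{print $2}' | tr -d '"')
    [ -n "$lf" ] || lf=logs/accept.lock     # Apache's compiled-in default
    case $lf in
        /*) ;;                              # already absolute
        *)  lf=$root/$lf ;;                 # relative to ServerRoot
    esac
    dirname "$lf"
}

# Return 0 (true) if the directory is writable by group or others.
dir_group_or_world_writable() {
    perms=$(stat -c '%A' "$1")              # e.g. drwxrwxr-x
    g=$(printf '%s' "$perms" | cut -c6)     # group write bit
    o=$(printf '%s' "$perms" | cut -c9)     # other write bit
    [ "$g" = w ] || [ "$o" = w ]
}

# Run the benchmark's checks and print one line per finding.
# $1 = httpd.conf, $2 = ServerRoot, $3 = allowed owner (default root),
# $4 = DocumentRoot (optional). Returns 0 on PASS, 1 on any FAIL.
check_lockfile_dir() {
    dir=$(lockfile_dir "$1" "$2"); owner=${3:-root}; docroot=${4%/}; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"; return 1
    fi
    # Step 2a: must be a local file system, not NFS.
    case $(stat -f -c '%T' "$dir") in
        nfs*) echo "FAIL: $dir is on NFS; flock/fcntl locks are unreliable there"; rc=1 ;;
    esac
    # Step 2b: must not sit inside DocumentRoot.
    if [ -n "$docroot" ]; then
        case $dir/ in
            "$docroot"/*) echo "FAIL: $dir is inside DocumentRoot $docroot"; rc=1 ;;
        esac
    fi
    # Step 3: owned by root (or the account Apache starts as).
    actual=$(stat -c '%U' "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $dir owned by $actual, expected $owner"; rc=1
    fi
    # Step 4: not writable by group or world.
    if dir_group_or_world_writable "$dir"; then
        echo "FAIL: $dir (mode $(stat -c '%a' "$dir")) is group- or world-writable"; rc=1
    fi
    [ $rc -eq 0 ] && echo "PASS: $dir is local, outside DocumentRoot, owned by $owner and not group/world-writable"
    return $rc
}

# Stand-alone use: sh lockfile_audit.sh /etc/httpd/conf/httpd.conf /etc/httpd root /var/www/html
if [ $# -ge 2 ]; then
    check_lockfile_dir "$@"
fi
```

A failing result is remediated with the steps above, for example 'LockFile /var/lock/apache2/accept.lock' in 'httpd.conf' followed by 'chown root:root /var/lock/apache2' and 'chmod 755 /var/lock/apache2' (paths are placeholders); re-run the script afterwards to confirm a PASS.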

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|18, CSCv7|14.6

Plugin: Unix

Control ID: bdd3381b68a85e6df0eeb41125c9b722e26584dfaf5da9f64662c4bfb0043500