3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Group permissions on Apache directories should generally be r-x and file permissions should be similar except not executable if executable is not appropriate. This applies to all of the Apache software directories and files installed with the possible exception of the web document root $DOCROOT defined by Apache DocumentRoot and defaults to $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.

Rationale:

Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access, or to attack web clients.

Solution

Perform the following to remove group write access on the $APACHE_PREFIX directories.

# chmod -R g-w $APACHE_PREFIX

See Also

https://workbench.cisecurity.org/files/3021