3.10 Ensure the ScoreBoard File Is Secured

Information

The ScoreBoardFile directive sets a file path which the server will use for inter-process communication (IPC) among the Apache processes. On most Linux platforms, shared memory will be used instead of a file in the file system, so this directive is not generally needed and does not need to be specified. However, if the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore, if it is specified, it needs to be located in a secure directory.

Rationale:

If the ScoreBoardFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and users could monitor and disrupt the communication between the processes by reading and writing to the file.

Solution

Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, no changes are required.

If the directive is present, find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.

Modify the directory if the ScoreBoardFile is in a directory within the Apache DocumentRoot

Change the ownership and group to be root:root, if not already.

Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root),

Check that the scoreboard file directory is on a locally mounted hard drive rather than an NFS mounted file system.

Default Value:

The default scoreboard file is logs/apache_status.

See Also

https://workbench.cisecurity.org/files/4548