3.7 Ensure the Core Dump Directory Is Secured

Information

The CoreDumpDirectory directive is used to specify the directory Apache attempts to switch to before creating the core dump. Core dumps will be disabled if the directory is not writable by the Apache user. Also, core dumps will be disabled if the server is started as root and switches to a non-root user, as is typical. It is recommended that the CoreDumpDirectory directive be set to a directory that is owned by the root user, owned by the group the Apache HTTPD process executes as, and be inaccessible to other users.

Rationale:

Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.

Solution

Either remove the CoreDumpDirectory directive from the Apache configuration files or ensure that the configured directory meets the following requirements.


CoreDumpDirectory is not to be within the Apache web document root ($APACHE_PREFIX/htdocs)

Must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)

# chown root:apache /var/log/httpd

Must have no read-write-search access permission for other users.

# chmod o-rwx /var/log/httpd

Default Value:

The default core dump directory is the ServerRoot directory.

See Also

https://workbench.cisecurity.org/files/4548