
V-2259

CAT II (Medium)

Web server system files must conform to minimum file permission requirements.

Rule ID

SV-32938r2_rule

STIG

APACHE 2.2 Server for UNIX Security Technical Implementation Guide

Version

V1R11

CCIs

None

Discussion

This check verifies that the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account that runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.

Check Content

Apache directory and file permissions and ownership should be set per the following table. The installation directories may vary from one installation to the next. If used, the WebAdmin group should contain only accounts of persons authorized to manage the web server configuration; otherwise the root group should own all Apache files and directories.

Note: This check also applies to any other directory where CGI scripts are located. There may be additional directories based on the local implementation, and permissions should apply to directories of similar content. For example, all web content directories should follow the permissions for /htdocs.

If the files and directories are not set to the following permissions or more restrictive, this is a finding.

To locate the ServerRoot directory, enter the following command:
grep ^ServerRoot /usr/local/apache2/conf/httpd.conf

Directory                    Owner   Group      Permissions
/apache (server root dir)    root    WebAdmin   771/660
/apache/cgi-bin              root    WebAdmin   775/775
/apache/bin                  root    WebAdmin   550/550
/apache/config               root    WebAdmin   770/660
/apache/htdocs               root    WebAdmin   775/664
/apache/logs                 root    WebAdmin   750/640

NOTE: The permissions are noted as directories / files.
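
One way to script this check, as an added example that is not part of the STIG text: it walks each directory in the table and reports any path whose mode grants a bit beyond the listed value or whose owner or group differs. The function names (mode_ok, audit_tree, audit_apache) are hypothetical, GNU find and stat are assumed, and the subdirectory names follow the table and may need adjusting to the local layout.

```shell
#!/bin/sh
# Added example: audit the V-2259 permission table. Assumes GNU find and stat.

# mode_ok ACTUAL MAX: true when ACTUAL sets no bit that MAX lacks (including
# setuid/setgid/sticky), i.e. ACTUAL is the listed mode or more restrictive.
mode_ok() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# audit_tree DIR OWNER GROUP DIRMAX FILEMAX [extra find tests]
# Prints one FINDING line per violation; returns non-zero if any was printed.
# Paths containing newlines are not handled.
audit_tree() {
    dir=$1 owner=$2 group=$3 dmax=$4 fmax=$5
    shift 5
    [ -d "$dir" ] || { echo "NOT FOUND $dir"; return 2; }
    find "$dir" "$@" \( -type d -o -type f \) \
        -exec stat -c '%F|%a|%U|%G|%n' {} + |
    {
        rc=0
        while IFS='|' read -r type mode u g path; do
            [ "$type" = directory ] && max=$dmax || max=$fmax
            mode_ok "$mode" "$max" ||
                { echo "FINDING $path mode $mode exceeds $max"; rc=1; }
            [ "$u:$g" = "$owner:$group" ] ||
                { echo "FINDING $path owner $u:$g, expected $owner:$group"; rc=1; }
        done
        [ "$rc" -eq 0 ]
    }
}

# audit_apache SERVERROOT OWNER GROUP: one audit_tree call per table row.
# The ServerRoot row covers the directory itself and files directly in it.
audit_apache() {
    sroot=$1 want_o=$2 want_g=$3 status=0
    audit_tree "$sroot" "$want_o" "$want_g" 771 660 \
        -maxdepth 1 \( -type f -o -path "$sroot" \) || status=1
    while read -r sub d f; do
        audit_tree "$sroot/$sub" "$want_o" "$want_g" "$d" "$f" || status=1
    done <<EOF
cgi-bin 775 775
bin 550 550
config 770 660
htdocs 775 664
logs 750 640
EOF
    return $status
}
```

Run it as `audit_apache <ServerRoot> root WebAdmin`, using the ServerRoot value returned by the grep command above; a non-zero exit status means at least one finding or a missing directory.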

Fix Text

Use the chmod command to set permissions on the web server system directories and files as follows.

Directory                    Owner   Group      Permissions
/apache (server root dir)    root    WebAdmin   771/660
/apache/cgi-bin              root    WebAdmin   775/775
/apache/bin                  root    WebAdmin   550/550
/apache/config               root    WebAdmin   770/660
/apache/htdocs               root    WebAdmin   775/664
/apache/logs                 root    WebAdmin   750/640