Title

The ScoreBoard file must be properly secured. (Cat II impact)

Discussion

The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore if it is specified it needs to be located in a secure directory. If the ScoreBoard file is placed in openly writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and or users could monitor and disrupt the communication between the processes by reading and writing to the file.

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: ScoreBoardFile If the ScoreBoardFile directive is found uncommented note the directory specified in the directive statement that holds the Scoreboard file. If the ScoreBoardFile directive is not found enabled in the conf file use \logs as the directory containing the Scoreboard file. If any users other than administrator or the account used to run the web server has permission to the scoreboard file directory, this is a finding. If the ScoreBoard file is located in the web server document root this is finding.

Fix Text

Modify the location and/or permissions for the ScoreBoard file and/or folder.

Additional Identifiers

Rule ID: SV-33178r2_rule

Vulnerability ID: V-26322

Group Title: WA00535

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.