Set Permissions on All Configuration Files Inside /etc/httpd/conf/

An XCCDF Rule

Description

To properly set the permissions of /etc/http/conf/*, run the command:

$ sudo chmod 0640 /etc/http/conf/*

Rationale

Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

ID: xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files
Severity: Unknown
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

AC-6(1) CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3
Updated: about 1 year ago






find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;

- name: Find /etc/httpd/conf/ file(s)
  command: find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f
    -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false  check_mode: false
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - file_permissions_httpd_server_conf_files
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - unknown_severity

- name: Set permissions for /etc/httpd/conf/ file(s)
  file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - file_permissions_httpd_server_conf_files
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - unknown_severity

Set Permissions on All Configuration Files Inside /etc/httpd/conf/

Description

Rationale

Remediation - Shell Script

Remediation - Ansible