Run httpd in a chroot Jail if Practical
An XCCDF Group
Description
Running httpd
inside a chroot
jail is designed to isolate the
web server process to a small section of the filesystem, limiting the damage if
it is compromised. Versions of Apache greater than 2.2.10 (such as the one
included with Ubuntu 20.04) provide the ChrootDir
directive. To run Apache
inside a chroot jail in /chroot/apache
, add the following line to
/etc/httpd/conf/httpd.conf
:
ChrootDir /chroot/apacheThis necessitates placing all files required by
httpd
inside
/chroot/apache
, including httpd
's binaries, modules,
configuration files, and served web pages. The details of this configuration
are beyond the scope of this guide. This may also require additional SELinux
configuration.
- ID
- xccdf_org.ssgproject.content_group_httpd_chroot
- Child Items
- Updated