Headline | Applies chroot to your HP Web Services Apache Server. |
Default | N |
Description | The HP Web Services versions of the Apache web server for |
| free for download at www.hp.com/go/softwaredepot. A chroot script is built |
| into the distribution. This script makes a copy of Apache and related binaries |
| and libraries and places them inside of a chroot jail. This allows Apache to |
| run with limited file system access. If you are not currently running the Apache |
| web server, answer no to this question. The Apache server, httpd, is given |
| access to several compilers and system libraries so it can process cgi's, login |
| attempts, and so forth. One way to lessen the risk presented by this special |
| status is to lock the daemon (httpd) into a "chroot jail." In this case, the daemon |
| has access to only a small segment of the file system, a directory created |
| specifically for the purpose of giving the daemon access to only the files it |
| needs. The adjective "chroot'ed" is derived from "change root", since |
| Bastille sets the daemon's root directory ( / ) to some child node in the directory |
| tree. A root process can break out of a chroot jail, but this is still an effective |
| deterrent since |
| within the jail. If a security vulnerability is found in one of the files that has |
| been placed inside of the "chroot jail", that file must be manually patched by |
| copying the fixed file(s) into the jail. This chroot script was written to provide |
| for a fully functional web server inside of a chroot'ed environment. For |
| additional security, remove unneeded libraries and compilers that are not |
| used by your Apache server. |
|
|
| IMPORTANT: Manual action is required to complete this configuration. See |
| the TODO.txt file for details. |
|
|
Actions | Makes a copy of Apache and related binaries and libraries and places them |
| inside of a chroot jail. |
| Apache.deactivate_hpws_apache | |
Headline | Deactivate the HP Web Services Apache Web Server. |
Default | Y |
Description | If you do not plan to use this system as a web server, HP recommends that |
| you deactivate your Apache web server. Programs that require an Apache |
| server installation but do not bind to port 80 can still start their own instances |
| of the web server. If you do not plan to use your Apache server immediately, |
| then you should deactivate it until needed. This item does not turn off copies |
| of Apache or other web servers if they are supplied with individual products, |
| nor does it disable APACHE_SSL. |
Actions | Stop the Apache server if it is running. Set HPWS_APACHE_START=0 in the |
| /etc/rc.config.d/hpws_apacheconf file. |
| DNS.chrootbind | |
Headline | Names and sets chroot to run as a |
Default | N |
Description | The name server "named" usually runs with privileged access. This allows |
| "named" to function correctly, but increases the security risk if any |
| vulnerabilities are found. Decrease this risk by running "named" as a |
40 Question modules