HP UX Bastille User Manual page 40

Version b.3.3
Question modules

Apache.chrootapache
Headline: Applies chroot to your HP Web Services Apache Server.
Default: N
Description: The HP Web Services version of the Apache web server for HP-UX is
available free for download at www.hp.com/go/softwaredepot. A chroot script is
built into the distribution. This script makes a copy of Apache and related
binaries and libraries and places them inside of a chroot jail. This allows
Apache to run with limited file system access. If you are not currently running
the Apache web server, answer no to this question. The Apache server, httpd, is
given access to several compilers and system libraries so it can process CGIs,
login attempts, and so forth. One way to lessen the risk presented by this
special status is to lock the daemon (httpd) into a "chroot jail." In this case,
the daemon has access to only a small segment of the file system, a directory
created specifically for the purpose of giving the daemon access to only the
files it needs. The adjective "chroot'ed" is derived from "change root", since
HP-UX Bastille sets the daemon's root directory (/) to some child node in the
directory tree. A root process can break out of a chroot jail, but this is
still an effective deterrent, since HP-UX Bastille limits the number of common
root attack vectors within the jail. If a security vulnerability is found in
one of the files that has been placed inside of the "chroot jail", that file
must be manually patched by copying the fixed file(s) into the jail. This
chroot script was written to provide for a fully functional web server inside
of a chroot'ed environment. For additional security, remove unneeded libraries
and compilers that are not used by your Apache server.
IMPORTANT: Manual action is required to complete this configuration. See the
TODO.txt file for details.
Actions: Makes a copy of Apache and related binaries and libraries and places
them inside of a chroot jail.

Apache.deactivate_hpws_apache
Headline: Deactivate the HP Web Services Apache Web Server.
Default: Y
Description: If you do not plan to use this system as a web server, HP
recommends that you deactivate your Apache web server. Programs that require an
Apache server installation but do not bind to port 80 can still start their own
instances of the web server. If you do not plan to use your Apache server
immediately, then you should deactivate it until needed. This item does not
turn off copies of Apache or other web servers if they are supplied with
individual products, nor does it disable APACHE_SSL.
Actions: Stop the Apache server if it is running. Set HPWS_APACHE_START=0 in
the /etc/rc.config.d/hpws_apacheconf file.
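Two checks that follow from the Apache.chrootapache and Apache.deactivate_hpws_apache entries, written here as an added example (not part of this manual or of HP-UX Bastille): the first finds jailed copies of files that no longer match the host copy after patching, the second verifies the HPWS_APACHE_START setting. It assumes the jail mirrors absolute host paths (JAIL/usr/lib/libc.2 is the jailed copy of /usr/lib/libc.2); the file names in the comments are illustrative only.

```shell
#!/bin/sh
# Added example, not from the HP-UX Bastille manual or from Bastille itself.
# Assumption: the jail mirrors absolute host paths, so JAIL/usr/lib/libc.2
# is the jailed copy of /usr/lib/libc.2 (file names here are illustrative).

# audit_jail JAIL [HOSTROOT]
# The manual notes that a file copied into the chroot jail is not updated when
# the system copy is patched.  This prints one "<status> <path>" line for each
# regular file under JAIL whose counterpart under HOSTROOT (default: /) is
# missing or differs, and returns 1 if any were found, 0 if the jail matches.
audit_jail() {
    jail=${1%/}
    hostroot=${2:-/}
    hostroot=${hostroot%/}
    # The while loop runs in a subshell because it reads from a pipe, so
    # collect its output in a variable rather than counting in the loop.
    problems=$(find "$jail" -type f 2>/dev/null | while IFS= read -r jailfile; do
        rel=${jailfile#"$jail"}          # e.g. /usr/lib/libc.2
        hostfile="$hostroot$rel"
        if [ ! -f "$hostfile" ]; then
            printf 'missing-on-host %s\n' "$rel"
        elif ! cmp -s "$jailfile" "$hostfile"; then
            printf 'differs %s\n' "$rel"
        fi
    done)
    [ -n "$problems" ] || return 0
    printf '%s\n' "$problems"
    return 1
}

# hpws_apache_disabled [CONFFILE]
# Checks the setting the Apache.deactivate_hpws_apache action writes:
# HPWS_APACHE_START=0 in /etc/rc.config.d/hpws_apacheconf.  Uses the last
# assignment in the file, ignoring surrounding quotes and trailing comments.
# Returns 0 when the server is configured not to start, 1 otherwise.
hpws_apache_disabled() {
    conf=${1:-/etc/rc.config.d/hpws_apacheconf}
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*HPWS_APACHE_START=//p' "$conf" \
          | tail -n 1 | sed 's/#.*//' | tr -d ' \t"'"'")
    [ "$val" = "0" ]
}
```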
DNS.chrootbind
Headline: Applies chroot to named and sets it to run as a non-root user.
Default: N
Description: The name server "named" usually runs with privileged access. This
allows "named" to function correctly, but increases the security risk if any
vulnerabilities are found. Decrease this risk by running "named" as a
non-privileged user and by putting its files in a restricted file system called
a chroot jail. If a security vulnerability is found in one of the files that
has been placed inside of the chroot jail, that file must be manually patched by
copying the fixed file(s) into the jail. For security reasons, restrict every
process which