PCI DSS company want apache updated


I’m doing the usual tidying up for a securitymetrics PCI DSS security scan. The final issues is with Apache.

I know that the fixes are backported to 2.2.3-63.1 but they are telling me that httpd-2.2.3-65.el5_8.3.src.rpm is available and has to be installed to be compliant.

I’m fine with installing it but since this isn’t a virtualmin rpm I was wondering how much it would break if I installed it? Is there any config files I’d need to backup and restore after etc?



It shouldn’t cause any problems to update to that… though I’ll talk to Joe to make sure the Virtualmin repo’s have the latest Apache version in it.


Thanks. Reading my post again I didn’t mention I was using Centos 5.8.

Hmm. Build the src rpm and installed - it appeared to go ok. Couldn’t view any websites though. Checked the logs and there was a suexec error “command not in docroot”.

I reinstalled the original virtualmin RPMs through yum and everything is works again (apart from PCI DSS compliance obviouslly).

A quick search shows that the docroot is changed in the virtualmin rpms - is there anyway to do this on the src rpm I downloaded and build from http://vault.centos.org/5.8/updates/SRPMS/ ?


My apologies, I keep forgetting that the Apache in CentOS is different than the one included in Ubuntu/Debian.

With Ubuntu/Debian, the suexec settings are independent of the Apache package.

With CentOS, the “suexec” binary would need to be compiled to use “/home” as it’s base, rather than “/var/www”.

However, since this should all be temporary (until Joe updates the CentOS package), you should be able to replace the file “/usr/sbin/suexec” with the one included in the Virtualmin package.

You’d want to make sure the permissions look like this:

$ ls -l /usr/sbin/suexec -r-s--x---. 1 root apache 13984 May 16 2012 /usr/sbin/suexec

What I always do for PCI compliance tests is reconfigure Apache to not give out its version number, this fixes that problem. Its also good in general for security purposes. No functionality is lost by making these changes, and they won’t get overwritten in future updates.


ServerTokens ProductOnly
ServerSignature Off

And to cloak PHP

/etc/php.ini & /home/*/etc/php.ini

expose_php = Off