Adobe 38043740 Lockdown Guide - Page 52

Create a virtual mapping for /CFIDE/scripts, 2.6 Update Java Virtual Machine


We must also apply the proper SELinux context to the files that mod_jk writes to:

    chcon --reference=/var/log/httpd/access_log /opt/coldfusion10/config/wsconfig/1/mod_jk.log
    chcon --reference=/var/log/httpd/access_log /opt/coldfusion10/config/wsconfig/1/jk_shm

Finally we need to allow Apache to make network connections so mod_jk can talk to ColdFusion:

    setsebool httpd_can_network_connect 1

4.2.5 Create a virtual mapping for /CFIDE/scripts

If you are using cfform or Ajax Tags you will need to allow access to the files in /CFIDE/scripts/. Because files in that directory have contained vulnerabilities in the past, it is recommended to only allow access if you require it, and if so, to specify an alternate location. In this example we choose /cf-scripts/; you are encouraged to pick a unique value for this alias. Add the following to your httpd.conf file:

    Alias /cf-scripts /opt/coldfusion10/cfusion/wwwroot/CFIDE/scripts/

In the above line we have created a virtual mapping /cf-scripts/ and pointed it to the file path corresponding to the /CFIDE/scripts/ directory. You will need to specify the mapping you used in the ColdFusion administrator in the Default ScriptSrc Directory on the Server Settings > Settings Page.
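
One way to check the result of this step, as an added example that is not part of the Lockdown Guide: a shell audit that reads an httpd.conf and reports whether the CFIDE/scripts directory is published only under a custom alias. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Lockdown Guide: audit httpd.conf for the
# /CFIDE/scripts mapping of section 4.2.5. Function names are hypothetical.

# Print the URL path of each active "Alias" directive whose target is a
# CFIDE/scripts directory. AliasMatch and included files are not examined.
scripts_aliases() {   # $1 = path to an Apache config file
    awk '
        $1 ~ /^#/ { next }                    # commented-out directive
        tolower($1) == "alias" && NF >= 3 {
            url = $2; target = $3
            gsub(/"/, "", url); gsub(/"/, "", target)
            sub(/\/+$/, "", url); sub(/\/+$/, "", target)   # drop trailing slashes
            if (target ~ /\/CFIDE\/scripts$/) print url
        }' "$1"
}

# Return 0 if the directory is reachable only through a custom alias,
# 1 if an Alias still publishes it at the default /CFIDE/scripts URL,
# 2 if no Alias for it exists.
check_scripts_alias() {
    found=$(scripts_aliases "$1")
    if [ -z "$found" ]; then
        echo "no Alias maps CFIDE/scripts"; return 2
    fi
    if printf '%s\n' "$found" | grep -qix '/CFIDE/scripts'; then
        echo "default URL /CFIDE/scripts is aliased"; return 1
    fi
    echo "custom alias in use:" $found
}

# Constructed sample config (not a real server's file) to show the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Alias /CFIDE/scripts /opt/coldfusion10/cfusion/wwwroot/CFIDE/scripts/
Alias /cf-scripts /opt/coldfusion10/cfusion/wwwroot/CFIDE/scripts/
EOF
check_scripts_alias "$sample"
rm -f "$sample"
```

The alias it reports is the value that has to match the Default ScriptSrc Directory setting in the ColdFusion administrator.
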
4.2.6 Update Java Virtual Machine

The Java Virtual Machine included with the ColdFusion installer may not be the latest JVM supported by Adobe. Download the RPM for the JVM from java.oracle.com. After you run the binary, the JVM is installed in /usr/java/ and a symbolic link pointing to the latest installed version is created at /usr/java/latest/. Point ColdFusion to this path to simplify future JVM updates.

Locate the jvm.config file (by default it is located in /opt/coldfusion10/cfusion/bin/) and make a backup: