I did my research and found that people are unsure whether chroot is helpful for security. I still have these questions unanswered: Is chrooting worthwhile? If yes, can it be done for httpd 2.4 on RHEL 7? Please share any resource or reference. If not, what would be an equivalent way to secure the web server?

Thanks in advance.

Dextro67

2 Answers

This has been discussed before: How to chroot Apache on CentOS?

Yes, it's possible to chroot Apache. In Apache 2.4 you need the mod_unixd module (https://httpd.apache.org/docs/2.4/mod/mod_unixd.html). This page explains how to do it: https://www.howtoforge.com/tutorial/chrooting-apache-2.4-with-mod_unixd-on-debian-8-jessie/ Despite claiming to be a guide for Debian, it should still work for RHEL, since the guide simply mentions which directives to use in Apache 2.4.

That being said, I don't think the perceived benefits are worth the costs. This ancient (May 2004) document discusses pros/cons of chrooting apache. One key phrase from the article:

"Installing Apache in a chroot jail does not make Apache itself any more secure. Rather, it serves to restrict the access of Apache and its child processes to a small subset of the filesystem. The advantage in chrooting a process is not in preventing a breakin, but rather in containing a potential threat."

And, as the aforementioned question/answer says, a much better method of containing break-ins is to use the already provided security feature of RHEL: SELinux. Most administrators simply turn this off at installation so they don't have to deal with the headache. However, a bit of time learning this powerful feature will save a lot more headache down the road.

Joe

If you really want to harden your system, consider using SELinux and an Apache chroot jail. RHEL 7 is similar to CentOS 7; they both run Apache 2.4, so this may help:

http://www.zedwood.com/article/centos7-apache-chroot-jail

velcrow
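
Whichever of the two containment mechanisms from the answers is used, it is worth checking that a running httpd process is actually inside it. The shell function below is an added example, not code from either answer or the linked guides; the name `httpd_confinement` and its two arguments are assumptions made so it can run against `/proc/<pid>` or a constructed fixture, and `httpd_t` is the domain the RHEL targeted policy assigns to Apache.

```shell
#!/bin/sh
# Report how one httpd process is contained: chroot, SELinux, both or neither.
# Live use, as root:  for p in $(pgrep httpd); do httpd_confinement "/proc/$p"; done
#   $1  /proc/<pid> directory of the process to inspect
#   $2  SELinux enforce file (defaults to the real one; overridable for fixtures)
# Returns 0 if contained by chroot or by enforcing SELinux, 1 if neither, 2 on error.
httpd_confinement() {
    procdir=$1
    enforce_file=${2:-/sys/fs/selinux/enforce}

    # /proc/<pid>/root is a symlink to the process's root directory;
    # anything other than "/" means the process has been chrooted.
    root=$(readlink "$procdir/root") || { echo "cannot read $procdir/root" >&2; return 2; }
    [ "$root" = "/" ] && root=none

    # /proc/<pid>/attr/current holds the context as user:role:type:level.
    # The third field is the domain; strip any trailing NUL before parsing.
    ctx=$(cat "$procdir/attr/current" 2>/dev/null | tr -d '\000')
    domain=$(printf '%s' "$ctx" | cut -d: -f3)
    [ -n "$domain" ] || domain=unavailable

    # A confined domain only restricts the process while SELinux is enforcing;
    # in permissive mode denials are logged but not applied.
    case $(cat "$enforce_file" 2>/dev/null) in
        1) enforcing=yes ;;
        0) enforcing=no ;;
        *) enforcing=unknown ;;
    esac

    echo "chroot=$root selinux_domain=$domain enforcing=$enforcing"

    [ "$root" != none ] && return 0
    [ "$domain" = httpd_t ] && [ "$enforcing" = yes ] && return 0
    return 1
}
```

A return code of 1 covers the case the first answer warns about: SELinux switched off or left permissive, with no chroot in place either.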