AS24-U1-000690 – Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.

Details

By separating Apache web server security functions from non-privileged users, roles can be developed that can then be used to administer the Apache web server. Forcing users to change from a non-privileged account to a privileged account when operating on the Apache web server or on security-relevant information forces users to only operate as a Web Server Administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the Apache web server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Restrict access to the web administration tool to only the System Administrator, Web Manager, or the Web Manager designees.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_UNIX_Y22M01_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-6(10)
CAT|II
CCI|CCI-002235
Rule-ID|SV-214261r612240_rule
STIG-ID|AS24-U1-000690
STIG-Legacy|SV-102801
STIG-Legacy|V-92713
Vuln-ID|V-214261

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles