Details

The user account under which Apache runs should not have a valid password, but should be locked.

Rationale:

As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from ‘su’-ing to ‘apache’ using the password. In general, there shouldn’t be a need for anyone to have to ‘su’ as ‘apache’, and when there is a need, ‘sudo’ should be used instead, which would not require the ‘apache’ account password.

Solution

Use the ‘passwd’ command to lock the ‘apache’ account:

# passwd -l apache

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2378

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-2(3)
• CSCv6|16
• CSCv7|16.8

Source

• Tenable.com/audits