Information
The Apache 2.4 modules for authentication and authorization are grouped and named to provide both granularity and a consistent naming convention to simplify configuration. The 'authn_*' modules provide authentication, while the 'authz_*' modules provide authorization. Apache provides two types of authentication: basic and digest. Review the Apache Authentication and Authorization how-to documentation [http://httpd.apache.org/docs/2.4/howto/auth.html](http://httpd.apache.org/docs/2.4/howto/auth.html) and enable only the modules that are required.
Rationale:
Authentication and authorization are the front doors to the protected information in your web site. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of 'doors' and therefore reduce the attack surface of the web site. Likewise, having fewer modules means less software that could have vulnerabilities.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Consult the Apache module documentation for a description of each module in order to determine which modules the specific installation needs. Unnecessary statically compiled modules are disabled through compile-time configuration options. Dynamically loaded modules are disabled by commenting out or removing the 'LoadModule' directive from the Apache configuration files (typically 'httpd.conf'). Some modules may be separate packages and may be removed.
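One way to audit the dynamically loaded modules, as an added example that is not part of the benchmark or the Nessus check: it lists the active auth-related 'LoadModule' directives, compares them with a list of required modules, and comments out one that is not needed. The function names, the sample configuration and the required-module list are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit auth-related LoadModule directives in an Apache config.
sample_conf() {   # constructed sample httpd.conf fragment
cat <<'EOF'
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
  loadmodule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule dir_module modules/mod_dir.so
EOF
}

# Print every active (uncommented) auth_*, authn_* or authz_* module in FILE.
list_auth_modules() {
    awk 'tolower($1) == "loadmodule" && $2 ~ /^auth[nz]?_/ { print $2 }' "$1"
}

# unneeded_auth_modules FILE REQUIRED...: active auth modules not in REQUIRED.
unneeded_auth_modules() {
    file=$1; shift
    for mod in $(list_auth_modules "$file"); do
        keep=no
        for req in "$@"; do
            if [ "$mod" = "$req" ]; then keep=yes; fi
        done
        [ "$keep" = yes ] || echo "$mod"
    done
}

# disable_module FILE MODULE: print FILE with MODULE's LoadModule commented out,
# so the result can be reviewed before it replaces the live configuration.
disable_module() {
    awk -v m="$2" 'tolower($1) == "loadmodule" && $2 == m { print "#" $0; next } { print }' "$1"
}

# Demo: this site is assumed to need only file-backed basic authentication.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
unneeded_auth_modules "$demo_conf" authn_core_module authn_file_module \
    authz_core_module authz_user_module auth_basic_module
rm -f "$demo_conf"
```

This only covers modules loaded with 'LoadModule'; statically compiled modules do not appear in the configuration file and show up in the output of `httpd -M` instead.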