2.1.18 Ensure web server services are not in use

Information

Web servers provide the ability to host web site content.

Unless there is a local site approved requirement to run a web server service on the system, web server packages should be removed to reduce the potential attack surface.

Solution

Run the following commands to stop httpd.socket, httpd.service and nginx.service, and to remove the httpd and nginx packages:

# systemctl stop httpd.socket httpd.service nginx.service
# dnf remove httpd nginx

- OR -

- IF - a package is installed and is required for dependencies:

Run the following commands to stop and mask httpd.socket, httpd.service and nginx.service:

# systemctl stop httpd.socket httpd.service nginx.service
# systemctl mask httpd.socket httpd.service nginx.service

Note: Other web server packages may exist. If not required and authorized by local site policy, they should also be removed. If the package is required for a dependency, the service and socket should be stopped and masked.
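
A read-only check for the two remediation paths above, added here as an example and not taken from the benchmark: it passes when a package is absent, or when each of its units is masked and not running. The package-to-unit mapping, the function names and the rejection of runtime-only masks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not benchmark text. Read-only: changes nothing on the host.
# Package -> units, using the names from the Solution section.
WEB_TARGETS="httpd:httpd.socket,httpd.service nginx:nginx.service"

# True if the RPM package is installed.
pkg_installed() { rpm -q "$1" >/dev/null 2>&1; }

# Print "<is-enabled state> <is-active state>" for one unit.
unit_state() {
    us_en=$(systemctl is-enabled "$1" 2>/dev/null) || true
    us_ac=$(systemctl is-active "$1" 2>/dev/null) || true
    echo "${us_en:-unknown} ${us_ac:-unknown}"
}

# Assumed rule: a unit kept for dependency reasons must be masked and stopped.
# "masked-runtime" is rejected because that mask is lost at the next reboot.
unit_compliant() {   # $1 = is-enabled state, $2 = is-active state
    [ "$1" = masked ] || return 1
    case "$2" in active|activating|reloading) return 1 ;; esac
    return 0
}

# Print one line per non-compliant unit; return 1 if any were found.
audit_web_servers() {
    aw_rc=0
    for aw_target in $WEB_TARGETS; do
        aw_pkg=${aw_target%%:*}
        pkg_installed "$aw_pkg" || continue   # package removed: nothing to check
        for aw_unit in $(echo "${aw_target#*:}" | tr ',' ' '); do
            aw_state=$(unit_state "$aw_unit")
            aw_en=${aw_state%% *}
            aw_ac=${aw_state#* }
            if ! unit_compliant "$aw_en" "$aw_ac"; then
                echo "FAIL $aw_unit: is-enabled=$aw_en is-active=$aw_ac"
                aw_rc=1
            fi
        done
    done
    return "$aw_rc"
}

# Run the audit only when asked, e.g.: sh audit_web.sh --run
if [ "${1:-}" = "--run" ]; then audit_web_servers; fi
```

Other web server packages can be covered by appending further `package:unit,unit` entries to `WEB_TARGETS`.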

Impact:

Removal of web server packages will remove the ability for the server to host web services.

- IF - the web server package is required for a dependency, any related service or socket should be stopped and masked.

Note: If the remediation steps to mask a service are followed and that package is not installed on the system, the service and/or socket will still be masked. If the package is installed due to an approved requirement to host a web server, the associated service and/or socket would need to be unmasked before it could be enabled and/or started.

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: b1a43bfe9c0bfd8978a9fca48318a94717de96f697237c53e68dc31fa033dba3