User IDs which disclose the privileges associated with it, should not be created. 'lock'

Information

The best way to reduce exposure to attack when running Apache web server is to create a unique unprivileged userid and group for the application. Once the server's startup tasks are complete, all active instances can run as the unprivileged user. The web user account should not be allowed shell login.

Solution

Use low privileged account and group for Apache server.
Assign no shell to the Apache user account and lock this account. To lock the user account, add /sbin/nologin at the end of the username line.

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Unix

Control ID: 1c1fe8cec81a72bfdd6244fcd3bfbe4807855ca7968e22d680dd45460bc5a649