The web server, although started by superuser or privileged account, will run using a non-privileged account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-13619 | WG275 | SV-14200r3_rule | ECLP-1 | Medium |
| Description |
|---|
| Running the web server with excessive privileges presents an increased risk to the web server. In the event the web server’s services are compromised, the context by which the web server is running will determine the amount of damage that may be caused by the attacker. If the web server is run as an administrator or as an equivalent account, the attacker will gain administrative access through the web server. If, on the other hand, the web server is running with least privilege required to function, the capabilities of the attacker will be greatly decreased. |
| STIG | Date |
|---|---|
| Web Server STIG | 2010-10-07 |
Details
| Check Text ( C-30935r1_chk ) |
|---|
| The reviewer will need to determine which account the web server is using to run and determine the privileges that account has. If the account has administrative or superuser privilege, the SA will need to provide justification showing that this type of account is necessary for the function and operation of the web server. Use the command ps -ef to get a list of processes and to determine the account that is being used to run the web server. Use the command more /etc/passwd to examine the account and to determine if it is running as a privileged account. If the account has an ID of 100 or greater, the account is not privileged. If the account is a member of a privileged group such as Administrators, and the web server is running with this account, this is a finding. If the web server is being run with excessive privileges, this is a finding. |
| Fix Text (F-26855r1_fix) |
|---|
| Configure the web server to run using a non-privileged account. |