Upgrade or Remove Apache Web Server - macOS Catalina

Our security team runs weekly vulnerability scans via Tenable/Nessus on our environment and all of our Macs have been coming up with multiple vulnerabilities related to the native Apache Web Server being out of date. I am trying to find a way to either update it to a suitable version or remove it entirely from the systems. We do not have a need for the Apache web server or related services as we do not do any development that warrants its use, so upgrading it really has no benefit; it would only be to stop the alerts.


I have been in search for a few months trying to come up with a solution to no avail. We are in the process of getting our environment PCI-DSS compliant, and as such, can't ignore this weekly alert. We also cannot upgrade all of our systems to Big Sur just to get around this one issue, that would cause even more issues for the compliance at this stage. One solution that was offered was to ensure the local web server was disabled and to just block the executables from ever running, which we did, but that still left the files on our systems and they continue to pop up each week, which is still a problem for the compliance.


More information from Tenable can be found here: https://www.tenable.com/plugins/nessus/139574


Thanks for any input you might have!

Posted on Apr 16, 2021 7:16 AM


Apr 17, 2021 10:37 AM in response to scelza

Hello scelza! Thank you for participating in the Apple Support Communities.


We understand that you've been trying to find a solution to your Mac computers coming up with multiple vulnerabilities relating to the native Apache Web Server being outdated.


Apple has a developer forum where you can post questions to fellow developers and Apple engineers on a variety of development topics such as this one. You can find those forums by going to the following link: Support - Apple Developer


Make it a great day!

Apr 17, 2021 2:02 PM in response to scelza

Did you remove /usr/sbin/httpd?


To get rid of all Apache2 files would be a waste of time, but when you are forced to follow guidelines developed by people that only carry a wallet-sized photo of the big picture, you will have to delete some other directories including /etc/apache2/, /Library/WebServer/, each user's Sites folder, and maybe the manuals in /System/Library/Templates/Data/Library/Webserver.

Does it tell you which files are triggering those alerts?


My guess is you will have to disable SIP in order to remove them, and then re-enable SIP.

Does Tenable even care if you disable SIP?
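
Added example, not part of the original reply: a read-only inventory of the paths listed above, so each Mac can report which Apache files are still on disk before and after any cleanup. The root-prefix argument is an assumption of this example, and the `org.apache.httpd` launchd label is not from the thread.

```shell
#!/bin/bash
# Added example: inventory of the Apache paths named in the reply above.
# The root argument is an assumption of this example: "/" for the running
# system, or the mount point of another volume.

# Candidate paths from the thread, plus each user's Sites folder if present.
apache_paths() {
  root="${1%/}"
  printf '%s\n' \
    "$root/usr/sbin/httpd" \
    "$root/etc/apache2" \
    "$root/Library/WebServer" \
    "$root/System/Library/Templates/Data/Library/Webserver"
  for d in "$root"/Users/*/Sites; do
    if [ -e "$d" ]; then printf '%s\n' "$d"; fi
  done
}

# One "present <path>" or "absent <path>" line per candidate.
apache_inventory() {
  apache_paths "$1" | while IFS= read -r p; do
    if [ -e "$p" ]; then echo "present $p"; else echo "absent $p"; fi
  done
}

# Number of listed paths still on disk.
apache_present_count() {
  apache_inventory "$1" | grep -c '^present ' || true
}

apache_inventory "${1:-/}"

# Live-system context, macOS only: SIP state, httpd version, launchd override.
if [ "$(uname -s)" = "Darwin" ]; then
  csrutil status
  if [ -x /usr/sbin/httpd ]; then /usr/sbin/httpd -v; fi
  launchctl print-disabled system | grep 'org.apache.httpd' || true
fi
```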

Apr 17, 2021 2:25 PM in response to Barney-15E

It does appear to only be httpd which is triggering the alert in all of these instances.


I’ve considered turning off SIP to remove the file itself and then re-enabling SIP as a potential workaround. Tenable shouldn’t notice it being disabled, as long as it was enabled by the following week’s scan.


Assuming it doesn’t break anything tangential, this might be the only course of action, even if it means having to be physically in front of each system and getting into recovery mode, something that could be done over time.


I was just hoping by now someone would have also run into this issue in an enterprise environment with the similar compliances and stipulations, and possibly have found some other workaround.


Thanks for your input, it’s infinitely better than most answers I’ve seen relating to this, which usually amount to “ignore your scanner because it’s making you worry about nothing” or “just update the OS”. Both are far easier said than done.

Apr 17, 2021 3:04 PM in response to scelza

scelza wrote:

> It does appear to only be httpd which is triggering the alert in all of these instances.

Well, that is what runs the web server, so if it isn't triggering the alerts, the scanner is pretty much useless.

> I’ve considered turning off SIP to remove the file itself and then re-enabling SIP as a potential workaround. Tenable shouldn’t notice it being disabled, as long as it was enabled by the following week’s scan.

I meant, does it even understand the point of SIP?

> Assuming it doesn’t break anything tangential, this might be the only course of action, even if it means having to be physically in front of each system and getting into recovery mode, something that could be done over time.

If it isn't triggering the alerts, I'm not sure what the point would be in removing it. However, it is the problem the scanner is trying to highlight.

> I was just hoping by now someone would have also run into this issue in an enterprise environment with the similar compliances and stipulations, and possibly have found some other workaround.

I'm merely aware of those types of requirements and how stupidly they are designed.

> Thanks for your input, it’s infinitely better than most answers I’ve seen relating to this, which usually amount to “ignore your scanner

Well, I understand you are not allowed to ignore it, but it appears it doesn't even know what it is doing. If the actual web server isn't flagged, how well do you trust it to find anything else vulnerable?
