
Assuming that you got them from a later version of Ubuntu, probably a better way to go would be to add the repo (and the security repo) and pin those apache (and dependency) packages to that repo (so it only updates apache and doesn't try to update everything). That way you can get updates in the normal way.

Otherwise, as I said before, you will not receive any security updates and will continuously and manually have to check all these packages for updates and go through this whole process regularly. Like I said, this will add huge overheads to your maintenance schedule and actually make your server less secure (there will be a greater gap between when security vulnerabilities are found and when you manually patch them, as opposed to automatically applied backported security patches, as is the case in a vanilla TKL appliance).

Did you speak with your security scan company? Because whilst this exercise may make your server 'compliant' in their eyes, realistically it is making your server less secure. So it depends on whether your aim is to find an 'easy' way to make your server compliant in their eyes, or whether you are actually trying to make your server as secure as possible...

Personally, if they don't understand how security works in Linux (i.e. backported patches) then I'd be looking for a new security scan company. Considering that over half of the webservers online are running Linux, surely there'd be some about that do understand it and would actually be properly testing for real vulnerabilities, not just checking versions...
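A sketch of the pinning approach described in the post above, as an added example that is not part of the original post: the release codename, mirror URLs and package globs are placeholders you would replace with the actual newer Ubuntu release and the apache packages (plus their dependencies) you pulled from it.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an apt pin so that
# only apache2 and the dependency packages you list track a newer Ubuntu
# release, while every other package from that release is blocked. That way
# "apt-get upgrade" keeps delivering apache security updates without
# dragging the rest of the system up to the newer release.
# CODENAME, mirror URLs and package globs below are assumptions/placeholders.

# render_pin_prefs CODENAME PKG_GLOB...
# Prints an /etc/apt/preferences.d fragment:
#   - listed packages get normal priority (500) from the newer release
#   - everything else from that release gets -1 (never installed)
# The -security pocket of an Ubuntu release carries the same Codename in
# its Release file, so one "n=" pin covers both the main and security repo.
render_pin_prefs() {
    codename="$1"; shift
    printf 'Package: %s\nPin: release n=%s\nPin-Priority: 500\n\n' "$*" "$codename"
    printf 'Package: *\nPin: release n=%s\nPin-Priority: -1\n' "$codename"
}

# render_sources CODENAME
# Prints the sources.list.d fragment for the newer release: main suite plus
# its security pocket, so backported security fixes arrive automatically.
render_sources() {
    codename="$1"
    printf 'deb http://archive.ubuntu.com/ubuntu %s main\n' "$codename"
    printf 'deb http://security.ubuntu.com/ubuntu %s-security main\n' "$codename"
}

# Usage (run as root, then verify with: apt-cache policy apache2):
#   render_sources   PLACEHOLDER-CODENAME > /etc/apt/sources.list.d/apache-newer.list
#   render_pin_prefs PLACEHOLDER-CODENAME 'apache2*' 'libapache2-*' \
#       > /etc/apt/preferences.d/apache-newer
#   apt-get update
# "apt-cache policy" should show the newer release at priority 500 for the
# apache packages and -1 for everything else from that release.
```

Add the real dependency package names to the glob list if `apt-cache policy` shows apache2 held back because a required library is only available from the blocked release.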