Score:0

Files with 644 permissions and owner apache:apache are still failing Security Review module

I am using Drupal 7 and just installed Security Review. According to this page, the files should be 644. I tried that but I am still failing Security Review (I'm getting hundreds of files under the section "The following files and directories appear to be writeable by your web server."). I assume this is because the files are owned by apache:apache. What are the correct file ownership and file group membership settings for these files so I can pass the Security Review?

Score:0

The important thing is to make sure your web server user cannot write to the document root, except for public/private file folders.

There are many, many different configurations that can allow for that (e.g. you might leave the perms at 644 and change user ownership; or you might not change ownership but change perms to 444, or any number of other things).

Ultimately, you should ask your server admin to recommend an appropriate configuration for your OS and the software/accounts that are installed and enabled on it. Crowdsourcing an answer to a question which affects the fundamental security of your website, and potentially server, isn't guaranteed to end well.

Score:0

As long as the user and group ownership aren't the ones used to run the web server, any value is fine for the Security Review module. Even the values set when the files were created would be fine, as long as they aren't the same ones used to run the web server.

Those files are already owned by apache:apache, which means that either the web server (or PHP) created them, or the user and group ownership were changed after the files were created. In both cases, changing the user and group ownership probably won't resolve the real issue.
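
An added example, not part of the posts above and not the Security Review module's own code: it approximates the "writeable by your web server" check by applying the POSIX owner/group/other rule to each path, which shows why 644 fails when the files are owned by apache:apache. The numeric IDs and the exempt path `sites/default/files` (Drupal 7's default public files directory) are assumptions; pass your real web server UID and GIDs to `scan()`.

```python
import os
import stat

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """POSIX picks exactly one permission class: owner, else group, else other."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def scan(root, uid, gids, exempt=("sites/default/files",)):
    """List paths under root that the account (uid, gids) has a write bit on.
    ACLs and root's override are not modelled; symlinks are skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into upload directories, which must stay writable.
        dirnames[:] = [d for d in dirnames
                       if os.path.relpath(os.path.join(dirpath, d), root) not in exempt]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

# Constructed IDs: 48 stands in for apache, 1000 for a separate deploy account.
APACHE, DEPLOY = 48, 1000
CASES = {
    "644 apache:apache": (0o644, APACHE, APACHE),
    "444 apache:apache": (0o444, APACHE, APACHE),
    "644 deploy:deploy": (0o644, DEPLOY, DEPLOY),
    "644 deploy:apache": (0o644, DEPLOY, APACHE),
    "664 deploy:apache": (0o664, DEPLOY, APACHE),
}

def evaluate_cases():
    """Return {label: writable by the web server account?} for the cases above."""
    return {k: writable_by(m, u, g, APACHE, {APACHE}) for k, (m, u, g) in CASES.items()}

if __name__ == "__main__":
    for label, bad in evaluate_cases().items():
        print(f"{label}: {'writable by web server' if bad else 'ok'}")
```

A file at 444 that is still owned by the web server account passes this check, but its owner can restore the write bit with chmod, so moving ownership to a separate account is the stronger of the two options mentioned in the answers.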
