CIS NGINX Benchmark v2.0.0 L1 Webserver

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS NGINX Benchmark v2.0.0 L1 Webserver

Updated: 8/21/2023

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 43

Audit Items

Description
1.1.1 Ensure NGINX is installed
1.2.1 Ensure package manager repositories are properly configured
1.2.2 Ensure the latest software package is installed
2.1.4 Ensure the autoindex module is disabled
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
2.2.2 Ensure the NGINX service account is locked
2.2.3 Ensure the NGINX service account has an invalid shell - /etc/passwd
2.2.3 Ensure the NGINX service account has an invalid shell - script
2.3.1 Ensure NGINX directories and files are owned by root
2.3.2 Ensure access to NGINX directories and files is restricted - Directories
2.3.2 Ensure access to NGINX directories and files is restricted - Files
2.3.3 Ensure the NGINX process ID (PID) file is secured
2.3.4 Ensure the core dump directory is secured
2.4.1 Ensure NGINX only listens for network connections on authorized ports
2.4.2 Ensure requests for unknown host names are rejected
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
2.5.1 Ensure server_tokens directive is set to 'off'
2.5.2 Ensure default error and index.html pages do not reference NGINX
3.1 Ensure detailed logging is enabled
3.2 Ensure access logging is enabled
3.3 Ensure error logging is enabled and set to the info logging level
3.4 Ensure log files are rotated - rotate
3.4 Ensure log files are rotated - weekly
4.1.1 Ensure HTTP is redirected to HTTPS
4.1.2 Ensure a trusted certificate and trust chain is installed
4.1.3 Ensure private key permissions are restricted
4.1.4 Ensure only modern TLS protocols are used
4.1.5 Disable weak ciphers - ssl_ciphers
4.1.6 Ensure custom Diffie-Hellman parameters are used
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
5.1.2 Ensure only approved HTTP methods are allowed
5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
5.2.2 Ensure the maximum request body size is set correctly
5.2.3 Ensure the maximum buffer size for URIs is defined
5.3.1 Ensure X-Frame-Options header is configured and enabled
5.3.2 Ensure X-Content-Type-Options header is configured and enabled
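As an added example, not part of the Tenable audit file or of the CIS benchmark itself, the POSIX shell script below writes a constructed, hardened nginx.conf and a deliberately weak one to temporary files and runs simplified versions of several of the checks listed above against them (2.1.4, 2.2.1, 2.4.2, 2.4.3, 2.4.4, 2.5.1, 3.3, 4.1.4, 4.1.7, 4.1.8, 5.1.2, 5.2.1, 5.3.1, 5.3.2). The directive names and values are those documented by NGINX; the file paths, the `check_*` helper names and the pass/fail logic are assumptions made for illustration and are not the audit's own check implementation.

```shell
#!/bin/sh
# Added example: simplified audit of a few CIS NGINX L1 checks against a config file.
# Both config files below are constructed samples, not a real server's configuration.
CONF="${TMPDIR:-/tmp}/cis_nginx_hardened.conf"   # assumed path
WEAK="${TMPDIR:-/tmp}/cis_nginx_weak.conf"       # assumed path

cat > "$CONF" <<'EOF'
user nginx;                                   # 2.2.1 dedicated service account
error_log /var/log/nginx/error.log info;      # 3.3
http {
    server_tokens off;                        # 2.5.1
    autoindex off;                            # 2.1.4
    keepalive_timeout 10;                     # 2.4.3
    send_timeout 10;                          # 2.4.4
    client_body_timeout 10;                   # 5.2.1
    client_header_timeout 10;                 # 5.2.1
    client_max_body_size 100K;                # 5.2.2
    large_client_header_buffers 2 1k;         # 5.2.3
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';
    access_log /var/log/nginx/access.log main; # 3.2
    ssl_protocols TLSv1.2 TLSv1.3;            # 4.1.4
    ssl_dhparam /etc/nginx/dhparam.pem;       # 4.1.6 (assumed path)
    ssl_stapling on;                          # 4.1.7
    ssl_stapling_verify on;                   # 4.1.7
    server { listen 80 default_server; server_name _; return 444; }  # 2.4.2
    server { listen 80; server_name example.com;
             return 301 https://$host$request_uri; }                  # 4.1.1
    server {
        listen 443 ssl; server_name example.com;
        add_header Strict-Transport-Security "max-age=31536000" always; # 4.1.8
        add_header X-Frame-Options "SAMEORIGIN" always;                 # 5.3.1
        add_header X-Content-Type-Options "nosniff" always;             # 5.3.2
        location / { limit_except GET HEAD POST { deny all; } }        # 5.1.2
    }
}
EOF

# Weak counterpart: wrong values, a commented-out header, no error level.
printf '%s\n' 'server_tokens on;' 'keepalive_timeout 0;' 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' \
    '# add_header X-Frame-Options "DENY";' 'error_log /var/log/nginx/error.log;' > "$WEAK"

# Print the value of the first occurrence of a directive, comments and trailing ';' removed
# (a '#' inside a quoted value would be mangled; acceptable for this sample).
directive() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { sub(/;.*$/, ""); sub("^[ \t]*" d "[ \t]*", ""); print; exit }'
}
# Directive must equal an exact value (user, server_tokens, autoindex, ssl_stapling*).
check_eq() { [ "$(directive "$1" "$2")" = "$3" ] && echo PASS || echo FAIL; }
# Timeouts (2.4.3, 2.4.4, 5.2.1): 1..10 seconds, never 0, never absent.
check_timeout() {
    v=$(directive "$1" "$2"); v=${v%s}
    case "$v" in ''|*[!0-9]*) echo FAIL; return;; esac
    [ "$v" -ge 1 ] && [ "$v" -le 10 ] && echo PASS || echo FAIL
}
# 4.1.4: every listed protocol must be TLSv1.2 or TLSv1.3; an absent directive fails
# because the NGINX default is wider.
check_tls() {
    v=$(directive "$1" ssl_protocols); [ -n "$v" ] || { echo FAIL; return; }
    for p in $v; do case "$p" in TLSv1.2|TLSv1.3) ;; *) echo FAIL; return;; esac; done
    echo PASS
}
# Presence of a pattern in the uncommented config (headers, default server, limit_except).
check_grep() { sed 's/#.*//' "$1" | grep -Eq "$2" && echo PASS || echo FAIL; }
# 3.3: error_log must carry the "info" level.
check_error_log() { case "$(directive "$1" error_log)" in *" info") echo PASS;; *) echo FAIL;; esac; }

audit() {
    f=$1
    r() { printf '%-46s %s\n' "$1" "$2"; }
    r "2.2.1 user nginx"                    "$(check_eq "$f" user nginx)"
    r "2.1.4 autoindex off"                 "$(check_eq "$f" autoindex off)"
    r "2.5.1 server_tokens off"             "$(check_eq "$f" server_tokens off)"
    r "2.4.2 default_server present"        "$(check_grep "$f" 'listen[^;]*default_server')"
    r "2.4.2 unknown host gets 444"         "$(check_grep "$f" 'return[[:space:]]+444')"
    r "2.4.3 keepalive_timeout 1..10s"      "$(check_timeout "$f" keepalive_timeout)"
    r "2.4.4 send_timeout 1..10s"           "$(check_timeout "$f" send_timeout)"
    r "3.3   error_log level info"          "$(check_error_log "$f")"
    r "4.1.4 only TLSv1.2/TLSv1.3"          "$(check_tls "$f")"
    r "4.1.7 ssl_stapling_verify on"        "$(check_eq "$f" ssl_stapling_verify on)"
    r "4.1.8 HSTS header"                   "$(check_grep "$f" 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]')"
    r "5.1.2 limit_except present"          "$(check_grep "$f" 'limit_except[[:space:]]+')"
    r "5.2.1 client_body_timeout 1..10s"    "$(check_timeout "$f" client_body_timeout)"
    r "5.3.1 X-Frame-Options header"        "$(check_grep "$f" 'add_header[[:space:]]+X-Frame-Options[[:space:]]')"
    r "5.3.2 X-Content-Type-Options header" "$(check_grep "$f" 'add_header[[:space:]]+X-Content-Type-Options[[:space:]]')"
}

echo "== $CONF"; audit "$CONF"
echo "== $WEAK"; audit "$WEAK"
```

The checks deliberately read the configuration text rather than querying a running server, which is how the Unix audit plugin works too, so a directive that is set in an included file would need `include` handling before this would be trustworthy on a real host; the hardened sample passes every row and the weak sample fails every row it defines, including the header that is only present as a comment.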
CIS_NGINX_v2.0.0_Level_1_Webserver.audit from CIS NGINX Benchmark v2.0.0