CIS NGINX Benchmark v2.0.1 L1 Loadbalancer

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS NGINX Benchmark v2.0.1 L1 Loadbalancer

Updated: 10/2/2024

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 44

File Details

Filename: CIS_NGINX_v2.0.1_Level_1_Loadbalancer.audit

Size: 85.3 kB

MD5: 45bfd74347d9ceaab59660a3784c8b34
SHA256: 21ee760ca2f1f80ff5ec3de89c0e0521a068321f2e8b14b2ea27cd57176e08b1

Audit Items

Description
1.1.1 Ensure NGINX is installed
1.2.1 Ensure package manager repositories are properly configured
1.2.2 Ensure the latest software package is installed
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
2.2.2 Ensure the NGINX service account is locked
2.2.3 Ensure the NGINX service account has an invalid shell - /etc/passwd
2.2.3 Ensure the NGINX service account has an invalid shell - script
2.3.1 Ensure NGINX directories and files are owned by root
2.3.2 Ensure access to NGINX directories and files is restricted - Directories
2.3.2 Ensure access to NGINX directories and files is restricted - Files
2.3.3 Ensure the NGINX process ID (PID) file is secured
2.4.1 Ensure NGINX only listens for network connections on authorized ports
2.4.2 Ensure requests for unknown host names are rejected
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
2.5.2 Ensure default error and index.html pages do not reference NGINX
2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - Server
2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - X-Powered-By
3.1 Ensure detailed logging is enabled
3.2 Ensure access logging is enabled
3.3 Ensure error logging is enabled and set to the info logging level
3.4 Ensure log files are rotated - rotate
3.4 Ensure log files are rotated - weekly
3.7 Ensure proxies pass source IP information
3.7 Ensure proxies pass source IP information - X-Real-IP
4.1.1 Ensure HTTP is redirected to HTTPS
4.1.2 Ensure a trusted certificate and trust chain is installed
4.1.3 Ensure private key permissions are restricted
4.1.4 Ensure only modern TLS protocols are used
4.1.5 Disable weak ciphers
4.1.6 Ensure custom Diffie-Hellman parameters are used
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
4.1.9 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate
4.1.9 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate_key
5.1.2 Ensure only approved HTTP methods are allowed
5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
5.2.2 Ensure the maximum request body size is set correctly
5.2.3 Ensure the maximum buffer size for URIs is defined
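
An added example, not part of the audit file or of the CIS benchmark: a small POSIX shell script that evaluates a subset of the items above (2.4.3, 2.4.4, 2.5.4, 4.1.4, 4.1.7, 4.1.8, 5.2.1, 5.2.2, 5.2.3) against an nginx.conf, in the same spirit as the Unix-plugin checks this audit file runs. The directive names are real nginx directives; the pass criteria follow the item titles (timeouts between 1 and 10 seconds, only TLSv1.2/TLSv1.3, stapling plus verification, a non-zero HSTS max-age, body size and header buffers explicitly set), and for 5.2.1 the same 10 second ceiling the benchmark recommends is applied. The two sample configurations are constructed for the demonstration, and the file name nginx_l1_audit.sh in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not from the Tenable audit file or the CIS benchmark): a POSIX-sh
# audit of one nginx.conf against a subset of the items above; real nginx directive
# names, thresholds as in the item titles (1-10 s timeouts, TLSv1.2/1.3 only).

# Flatten: drop comments, split on ; { } so each directive is one "name args" line.
# Context nesting and ';' inside quoted values are ignored (good enough here).
nginx_directives() {
  sed -e 's/#.*$//' "$1" | tr '{};' '\n\n\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}
directive_args() {  # argument string of every occurrence of directive $2 in config $1
  nginx_directives "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print }'
}
has_directive() { directive_args "$1" "$2" | grep -Eq -- "$3"; }  # some occurrence matches ERE $3
# 2.4.3 / 2.4.4 / 5.2.1: $2 present and every occurrence is 1..10 s ("10", "10s", "10 10").
check_timeout() {
  found=0
  for v in $(directive_args "$1" "$2" | awk '{ print $1 }'); do
    found=1; n=${v%s}
    case $n in ''|*[!0-9]*) return 1 ;; esac    # "1m", "1h", variables: reject
    [ "$n" -ge 1 ] && [ "$n" -le 10 ] || return 1
  done
  [ $found -eq 1 ]
}
# 2.5.4: the proxy strips both upstream fingerprint headers.
check_proxy_headers() {
  has_directive "$1" proxy_hide_header '^Server$' &&
    has_directive "$1" proxy_hide_header '^X-Powered-By$'
}
# 4.1.4: every ssl_protocols value lists only TLSv1.2 and/or TLSv1.3.
check_tls_protocols() {
  found=0
  for p in $(directive_args "$1" ssl_protocols); do
    found=1; case $p in TLSv1.2|TLSv1.3) ;; *) return 1 ;; esac
  done
  [ $found -eq 1 ]
}
# 4.1.7: stapling enabled and the stapled response verified.
check_ocsp_stapling() { has_directive "$1" ssl_stapling '^on$' && has_directive "$1" ssl_stapling_verify '^on$'; }
# 4.1.8: HSTS header with a non-zero max-age (max-age=0 would switch HSTS off).
check_hsts() { has_directive "$1" add_header '^Strict-Transport-Security[[:space:]]+"?max-age=[1-9][0-9]*'; }
report() {  # $1 item, $2 title, rest = check command; increments $fails on failure
  id=$1; title=$2; shift 2
  if "$@"; then printf 'PASS %-5s %s\n' "$id" "$title"
  else printf 'FAIL %-5s %s\n' "$id" "$title"; fails=$((fails + 1)); fi
}
# Audit config $1: one line per item, return value = number of failures.
audit_config() {
  c=$1; fails=0
  report 2.4.3 "keepalive_timeout 1-10 s"            check_timeout "$c" keepalive_timeout
  report 2.4.4 "send_timeout 1-10 s"                 check_timeout "$c" send_timeout
  report 2.5.4 "proxy hides Server and X-Powered-By" check_proxy_headers "$c"
  report 4.1.4 "ssl_protocols TLSv1.2/1.3 only"      check_tls_protocols "$c"
  report 4.1.7 "OCSP stapling on and verified"       check_ocsp_stapling "$c"
  report 4.1.8 "HSTS with non-zero max-age"          check_hsts "$c"
  report 5.2.1 "client_body_timeout 1-10 s"          check_timeout "$c" client_body_timeout
  report 5.2.1 "client_header_timeout 1-10 s"        check_timeout "$c" client_header_timeout
  report 5.2.2 "client_max_body_size set, non-zero"  has_directive "$c" client_max_body_size '^[1-9][0-9]*[kKmMgG]?$'
  report 5.2.3 "large_client_header_buffers defined" has_directive "$c" large_client_header_buffers '^[0-9]+ +[0-9]+[kKmM]?$'
  return $fails
}

# Two constructed sample configs: a proxy left near nginx defaults, and the same
# proxy with the benchmark's settings applied.
write_sample_configs() {  # $1 = directory to write into
  cat > "$1/weak.conf" <<'EOF'
http {
    keepalive_timeout 65;  send_timeout 10;   # 65 s is the nginx default
    server {
        listen 443 ssl;  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_stapling on;   # no ssl_stapling_verify
        location / { proxy_pass http://backend; }
    }
}
EOF
  cat > "$1/hardened.conf" <<'EOF'
http {
    keepalive_timeout 10 10;   send_timeout 10;
    client_body_timeout 10;    client_header_timeout 10;
    client_max_body_size 100K; large_client_header_buffers 2 1k;
    server {
        listen 443 ssl;  ssl_protocols TLSv1.2 TLSv1.3;  ssl_stapling on;  ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        location / { proxy_hide_header Server; proxy_hide_header X-Powered-By; proxy_pass http://backend; }
    }
}
EOF
}
demo_samples() {
  dir=$(mktemp -d); write_sample_configs "$dir"
  for f in weak hardened; do
    echo "== $f.conf"; audit_config "$dir/$f.conf" && n=0 || n=$?; echo "   failures: $n"
  done; rm -rf "$dir"
}
# Usage: sh nginx_l1_audit.sh /etc/nginx/nginx.conf  (exit status = failure count)
#        sh nginx_l1_audit.sh                         (audits the two samples above)
if [ $# -gt 0 ]; then audit_config "$1"; else demo_samples; fi
```

The config flattener is deliberately naive: it ignores context nesting (a compliant http-level value and a non-compliant server-level override are simply two occurrences, and any non-compliant occurrence fails the item) and it splits on a ';' inside a quoted value, which is harmless for these checks but means the script complements rather than replaces the audit file. Items that depend on host state rather than configuration text (2.2.x service account, 2.3.x ownership and permissions, 3.4 log rotation, 4.1.3 key permissions) are not covered here.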