CIS NGINX Benchmark v2.1.0 L1 Proxy

Audit Details

Name: CIS NGINX Benchmark v2.1.0 L1 Proxy

Updated: 10/2/2024

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 34

File Details

Filename: CIS_NGINX_v2.1.0_Level_1_Proxy.audit

Size: 104 kB

MD5: b40c2f4d142fbff27d43c3e71fd19b11
SHA256: c1b2a345a4a033483c418c365880fed73d71a9c07ede33b04474087a6ead5bc9

Audit Items

Description / Categories
1.1.1 Ensure NGINX is installed

SYSTEM AND SERVICES ACQUISITION

1.2.1 Ensure package manager repositories are properly configured

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.2.2 Ensure the latest software package is installed

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account

ACCESS CONTROL

2.2.2 Ensure the NGINX service account is locked

ACCESS CONTROL, MEDIA PROTECTION

2.2.3 Ensure the NGINX service account has an invalid shell

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.1 Ensure NGINX directories and files are owned by root

ACCESS CONTROL, MEDIA PROTECTION

2.3.2 Ensure access to NGINX directories and files is restricted

ACCESS CONTROL, MEDIA PROTECTION

2.3.3 Ensure the NGINX process ID (PID) file is secured

ACCESS CONTROL, MEDIA PROTECTION

2.4.1 Ensure NGINX only listens for network connections on authorized ports

PLANNING, SYSTEM AND SERVICES ACQUISITION

2.4.2 Ensure requests for unknown host names are rejected

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0

SYSTEM AND SERVICES ACQUISITION

2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0

SYSTEM AND SERVICES ACQUISITION

2.5.2 Ensure default error and index.html pages do not reference NGINX

SYSTEM AND SERVICES ACQUISITION

2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure

SYSTEM AND SERVICES ACQUISITION

3.1 Ensure detailed logging is enabled

AUDIT AND ACCOUNTABILITY

3.2 Ensure access logging is enabled

AUDIT AND ACCOUNTABILITY

3.3 Ensure error logging is enabled and set to the info logging level

AUDIT AND ACCOUNTABILITY

3.4 Ensure log files are rotated

AUDIT AND ACCOUNTABILITY

3.7 Ensure proxies pass source IP information - X-Real-IP

AUDIT AND ACCOUNTABILITY

4.1.1 Ensure HTTP is redirected to HTTPS

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.2 Ensure a trusted certificate and trust chain is installed

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.3 Ensure private key permissions are restricted

ACCESS CONTROL, MEDIA PROTECTION

4.1.4 Ensure only modern TLS protocols are used

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.5 Disable weak ciphers

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.6 Ensure custom Diffie-Hellman parameters are used

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.9 Ensure upstream server traffic is authenticated with a client certificate

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.2 Ensure only approved HTTP methods are allowed

PLANNING, SYSTEM AND SERVICES ACQUISITION

5.2.1 Ensure timeout values for reading the client header and body are set correctly

SYSTEM AND SERVICES ACQUISITION

5.2.2 Ensure the maximum request body size is set correctly

SYSTEM AND SERVICES ACQUISITION

5.2.3 Ensure the maximum buffer size for URIs is defined

SYSTEM AND SERVICES ACQUISITION

CIS_NGINX_v2.1.0_Level_1_Proxy.audit from CIS NGINX Benchmark v2.1.0