1.1.1 Ensure NGINX is installed | SYSTEM AND SERVICES ACQUISITION |
1.2.1 Ensure package manager repositories are properly configured | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
1.2.2 Ensure the latest software package is installed | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
2.1.4 Ensure the autoindex module is disabled | CONFIGURATION MANAGEMENT |
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account | ACCESS CONTROL |
2.2.2 Ensure the NGINX service account is locked | ACCESS CONTROL, MEDIA PROTECTION |
2.2.3 Ensure the NGINX service account has an invalid shell | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.3.1 Ensure NGINX directories and files are owned by root | ACCESS CONTROL, MEDIA PROTECTION |
2.3.2 Ensure access to NGINX directories and files is restricted | ACCESS CONTROL, MEDIA PROTECTION |
2.3.3 Ensure the NGINX process ID (PID) file is secured | ACCESS CONTROL, MEDIA PROTECTION |
2.3.4 Ensure the core dump directory is secured | ACCESS CONTROL, MEDIA PROTECTION |
2.4.1 Ensure NGINX only listens for network connections on authorized ports | PLANNING, SYSTEM AND SERVICES ACQUISITION |
2.4.2 Ensure requests for unknown host names are rejected | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 | SYSTEM AND SERVICES ACQUISITION |
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 | SYSTEM AND SERVICES ACQUISITION |
2.5.1 Ensure server_tokens directive is set to 'off' | SYSTEM AND SERVICES ACQUISITION |
2.5.2 Ensure default error and index.html pages do not reference NGINX | SYSTEM AND SERVICES ACQUISITION |
3.1 Ensure detailed logging is enabled | AUDIT AND ACCOUNTABILITY |
3.2 Ensure access logging is enabled | AUDIT AND ACCOUNTABILITY |
3.3 Ensure error logging is enabled and set to the info logging level | AUDIT AND ACCOUNTABILITY |
3.4 Ensure log files are rotated | AUDIT AND ACCOUNTABILITY |
4.1.1 Ensure HTTP is redirected to HTTPS | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.2 Ensure a trusted certificate and trust chain is installed | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.3 Ensure private key permissions are restricted | ACCESS CONTROL, MEDIA PROTECTION |
4.1.4 Ensure only modern TLS protocols are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.5 Disable weak ciphers | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.6 Ensure custom Diffie-Hellman parameters are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.1.2 Ensure only approved HTTP methods are allowed | PLANNING, SYSTEM AND SERVICES ACQUISITION |
5.2.1 Ensure timeout values for reading the client header and body are set correctly | SYSTEM AND SERVICES ACQUISITION |
5.2.2 Ensure the maximum request body size is set correctly | SYSTEM AND SERVICES ACQUISITION |
5.2.3 Ensure the maximum buffer size for URIs is defined | SYSTEM AND SERVICES ACQUISITION |
5.3.1 Ensure X-Frame-Options header is configured and enabled | SYSTEM AND SERVICES ACQUISITION |
5.3.2 Ensure X-Content-Type-Options header is configured and enabled | SYSTEM AND SERVICES ACQUISITION |
CIS_NGINX_v2.1.0_Level_1_Webserver.audit from CIS NGINX Benchmark v2.1.0 | |