CIS NGINX Benchmark v2.1.0 L1 Webserver

Audit Details

Name: CIS NGINX Benchmark v2.1.0 L1 Webserver

Updated: 10/2/2024

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 36

File Details

Filename: CIS_NGINX_v2.1.0_Level_1_Webserver.audit

Size: 104 kB

MD5: 4042157b363f646f435fb2344c21c07b
SHA256: e7c8767b5c3a74b0748cf8647ce6302438389253202f48be1e12516116876e32

Audit Items

Description / Categories
1.1.1 Ensure NGINX is installed

SYSTEM AND SERVICES ACQUISITION

1.2.1 Ensure package manager repositories are properly configured

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.2.2 Ensure the latest software package is installed

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

2.1.4 Ensure the autoindex module is disabled

CONFIGURATION MANAGEMENT

2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account

ACCESS CONTROL

2.2.2 Ensure the NGINX service account is locked

ACCESS CONTROL, MEDIA PROTECTION

2.2.3 Ensure the NGINX service account has an invalid shell

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.1 Ensure NGINX directories and files are owned by root

ACCESS CONTROL, MEDIA PROTECTION

2.3.2 Ensure access to NGINX directories and files is restricted

ACCESS CONTROL, MEDIA PROTECTION

2.3.3 Ensure the NGINX process ID (PID) file is secured

ACCESS CONTROL, MEDIA PROTECTION

2.3.4 Ensure the core dump directory is secured

ACCESS CONTROL, MEDIA PROTECTION

2.4.1 Ensure NGINX only listens for network connections on authorized ports

PLANNING, SYSTEM AND SERVICES ACQUISITION

2.4.2 Ensure requests for unknown host names are rejected

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0

SYSTEM AND SERVICES ACQUISITION

2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0

SYSTEM AND SERVICES ACQUISITION

2.5.1 Ensure server_tokens directive is set to 'off'

SYSTEM AND SERVICES ACQUISITION

2.5.2 Ensure default error and index.html pages do not reference NGINX

SYSTEM AND SERVICES ACQUISITION

3.1 Ensure detailed logging is enabled

AUDIT AND ACCOUNTABILITY

3.2 Ensure access logging is enabled

AUDIT AND ACCOUNTABILITY

3.3 Ensure error logging is enabled and set to the info logging level

AUDIT AND ACCOUNTABILITY

3.4 Ensure log files are rotated

AUDIT AND ACCOUNTABILITY

4.1.1 Ensure HTTP is redirected to HTTPS

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.2 Ensure a trusted certificate and trust chain is installed

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.3 Ensure private key permissions are restricted

ACCESS CONTROL, MEDIA PROTECTION

4.1.4 Ensure only modern TLS protocols are used

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.5 Disable weak ciphers

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.6 Ensure custom Diffie-Hellman parameters are used

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.2 Ensure only approved HTTP methods are allowed

PLANNING, SYSTEM AND SERVICES ACQUISITION

5.2.1 Ensure timeout values for reading the client header and body are set correctly

SYSTEM AND SERVICES ACQUISITION

5.2.2 Ensure the maximum request body size is set correctly

SYSTEM AND SERVICES ACQUISITION

5.2.3 Ensure the maximum buffer size for URIs is defined

SYSTEM AND SERVICES ACQUISITION

5.3.1 Ensure X-Frame-Options header is configured and enabled

SYSTEM AND SERVICES ACQUISITION

5.3.2 Ensure X-Content-Type-Options header is configured and enabled

SYSTEM AND SERVICES ACQUISITION
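The items above are the checklist; the POSIX shell script below is an added example, not part of the Tenable .audit file or the CIS benchmark, that screens an nginx configuration for a subset of them (2.4.2, 2.4.3, 2.4.4, 2.5.1, 4.1.4, 4.1.8, 5.3.1, 5.3.2) and prints PASS/FAIL per item. The two embedded configurations are constructed samples, and the mapping from item titles to directives and regexes is this example's own reading of the titles, not the check logic of the .audit file.

```shell
# Added example (not from the Tenable .audit file or the CIS benchmark): a POSIX-sh
# screening audit for a subset of the L1 items listed above. Both sample
# configurations are constructed for this example; the directives are real nginx ones.
set -u

# Constructed sample that fails every check below.
WEAK_CONF='
http {
    server_tokens on;
    keepalive_timeout 75;
    send_timeout 60;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen 80;
        server_name example.com;
    }
}
'

# Constructed sample that passes every check below (item numbers in comments).
HARDENED_CONF='
http {
    server_tokens off;                                               # 2.5.1
    keepalive_timeout 10;                                            # 2.4.3
    send_timeout 10;                                                 # 2.4.4
    ssl_protocols TLSv1.2 TLSv1.3;                                   # 4.1.4
    add_header Strict-Transport-Security "max-age=31536000" always;  # 4.1.8
    add_header X-Frame-Options "DENY" always;                        # 5.3.1
    add_header X-Content-Type-Options "nosniff" always;              # 5.3.2
    server {                                  # 2.4.2: catch-all for unknown hosts
        listen 80 default_server;
        server_name _;
        return 444;
    }
    server {
        listen 443 ssl;
        server_name example.com;
        location / { root /var/www/html; }
    }
}
'

# Argument(s) of the first occurrence of directive $2 in config $1, with comments
# and the trailing ";" stripped; prints nothing if the directive is absent.
directive() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);.*$/\1/p" | head -n 1
}
check_directive() { [ "$(directive "$1" "$2")" = "$3" ]; }   # directive $2 is exactly $3

# 2.4.3 / 2.4.4: timeout $2 is set, above 0 and at most 10 seconds ("s" suffix allowed).
check_timeout() {
    v=$(directive "$1" "$2"); v=${v%s}
    case $v in ''|*[!0-9]*) return 1 ;; esac   # absent or in another unit: fail
    [ "$v" -gt 0 ] && [ "$v" -le 10 ]
}

# 4.1.4: ssl_protocols is set and lists none of SSLv2, SSLv3, TLSv1, TLSv1.1.
check_tls_protocols() {
    v=$(directive "$1" ssl_protocols); [ -n "$v" ] || return 1
    for p in $v; do case $p in SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;; esac; done
}

# 4.1.8 / 5.3.1 / 5.3.2: an add_header line for header $2 whose value matches
# extended regex $3 (header names compared case-insensitively).
check_header() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eiq "^[[:space:]]*add_header[[:space:]]+$2[[:space:]]+\"?$3"
}

# 2.4.2: some server block is the catch-all (default_server or server_name _)
# and answers requests for unknown host names with "return 444" (connection dropped).
check_default_server() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        index($0, "{") { depth++; if ($1 == "server") { sdepth = depth; def = 0; rej = 0 } }
        sdepth && /default_server|server_name[ \t]+_;/ { def = 1 }
        sdepth && /return[ \t]+444;/ { rej = 1 }
        index($0, "}") { if (sdepth && depth == sdepth) { if (def && rej) found = 1; sdepth = 0 }; depth-- }
        END { exit found ? 0 : 1 }'
}

# Print PASS/FAIL per item and return the number of failed items (0 = all passed).
report() { item=$1; shift; if "$@"; then echo "PASS $item"; else echo "FAIL $item"; fails=$((fails + 1)); fi; }
audit() {
    fails=0
    report '2.4.2 unknown hosts rejected'  check_default_server "$1"
    report '2.4.3 keepalive_timeout <= 10' check_timeout "$1" keepalive_timeout
    report '2.4.4 send_timeout <= 10'      check_timeout "$1" send_timeout
    report '2.5.1 server_tokens off'       check_directive "$1" server_tokens off
    report '4.1.4 modern TLS protocols'    check_tls_protocols "$1"
    report '4.1.8 HSTS header'             check_header "$1" Strict-Transport-Security 'max-age=[0-9]+'
    report '5.3.1 X-Frame-Options'         check_header "$1" X-Frame-Options '(DENY|SAMEORIGIN)'
    report '5.3.2 X-Content-Type-Options'  check_header "$1" X-Content-Type-Options nosniff
    return $fails
}

# Stand-alone use: sh nginx_l1_audit.sh <file>, <file> being the fully resolved
# configuration (for example the output of "nginx -T") so that included files are seen.
if [ $# -gt 0 ]; then audit "$(cat "$1")"; fi
```

Run it against the output of `nginx -T` rather than against nginx.conf alone, because production configurations pull most directives in through `include`. The script only looks at the first occurrence of each directive, so a value overridden in a nested server or location context is not seen, and items that depend on the package, the service account, log rotation or the certificate chain (1.x, 2.2.x, 2.3.x, 3.4, 4.1.2, 4.1.3) are not covered at all; treat it as a quick screen and the .audit file as the authoritative check.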
