2.3.4 Ensure the core dump directory is secured

Information

Core dumps are snapshots of memory. The working_directory directive is used to specify the directory NGINX attempts to create core dumps in. Core dumps will be disabled if the directory is not writable by the NGINX user. It is recommended that the working_directory directive be set to a directory that is owned by the root user and the group the NGINX process executes as, and is inaccessible to other users. Usually, production systems should not have this enabled.

Rationale:

Core dumps may contain sensitive information that should not be accessible by other accounts on the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Either remove the working_directory directive from the NGINX configuration files or ensure that the configured directory meets the following requirements:

It is not within the NGINX web document root.

It is owned by root and has a group ownership of the NGINX group:

chown root:nginx /var/log/nginx

It has no read-write-search access permission for other users:

chmod o-rwx /var/log/nginx

Default Value:

The working_directory value is not set by default.

See Also

https://workbench.cisecurity.org/files/4212