2.2.2 Ensure the NGINX service account is locked

Information

The nginx user account should have a valid password, but the account should be locked.

NOTE: If a different account is used to run nginx, that account's name should be substituted for nginx in the audit and remediation procedures.

Rationale:

As a defense-in-depth measure, the nginx user account should be locked to prevent logins and to prevent someone from switching users to nginx using the password. In general, there shouldn't be a need for anyone to have to su as nginx, and when there is a need, sudo should be used instead, which would not require the nginx account password.

Impact:

This ensures the nginx user account may not be used by a human user.

Solution

Use the passwd command to lock the nginx service account. The embedded awk/sed pipeline reads the account name from the user directive in /etc/nginx/nginx.conf, so the command locks whichever account nginx is configured to run as:

passwd -l "$(awk '$1~/^\s*user\s*$/ {print $2}' /etc/nginx/nginx.conf | sed -r 's/;.*//g')"
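The remediation above only locks the account; the matching audit is to confirm that the account named in nginx.conf is actually locked in /etc/shadow. The following helper is an added example, not part of the CIS benchmark or the Tenable plugin; the config file, the "nginx" fallback name and the shadow lines it uses are constructed assumptions so it runs without root or nginx installed.

```shell
#!/bin/sh
# Audit helper added to this page; it is not part of the CIS benchmark or the
# Tenable plugin. It reads the account named by the "user" directive in an
# nginx.conf and classifies that account's /etc/shadow entry as locked,
# nologin or unlocked. The config file and shadow lines below are constructed
# sample input so the helper runs without root and without nginx installed.

# Print the service account from a config file. Falls back to "nginx", the
# name this control uses, when the directive is absent (assumption: substitute
# the distro's account if it differs). Handles the two-argument form
# "user nginx nginx;" and skips commented-out lines such as "#user www;".
nginx_user() {
    u=$(awk '$1 == "user" {print $2; exit}' "$1" | sed 's/;.*//')
    if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'nginx\n'; fi
}

# Classify one /etc/shadow line by its password field: "passwd -l" prefixes
# the existing hash with "!", so "!" means locked while still holding a valid
# password; "*" means no password was ever set; anything else is usable.
shadow_lock_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*) echo locked ;;
        '*')  echo nologin ;;
        *)    echo unlocked ;;
    esac
}

# Live check (needs root to read /etc/shadow): exit 0 only when the account
# named in the config is locked, which is the state this control expects.
audit_nginx_account() {
    acct=$(nginx_user "${1:-/etc/nginx/nginx.conf}")
    line=$(grep "^${acct}:" /etc/shadow) || { echo "no shadow entry for $acct"; return 2; }
    state=$(shadow_lock_state "$line")
    echo "$acct: $state"
    [ "$state" = locked ]
}

# Constructed sample input (not real hashes) for a stand-alone run.
SAMPLE_CONF=$(mktemp)
printf '#user www;\n  user  nginx  nginx;\nworker_processes auto;\n' > "$SAMPLE_CONF"
EMPTY_CONF=$(mktemp)
SAMPLE_LOCKED='nginx:!$6$saltsalt$constructedhash:19000:0:99999:7:::'
SAMPLE_OPEN='nginx:$6$saltsalt$constructedhash:19000:0:99999:7:::'
```

Run `audit_nginx_account /etc/nginx/nginx.conf` as root on a live host; a non-zero exit means the account is not locked and the remediation above still needs to be applied.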

Default Value:

The nginx user is locked by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 2c11cc80d0e75db5ee32eb0ff53869ca260c3d207692d0447178ddc6af3ab7fa