2.3.3 Ensure the NGINX process ID (PID) file is secured

Information

The PID file stores the main process ID of the nginx process. This file should be protected from unauthorized modification.

Rationale:

The PID file should be owned by the user root and the group root. It should be readable by everyone but writable only by root (permissions 644). This prevents unauthorized modification of the PID file, which could cause a denial of service.

Solution

If the PID file is not owned by root, issue this command:

chown root:root /var/run/nginx.pid

If the PID file has permissions greater than 644, issue this command:

chmod u-x,go-wx /var/run/nginx.pid
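
An added example, not part of the benchmark text: a shell function that audits the PID file against the owner and mode stated above and prints the matching remediation command for each finding. The function name audit_pid_file and its optional owner argument are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit a PID file against the owner and mode this item requires.
# audit_pid_file is a hypothetical helper name; requires GNU stat (coreutils).
#
# Usage: audit_pid_file [path] [owner:group]
# Returns 0 if compliant, 1 if a finding is reported, 2 if the file cannot be checked.
audit_pid_file() {
    pid_file="${1:-/var/run/nginx.pid}"
    want_owner="${2:-root:root}"
    rc=0

    # Reject symlinks and non-regular files: GNU stat would describe the
    # link itself, and the result would say nothing about the real PID file.
    if [ -L "$pid_file" ] || [ ! -f "$pid_file" ]; then
        echo "UNKNOWN: $pid_file is missing or not a regular file"
        return 2
    fi

    owner=$(stat -c '%U:%G' "$pid_file") || return 2
    mode=$(stat -c '%a' "$pid_file") || return 2

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $pid_file is owned by $owner, expected $want_owner"
        echo "  fix: chown $want_owner $pid_file"
        rc=1
    fi

    # 0133 = the bits that 'chmod u-x,go-wx' clears (user x, group wx, other wx).
    # Modes stricter than 644 (for example 600) therefore still pass.
    extra=$(( 0$mode & 0133 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL: %s has mode %s (extra bits %03o beyond 644)\n' \
            "$pid_file" "$mode" "$extra"
        echo "  fix: chmod u-x,go-wx $pid_file"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "PASS: $pid_file is $owner with mode $mode"
    return "$rc"
}
```

Pass the path as the first argument if the pid directive in nginx.conf points somewhere other than /var/run/nginx.pid.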

Default Value:

The PID file is owned by root and has permissions 644 by default when building using dnf.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 4de9eca8840c64a574fbc38fef80a2ce31ba2ac6c2d3d50537baf4f87e4dfd07