2.3.2 Ensure access to NGINX directories and files is restricted

Information

Permissions on the /etc/nginx directory should enforce the principle of least privilege.

Rationale:

This ensures that only users who need access to configuration files are able to view them, thus preventing unauthorized access. Other users will need to use sudo in order to access these files.

Solution

By default, all configuration files are readable by other: -rw-r--r--
By default, all directories are readable and executable by other: drwxr-xr-x
To set least-privilege permissions on the nginx configuration files, issue these commands:

find /etc/nginx -type d -exec chmod go-w {} +
find /etc/nginx -type f -exec chmod ug-x,o-rwx {} +
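
To verify the result, the following audit sketch lists anything under the directory that still violates the state the two commands above establish. It is an added example, not part of the benchmark text; the function name nginx_perm_violations is hypothetical, and a find that accepts symbolic modes in -perm (GNU or BSD) is assumed.

```sh
#!/bin/sh
# Added audit example; nginx_perm_violations is a hypothetical helper name.
# Target state produced by the remediation commands:
#   directories: no write bit for group or other      (chmod go-w)
#   files:       no execute bit for user or group,
#                no permission bits at all for other  (chmod ug-x,o-rwx)
# Prints one offending path per line.
# Returns 0 if compliant, 1 if violations exist, 2 if the path is not a directory.
nginx_perm_violations() {
    dir=${1:-/etc/nginx}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    found=$(
        # Directories writable by group or other.
        find "$dir" -type d \( -perm -g=w -o -perm -o=w \) -print
        # Files executable by user/group, or with any bit set for other.
        find "$dir" -type f \( -perm -u=x -o -perm -g=x \
            -o -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
    )
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Run the audit only when a directory is given on the command line,
# e.g.: sh audit.sh /etc/nginx
if [ $# -gt 0 ]; then
    nginx_perm_violations "$1"
fi
```

Reading the modes of files under /etc/nginx may itself require root once other has been stripped, so run the audit with the same privileges used for the remediation.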

Default Value:

By default, all configuration files are readable by other: -rw-r--r--

By default, all directories are readable and executable by other: drwxr-xr-x

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 2eae352e8e03eaf613697edde561770c9c88f6a8e6bd14f05fa873c42b0dc85a