2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account

Information

The nginx user directive designates which user account the nginx worker processes run under. Using a non-privileged, dedicated service account is a defense-in-depth measure that limits what an attacker who compromises the account can do.

Rationale:

Running a web server under a non-privileged, dedicated service account helps mitigate the risk of lateral movement to other services or processes if the user account running the web services is compromised. The default user nobody is typically shared by several processes, and if that account is compromised, an attacker could gain access to all processes running as that user.

Solution

Add a system account for the nginx user with a home directory of /var/cache/nginx and a shell of /sbin/nologin so that it cannot be used to log in, then configure nginx to run as that account:

useradd nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin

Then add the nginx user to /etc/nginx/nginx.conf by adding the user directive as shown below:

user nginx;
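
To confirm the result of the steps above, the following added example (not part of the benchmark text) checks an nginx configuration file and a passwd file for the conditions this control describes. The function names, the file-path parameters and the choice to treat a missing user directive as a failure are assumptions of this sketch; it reads only the named files, not included configuration files or non-local account sources.

```shell
#!/bin/sh
# Added audit sketch for this control; not the benchmark's own audit procedure.
# Paths are parameters so the check can run against copies of the files.

# Print the account named by the first active `user` directive, or nothing.
nginx_conf_user() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "user" { sub(/;.*/, "", $2); print $2; exit }'
}

# Return 0 if the configured account is dedicated and non-privileged,
# 1 otherwise. A one-line reason is printed either way.
check_nginx_user() {
    conf=${1:-/etc/nginx/nginx.conf}
    passwd=${2:-/etc/passwd}

    user=$(nginx_conf_user "$conf")
    if [ -z "$user" ]; then
        echo "FAIL: no user directive in $conf (compiled-in default applies)"
        return 1
    fi
    if [ "$user" = "nobody" ]; then
        echo "FAIL: workers run as shared account 'nobody'"
        return 1
    fi

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "FAIL: account '$user' not found in $passwd"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    if [ "$uid" -eq 0 ]; then
        echo "FAIL: '$user' has UID 0"
        return 1
    fi
    case $shell in
        */nologin|*/false) ;;
        *) echo "FAIL: '$user' has login shell $shell"; return 1 ;;
    esac
    echo "PASS: workers run as '$user' (uid $uid, shell $shell)"
    return 0
}
```

Call `check_nginx_user` with no arguments to audit /etc/nginx/nginx.conf against /etc/passwd on the local host.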

Default Value:

By default, if nginx is compiled from source, the user and group are nobody. If installed from dnf, the user and group are nginx and the account is not privileged.

See Also

https://workbench.cisecurity.org/benchmarks/17381