#
# This script is Copyright (C) 2004-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.0 $
# $Date: 2023/08/21 $
#
# description : This document implements the security configuration as recommended by the
# CIS NGINX Benchmark v2.0.1
#
# CIS NGINX Benchmark v2.0.1 L1 Webserver
#
# CIS
# NGINX L1 Webserver
# 2.0.1
# https://workbench.cisecurity.org/files/4538
#
# nginx,webserver,agent,unix,update_20230227
# CCE,CSCv6,CSCv7,CSCv8,LEVEL
#
# CLIENT_MAX_BODY_SIZE
# 100K
# Client Max Body Size
# Limiting the size of the request body helps prevent unexpectedly long or large client requests from being passed to an application to perform buffer overflow attacks.
# STRING
#
# LARGE_CLIENT_HEADER_BUFFERS
# 2 1k
# Large Client Header Buffers
# The large_client_header_buffers directive may assist in preventing buffer overflow attacks that leverage long URI query parameters.
# STRING
#
# LOGROTATE_ROTATE
# 13
# Logrotate Rotate Number
# Log files are rotated this number of times before being removed.
# INTEGER
#
# NGINX_CONFIG_DIR
# /etc/nginx
# NGINX configuration directory
# The location of NGINX configuration files.
# UNIX_FILE_PATH
#
# NGINX_KEY
# /etc/nginx/nginx.key
# NGINX key file
# The location of the NGINX server private key file.
# UNIX_FILE_PATH
#
# NGINX_USER
# nginx
# NGINX user account
# The user which the NGINX process runs as.
# UNIX_ACCT
#

type : CMD_EXEC
description : "Check if NGINX installed"
cmd : "nginx -v"
expect : "nginx[\\s]+version[\\s]*:"

description : "CIS_NGINX_v2.0.1_Level_1_Webserver.audit from CIS NGINX Benchmark v2.0.1"
see_also : "https://workbench.cisecurity.org/files/4538"

system : "Linux"
type : CMD_EXEC
description : "1.1.1 Ensure NGINX is installed"
info : "The CIS NGINX Benchmark recommends using the NGINX binary provided by your vendor for most situations.
As an alternative, packages from nginx.org are available for a variety of platforms, including Linux and FreeBSD.

Rationale:

The main benefits of using NGINX packages from your vendor are:
Ease of installation
Dependency resolution
Increased effectiveness of maintenance and security patches
Q&A procedures carried out by your vendor"
solution : "Configure and set up Nginx
sudo su
dnf update -y && dnf install dnf-utils -y
cat << EOF > /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/rhel/8/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
dnf install nginx -y

Default Value:

NGINX is not installed by default."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -v"
expect : "nginx[\\s]+version[\\s]*:"
dont_echo_cmd : YES

type : FILE_CHECK
description : "1.2.1 Check for dnf"
file : "/usr/bin/dnf"

system : "Linux"
type : CMD_EXEC
description : "1.2.1 Ensure package manager repositories are properly configured"
info : "Systems need to have package manager repositories properly configured to ensure they receive the latest patches and updates.

Rationale:

If a system's package manager repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software."
solution : "Configure your package manager repositories according to your vendor. As an alternative, package manager repositories from nginx.org are available for a variety of Linux platforms."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/dnf repolist -v nginx-stable"
expect : "Repo-status[\\s]*:[\\s]*enabled"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "1.2.2 Ensure the latest software package is installed"
info : "As new security vulnerabilities are discovered, the corresponding fixes are implemented by your NGINX software package provider. Installing the latest software version ensures these fixes are available on your system.

Rationale:

Up-to-date software provides the best possible protection against exploitation of security vulnerabilities, such as the execution of malicious code."
solution : "To install the latest NGINX package, run the following command:

Redhat:
dnf update nginx -y"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/dnf info nginx | grep 'Available Packages' | awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
dont_echo_cmd : YES

type : FILE_CHECK
description : "1.2.1 Check for yum"
file : "/usr/bin/yum"

system : "Linux"
type : CMD_EXEC
description : "1.2.1 Ensure package manager repositories are properly configured"
info : "Systems need to have package manager repositories properly configured to ensure they receive the latest patches and updates.

Rationale:

If a system's package manager repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software."
solution : "Configure your package manager repositories according to your vendor. As an alternative, package manager repositories from nginx.org are available for a variety of Linux platforms."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/yum repolist -v nginx-stable"
expect : "Repo-status[\\s]*:[\\s]*enabled"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "1.2.2 Ensure the latest software package is installed"
info : "As new security vulnerabilities are discovered, the corresponding fixes are implemented by your NGINX software package provider. Installing the latest software version ensures these fixes are available on your system.

Rationale:

Up-to-date software provides the best possible protection against exploitation of security vulnerabilities, such as the execution of malicious code."
solution : "To install the latest NGINX package, run the following command:

Redhat:
dnf update nginx -y"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/yum info nginx | grep 'Available Packages' | awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
dont_echo_cmd : YES

type : FILE_CHECK
description : "1.2.1 Check for apt-cache"
file : "/usr/bin/apt-cache"

system : "Linux"
type : CMD_EXEC
description : "1.2.1 Ensure package manager repositories are properly configured"
info : "Systems need to have package manager repositories properly configured to ensure they receive the latest patches and updates.

Rationale:

If a system's package manager repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software."
solution : "Configure your package manager repositories according to your vendor. As an alternative, package manager repositories from nginx.org are available for a variety of Linux platforms."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/apt-cache policy | grep nginx"
expect : "http://nginx.org/packages"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "1.2.2 Ensure the latest software package is installed"
info : "As new security vulnerabilities are discovered, the corresponding fixes are implemented by your NGINX software package provider. Installing the latest software version ensures these fixes are available on your system.

Rationale:

Up-to-date software provides the best possible protection against exploitation of security vulnerabilities, such as the execution of malicious code."
solution : "To install the latest NGINX package, run the following command:

Redhat:
dnf update nginx -y"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/apt list nginx"
expect : "\\[installed.*\\]"
dont_echo_cmd : YES

type : FILE_CHECK
description : "1.2.1 Check for zypper"
file : "/usr/bin/zypper"

system : "Linux"
type : CMD_EXEC
description : "1.2.1 Ensure package manager repositories are properly configured"
info : "Systems need to have package manager repositories properly configured to ensure they receive the latest patches and updates.

Rationale:

If a system's package manager repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software."
solution : "Configure your package manager repositories according to your vendor. As an alternative, package manager repositories from nginx.org are available for a variety of Linux platforms."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/zypper repos nginx"
expect : "Enabled[\\s]*:[\\s]*Yes"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "1.2.2 Ensure the latest software package is installed"
info : "As new security vulnerabilities are discovered, the corresponding fixes are implemented by your NGINX software package provider. Installing the latest software version ensures these fixes are available on your system.

Rationale:

Up-to-date software provides the best possible protection against exploitation of security vulnerabilities, such as the execution of malicious code."
solution : "To install the latest NGINX package, run the following command:

Redhat:
dnf update nginx -y"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "/usr/bin/zypper info nginx"
expect : "Status[\\s]*:[\\s]*up-to-date"
dont_echo_cmd : YES

description : "1.2.1 Ensure package manager repositories are properly configured"
info : "Systems need to have package manager repositories properly configured to ensure they receive the latest patches and updates.

Rationale:

If a system's package manager repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Configure your package manager repositories according to your vendor. As an alternative, package manager repositories from nginx.org are available for a variety of Linux platforms."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"

description : "1.2.2 Ensure the latest software package is installed"
info : "As new security vulnerabilities are discovered, the corresponding fixes are implemented by your NGINX software package provider. Installing the latest software version ensures these fixes are available on your system.

Rationale:

Up-to-date software provides the best possible protection against exploitation of security vulnerabilities, such as the execution of malicious code.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "To install the latest NGINX package, run the following command:

Redhat:
dnf update nginx -y"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4538"

system : "Linux"
type : CMD_EXEC
description : "2.1.4 Ensure the autoindex module is disabled"
info : "The autoindex module processes requests ending with the slash character. This feature enables directory listing, which could be useful in attacker reconnaissance, so it should be disabled.

Rationale:

Automated directory listings may reveal information helpful to an attacker, such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed."
solution : "Perform the following to disable the autoindex module:

Search the NGINX configuration files (nginx.conf and any included configuration files) to find autoindex directives.
egrep -i '^\s*autoindex\s+' /etc/nginx/nginx.conf
egrep -i '^\s*autoindex\s+' /etc/nginx/conf.d/*

Set the value for all autoindex directives to off, or remove those directives.

Default Value:

This module is not enabled by default."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53r5|CM-7,800-53r5|CM-7(1),CSCv7|2.8,CSCv8|2.6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|CM-7(1),LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*autoindex[ ]*on' | awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

system : "Linux"
type : CMD_EXEC
description : "2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf"
info : "The nginx user directive designates which user account nginx worker processes run under. Ensuring a non-privileged, dedicated service account is used is a defense in depth measure to limit what an attacker who compromises the account can do.

Rationale:

Running a web server under a non-privileged, dedicated service account helps mitigate the risk of lateral movement to other services or processes in the event the user account running the web services is compromised. The default user nobody is typically used for several processes, and if this is compromised, it could allow an attacker to have access to all processes running as that user."
solution : "Add a system account for the nginx user with a home directory of /var/cache/nginx and a shell of /sbin/nologin so it does not have the ability to log in, then add the nginx user to be used by nginx:
useradd nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin
Then add the nginx user to /etc/nginx/nginx.conf by adding the user directive as shown below:
user nginx;

Default Value:

By default, if nginx is compiled from source, the user and group are nobody. If downloaded from dnf, the user and group nginx and the account are not privileged."
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*user'"
expect : "^[\\s]*user[\\s]+@NGINX_USER@[\\s]*;"

system : "Linux"
type : CMD_EXEC
description : "2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo"
info : "The nginx user directive designates which user account nginx worker processes run under. Ensuring a non-privileged, dedicated service account is used is a defense in depth measure to limit what an attacker who compromises the account can do.

Rationale:

Running a web server under a non-privileged, dedicated service account helps mitigate the risk of lateral movement to other services or processes in the event the user account running the web services is compromised. The default user nobody is typically used for several processes, and if this is compromised, it could allow an attacker to have access to all processes running as that user."
solution : "Add a system account for the nginx user with a home directory of /var/cache/nginx and a shell of /sbin/nologin so it does not have the ability to log in, then add the nginx user to be used by nginx:
useradd nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin
Then add the nginx user to /etc/nginx/nginx.conf by adding the user directive as shown below:
user nginx;

Default Value:

By default, if nginx is compiled from source, the user and group are nobody.
If downloaded from dnf, the user and group nginx and the account are not privileged."
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "sudo -l -U @NGINX_USER@ 2>&1"
expect : "(not allowed to run sudo|not found)"

system : "Linux"
type : CMD_EXEC
description : "2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups"
info : "The nginx user directive designates which user account nginx worker processes run under. Ensuring a non-privileged, dedicated service account is used is a defense in depth measure to limit what an attacker who compromises the account can do.

Rationale:

Running a web server under a non-privileged, dedicated service account helps mitigate the risk of lateral movement to other services or processes in the event the user account running the web services is compromised. The default user nobody is typically used for several processes, and if this is compromised, it could allow an attacker to have access to all processes running as that user."
solution : "Add a system account for the nginx user with a home directory of /var/cache/nginx and a shell of /sbin/nologin so it does not have the ability to log in, then add the nginx user to be used by nginx:
useradd nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin
Then add the nginx user to /etc/nginx/nginx.conf by adding the user directive as shown below:
user nginx;

Default Value:

By default, if nginx is compiled from source, the user and group are nobody. If downloaded from dnf, the user and group nginx and the account are not privileged."
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "groups @NGINX_USER@"
expect : "^[\\s]*nginx[\\s]*:[\\s]*[^\\s]+[\\s]*$"

system : "Linux"
type : CMD_EXEC
description : "2.2.2 Ensure the NGINX service account is locked"
info : "The nginx user account should have a valid password, but the account should be locked.

NOTE: If a different account is used to run nginx, that account's name should be substituted for nginx in the audit and remediation procedures.

Rationale:

As a defense-in-depth measure, the nginx user account should be locked to prevent logins and to prevent someone from switching users to nginx using the password. In general, there shouldn't be a need for anyone to have to su as nginx, and when there is a need, sudo should be used instead, which would not require the nginx account password.
Impact:

This ensures the nginx user account may not be used by a human user."
solution : "Use the passwd command to lock the nginx service account:
passwd -l \"$(awk '$1~/^\s*user\s*$/ {print $2}' /etc/nginx/nginx.conf | sed -r 's/;.*//g')\"

Default Value:

The nginx user is locked by default."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "passwd -S @NGINX_USER@"
expect : "nginx[\\s]+(L|LK)[\\s]+"
dont_echo_cmd : YES

system : "Linux"
type : FILE_CONTENT_CHECK
description : "2.2.3 Ensure the NGINX service account has an invalid shell - /etc/passwd"
info : "The nginx account should not have the ability to log in, so the /sbin/nologin shell should be set for the account.

Rationale:

The account used for nginx should only be used for the nginx service and does not need to have the ability to log in. This prevents an attacker who compromises the account from logging in with it."
solution : "Change the login shell for the nginx account to /sbin/nologin by using the following command:
usermod -s /sbin/nologin nginx

Default Value:

The nginx user has a shell of /sbin/nologin by default on RHEL systems."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4538"
file : "/etc/passwd"
regex : "^@NGINX_USER@:"
expect : "^@NGINX_USER@:.*:/sbin/nologin$"

system : "Linux"
type : CMD_EXEC
description : "2.2.3 Ensure the NGINX service account has an invalid shell - script"
info : "The nginx account should not have the ability to log in, so the /sbin/nologin shell should be set for the account.

Rationale:

The account used for nginx should only be used for the nginx service and does not need to have the ability to log in. This prevents an attacker who compromises the account from logging in with it."
solution : "Change the login shell for the nginx account to /sbin/nologin by using the following command: usermod -s /sbin/nologin nginx Default Value: The nginx user has a shell of /sbin/nologin by default on RHEL systems." reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "l_output=\"\" l_output2=\"\" l_out=\"\"; if [ -f /etc/nginx/nginx.conf ]; then l_user=\"$(awk '$1~/^\s*user\s*$/ {print $2}' /etc/nginx/nginx.conf | sed -r 's/;.*//g')\"; l_valid_shells=\"^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$\"; l_out=\"$(awk -v pat=\"$l_valid_shells\" -v ngusr=\"$l_user\" -F: '($(NF) ~ pat && $1==ngusr) { print $(NF) }' /etc/passwd)\"; if [ -z \"$l_out\" ]; then l_output=\" - NGINX user account: \"$l_user\" has an invalid shell\"; else l_output2=\" - NGINX user account: \"$l_user\" has a valid shell: \"$l_out\"\"; fi; else l_output2=\" - NGINX user account can not be determined.; - file: \"/etc/nginx/nginx.conf\" is missing\"; fi; if [ -z \"$l_output2\" ]; then 
echo \" - Audit Result: ** PASS ** $l_output\"; else echo \" - Audit Result: ** FAIL ** - Reason(s) for audit failure: $l_output2\"; fi" expect : "[\\s]*-[\\s]*Audit Result:[\\s]*\\*\\*[\\s]*PASS[\\s]*\\*\\*.*" system : "Linux" type : FILE_CHECK description : "2.3.1 Ensure NGINX directories and files are owned by root" info : "The owner and group of the /etc/nginx directory and its files should be root. Rationale: Setting ownership to only those users in the root group and the root user will reduce the likelihood of unauthorized modifications to the nginx configuration files." solution : "Run the following command to ensure ownership and group ownership is set to root: chown -R root:root /etc/nginx Default Value: The default ownership and group for nginx is root." reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/4538" file : "@NGINX_CONFIG_DIR@" owner : "root" group : "root" system : "Linux" type : CMD_EXEC description : "2.3.2 Ensure access to NGINX directories and 
files is restricted - Directories" info : "Permissions on the /etc/nginx directory should enforce the principle of least privilege. Rationale: This ensures that only users who need access to configuration files are able to view them, thus preventing unauthorized access. Other users will need to use sudo in order to access these files." solution : "Permissions are set with the ability to read as other by default on all configuration files: -rw-r--r-- Permissions are set with the ability to read and execute as other by default on all directories: drwxr-xr-x To set permissions to least privilege on the nginx configuration files, issue these commands: find /etc/nginx -type d -exec chmod go-w {} + find /etc/nginx -type f -exec chmod ug-x,o-rwx {} + Default Value: Permissions are set with the ability to read as other by default on all configuration files: -rw-r--r-- Permissions are set with the ability to read and execute as other by default on all directories: drwxr-xr-x" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" 
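Worked example for 2.3.2, extended to the PID-file mode required by 2.3.3 that follows. It is added here as an illustration and is not part of the CIS benchmark or of this audit file. The script audits an NGINX configuration tree with the same find(1) mode tests the checks use, remediates it, and audits again. It runs against a constructed scratch tree under mktemp, so it is safe to try; the file names in that tree and the paths $root/etc/nginx and $root/run/nginx.pid standing in for /etc/nginx and /var/run/nginx.pid are assumptions of the example. One caveat it makes visible: the benchmark's file remediation (chmod ug-x,o-rwx) does not clear group write, so a group-writable configuration file still fails the Files audit after it; the remediation function below adds g-w.

```shell
#!/bin/sh
# Added example for 2.3.2 and 2.3.3 (not part of the CIS benchmark or this audit file).
# Builds a scratch NGINX tree with deliberately wrong modes (constructed data), audits it
# with the benchmark's find(1) tests, remediates it, and audits again.

# 2.3.2 (Directories): directories writable by group or others.
audit_nginx_dirs() {
  find "$1" -type d -perm /g+w,o+w | sort
}

# 2.3.2 (Files): files executable by the owner, or writable/executable by group or others.
audit_nginx_files() {
  find "$1" -type f -perm /u+x,g+wx,o+wx | sort
}

# 2.3.3: the PID file must be 644 or stricter (no owner exec, no group/other write or exec).
# Returns 0 when compliant, 1 otherwise; -maxdepth 0 tests only the named file.
audit_pid_mode() {
  [ -f "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /u+x,g+wx,o+wx)" ]
}

# Remediation. The benchmark's file command is "chmod ug-x,o-rwx", which leaves a
# group-writable file group-writable and therefore still failing audit_nginx_files;
# g-w is added so the tree passes afterwards.
harden_nginx_tree() {
  find "$1" -type d -exec chmod go-w {} +
  find "$1" -type f -exec chmod ug-x,g-w,o-rwx {} +
}

# 2.3.3 remediation as given in the benchmark.
harden_pid_file() {
  chmod u-x,go-wx "$1"
}

# Constructed scratch tree; prints its root. $root/etc/nginx stands in for /etc/nginx,
# $root/run/nginx.pid for /var/run/nginx.pid (both names are assumptions of this example).
make_demo_tree() {
  root="$(mktemp -d)"
  mkdir -p "$root/etc/nginx/conf.d" "$root/run"
  printf 'user nginx;\n' > "$root/etc/nginx/nginx.conf"
  printf 'server { listen 80; }\n' > "$root/etc/nginx/conf.d/default.conf"
  printf '1234\n' > "$root/run/nginx.pid"
  chmod 755 "$root/etc/nginx"                        # compliant
  chmod 777 "$root/etc/nginx/conf.d"                 # world-writable directory: 2.3.2 finding
  chmod 644 "$root/etc/nginx/nginx.conf"             # compliant
  chmod 664 "$root/etc/nginx/conf.d/default.conf"    # group-writable file: 2.3.2 finding
  chmod 664 "$root/run/nginx.pid"                    # too permissive: 2.3.3 finding
  printf '%s\n' "$root"
}

# Stand-alone run: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  root="$(make_demo_tree)"
  echo "== before"; audit_nginx_dirs "$root/etc/nginx"; audit_nginx_files "$root/etc/nginx"
  audit_pid_mode "$root/run/nginx.pid" || echo "$root/run/nginx.pid is not 644 or stricter"
  harden_nginx_tree "$root/etc/nginx"; harden_pid_file "$root/run/nginx.pid"
  echo "== after (no output from the audits means compliant)"
  audit_nginx_dirs "$root/etc/nginx"; audit_nginx_files "$root/etc/nginx"
  audit_pid_mode "$root/run/nginx.pid" && echo "$root/run/nginx.pid ok"
  rm -rf "$root"
fi
```

To audit a real host, call audit_nginx_dirs /etc/nginx, audit_nginx_files /etc/nginx and audit_pid_mode /var/run/nginx.pid as root. The -perm / syntax is GNU find's, as in the benchmark's own commands. Ownership (2.3.1) is not covered here because changing it needs root and is a separate check.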
see_also : "https://workbench.cisecurity.org/files/4538" cmd : "find /etc/nginx -type d -perm /g+w,o+w -exec stat -Lc \"%n %a\" {} + | awk '{print} END {if (NR == 0) print \"Directories have proper restrictions\"}'" expect : "Directories have proper restrictions" dont_echo_cmd : YES system : "Linux" type : CMD_EXEC description : "2.3.2 Ensure access to NGINX directories and files is restricted - Files" info : "Permissions on the /etc/nginx directory should enforce the principle of least privilege. Rationale: This ensures that only users who need access to configuration files are able to view them, thus preventing unauthorized access. Other users will need to use sudo in order to access these files." solution : "Permissions are set with the ability to read as other by default on all configuration files: -rw-r--r-- Permissions are set with the ability to read and execute as other by default on all directories: drwxr-xr-x To set permissions to least privilege on the nginx configuration files, issue these commands: find /etc/nginx -type d -exec chmod go-w {} + find /etc/nginx -type f -exec chmod ug-x,o-rwx {} + Default Value: Permissions are set with the ability to read as other by default on all configuration files: -rw-r--r-- Permissions are set with the ability to read and execute as other by default on all directories: drwxr-xr-x" reference : 
"800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "find /etc/nginx -type f -perm /u+x,g+wx,o+wx -exec stat -Lc \"%n %a\" {} + | awk '{print} END {if (NR == 0) print \"Files have proper restrictions\"}'" expect : "Files have proper restrictions" dont_echo_cmd : YES system : "Linux" type : FILE_CHECK description : "2.3.3 Ensure the NGINX process ID (PID) file is secured" info : "The PID file stores the main process ID of the nginx process. This file should be protected from unauthorized modification. Rationale: The PID file should be owned by root and the group root. It should also be readable to everyone, but only writable by root (permissions 644). This will prevent unauthorized modification of the PID file, which could cause a denial of service." 
solution : "If the PID file is not owned by root, issue this command: chown root:root /var/run/nginx.pid If the PID file has permissions greater than 644, issue this command: chmod u-x,go-wx /var/run/nginx.pid Default Value: The PID file is owned by root and has permissions 644 by default when building using dnf." reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/4538" file : "/var/run/nginx.pid" owner : "root" mask : "133" group : "root" system : "Linux" type : CMD_EXEC description : "2.3.4 Ensure the core dump directory is secured" info : "Core dumps are snapshots of memory. The working_directory directive is used to specify the directory NGINX attempts to create core dumps in. Core dumps will be disabled if the directory is not writable by the NGINX user. It is recommended that the working_directory directive be set to a directory that is owned by the root user and the group the NGINX process executes as, and is inaccessible to other users. 
Usually, production systems should not have this enabled. Rationale: Core dumps may contain sensitive information that should not be accessible by other accounts on the system. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Either remove the working_directory directive from the NGINX configuration files or ensure that the configured directory meets the following requirements: It is not within the NGINX web document root. It is owned by root and has a group ownership of the NGINX group: chown root:nginx /var/log/nginx It has no read-write-search access permission for other users: chmod o-rwx /var/log/nginx Default Value: The working_directory value is not set by default." reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*working_directory[ ]*' | awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" dont_echo_cmd : YES severity : MEDIUM system : "Linux" 
type : CMD_EXEC description : "2.4.1 Ensure NGINX only listens for network connections on authorized ports" info : "NGINX can be configured to listen on any port, but it should be configured to listen on authorized ports only. Rationale: Limiting the listening ports to only those that are authorized helps to ensure no unauthorized services are running through the use of NGINX. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "If any ports are listening that are not authorized, comment out or delete the associated configuration for that listener. Default Value: Only port 80 is listening by default." reference : "800-171|3.13.1,800-171|3.13.2,800-53|PL-8,800-53|SA-8,800-53r5|PL-8,800-53r5|SA-8,CSCv7|9.2,CSCv8|16.10,CSF|ID.AM-3,CSF|PR.IP-2,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ITSG-33|SA-8,ITSG-33|SA-8a.,LEVEL|1M,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|SS3,NIAv2|VL2,QCSC-v1|4.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*listen[^;]*;' | awk '{print} END {if (NR == 0) print \"none\"}'" expect : "Manual Review Required" dont_echo_cmd : YES severity : MEDIUM description : "2.4.2 Ensure requests for unknown host names are rejected" info : "The Host header should be part of a predefined allowlist of known good hosts, which enables blocking access to other hosts. You should treat the Host header as another input to be validated, as it is defined by the user agent. Rationale: By allowlisting specific hosts and blocking access to all other hosts, you help to mitigate host header injection attacks against your server. Such attacks could be used by an attacker to redirect you to a rogue host and execute scripts or get you to input credentials. 
Impact: If you are in an environment such as the cloud, you should not put an IP address or default hostname as your server_name because these addresses are often ephemeral in nature. Additionally, you will be blocked from accessing your site if you use a means of access that does not directly reference names in the server_name directive. You should reserve a DNS name to use for implementing this recommendation. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "Ensure your first server block mirrors the below in your nginx configuration, either at /etc/nginx/nginx.conf or any included file within your nginx config: server { return 404; } Then investigate each server block to ensure the server_name directive is explicitly defined. Each server block should look similar to the below with the defined hostname of the associated server block in the server_name directive. For example, if your server is cisecurity.org, the configuration should look like the below example: server { listen 443; server_name cisecurity.org; ..... } Default Value: This is not set by default." 
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/4538" system : "Linux" type : CMD_EXEC description : "2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0" info : "Persistent connections are leveraged by all modern browsers to facilitate greater web performance. The keep-alive timeout limits the time a persistent connection may remain open. Setting the keep-alive timeout allows this timeout to be controlled on the server side. Rationale: Setting a keep-alive timeout on the server side helps mitigate denial of service attacks that establish too many persistent connections, exhausting server resources." solution : "Find the HTTP or server block of your nginx configuration, and add the keepalive_timeout directive. Set it to 10 seconds or less, but not 0. This example command sets it to 10 seconds: keepalive_timeout 10; Default Value: By default, this timeout is dictated by the user agent and varies. It is not set on the server side by default." 
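Worked example for 2.4.3 and for the send_timeout recommendation 2.4.4 that follows. It is added here and is not part of the benchmark or of this audit file. A single-line regular expression over nginx -T output cannot express "greater than zero, at most ten seconds, in any of nginx's time units", cannot notice that the directive is absent (in which case the compiled-in defaults of 75s for keepalive_timeout and 60s for send_timeout apply), and cannot tell that the directive is set correctly in one block and to 0 in another. The shell functions below convert nginx time values to milliseconds and judge every occurrence of a directive against the rule. The two configuration texts are constructed samples shaped like nginx -T output, not real dumps.

```shell
#!/bin/sh
# Added example for 2.4.3 (keepalive_timeout) and 2.4.4 (send_timeout); not part of the
# CIS benchmark or this audit file. Evaluates every occurrence of a timeout directive in
# nginx -T output against "10 seconds or less, but not 0".

# to_ms VALUE: print an nginx time value in milliseconds (a bare number means seconds).
# Returns 1 for anything that is not a non-negative integer with an optional unit.
to_ms() {
  case "$1" in
    *ms) n="${1%ms}"; mult=1 ;;
    *s)  n="${1%s}";  mult=1000 ;;
    *m)  n="${1%m}";  mult=60000 ;;
    *h)  n="${1%h}";  mult=3600000 ;;
    *d)  n="${1%d}";  mult=86400000 ;;
    *)   n="$1";      mult=1000 ;;
  esac
  case "$n" in
    ''|*[!0-9]*) return 1 ;;
  esac
  echo $((n * mult))
}

# check_timeout DIRECTIVE CONFIG_TEXT: prints one PASS/FAIL line per occurrence and returns 0
# only if the directive is present and every occurrence is > 0 and <= 10 s. Comments are
# stripped first. Only the first argument is judged: keepalive_timeout's optional second
# argument is the value sent in the Keep-Alive header, not the connection timeout.
check_timeout() {
  directive="$1"; conf="$2"; rc=0; found=0
  vals="$(printf '%s\n' "$conf" | sed 's/#.*//' |
          awk -v d="$directive" '$1 == d { sub(/;$/, "", $2); print $2 }')"
  for v in $vals; do
    found=1
    if ms="$(to_ms "$v")"; then
      if [ "$ms" -gt 0 ] && [ "$ms" -le 10000 ]; then
        echo "PASS $directive $v"
      else
        echo "FAIL $directive $v (must be greater than 0 and at most 10s)"; rc=1
      fi
    else
      echo "FAIL $directive $v (unrecognised time value)"; rc=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "FAIL $directive is not set, so the compiled-in default applies (75s keepalive, 60s send)"; rc=1
  fi
  return "$rc"
}

# Constructed samples in the shape of nginx -T output (not real dumps).
SAMPLE_CONF='http {
    keepalive_timeout 0;          # 0 disables keep-alive: fails "but not 0"
    send_timeout 60s;             # the compiled-in default, too long
    server {
        listen 443 ssl;
        keepalive_timeout 10 10;  # 10 s connection timeout plus header value: passes
        send_timeout 5;           # passes
    }
}'
HARDENED_CONF='http {
    keepalive_timeout 10;
    send_timeout 500ms;
}'

# Stand-alone run: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  for d in keepalive_timeout send_timeout; do
    echo "== $d, sample";   check_timeout "$d" "$SAMPLE_CONF"   || true
    echo "== $d, hardened"; check_timeout "$d" "$HARDENED_CONF" || true
  done
fi
```

Against a live host, pass the dump in as the second argument: check_timeout keepalive_timeout "$(nginx -T 2>/dev/null)". The same function works for any other single-value timeout directive (client_body_timeout, client_header_timeout) if your policy sets limits for those too.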
reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*keepalive_timeout[ ]*'" expect : "^[\\s]*keepalive_timeout[\\s]+(10|[1-9])s?([\\s]+[0-9]+s?)?[\\s]*;" dont_echo_cmd : YES system : "Linux" type : CMD_EXEC description : "2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0" info : "The send_timeout directive sets a timeout for transmitting a response to the client between two successive write operations. Rationale: Setting the send_timeout directive on the server side helps mitigate slow HTTP denial of service attacks by ensuring write operations taking up large amounts of time are closed." solution : "Find the HTTP or server block of your nginx configuration, and add the send_timeout directive. Set it to 10 seconds or less, but not 0. send_timeout 10; Default Value: send_timeout 60s;" reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*send_timeout[ ]*'" expect : "^[\\s]*send_timeout[\\s]+(10|[1-9])s?[\\s]*;" dont_echo_cmd : YES system : "Linux" type : CMD_EXEC description : "2.5.1 Ensure server_tokens directive is set to 'off'" info : "The server_tokens directive is responsible for displaying the NGINX version number and operating system version on error pages and in the Server HTTP response header field. This information should not be displayed. Rationale: Attackers can conduct reconnaissance on a website using these response headers, then target attacks for specific known vulnerabilities associated with the underlying technologies. Hiding the version will slow down and deter some potential attackers." 
solution : "To disable the server_tokens directive, set it to off inside of every server block in your nginx.conf or in the http block: server { ... server_tokens off; ... } Default Value: The default value of server_tokens is on." reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*server_tokens[ ]*'" expect : "^[\\s]*server_tokens[\\s]+off[\\s]*;" system : "Linux" type : CMD_EXEC description : "2.5.2 Ensure default error and index.html pages do not reference NGINX" info : "The default error and index.html pages for NGINX reveal that the server is NGINX. These default pages should be removed or modified so they do not advertise the underlying infrastructure of the server. Rationale: By gathering information about the server, attackers can target attacks against its known vulnerabilities. Removing pages that disclose the server runs NGINX helps reduce targeted attacks on the server." solution : "Edit /usr/share/nginx/html/index.html and /usr/share/nginx/html/50x.html and remove any lines that reference NGINX." reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "grep -i nginx /usr/share/nginx/html/*.html | awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" dont_echo_cmd : YES description : "3.1 Ensure detailed logging is enabled" info : "System logging should be configured to meet your organizational security and privacy policies. Enabling detailed logging to include information about events, event sources, timestamps, and users may assist in incident response activities. NOTE: Aim to keep sensitive information out of logs. For example, keep sensitive values out of query strings and URIs, since those are recorded in the access log. 
Rationale: Performing detailed logging ensures that incident responders, auditors, and others are able to clearly view the activity that has occurred on your server. CIS control 8.5: 'Collect Detailed Audit Logs' recommends that you configure detailed audit logging for enterprise assets containing sensitive data. It further recommends you include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "Edit the log_format directive in /etc/nginx/nginx.conf so it logs everything needed to meet your organizational policies. Default Value: log_format main '$remote_addr - $remote_user [$time_local] \"$request\" ' '$status $body_bytes_sent \"$http_referer\" ' '\"$http_user_agent\" \"$http_x_forwarded_for\"';" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/4538" system : "Linux" type : CMD_EXEC description : "3.2 Ensure access logging is enabled" info : "The access_log directive should be on for every core site. It is enabled by default. 
Rationale: Access logging allows incident responders and auditors to investigate access to a system in the event of an incident." solution : "Ensure the access_log directive is configured for every core site your organization requires logging for. This should look similar to the below configuration snippet. You may use different log file locations based on your needs. access_log /var/log/nginx/host.access.log main; Default Value: The access log is enabled by default." reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*access_log[ ]*off' | awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" dont_echo_cmd : YES system : "Linux" type : CMD_EXEC description : "3.3 Ensure error logging is enabled and set to the info logging level" info : "All errors for applications should be logged. Rationale: Error logging can be useful in identifying an attacker attempting to exploit a system and recreating an attacker's steps. Error logging also helps with identifying possible issues with an application." solution : "Edit /etc/nginx/nginx.conf so the error_log directive is present and not commented out. 
The error_log should be configured to the logging location of your choice. The configuration should look similar to the below: error_log /var/log/nginx/error_log.log info;" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*error_log[ ]*'" expect : "^[\\s]*error_log[\\s]+[^\\s]+[\\s]+info[\\s]*;" dont_echo_cmd : YES system : "Linux" type : FILE_CONTENT_CHECK description : "3.4 Ensure log files are rotated - weekly" info : "Log rotation ensures log files do not consume excessive disk space, potentially causing a denial of service. Rationale: Log files are important to track activity that occurs on your server, but they take up significant amounts of space. Log rotation should be configured in order to ensure the logs do not consume so much disk space that logging becomes unavailable." solution : "Follow the below procedure to change the default configuration to the recommended log rotation configuration. You may need to manually edit or change the below command if the configuration is not the default. 
To change log rotation from daily to weekly: sed -i 's/daily/weekly/' /etc/logrotate.d/nginx To keep 13 rotated logs (a quarter's worth at weekly rotation) instead of 52: sed -i 's/rotate 52/rotate 13/' /etc/logrotate.d/nginx Default Value: cat /etc/logrotate.d/nginx /var/log/nginx/*.log { daily missingok rotate 52 compress delaycompress notifempty create 640 nginx adm sharedscripts postrotate if [ -f /var/run/nginx.pid ]; then kill -USR1 $(cat /var/run/nginx.pid) fi endscript } Additional Information: You should always comply with your organizational log retention policy." reference : "800-53|AU-4,800-53r5|AU-4,CSCv7|6.4,CSCv8|8.3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-4,LEVEL|1A,NESA|T3.3.1,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/files/4538" file : "/etc/logrotate.d/nginx" regex : "^[\\s]*weekly" expect : "^[\\s]*weekly[\\s]*$" system : "Linux" type : FILE_CONTENT_CHECK description : "3.4 Ensure log files are rotated - rotate" info : "Log rotation ensures log files do not consume excessive disk space, potentially causing a denial of service. Rationale: Log files are important to track activity that occurs on your server, but they take up significant amounts of space. Log rotation should be configured in order to ensure the logs do not consume so much disk space that logging becomes unavailable." solution : "Follow the below procedure to change the default configuration to the recommended log rotation configuration. You may need to manually edit or change the below command if the configuration is not the default. 
To change log rotation from daily to weekly: sed -i 's/daily/weekly/' /etc/logrotate.d/nginx To keep 13 rotated logs (a quarter's worth at weekly rotation) instead of 52: sed -i 's/rotate 52/rotate 13/' /etc/logrotate.d/nginx Default Value: cat /etc/logrotate.d/nginx /var/log/nginx/*.log { daily missingok rotate 52 compress delaycompress notifempty create 640 nginx adm sharedscripts postrotate if [ -f /var/run/nginx.pid ]; then kill -USR1 $(cat /var/run/nginx.pid) fi endscript } Additional Information: You should always comply with your organizational log retention policy." reference : "800-53|AU-4,800-53r5|AU-4,CSCv7|6.4,CSCv8|8.3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-4,LEVEL|1A,NESA|T3.3.1,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/files/4538" file : "/etc/logrotate.d/nginx" regex : "^[\\s]*rotate" expect : "^[\\s]*rotate[\\s]+@LOGROTATE_ROTATE@[\\s]*$" system : "Linux" type : CMD_EXEC description : "4.1.1 Ensure HTTP is redirected to HTTPS" info : "Browsers and clients establish encrypted connections with servers by leveraging HTTPS. Requests leveraging HTTP are unencrypted. Unencrypted requests should be redirected so they are encrypted. Any listening HTTP port on your web server should redirect to a server profile that uses encryption. The default HTTP (unencrypted) port is 80. Rationale: Redirecting user agent traffic to HTTPS helps to ensure all user traffic is encrypted. Modern browsers alert users that your website is insecure when HTTPS is not used. This can decrease user trust in your website and ultimately result in decreased use of your web services. Redirection from HTTP to HTTPS couples security with usability; users are able to access your website even if they lack the security awareness to use HTTPS over HTTP when requesting your website. 
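Worked example for 2.4.2 and 4.1.1, added here and not part of the benchmark or of this audit file. Both recommendations are properties of individual server blocks, which a grep over nginx -T cannot see: the audit for 4.1.1 passes as soon as any return ... https:// line exists, even if another server block still serves plaintext on port 80. The script below splits nginx -T output into server blocks with awk (server-level directives only; nested location blocks are skipped), then checks that the first block is the catch-all returning 404, that every other block has an explicit server_name, and that every block listening on port 80 (listen 80, *:80, 0.0.0.0:80, [::]:80, or no listen directive at all, which nginx treats as *:80 when run as root) either redirects to https:// or rejects the request with a 4xx. The two configurations are constructed samples shaped like nginx -T output; www.example.com is a placeholder.

```shell
#!/bin/sh
# Added example for 2.4.2 and 4.1.1; not part of the CIS benchmark or this audit file.
# Splits nginx -T output into server blocks and evaluates each block, which a single
# grep cannot do. Run with "demo" to see both checks on the constructed samples.

# nginx_servers: nginx -T text on stdin -> one line per server block:
#   index TAB listen values (comma separated) TAB server_name values TAB "status target" of return
# Only server-level directives are recorded; location/if bodies are skipped. Assumes one
# directive per line and "server {" on its own line, which is how nginx -T prints config.
nginx_servers() {
  sed 's/#.*//' | awk '
    function strip(s) { sub(/;$/, "", s); return s }
    (($1 == "server" && $2 == "{") || $1 == "server{") && !inserver {
      inserver = 1; depth = 1; n++; listens = ""; names = ""; ret = ""; next
    }
    inserver {
      if (depth == 1) {
        if ($1 == "listen")      listens = listens (listens == "" ? "" : ",") strip($2)
        if ($1 == "server_name") for (i = 2; i <= NF; i++) names = names (names == "" ? "" : ",") strip($i)
        if ($1 == "return")      ret = strip($2) (NF >= 3 ? " " strip($3) : "")
      }
      # brace counting via split(): a one-character separator is taken literally
      depth += split($0, o, "{") - split($0, c, "}")
      if (depth == 0) { inserver = 0; printf "%d\t%s\t%s\t%s\n", n, listens, names, ret }
    }'
}

# 2.4.2: the first server block must be the catch-all that returns 404 for any Host value
# not matched elsewhere; every other block must carry an explicit server_name (not "_").
audit_server_names() {
  printf '%s\n' "$1" | nginx_servers | awk -F'\t' '
    BEGIN { bad = 0 }
    $1 == 1 && $4 !~ /^404/ { print "FAIL server block 1 should be the catch-all (return 404); found return \"" $4 "\""; bad = 1 }
    $1 > 1 && ($3 == "" || $3 == "_") { print "FAIL server block " $1 " (listen " $2 ") has no explicit server_name"; bad = 1 }
    END { if (!bad) print "PASS unknown host names are rejected and every other block is named"; exit bad }'
}

# 4.1.1: every block reachable over plaintext HTTP must redirect to https:// (301/302/307/308)
# or reject outright with a 4xx (the 2.4.2 catch-all). Port 80 is recognised as "80" or
# anything ending in ":80"; a block with no listen directive defaults to *:80 under root.
audit_http_redirect() {
  printf '%s\n' "$1" | nginx_servers | awk -F'\t' '
    BEGIN { bad = 0 }
    {
      n = split($2, L, ","); http = (n == 0)
      for (i = 1; i <= n; i++) if (L[i] == "80" || L[i] ~ /:80$/) http = 1
      if (!http) next
      if ($4 ~ /^30[1278] https:\/\//) next
      if ($4 ~ /^4[0-9][0-9]/) next
      print "FAIL server block " $1 " (listen " ($2 == "" ? "default *:80" : $2) ", server_name " ($3 == "" ? "<none>" : $3) ") serves plaintext HTTP without redirecting to HTTPS"; bad = 1
    }
    END { if (!bad) print "PASS every port-80 listener redirects to HTTPS or rejects the request"; exit bad }'
}

# Constructed samples shaped like nginx -T output (not real dumps; www.example.com is a placeholder).
SAMPLE_CONF='http {
    server {
        listen 80;
        server_name www.example.com;      # plaintext site that never redirects: 4.1.1 finding
        location / { root /var/www/html; }
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl;              # no server_name: answers for any Host value, 2.4.2 finding
        location / { root /var/www/html; }
    }
}'
HARDENED_CONF='http {
    server {
        return 404;                       # catch-all for unknown host names (2.4.2)
    }
    server {
        listen 80;
        listen [::]:80;
        server_name www.example.com;
        return 301 https://$host$request_uri;   # HTTP to HTTPS (4.1.1)
    }
    server {
        listen 443 ssl http2;
        server_name www.example.com;
        location / { root /var/www/html; }
    }
}'

# Stand-alone run: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  for name in SAMPLE_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    echo "== $name"; audit_server_names "$conf" || true; audit_http_redirect "$conf" || true
  done
fi
```

Against a live host: audit_server_names "$(nginx -T 2>/dev/null)" and audit_http_redirect "$(nginx -T 2>/dev/null)". A redirect placed inside a location block rather than at server level is reported as a failure by this parser; treat that as a prompt to inspect the block rather than a definitive finding.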
Impact:
Use of HTTPS does result in a performance reduction in traffic to your website; however, because of the increased value of the security, many businesses consider this to be a cost of doing business."
solution : "Edit your web server or proxy configuration file to redirect all unencrypted listening ports, such as port 80, using a redirection through the return directive (cisecurity.org is used as an example server name).
server {
  listen 80;
  server_name cisecurity.org;
  return 301 https://$host$request_uri;
}
Default Value:
NGINX is not configured to use HTTPS or redirect to it by default."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*return[ ]*'"
expect : "^[\\s]*return[\\s]+[0-9]+[\\s]+https://.*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "4.1.2 Ensure a trusted certificate and trust chain is installed"
info : "Certificates and their trust chains are needed to establish the identity of a web server as legitimate and trusted. Certificate authorities validate a web server's identity and that you are the owner of that web server domain name.
Rationale:
Without a certificate and full trust chain installed on your web server, modern browsers will flag your web server as untrusted.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Use the following procedure to install a certificate and its signing certificate chain onto your web server, load balancer, or proxy.
Step 1: Create the server's private key and a certificate signing request.
The following command will create your certificate's private key with 2048-bit key strength. Optionally, this parameter may be changed to 4096 for greater security. It will also output your certificate signing request to the nginx.csr file in your present working directory.
openssl req -new -newkey rsa:2048 -keyout nginx.key -out nginx.csr
Enter the below information about your private key:
Country Name (2 letter code) [XX]: Your Country
State or Province Name (full name) []: Your State
Locality Name (eg, city) [Default City]: Your City
Organization Name (eg, company) [Default Company Ltd]: Your City
Organizational Unit Name (eg, section) []: Your Organizational Unit
Common Name (eg, your name or your server's hostname) []: Your server's DNS name
Email Address []: Your email address
Step 2: Obtain a signed certificate from your certificate authority.
Provide your chosen certificate authority with your certificate signing request. Follow your certificate authority's signing procedures in order to obtain a certificate and the certificate's trust chain. A full trust chain is typically delivered in .pem format.
Step 3: Install the certificate and signing certificate chain on your web server.
Place the .pem file from your certificate authority into the directory of your choice. Locate your created key file from the command you used to generate your certificate signing request. Open your website configuration file and edit your encrypted listener to leverage the ssl_certificate and ssl_certificate_key directives for a web server as shown below. You should also inspect include files inside your nginx.conf. This should be part of the server block.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/nginx/cert.crt;
  ssl_certificate_key /etc/nginx/nginx.key;
  ...
}
After editing this file, you must recycle nginx services for these changes to take effect. This can be done with the following command:
sudo systemctl restart nginx
Default Value:
No certificate is installed by default."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*ssl_certificate[ ]*'"
expect : "Manual Review Required"
dont_echo_cmd : YES
severity : MEDIUM

system : "Linux"
type : FILE_CHECK
description : "4.1.3 Ensure private key permissions are restricted"
info : "The server's private key should be protected from unauthorized access by limiting access based on the principle of least privilege.
Rationale:
A server's private key file should be restricted to 400 permissions. This ensures only the owner of the private key file can access it. This is the minimum necessary permissions for the server to operate. If the private key file is not protected, an unauthorized user with access to the server may be able to find the private key file and use it to decrypt traffic sent to your server.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Run the following command to remove excessive permissions on key files in the /etc/nginx/ directory. Note: The directory /etc/nginx/ should be replaced with the location of your key file.
find /etc/nginx/ -name '*.key' -exec chmod u-wx,go-rwx {} +
Default Value:
The default permissions on the server's private key are 644 or -rw-r--r--.
Additional Information:
Important Note: This recommendation should be applied to both the keys of your server certificate and the key of your client certificate if you are looking to mutually authenticate a proxy server."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4538"
file : "@NGINX_KEY@"
mask : "377"
severity : MEDIUM

system : "Linux"
type : CMD_EXEC
description : "4.1.4 Ensure only modern TLS protocols are used"
info : "Only modern TLS protocols should be enabled in NGINX for all client connections and upstream connections. Removing legacy TLS and SSL protocols (SSL 3.0, TLS 1.0 and 1.1), and enabling emerging and stable TLS protocols (TLS 1.2, and TLS 1.3), ensures users are able to take advantage of strong security capabilities and protects them from insecure legacy protocols.
Rationale:
Why disable SSL 3.0: The POODLE Vulnerability allowed attackers to exploit SSL 3.0 to obtain cleartext information by exploiting weaknesses in CBC in 2014. SSL 3.0 is also no longer FIPS 140-2 compliant.
Why disable TLS 1.0: TLS 1.0 was deprecated from use when PCI DSS Compliance mandated that it not be used for any applications processing credit card numbers in June 2018. TLS 1.0 does not make use of modern protections, and almost all user agents that do not support TLS 1.2 or higher are no longer supported by their vendor.
Why disable TLS 1.1: Because of the increased security associated with higher versions of TLS, TLS 1.1 should be disabled. Modern browsers will begin to flag TLS 1.1 as deprecated in early 2019.
Why enable TLS 1.2: TLS 1.2 takes advantage of several security features including modern cipher suites, perfect forward secrecy, and authenticated encryption.
Why enable TLS 1.3: TLS 1.3 improves security by removing several insecure cipher suites by default and adding several more secure algorithms. All public-key exchange mechanisms support perfect forward secrecy in this version of TLS. Additionally, TLS 1.3 makes drastic performance improvements by removing a full round trip in the TLS handshake.
Impact:
Disabling certain TLS versions may not allow legacy user agents to connect to your server. Disabling negotiation of specific protocols with your backend server may also limit your ability to connect with legacy servers. You should always consider if you need to support legacy user agents or servers when selecting your TLS protocols."
solution : "Run the following commands to change your ssl_protocols if they are already configured. This remediation advice assumes your nginx configuration file does not include server configuration outside of /etc/nginx/nginx.conf. You may have to also inspect the include files in your nginx.conf to ensure this is properly implemented.
Web Server:
sed -i 's/ssl_protocols[^;]*;/ssl_protocols TLSv1.2 TLSv1.3;/' /etc/nginx/nginx.conf
Proxy:
sed -i 's/proxy_ssl_protocols[^;]*;/proxy_ssl_protocols TLSv1.2 TLSv1.3;/' /etc/nginx/nginx.conf
If your ssl_protocols are not already configured, this can be accomplished manually by opening your web server or proxy server configuration file and manually adding the directives.
Web Server:
server {
  ssl_protocols TLSv1.2 TLSv1.3;
}
Proxy:
location / {
  proxy_pass https://cisecurity.org;
  proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
Default Value:
By default, NGINX does not specify the TLS protocol and accepts all TLS versions, except for TLS 1.3, which must be enabled by an administrator to take effect.
Defaults:
ssl_protocols TLSv1.0 TLSv1.1 TLSv1.2
proxy_ssl_protocols TLSv1.0 TLSv1.1 TLSv1.2"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*ssl_protocols[ ]*'"
expect : "^[\\s]*ssl_protocols[\\s]+TLSv1.2[\\s]*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "4.1.5 Disable weak ciphers"
info : "The ssl_ciphers directive should be used to configure the available ciphers on your web server, and the proxy_ssl_ciphers directive should be used to configure the available ciphers for your proxy. Weak ciphers should be disabled based on your company's policy or an industry best practice compliance profile. The ssl_prefer_server_ciphers directive should be used to ensure the user agent respects the server's preferred cipher order and does not set its own. If you are using a proxy or load balancer, you should use the proxy_ssl_ciphers directive to ensure your upstream connections are negotiated using secure ciphers.
Rationale:
The use of strong ciphers is critical to maintaining strong encryption on your web server, load balancer, or proxy. Weak ciphers may compromise the security of your site or your users by allowing legacy user agents to connect to your site in a vulnerable way. You may also meet compliance concerns by ensuring that your upstream connections meet the same level of security if using a proxy or load balancer. The server should enforce the cipher preference on the server side to protect users from malicious actors on the client side.
Impact:
Strong cipher configurations may not allow legacy user agents or user agents with weak configurations to connect to your site. If your server must also pass to a legacy upstream server, this may prevent it from being able to negotiate a cipher upstream."
solution : "The following procedures may be used to implement industry standard cipher profiles if you have an existing profile defined. These profiles may be modified to meet the requirements defined in your company's policy. This procedure assumes that all server blocks will be in /etc/nginx/nginx.conf and not inside any included files in the configuration. Set the ssl_ciphers directive as part of your server block, and set the proxy_ssl_ciphers directive as part of the location block for your upstream server. This should look similar to the below examples:
Server block configuration for client connectivity to web server, proxy, or load balancer:
server {
  ssl_ciphers ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4;
}
Proxy or load balancer configuration for defined upstream negotiation:
location / {
  proxy_pass https://cisecurity.org;
  proxy_ssl_ciphers ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4;
}
The below procedure assumes the default configuration profile. If you do not have ssl_ciphers or proxy_ssl_ciphers defined, add the directives to your proxy or web server configuration profile, then run the below commands to configure them to your selected profile.
No weak ciphers SSLLABS proxy configuration:
sed -i 's/proxy_ssl_ciphers[^;]*;/proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;/' /etc/nginx/nginx.conf
No weak ciphers SSLLABS web server configuration:
sed -i 's/ssl_ciphers[^;]*;/ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;/' /etc/nginx/nginx.conf
For changes to take effect, you must recycle nginx:
systemctl restart nginx
Default Value:
These directives are not specified by default and are set to the default of HIGH:!aNULL:!MD5."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*ssl_ciphers[ ]*'"
expect : "^[\\s]*ssl_ciphers[\\s]+ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4[\\s]*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "4.1.6 Ensure custom Diffie-Hellman parameters are used"
info : "Custom Diffie-Hellman (DH) key exchange parameters should be used. DH Ephemeral (DHE) parameters with at least 2048 bits should be generated.
Rationale:
Backward-compatible Perfect Forward Secrecy (PFS) ciphers (e.g. DHE-RSA-AES128-SHA256) should use strong and unique parameters. By default, NGINX will generate 1024-bit RSA keys for PFS ciphers; stronger alternatives should be used instead to provide better protection for data protected by encryption."
solution : "Generate strong DHE (Ephemeral Diffie-Hellman) parameters using the following commands:
mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
chmod 400 /etc/nginx/ssl/dhparam.pem
Alter the server configuration to use the new parameters:
http {
  server {
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  }
}"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*ssl_dhparam[ ]*'"
expect : "^[\\s]*ssl_dhparam"

system : "Linux"
type : CMD_EXEC
description : "4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling"
info : "OCSP allows a user's browser or another user agent to verify the certificate it is seeing is not revoked.
OCSP stapling ensures your server presents this information to the user's browser in a way that best meets the performance and security needs of your website. It polls the Certificate Authority's (CA) OCSP server at regular intervals to ensure it is continuously kept up to date. OCSP stapling helps improve performance and security, so it should be enabled.
Rationale:
OCSP stapling protects your users from accessing a website where a private key is believed to be compromised. If a private key is compromised, an attacker may be able to obtain unauthorized access to the encrypted data transmitted by a user.
Note: OCSP stapling, while a step forward from the older certificate revocation list model, does share similar risks. Between the time a certificate is revoked and the point where a new signed OCSP response is requested, a user agent may not be informed that the server's certificate has been revoked."
solution : "Follow this procedure to enable OCSP validation:
Step 1: Ensure your NGINX server has access to your CA's OCSP server.
Your CA's OCSP server may be found on your CA's website and will vary depending on your CA vendor. Issue the following command in order to check your connectivity to their site:
curl -I 'insert certificate authority ocsp server here'
If you get a 200 code response, your server has access.
Step 2: Enable OCSP on nginx.
Implement the ssl_stapling and ssl_stapling_verify directives. The directive ssl_stapling enables OCSP stapling, and the directive ssl_stapling_verify enables verification of the OCSP responses on nginx.
server {
  ssl_stapling on;
  ssl_stapling_verify on;
}
Default Value:
OCSP stapling is not enabled by default."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*ssl_stapling[ ]*'"
expect : "^[\\s]*ssl_stapling[\\s]+on[\\s]*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify"
info : "OCSP allows a user's browser or another user agent to verify the certificate it is seeing is not revoked. OCSP stapling ensures your server presents this information to the user's browser in a way that best meets the performance and security needs of your website. It polls the Certificate Authority's (CA) OCSP server at regular intervals to ensure it is continuously kept up to date. OCSP stapling helps improve performance and security, so it should be enabled.
Rationale:
OCSP stapling protects your users from accessing a website where a private key is believed to be compromised. If a private key is compromised, an attacker may be able to obtain unauthorized access to the encrypted data transmitted by a user.
Note: OCSP stapling, while a step forward from the older certificate revocation list model, does share similar risks. Between the time a certificate is revoked and the point where a new signed OCSP response is requested, a user agent may not be informed that the server's certificate has been revoked."
solution : "Follow this procedure to enable OCSP validation:
Step 1: Ensure your NGINX server has access to your CA's OCSP server.
Your CA's OCSP server may be found on your CA's website and will vary depending on your CA vendor. Issue the following command in order to check your connectivity to their site:
curl -I 'insert certificate authority ocsp server here'
If you get a 200 code response, your server has access.
Step 2: Enable OCSP on nginx.
Implement the ssl_stapling and ssl_stapling_verify directives. The directive ssl_stapling enables OCSP stapling, and the directive ssl_stapling_verify enables verification of the OCSP responses on nginx.
server {
  ssl_stapling on;
  ssl_stapling_verify on;
}
Default Value:
OCSP stapling is not enabled by default."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*ssl_stapling_verify[ ]*'"
expect : "^[\\s]*ssl_stapling_verify[\\s]+on[\\s]*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled"
info : "HTTP Strict Transport Security (HSTS) headers instruct a user agent on how to communicate with a web server. HSTS headers inform the strict transport security policies built into browsers and other user agents to communicate only over HTTPS. HSTS with long validity periods should be used to most effectively secure your user population. Strict-Transport-Security should have a long max-age, which is recommended to be at least six months in length. This ensures the browser remembers your website should only be accessible via HTTPS for this amount of time.
Rationale:
HSTS headers help protect a server's users from accessing the server over unencrypted protocols. This header helps to prevent HTTP downgrade attacks."
solution : "Ensure the below snippet of code can be found in your server configuration for your proxy or web server. This will ensure the HSTS header is set with a validity period of six months, or 15768000 seconds.
server {
  add_header Strict-Transport-Security 'max-age=15768000;' always;
}
Default Value:
HSTS headers are not set by default."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '[ ]*Strict-Transport-Security[ ]*'"
expect : "^[\\s]*add_header[\\s]+Strict-Transport-Security[\\s]+[\"']max-age=(1576[8-9][0-9]{3}|157[6-9][0-9]{4}|15[7-9][0-9]{5}|1[5-9][0-9]{6}|[2-9][0-9]{7,});[\"'][\\s]+always[\\s]*;"
dont_echo_cmd : YES

description : "5.1.2 Ensure only approved HTTP methods are allowed"
info : "HTTP methods (also known as verbs) allow different actions to be requested from the web server at a specified path. Only the necessary methods should be enabled.
Rationale:
Most websites only require the methods GET, POST and HEAD to function correctly. Web applications may also require other verbs (e.g. DELETE). In order to narrow vectors of attack, it is recommended to only enable the required verbs.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "To remove unneeded methods and only allow required methods, add the following into a server or location block in your nginx.conf. The below snippet assumes only the methods GET, HEAD and POST are required for an application. A 444 response is used because it returns no information to the client and can help mitigate automated attacks.
if ($request_method !~ ^(GET|HEAD|POST)$) {
  return 444;
}
Default Value:
All methods are allowed."
reference : "800-171|3.13.1,800-171|3.13.2,800-53|PL-8,800-53|SA-8,800-53r5|PL-8,800-53r5|SA-8,CSCv7|9.2,CSCv8|16.10,CSF|ID.AM-3,CSF|PR.IP-2,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ITSG-33|SA-8,ITSG-33|SA-8a.,LEVEL|1M,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|SS3,NIAv2|VL2,QCSC-v1|4.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2"
see_also : "https://workbench.cisecurity.org/files/4538"

system : "Linux"
type : CMD_EXEC
description : "5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout"
info : "The client_header_timeout and client_body_timeout directives define the time the server will wait for the header or body to be sent from the client.
If the client does not send the entire header in this predefined timeframe, the server will send back a 408 request timeout error.
Rationale:
Setting the client header and body timeouts helps your server mitigate possible denial of service attacks. By timing out a request, the server is able to free up resources that may be waiting for the body or header."
solution : "Find the HTTP or server block of your nginx configuration and add the client_header_timeout and client_body_timeout directives to the configuration. The below example sets the timeouts to 10 seconds.
client_body_timeout 10;
client_header_timeout 10;
Default Value:
client_header_timeout 60;
client_body_timeout 60;"
reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*client_body_timeout[ ]*'"
expect : "^[\\s]*client_body_timeout[\\s]+([0-9]|10)[\\s]*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout"
info : "The client_header_timeout and client_body_timeout directives define the time the server will wait for the header or body to be sent from the client. If the client does not send the entire header in this predefined timeframe, the server will send back a 408 request timeout error.
Rationale:
Setting the client header and body timeouts helps your server mitigate possible denial of service attacks. By timing out a request, the server is able to free up resources that may be waiting for the body or header."
solution : "Find the HTTP or server block of your nginx configuration and add the client_header_timeout and client_body_timeout directives to the configuration. The below example sets the timeouts to 10 seconds.
client_body_timeout 10;
client_header_timeout 10;
Default Value:
client_header_timeout 60;
client_body_timeout 60;"
reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*client_header_timeout[ ]*'"
expect : "^[\\s]*client_header_timeout[\\s]+([0-9]|10)[\\s]*;"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "5.2.2 Ensure the maximum request body size is set correctly"
info : "The client_max_body_size directive sets the maximum size of the client request body that the server will read. This defines the number of bytes allowed in a request and is compared against the Content-Length request header field.
Rationale:
Limiting the size of the request body helps prevent unexpectedly long or large client requests from being passed to an application to perform buffer overflow attacks. This value should be set low enough to protect the application but high enough not to interfere with functionality and block legitimate request bodies."
solution : "Find the HTTP or server block of your nginx configuration and add the client_max_body_size directive set to 100K in this block. The appropriate value may be different based on your application's needs.
client_max_body_size 100K;
Default Value:
client_max_body_size 1m;"
reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1"
see_also : "https://workbench.cisecurity.org/files/4538"
cmd : "nginx -T | grep '^[ ]*client_max_body_size[ ]*'"
expect : "^[\\s]*client_max_body_size[\\s]+@CLIENT_MAX_BODY_SIZE@"
dont_echo_cmd : YES

system : "Linux"
type : CMD_EXEC
description : "5.2.3 Ensure the maximum buffer size for URIs is defined"
info : "The large_client_header_buffers directive defines the number and size of the buffers used to read large client headers, including the URI.
A request cannot exceed the size of this buffer when this directive is configured. The large_client_header_buffers directive should be set to restrict buffer usage. The number of buffers should generally set to two and the length be set to 1K; however, this may not be a good fit for your application and may need to be set differently. Rationale: The large_client_header_buffers directive may assist in preventing buffer overflow attacks that leverage long URI query parameters." solution : "Open your nginx.conf file and locate your server or HTTP blocks. This may be added to the HTTP block for all configurations or the server block for more specific configurations to meet your needs. Add the below line to implement this recommendation: large_client_header_buffers 2 1k; Default Value: large_client_header_buffers 4 8k;" reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '^[ ]*large_client_header_buffers[ ]*'" expect : "^[\\s]*large_client_header_buffers[\\s]+@LARGE_CLIENT_HEADER_BUFFERS@;" dont_echo_cmd : YES system : "Linux" type : CMD_EXEC description : "5.3.1 Ensure X-Frame-Options header is configured and enabled" info : "The X-Frame-Options header should be set to allow specific websites or no sites at all to embed your website as an object within their own, depending on your organizational policy and application needs. Rationale: The X-Frame-Options header allows you to mitigate the risk of clickjacking attacks. Impact: Implementing this may block legitimate partner sites from embedding your website if this header is not configured properly." solution : "Add the below to your server blocks in your nginx configuration. The policy should be configured to meet your organization's needs. add_header X-Frame-Options 'SAMEORIGIN' always; Default Value: This is not configured by default." 
reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '[ ]*X-Frame-Options[ ]*'" expect : "^[\\s]*add_header[\\s]+X-Frame-Options[\\s]+[\"']SAMEORIGIN[\"'][\\s]+always[\\s]*;" dont_echo_cmd : YES system : "Linux" type : CMD_EXEC description : "5.3.2 Ensure X-Content-Type-Options header is configured and enabled" info : "The X-Content-Type-Options header should be used to force supported user agents to check an HTTP response's content type header with what is expected from the destination of the request. Rationale: Implementing the X-Content-Type-Options header with the 'nosniff' directive helps to prevent drive-by download attacks where a user agent is sniffing content types in responses." solution : "Open the nginx configuration file that contains your server blocks. Add the below line into your server block to add X-Content-Type-Options header and direct your user agent to not sniff content types. add_header X-Content-Type-Options 'nosniff' always; Default Value: This header is not implemented by default." reference : "800-53|SA-3,800-53r5|SA-3,CSCv7|18.1,CSCv8|16.1,CSF|PR.IP-2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-3,LEVEL|1A,NESA|T7.2.1" see_also : "https://workbench.cisecurity.org/files/4538" cmd : "nginx -T | grep '[ ]*X-Content-Type-Options[ ]*'" expect : "^[\\s]*add_header[\\s]+X-Content-Type-Options[\\s]+[\"']nosniff[\"']" dont_echo_cmd : YES description : "CIS_NGINX_v2.0.1_Level_1_Webserver.audit from CIS NGINX Benchmark v2.0.1" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device." see_also : "https://workbench.cisecurity.org/files/4538"
