May 2, 2023 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Apr 12, 2023 Functional Update- 1.1.1 Ensure NGINX is installed
- 1.2.1 Ensure package manager repositories are properly configured
- 1.2.2 Ensure the latest software package is installed
- 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
- 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
- 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
- 2.2.2 Ensure the NGINX service account is locked
- 2.2.3 Ensure the NGINX service account has an invalid shell
- 2.3.1 Ensure NGINX directories and files are owned by root
- 2.3.2 Ensure access to NGINX directories and files is restricted
- 2.3.3 Ensure the NGINX process ID (PID) file is secured
- 2.4.1 Ensure NGINX only listens for network connections on authorized ports
- 2.4.2 Ensure requests for unknown host names are rejected
- 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
- 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
- 2.5.2 Ensure default error and index.html pages do not reference NGINX
- 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - Server
- 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - X-Powered-By
- 3.1 Ensure detailed logging is enabled
- 3.2 Ensure access logging is enabled
- 3.3 Ensure error logging is enabled and set to the info logging level
- 3.4 Ensure log files are rotated - rotate
- 3.4 Ensure log files are rotated - weekly
- 3.7 Ensure proxies pass source IP information
- 3.7 Ensure proxies pass source IP information - X-Real-IP
- 4.1.1 Ensure HTTP is redirected to HTTPS
- 4.1.10 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate
- 4.1.10 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate_key
- 4.1.2 Ensure a trusted certificate and trust chain is installed
- 4.1.3 Ensure private key permissions are restricted
- 4.1.4 Ensure only modern TLS protocols are used
- 4.1.5 Disable weak ciphers - proxy_ssl_ciphers
- 4.1.5 Disable weak ciphers - ssl_prefer_server_ciphers
- 4.1.6 Ensure custom Diffie-Hellman parameters are used
- 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
- 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
- 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
- 5.1.2 Ensure only whitelisted HTTP methods are allowed
- 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
- 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
- 5.2.2 Ensure the maximum request body size is set correctly
- 5.2.3 Ensure the maximum buffer size for URIs is defined
Informational Update- 1.2.1 Ensure package manager repositories are properly configured
- 1.2.2 Ensure the latest software package is installed
Removed- CIS_NGINX_Level_1_Loadbalancer_v1.0.0.audit from CIS NGINX Benchmark v1.0.0
|
Mar 7, 2023 Miscellaneous- Metadata updated.
- References updated.
|
Jan 4, 2023 |
Dec 7, 2022 |
Aug 9, 2022 Informational Update- 1.1.1 Ensure NGINX is installed
|
Apr 25, 2022 |
Mar 29, 2022 Miscellaneous- Metadata updated.
- References updated.
|
Jun 17, 2021 Miscellaneous- Metadata updated.
- References updated.
|
Oct 5, 2020 Functional Update- 1.1.1 Ensure NGINX is installed
- 1.2.1 Ensure package manager repositories are properly configured
- 1.2.2 Ensure the latest software package is installed
- 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
- 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
- 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
- 2.2.2 Ensure the NGINX service account is locked
- 2.2.3 Ensure the NGINX service account has an invalid shell
- 2.3.1 Ensure NGINX directories and files are owned by root
- 2.3.2 Ensure access to NGINX directories and files is restricted
- 2.3.3 Ensure the NGINX process ID (PID) file is secured
- 2.4.1 Ensure NGINX only listens for network connections on authorized ports
- 2.4.2 Ensure requests for unknown host names are rejected
- 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
- 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
- 2.5.2 Ensure default error and index.html pages do not reference NGINX
- 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - Server
- 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - X-Powered-By
- 3.1 Ensure detailed logging is enabled
- 3.2 Ensure access logging is enabled
- 3.3 Ensure error logging is enabled and set to the info logging level
- 3.4 Ensure log files are rotated - rotate
- 3.4 Ensure log files are rotated - weekly
- 3.7 Ensure proxies pass source IP information
- 3.7 Ensure proxies pass source IP information - X-Real-IP
- 4.1.1 Ensure HTTP is redirected to HTTPS
- 4.1.10 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate
- 4.1.10 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate_key
- 4.1.2 Ensure a trusted certificate and trust chain is installed
- 4.1.3 Ensure private key permissions are restricted
- 4.1.4 Ensure only modern TLS protocols are used
- 4.1.5 Disable weak ciphers - proxy_ssl_ciphers
- 4.1.5 Disable weak ciphers - ssl_prefer_server_ciphers
- 4.1.6 Ensure custom Diffie-Hellman parameters are used
- 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
- 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
- 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
- 5.1.2 Ensure only whitelisted HTTP methods are allowed
- 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
- 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
- 5.2.2 Ensure the maximum request body size is set correctly
- 5.2.3 Ensure the maximum buffer size for URIs is defined
|
