Detections
Analytics

Revision 1.4

Oct 5, 2020
Functional Update
  • 1.1.1 Ensure NGINX is installed
  • 1.2.1 Ensure package manager repositories are properly configured
  • 1.2.2 Ensure the latest software package is installed
  • 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
  • 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
  • 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
  • 2.2.2 Ensure the NGINX service account is locked
  • 2.2.3 Ensure the NGINX service account has an invalid shell
  • 2.3.1 Ensure NGINX directories and files are owned by root
  • 2.3.2 Ensure access to NGINX directories and files is restricted
  • 2.3.3 Ensure the NGINX process ID (PID) file is secured
  • 2.4.1 Ensure NGINX only listens for network connections on authorized ports
  • 2.4.2 Ensure requests for unknown host names are rejected
  • 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
  • 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
  • 2.5.2 Ensure default error and index.html pages do not reference NGINX
  • 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - Server
  • 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - X-Powered-By
  • 3.1 Ensure detailed logging is enabled
  • 3.2 Ensure access logging is enabled
  • 3.3 Ensure error logging is enabled and set to the info logging level
  • 3.4 Ensure log files are rotated - rotate
  • 3.4 Ensure log files are rotated - weekly
  • 3.7 Ensure proxies pass source IP information
  • 3.7 Ensure proxies pass source IP information - X-Real-IP
  • 4.1.1 Ensure HTTP is redirected to HTTPS
  • 4.1.10 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate
  • 4.1.10 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate_key
  • 4.1.2 Ensure a trusted certificate and trust chain is installed
  • 4.1.3 Ensure private key permissions are restricted
  • 4.1.4 Ensure only modern TLS protocols are used
  • 4.1.5 Disable weak ciphers - proxy_ssl_ciphers
  • 4.1.5 Disable weak ciphers - ssl_prefer_server_ciphers
  • 4.1.6 Ensure custom Diffie-Hellman parameters are used
  • 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
  • 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
  • 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
  • 5.1.2 Ensure only whitelisted HTTP methods are allowed
  • 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
  • 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
  • 5.2.2 Ensure the maximum request body size is set correctly
  • 5.2.3 Ensure the maximum buffer size for URIs is defined