Detections
Analytics

Revision 1.4

Oct 5, 2020
Functional Update
  • 1.1.1 Ensure NGINX is installed
  • 1.2.1 Ensure package manager repositories are properly configured
  • 1.2.2 Ensure the latest software package is installed
  • 2.1.4 Ensure the autoindex module is disabled
  • 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
  • 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
  • 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
  • 2.2.2 Ensure the NGINX service account is locked
  • 2.2.3 Ensure the NGINX service account has an invalid shell
  • 2.3.1 Ensure NGINX directories and files are owned by root
  • 2.3.2 Ensure access to NGINX directories and files is restricted
  • 2.3.3 Ensure the NGINX process ID (PID) file is secured
  • 2.3.4 Ensure the core dump directory is secured
  • 2.4.1 Ensure NGINX only listens for network connections on authorized ports
  • 2.4.2 Ensure requests for unknown host names are rejected
  • 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
  • 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
  • 2.5.1 Ensure server_tokens directive is set to 'off'
  • 2.5.2 Ensure default error and index.html pages do not reference NGINX
  • 3.1 Ensure detailed logging is enabled
  • 3.2 Ensure access logging is enabled
  • 3.3 Ensure error logging is enabled and set to the info logging level
  • 3.4 Ensure log files are rotated - rotate
  • 3.4 Ensure log files are rotated - weekly
  • 4.1.1 Ensure HTTP is redirected to HTTPS
  • 4.1.2 Ensure a trusted certificate and trust chain is installed
  • 4.1.3 Ensure private key permissions are restricted
  • 4.1.4 Ensure only modern TLS protocols are used
  • 4.1.5 Disable weak ciphers - ssl_ciphers
  • 4.1.5 Disable weak ciphers - ssl_prefer_server_ciphers
  • 4.1.6 Ensure custom Diffie-Hellman parameters are used
  • 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
  • 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
  • 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
  • 5.1.2 Ensure only whitelisted HTTP methods are allowed
  • 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
  • 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
  • 5.2.2 Ensure the maximum request body size is set correctly
  • 5.2.3 Ensure the maximum buffer size for URIs is defined
  • 5.3.1 Ensure X-Frame-Options header is configured and enabled
  • 5.3.2 Ensure X-Content-Type-Options header is configured and enabled
  • 5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly