CIS NGINX Benchmark v2.0.0 L1 Proxy

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS NGINX Benchmark v2.0.0 L1 Proxy

Updated: 8/21/2023

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 44

File Details

Filename: CIS_NGINX_v2.0.0_Level_1_Proxy.audit

Size: 85.1 kB

MD5: ad3d037fe0ed6fb5000274f460dcf43d
SHA256: 1d0b57201a278b716b9b449db7887a06252dec3561896655e6655a6387c38d65

Audit Items

Description
1.1.1 Ensure NGINX is installed
1.2.1 Ensure package manager repositories are properly configured
1.2.2 Ensure the latest software package is installed
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo
2.2.2 Ensure the NGINX service account is locked
2.2.3 Ensure the NGINX service account has an invalid shell - /etc/passwd
2.2.3 Ensure the NGINX service account has an invalid shell - script
2.3.1 Ensure NGINX directories and files are owned by root
2.3.2 Ensure access to NGINX directories and files is restricted - Directories
2.3.2 Ensure access to NGINX directories and files is restricted - Files
2.3.3 Ensure the NGINX process ID (PID) file is secured
2.4.1 Ensure NGINX only listens for network connections on authorized ports
2.4.2 Ensure requests for unknown host names are rejected
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
2.5.2 Ensure default error and index.html pages do not reference NGINX
2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - Server
2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - X-Powered-By
3.1 Ensure detailed logging is enabled
3.2 Ensure access logging is enabled
3.3 Ensure error logging is enabled and set to the info logging level
3.4 Ensure log files are rotated - rotate
3.4 Ensure log files are rotated - weekly
3.7 Ensure proxies pass source IP information
3.7 Ensure proxies pass source IP information - X-Real-IP
4.1.1 Ensure HTTP is redirected to HTTPS
4.1.2 Ensure a trusted certificate and trust chain is installed
4.1.3 Ensure private key permissions are restricted
4.1.4 Ensure only modern TLS protocols are used
4.1.5 Disable weak ciphers - proxy_ssl_ciphers
4.1.6 Ensure custom Diffie-Hellman parameters are used
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
4.1.9 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate
4.1.9 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate_key
5.1.2 Ensure only approved HTTP methods are allowed
5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout
5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout
5.2.2 Ensure the maximum request body size is set correctly
5.2.3 Ensure the maximum buffer size for URIs is defined