| 1.1.1 Ensure NGINX is installed | SYSTEM AND SERVICES ACQUISITION |
| 1.2.1 Ensure package manager repositories are properly configured | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.2 Ensure the latest software package is installed | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - groups | ACCESS CONTROL |
| 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - nginx.conf | ACCESS CONTROL |
| 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account - sudo | ACCESS CONTROL |
| 2.2.2 Ensure the NGINX service account is locked | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.3 Ensure the NGINX service account has an invalid shell - /etc/passwd | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.2.3 Ensure the NGINX service account has an invalid shell - script | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.1 Ensure NGINX directories and files are owned by root | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.2 Ensure access to NGINX directories and files is restricted - Directories | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.2 Ensure access to NGINX directories and files is restricted - Files | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.3 Ensure the NGINX process ID (PID) file is secured | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4.1 Ensure NGINX only listens for network connections on authorized ports | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 2.4.2 Ensure requests for unknown host names are rejected | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 | SYSTEM AND SERVICES ACQUISITION |
| 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 | SYSTEM AND SERVICES ACQUISITION |
| 2.5.2 Ensure default error and index.html pages do not reference NGINX | SYSTEM AND SERVICES ACQUISITION |
| 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - Server | SYSTEM AND SERVICES ACQUISITION |
| 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure - X-Powered-By | SYSTEM AND SERVICES ACQUISITION |
| 3.1 Ensure detailed logging is enabled | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure access logging is enabled | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure error logging is enabled and set to the info logging level | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure log files are rotated - rotate | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure log files are rotated - weekly | AUDIT AND ACCOUNTABILITY |
| 3.7 Ensure proxies pass source IP information | AUDIT AND ACCOUNTABILITY |
| 3.7 Ensure proxies pass source IP information - X-Real-IP | AUDIT AND ACCOUNTABILITY |
| 4.1.1 Ensure HTTP is redirected to HTTPS | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2 Ensure a trusted certificate and trust chain is installed | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.3 Ensure private key permissions are restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.4 Ensure only modern TLS protocols are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.5 Disable weak ciphers | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.6 Ensure custom Diffie-Hellman parameters are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled - ssl_stapling_verify | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.9 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.9 Ensure upstream server traffic is authenticated with a client certificate - proxy_ssl_certificate_key | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.2 Ensure only approved HTTP methods are allowed | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout | SYSTEM AND SERVICES ACQUISITION |
| 5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_header_timeout | SYSTEM AND SERVICES ACQUISITION |
| 5.2.2 Ensure the maximum request body size is set correctly | SYSTEM AND SERVICES ACQUISITION |
| 5.2.3 Ensure the maximum buffer size for URIs is defined | SYSTEM AND SERVICES ACQUISITION |
| CIS_NGINX_v2.0.1_Level_1_Proxy.audit from CIS NGINX Benchmark v2.0.1 | |
