CIS NGINX Benchmark v2.1.0 L1 Loadbalancer

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS NGINX Benchmark v2.1.0 L1 Loadbalancer

Updated: 3/23/2026

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 34

File Details

Filename: CIS_NGINX_v2.1.0_Level_1_Loadbalancer.audit

Size: 73.6 kB

MD5: dcbd903abe4133530792abdf864df017
SHA256: c44836835b4474f497a8d242db9695e4f1836110da1004d240159e2b093d8a93

Audit Items

Description
1.1.1 Ensure NGINX is installed
1.2.1 Ensure package manager repositories are properly configured
1.2.2 Ensure the latest software package is installed
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account
2.2.2 Ensure the NGINX service account is locked
2.2.3 Ensure the NGINX service account has an invalid shell
2.3.1 Ensure NGINX directories and files are owned by root
2.3.2 Ensure access to NGINX directories and files is restricted
2.3.3 Ensure the NGINX process ID (PID) file is secured
2.4.1 Ensure NGINX only listens for network connections on authorized ports
2.4.2 Ensure requests for unknown host names are rejected
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
2.5.2 Ensure default error and index.html pages do not reference NGINX
2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure
3.1 Ensure detailed logging is enabled
3.2 Ensure access logging is enabled
3.3 Ensure error logging is enabled and set to the info logging level
3.4 Ensure log files are rotated
3.7 Ensure proxies pass source IP information - X-Real-IP
4.1.1 Ensure HTTP is redirected to HTTPS
4.1.2 Ensure a trusted certificate and trust chain is installed
4.1.3 Ensure private key permissions are restricted
4.1.4 Ensure only modern TLS protocols are used
4.1.5 Disable weak ciphers
4.1.6 Ensure custom Diffie-Hellman parameters are used
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
4.1.9 Ensure upstream server traffic is authenticated with a client certificate
5.1.2 Ensure only approved HTTP methods are allowed
5.2.1 Ensure timeout values for reading the client header and body are set correctly
5.2.2 Ensure the maximum request body size is set correctly
5.2.3 Ensure the maximum buffer size for URIs is defined
CIS_NGINX_v2.1.0_Level_1_Loadbalancer.audit from CIS NGINX Benchmark v2.1.0