CIS NGINX Benchmark v2.1.0 L1 Webserver

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS NGINX Benchmark v2.1.0 L1 Webserver

Updated: 3/23/2026

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 36

File Details

Filename: CIS_NGINX_v2.1.0_Level_1_Webserver.audit

Size: 74.1 kB

MD5: 4a5d50c436bc2665eb83315204d35921
SHA256: 07cd6fbfba22882e6a19577923ec5a3c8f08a9bf49400b9b3ba699e690b118d5

Audit Items

Description | Categories
1.1.1 Ensure NGINX is installed
1.2.1 Ensure package manager repositories are properly configured
1.2.2 Ensure the latest software package is installed
2.1.4 Ensure the autoindex module is disabled
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account
2.2.2 Ensure the NGINX service account is locked
2.2.3 Ensure the NGINX service account has an invalid shell
2.3.1 Ensure NGINX directories and files are owned by root
2.3.2 Ensure access to NGINX directories and files is restricted
2.3.3 Ensure the NGINX process ID (PID) file is secured
2.3.4 Ensure the core dump directory is secured
2.4.1 Ensure NGINX only listens for network connections on authorized ports
2.4.2 Ensure requests for unknown host names are rejected
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0
2.5.1 Ensure server_tokens directive is set to 'off'
2.5.2 Ensure default error and index.html pages do not reference NGINX
3.1 Ensure detailed logging is enabled
3.2 Ensure access logging is enabled
3.3 Ensure error logging is enabled and set to the info logging level
3.4 Ensure log files are rotated
4.1.1 Ensure HTTP is redirected to HTTPS
4.1.2 Ensure a trusted certificate and trust chain is installed
4.1.3 Ensure private key permissions are restricted
4.1.4 Ensure only modern TLS protocols are used
4.1.5 Disable weak ciphers
4.1.6 Ensure custom Diffie-Hellman parameters are used
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled
5.1.2 Ensure only approved HTTP methods are allowed
5.2.1 Ensure timeout values for reading the client header and body are set correctly
5.2.2 Ensure the maximum request body size is set correctly
5.2.3 Ensure the maximum buffer size for URIs is defined
5.3.1 Ensure X-Frame-Options header is configured and enabled
5.3.2 Ensure X-Content-Type-Options header is configured and enabled
CIS_NGINX_v2.1.0_Level_1_Webserver.audit from CIS NGINX Benchmark v2.1.0