| 1.1.1 Ensure NGINX is installed | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 1.2.1 Ensure package manager repositories are properly configured | CIS NGINX v3.0.0 L1 Webserver | Unix | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.2 Ensure the latest software package is installed | CIS NGINX v3.0.0 L1 Webserver | Unix | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.1 Ensure only required dynamic modules are loaded | CIS NGINX v3.0.0 L1 Webserver | Unix | CONFIGURATION MANAGEMENT |
| 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL |
| 2.2.2 Ensure the NGINX service account is locked | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.3 Ensure the NGINX service account has an invalid shell | CIS NGINX v3.0.0 L1 Webserver | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.1 Ensure NGINX directories and files are owned by root | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.2 Ensure access to NGINX directories and files is restricted | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.3 Ensure the NGINX process ID (PID) file is secured | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4.1 Ensure NGINX only listens for network connections on authorized ports | CIS NGINX v3.0.0 L1 Webserver | Unix | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 2.4.2 Ensure requests for unknown host names are rejected | CIS NGINX v3.0.0 L1 Webserver | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 2.5.1 Ensure server_tokens directive is set to `off` | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 2.5.2 Ensure default error and index.html pages do not reference NGINX | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 2.5.3 Ensure hidden file serving is disabled | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 3.2 Ensure access logging is enabled | CIS NGINX v3.0.0 L1 Webserver | Unix | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure error logging is enabled and set to the info logging level | CIS NGINX v3.0.0 L1 Webserver | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.1 Ensure HTTP is redirected to HTTPS | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2 Ensure a trusted certificate and trust chain is installed | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.3 Ensure private key permissions are restricted | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.4 Ensure only modern TLS protocols are used | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.5 Disable weak ciphers | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.6 Ensure awareness of TLS 1.3 new Diffie-Hellman parameters | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.11 Ensure Secure Session Resumption is Enabled | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.2 Ensure the maximum request body size is set correctly | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 5.2.3 Ensure the maximum buffer size for URIs is defined | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| 5.3.1 Ensure X-Content-Type-Options header is configured and enabled | CIS NGINX v3.0.0 L1 Webserver | Unix | SYSTEM AND SERVICES ACQUISITION |
| CIS_Apple_macOS_10.14_v2.0.0_L1.audit from CIS Apple macOS 10.14 Benchmark v2.0.0 | CIS Apple macOS 10.14 v2.0.0 L1 | Unix | |
| CIS_Apple_macOS_10.14_v2.0.0_L2.audit from CIS Apple macOS 10.14 Benchmark v2.0.0 | CIS Apple macOS 10.14 v2.0.0 L2 | Unix | |
| CIS_CentOS_8_Server_L2_v2.0.0.audit from CIS CentOS Linux 8 Benchmark v2.0.0 | CIS CentOS Linux 8 Server L2 v2.0.0 | Unix | |
| CIS_CentOS_8_Workstation_L2_v2.0.0.audit from CIS CentOS Linux 8 Benchmark v2.0.0 | CIS CentOS Linux 8 Workstation L2 v2.0.0 | Unix | |
| CIS_CentOS_Linux_8_v2.0.0_L1_Server.audit from CIS CentOS Linux 8 Benchmark v2.0.0 | CIS CentOS Linux 8 Server L1 v2.0.0 | Unix | |
| CIS_CentOS_Linux_8_v2.0.0_L1_Workstation.audit from CIS CentOS Linux 8 Benchmark v2.0.0 | CIS CentOS Linux 8 Workstation L1 v2.0.0 | Unix | |
| CIS_Fedora_28_Family_Linux_Server_L1_v2.0.0.audit from CIS Fedora 28 Family Linux Benchmark v2.0.0 | CIS Fedora 28 Family Linux Workstation L1 v2.0.0 | Unix | |
| CIS_Fedora_28_Family_Linux_Server_L1_v2.0.0.audit from CIS Fedora 28 Family Linux Benchmark v2.0.0 | CIS Fedora 28 Family Linux Server L1 v2.0.0 | Unix | |
| CIS_Fedora_28_Family_Linux_Server_L1_v2.0.0.audit from CIS Fedora 28 Family Linux Benchmark v2.0.0 | CIS Fedora 28 Family Linux Server L2 v2.0.0 | Unix | |
| CIS_Fedora_28_Family_Linux_Server_L1_v2.0.0.audit from CIS Fedora 28 Family Linux Benchmark v2.0.0 | CIS Fedora 28 Family Linux Workstation L2 v2.0.0 | Unix | |
| CIS_MacOS_Safari_Benchmark_v2.0.0_L1.audit from CIS MacOS Safari Benchmark v2.0.0 | CIS MacOS Safari v2.0.0 L1 | Unix | |
| CIS_MacOS_Safari_Benchmark_v2.0.0_L2.audit from CIS MacOS Safari Benchmark v2.0.0 | CIS MacOS Safari v2.0.0 L2 | Unix | |
| CIS_Oracle_Linux_6_v2.0.0_Server_L1.audit from CIS Oracle Linux 6 Benchmark v2.0.0 | CIS Oracle Linux 6 Server L1 v2.0.0 | Unix | |
| CIS_Oracle_Linux_6_v2.0.0_Server_L2.audit from CIS Oracle Linux 6 Benchmark v2.0.0 | CIS Oracle Linux 6 Server L2 v2.0.0 | Unix | |
| CIS_Oracle_Linux_6_v2.0.0_Workstation_L1.audit from CIS Oracle Linux 6 Benchmark v2.0.0 | CIS Oracle Linux 6 Workstation L1 v2.0.0 | Unix | |
| CIS_Oracle_Linux_6_v2.0.0_Workstation_L2.audit from CIS Oracle Linux 6 Benchmark v2.0.0 | CIS Oracle Linux 6 Workstation L2 v2.0.0 | Unix | |
| CIS_Ubuntu_16.04_LTS_Server_v2.0.0_L1.audit from CIS Ubuntu 16.04 LTS Server Benchmark L1 v2.0.0 | CIS Ubuntu Linux 16.04 LTS Server L1 v2.0.0 | Unix | |
| CIS_Ubuntu_16.04_LTS_Server_v2.0.0_L2.audit from CIS Ubuntu 16.04 LTS Server Benchmark L2 v2.0.0 | CIS Ubuntu Linux 16.04 LTS Server L2 v2.0.0 | Unix | |
| CIS_Ubuntu_16.04_LTS_Workstation_v2.0.0_L1.audit from CIS Ubuntu 16.04 LTS Workstation Benchmark L1 v2.0.0 | CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0 | Unix | |
| CIS_Ubuntu_16.04_LTS_Workstation_v2.0.0_L2.audit from CIS Ubuntu 16.04 LTS Workstation Benchmark L2 v2.0.0 | CIS Ubuntu Linux 16.04 LTS Workstation L2 v2.0.0 | Unix | |
