NGINX STIG Check
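#!/usr/bin/env bash
# NGINX CIS benchmark audit ("NGINX STIG Check").
#
# Prints one line per benchmark item as "<id>: <verdict>[ - detail]":
#   pass / fail  the automated audit ran and decided
#   manual       the benchmark marks the item Manual; a review hint is printed
#   skipped      automated in the benchmark but needs a live server, not done here
#
# Run as root: the service-account checks need 'passwd -S' and the
# permission checks must read every path under /etc/nginx.
#
# Exit status: 0 when no automated check failed, 1 when at least one failed,
# 2 when nginx or its configuration directory is not present.
#
# 'set -e' is deliberately not used: every check reports through its own
# status test, and a failing external command must not abort the audit.
set -uo pipefail

readonly CONF_DIR=/etc/nginx
readonly CONF_FILE=/etc/nginx/nginx.conf
readonly PID_FILE=/var/run/nginx.pid
readonly HTML_DIR=/usr/share/nginx/html
readonly LOGROTATE_FILE=/etc/logrotate.d/nginx

NGINX_BUILD=   # output of 'nginx -V', filled by require_nginx
failures=0     # count of 'fail' verdicts; drives the exit status

#######################################
# Print a message to stderr and exit 2 (environment problem, not a finding).
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 2
}

#######################################
# Emit one result line and tally failures.
# Globals:   failures (written)
# Arguments: $1 check id, $2 verdict (pass|fail|manual|skipped), $3 optional detail
#######################################
report() {
  local id=$1 verdict=$2 detail=${3:-}
  if [[ -n "$detail" ]]; then
    printf '%s: %s - %s\n' "$id" "$verdict" "$detail"
  else
    printf '%s: %s\n' "$id" "$verdict"
  fi
  [[ "$verdict" == fail ]] && failures=$((failures + 1))
  return 0
}

#######################################
# Pass when the newline-separated path list is empty, else fail naming
# how many paths offended and the first one.
# Arguments: $1 check id, $2 path list, $3 description of the offence
#######################################
report_paths() {
  local id=$1 paths=$2 what=$3 count
  if [[ -z "$paths" ]]; then
    report "$id" pass
  else
    count=$(printf '%s\n' "$paths" | wc -l)
    report "$id" fail "$count $what, e.g. ${paths%%$'\n'*}"
  fi
}

#######################################
# Print every value of a directive, one per line, from the whole config tree
# (symlinks such as sites-enabled/* are followed). Commented-out lines are
# not matched because the directive must start the line.
# Arguments: $1 directive name (a script constant, never user input)
# Outputs:   the text between the directive and ';', trimmed, per occurrence
#######################################
directive_values() {
  local name=$1
  grep -RhoiP -- "^\h*${name}\h+\K[^;]+" "$CONF_DIR" 2>/dev/null \
    | sed -e 's/[[:space:]]*$//'
}

# True when the directive occurs at least once in the config tree.
has_directive() {
  [[ -n "$(directive_values "$1")" ]]
}

# Pass when the directive is present anywhere in the config tree.
# Arguments: $1 check id, $2 directive name
check_present() {
  local id=$1 name=$2
  if has_directive "$name"; then
    report "$id" pass
  else
    report "$id" fail "$name not set"
  fi
}

#######################################
# Pass when the directive is present and every occurrence has the expected
# value (case-insensitive); one stray occurrence with another value fails.
# Arguments: $1 check id, $2 directive name, $3 expected value
#######################################
check_value() {
  local id=$1 name=$2 expected=$3 value
  local -a values=()
  mapfile -t values < <(directive_values "$name")
  if (( ${#values[@]} == 0 )); then
    report "$id" fail "$name not set"
    return
  fi
  for value in "${values[@]}"; do
    if [[ "${value,,}" != "${expected,,}" ]]; then
      report "$id" fail "$name $value"
      return
    fi
  done
  report "$id" pass
}

#######################################
# Pass when every value of a timeout directive is 1..10 seconds.
# Only the first word is inspected (keepalive_timeout may carry a second,
# header-timeout value); a trailing 's' is accepted, any other unit fails.
# Arguments: $1 check id, $2 directive name
#######################################
check_timeout() {
  local id=$1 name=$2 value seconds
  local -a values=()
  mapfile -t values < <(directive_values "$name")
  if (( ${#values[@]} == 0 )); then
    report "$id" fail "$name not set"
    return
  fi
  for value in "${values[@]}"; do
    read -r seconds _ <<<"$value"
    seconds=${seconds%s}
    if [[ ! "$seconds" =~ ^[0-9]+$ ]] || (( seconds < 1 || seconds > 10 )); then
      report "$id" fail "$name $value"
      return
    fi
  done
  report "$id" pass
}

#######################################
# Pass when some add_header directive sets the named response header.
# Arguments: $1 check id, $2 header name
#######################################
check_header() {
  local id=$1 header=$2
  if directive_values add_header | grep -qi -- "^${header}[[:space:]]"; then
    report "$id" pass
  else
    report "$id" fail "no add_header $header"
  fi
}

#######################################
# Abort unless nginx and its config directory exist; otherwise every module
# and configuration check would silently "pass" on an empty result.
# Globals: NGINX_BUILD (written)
#######################################
require_nginx() {
  command -v nginx >/dev/null 2>&1 || die "nginx not found in PATH"
  [[ -d "$CONF_DIR" ]] || die "$CONF_DIR not found"
  NGINX_BUILD=$(nginx -V 2>&1)
}

#######################################
# Section 2.1: compiled-in modules.
# Globals: NGINX_BUILD (read)
#######################################
check_modules() {
  # 2.1.1 Ensure only required modules are installed (Manual)
  report 2.1.1 manual "review the module list in 'nginx -V'"

  # 2.1.2 Ensure HTTP WebDAV module is not installed (Automated)
  # WebDAV is opt-in, so it shows up as --with-http_dav_module.
  if [[ "$NGINX_BUILD" == *--with-http_dav_module* ]]; then
    report 2.1.2 fail "built with http_dav_module"
  else
    report 2.1.2 pass
  fi

  # 2.1.3 Ensure modules with gzip functionality are disabled (Automated)
  # http_gzip_module is built in by default and only disappears when the
  # build says --without-http_gzip_module; a plain substring match on the
  # module name would have reported that disabled build as a failure.
  # http_gzip_static_module is opt-in (--with-).
  if [[ "$NGINX_BUILD" != *--without-http_gzip_module* \
        || "$NGINX_BUILD" == *--with-http_gzip_static_module* ]]; then
    report 2.1.3 fail "gzip functionality compiled in"
  else
    report 2.1.3 pass
  fi

  # 2.1.4 Ensure the autoindex module is disabled (Automated)
  # Only 'autoindex on;' is a finding; matching any autoindex line flagged
  # the explicit 'autoindex off;' as well. The whole tree is searched.
  if directive_values autoindex | grep -qix -- on; then
    report 2.1.4 fail "autoindex on"
  else
    report 2.1.4 pass
  fi
}

#######################################
# Section 2.2: the worker service account.
# Globals: CONF_FILE (read)
#######################################
check_service_account() {
  local service_user status shell

  # 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Automated)
  # Any 'user' directive used to pass; 'user root;' must be a finding.
  service_user=$(grep -oPi -- '^\h*user\h+\K[^;\h]+' "$CONF_FILE" 2>/dev/null | head -n 1)
  if [[ -z "$service_user" ]]; then
    report 2.2.1 fail "no user directive in $CONF_FILE"
    service_user=nginx   # distribution default; lets 2.2.2/2.2.3 still run
  elif [[ "$service_user" == root ]]; then
    report 2.2.1 fail "user root"
  else
    report 2.2.1 pass
  fi

  # 2.2.2 Ensure the NGINX service account is locked (Automated)
  # Field 2 of 'passwd -S' is the password status: "L" (Debian) or "LK"
  # (RHEL, which also spells out "(Password locked.)"). Needs root.
  status=$(passwd -S "$service_user" 2>/dev/null | awk '{print $2}')
  if [[ "$status" == L || "$status" == LK ]]; then
    report 2.2.2 pass
  else
    report 2.2.2 fail "passwd -S status '${status:-unavailable}' for $service_user"
  fi

  # 2.2.3 Ensure the NGINX service account has an invalid shell (Automated)
  # getent resolves the exact account; 'grep nginx /etc/passwd' matched any
  # line that merely mentioned nginx.
  shell=$(getent passwd "$service_user" | cut -d: -f7)
  case "$shell" in
    '')                report 2.2.3 fail "account $service_user not found" ;;
    */nologin|*/false) report 2.2.3 pass ;;
    *)                 report 2.2.3 fail "shell $shell" ;;
  esac
}

#######################################
# Section 2.3: ownership and permissions of configuration and PID file.
#######################################
check_file_security() {
  local offenders pid_owner pid_mode

  # 2.3.1 Ensure NGINX directories and files are owned by root (Automated)
  offenders=$(find "$CONF_DIR" \( ! -user root -o ! -group root \) 2>/dev/null)
  report_paths 2.3.1 "$offenders" "path(s) not owned by root:root"

  # 2.3.2 Ensure access to NGINX directories and files is restricted (Automated)
  # Directories 755 or more restrictive (no bit of 022 set); files 660 or
  # more restrictive (no bit of 117 set).
  offenders=$({ find "$CONF_DIR" -type d -perm /022; find "$CONF_DIR" -type f -perm /117; } 2>/dev/null)
  report_paths 2.3.2 "$offenders" "path(s) more permissive than 755 (dir) / 660 (file)"

  # 2.3.3 Ensure the NGINX process ID (PID) file is secured (Automated)
  # Expected root:root and 644 or more restrictive (no bit of 133 set).
  if [[ ! -e "$PID_FILE" ]]; then
    report 2.3.3 fail "$PID_FILE missing (is nginx running?)"
  else
    pid_owner=$(stat -L -c '%U:%G' "$PID_FILE" 2>/dev/null)
    pid_mode=$(stat -L -c '%a' "$PID_FILE" 2>/dev/null)
    if [[ "$pid_owner" == root:root && "$pid_mode" =~ ^[0-7]+$ ]] \
        && (( (8#$pid_mode & 8#133) == 0 )); then
      report 2.3.3 pass
    else
      report 2.3.3 fail "$PID_FILE is ${pid_owner:-?} ${pid_mode:-?}"
    fi
  fi

  # 2.3.4 Ensure the core dump directory is secured (Manual)
  # Note: working_directory is disabled in the container.
  report 2.3.4 manual "review working_directory in $CONF_FILE"
}

#######################################
# Section 2.4: listeners and connection timeouts.
#######################################
check_network() {
  # 2.4.1 Ensure NGINX only listens for network connections on authorized ports (Manual)
  report 2.4.1 manual "review: grep -ir 'listen[^;]*;' $CONF_DIR"

  # 2.4.2 Ensure requests for unknown host names are rejected (Automated)
  # Needs a running server: curl -k -v https://127.0.0.1 -H 'Host: invalid.host.com'
  report 2.4.2 skipped "needs a live request with an unknown Host header"

  # 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Automated)
  # The nginx default is 65 seconds, so a missing directive is a finding.
  check_timeout 2.4.3 keepalive_timeout

  # 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Automated)
  check_timeout 2.4.4 send_timeout
}

#######################################
# Section 2.5: information disclosure.
#######################################
check_information_disclosure() {
  local page leaks=

  # 2.5.1 Ensure server_tokens directive is set to `off` (Automated)
  # Stops banners such as "Server: nginx/1.22.0"; confirm on a live server
  # with: curl -I 127.0.0.1 | grep -i server
  check_value 2.5.1 server_tokens off

  # 2.5.2 Ensure default error and index.html pages do not reference NGINX (Automated)
  # A page that has been removed cannot leak, so a missing file passes.
  for page in "$HTML_DIR/index.html" "$HTML_DIR/50x.html"; do
    if [[ -f "$page" ]] && grep -qi -- nginx "$page"; then
      leaks+="${leaks:+, }$page"
    fi
  done
  if [[ -n "$leaks" ]]; then
    report 2.5.2 fail "$leaks mention nginx"
  else
    report 2.5.2 pass
  fi

  # 2.5.3 Ensure hidden file serving is disabled (Manual)
  report 2.5.3 manual "review location blocks in $CONF_FILE"

  # 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Automated)
  # Presence check only; which upstream headers must be hidden is site policy.
  check_present 2.5.4 proxy_hide_header
}

#######################################
# Section 3: logging.
#######################################
check_logging() {
  local value level_ok=1
  local -a values=()

  # 3.1 Ensure detailed logging is enabled (Manual)
  report 3.1 manual "review log_format in $CONF_DIR"

  # 3.2 Ensure access logging is enabled (Manual)
  report 3.2 manual "review: grep -ir access_log $CONF_DIR"

  # 3.3 Ensure error logging is enabled and set to the info logging level (Automated)
  # Each error_log value is "<path> [level]"; every occurrence must say info.
  mapfile -t values < <(directive_values error_log)
  if (( ${#values[@]} == 0 )); then
    report 3.3 fail "error_log not set"
  else
    for value in "${values[@]}"; do
      [[ "${value,,}" =~ [[:space:]]info$ ]] || level_ok=0
    done
    if (( level_ok )); then
      report 3.3 pass
    else
      report 3.3 fail "error_log level is not info in every occurrence"
    fi
  fi

  # 3.4 Ensure log files are rotated (Automated)
  if [[ -f "$LOGROTATE_FILE" ]] && grep -qi -- weekly "$LOGROTATE_FILE" \
      && grep -qiE -- '^[[:space:]]*rotate[[:space:]]+[0-9]+' "$LOGROTATE_FILE"; then
    report 3.4 pass
  else
    report 3.4 fail "$LOGROTATE_FILE missing or lacks weekly/rotate"
  fi

  # 3.5 Ensure error logs are sent to a remote syslog server (Manual)
  report 3.5 manual "review: grep -ir syslog $CONF_DIR (error_log)"

  # 3.6 Ensure access logs are sent to a remote syslog server (Manual)
  report 3.6 manual "review: grep -ir syslog $CONF_DIR (access_log)"

  # 3.7 Ensure proxies pass source IP information (Manual)
  # Expected: proxy_set_header X-Real-IP $remote_addr;
  #           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  report 3.7 manual "review proxy_set_header X-Real-IP / X-Forwarded-For"
}

#######################################
# Section 4.1: TLS configuration.
#######################################
check_tls() {
  local value legacy= legacy_re
  local -a protos=()
  legacy_re='(^|[[:space:]])(SSLv2|SSLv3|TLSv1|TLSv1\.1)($|[[:space:]])'

  # 4.1.1 Ensure HTTP is redirected to HTTPS (Manual)
  report 4.1.1 manual "review the HTTP-to-HTTPS redirect"

  # 4.1.2 Ensure a trusted certificate and trust chain is installed (Manual)
  report 4.1.2 manual "review: grep -ir ssl_certificate $CONF_DIR"

  # 4.1.3 Ensure private key permissions are restricted (Automated)
  # "Restricted" is read as no group/other bits (mask 077); tighten the mask
  # if site policy is stricter.
  report_paths 4.1.3 "$(find "$CONF_DIR" -name '*.key' -perm /077 2>/dev/null)" \
    "key(s) readable beyond the owner"

  # 4.1.4 Ensure only modern TLS protocols are used (Automated)
  # A missing directive or any legacy name (SSLv2/SSLv3/TLSv1/TLSv1.1) fails.
  mapfile -t protos < <(directive_values ssl_protocols)
  if (( ${#protos[@]} == 0 )); then
    report 4.1.4 fail "ssl_protocols not set"
  else
    for value in "${protos[@]}"; do
      [[ "$value" =~ $legacy_re ]] && legacy=$value
    done
    if [[ -n "$legacy" ]]; then
      report 4.1.4 fail "ssl_protocols $legacy"
    else
      report 4.1.4 pass
    fi
  fi

  # 4.1.5 Disable weak ciphers (Manual)
  report 4.1.5 manual "review ssl_ciphers / proxy_ssl_ciphers"

  # 4.1.6 Ensure custom Diffie-Hellman parameters are used (Automated)
  check_present 4.1.6 ssl_dhparam

  # 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Automated)
  check_value 4.1.7 ssl_stapling on

  # 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Automated)
  check_header 4.1.8 Strict-Transport-Security

  # 4.1.9 Ensure upstream server traffic is authenticated with a client certificate (Automated)
  check_present 4.1.9 proxy_ssl_certificate

  # 4.1.10 Ensure the upstream traffic server certificate is trusted (Manual)
  report 4.1.10 manual "review proxy_ssl_trusted_certificate / proxy_ssl_verify"

  # 4.1.11 Ensure your domain is preloaded (Manual)
  report 4.1.11 manual "review the domain's HSTS preload status"

  # 4.1.12 Ensure session resumption is disabled to enable perfect forward security (Automated)
  check_value 4.1.12 ssl_session_tickets off

  # 4.1.13 Ensure HTTP/2.0 is used (Automated)
  # Enabled either on a 'listen ... http2' line or by the 'http2 on;' directive.
  if grep -RqiP -- '^\h*(listen\h+[^;]*\bhttp2\b|http2\h+on\h*;)' "$CONF_DIR" 2>/dev/null; then
    report 4.1.13 pass
  else
    report 4.1.13 fail "http2 not enabled"
  fi

  # 4.1.14 Ensure only Perfect Forward Secrecy Ciphers are Leveraged (Manual)
  report 4.1.14 manual "review ssl_ciphers / proxy_ssl_ciphers for PFS suites"
}

#######################################
# Sections 5.1–5.3: access control, request limits, response headers.
#######################################
check_request_controls() {
  # 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Manual)
  report 5.1.1 manual "review allow / deny directives"

  # 5.1.2 Ensure only approved HTTP methods are allowed (Manual)
  report 5.1.2 manual "review which HTTP methods each location accepts"

  # 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Automated)
  # Presence only; the acceptable values are site policy.
  if has_directive client_header_timeout && has_directive client_body_timeout; then
    report 5.2.1 pass
  else
    report 5.2.1 fail "client_header_timeout / client_body_timeout not both set"
  fi

  # 5.2.2 Ensure the maximum request body size is set correctly (Automated)
  check_present 5.2.2 client_max_body_size

  # 5.2.3 Ensure the maximum buffer size for URIs is defined (Automated)
  check_present 5.2.3 large_client_header_buffers

  # 5.2.4 Ensure the number of connections per IP address is limited (Manual)
  report 5.2.4 manual "review per-IP connection limits"

  # 5.2.5 Ensure rate limits by IP address are set (Manual)
  report 5.2.5 manual "review per-IP request rate limits"

  # 5.3.1 Ensure X-Frame-Options header is configured and enabled (Automated)
  check_header 5.3.1 X-Frame-Options

  # 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Automated)
  check_header 5.3.2 X-Content-Type-Options

  # 5.3.3 Ensure that Content Security Policy (CSP) is enabled and configured properly (Manual)
  report 5.3.3 manual "review add_header Content-Security-Policy"

  # 5.3.4 Ensure the Referrer Policy is enabled and configured properly (Manual)
  report 5.3.4 manual "review add_header Referrer-Policy"
}

#######################################
# Run every section in benchmark order and exit 1 when any check failed.
# Globals: failures (read)
#######################################
main() {
  require_nginx
  check_modules
  check_service_account
  check_file_security
  check_network
  check_information_disclosure
  check_logging
  check_tls
  check_request_controls
  (( failures == 0 ))
}

main "$@"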