NGINX STIG Check
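#!/usr/bin/env bash
#
# NGINX CIS/STIG benchmark spot checks.
#
# Prints one "Check <id>: <status>" line per benchmark item, where status is
#   pass / fail  - an automated check implemented in this script
#   manual       - the benchmark marks the item (Manual); review it by hand
#   todo         - automated in the benchmark but not automated here yet; the
#                  benchmark's audit command is kept as a comment next to it
#
# Usage: nginx-stig-check.sh
# Environment (all optional):
#   NGINX_CONF      main configuration file (default /etc/nginx/nginx.conf);
#                   its directory is searched recursively for directives
#   NGINX_PID_FILE  pid file (default /var/run/nginx.pid)
#
# Items that inspect other accounts (passwd -S) or files under the
# configuration directory generally need root; a permission error is
# reported as "fail", never as a silent "pass".

set -euo pipefail

readonly NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"
NGINX_CONF_DIR=$(dirname -- "$NGINX_CONF")
readonly NGINX_CONF_DIR
readonly NGINX_PID_FILE="${NGINX_PID_FILE:-/var/run/nginx.pid}"

#######################################
# Print one result line.
# Arguments: $1 - check id, $2 - status word (pass/fail/manual/todo)
# Outputs:   "Check <id>: <status>" on stdout
#######################################
report() {
  printf 'Check %s: %s\n' "$1" "$2"
}

#######################################
# Run an automated check and report its verdict.
# Arguments: $1 - check id; the remaining arguments are the check command
#            and its arguments (exit status 0 means the item passes)
# Outputs:   one result line on stdout
#######################################
run_check() {
  local id=$1
  shift
  if "$@"; then
    report "$id" pass
  else
    report "$id" fail
  fi
}

#######################################
# 2.1.2 - the WebDAV module must not be compiled in.
# Arguments: $1 - output of `nginx -V`
#######################################
check_no_dav_module() {
  [[ "$1" != *--with-http_dav_module* ]]
}

#######################################
# 2.1.3 - no gzip functionality compiled in.
# ngx_http_gzip_module is built by default and only disappears when the
# build used --without-http_gzip_module, while the static variant is opt-in
# via --with-http_gzip_static_module.  Matching the bare substring
# "http_gzip_module" (as the previous version did) flagged a correctly
# hardened build, because that substring also occurs in "--without-...".
# Arguments: $1 - output of `nginx -V`
#######################################
check_no_gzip_modules() {
  [[ "$1" == *--without-http_gzip_module* ]] \
    && [[ "$1" != *--with-http_gzip_static_module* ]]
}

#######################################
# 2.1.4 - no `autoindex on;` anywhere in the configuration tree.
# `autoindex off;` is compliant, so only an enabled directive fails;
# the previous version failed on any autoindex directive at all.
# Arguments: $1 - configuration directory (or a single file)
#######################################
check_autoindex_disabled() {
  local rc=0
  [[ -e "$1" ]] || return 1
  grep -rEiq '^[[:blank:]]*autoindex[[:blank:]]+on[[:blank:]]*;' -- "$1" 2>/dev/null || rc=$?
  # grep: 0 = an enabled directive was found, 1 = none, 2 = read error;
  # only "none found" is a pass, a read error must not look like one.
  (( rc == 1 ))
}

#######################################
# Print the account named by the first `user` directive in a config file.
# Handles `user name;` and `user name group;` and skips commented-out lines
# (their first field starts with '#').
# Arguments: $1 - configuration file
# Outputs:   the account name on stdout
# Returns:   1 when the file is unreadable or has no `user` directive
#######################################
configured_user() {
  local user
  user=$(awk 'tolower($1) == "user" { sub(/;.*/, "", $2); print $2; exit }' "$1" 2>/dev/null) || return 1
  [[ -n "$user" ]] || return 1
  printf '%s\n' "$user"
}

#######################################
# 2.2.1 - a `user` directive exists and does not name root.
# Arguments: $1 - configuration file
#######################################
check_service_account() {
  local user
  user=$(configured_user "$1") || return 1
  [[ "$user" != root ]]
}

#######################################
# 2.2.2 - the account's password is locked.
# `passwd -S` prints the status in its second column: L (Debian) or LK
# (Red Hat) for locked, NP for no password, P for a usable password, so the
# previous grep for the word "locked" only worked on Red Hat style output.
# Querying an account other than your own needs root.
# Arguments: $1 - account name
#######################################
check_account_locked() {
  local status
  status=$(passwd -S "$1" 2>/dev/null | awk '{ print $2 }') || return 1
  [[ "$status" == L* ]]
}

#######################################
# Print the login shell of an account.
# Arguments: $1 - account name, $2 - passwd file (default /etc/passwd)
# Outputs:   the shell field on stdout, empty when the account is unknown
#######################################
account_shell() {
  local passwd_file=${2:-/etc/passwd}
  awk -F: -v u="$1" '$1 == u { print $7; exit }' "$passwd_file"
}

#######################################
# 2.2.3 - the account's shell is nologin or /bin/false.
# The previous version grepped "nginx" anywhere in /etc/passwd, so any other
# line mentioning nginx (a home directory, a GECOS field) could satisfy it;
# this one looks only at the shell field of the exact account.
# Arguments: $1 - account name, $2 - passwd file (default /etc/passwd)
#######################################
check_invalid_shell() {
  local shell
  shell=$(account_shell "$@")
  [[ "$shell" == */nologin || "$shell" == /bin/false ]]
}

#######################################
# 2.3.1 - everything under the configuration directory is owned by root.
# A find error (unreadable entry) counts as a failure, not a pass.
# Arguments: $1 - configuration directory
#######################################
check_root_owned() {
  local offender
  [[ -e "$1" ]] || return 1
  offender=$(find "$1" ! -user root -print -quit 2>/dev/null) || return 1
  [[ -z "$offender" ]]
}

#######################################
# 2.3.3 - pid file owned by root, mode 644 or more restrictive
# (none of the 0133 bits: no execute, no group/other write).
# Arguments: $1 - pid file path
#######################################
check_pid_file() {
  local owner loose
  [[ -e "$1" ]] || return 1
  owner=$(stat -L -c '%U' "$1" 2>/dev/null) || return 1
  loose=$(find -L "$1" -maxdepth 0 -perm /133 -print 2>/dev/null) || return 1
  [[ "$owner" == root && -z "$loose" ]]
}

#######################################
# Walk the benchmark items in order and print one result line each.
# Globals:   NGINX_CONF, NGINX_CONF_DIR, NGINX_PID_FILE (read)
# Outputs:   result lines on stdout
#######################################
main() {
  local build service_user

  # ---- 2.1 Minimize modules -------------------------------------------
  # 2.1.1 Ensure only required modules are installed (Manual): nginx -V
  report 2.1.1 manual
  # `nginx -V` writes its build report to stderr.  Without a binary on PATH
  # there is nothing to inspect, so the module items fail outright instead
  # of passing on an empty string.
  if build=$(nginx -V 2>&1); then
    # 2.1.2 Ensure HTTP WebDAV module is not installed (Automated)
    run_check 2.1.2 check_no_dav_module "$build"
    # 2.1.3 Ensure modules with gzip functionality are disabled (Automated)
    run_check 2.1.3 check_no_gzip_modules "$build"
  else
    report 2.1.2 fail
    report 2.1.3 fail
  fi
  # 2.1.4 Ensure the autoindex module is disabled (Automated)
  run_check 2.1.4 check_autoindex_disabled "$NGINX_CONF_DIR"

  # ---- 2.2 Service account --------------------------------------------
  # 2.2.1 Ensure NGINX runs as a non-privileged, dedicated account (Automated)
  run_check 2.2.1 check_service_account "$NGINX_CONF"
  # 2.2.2 / 2.2.3 inspect whichever account nginx.conf names; "nginx" is the
  # fallback when no `user` directive is present.
  service_user=$(configured_user "$NGINX_CONF") || service_user=nginx
  # 2.2.2 Ensure the NGINX service account is locked (Automated)
  run_check 2.2.2 check_account_locked "$service_user"
  # 2.2.3 Ensure the NGINX service account has an invalid shell (Automated)
  run_check 2.2.3 check_invalid_shell "$service_user"

  # ---- 2.3 Permissions and ownership ----------------------------------
  # 2.3.1 Ensure NGINX directories and files are owned by root (Automated)
  run_check 2.3.1 check_root_owned "$NGINX_CONF_DIR"
  # 2.3.2 Ensure access to NGINX directories and files is restricted (Automated)
  #   find /etc/nginx -type d -exec stat -Lc "%n %a" {} +  # 755 or more restrictive
  #   find /etc/nginx -type f -exec stat -Lc "%n %a" {} +  # 660 or more restrictive
  report 2.3.2 todo
  # 2.3.3 Ensure the NGINX process ID (PID) file is secured (Automated)
  run_check 2.3.3 check_pid_file "$NGINX_PID_FILE"
  # 2.3.4 Ensure the core dump directory is secured (Manual)
  #   grep working_directory /etc/nginx/nginx.conf   # disabled in the container
  report 2.3.4 manual

  # ---- 2.4 Network configuration --------------------------------------
  # 2.4.1 Ensure NGINX only listens on authorized ports (Manual)
  #   grep -ir "listen[^;]*;" /etc/nginx
  report 2.4.1 manual
  # 2.4.2 Ensure requests for unknown host names are rejected (Automated)
  #   curl -k -v https://127.0.0.1 -H 'Host: invalid.host.com'
  report 2.4.2 todo
  # 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Automated)
  #   grep -ir keepalive_timeout /etc/nginx   # default is 65 seconds
  report 2.4.3 todo
  # 2.4.4 Ensure send_timeout is 10 seconds or less, but not 0 (Automated)
  #   grep -ir send_timeout /etc/nginx
  report 2.4.4 todo

  # ---- 2.5 Information disclosure -------------------------------------
  # 2.5.1 Ensure server_tokens is set to `off` (Automated)
  #   curl -I 127.0.0.1 | grep -i server   # must not show e.g. Server: nginx/1.22.0
  report 2.5.1 todo
  # 2.5.2 Ensure default error and index.html pages do not reference NGINX (Automated)
  #   grep -i nginx /usr/share/nginx/html/index.html
  #   grep -i nginx /usr/share/nginx/html/50x.html
  report 2.5.2 todo
  # 2.5.3 Ensure hidden file serving is disabled (Manual)
  #   grep location /etc/nginx/nginx.conf
  report 2.5.3 manual
  # 2.5.4 Ensure the reverse proxy does not enable information disclosure (Automated)
  #   grep proxy_hide_header /etc/nginx/nginx.conf
  report 2.5.4 todo

  # ---- 3 Logging -------------------------------------------------------
  # 3.1 Ensure detailed logging is enabled (Manual)
  report 3.1 manual
  # 3.2 Ensure access logging is enabled (Manual)
  #   grep -ir access_log /etc/nginx
  report 3.2 manual
  # 3.3 Ensure error logging is enabled and set to the info level (Automated)
  #   grep error_log /etc/nginx/nginx.conf
  report 3.3 todo
  # 3.4 Ensure log files are rotated (Automated)
  #   grep -E 'weekly|rotate' /etc/logrotate.d/nginx
  report 3.4 todo
  # 3.5 Ensure error logs are sent to a remote syslog server (Manual)
  #   grep -ir syslog /etc/nginx
  report 3.5 manual
  # 3.6 Ensure access logs are sent to a remote syslog server (Manual)
  #   grep -ir syslog /etc/nginx
  report 3.6 manual
  # 3.7 Ensure proxies pass source IP information (Manual)
  #   proxy_set_header X-Real-IP $remote_addr;
  #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  report 3.7 manual

  # ---- 4.1 TLS / SSL configuration ------------------------------------
  # 4.1.1 Ensure HTTP is redirected to HTTPS (Manual)
  report 4.1.1 manual
  # 4.1.2 Ensure a trusted certificate and trust chain is installed (Manual)
  #   grep -ir ssl_certificate /etc/nginx/
  report 4.1.2 manual
  # 4.1.3 Ensure private key permissions are restricted (Automated)
  #   find /etc/nginx/ -name '*.key' -exec stat -Lc "%n %a" {} +
  report 4.1.3 todo
  # 4.1.4 Ensure only modern TLS protocols are used (Automated)
  #   grep -ir ssl_protocol /etc/nginx
  report 4.1.4 todo
  # 4.1.5 Disable weak ciphers (Manual)
  #   grep -ir ssl_ciphers /etc/nginx/ ; grep -ir proxy_ssl_ciphers /etc/nginx
  report 4.1.5 manual
  # 4.1.6 Ensure custom Diffie-Hellman parameters are used (Automated)
  #   grep ssl_dhparam /etc/nginx/nginx.conf
  report 4.1.6 todo
  # 4.1.7 Ensure OCSP stapling is enabled (Automated)
  #   grep -ir ssl_stapling /etc/nginx
  report 4.1.7 todo
  # 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Automated)
  #   grep -ir Strict-Transport-Security /etc/nginx
  report 4.1.8 todo
  # 4.1.9 Ensure upstream traffic is authenticated with a client certificate (Automated)
  #   grep -ir proxy_ssl_certificate /etc/nginx
  report 4.1.9 todo
  # 4.1.10 Ensure the upstream server certificate is trusted (Manual)
  #   grep -ir proxy_ssl_trusted_certificate /etc/nginx ; grep -ir proxy_ssl_verify /etc/nginx
  report 4.1.10 manual
  # 4.1.11 Ensure your domain is preloaded (Manual)
  report 4.1.11 manual
  # 4.1.12 Ensure session resumption is disabled for perfect forward secrecy (Automated)
  #   grep -ir ssl_session_tickets /etc/nginx
  report 4.1.12 todo
  # 4.1.13 Ensure HTTP/2.0 is used (Automated)
  #   grep -ir http2 /etc/nginx
  report 4.1.13 todo
  # 4.1.14 Ensure only Perfect Forward Secrecy ciphers are used (Manual)
  #   grep -ir ssl_ciphers /etc/nginx/ ; grep -ir proxy_ssl_ciphers /etc/nginx
  report 4.1.14 manual

  # ---- 5 Request filtering and headers --------------------------------
  # 5.1.1 Ensure allow and deny filters limit access to specific IPs (Manual)
  report 5.1.1 manual
  # 5.1.2 Ensure only approved HTTP methods are allowed (Manual)
  report 5.1.2 manual
  # 5.2.1 Ensure client header and body read timeouts are set correctly (Automated)
  #   grep -ir timeout /etc/nginx
  report 5.2.1 todo
  # 5.2.2 Ensure the maximum request body size is set correctly (Automated)
  #   grep -ir client_max_body_size /etc/nginx
  report 5.2.2 todo
  # 5.2.3 Ensure the maximum buffer size for URIs is defined (Automated)
  #   grep -ir large_client_header_buffers /etc/nginx/
  report 5.2.3 todo
  # 5.2.4 Ensure the number of connections per IP address is limited (Manual)
  report 5.2.4 manual
  # 5.2.5 Ensure rate limits by IP address are set (Manual)
  report 5.2.5 manual
  # 5.3.1 Ensure X-Frame-Options header is configured and enabled (Automated)
  #   grep -ir X-Frame-Options /etc/nginx
  report 5.3.1 todo
  # 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Automated)
  #   grep -ir X-Content-Type-Options /etc/nginx
  report 5.3.2 todo
  # 5.3.3 Ensure Content Security Policy (CSP) is enabled and configured (Manual)
  #   grep -ir Content-Security-Policy /etc/nginx
  report 5.3.3 manual
  # 5.3.4 Ensure the Referrer Policy is enabled and configured (Manual)
  #   grep -r Referrer-Policy /etc/nginx
  report 5.3.4 manual
}

main "$@"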