
V-278401

CAT II (Medium)

NGINX must be configured to expire cached authenticators after an organization-defined time period.

Rule ID

SV-278401r1171955_rule

STIG

F5 NGINX Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002007

Discussion

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Check Content

If a keyval store is not used to store tokens, this is not applicable.

Determine path to NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Determine if a keyval store is used and no timeout is specified:

grep keyval <location of config>

Example:

keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;

If a timeout is not set to the organization-defined timeout value, this is a finding.
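
The check above can be scripted so that comments, multi-line directives and included files (when fed from `nginx -qT`) are handled rather than relying on a plain grep. This is an added example, not part of the STIG text: the function name `audit_keyval_zones` and the sample configuration are constructed for illustration, and comment stripping is simplified (a `#` inside a quoted string is treated as a comment). It prints each zone's timeout so it can be compared with the organization-defined period.

```shell
#!/usr/bin/env bash
# Added example: report keyval_zone directives with and without timeout=.
# Reads NGINX configuration text on stdin, e.g.:  nginx -qT | audit_keyval_zones
# Output, one line per zone: "OK <zone> timeout=<value>" or "FINDING <zone>".
audit_keyval_zones() {
  awk '
    { sub(/#.*/, ""); buf = buf " " $0 }   # drop comments, join all lines
    END {
      n = split(buf, stmts, /[;{}]/)       # one element per directive
      for (i = 1; i <= n; i++) {
        s = stmts[i]
        sub(/^[ \t]+/, "", s)
        if (s !~ /^keyval_zone[ \t]/) continue   # skips "keyval" itself
        m = split(s, w, /[ \t]+/)
        zone = "?"; timeout = ""
        for (j = 2; j <= m; j++) {
          if (w[j] ~ /^zone=/)    { zone = substr(w[j], 6); sub(/:.*/, "", zone) }
          if (w[j] ~ /^timeout=/) { timeout = substr(w[j], 9) }
        }
        if (timeout == "") print "FINDING " zone
        else               print "OK " zone " timeout=" timeout
      }
    }'
}

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF='
# configuration file /etc/nginx/nginx.conf:
http {
    keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
    keyval_zone zone=oidc_id_tokens:1M
                state=/var/lib/nginx/state/oidc_id_tokens.json;   # no timeout
    # keyval_zone zone=commented_out:1M;
    keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens;
}
'

printf '%s\n' "$SAMPLE_CONF" | audit_keyval_zones
```

Any `FINDING` line is a zone with no timeout; an `OK` line still needs its value checked against the organization-defined period.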

Fix Text

Determine path to NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Edit the config and set a timeout on any keyval storing credentials:

keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;

Restart NGINX:

nginx -s reload