NGINX must prevent the execution of unapproved modules.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-278387 | NGNX-APP-000370 | SV-278387r1172701_rule | CCI-001695 | medium |
| Description | ||||
| Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Actions enforced before executing mobile code include prompting users prior to opening email attachments and disabling automatic execution. Usage restrictions and implementation guidance apply to both the selection and using the mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and antivirus applications). | ||||
| STIG | Date | |||
| F5 NGINX Security Technical Implementation Guide | 2026-01-07 | |||
Details
Check Text (C-278387r1172701_chk)
Check nginx.conf for external modules being loaded (grep load_module).
If additional modules are being loaded, confirm the directory does not include write or execute for other users.
Determine the path to nginx config file(s):
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
# grep load_module /etc/nginx/nginx.conf
load_module modules/ngx_http_app_protect_module.so;
# ls -la /etc/nginx/modules
lrwxrwxrwx 1 root root 22 Oct 10 2023 modules -> /usr/lib/nginx/modules
# ls -la /usr/lib/nginx
drwxr-xr-x root root 4096 Jan 30 2024 modules
If directory where modules are loaded is writeable by other, this is a finding.
Fix Text (F-82826r1171912_fix)
Set permissions on directory containing external modules to read only for "Other" only.
The directory may be organizationally defined. The default path is /usr/lib/nginx/modules.
# chmod o-wx /usr/lib/nginx/modules