NGINX must be configured to expire cached authenticators after an organization-defined time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-278401 | NGNX-APP-001690 | SV-278401r1171955_rule | CCI-002007 | medium |

Description: If cached authentication information is out of date, the validity of the authentication information may be questionable.

| STIG | Date |
|---|---|
| F5 NGINX Security Technical Implementation Guide | 2026-01-07 |
Details
Check Text (C-278401r1171955_chk)
If a keyval store is not used to store tokens, this is not applicable.
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Determine if a keyval store is used and no timeout is specified:
grep keyval <location of config>
Example:
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
If no timeout is specified, or the timeout is not set to the organization-defined value, this is a finding.
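The check above can be scripted rather than read by eye. The following POSIX shell script is an added example, not part of this STIG or of NGINX: it parses keyval_zone directives out of configuration text and reports any zone that lacks a timeout= parameter, plus any zone whose timeout exceeds a maximum given in seconds. In practice the input would be the output of `nginx -T`, which dumps the full configuration including all included files. The sample configuration, the zone names in it, and the 24-hour maximum are constructed values; substitute the organization-defined period.

```shell
#!/bin/sh
# Added audit helper (not from the STIG or NGINX): find keyval_zone directives
# that have no timeout= or whose timeout exceeds an organization-defined maximum.

# Constructed sample configuration for demonstration only (not a real system).
SAMPLE_CONF='
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json;
keyval_zone zone=refresh_tokens:1M timeout=30d;
keyval $cookie_auth_token $session_id zone=oidc_access_tokens;
'

# Convert an NGINX time value (ms, s, m, h, d, w, M, y; bare number = seconds)
# to whole seconds so values with different units can be compared.
to_seconds() {
  case "$1" in
    *ms) echo $(( ${1%ms} / 1000 )); return 0 ;;
  esac
  num=${1%[smhdwMy]}
  unit=${1#"$num"}
  case "$unit" in
    ''|s) echo "$num" ;;
    m) echo $(( num * 60 )) ;;
    h) echo $(( num * 3600 )) ;;
    d) echo $(( num * 86400 )) ;;
    w) echo $(( num * 604800 )) ;;
    M) echo $(( num * 2592000 )) ;;
    y) echo $(( num * 31536000 )) ;;
    *) echo "unknown time unit in '$1'" >&2; return 1 ;;
  esac
}

# Print the zone name of every keyval_zone directive that has no timeout= parameter.
zones_without_timeout() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*keyval_zone[[:space:]]' \
    | grep -v 'timeout=' \
    | sed -E 's/.*zone=([^:[:space:]]+).*/\1/'
}

# Print "zone timeout" for every keyval_zone whose timeout exceeds $2 seconds.
zones_over_max() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*keyval_zone[[:space:]].*timeout=' \
    | while IFS= read -r line; do
        zone=$(printf '%s' "$line" | sed -E 's/.*zone=([^:[:space:]]+).*/\1/')
        tval=$(printf '%s' "$line" | sed -E 's/.*timeout=([0-9]+[a-zA-Z]*).*/\1/')
        if [ "$(to_seconds "$tval")" -gt "$2" ]; then
          printf '%s %s\n' "$zone" "$tval"
        fi
      done
}

# Report all findings for configuration text $1 against a maximum of $2 seconds.
# Returns 0 when the configuration is clean, 1 when there is at least one finding.
audit_keyval_zones() {
  findings=$(
    zones_without_timeout "$1" | sed 's/$/ NO_TIMEOUT/'
    zones_over_max "$1" "$2" | sed 's/$/ EXCEEDS_MAX/'
  )
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: audit the constructed sample against a hypothetical 24-hour (86400 s) policy.
if audit_keyval_zones "$SAMPLE_CONF" 86400; then
  echo "no findings"
else
  echo "review the keyval zones listed above"
fi
```

Against the sample, the script flags `oidc_id_tokens` for having no timeout and `refresh_tokens` for a 30-day timeout above the 24-hour maximum; the `keyval` directive that merely references a zone is ignored, since the timeout lives on `keyval_zone`.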
Fix Text (F-82840r1171954_fix)
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Edit the config and set a timeout on any keyval storing credentials:
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
Reload the NGINX configuration:
nginx -s reload