NGINX must be configured to expire cached authenticators after an organization-defined time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-278401 | NGNX-APP-001690 | SV-278401r1171955_rule | CCI-002007 | medium |

Description: If cached authentication information is out of date, the validity of the authentication information may be questionable.

STIG: F5 NGINX Security Technical Implementation Guide
Date: 2026-01-07
Related Frameworks
2 paths across 2 frameworks
- NIST 800-53 mapping: IA-5(13) · 1.00
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
- CCI mapping: CCI-002007 · 1.00
  - DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-278401r1171955_chk)
If a keyval store is not used to store tokens or other authenticators, this is not applicable. (The keyval_zone directive belongs to the NGINX Plus key-value store; open-source NGINX does not have it.)
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Because `nginx -T` prints the complete configuration including every included file, searching its output catches keyval_zone directives that live in conf.d or other include files and would be missed by grepping nginx.conf alone.
Determine whether a keyval store is used and whether each zone specifies a timeout:
grep keyval_zone <location of config>
Example:
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
The timeout parameter is the expiry: key-value pairs are removed from the zone once the timeout elapses. Without it, a cached token or session entry persists until it is explicitly deleted, and when a state file is configured the entry also survives reloads and restarts.
If any keyval_zone that stores credentials has no timeout parameter, or its timeout is not set to the organization-defined value, this is a finding.
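The check above is easy to do by hand for one zone, but tokens are often spread across several keyval zones in several include files. The following POSIX shell audit, an added example and not part of the STIG text, reads `nginx -T` output on stdin and names every keyval_zone directive that lacks a `timeout=` parameter. The configuration it is run against here is constructed for the example; the zone names, state-file paths and the `audit_keyval_timeouts` / `keyval_zones_without_timeout` function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `nginx -T` output (not captured from a real host).
# One token zone sets a timeout, one token zone does not, and one
# non-credential zone also lacks a timeout so the manual-review caveat is visible.
SAMPLE_CONFIG='
# configuration file /etc/nginx/nginx.conf:
http {
    keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
    keyval $cookie_auth_token $session_jwt zone=oidc_access_tokens;
# configuration file /etc/nginx/conf.d/sessions.conf:
    keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json;
    keyval_zone zone=rate_limits:64k;
}
'

# Print the zone name of every keyval_zone directive with no timeout= parameter.
# Reads configuration text on stdin. Assumes one directive per line, which is
# how nginx -T emits them; a directive wrapped across lines would be skipped.
keyval_zones_without_timeout() {
    grep -v '^[[:space:]]*#' \
    | grep -E '^[[:space:]]*keyval_zone[[:space:]]' \
    | grep -Ev '[[:space:]]timeout=' \
    | sed -E 's/.*zone=([^:;[:space:]]+).*/\1/'
}

# Wrap the search in a pass/fail verdict. Returns 1 when at least one zone has
# no timeout. The script cannot tell which zones hold credentials, so every
# flagged zone still needs a human to decide whether it is in scope.
audit_keyval_timeouts() {
    findings=$(keyval_zones_without_timeout)
    if [ -n "$findings" ]; then
        printf 'FINDING: keyval_zone without timeout=: %s\n' $findings
        return 1
    fi
    echo "PASS: every keyval_zone sets timeout="
    return 0
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | audit_keyval_timeouts
echo "audit exit status: $?"
```

On a real host run it as `nginx -T 2>/dev/null | audit_keyval_timeouts` (as a user allowed to read the full configuration, usually root). A flagged zone is only a finding if it stores tokens or other authenticators; confirm that the remaining zones' timeout values match the organization-defined period, since the script checks only for presence of the parameter.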
Fix Text (F-82840r1171954_fix)
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Edit the config and set a timeout, using the organization-defined value, on every keyval_zone that stores credentials:
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
Validate the configuration and reload NGINX (a reload, not a restart, is sufficient):
nginx -t && nginx -s reload