NGINX must generate, manage, and protect from disclosure and misuse the cryptographic keys that protect access tokens.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-278410 | NGNX-APP-003220 | SV-278410r1172694_rule | CCI-005156 | medium |

Description: Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed.

Satisfies: SRG-APP-000965, SRG-APP-000970

| STIG | Date |
|---|---|
| F5 NGINX Security Technical Implementation Guide | 2026-01-07 |
Details
Check Text (C-278410r1172694_chk)
Check SSL/TLS certificate and private key file permissions:
# ls -la /home/ubuntu/nginx.com.crt
# ls -la /home/ubuntu/nginx.com.key
Verify:
- Certificate file permissions are 644 or more restrictive. The certificate is public, so it may be world-readable, but it must not be group- or world-writable.
- Private key file permissions are 600 or more restrictive: not readable or writable by group or others.
- Both files are owned by the nginx user or by root.
If these permissions are not set, this is a finding.
Verify certificate validity and strength:
# openssl x509 -in /home/ubuntu/nginx.com.crt -text -noout
Verify:
- Certificate is not expired.
- Uses RSA key length of 2048 bits minimum or ECDSA P-256 minimum.
- Signature algorithm is SHA-256 or stronger (not SHA-1 or MD5).
- Certificate chain is complete and valid.
If these values are not met, this is a finding.
Verify private key strength and protection:
# openssl rsa -in /home/ubuntu/nginx.com.key -text -noout -check
openssl rsa reads only RSA keys; for an ECDSA key substitute openssl ec (or openssl pkey, which accepts either type).
Verify:
- Key length is 2048 bits minimum for RSA, or 256 bits (P-256) minimum for ECDSA.
- If the key is stored encrypted, it is not encrypted with a weak algorithm (for example, legacy PEM encryption with DES-CBC).
- Key passes the integrity check (-check reports "RSA key ok").
If these key values are not met, this is a finding.
Fix Text (F-82849r1171981_fix)
Set proper file permissions for the SSL certificate and private key:
# chmod 644 /home/ubuntu/nginx.com.crt
# chmod 600 /home/ubuntu/nginx.com.key
# chown nginx:nginx /home/ubuntu/nginx.com.crt
# chown nginx:nginx /home/ubuntu/nginx.com.key
Either ownership the check accepts works. The NGINX master process runs as root and is what loads the key at startup and reload, so leaving the files root-owned with mode 600 is the tighter choice: the worker processes, which run as the nginx user, then cannot read the key at all.
Move the certificate and key to a secure location:
# mkdir -p /etc/nginx/ssl
# mv /home/ubuntu/nginx.com.* /etc/nginx/ssl/
# chmod 700 /etc/nginx/ssl
With mode 700 on a root-owned directory, only root can list or traverse it; the master process still reads the files because it runs as root.
Update NGINX configuration to use secure certificate location:
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/nginx.com.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.com.key;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
Generate strong DH parameters if not present:
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# chmod 644 /etc/nginx/ssl/dhparam.pem
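The Check Text and Fix Text above, combined into one script as an added example that is not part of the STIG or of NGINX: it audits a certificate/key pair for the permission, ownership, expiry, signature-algorithm and key-size conditions the check lists, then applies the chmod/chown from the fix and re-audits. It assumes a Linux host with GNU or busybox stat and the openssl CLI. The names ALLOWED_OWNERS, MIN_RSA_BITS, MIN_EC_BITS, audit_tls_pair, harden_tls_pair and demo_audit (which builds a throwaway self-signed certificate as constructed input) are this example's own; chain validation is left out because it needs the site's CA bundle.

```shell
#!/usr/bin/env bash
# Added example, not STIG or NGINX code: audit a cert/key pair against the
# Check Text, apply the Fix Text permissions, and re-audit. Assumes Linux with
# GNU/busybox stat and the openssl CLI. The variables below are this
# example's own parameters, not anything the STIG defines.
set -u

ALLOWED_OWNERS="${ALLOWED_OWNERS:-root nginx}"   # owners the check accepts
MIN_RSA_BITS=2048                                 # STIG minimum for RSA keys
MIN_EC_BITS=256                                   # P-256 minimum for ECDSA keys

# True when octal mode $1 is "$2 or more restrictive": no permission bit is set
# in $1 that is cleared in the ceiling $2 (600 is within 644; 644 is not within 600).
mode_within() {
  [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# Print one FINDING line per failed check for certificate $1 and key $2.
# Returns the number of findings, so 0 means the pair passes.
audit_tls_pair() {
  local crt=$1 key=$2 n=0 f mode owner sig txt bits min
  mode=$(stat -c '%a' "$crt")
  mode_within "$mode" 644 \
    || { echo "FINDING: $crt mode $mode is looser than 644"; n=$((n + 1)); }
  mode=$(stat -c '%a' "$key")
  mode_within "$mode" 600 \
    || { echo "FINDING: $key mode $mode is looser than 600 (group/other can read or write)"; n=$((n + 1)); }
  for f in "$crt" "$key"; do
    owner=$(stat -c '%U' "$f")
    case " $ALLOWED_OWNERS " in
      *" $owner "*) ;;
      *) echo "FINDING: $f owned by $owner, expected one of: $ALLOWED_OWNERS"; n=$((n + 1)) ;;
    esac
  done
  if ! command -v openssl >/dev/null 2>&1; then
    # A production audit should fail closed here; this example only reports it.
    echo "NOTE: openssl not found, certificate and key content checks skipped" >&2
    return "$n"
  fi
  # Certificate: not expired, and not signed with SHA-1 or MD5. Chain validation
  # (openssl verify -CAfile <bundle>) needs the site's CA bundle and is not done here.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FINDING: $crt is expired"; n=$((n + 1)); }
  sig=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | sed -n '/Signature Algorithm:/{s/.*: *//;p;q;}' | tr '[:upper:]' '[:lower:]')
  case "$sig" in
    *sha1*|*md5*) echo "FINDING: $crt signed with weak algorithm $sig"; n=$((n + 1)) ;;
  esac
  # Key: 'openssl pkey' reads RSA and EC keys alike (unlike 'openssl rsa');
  # -check runs the library's key consistency test.
  if ! openssl pkey -in "$key" -noout -check >/dev/null 2>&1; then
    echo "FINDING: $key does not parse or fails the key consistency check"; n=$((n + 1))
  else
    txt=$(openssl pkey -in "$key" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    if printf '%s\n' "$txt" | grep -q '^modulus:'; then min=$MIN_RSA_BITS; else min=$MIN_EC_BITS; fi
    [ "${bits:-0}" -ge "$min" ] \
      || { echo "FINDING: $key is ${bits:-unknown} bits, minimum is $min"; n=$((n + 1)); }
  fi
  return "$n"
}

# Fix Text: certificate 0644, key 0600, chown only when running as root. The NGINX
# master process (root) loads the key, so root:root 0600 is the tightest setting
# that still works; workers running as 'nginx' never need to read it.
harden_tls_pair() {
  local crt=$1 key=$2 owner=${3:-root}
  chmod 0644 "$crt" && chmod 0600 "$key" || return 1
  if [ "$(id -u)" -eq 0 ]; then
    chown "$owner:$owner" "$crt" "$key" || return 1
  fi
}

# Demonstration on a throwaway self-signed certificate generated on the fly
# (constructed input, not a real deployment). Returns 0 when the deliberately
# loose copy is flagged and the hardened copy passes.
demo_audit() {
  local dir crt key before after
  dir=$(mktemp -d) || return 1
  crt=$dir/nginx.com.crt; key=$dir/nginx.com.key
  if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=nginx.com' \
      -keyout "$key" -out "$crt" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
  else
    : > "$crt"; : > "$key"               # placeholders: only permission checks run
  fi
  ALLOWED_OWNERS="root nginx $(id -un)"  # the demo's own account stands in for nginx
  chmod 0644 "$key"                      # deliberately loose: world-readable private key
  audit_tls_pair "$crt" "$key" && before=0 || before=$?
  harden_tls_pair "$crt" "$key" "$(id -un)" || { rm -rf "$dir"; return 1; }
  audit_tls_pair "$crt" "$key" && after=0 || after=$?
  rm -rf "$dir"
  [ "$before" -gt 0 ] && [ "$after" -eq 0 ]
}

# Run with --demo to exercise the checks on the throwaway certificate.
if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

Point audit_tls_pair at the deployed files (for example /etc/nginx/ssl/nginx.com.crt and nginx.com.key) to reproduce the check; a non-zero return is a finding. The mode comparison is a bit-mask test rather than a string compare, so 400 or 440 on the key and 444 on the certificate pass as "more restrictive" exactly as the check intends.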