An error occurred:

Check: NGNX-APP-000370

F5 NGINX STIG: NGNX-APP-000370 (in version v1 r1)

Title

NGINX must prevent the execution of unapproved modules. (Cat II impact)

Discussion

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Actions enforced before executing mobile code include prompting users prior to opening email attachments and disabling automatic execution. Usage restrictions and implementation guidance apply to both the selection and using the mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and antivirus applications).

Check Content

Check nginx.conf for external modules being loaded (grep load_module). If additional modules are being loaded, confirm the directory does not include write or execute for other users. Determine the path to nginx config file(s): # nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. # grep load_module /etc/nginx/nginx.conf load_module modules/ngx_http_app_protect_module.so; # ls -la /etc/nginx/modules lrwxrwxrwx 1 root root 22 Oct 10 2023 modules -> /usr/lib/nginx/modules # ls -la /usr/lib/nginx drwxr-xr-x root root 4096 Jan 30 2024 modules If directory where modules are loaded is writeable by other, this is a finding.

Fix Text

Set permissions on directory containing external modules to read only for "Other" only. The directory may be organizationally defined. The default path is /usr/lib/nginx/modules. # chmod o-wx /usr/lib/nginx/modules

Additional Identifiers

Rule ID: SV-278387r1172701_rule

Vulnerability ID: V-278387

Group Title: SRG-APP-000112

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001695

Prevent the execution of organization-defined unacceptable mobile code.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-18(3)

Prevent Downloading and Execution