Check: NGNX-APP-001690
F5 NGINX STIG:
NGNX-APP-001690
(in version v1 r1)
Title
NGINX must be configured to expire cached authenticators after an organization-defined time period. (Cat II impact)
Discussion
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Check Content
If a keyval store is not used to store tokens, this is not applicable.

Determine the path to the NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration file is "/etc/nginx/nginx.conf", though various other files may also be included.

Determine whether a keyval store is used and no timeout is specified:

grep keyval <location of config>

Example:

keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;

If a timeout is not set to an organization-defined timeout value, this is a finding.
Fix Text
Determine the path to the NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration file is "/etc/nginx/nginx.conf", though various other files may also be included.

Edit the config and set a timeout on any keyval zone storing credentials:

keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;

Restart NGINX:

nginx -s reload
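The check above is a manual grep; the script below automates it over an `nginx -T` dump. It is an added example, not part of the STIG text or of NGINX itself: it lists every keyval_zone directive that has no timeout= parameter, reports "not applicable" when no keyval_zone exists at all, and flags a finding otherwise. The embedded configuration is constructed for illustration; the zone names and state paths in it are assumptions, not values from a real deployment.

```shell
#!/bin/sh
# Added example (not part of the STIG or NGINX): find keyval_zone directives
# that lack a timeout= parameter, per NGNX-APP-001690.
# Input is expected to be an `nginx -T` dump or a concatenated config file.

# Constructed sample standing in for `nginx -T` output. Zone names and state
# paths are illustrative assumptions, not taken from a real system.
SAMPLE_CONFIG='
# configuration file /etc/nginx/nginx.conf:
http {
    keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
    keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json;
    # keyval_zone zone=disabled_zone:1M;
    keyval_zone zone=refresh_tokens:1M timeout=30m;
    keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens;
}
'

# Print the name of every keyval_zone whose directive carries no timeout=,
# one per line. Commented-out lines and plain `keyval` mappings are skipped.
zones_without_timeout() {
    printf '%s\n' "$1" \
      | grep -v -E '^[[:space:]]*#' \
      | grep -E '^[[:space:]]*keyval_zone[[:space:]]' \
      | grep -v -E '[[:space:]]timeout=[^[:space:];]+' \
      | sed -E 's/.*zone=([^[:space:]:;]+).*/\1/'
}

# Number of zones missing a timeout; 0 means the configuration passes.
count_zones_without_timeout() {
    zones_without_timeout "$1" | grep -c .
}

# Evaluate one config dump the way the STIG check does: no keyval_zone at all
# is "not applicable", any zone without a timeout is a finding, otherwise pass.
# Returns 1 on a finding so it can drive a CI or compliance job.
evaluate_config() {
    if ! printf '%s\n' "$1" \
         | grep -v -E '^[[:space:]]*#' \
         | grep -q -E '^[[:space:]]*keyval_zone[[:space:]]'; then
        echo "NOT_APPLICABLE"
        return 0
    fi
    missing=$(zones_without_timeout "$1")
    if [ -n "$missing" ]; then
        echo "FINDING: keyval_zone without timeout: $(printf '%s' "$missing" | tr '\n' ',')"
        return 1
    fi
    echo "PASS"
    return 0
}

# Run against the constructed sample. On a live host pass "$(nginx -T 2>&1)"
# instead, so included files are covered as well as nginx.conf itself.
evaluate_config "$SAMPLE_CONFIG" \
  || echo "Remediate: add timeout=<organization-defined value> to each listed keyval_zone, then run: nginx -s reload"
```

Feeding the script `nginx -T` output rather than a single file matters because keyval_zone directives may live in any included file; the check only passes when every zone holding credentials carries a timeout.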
Additional Identifiers
Rule ID: SV-278401r1171955_rule
Vulnerability ID: V-278401
Group Title: SRG-APP-000400
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002007 | Prohibit the use of cached authenticators after an organization-defined time period. |
Controls
| Number | Title |
|---|---|
| IA-5(13) | Expiration of Cached Authenticators |