Check: NGNX-APP-001840
F5 NGINX STIG:
NGNX-APP-001840
(in version v1 r1)
Title
NGINX must be configured to pass security attributes to proxies. (Cat II impact)
Discussion
If security attributes are not associated with the information being transmitted between components, then access control policies and information flows that depend on these security attributes will not function and unauthorized access may result. Security attributes are values associated with data content/structure and source/destination objects. These attributes are bound to the user and data objects and may include information about the data's purpose, creator, origin, access restrictions, access permissions, or classification. Specific security attributes used depend on the application or technology context. However, these attributes are used in information systems to implement security policy for access control and flow control for users, data, and traffic. Security attributes may be explicitly or implicitly associated with the information contained within the information system. This requirement applies to those applications that transmit or receive data between components. Information system components include, for example, mainframes, workstations, servers (e.g., database, email, authentication, web, proxy, file, domain name), input/output devices (e.g., scanners, copiers, printers), network components (e.g., firewalls, routers, gateways, voice and data switches, process controllers, wireless access points, network appliances, sensors), operating systems, virtual machines, middleware, and applications.
Check Content
Determine the path to NGINX config file(s):

```
nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
```

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Verify the embedded security attributes are present as HTTP headers:

```
server {
    listen 443 ssl;
    server_name secure-api.example.com;

    location /data {
        proxy_pass http://backend_service;
        proxy_set_header X-Security-Classification "Confidential";
        proxy_set_header X-Data-Origin "Internal-System";
        proxy_set_header X-Access-Permissions "Read,Write";
    }
}
```

If the "proxy_pass" directive is not set, or "proxy_set_header" is not set for the required headers, this is a finding.
Fix Text
Determine the path to NGINX config file(s):

```
nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
```

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Include the "proxy_pass" directive as well as the "proxy_set_header" values as required:

```
proxy_pass http://backend_service;
proxy_set_header X-Security-Classification "Confidential";
proxy_set_header X-Data-Origin "Internal-System";
proxy_set_header X-Access-Permissions "Read,Write";
```

After saving the configuration, reload NGINX:

```
# nginx -s reload
```
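An added audit helper (not part of the STIG or of NGINX itself) that applies this check to a saved `nginx -T` dump: it walks the block structure, reports every proxied block missing one of the three attribute headers, and assumes a simplified directive parser and a constructed sample config. It also shows the inheritance pitfall a reviewer should know: a location that sets any `proxy_set_header` of its own no longer inherits the attribute headers from its enclosing server block.

```python
import re

# Attribute headers the STIG check expects on every proxied location.
REQUIRED_HEADERS = ("X-Security-Classification", "X-Data-Origin", "X-Access-Permissions")

def audit_proxy_headers(config_text):
    """Return {block: [missing headers]} for every block with a proxy_pass that
    lacks one of REQUIRED_HEADERS. Mirrors NGINX inheritance: proxy_set_header is
    inherited only by blocks that set none themselves (parent lines must precede)."""
    findings, stack = {}, []  # stack: one dict per open { } block
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments
    for body, delim in re.findall(r"([^{};]*)([{};])", text):
        words = body.split()
        if delim == "{":
            stack.append({"name": " ".join(words), "headers": set(), "proxy": False})
        elif delim == ";" and words and stack:
            if words[0] == "proxy_pass":
                stack[-1]["proxy"] = True
            elif words[0] == "proxy_set_header" and len(words) > 1:
                stack[-1]["headers"].add(words[1])
        elif delim == "}" and stack:
            block = stack.pop()
            if not block["proxy"]:
                continue  # not proxied: outside the scope of this check
            effective = block["headers"] or next(
                (p["headers"] for p in reversed(stack) if p["headers"]), set())
            missing = [h for h in REQUIRED_HEADERS if h not in effective]
            if missing:
                findings[block["name"]] = missing
    return findings

# Constructed sample: /data inherits the server-level headers, while /reports
# sets its own proxy_set_header (Host) and so silently loses the inherited ones.
SAMPLE_CONFIG = """
http {
    server {
        proxy_set_header X-Security-Classification "Confidential";
        proxy_set_header X-Data-Origin "Internal-System";
        proxy_set_header X-Access-Permissions "Read,Write";
        location /data { proxy_pass http://backend_service; }
        location /reports {
            proxy_set_header Host $host;
            proxy_pass http://backend_service;
        }
    }
}
"""

if __name__ == "__main__":
    print(audit_proxy_headers(SAMPLE_CONFIG))  # finding for "location /reports" only
```

Feed it the output of `nginx -T` rather than a single file so included files are covered too.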
Additional Identifiers
Rule ID: SV-278402r1171958_rule
Vulnerability ID: V-278402
Group Title: SRG-APP-000419
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002455 | Associate organization-defined security attributes with information exchanged between system components. |
Controls
| Number | Title |
|---|---|
| SC-16 | Transmission of Security and Privacy Attributes |