Title

NGINX must be configured to require SSL sessions to reauthenticate no longer than 15 minutes. (Cat II impact)

Discussion

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances. (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.

Check Content

Determine the path to NGINX config file(s): nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Examine the SSL configuration settings: grep -R 'ssl_' /etc/nginx/nginx.conf Verify that "ssl_session_timeout" is not set to greater than 15. If "ssl_session_timeout" directive is missing or set to greater than 15, this is a finding.

Fix Text

Set the ssl_session_timeout directive to 15 or less. Note: The default setting is five minutes and meets the control, but this STIG explicitly sets the variable to not rely on a default which may change in future versions.

Additional Identifiers

Rule ID: SV-278399r1172775_rule

Vulnerability ID: V-278399

Group Title: SRG-APP-000389

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.