This checklist translates the F5 NGINX STIG (Ver 1, Rel 1) into practical, actionable hardening steps for administrators and security engineers. Use it to inventory, configure, and validate NGINX instances against DISA guidance and common best practices.
- Download and review the F5 NGINX STIG document — Obtain Ver 1, Rel 1 from DISA or public.cyber.mil and read scope/requirements.
- Inventory NGINX instances and versions — List hosts, roles (proxy/load balancer/app server), and installed NGINX variants.
- Backup current NGINX configuration and certificates — Export nginx.conf, vhosts, TLS certs, and related files to secure storage.
- Apply system and NGINX security patches — Update OS packages and NGINX to latest stable or STIG-approved releases.
- Enforce least privilege on NGINX files and directories — Set correct ownership and restrictive permissions for configs, logs, and web roots.
- Disable unused NGINX modules and features — Remove or turn off modules not required by your deployment to reduce attack surface.
- Configure strong TLS settings — Apply STIG-recommended TLS controls for confidentiality and integrity.
- Set minimum TLS version to TLS 1.2 or higher — Enforce ssl_protocols TLSv1.2 TLSv1.3 (or per STIG guidance).
- Enable strong cipher suites and disable weak ciphers — Configure ssl_ciphers and ssl_prefer_server_ciphers to STIG-approved lists.
- Enable OCSP stapling and HSTS where appropriate — Turn on stapling and set HSTS only for HTTPS sites that support it.
- Implement access controls for management interfaces — Restrict admin UI/API by IP, use strong auth and MFA for management accounts.
- Enable and centralize access and error logging — Configure detailed logs and forward to SIEM or centralized syslog for analysis.
- Configure rate limiting and connection limits — Use limit_req, limit_conn and worker_connections to mitigate abuse and DoS.
- Harden HTTP headers and disable information leakage — Disable server tokens and add X-Frame-Options, X-Content-Type-Options, CSP.
- Enable WAF or application-layer protections — Activate ModSecurity or F5 WAF and apply rulesets appropriate to apps.
- Automate configuration backups and change tracking — Use version control and scheduled exports for nginx configs and certs.
- Perform vulnerability scan and review CVEs — Scan instances and consult NIST/NVD and DISA for applicable advisories.
- Validate STIG compliance and document exceptions — Run STIG tools, record findings, and document any accepted waivers or mitigations.
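The following nginx.conf is an added example that implements the configuration items of the checklist above (server_tokens, TLS version and ciphers, OCSP stapling, HSTS and other headers, limit_req/limit_conn/worker_connections, and centralized logging). It is not taken from the F5 NGINX STIG or from F5. The hostname, certificate paths, syslog collector and resolver addresses, limit values, and the cipher list are assumptions; the cipher list in particular is an illustrative ECDHE/AEAD set, not the STIG-approved list, and should be replaced with the approved list when validating.

```nginx
# Added example: minimal nginx.conf covering the TLS, header, logging and
# rate-limit items of the checklist. Not from the STIG or F5. Hostnames,
# paths, the syslog/resolver addresses and limit values are placeholders.

user  nginx;
worker_processes auto;
# Error log forwarded to the central syslog collector (address assumed).
error_log syslog:server=10.0.0.5:514,facility=local6,tag=nginx warn;

events {
    worker_connections 1024;   # per-worker cap on simultaneous connections
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Hide the NGINX version in the Server header and on error pages.
    server_tokens off;

    # Structured access log shipped to the central collector for SIEM ingestion.
    log_format stig_json escape=json
        '{"ts":"$time_iso8601","client":"$remote_addr","request":"$request",'
        '"status":$status,"bytes":$body_bytes_sent,"ua":"$http_user_agent",'
        '"tls":"$ssl_protocol/$ssl_cipher"}';
    access_log syslog:server=10.0.0.5:514,facility=local6,tag=nginx stig_json;

    # Per-client request and connection limit zones (defined in http{},
    # applied in the server block below).
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Plaintext listener only redirects, so HSTS is only ever sent over TLS.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        ssl_certificate     /etc/nginx/tls/www.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;

        # Minimum TLS 1.2. The cipher list is an illustrative ECDHE/AEAD set,
        # not the STIG's list; substitute the approved list when validating.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;

        # OCSP stapling; the trusted chain lets NGINX verify the stapled response.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/tls/chain.pem;
        resolver 10.0.0.53 valid=300s;

        # Security headers; "always" attaches them to error responses as well.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

        # Apply the per-client limits defined above.
        limit_req  zone=req_per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;

        location / {
            root  /var/www/html;
            index index.html;
        }
    }
}
```

Validate the file with `nginx -t -c /etc/nginx/nginx.conf` before reloading. One caveat worth checking during validation: add_header directives are inherited by a location only if that location sets no add_header of its own, so any location that adds its own header must repeat the full set or the security headers silently disappear from its responses.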