V-26326.rb Initial
rx294 committed Jun 12, 2017
commit 07264c16a4bd77bb01754031042bd8edec7ff1db
70 changes: 70 additions & 0 deletions controls/V-26326.rb
@@ -0,0 +1,70 @@
# encoding: utf-8
#
=begin
-----------------
Benchmark: APACHE SERVER 2.2 for Unix
Status: Accepted

All directives specified in this STIG must be specifically set (i.e. the
server is not allowed to revert to programmed defaults for these directives).
Included files should be reviewed if they are used. Procedures for reviewing
included files are included in the overview document. The use of .htaccess
files are not authorized for use according to the STIG. However, if they are
used, there are procedures for reviewing them in the overview document. The
Web Policy STIG should be used in addition to the Apache Site and Server STIGs
in order to do a comprehensive web server review.

Release Date: 2015-08-28
Version: 1
Publisher: DISA
Source: STIG.DOD.MIL
uri: http://iase.disa.mil
-----------------
=end

control "V-26326" do
title "The web server must be configured to listen on a specific IP address and port."

desc "The nginx listen directive specifies the IP addresses and port numbers
the nginx web server will listen for requests. Rather than be unrestricted
to listen on all IP addresses available to the system, the specific IP
address or addresses intended must be explicitly specified. Specifically a
Listen directive with no IP address specified, or with an IP address of
zero’s should not be used. Having multiple interfaces on web servers is
fairly common, and without explicit Listen directives, the web server is
likely to be listening on an inappropriate IP address / interface that were
not intended for the web server. Single homed system with a single IP
addressed are also required to have an explicit IP address in the Listen
directive, in case additional interfaces are added to the system at a later
date."

impact 0.5
tag "severity": "medium"
tag "gtitle": "WA00555"
tag "gid": "V-26326"
tag "rid": "SV-33228r1_rule"
tag "stig_id": "WA00555 A22"
tag "nist": ["CM-7", "Rev_4"]

tag "check": "Enter the following command:

grep ""Listen""on the nginx.conf file and any separate included
configuration files.

Review the results for the followingdirective: listen

For any enabled Listen directives ensure they specify both an IP address and
port number.

If the Listen directive is found with only an IP address, or only a port
number specified, this is finding. If the IP address is all zeros (i.e.
0.0.0.0:80 or [::ffff:0.0.0.0]:80, this is a finding. If the Listen
directive does not exist, this is a finding."

tag "fix": "Edit the nginx.conf file and set the ""listen"" directive to
listen on a specific IP address and port. "

# START_DESCRIBE V-26326
# STOP_DESCRIBE V-26326

end
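
Review bot: The control body is empty between `# START_DESCRIBE V-26326` and `# STOP_DESCRIBE V-26326`, so the control asserts nothing and the procedure in the `check` tag is never evaluated. Add a describe block there that inspects every enabled listen directive and fails when one lacks an IP address or a port, when the address is all zeros (0.0.0.0 or [::ffff:0.0.0.0]), or when no listen directive exists. In the `check` and `fix` tags, the doubled quotes in `grep ""Listen""on` and `""listen""` are parsed by Ruby as adjacent string literals, so the quote characters drop out and the check text renders as `grep Listenon`; escape them as `\"` or single-quote the outer string, and search for the lowercase `listen` that nginx uses, since a case-sensitive grep for `Listen` would miss it. The header comment still names the "APACHE SERVER 2.2 for Unix" benchmark while the title and description refer to nginx, and `followingdirective` and the unclosed parenthesis after `(i.e.` in the check text need tidying.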