alivx.ansible_cis_nginx_hardening

Panoramica Versioni Approfondimenti

Ansible CIS Nginx Hardening Build Status (still under Testing Phase)

This project is based on the CIS NGINX Benchmark v1.0.0 - 02-28-2019.

Nginx is one of the most commonly used free and open-source web servers for hosting busy websites. It's known for its reliability, great performance, low resource usage, and easy configuration. However, the default settings aren't secure, so adjustments are necessary to protect the server against attacks. This role sets up a secure configuration for NGINX on Ubuntu.

Scoring Information

  • Scored (implemented in this role): Not following "Scored" recommendations will lower the benchmark score. Following them will raise the score.
  • Not Scored (not implemented in this role): Not following "Not Scored" recommendations won't affect the score either way.

Main Benefits of Using NGINX Packages from Your Vendor:

  • Simpler installation
  • Dependency management
  • Better maintenance and security updates
  • Quality checks by your vendor

Requirements

To use this role, install the latest Nginx package from the operating system's repository. It’s best to run this role on a fresh Nginx server, but it may work if Nginx is already installed.

Role Variables

Here are some configuration variables used in this role:

large_client_header_buffers: "2 1k"
client_max_body_size: "100K"
client_body_timeout: 10
client_header_timeout: 10
strict_transport_security_max_age: 15768000 # six months in seconds
nginx_site_config_dir: /etc/nginx/sites-available/
ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
nginx_key: /etc/ssl/private/nginx-selfsigned.key
nginx_cert: /etc/ssl/certs/nginx-selfsigned.crt
backendserver: http://localhost:3000
backendserver_ssl: True
access_log: /var/log/nginx/alivx.com.access.log
error_log: /var/log/nginx/alivx.com.error.log warn
domainName: 172.16.186.129

Dependencies

  • No specific dependencies listed.

Example Playbook

Here's an example of how to use this role in a playbook:

---
- hosts: host1
  become: yes
  remote_user: root
  gather_facts: no
  roles:
    - { role: "ansible-cis-nginx-hardening" }

Benchmarks

  1. Initial Setup
    • 1.1 Installation
      • Ensure NGINX is installed (Scored)
    • 1.2 Configure Software Updates
  2. Basic Configuration
    • Minimize NGINX Modules
      • Ensure HTTP WebDAV module is not installed (Scored)
      • Ensure gzip functionality modules are disabled (Scored)
      • Ensure autoindex module is disabled (Scored)
    • Account Security
      • Ensure the NGINX service account is locked (Scored)
      • Ensure the NGINX service account has an invalid shell (Scored)
    • Permissions and Ownership
      • Ensure NGINX directories and files are owned by root (Scored)
      • Ensure access to NGINX directories and files is restricted (Scored)
      • Ensure the PID file is secured (Scored)
    • Network Configuration
      • Ensure NGINX only listens on authorized ports (Not Scored)
      • Ensure keepalive_timeout is 10 seconds or less (Scored)
      • Ensure send_timeout is 10 seconds or less (Scored)
    • Information Disclosure
      • Ensure server_tokens directive is set to off (Scored)
      • Ensure default error and index.html pages don't mention NGINX (Scored)
      • Ensure reverse proxy doesn't enable information disclosure (Scored)
  3. Logging
    • Ensure access logging is enabled (Scored)
    • Ensure error logging is enabled (Scored)
    • Ensure log files are rotated (Scored)
    • Ensure proxies pass source IP information (Scored)
  4. Encryption
    • TLS / SSL Configuration
      • Ensure HTTP is redirected to HTTPS (Scored)
      • Ensure private key permissions are limited (Scored)
      • Ensure only modern TLS protocols are used (Scored)
      • Ensure weak ciphers are disabled (Scored)
      • Ensure custom Diffie-Hellman parameters are used (Scored)
      • Ensure OCSP stapling is enabled (Scored)
      • Ensure HSTS is enabled (Scored)
  5. Request Filtering and Restrictions
    • Access Control
    • Request Limits
      • Ensure timeout values for reading headers and body are correct (Scored)
      • Ensure maximum request body size is set correctly (Scored)
      • Ensure maximum buffer size for URIs is defined (Scored)
    • Browser Security
      • Ensure X-Frame-Options header is configured (Scored)
      • Ensure X-Content-Type-Options header is configured (Scored)
      • Ensure X-XSS-Protection header is enabled (Scored)

License

This project is licensed under the GNU General Public License.

Author Information

The role was originally developed by Ali Saleh Baker. If you wish to contribute, please discuss your planned changes with me first, via a GitHub issue, email, or other methods.

Informazioni sul progetto

Nginx CIS

role ansible cis cisecurity cloud hardening nginx security system ubuntu webserver
Installa
ansible-galaxy install alivx.ansible_cis_nginx_hardening
GitHub repository
5 stelle
4 fork
0 problemi aperti
Licenza
agpl-3.0
Download
132
Proprietario
Ali
Everything