Draft CIS Benchmark 1.1.5
Description
Permissions on NGINX directories should generally be rwxr-xr-x (755) and file permissions should be similar except not executable if executable is not appropriate. This applies to all of the NGINX software directories and files installed with the possible exception of the web document root $NGINX_PREFIX/html. The directories and files in the web document root may have a designated group with write access to allow web content to be updated. In summary, the minimum recommendation is to not allow write access by other.
Rationale
Restricting write permissions on the NGINX files and directories can help mitigate attacks that modify web content to provide unauthorized access, or to attack web clients.
Remediation
Perform the following to remove other write access on the $NGINX_PREFIX directories:

    # chmod -R o-w $NGINX_PREFIX
Audit
Identify files or directories in the NGINX directory with other write access, excluding symbolic links:

    # find -L $NGINX_PREFIX \! -type l \! -type s -perm /o=w -ls
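
An added example (not part of the draft benchmark text): a POSIX shell run of the audit, the remediation and a re-audit against a constructed temporary tree standing in for $NGINX_PREFIX. The function names and the sample layout are assumptions; `-perm -0002` is used as the portable spelling of the GNU `-perm /o=w` test in the audit command.

```shell
#!/bin/sh
# Added example: audit -> remediate -> re-audit on a constructed tree.

# List entries under $1 that grant write access to "other".
# -perm -0002 matches the same entries as GNU "-perm /o=w" (one bit tested).
# -L evaluates each link's target; "! -type l" then drops links whose target
# is missing, since a link's own mode on Linux is always rwxrwxrwx.
audit_other_write() {
    find -L "$1" ! -type l ! -type s -perm -0002 -print
}

# Number of findings, for use in scripts and CI checks.
count_findings() {
    audit_other_write "$1" | wc -l | tr -d ' '
}

# Remediation step from the benchmark text.
remediate_other_write() {
    chmod -R o-w "$1"
}

# Build a constructed sample prefix (hypothetical layout) and print its path.
make_sample_prefix() {
    p=$(mktemp -d) || return 1
    mkdir -p "$p/conf" "$p/html" "$p/logs"
    : > "$p/conf/nginx.conf";  chmod 644 "$p/conf/nginx.conf"
    : > "$p/html/index.html";  chmod 666 "$p/html/index.html"  # finding
    chmod 755 "$p" "$p/conf"
    chmod 775 "$p/html"    # group write in the document root: allowed
    chmod 757 "$p/logs"    # finding
    ln -s nginx.conf "$p/conf/alias.conf"        # link to a 644 file
    ln -s /nonexistent-target "$p/conf/dangling" # broken link, skipped
    printf '%s\n' "$p"
}

prefix=$(make_sample_prefix)
echo "before remediation: $(count_findings "$prefix") finding(s)"
audit_other_write "$prefix"
remediate_other_write "$prefix"
echo "after remediation:  $(count_findings "$prefix") finding(s)"
rm -rf "$prefix"
```
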