Draft CIS Benchmark 1.1.6
Description
The working_directory directive specifies the directory in which NGINX attempts to create core dumps. Core dumps are disabled if that directory is not writable by the NGINX user. It is recommended that working_directory be set to a directory that is owned by the root user, group-owned by the group the NGINX process executes as, and inaccessible to other users.
Rationale
Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.
Remediation
Either remove the working_directory directive from the NGINX configuration files or ensure that the configured directory meets the following requirements:
1. working_directory must not be within the NGINX web document root ($NGINX_PREFIX/html).
2. The directory must be owned by root and have a group ownership of the NGINX group (the primary group of the nginx user):
   # chown root:nginx /var/log/nginx
3. The directory must have no read, write or search permission for other users:
   # chmod o-rwx /var/log/nginx
Audit
Verify that either the working_directory directive is not enabled in any of the NGINX configuration files or that the configured directory meets the following requirements:
1. working_directory is not within the NGINX web document root ($NGINX_PREFIX/html).
2. The directory is owned by root and has a group ownership of the NGINX group (the primary group of the nginx user).
3. The directory has no read, write or search permission for other users (i.e. none of the o=rwx bits are set).
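The audit and remediation steps above, as an added POSIX shell example that is not part of the benchmark draft: it lists every working_directory directive in a configuration file and checks the three requirements for each directory. The default owner root, group nginx and prefix /usr/local/nginx are assumptions; pass your own values as arguments.

```shell
#!/bin/sh
# Example audit helper for this benchmark item; not part of the CIS benchmark text.
# Assumes GNU or BSD `stat`. Defaults (owner root, group nginx, prefix
# /usr/local/nginx) are assumptions; pass your own values.

# Print every working_directory value in a config file, comments stripped.
# Prints nothing when the directive is absent (the benchmark's other passing case).
find_working_directory() {
  sed 's/#.*//' "$1" |
    awk '$1 == "working_directory" { sub(/;.*/, "", $2); print $2 }'
}

# Return 0 when DIR meets all three requirements, 1 otherwise, printing each failure.
# check_working_directory DIR [OWNER] [GROUP] [DOCROOT]
check_working_directory() {
  dir=$1 want_owner=${2:-root} want_group=${3:-nginx}
  docroot=${4:-${NGINX_PREFIX:-/usr/local/nginx}/html}
  rc=0
  # 1. Not within the web document root
  case $dir in
    "$docroot"|"$docroot"/*) echo "FAIL: $dir is inside document root $docroot"; rc=1 ;;
  esac
  [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
  # owner, group and octal mode, e.g. "root nginx 750" (GNU stat first, BSD fallback)
  set -- $(stat -c '%U %G %a' "$dir" 2>/dev/null || stat -f '%Su %Sg %Lp' "$dir")
  owner=$1 group=$2 mode=$3
  # 2. Owned by root, group-owned by the NGINX group
  [ "$owner" = "$want_owner" ] || { echo "FAIL: $dir owner is $owner, want $want_owner"; rc=1; }
  [ "$group" = "$want_group" ] || { echo "FAIL: $dir group is $group, want $want_group"; rc=1; }
  # 3. No read, write or search permission for others: last octal digit must be 0
  case $mode in
    *0) ;;
    *) echo "FAIL: $dir mode is $mode, others must have no rwx (chmod o-rwx)"; rc=1 ;;
  esac
  [ $rc -eq 0 ] && echo "PASS: $dir"
  return $rc
}

# Audit a config file: pass when the directive is absent or every directory passes.
audit_nginx_conf() {
  dirs=$(find_working_directory "$1")
  [ -n "$dirs" ] || { echo "PASS: no working_directory directive in $1"; return 0; }
  rc=0
  for d in $dirs; do check_working_directory "$d" || rc=1; done
  return $rc
}

if [ $# -ge 1 ]; then audit_nginx_conf "$1"; fi
```

Run it against the output of nginx -T saved to a file so that included configuration files are covered as well.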