NGINX must prevent the execution of unapproved modules.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-278387	SRG-APP-000112	NGNX-APP-000370	SV-278387r1172701_rule	2026-01-07	1

Description
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Actions enforced before executing mobile code include prompting users prior to opening email attachments and disabling automatic execution. Usage restrictions and implementation guidance apply to both the selection and using the mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and antivirus applications).

Description

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Actions enforced before executing mobile code include prompting users prior to opening email attachments and disabling automatic execution. Usage restrictions and implementation guidance apply to both the selection and using the mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and antivirus applications).

ℹ️ Check
Check nginx.conf for external modules being loaded (grep load_module). If additional modules are being loaded, confirm the directory does not include write or execute for other users. Determine the path to nginx config file(s): # nginx -qT \| grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. # grep load_module /etc/nginx/nginx.conf load_module modules/ngx_http_app_protect_module.so; # ls -la /etc/nginx/modules lrwxrwxrwx 1 root root 22 Oct 10 2023 modules -> /usr/lib/nginx/modules # ls -la /usr/lib/nginx drwxr-xr-x root root 4096 Jan 30 2024 modules If directory where modules are loaded is writeable by other, this is a finding.

ℹ️ Check

Check nginx.conf for external modules being loaded (grep load_module). If additional modules are being loaded, confirm the directory does not include write or execute for other users. Determine the path to nginx config file(s): # nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. # grep load_module /etc/nginx/nginx.conf load_module modules/ngx_http_app_protect_module.so; # ls -la /etc/nginx/modules lrwxrwxrwx 1 root root 22 Oct 10 2023 modules -> /usr/lib/nginx/modules # ls -la /usr/lib/nginx drwxr-xr-x root root 4096 Jan 30 2024 modules If directory where modules are loaded is writeable by other, this is a finding.

✔️ Fix
Set permissions on directory containing external modules to read only for "Other" only. The directory may be organizationally defined. The default path is /usr/lib/nginx/modules. # chmod o-wx /usr/lib/nginx/modules