NGINX must be configured to require SSL sessions to reauthenticate no longer than 15 minutes.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-278399	SRG-APP-000389	NGNX-APP-001640	SV-278399r1172775_rule	2026-01-07	1

Description
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances. (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.

Description

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances. (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.

ℹ️ Check
Determine the path to NGINX config file(s): nginx -qT \| grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Examine the SSL configuration settings: grep -R 'ssl_' /etc/nginx/nginx.conf Verify that "ssl_session_timeout" is not set to greater than 15. If "ssl_session_timeout" directive is missing or set to greater than 15, this is a finding.

ℹ️ Check

Determine the path to NGINX config file(s): nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Examine the SSL configuration settings: grep -R 'ssl_' /etc/nginx/nginx.conf Verify that "ssl_session_timeout" is not set to greater than 15. If "ssl_session_timeout" directive is missing or set to greater than 15, this is a finding.

✔️ Fix
Set the ssl_session_timeout directive to 15 or less. Note: The default setting is five minutes and meets the control, but this STIG explicitly sets the variable to not rely on a default which may change in future versions.