NGINX must be configured to expire cached authenticators after an organization-defined time period.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-278401 | SRG-APP-000400 | NGNX-APP-001690 | SV-278401r1171955_rule | 2026-01-07 | 1 |
Description
If cached authentication information is out of date, the validity of the authentication information may be questionable.
ℹ️ Check
If a keyval store is not used to store tokens, this is not applicable.
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Determine whether a keyval store is used and whether each zone has a timeout. Because the configuration may span several included files, search the full dumped configuration rather than a single file:
# nginx -T | grep keyval_zone
or, for a single file:
grep keyval <location of config>
Example:
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
If any keyval_zone directive that stores tokens or other credentials has no "timeout=" parameter, or its timeout does not match the organization-defined value, this is a finding.
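The check above can be scripted so it is repeatable across hosts. The following is an added example, not part of the STIG text: it reads an NGINX configuration dump on stdin (for example the output of `nginx -T`), extracts every `keyval_zone` directive, and reports zones that have no `timeout=` or whose timeout exceeds an organization-defined maximum given in seconds. The sample configuration and the 3600-second policy value are constructed for illustration; substitute the organization's own value.

```shell
#!/bin/sh
# Added example (not from the STIG): audit keyval_zone directives for a timeout
# no longer than an organization-defined maximum.
# Usage: nginx -T 2>/dev/null | audit_keyval_zones 3600

# Convert an NGINX time value (30s, 15m, 1h, 2d, or a bare number of seconds)
# to seconds. Compound values such as "1h30m" are rejected (return 1) so the
# caller reports them rather than silently miscomputing them.
nginx_time_to_seconds() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[smhd]?$' || return 1
    n=${1%[smhd]}
    case "$1" in
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *d) echo $((n * 86400)) ;;
        *)  echo "$n" ;;
    esac
}

# Read a configuration dump on stdin and print "FINDING <zone> <reason>" for
# every keyval_zone with no timeout, an unparsable timeout, or a timeout longer
# than $1 seconds. Returns 0 when there are no findings, 1 otherwise.
audit_keyval_zones() {
    max=$1
    out=$(sed 's/#.*$//' | grep -E '^[[:space:]]*keyval_zone[[:space:]]' | while read -r line; do
        zone=$(printf '%s\n' "$line" | sed -nE 's/.*zone=([^:[:space:];]+).*/\1/p')
        timeout=$(printf '%s\n' "$line" | sed -nE 's/.*[[:space:]]timeout=([^[:space:];]+).*/\1/p')
        if [ -z "$timeout" ]; then
            echo "FINDING $zone no timeout"
        elif ! secs=$(nginx_time_to_seconds "$timeout"); then
            echo "FINDING $zone unparsable timeout=$timeout"
        elif [ "$secs" -gt "$max" ]; then
            echo "FINDING $zone timeout=$timeout exceeds ${max}s"
        fi
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample configuration (not taken from a real system): one
# compliant zone, one with no timeout, one whose timeout exceeds the policy.
SAMPLE_CONF='
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json;
keyval_zone zone=refresh_tokens:1M timeout=30d;  # far beyond policy
keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens;
'

# Run against the sample with a hypothetical one-hour policy when executed directly.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf '%s\n' "$SAMPLE_CONF" | audit_keyval_zones 3600
fi
```

Pipe the real dump in with `nginx -T 2>/dev/null | audit_keyval_zones <max-seconds>`; a non-zero exit status means at least one finding. Comments are stripped first so a commented-out `timeout=` is not counted as present.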
✔️ Fix
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Edit the configuration and add a "timeout=" parameter, set to the organization-defined value, to every keyval_zone that stores tokens or other credentials. For example, with a one-hour limit:
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
Reload NGINX so the new configuration takes effect:
nginx -s reload