NGINX must be configured to expire cached authenticators after an organization-defined time period.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-278401 | SRG-APP-000400 | NGNX-APP-001690 | SV-278401r1171955_rule | 2026-01-07 | 1 |
| Description |
|---|
| If cached authentication information is out of date, the validity of the authentication information may be questionable. |
| ℹ️ Check |
|---|
If a keyval store is not used to store tokens, this is not applicable.

Determine the path to the NGINX config file:

```
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
```

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various other files may also be included from it.

Determine whether a keyval store is used and no timeout is specified:

```
grep keyval <location of config>
```

Example of a compliant directive:

```
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
```

If a timeout is not specified, or is not set to the organization-defined timeout value, this is a finding.
| ✔️ Fix |
|---|
Determine the path to the NGINX config file:

```
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
```

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various other files may also be included from it.

Edit the config and set a timeout on any keyval zone that stores credentials:

```
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
```

Reload NGINX to apply the change:

```
nginx -s reload
```