Ensure the NGINX service account is locked

Details

The nginx user account should have a password entry in /etc/shadow, but the account should be locked so that the password cannot be used to log in or to switch to the account.

NOTE: If a different account is used to run nginx (for example, www-data on Debian-based systems, or whatever the user directive in nginx.conf names), substitute that account’s name for nginx in the audit and remediation procedures.

Rationale:

As a defense-in-depth measure, the nginx service account should be locked so that nobody can log in as nginx or switch to it with su using its password. Locking the password does not affect the nginx service itself: the master process drops privileges to the service account without authenticating, so worker processes still run as nginx. In general there should be no need for anyone to su to nginx; where there is a need, sudo should be used instead, which does not require the nginx account password.

Solution

Use the passwd command to lock the nginx service account:

passwd -l nginx

This prefixes the account’s password hash in /etc/shadow with an exclamation mark, which disables password authentication while preserving the hash (passwd -u nginx reverses it). It does not change the account’s login shell; giving the service account a non-login shell is a separate control.
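The audit side of this control, as an added example that is not part of the original page: the script below reads the account nginx runs as from nginx.conf (falling back to nginx, the name this control assumes), classifies that account’s /etc/shadow entry the way passwd -S does, and only when asked applies the page’s remediation with passwd -l. The function names, the fallback and the sample inputs in the usage comment are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit and remediate the
# "NGINX service account is locked" control. Run the audit as root, since
# /etc/shadow is not world-readable.

# nginx_run_user CONF
#   Print the account named by the first `user` directive in CONF, or
#   "nginx" when no directive is present (assumption: the name this
#   control uses). Commented-out directives ("# user nobody;") are skipped
#   because their first field is the comment marker, not "user".
nginx_run_user() {
    u=$(awk '$1 == "user" { sub(/;.*/, "", $2); print $2; exit }' "$1")
    printf '%s\n' "${u:-nginx}"
}

# lock_state SHADOW_LINE
#   Print L (locked), NP (no password) or P (usable password) for one
#   /etc/shadow line, mirroring the status column of shadow-utils
#   `passwd -S` (the Red Hat passwd prints LK/NP/PS instead).
#   A field starting with '!' is a hash that `passwd -l` or `usermod -L`
#   disabled; '*' or '!!' means no usable password was ever set; an empty
#   field means the account has no password at all.
lock_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo NP ;;
        '!'*|'*'*) echo L ;;
        *)         echo P ;;
    esac
}

# audit_locked NAME
#   Return 0 when NAME's shadow entry is locked, 1 when it is not, and
#   2 when the entry cannot be read (no such account, or not running as
#   root).
audit_locked() {
    line=$(getent shadow "$1") || return 2
    [ "$(lock_state "$line")" = L ]
}

# remediate NAME
#   The page's remediation: lock the account. `passwd -l` prefixes the
#   existing hash with '!', so the hash is kept and `passwd -u` can
#   restore it. The login shell is untouched (a separate control).
remediate() {
    passwd -l "$1"
}

# Usage, as root (constructed, not run here):
#   u=$(nginx_run_user /etc/nginx/nginx.conf)
#   audit_locked "$u" || remediate "$u"
```

lock_state is deliberately fed a shadow line rather than an account name so it can be exercised against constructed entries; in production, audit_locked pulls the real line with getent, which also covers accounts served by NSS rather than the local file.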

Supportive Information

This security hardening control falls under the Configuration Management family of controls in NIST 800-53. It applies to Unix systems.

Updated on July 16, 2022