The Automation Controller web server must manage sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256940	APWS-AT-000020	SV-256940r903545_rule		Medium

Description
Session management on client and server is required to protect identity and authorization information. Sessions for the Automation Controller web server, if compromised, could lead to execution of jobs on remote endpoints as if authenticated. Satisfies: SRG-APP-000001-WSR-000002, SRG-APP-000001-WSR-000001, SRG-APP-000295-WSR-000012, SRG-APP-000295-WSR-000134

STIG	Date
Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide	2023-03-15

Details

Check Text ( C-60615r903545_chk )
Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication. The following parameters must be set: OAuth 2 Timeout Settings < 1800 seconds (No more than 30 minutes). The maximum number of simultaneous logged session must not be less than 0 (The default is -1) and must not match the organizationally defined maximum. Disable the built-in authentication system = ON Enable HTTP Basic Auth = Off OAuth 2 Timeout settings: "ACCESS_TOKEN_EXPIRE_SECONDS": 31536000000, "AUTHORIZATION_CODE_EXPIRE_SECONDS": 600, "REFRESH_TOKEN_EXPIRE_SECONDS": 2628000 Allow External Users to Create OAuth2 Tokens = Off Login redirect override URL = Not Configured or Blank Social Auth Organization Map = Null Social Auth Team Map = Null Social Auth User Fields = Null If any of these settings are incorrect, this is a finding.

Check Text ( C-60615r903545_chk )

Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication.

The following parameters must be set:

OAuth 2 Timeout Settings < 1800 seconds (No more than 30 minutes).

The maximum number of simultaneous logged session must not be less than 0 (The default is -1) and must not match the organizationally defined maximum.

Disable the built-in authentication system = ON

Enable HTTP Basic Auth = Off

OAuth 2 Timeout settings:

"ACCESS_TOKEN_EXPIRE_SECONDS": 31536000000,
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 600,
"REFRESH_TOKEN_EXPIRE_SECONDS": 2628000

Allow External Users to Create OAuth2 Tokens = Off

Login redirect override URL = Not Configured or Blank

Social Auth Organization Map = Null

Social Auth Team Map = Null

Social Auth User Fields = Null

If any of these settings are incorrect, this is a finding.

Fix Text (F-60557r903541_fix)
Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication. Click "Edit". Set the following parameters: OAuth 2 Timeout Settings < 1800 seconds. The maximum number of simultaneous logged session must equal 0 or the organizationally defined maximum. Disable the built-in authentication system = ON Enable HTTP Basic Auth = Off Access Token Expiration = 31536000000 Authorization Code Expiration = 600 Refresh Token Expiration = 2628000 Allow External Users to Create OAuth2 Tokens = Off Login redirect override URL = Not Configured or Blank Social Auth Organization Map = Null Social Auth Team Map = Null Social Auth User Fields = Null Click "Save".

Fix Text (F-60557r903541_fix)

Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication.

Click "Edit".

Set the following parameters:

OAuth 2 Timeout Settings < 1800 seconds.

The maximum number of simultaneous logged session must equal 0 or the organizationally defined maximum.

Disable the built-in authentication system = ON

Enable HTTP Basic Auth = Off

Access Token Expiration = 31536000000

Authorization Code Expiration = 600

Refresh Token Expiration = 2628000

Allow External Users to Create OAuth2 Tokens = Off

Login redirect override URL = Not Configured or Blank

Social Auth Organization Map = Null

Social Auth Team Map = Null

Social Auth User Fields = Null

Click "Save".