
All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.


Overview

Finding ID: V-256944
Version: APWS-AT-000230
Rule ID: SV-256944r902346_rule
IA Controls:
Severity: High
Description
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and nonrepudiation of the information. The Automation Controller NGINX web server host must have a mechanism to verify that files are valid prior to installation.
STIG: Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide
Date: 2023-03-15

Details

Check Text ( C-60619r902344_chk )
As a System Administrator, for each Automation Controller NGINX web server host, verify the integrity of the host's files:

aide --check

Verify the displayed checksums against previously reserved checksums of the Advanced Intrusion Detection Environment (AIDE) database.

If there are any unauthorized or unexplained changes against previous checksums, this is a finding.
Fix Text (F-60561r902345_fix)
As a System Administrator, for each Automation Controller NGINX web server host, check for an existing AIDE installation, or install AIDE:

yum install -y aide

Create or update the AIDE database immediately after initial installation of each Automation Controller NGINX web server host:

aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Accept any expected changes to the host by updating the AIDE database:

aide --update

The output will provide checksums for the AIDE database. Save them in a protected location.
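
Added example (not part of the STIG text): one way to keep a checksum of the AIDE database in a protected location and to refuse to trust aide --check when the database itself has changed. The BASELINE path and the function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not STIG text. BASELINE is a hypothetical path; point it at
# read-only or off-host storage so a host compromise cannot rewrite it.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"   # database path from the Fix Text
BASELINE="${BASELINE:-/root/aide-baseline/aide.db.gz.sha256}"

# Record the database's SHA-256 after `aide --init` or an approved update.
record_db_checksum() {
    local db="$1" baseline="$2" tmp
    [ -r "$db" ] || { echo "cannot read $db" >&2; return 2; }
    mkdir -p "$(dirname "$baseline")" || return 2
    tmp="$baseline.new.$$"
    ( umask 077 && sha256sum "$db" | awk '{print $1}' > "$tmp" ) || return 2
    chmod 0400 "$tmp" && mv -f "$tmp" "$baseline"   # atomic replace
}

# 0 = database matches the record, 1 = mismatch, 2 = a file is missing.
verify_db_checksum() {
    local db="$1" baseline="$2" want have
    [ -r "$db" ] && [ -r "$baseline" ] || return 2
    want="$(cat "$baseline")"
    have="$(sha256sum "$db" | awk '{print $1}')"
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Run `aide --check` only when the database is still the approved one.
checked_aide_run() {
    local rc
    verify_db_checksum "$AIDE_DB" "$BASELINE" || {
        echo "FINDING: AIDE database does not match its recorded checksum" >&2
        return 100   # this example's own status, chosen not to overlap AIDE's
    }
    rc=0
    aide --check || rc=$?
    # With --check, AIDE's exit status is a bitmask (1 new, 2 removed,
    # 4 changed files); values of 14 and above are errors.
    if [ "$rc" -eq 0 ]; then
        echo "no changes detected"
    elif [ "$rc" -lt 8 ]; then
        echo "changes detected (status $rc): review against approved changes" >&2
    else
        echo "aide error (status $rc)" >&2
    fi
    return "$rc"
}
```

Call record_db_checksum "$AIDE_DB" "$BASELINE" right after the database is created or an approved update is accepted, and call checked_aide_run for the routine check.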