All Automation Controller NGINX front-end web servers must not perform user management for hosted applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256946	APWS-AT-000250	SV-256946r902352_rule		Medium

Description
Web servers require enterprise-wide user management capability in order to prevent unauthorized access, with features like attempt lockouts and password complexity requirements. Unauthorized access to the web server makes the web server and the organization vulnerable to attack. Note: The underlying NGINX web server does not perform user management or authentication. The Automation Controller includes user management and authentication capabilities. However, the user management controls built into Automation Controller may not be sufficient to enforce the appropriate level of password, sessions, and other policies required. It is strongly recommended that Automation Controller be configured to use the organization's Identity Management/Authentication Service. This may be an AD/LDAP service, OIDC, or other supported authentication service.

Description

Web servers require enterprise-wide user management capability in order to prevent unauthorized access, with features like attempt lockouts and password complexity requirements. Unauthorized access to the web server makes the web server and the organization vulnerable to attack. Note: The underlying NGINX web server does not perform user management or authentication. The Automation Controller includes user management and authentication capabilities. However, the user management controls built into Automation Controller may not be sufficient to enforce the appropriate level of password, sessions, and other policies required. It is strongly recommended that Automation Controller be configured to use the organization's Identity Management/Authentication Service. This may be an AD/LDAP service, OIDC, or other supported authentication service.

STIG	Date
Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide	2023-03-15

Details

Check Text ( C-60621r902350_chk )
As a system administrator for each Automation Controller NGINX web server host, navigate to Settings >> Authentication. Review the configuration and verify that the appropriate authentication service is configured. If no authentication service is configured, this is a finding.

Fix Text (F-60563r902351_fix)
As a system administrator for each Automation Controller NGINX web server host, navigate to Settings >> Authentication. Configure the appropriate authentication service.