
The Automation Controller NGINX web server must employ cryptographic mechanisms (TLS/DTLS/SSL) to prevent the unauthorized disclosure of information during transmission.


Overview

Finding ID: V-256963
Version: APWS-AT-000850
Rule ID: SV-256963r902403_rule
IA Controls: (none listed)
Severity: Medium
Description
Preventing the disclosure of transmitted information requires that the Automation Controller web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.

Satisfies: SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113
STIG: Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide
Date: 2023-03-15

Details

Check Text ( C-60638r902401_chk )
As a System Administrator for each Automation Controller NGINX web server host, enumerate all available server connections (listen directives) that do not carry the ssl parameter:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}'` ; grep '\s*listen' $NGINXCONF | grep -v ssl

Note that this command searches only the file named by conf-path; server blocks pulled in through "include" directives (for example, files under /etc/nginx/conf.d/) are not searched. Either examine those files as well or dump the fully expanded configuration with "nginx -T". The "grep -v ssl" filter also keeps any listen directive whose line does not contain "ssl", so a block that relies on the deprecated "ssl on;" directive instead of the listen parameter will appear in the list and must be reviewed by hand.

Ensure that each available server connection that does not use SSL is upgraded to SSL, or otherwise handled, by an allowed method:

- it is redirected to an SSL server connection, e.g., "return 301 https://$host:443$request_uri;";
- it is rewritten to an SSL server URL, e.g., "rewrite ^ https://$host$request_uri? permanent;";
- it is dropped silently (in NGINX, "return 444;" closes the connection without sending a response);
- or it is handled by another organizationally approved method.

Examine the NGINX configuration, for example:

vi $NGINXCONF

If any available server connection is not handled or upgraded to SSL via an organizationally approved method, this is a finding.
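As an added illustration of this check (example code, not from the STIG or from Red Hat), the script below reads an NGINX configuration from standard input, strips comments, follows each server block by brace depth, and reports every block that has a listen directive without the ssl parameter unless the block also uses one of the allowed upgrades named above (a return to an https:// URL, a permanent rewrite to https://, or "return 444;", which closes the connection without a response). It is run here against a constructed sample configuration; the hostname, ports and certificate paths in it are placeholders. On a real host, feed it the fully expanded configuration from "nginx -T" so that included files are covered as well.

```shell
#!/bin/sh
# Added example: audit an NGINX configuration for plaintext listeners that
# are neither TLS nor upgraded by an approved method (not Red Hat code).

# Constructed sample configuration (placeholder names, ports and paths):
# block 1 serves plaintext and is never upgraded (finding);
# block 2 redirects to HTTPS; block 3 drops the connection; block 4 is TLS.
SAMPLE_CONF=$(cat <<'EOF'
http {
    server {
        listen 80;                       # plaintext, proxied as-is: finding
        server_name controller.example.com;
        location / {
            proxy_pass http://127.0.0.1:8013;
        }
    }
    server {
        listen 8080 default_server;
        server_name controller.example.com;
        return 301 https://$host:443$request_uri;   # allowed: redirect
    }
    server {
        listen 8443;
        return 444;                      # allowed: dropped silently
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl;
        ssl_certificate /etc/nginx/controller.crt;
        ssl_certificate_key /etc/nginx/controller.key;
        server_name controller.example.com;
    }
}
EOF
)

# audit_plaintext_listeners: reads an NGINX config on stdin and prints one
# line per server block that has a non-ssl listen: FINDING when the block is
# not upgraded, OK when it uses an allowed upgrade. TLS-only blocks are silent.
audit_plaintext_listeners() {
    awk '
    { sub(/#.*/, "") }                           # drop comments (incl. nginx -T file headers)
    /^[ \t]*server[ \t]*[{]/ {                   # start of a server block
        in_server = 1; depth = 0; start = NR
        plain = ""; ssl_on = 0; upgraded = ""
    }
    in_server {
        depth += gsub(/[{]/, "{")                # track nesting (location {...} etc.)
        depth -= gsub(/[}]/, "}")
        if ($1 == "listen" && $0 !~ /[ \t]ssl([ \t;]|$)/) {
            p = $2; sub(/;$/, "", p)             # address/port of a plaintext listener
            plain = plain " " p
        }
        if ($1 == "ssl" && $2 ~ /^on/) ssl_on = 1   # deprecated form: whole block is TLS
        if ($1 == "return" && $0 ~ /https:\/\//) upgraded = "redirects to HTTPS"
        if ($1 == "return" && $2 ~ /^444/) upgraded = "drops the connection (444)"
        if ($1 == "rewrite" && $0 ~ /https:\/\// && $0 ~ /permanent/) upgraded = "rewrites to HTTPS"
        if (depth == 0) {                        # closing brace of the server block
            in_server = 0
            if (ssl_on) plain = ""
            if (plain == "") next
            if (upgraded != "") {
                print "OK: server block at line " start " listens on" plain " and " upgraded
            } else {
                print "FINDING: server block at line " start " listens on" plain " without TLS or an approved upgrade"
            }
        }
    }'
}

# count_findings: number of FINDING lines for the config on stdin.
count_findings() {
    audit_plaintext_listeners | grep -c '^FINDING'
}

# Run against the constructed sample; on a real host use:
#   nginx -T 2>/dev/null | audit_plaintext_listeners
printf '%s\n' "$SAMPLE_CONF" | audit_plaintext_listeners
```

The parser is deliberately line-oriented, matching how the STIG check greps for listen directives; a listen or return directive split across several lines would need the config normalised first (nginx -T preserves the file layout, so inspect anything unusual by hand).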
Fix Text (F-60580r902402_fix)
As a System Administrator for each Automation Controller NGINX web server host, for each available server connection that is not handled or upgraded to SSL via an organizationally approved method, perform one of the following actions:

Remove the available server connection.
OR
Upgrade the connection via redirect to an SSL server connection.
OR
Rewrite the connection URL to an HTTPS server connection.
OR
Handle the connection by another organizationally defined method.

Validate the edited configuration with "nginx -t", then reload the NGINX server configuration (the master process keeps the running configuration if the new one fails to load):

pkill -HUP nginx

Alternatively, reinstall Automation Controller for each web server host.