Automation Controller NGINX web servers must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256964 | APWS-AT-000900 | SV-256964r961632_rule | CCI-002418 | medium |
| Description | ||||
| Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. | ||||
| STIG | Date | |||
| Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide | 2024-08-27 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
SC-8
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.13.8
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002418
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-256964r961632_chk)
As a System Administrator, for each Automation Controller NGINX web server, a TLS Configuration Check validates the TLS version used by the server:
NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo grep ssl_protocols ${NGINXCONF} | grep -E 'ssl_protocols\s+TLSv1.2;' || echo "FAILED"
If "FAILED" is displayed, this is a finding.
Fix Text (F-60581r902405_fix)
As a System Administrator for each Automation Controller Web Server, reconfigure the TLS versions or ciphers used in Automation Controller's web server:
NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo -e ${NGINXCONF}
Replace the line beginning with "ssl_protocols" to match (note the leading spaces):
" ssl_protocols TLSv1.2;"
If the "ssl_protocols" variable does not exist, add it after the line beginning with "ssl_ciphers".
Save the file and exit the text editor. To apply these changes to the running service immediately, restart the NGINX service with the following command:
sudo systemctl restart nginx