UCF STIG Viewer Logo

Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.


Overview

Finding ID Version Rule ID IA Controls Severity
V-234257 LVDA-VD-000030 SV-234257r628796_rule High
Description
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000039, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442
STIG Date
Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide 2021-02-01

Details

Check Text ( C-37442r612325_chk )
On the Delivery Controller, ensure the SSL encryption has been enabled for the delivery group (HdxSslEnabled:True) and the Delivery Controller uses FQDN of Linux VDA to contact target Linux VDA (DnsResolutionEnabled:True).

Execute the following commands in a PowerShell window on the Delivery Controller:
# Asnp citrix.*
# Get-BrokerAccessPolicyRule –DesktopGroupName ‘’ | format-list HdxSslEnabled
Where is the target Delivery Group name.

On Linux VDA, check the following:
Check if SSL listener is up and running; run following command:
# netstat -lptn|grep ctxhdx
to see that the ctxhdx process is listening on an SSL port (443, by default).

If, on the Delivery Controller, HdxSslEnabled is not set to "true", this is a finding.
If, on the Delivery Controller, DnsResolutionEnabled is not set to "true", this is a finding.
If, on the Linux VDS, the ctxhdx process is not listening on an SSL port (443 by default, or other approved port), this is a finding.
Fix Text (F-37407r612326_fix)
To enable TLS encryption on the Linux VDA, a server certificate must be installed on the Citrix Broker (DDC), each Linux VDA server and root certificates must be installed on each Linux VDA server and client per DoD guidelines.
On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) TLS encryption. The tool is located in the /opt/Citrix/VDA/sbin directory. For information about options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -help command.

To enable TLS 1.2 on Linux VDA OS - # /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLMinVersion" -d 0x00000004
To enable GOV ciphersuites only:
# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLCipherSuite" -d 0x00000001
thes restart service
# sudo /sbin/service ctxhdx restart
[root@ LVDA]# sudo /sbin/service ctxhdx restart