UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256897 APAS-AT-000011 SV-256897r903510_rule Medium
Description
Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing Automation Controller. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Automation Controller is accessed via standard HTTP (redirect)/HTTPS on standard ports, provided by NGINX. A self-signed certificate/key is installed by default; however, a user can provide a locally appropriate certificate and key per their organizational policy. SSL/TLS algorithm support is configured in the /etc./nginx/nginx.conf configuration file. Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000142-AS-000014, SRG-APP-000172-AS-000120, SRG-APP-000441-AS-000258, SRG-APP-000442-AS-000259
STIG Date
Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide 2023-03-15

Details

Check Text ( C-60572r903510_chk )
As an unauthenticated user, open a new web browser and go to http://

If not redirected to https://, this is a finding.
Fix Text (F-60514r902260_fix)
Enable HTTPS by running the following command:

./setup.sh -e nginx_disable_https=false

The "nginx_disable_https" variable disables HTTPS traffic through NGINX, this is useful if offloading HTTPS to a load balancer.

By default, this variable is set to false in the installers "roles/nginx/defaults/main.yml" file. If a load balancer is not needed, ensure this value has not been set to true.