Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
All Automation Controller NGINX web servers must be configured to use a specified IP address and port.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256952 | APWS-AT-000370 | SV-256952r903524_rule | Medium |
| Description |
|---|
| From a security perspective, it is important that all Automation Controller NGINX web servers are configured to use a specified IP address and port because “listening” on all IP addresses poses a vulnerability to the web server. Not confining the web server to a specified IP address and port puts all web server content at risk of access by bad actors wanting to take advantage of those resources. |
| STIG | Date |
|---|---|
| Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide | 2023-03-15 |
Details
| Check Text ( C-60627r903524_chk ) |
|---|
| As a System Administrator for each Automation Controller NGINX web server host, verify the web server is configured to use a static IP address and port. NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; grep '^\s*listen\s*\*\|\s*listen\s*\[.*\]\|\s*listen\s*0\.0\.0\.0\|\s*listen\s*\[.*\]|^\s*listen\s\+.*:[^[:digit:]\s]\+.*' $NGINXCONF && echo FAILED If "FAILED" is displayed, this is a finding. |
| Fix Text (F-60569r902369_fix) |
|---|
| As a System Administrator for each Automation Controller NGINX web server host, identify the allowed and/or designated IP address(es) for the Automation Controller system. Replace any wildcard or ranged IP address references in the NGINX configuration with IP addresses from the pool of allowed and/or designated address. Reload the NGINX server configurations for all NGINX processes: $ pkill -HUP nginx |