Nonprivileged accounts on the hosting system must only access Automation Controller NGINX web server security-relevant information and functions through a distinct administrative account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256960	APWS-AT-000700	SV-256960r903547_rule		Medium

Description
It is important that Automation Controller NGINX web server security features are separated from nonprivileged users. Special “privileged” roles need to be developed so that only they can have access to those features and administer the web server, when necessary. These privileged roles will be better trained in the security features and will limit loss of data for forensic analysis and limits accidental changes to the web server. Without isolating privileged users from nonprivileged users when administering to the web server, organizations run the risk of having limited access to forensic data, as well as increased risk of accidental changes, by nonprivileged and presumably less-trained individuals. Satisfies: SRG-APP-000340-WSR-000029, SRG-APP-000211-WSR-000031

Description

It is important that Automation Controller NGINX web server security features are separated from nonprivileged users. Special “privileged” roles need to be developed so that only they can have access to those features and administer the web server, when necessary. These privileged roles will be better trained in the security features and will limit loss of data for forensic analysis and limits accidental changes to the web server. Without isolating privileged users from nonprivileged users when administering to the web server, organizations run the risk of having limited access to forensic data, as well as increased risk of accidental changes, by nonprivileged and presumably less-trained individuals. Satisfies: SRG-APP-000340-WSR-000029, SRG-APP-000211-WSR-000031

STIG	Date
Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide	2023-03-15

Details

Check Text ( C-60635r903547_chk )
As a system administrator, for each Automation Controller NGINX web server host, inspect the current permissions and owner of Tower's web server configuration directory: stat -c "%a %U %G" /etc/nginx \| grep -q "755 root root" \|\| echo "FAILED" stat -c "%a %U %G" /etc/nginx/conf.d \| grep -q "755 root root" \|\| echo "FAILED" stat -c "%a %U %G" /etc/nginx/nginx.conf \| grep -q "644 root root" \|\| echo "FAILED" If "FAILED" is displayed, this is a finding. Inspect the current permissions and owner of Automation Controller web server program configuration files: stat -c "%a %U %G" /usr/lib/systemd/system/nginx.service \| grep -q "644 root root" \|\| echo "FAILED" If "FAILED" is displayed, this is a finding. Inspect the current permissions and owner of Automation Controller application content directory: stat -c "%a %U %G" /var/lib/awx/public/static \| grep -q "755 root awx" \|\| echo "FAILED" If "FAILED" is displayed, this is a finding. Inspect the current permissions and owner of Automation Controller web server log directory: stat -c "%a %U %G" /var/log/nginx\| grep -q "770 nginx root" \|\| echo "FAILED" If "FAILED" is displayed, this is a finding.

Check Text ( C-60635r903547_chk )

As a system administrator, for each Automation Controller NGINX web server host, inspect the current permissions and owner of Tower's web server configuration directory:

stat -c "%a %U %G" /etc/nginx | grep -q "755 root root" || echo "FAILED"
stat -c "%a %U %G" /etc/nginx/conf.d | grep -q "755 root root" || echo "FAILED"
stat -c "%a %U %G" /etc/nginx/nginx.conf | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller web server program configuration files:

stat -c "%a %U %G" /usr/lib/systemd/system/nginx.service | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller application content directory:

stat -c "%a %U %G" /var/lib/awx/public/static | grep -q "755 root awx" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller web server log directory:

stat -c "%a %U %G" /var/log/nginx| grep -q "770 nginx root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Fix Text (F-60577r902393_fix)
As a system administrator, for each Automation Controller NGINX web server host, set the permissions and owner of Automation Controller web server program configuration directory: sudo chown -R root:root /etc/nginx/ sudo chmod 755 /etc/nginx /etc/nginx sudo chmod 755 /etc/nginx /etc/nginx/conf.d sudo chmod 644 /etc/nginx/nginx.conf As a system administrator, for each Automation Controller NGINX web server program configuration files. sudo chown root:root /usr/lib/systemd/system/nginx.service sudo chmod 644 /usr/lib/systemd/system/nginx.service Set the permissions and owner of Automation Controller application content directory: sudo chmod 755 /var/lib/awx/public/static sudo chown root:awx /var/lib/awx/public/static

Fix Text (F-60577r902393_fix)

As a system administrator, for each Automation Controller NGINX web server host, set the permissions and owner of Automation Controller web server program configuration directory:

sudo chown -R root:root /etc/nginx/
sudo chmod 755 /etc/nginx /etc/nginx
sudo chmod 755 /etc/nginx /etc/nginx/conf.d
sudo chmod 644 /etc/nginx/nginx.conf

As a system administrator, for each Automation Controller NGINX web server program configuration files.

sudo chown root:root /usr/lib/systemd/system/nginx.service
sudo chmod 644 /usr/lib/systemd/system/nginx.service

Set the permissions and owner of Automation Controller application content directory:

sudo chmod 755 /var/lib/awx/public/static
sudo chown root:awx /var/lib/awx/public/static