Debugging and trace information, within Automation Controller NGINX web server, used to diagnose the web server must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256959	APWS-AT-000640	SV-256959r961167_rule		Medium

Description
It is important that Automation Controller NGINX web server debugging and trace information used to diagnose the web server is disabled, because debugging information can yield information about the Automation Controller NGINX webserver, like web server type, version, patches installed, plugins, modules, the hosted app’s code type. Back ends used for storage could be revealed, as well. An attacker would not need to cause an error condition to gain this information because they could reside in logs and general messages. If debugging/trace information is enabled, attackers could get the information from logs and general information, without drawing attention to themselves via an error message.

Description

It is important that Automation Controller NGINX web server debugging and trace information used to diagnose the web server is disabled, because debugging information can yield information about the Automation Controller NGINX webserver, like web server type, version, patches installed, plugins, modules, the hosted app’s code type. Back ends used for storage could be revealed, as well. An attacker would not need to cause an error condition to gain this information because they could reside in logs and general messages. If debugging/trace information is enabled, attackers could get the information from logs and general information, without drawing attention to themselves via an error message.

STIG	Date
Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-60634r902389_chk )
For each Automation Controller NGINX web server, a system administrator must check to determine if any error or debug information is being logged or generated: NGINXCONF=`nginx -V 2>&1 \| tr ' ' '\n' \| sed -ne '/conf-path/{s/.conf-path=$.$/\1/;p}' ` ; cat $NGINXCONF \| grep '^\s*error_log' && echo FAILED If "FAILED" is displayed, this is a finding.

Fix Text (F-60576r902390_fix)
For each Automation Controller NGINX web server, a system administrator must complete the following steps. Verify the NGINX configuration file in use: NGINXCONF=`nginx -V 2>&1 \| tr ' ' '\n' \| sed -ne '/conf-path/{s/.conf-path=$.$/\1/;p}' ` ; echo $NGINXCONF Remove the error_log directive from the NGINX configuration file. Cause NGINX to reload its configuration file: pkill -HUP nginx