| V-89155 | High | HAProxy must not contain any documentation, sample code, example applications, and tutorials. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production... |
| V-89211 | High | HAProxy must set the no-sslv3 value on all client ports. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
| V-89169 | High | HAProxy must prohibit anonymous users from editing system files. | Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a... |
| V-89185 | High | HAProxy must redirect all http traffic to use https. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-89153 | Medium | HAProxy must limit access to the statistics feature. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to be accessible on a production DoD system.
HAProxy provide a statistics... |
| V-89151 | Medium | HAProxy expansion modules must be verified for their integrity (checksums) before being added to the build systems. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the... |
| V-89157 | Medium | HAProxy must be run in a chroot jail. | Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and... |
| V-89141 | Medium | HAProxy log files must not be accessible to unauthorized users. | The HAProxy log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid... |
| V-89175 | Medium | HAProxy must limit the amount of time that half-open connections are kept alive. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-89159 | Medium | HAProxy frontend servers must be bound to a specific port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
| V-89171 | Medium | The HAProxy baseline must be documented and maintained. | Without maintenance of a baseline of current HAProxy software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to HAProxy could be the... |
| V-90319 | Medium | HAProxy must log the session ID from the request headers. | Ascertaining the identity of the requestor of an event is important during forensic analysis. The correct determination of identity of the requestor of the event and its outcome is important in... |
| V-89173 | Medium | HAProxy must be configured to validate the configuration files during start and restart events. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
| V-89139 | Medium | HAProxy must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | An accurate and current audit trail is essential for maintaining a record of system activity. If the logging system fails, the SA must be notified and must take prompt action to correct the... |
| V-89177 | Medium | HAProxy must provide default error files. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-89143 | Medium | HAProxy log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89179 | Medium | HAProxy must not be started with the debug switch. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
| V-89197 | Medium | HAProxy libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
| V-89215 | Medium | HAProxy must have the latest approved security-relevant software updates installed. | All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being... |
| V-89195 | Medium | HAProxy must use the httplog option. | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records.
Time stamps generated by... |
| V-89217 | Medium | HAProxy must set the maxconn value. | Limiting the total number of connections that a server is allowed to open prevents an attacker from overloading a web server. Overloading the server will prevent it from managing other tasks... |
| V-89193 | Medium | HAProxy must be configurable to integrate with an organizations security infrastructure. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic... |
| V-89191 | Medium | HAProxy must not impede the ability to write specified log record content to an audit log server. | Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency... |
| V-89213 | Medium | HAProxy must remove all export ciphers. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with... |
| V-89199 | Medium | HAProxy psql-local frontend must be bound to port 5433. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production... |
| V-90323 | Medium | HAProxy must maintain the confidentiality and integrity of information during reception. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-90321 | Medium | HAProxy session IDs must be sent to the client using SSL/TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the... |
| V-89163 | Medium | HAProxy must perform RFC 5280-compliant certification path validation if PKI is being used. | The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA).... |
| V-90305 | Medium | HAProxy must be configured to use syslog. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-90311 | Medium | HAProxy must log when events occurred. | Ascertaining when an event occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at... |
| V-90309 | Medium | HAProxy must log what type of events occurred. | Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events... |
| V-89161 | Medium | HAProxy must use SSL/TLS protocols in order to secure passwords during transmission from the client. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Even when data is... |
| V-89145 | Medium | HAProxy log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89147 | Medium | HAProxy log files must be backed up onto a different system or media. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89205 | Medium | HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required.
Without the use of TLS, the... |
| V-90301 | Medium | HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required.
Without the use of TLS, the... |
| V-90303 | Medium | HAProxy must be configured to use TLS for https connections. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-89167 | Medium | HAProxy must be configured to use only FIPS 140-2 approved ciphers. | Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken... |
| V-89165 | Medium | HAProxys private key must have access restricted. | HAProxy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients.
Only... |
| V-90317 | Medium | HAProxy must log the outcome of events. | Ascertaining the outcome of an event is important during forensic analysis. The correct determination of the event and its outcome is important in relation to other events that happened at that... |
| V-90315 | Medium | HAProxy must log the source of events. | Ascertaining the source of an event is important during forensic analysis. The correct determination of the event and what client requested the resource is important in relation to other events... |
| V-90313 | Medium | HAProxy must log where events occurred. | Ascertaining where an event occurred is important during forensic analysis. The correct determination of the event and where on the web server it occurred is important in relation to other events... |
| V-90307 | Medium | HAProxy must generate log records for system startup and shutdown. | Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Recording the start and stop events of HAProxy will provide useful information to investigators. |
| V-89207 | Medium | HAProxy must be protected from being stopped by a non-privileged user. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration.
To prohibit... |
| V-90297 | Medium | HAProxy must limit the amount of time that an http request can be received. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include... |
| V-89149 | Medium | HAProxy files must be verified for their integrity (checksums) before being added to the build systems. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the... |
| V-89187 | Medium | HAProxy must restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-89203 | Medium | HAProxy vro frontend must be bound to the correct port 8283. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production... |
| V-89181 | Medium | HAProxy must set an absolute timeout on sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
| V-89201 | Medium | HAProxy vcac frontend must be bound to ports 80 and 443. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production... |
| V-89183 | Medium | HAProxy must set an inactive timeout on sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
| V-89189 | Medium | HAProxy must be configured to use syslog. | There are many aspects of appropriate web server logging for security. Storage capacity must be adequate. ISSO and SA must receive warnings and alerts when storage capacity is filled to... |
| V-89209 | Medium | HAProxy must be configured to use SSL/TLS. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-90299 | Medium | HAProxy must enable cookie-based persistence in a backend. | Session management is the practice of protecting the bulk of the user authorization and identity information. As a load balancer, HAProxy must participate in session management in order to set the... |
