HAProxy files must be verified for their integrity (checksums) before being added to the build systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-89149 | VRAU-HA-000115 | SV-99799r1_rule | Medium |
| Description |
|---|
| Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. The HAProxy web server files on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88841r1_chk ) |
|---|
| Interview the ISSO. Determine whether web server files are verified/validated before being implemented into the production environment. If the web server files are not verified or validated before being implemented into the production environment, this is a finding. |
| Fix Text (F-95891r1_fix) |
|---|
| Ensure web server files are verified or validated before being implemented the production environment. |