Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.

STIG ID: APAS-AT-000011 | SRG: SRG-APP-000014-AS-000009 | Severity: medium | CCI: CCI-000068, CCI-000197, CCI-000382, CCI-002420, CCI-002422 | Vulnerability Id: V-256897

Vulnerability Discussion

Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing Automation Controller. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.

Automation Controller is accessed via standard HTTP (redirect)/HTTPS on the standard ports, served by NGINX. A self-signed certificate/key is installed by default; however, a user can provide a locally appropriate certificate and key per their organizational policy. SSL/TLS algorithm support is configured in the /etc/nginx/nginx.conf configuration file.

Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000142-AS-000014, SRG-APP-000172-AS-000120, SRG-APP-000441-AS-000258, SRG-APP-000442-AS-000259

Check

As an unauthenticated user, open a new web browser and go to http://

If not redirected to https://, this is a finding.
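A scripted form of the check above, added here as an example and not part of the STIG: it issues one plain-HTTP request and inspects the redirect rather than following it, so a response that is not an https:// redirect is reported as a finding. The hostname and the sample responses are constructed.

```python
"""Automated check for APAS-AT-000011: an unauthenticated request over
plain HTTP to the controller must be redirected to an https:// URL."""
import http.client
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def evaluate_redirect(status, location):
    """Return (is_finding, reason) for one HTTP response.

    `status` is the numeric HTTP status code and `location` the value of
    the Location header (None when absent)."""
    if status not in REDIRECT_STATUSES:
        return True, f"HTTP {status} served over plain HTTP with no redirect"
    if not location:
        return True, f"HTTP {status} redirect without a Location header"
    # A relative Location ("/login") has no scheme and therefore fails too.
    if urlparse(location).scheme.lower() != "https":
        return True, f"redirect to non-HTTPS target {location!r}"
    return False, f"redirects to {location}"


def check_host(host, port=80, timeout=5):
    """Run the check live against a controller (network access required).

    http.client does not follow redirects, so the first response is the
    one NGINX returns for the plain-HTTP request and can be inspected."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return evaluate_redirect(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


# Constructed sample responses; not captured from a real controller.
SAMPLES = [
    (301, "https://controller.example.test/"),        # compliant
    (200, None),                                      # finding: page served over HTTP
    (302, "http://controller.example.test/login"),    # finding: redirect stays on HTTP
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        finding, reason = evaluate_redirect(status, location)
        print(f"{'FINDING' if finding else 'ok':7} {reason}")
```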

Fix

Enable HTTPS by running the following command:

./setup.sh -e nginx_disable_https=false

When set to true, the "nginx_disable_https" variable disables HTTPS traffic through NGINX; this is useful when HTTPS is offloaded to a load balancer.

By default, this variable is set to false in the installer's "roles/nginx/defaults/main.yml" file. If a load balancer is not needed, ensure this value has not been set to true.