Red Hat Ansible Automation Controller App Server STIG V2R1

View as table

Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

STIG ID: APAS-AT-000010 |  SRG: SRG-APP-000001-AS-000001 |  Severity: medium  |  CCI: CCI-000054,CCI-002361 |  Vulnerability Id: V-256896 | 

Vulnerability Discussion

Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to denial-of-service attacks.

Automation Controllers host and expose business logic and application processes.

Automation Controller limits the maximum number of concurrent sessions in a manner that affects the entire application server or on an individual application basis.

The settings must follow DOD-recommended values, but the settings should be configurable to allow for future DOD direction.

While the DOD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.

Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000295-AS-000263

Check

As a System Administrator for each Automation Controller host, navigate to the Automation Controller web administrator console:
Settings >> System >> Miscellaneous Authentication settings.

Verify the "Maximum Number of simultaneous logged in sessions" field is set according to policy.

If this configuration setting does not match the organizationally defined maximum, or is set to -1 (negative one), this is a finding.

Fix

As a System Administrator for each Automation Controller host, navigate to the Automation Controller web administrator console:
Settings >> System >> Miscellaneous Authentication settings.

Click "Edit".

Change "Maximum Number of simultaneous logged in sessions" to match the organizationally defined maximum or greater than 0.

Click "Save".

Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.

STIG ID: APAS-AT-000011 |  SRG: SRG-APP-000014-AS-000009 |  Severity: medium  |  CCI: CCI-000068,CCI-000197,CCI-000382,CCI-002420,CCI-002422 |  Vulnerability Id: V-256897 | 

Vulnerability Discussion

Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing Automation Controller. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.

Automation Controller is accessed via standard HTTP (redirect)/HTTPS on standard ports, provided by NGINX. A self-signed certificate/key is installed by default; however, a user can provide a locally appropriate certificate and key per their organizational policy. SSL/TLS algorithm support is configured in the /etc./nginx/nginx.conf configuration file.

Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000142-AS-000014, SRG-APP-000172-AS-000120, SRG-APP-000441-AS-000258, SRG-APP-000442-AS-000259

Check

As an unauthenticated user, open a new web browser and go to http://

If not redirected to https://, this is a finding.

Fix

Enable HTTPS by running the following command:

./setup.sh -e nginx_disable_https=false

The "nginx_disable_https" variable disables HTTPS traffic through NGINX, this is useful if offloading HTTPS to a load balancer.

By default, this variable is set to false in the installers "roles/nginx/defaults/main.yml" file. If a load balancer is not needed, ensure this value has not been set to true.

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

STIG ID: APAS-AT-000012 |  SRG: SRG-APP-000015-AS-000010 |  Severity: high  |  CCI: CCI-000803,CCI-001188,CCI-001199,CCI-001453,CCI-002418,CCI-002421,CCI-002450,CCI-002475,CCI-002476 |  Vulnerability Id: V-256898 | 

Vulnerability Discussion

Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify Automation Controller configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.

Automation Controller utilizes a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using SSH or some other form of approved cryptography. Automation Controller must have the ability to enable a secure remote admin capability.

FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.

Automation Controller requires the use of Red Hat Enterprise Linux as an operating system and its underlying FIPS validated cryptographic modules to ensure it meets FIPS 140-2 criteria.

Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000231-AS-000133, SRG-APP-000231-AS-000156, SRG-APP-000416-AS-000140, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167, SRG-APP-000514-AS-000136

Check

As a System administrator for each Automation Controller host, check if the Operating System is FIPS enabled:

sysctl crypto.fips_enabled

If fips_enabled is not 1, this is a finding.

Verify the installed volume for Automation Controller is on a LUKS encrypted volume command:

AAPROOT='/var/lib/awx' && cryptsetup status `df -T ${AAPROOT} | cut -d ' ' -f 1 | tail -n 1 ` | grep type | grep -i luks || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Verify this LUKS encrypted volume is using FIPS-compliant cryptographic functions command:

allowed_FIPS_ciphers=('aes.*\(256\|384\|512\)') ; echo "${allowed_FIPS_ciphers[*]}" | tr ' ' '\n' >tempfile && cryptsetup status `df -T ${AAPROOT} | cut -d ' ' -f 1 | tail -n 1 ` | grep -e '\(cipher\|keysize\)' | awk '{print $2}' | paste -s -d '-' | grep -f tempfile 1>/dev/null || echo "FAILED" && rm -f tempfile

If the output is not 1, this is a finding.

Fix

As an administrator for each Automation Controller host, configure the Operating System to be FIPS enabled command:

sudo fips-mode-setup --enable

Reboot each system.

Configure Ansible Automation Platform installation location to reside on a LUKS encrypted volume:

Add a LUKS volume using default or other encrypted volume in accordance with organizationally defined policy. The '/var/lib/awx' filesystem must reside on this volume.

Reinstall the Ansible Automation Platform.

Note: The phrasing "Reinstall the Ansible Automation Platform." is applicable here; the installer cannot just be rerun on the same system.

Reinstall the operating system on the Automation Controller server with FIPS mode enabled at install time by following the guidance located here:
https://access.redhat.com/solutions/5416081
OR
Enable FIPS mode without reinstalling the operating system by following the guidance located here:
https://access.redhat.com/solutions/137833

If the operating system was reinstalled, reinstall Automation Controller by following the guidance located here:
https://docs.ansible.com/ansible-tower/latest/html/installandreference/index.html

The Automation Controller management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.

STIG ID: APAS-AT-000015 |  SRG: SRG-APP-000068-AS-000035 |  Severity: medium  |  CCI: CCI-000048,CCI-000050 |  Vulnerability Id: V-256899 | 

Vulnerability Discussion

Automation Controller is required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance that states that:

(i) users are accessing a U.S. Government information system;
(ii) system usage may be monitored, recorded, and subject to audit;
(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
(iv) the use of the system indicates consent to monitoring and recording.

System use notification messages can be implemented in the form of warning banners displayed when individuals log on to the information system.

System use notification is intended only for information system access including an interactive logon interface with a human user, and is not required when an interactive interface does not exist.

Automation Controller supports displaying the Standard Mandatory DOD Notice and Consent Banner prior to logging in via the web console.

Satisfies: SRG-APP-000068-AS-000035, SRG-APP-000069-AS-000036

Check

Navigate to the Automation Controller login page.

Verify that the Standard Mandatory DOD Notice and Consent Banner is displayed with the following text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the required DOD banner is not displayed on the login page or the CUSTOM_LOGIN_INFO does not contain the correct text, this is a finding.

Alternatively, verify the setting CUSTOM_LOGIN_INFO setting in the REST API at /api/v2/settings/ui by running the following command:

curl https:///api/v2/settings/ui

Fix

Navigate to the Automation Controller web administrator console:

Settings >> System >> User Interface settings.

Click "Edit".

In the Custom Login Info field, set the following text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Click "Save".

Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.

STIG ID: APAS-AT-000017 |  SRG: SRG-APP-000080-AS-000045 |  Severity: medium  |  CCI: CCI-000139,CCI-000166,CCI-000172,CCI-000174,CCI-001348,CCI-001851,CCI-001876 |  Vulnerability Id: V-256900 | 

Vulnerability Discussion

Automation Controller must be configured to use external logging to compile log records from multiple components within the server. The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. For instance, DOD may define that the time stamps of different logged events must not differ by any amount greater than ten seconds. Automation Controller must utilize an external logging tool that provides this capability.

Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000086-AS-000048, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000181-AS-000255, SRG-APP-000358-AS-000064, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231, SRG-APP-000515-AS-000203

Check

Log in to Automation Controller as an administrator.

Navigate to Settings >> System >> Logging setting.

The following parameters must be set:

Enable External Logging = On

Logging Aggregator Level Threshold = DEBUG

TCP Connection Timeout = 5 (default) or the organizational timeout

Enable/disable HTTPS certificate verification = On

Logging Aggregator <> (Default) "Not configured"

If any of these settings are incorrect, this is a finding.

Fix

Log in to Automation Controller as an administrator.

Navigate to Settings >> System >> Logging setting.

Click "Edit" and set the following fields:

Enable External Logging = On

Logging Aggregator Level Threshold = DEBUG

TCP Connection Timeout = 5 (default) or the organizational timeout

Enable/disable HTTPS certificate verification = On

Logging Aggregator <> (Default) "Not configured"

Click "Save".

Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern).

STIG ID: APAS-AT-000031 |  SRG: SRG-APP-000109-AS-000068 |  Severity: medium  |  CCI: CCI-000140,CCI-001849 |  Vulnerability Id: V-256901 | 

Vulnerability Discussion

It is critical that when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. During a failure, the application server must be configured to shut down unless the application server is part of a high availability system.

When availability is an overriding concern, other approved actions in response to a log failure are as follows:

(i) If the failure was caused by the lack of log record storage capacity, the application must continue generating log records if possible (automatically restarting the log service if necessary), overwriting the oldest log records in a first-in-first-out manner.

(ii) If log records are sent to a centralized collection server and communication with this server is lost or the server fails, the application must queue log records locally until communication is restored or until the log records are retrieved manually. Upon restoration of the connection to the centralized collection server, action must be taken to synchronize the local log data with the collection server.

Satisfies: SRG-APP-000109-AS-000068, SRG-APP-000357-AS-000038

Check

Administrator must check, for each Automation Controller host, the rsyslog configuration to verify the log rollover against an organizationally defined log capture size.

Check LOG_AGGREGATOR_MAX_DISK_USAGE_GB field in the Automation Controller configuration.

On the host, execute:

awx-manage print_settings LOG_AGGREGATOR_MAX_DISK_USAGE_GB

If this field is not set to the organizationally defined log capture size, this is a finding.

Check LOG_AGGREGATOR_MAX_DISK_USAGE_PATH field in the Automation Controller configuration for the log file location to "/var/lib/awx".

On the host, execute:
awx-manage print_settings LOG_AGGREGATOR_MAX_DISK_USAGE_PATH

If this field is not set to "/var/lib/awx", this is a finding.

Fix

Open a web browser and navigate to: https:///api/v2/settings/logging/

(If the "Log In" button is displayed, click it, enter an Automation Controller administrator's credentials, and continue.)

In the Content section, modify the following values:

LOG_AGGREGATOR_MAX_DISK_USAGE_GB = organization-defined requirement for log buffering.

LOG_AGGREGATOR_MAX_DISK_USAGE_PATH = "/var/lib/awx"

Click "PUT".

Automation Controller must be configured to fail over to another system in the event of log subsystem failure.

STIG ID: APAS-AT-000032 |  SRG: SRG-APP-000109-AS-000070 |  Severity: medium  |  CCI: CCI-000140,CCI-001190,CCI-002385 |  Vulnerability Id: V-256902 | 

Vulnerability Discussion

Automation Controller hosts must be capable of failing over to another Automation Controller host which can handle application and logging functions upon detection of an application log processing failure. This will allow continual operation of the application and logging functions while minimizing the loss of operation for the users and loss of log data.

Satisfies: SRG-APP-000109-AS-000070, SRG-APP-000225-AS-000154, SRG-APP-000435-AS-000069

Check

The Administrator must check the Automation Controller is deployed in an HA configuration.

Administrator must check Automation Controller host via the REST API at api/v2/ping/ HA field for HA configuration.

If this field is not true, indicating Automation Controller is in an HA configuration, this is a finding.

Fix

If Automation Controller is not in an HA configuration, the administrator must reinstall Automation Controller.

Automation Controller's log files must be accessible by explicitly defined privilege.

STIG ID: APAS-AT-000034 |  SRG: SRG-APP-000118-AS-000078 |  Severity: medium  |  CCI: CCI-000162,CCI-000163,CCI-000164,CCI-001314,CCI-001493,CCI-001494,CCI-001495 |  Vulnerability Id: V-256903 | 

Vulnerability Discussion

A failure of the confidentiality of Automation Controller log files would enable an attacker to identify key information about the system that they might not otherwise be able to obtain that would enable them to enumerate more information to enable escalation or lateral movement.

Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000267-AS-000170

Check

As an administrator, log into each Automation Controller host. Inspect the current permissions and owner of Automation Controller's NGINX log directory:
stat -c "%a %U %G" /var/log/nginx/ | grep "770 nginx root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller's log directory:
$ stat -c "%a %U %G" /var/log/tower/ | grep "750 awx awx" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller's supervisor log directory:
stat -c "%a %U %G" /var/log/supervisor/ | grep "770 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Fix

As a system administrator for each Automation Controller host, set the permissions and owner of Automation Controller's NGINX log directory:
chmod 770 /var/log/nginx
chown nginx:root /var/log/nginx

Set the permissions and owner of Automation Controller's log directory:
chmod 770 /var/log/tower
chown awx:awx /var/log/tower

Set the permissions and owner of Automation Controller's supervisor log directory:
chmod 770 /var/log/supervisor/
chown root:root /var/log/supervisor/

Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.

STIG ID: APAS-AT-000044 |  SRG: SRG-APP-000133-AS-000093 |  Severity: medium  |  CCI: CCI-001499 |  Vulnerability Id: V-256904 | 

Vulnerability Discussion

Any changes to the components of Automation Controller can have significant effects on the overall security of the system.

In order to ensure a prompt response to failed application installations and application server upgrades, Automation Controller must provide an automated rollback capability that allows Automation Controller to be restored to a previous known good configuration state prior to the application installation or application server upgrade.

Check

The administrator must make a backup of the last known good configuration of the Automation Controller on each host.

Locate the installer bundle directory that contains the inventory file used to install Ansible Automation Platform.

Verify a backup of the last known good configuration has been made and stored in accordance with the Automation Controller Documentation and organizationally defined policy:
https://docs.ansible.com/automation-controller/latest/html/administration/backup_restore.html

If no such backup has been made, this is a finding.

Fix

As System Administrator login to the Controller. Locate the installer bundle directory that contains the inventory file used to install Ansible Automation Platform. From there, run the setup.sh command with the "-b" option to perform a backup.
Example: "[[installation directory]]/setup.sh -b"

Note: To revert from a backup, refer to:
https://docs.ansible.com/automation-controller/latest/html/administration/backup_restore.html

Automation Controller must be configured to use an enterprise user management system.

STIG ID: APAS-AT-000047 |  SRG: SRG-APP-000148-AS-000101 |  Severity: medium  |  CCI: CCI-000187,CCI-000764,CCI-000765,CCI-001953,CCI-001954,CCI-004068,CCI-002007,CCI-002009,CCI-002010,CCI-004083,CCI-004085 |  Vulnerability Id: V-256905 | 

Vulnerability Discussion

Unauthenticated application servers render the organization subject to exploitation. Therefore, application servers must be uniquely identified and authenticated to prevent unauthorized access.

Satisfies: SRG-APP-000148-AS-000101, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000177-AS-000126, SRG-APP-000389-AS-000253, SRG-APP-000390-AS-000254, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000400-AS-000246, SRG-APP-000401-AS-000243, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250

Check

The Administrator must check the Automation Controller web administrator console and verify the appropriate authentication provider is configured and the associated fields are complete and accurate.

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication.

If the organization-defined identity provider is not configured, or any associated fields are incomplete or inaccurate, this is a finding.

Fix

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication.

Configure the appropriate authentication provider and associated fields for the organization-defined identity provider:

Click on LDAP settings.

Click "Edit".

Configure/complete the fields.

Click "Save".

Automation Controller must be configured to authenticate users individually, prior to using a group authenticator.

STIG ID: APAS-AT-000050 |  SRG: SRG-APP-000153-AS-000104 |  Severity: medium  |  CCI: CCI-004045 |  Vulnerability Id: V-256906 | 

Vulnerability Discussion

Default superuser accounts, such as "root", are considered group authenticators. In the case of Automation Controller this is the "admin" account.

Check

Log in to the Automation Controller web console as an administrator and navigate to Access >> Users.

The only local user allowed is the default/breakglass "admin". All other users need to come from an external authentication source. If any other local users exist, this is a finding.

Fix

Log in to the Automation Controller web console as an administrator and navigate to Access >> Users.

Click the Username to be removed.

Select "Delete" and confirm.

Automation Controller must utilize encryption when using LDAP for authentication.

STIG ID: APAS-AT-000055 |  SRG: SRG-APP-000172-AS-000121 |  Severity: medium  |  CCI: CCI-000197 |  Vulnerability Id: V-256907 | 

Vulnerability Discussion

To avoid access with malicious intent, passwords will need to be protected at all times. This includes transmission where passwords must be encrypted for security.

Check

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication >> LDAP settings.

If an LDAP server is configured but the "LDAP SERVER URI" field does not start with "ldaps://", this is a finding.

Fix

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication >> LDAP settings.

Click "Edit".

Modify the "LDAP SERVER URI" field so that it begins with "ldaps://".

Click "Save".

Automation Controller must use cryptographic mechanisms to protect the integrity of log tools.

STIG ID: APAS-AT-000078 |  SRG: SRG-APP-000290-AS-000174 |  Severity: medium  |  CCI: CCI-001496 |  Vulnerability Id: V-256908 | 

Vulnerability Discussion

Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all information (e.g., log records, log settings, and log reports) needed to successfully log information system activity.

It is not uncommon for attackers to replace the log tools or inject code into the existing tools for the purpose of providing the capability to hide or erase system activity from the logs.

To address this risk, log tools must be cryptographically signed in order to provide the capability to identify when the log tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Automation Controller server log tools must use cryptographic mechanisms to protect the integrity of the tools or allow cryptographic protection mechanisms to be applied to their tools.

Check

As an administrator, log in to each Automation Controller host.

Verify the correct Red Hat RPM signing key is available on each host by listing the keys using the following command:

rpm -qa gpg-pubkey*

Manually inspect against publicly listed keys on https://www.redhat.com. If the keys do not match, this is a finding.

Import the key using the following command:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Verify the signatures of installed RPMs necessary for Automation Controller:

For RPM in $(rpm -qa); do rpm -K --nosignature ${RPM} | grep "NOT OK" && return 1; done ; echo "FAILED"

If this outputs "FAILED", this is a finding.

Fix

The administrator must reinstall all Automation Controller hosts and Automation Controller.

Automation Controller must compare internal application server clocks at least every 24 hours with an authoritative time source.

STIG ID: APAS-AT-000093 |  SRG: SRG-APP-000371-AS-000077 |  Severity: medium  |  CCI: CCI-004923,CCI-004926 |  Vulnerability Id: V-256909 | 

Vulnerability Discussion

When conducting forensic analysis and investigating system events, it is critical that timestamps accurately reflect the time of application events. If timestamps are not deemed to be accurate, the integrity of the forensic analysis and the associated determinations are at stake. This leaves the organization and the system vulnerable to intrusions.

Satisfies: SRG-APP-000371-AS-000077, SRG-APP-000372-AS-000212

Check

As a system administrator for each Automation Controller host, ensure the NTP client is configured to synchronize to an organizationally defined NTP server:

chronyc sources

If the Automation Controller host is not configured to use an organizationally defined NTP server, this is a finding.

Ensure the NTP time synchronization is operational:

chronyc activity | head -n 1 | grep "200 OK" >/dev/null || echo "FAILED"
sudo systemctl is-active chrony > /dev/null|| echo "FAILED"

If "FAILED" is displayed, this is a finding.

Fix

As a system administrator, for each Automation Controller host, configure the NTP client to synchronize to an organizationally defined NTP server:

vi /etc/chrony.conf

Restart the Automation Controller host:

$ shutdown -r

Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

STIG ID: APAS-AT-000110 |  SRG: SRG-APP-000427-AS-000264 |  Severity: medium  |  CCI: CCI-002450,CCI-002470 |  Vulnerability Id: V-256910 | 

Vulnerability Discussion

An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc.

Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

Check

The Administrator must check the Automation Controller configuration.

Download the latest DOD PKI CA certificate bundle:

curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.zip && gunzip /root/certificates_pkcs7_DOD.zip

Check the certificate at /etc/tower/tower.cert:

openssl verify -verbose -x509_strict -CAfile /root/certificates_pkcs7_DOD.pem -CApath nosuchdir <(cat /etc/tower/tower.cert >>>>)

If the >>>> does not exist, this is a finding.

Check the certificate at /etc/tower/tower.key:
openssl verify -CAfile /root/certificates_pkcs7_DOD.pem /etc/tower/tower.cert

If the >>>> does not exist, this is a finding.

Check the trusted ca certificate:

openssl x509 -in /etc/pki/ca-trust/tls-ca-bundle.pam custom_ca_cert

If the >>>> does not exist, this is a finding.

If the >>>> does not exist, this is a finding.

Fix

For each Automation Controller host, the administrator must:

Download the >>>>;

Generate the appropriate /etc/tower/tower.key files, certificates, and CSRs and have the organizationally defined PKI authority issue a certificate signed by the >>>>;

Place the signed certificate in /etc/tower/tower.cert.

Place the >>>> in /etc/pki/ca-trust/source/anchors.

Execute:
update-ca-trust extract && update-ca-trust;

Download the latest DOD PKI CA certificate bundle:

curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.z && gunzip /root/certificates_pkcs7_DOD.z > /etc/pki/ca-trust/source/anchors

Install trusted root and intermediate CA certificates:

update-ca-trust extract && update-ca-trust;

Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

STIG ID: APAS-AT-000122 |  SRG: SRG-APP-000456-AS-000266 |  Severity: medium  |  CCI: CCI-002605 |  Vulnerability Id: V-256911 | 

Vulnerability Discussion

Security relevant software updates must be installed within the timeframes directed by an authoritative source in order to maintain the integrity and confidentiality of the system and its organizational assets.

Check

As a system administrator for each Automation Controller host inspect the status of the DNF Automatic timer:

systemctl status dnf-automatic.timer

If "Active: active" is not included in the output, this is a finding.

Inspect the configuration of DNF Automatic:

grep apply_updates /etc/dnf/automatic.conf

If "apply_updates = yes" is not displayed, this is a finding.

Fix

Install and enable DNF Automatic:

dnf install dnf-automatic
(run the install)
systemctl enable --now dnf-automatic.timer

Modify /etc/dnf/automatic.conf and set "apply_updates = yes".