The Automation Controller NGINX web server must use cryptography on all remote connections.

STIG ID: APWS-AT-000040  |  SRG: SRG-APP-000015-WSR-000014 |  Severity: medium |  CCI: CCI-001453 |  Vulnerability Id: V-256942 | 

Vulnerability Discussion

Nondisplayed data on a web page may expose information that could put the organization at risk and negatively affect data integrity.

Automation Controller's web server must be configured such that all connections, regardless of their origin, between the server and the user are encrypted using cryptography.

Check

As any user, execute the following command, substituting "" for the hostname of the Automation Controller:

curl -s -w '%{redirect_url}\n' -o /dev/null http:///api/v2/ping/ | grep '^https' >/dev/null || echo FAILED

If "FAILED" is displayed, this is a finding.

Fix

As a System Administrator, locate the inventory file used to install Ansible Automation Platform (usually in the installer directory). Edit this file and ensure the "nginx_disable_https" variable is absent or is set to "false".

Run the setup.sh command in the installer directory to reconfigure the controller to use the new setting:

sudo ./setup.sh
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.