Vulnerability Discussion
Security flaws with software applications are discovered daily. Red Hat constantly updates and patches Automation Controller to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
The Automation Controller NGINX web server will be configured to check for and install security-relevant software updates from an authoritative source within an organizationally identified time period from the availability of the update. By default, this time period will be every 24 hours.
Check
As a System Administrator for each Automation Controller NGINX web server host, verify the system is configured to receive updates from an organizationally defined source for authoritative system updates:
$ yum -v repolist
If each URL is not valid and consistent with organizationally defined requirements, this is a finding.
If each repository is not enabled in accordance with organizationally defined requirements, this is a finding.
If the system is not configured to automatically receive and apply system updates from this source at least every 30 days, or manually receive and apply updates at least every 30 days, this is a finding.
Fix
As a system administrator, for each Automation Controller NGINX web server host, perform the following:
1. Either configure update repositories in accordance with organizationally defined requirements or subscribe to Red Hat update repositories for the underlying operating system.
2. Execute an update from these repositories:
$ yum update -y
3. Perform one of the following:
3.1. Schedule an update to occur every 30 days, or in accordance with organizationally defined policy:
# OnCalendar=*-*-1 6:00 runs the timer at 06:00 on the first day of each month.
$ yum install -y dnf-automatic && sed -i '/apply_updates/s/no/yes/' /etc/dnf/automatic.conf && sed -i '/OnCalendar/s/^OnCalendar\s*=.*/OnCalendar=*-*-1 6:00/' /usr/lib/systemd/system/dnf-automatic.timer && systemctl enable --now dnf-automatic.timer
3.2. Schedule manual updates to occur at least every 30 days, or in accordance with organizationally defined policy.
4. Restart the Automation Controller NGINX web server host.
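One way to audit the two files that step 3.1 edits, as an added example that is not part of the original check or fix text. The function names (ini_value, audit_dnf_automatic, demo) are hypothetical, the sample files are constructed, and the script reads files only, without querying systemd.

```shell
#!/usr/bin/env bash
# Added example: audit the two files that Fix step 3.1 edits.

# Print the value of the last "key = value" line in an INI-style file.
ini_value() {  # usage: ini_value <key> <file>
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when automatic updates are configured, 1 (a finding) otherwise.
# Paths default to those in step 3.1; pass others to audit copies offline.
audit_dnf_automatic() {
    local conf="${1:-/etc/dnf/automatic.conf}"
    local timer="${2:-/usr/lib/systemd/system/dnf-automatic.timer}"
    local rc=0 apply cal
    if [ ! -r "$conf" ] || [ ! -r "$timer" ]; then
        echo "FINDING: dnf-automatic files missing or unreadable"
        return 1
    fi
    apply=$(ini_value apply_updates "$conf")
    cal=$(ini_value OnCalendar "$timer")
    if [ "$apply" != "yes" ]; then
        echo "FINDING: apply_updates=${apply:-unset}, updates are not installed"
        rc=1
    fi
    # systemd calendar dates are year-month-day: a fixed month field means
    # the timer fires only during that one month of the year.
    if [ -z "$cal" ]; then
        echo "FINDING: timer has no OnCalendar schedule"
        rc=1
    elif printf '%s\n' "$cal" | grep -Eq '(^| )\*-[0-9]+-'; then
        echo "FINDING: OnCalendar=$cal is pinned to a single month"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: apply_updates=yes, OnCalendar=$cal"
    return "$rc"
}

# Constructed sample files: apply_updates is off, so updates are never applied.
demo() {
    local d rc
    d=$(mktemp -d)
    printf '[commands]\napply_updates = no\n' > "$d/automatic.conf"
    printf '[Timer]\nOnCalendar=*-*-* 6:00\n' > "$d/dnf-automatic.timer"
    audit_dnf_automatic "$d/automatic.conf" "$d/dnf-automatic.timer"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a live host, call audit_dnf_automatic with no arguments and separately confirm that `systemctl is-enabled dnf-automatic.timer` reports the timer as enabled.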