Vulnerability Discussion
Session management on client and server is required to protect identity and authorization information.
Sessions for the Automation Controller web server, if compromised, could lead to execution of jobs on remote endpoints as if authenticated.
Satisfies: SRG-APP-000001-WSR-000002, SRG-APP-000001-WSR-000001, SRG-APP-000295-WSR-000012, SRG-APP-000295-WSR-000134
Check
Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication.
The following parameters must be set:
OAuth 2 Timeout Settings < 1800 seconds (No more than 30 minutes).
The maximum number of simultaneous logged session must not be less than 0 (The default is -1) and must not match the organizationally defined maximum.
Disable the built-in authentication system = ON
Enable HTTP Basic Auth = Off
OAuth 2 Timeout settings:
"ACCESS_TOKEN_EXPIRE_SECONDS": 31536000000,
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 600,
"REFRESH_TOKEN_EXPIRE_SECONDS": 2628000
Allow External Users to Create OAuth2 Tokens = Off
Login redirect override URL = Not Configured or Blank
Social Auth Organization Map = Null
Social Auth Team Map = Null
Social Auth User Fields = Null
If any of these settings are incorrect, this is a finding.
Fix
Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication.
Click "Edit".
Set the following parameters:
OAuth 2 Timeout Settings < 1800 seconds.
The maximum number of simultaneous logged session must equal 0 or the organizationally defined maximum.
Disable the built-in authentication system = ON
Enable HTTP Basic Auth = Off
Access Token Expiration = 31536000000
Authorization Code Expiration = 600
Refresh Token Expiration = 2628000
Allow External Users to Create OAuth2 Tokens = Off
Login redirect override URL = Not Configured or Blank
Social Auth Organization Map = Null
Social Auth Team Map = Null
Social Auth User Fields = Null
Click "Save".