All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

STIG ID: APWS-AT-000230  |  SRG: SRG-APP-000131-WSR-000051 |  Severity: high |  CCI: CCI-001749 |  Vulnerability Id: V-256944 | 

Vulnerability Discussion

Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and nonrepudiation of the information.

The Automation Controller NGINX web server host must have a mechanism to verify that files are valid prior to installation.

Check

As a System Administrator, for each Automation Controller NGINX web server host, verify the integrity of the Automation Controller NGINX web server hosts files:

aide --check

Verify the displayed checksums against previously reserved checksums of the Advanced Intrusion Detection Environment (AIDE) database.

If there are any unauthorized or unexplained changes against previous checksums, this is a finding.

Fix

As a System Administrator, for each Automation Controller NGINX web server host, check for existing or install AIDE:

yum install -y aide

Create or update the AIDE database immediately after initial installation of each Automation Controller NGINX web server host:

aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Accept any expected changes to the host by updating the AIDE database:

aide --update

The output will provide checksums for the AIDE database. Save in a protected location.