Debugging and trace information, within Automation Controller NGINX web server, used to diagnose the web server must be disabled.

STIG ID: APWS-AT-000640  |  SRG: SRG-APP-000266-WSR-000160 |  Severity: medium |  CCI: CCI-001312 |  Vulnerability Id: V-256959 | 

Vulnerability Discussion

It is important that Automation Controller NGINX web server debugging and trace information used to diagnose the web server is disabled, because debugging information can yield information about the Automation Controller NGINX webserver, like web server type, version, patches installed, plugins, modules, the hosted app’s code type. Back ends used for storage could be revealed, as well. An attacker would not need to cause an error condition to gain this information because they could reside in logs and general messages.

If debugging/trace information is enabled, attackers could get the information from logs and general information, without drawing attention to themselves via an error message.

Check

For each Automation Controller NGINX web server, a system administrator must check to determine if any error or debug information is being logged or generated:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; cat $NGINXCONF | grep '^\s*error_log' && echo FAILED

If "FAILED" is displayed, this is a finding.

Fix

For each Automation Controller NGINX web server, a system administrator must complete the following steps.

Verify the NGINX configuration file in use:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; echo $NGINXCONF

Remove the error_log directive from the NGINX configuration file.

Cause NGINX to reload its configuration file:

pkill -HUP nginx