Nonprivileged accounts on the hosting system must only access Automation Controller NGINX web server security-relevant information and functions through a distinct administrative account.

STIG ID: APWS-AT-000700  |  SRG: SRG-APP-000340-WSR-000029 |  Severity: medium |  CCI: CCI-001082,CCI-002235 |  Vulnerability Id: V-256960 | 

Vulnerability Discussion

It is important that Automation Controller NGINX web server security features are separated from nonprivileged users. Special “privileged” roles need to be developed so that only they can have access to those features and administer the web server, when necessary. These privileged roles will be better trained in the security features and will limit loss of data for forensic analysis and limits accidental changes to the web server.

Without isolating privileged users from nonprivileged users when administering to the web server, organizations run the risk of having limited access to forensic data, as well as increased risk of accidental changes, by nonprivileged and presumably less-trained individuals.

Satisfies: SRG-APP-000340-WSR-000029, SRG-APP-000211-WSR-000031

Check

As a system administrator, for each Automation Controller NGINX web server host, inspect the current permissions and owner of Tower's web server configuration directory:

stat -c "%a %U %G" /etc/nginx | grep -q "755 root root" || echo "FAILED"
stat -c "%a %U %G" /etc/nginx/conf.d | grep -q "755 root root" || echo "FAILED"
stat -c "%a %U %G" /etc/nginx/nginx.conf | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller web server program configuration files:

stat -c "%a %U %G" /usr/lib/systemd/system/nginx.service | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller application content directory:

stat -c "%a %U %G" /var/lib/awx/public/static | grep -q "755 root awx" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of Automation Controller web server log directory:

stat -c "%a %U %G" /var/log/nginx| grep -q "770 nginx root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Fix

As a system administrator, for each Automation Controller NGINX web server host, set the permissions and owner of Automation Controller web server program configuration directory:

sudo chown -R root:root /etc/nginx/
sudo chmod 755 /etc/nginx /etc/nginx
sudo chmod 755 /etc/nginx /etc/nginx/conf.d
sudo chmod 644 /etc/nginx/nginx.conf

As a system administrator, for each Automation Controller NGINX web server program configuration files.

sudo chown root:root /usr/lib/systemd/system/nginx.service
sudo chmod 644 /usr/lib/systemd/system/nginx.service

Set the permissions and owner of Automation Controller application content directory:

sudo chmod 755 /var/lib/awx/public/static
sudo chown root:awx /var/lib/awx/public/static