Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide


This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].


Version / Release: V1R1

Published: 2023-03-15

Updated At: 2023-05-04 00:37:29




Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-256896r903543_rule APAS-AT-000010 CCI-000054 MEDIUM Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to denial-of-service attacks. Aut
    SV-256897r903510_rule APAS-AT-000011 CCI-000068 MEDIUM Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions. Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing Automation Controller. If cryptography is not used, then the se
    SV-256898r903553_rule APAS-AT-000012 CCI-000803 HIGH Automation Controller must implement cryptography mechanisms to protect the integrity of information. Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify Automation Controller configuration. The use of cryptography for ensuring integrity of remote ac
    SV-256899r903511_rule APAS-AT-000015 CCI-000048 MEDIUM The Automation Controller management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. Automation Controller is required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders,
    SV-256900r903512_rule APAS-AT-000017 CCI-000139 MEDIUM Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation. Automation Controller must be configured to use external logging to compile log records from multiple components within the server. The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation m
    SV-256901r903513_rule APAS-AT-000031 CCI-000140 MEDIUM Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern). It is critical that when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity bein
    SV-256902r902276_rule APAS-AT-000032 CCI-000140 MEDIUM Automation Controller must be configured to fail over to another system in the event of log subsystem failure. Automation Controller hosts must be capable of failing over to another Automation Controller host which can handle application and logging functions upon detection of an application log processing failure. This will allow continual operation of the applic
    SV-256903r903539_rule APAS-AT-000034 CCI-000162 MEDIUM Automation Controller's log files must be accessible by explicitly defined privilege. A failure of the confidentiality of Automation Controller log files would enable an attacker to identify key information about the system that they might not otherwise be able to obtain that would enable them to enumerate more information to enable escala
    SV-256904r902282_rule APAS-AT-000044 CCI-001499 MEDIUM Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades. Any changes to the components of Automation Controller can have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations and application server upgrades, Automation Controller mus
    SV-256905r903508_rule APAS-AT-000047 CCI-000187 MEDIUM Automation Controller must be configured to use an enterprise user management system. Unauthenticated application servers render the organization subject to exploitation. Therefore, application servers must be uniquely identified and authenticated to prevent unauthorized access. Satisfies: SRG-APP-000148-AS-000101, SRG-APP-000149-AS-00010
    SV-256906r902288_rule APAS-AT-000050 CCI-000770 MEDIUM Automation Controller must be configured to authenticate users individually, prior to using a group authenticator. Default superuser accounts, such as "root", are considered group authenticators. In the case of Automation Controller this is the "admin" account.
    SV-256907r903514_rule APAS-AT-000055 CCI-000197 MEDIUM Automation Controller must utilize encryption when using LDAP for authentication. To avoid access with malicious intent, passwords will need to be protected at all times. This includes transmission where passwords must be encrypted for security.
    SV-256908r902294_rule APAS-AT-000078 CCI-001496 MEDIUM Automation Controller must use cryptographic mechanisms to protect the integrity of log tools. Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all information (e.g., log records, log settings, and log reports) needed to successfully log information system ac
    SV-256909r902297_rule APAS-AT-000093 CCI-001891 MEDIUM Automation Controller must compare internal application server clocks at least every 24 hours with an authoritative time source. When conducting forensic analysis and investigating system events, it is critical that timestamps accurately reflect the time of application events. If timestamps are not deemed to be accurate, the integrity of the forensic analysis and the associated det
    SV-256910r902300_rule APAS-AT-000110 CCI-002450 MEDIUM Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions. An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137
    SV-256911r902303_rule APAS-AT-000122 CCI-002605 MEDIUM Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). Security relevant software updates must be installed within the timeframes directed by an authoritative source in order to maintain the integrity and confidentiality of the system and its organizational assets.