Red Hat Ansible Automation Controller Application Server V2R1

b

Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

AC-10 - Medium - CCI-000054 - V-256896 - SV-256896r960735_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

APAS-AT-000010

Vuln IDs

V-256896

Rule IDs

SV-256896r960735_rule

Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to denial-of-service attacks. Automation Controllers host and expose business logic and application processes. Automation Controller limits the maximum number of concurrent sessions in a manner that affects the entire application server or on an individual application basis. The settings must follow DOD-recommended values, but the settings should be configurable to allow for future DOD direction. While the DOD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system. Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000295-AS-000263

Checks: C-60571r903542_chk

As a System Administrator for each Automation Controller host, navigate to the Automation Controller web administrator console: Settings >> System >> Miscellaneous Authentication settings. Verify the "Maximum Number of simultaneous logged in sessions" field is set according to policy. If this configuration setting does not match the organizationally defined maximum, or is set to -1 (negative one), this is a finding.

Fix: F-60513r903543_fix

As a System Administrator for each Automation Controller host, navigate to the Automation Controller web administrator console: Settings >> System >> Miscellaneous Authentication settings. Click "Edit". Change "Maximum Number of simultaneous logged in sessions" to match the organizationally defined maximum or greater than 0. Click "Save".

b

Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.

AC-17 - Medium - CCI-000068 - V-256897 - SV-256897r960759_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000068

Version

APAS-AT-000011

Vuln IDs

V-256897

Rule IDs

SV-256897r960759_rule

Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing Automation Controller. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Automation Controller is accessed via standard HTTP (redirect)/HTTPS on standard ports, provided by NGINX. A self-signed certificate/key is installed by default; however, a user can provide a locally appropriate certificate and key per their organizational policy. SSL/TLS algorithm support is configured in the /etc./nginx/nginx.conf configuration file. Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000142-AS-000014, SRG-APP-000172-AS-000120, SRG-APP-000441-AS-000258, SRG-APP-000442-AS-000259

Checks: C-60572r903510_chk

As an unauthenticated user, open a new web browser and go to http://<Automation Controller HOST> If not redirected to https://<Automation Controller HOST>, this is a finding.

Fix: F-60514r902260_fix

Enable HTTPS by running the following command: ./setup.sh -e nginx_disable_https=false The "nginx_disable_https" variable disables HTTPS traffic through NGINX, this is useful if offloading HTTPS to a load balancer. By default, this variable is set to false in the installers "roles/nginx/defaults/main.yml" file. If a load balancer is not needed, ensure this value has not been set to true.

c

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

IA-7 - High - CCI-000803 - V-256898 - SV-256898r960762_rule

RMF Control

IA-7

Severity

H

CCI

CCI-000803

Version

APAS-AT-000012

Vuln IDs

V-256898

Rule IDs

SV-256898r960762_rule

Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify Automation Controller configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Automation Controller utilizes a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using SSH or some other form of approved cryptography. Automation Controller must have the ability to enable a secure remote admin capability. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. Automation Controller requires the use of Red Hat Enterprise Linux as an operating system and its underlying FIPS validated cryptographic modules to ensure it meets FIPS 140-2 criteria. Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000231-AS-000133, SRG-APP-000231-AS-000156, SRG-APP-000416-AS-000140, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167, SRG-APP-000514-AS-000136

Checks: C-60573r903538_chk

As a System administrator for each Automation Controller host, check if the Operating System is FIPS enabled: sysctl crypto.fips_enabled If fips_enabled is not 1, this is a finding. Verify the installed volume for Automation Controller is on a LUKS encrypted volume command: AAPROOT='/var/lib/awx' && cryptsetup status `df -T ${AAPROOT} | cut -d ' ' -f 1 | tail -n 1 ` | grep type | grep -i luks || echo "FAILED" If "FAILED" is displayed, this is a finding. Verify this LUKS encrypted volume is using FIPS-compliant cryptographic functions command: allowed_FIPS_ciphers=('aes.*$256\|384\|512$') ; echo "${allowed_FIPS_ciphers[*]}" | tr ' ' '\n' >tempfile && cryptsetup status `df -T ${AAPROOT} | cut -d ' ' -f 1 | tail -n 1 ` | grep -e '$cipher\|keysize$' | awk '{print $2}' | paste -s -d '-' | grep -f tempfile 1>/dev/null || echo "FAILED" && rm -f tempfile If the output is not 1, this is a finding.

Fix: F-60515r903515_fix

As an administrator for each Automation Controller host, configure the Operating System to be FIPS enabled command: sudo fips-mode-setup --enable Reboot each system. Configure Ansible Automation Platform installation location to reside on a LUKS encrypted volume: Add a LUKS volume using default or other encrypted volume in accordance with organizationally defined policy. The '/var/lib/awx' filesystem must reside on this volume. Reinstall the Ansible Automation Platform. Note: The phrasing "Reinstall the Ansible Automation Platform." is applicable here; the installer cannot just be rerun on the same system. Reinstall the operating system on the Automation Controller server with FIPS mode enabled at install time by following the guidance located here: https://access.redhat.com/solutions/5416081 OR Enable FIPS mode without reinstalling the operating system by following the guidance located here: https://access.redhat.com/solutions/137833 If the operating system was reinstalled, reinstall Automation Controller by following the guidance located here: https://docs.ansible.com/ansible-tower/latest/html/installandreference/index.html

b

The Automation Controller management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.

AC-8 - Medium - CCI-000048 - V-256899 - SV-256899r960843_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

APAS-AT-000015

Vuln IDs

V-256899

Rule IDs

SV-256899r960843_rule

Automation Controller is required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance that states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) the use of the system indicates consent to monitoring and recording. System use notification messages can be implemented in the form of warning banners displayed when individuals log on to the information system. System use notification is intended only for information system access including an interactive logon interface with a human user, and is not required when an interactive interface does not exist. Automation Controller supports displaying the Standard Mandatory DOD Notice and Consent Banner prior to logging in via the web console. Satisfies: SRG-APP-000068-AS-000035, SRG-APP-000069-AS-000036

Checks: C-60574r902265_chk

Navigate to the Automation Controller login page. Verify that the Standard Mandatory DOD Notice and Consent Banner is displayed with the following text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the required DOD banner is not displayed on the login page or the CUSTOM_LOGIN_INFO does not contain the correct text, this is a finding. Alternatively, verify the setting CUSTOM_LOGIN_INFO setting in the REST API at /api/v2/settings/ui by running the following command: curl https://<Automation Controller HOST>/api/v2/settings/ui

Fix: F-60516r903511_fix

Navigate to the Automation Controller web administrator console: Settings >> System >> User Interface settings. Click "Edit". In the Custom Login Info field, set the following text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Click "Save".

b

Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.

AU-5 - Medium - CCI-000139 - V-256900 - SV-256900r960864_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

APAS-AT-000017

Vuln IDs

V-256900

Rule IDs

SV-256900r960864_rule

Automation Controller must be configured to use external logging to compile log records from multiple components within the server. The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. For instance, DOD may define that the time stamps of different logged events must not differ by any amount greater than ten seconds. Automation Controller must utilize an external logging tool that provides this capability. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000086-AS-000048, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000181-AS-000255, SRG-APP-000358-AS-000064, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231, SRG-APP-000515-AS-000203

Checks: C-60575r902268_chk

Log in to Automation Controller as an administrator. Navigate to Settings >> System >> Logging setting. The following parameters must be set: Enable External Logging = On Logging Aggregator Level Threshold = DEBUG TCP Connection Timeout = 5 (default) or the organizational timeout Enable/disable HTTPS certificate verification = On Logging Aggregator <> (Default) "Not configured" If any of these settings are incorrect, this is a finding.

Fix: F-60517r903512_fix

Log in to Automation Controller as an administrator. Navigate to Settings >> System >> Logging setting. Click "Edit" and set the following fields: Enable External Logging = On Logging Aggregator Level Threshold = DEBUG TCP Connection Timeout = 5 (default) or the organizational timeout Enable/disable HTTPS certificate verification = On Logging Aggregator <> (Default) "Not configured" Click "Save".

b

Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern).

AU-5 - Medium - CCI-000140 - V-256901 - SV-256901r960915_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

APAS-AT-000031

Vuln IDs

V-256901

Rule IDs

SV-256901r960915_rule

It is critical that when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. During a failure, the application server must be configured to shut down unless the application server is part of a high availability system. When availability is an overriding concern, other approved actions in response to a log failure are as follows: (i) If the failure was caused by the lack of log record storage capacity, the application must continue generating log records if possible (automatically restarting the log service if necessary), overwriting the oldest log records in a first-in-first-out manner. (ii) If log records are sent to a centralized collection server and communication with this server is lost or the server fails, the application must queue log records locally until communication is restored or until the log records are retrieved manually. Upon restoration of the connection to the centralized collection server, action must be taken to synchronize the local log data with the collection server. Satisfies: SRG-APP-000109-AS-000068, SRG-APP-000357-AS-000038

Checks: C-60576r927140_chk

Administrator must check, for each Automation Controller host, the rsyslog configuration to verify the log rollover against an organizationally defined log capture size. Check LOG_AGGREGATOR_MAX_DISK_USAGE_GB field in the Automation Controller configuration. On the host, execute: awx-manage print_settings LOG_AGGREGATOR_MAX_DISK_USAGE_GB If this field is not set to the organizationally defined log capture size, this is a finding. Check LOG_AGGREGATOR_MAX_DISK_USAGE_PATH field in the Automation Controller configuration for the log file location to "/var/lib/awx". On the host, execute: awx-manage print_settings LOG_AGGREGATOR_MAX_DISK_USAGE_PATH If this field is not set to "/var/lib/awx", this is a finding.

Fix: F-60518r927141_fix

Open a web browser and navigate to: https://<Automation Controller server>/api/v2/settings/logging/ (If the "Log In" button is displayed, click it, enter an Automation Controller administrator's credentials, and continue.) In the Content section, modify the following values: LOG_AGGREGATOR_MAX_DISK_USAGE_GB = organization-defined requirement for log buffering. LOG_AGGREGATOR_MAX_DISK_USAGE_PATH = "/var/lib/awx" Click "PUT".

b

Automation Controller must be configured to fail over to another system in the event of log subsystem failure.

AU-5 - Medium - CCI-000140 - V-256902 - SV-256902r960915_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

APAS-AT-000032

Vuln IDs

V-256902

Rule IDs

SV-256902r960915_rule

Automation Controller hosts must be capable of failing over to another Automation Controller host which can handle application and logging functions upon detection of an application log processing failure. This will allow continual operation of the application and logging functions while minimizing the loss of operation for the users and loss of log data. Satisfies: SRG-APP-000109-AS-000070, SRG-APP-000225-AS-000154, SRG-APP-000435-AS-000069

Checks: C-60577r902274_chk

The Administrator must check the Automation Controller is deployed in an HA configuration. Administrator must check Automation Controller host via the REST API at api/v2/ping/ HA field for HA configuration. If this field is not true, indicating Automation Controller is in an HA configuration, this is a finding.

Fix: F-60519r902275_fix

If Automation Controller is not in an HA configuration, the administrator must reinstall Automation Controller.

b

Automation Controller's log files must be accessible by explicitly defined privilege.

AU-9 - Medium - CCI-000162 - V-256903 - SV-256903r960930_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

APAS-AT-000034

Vuln IDs

V-256903

Rule IDs

SV-256903r960930_rule

A failure of the confidentiality of Automation Controller log files would enable an attacker to identify key information about the system that they might not otherwise be able to obtain that would enable them to enumerate more information to enable escalation or lateral movement. Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000267-AS-000170

Checks: C-60578r903539_chk

As an administrator, log into each Automation Controller host. Inspect the current permissions and owner of Automation Controller's NGINX log directory: stat -c "%a %U %G" /var/log/nginx/ | grep "770 nginx root" || echo "FAILED" If "FAILED" is displayed, this is a finding. Inspect the current permissions and owner of Automation Controller's log directory: $ stat -c "%a %U %G" /var/log/tower/ | grep "750 awx awx" || echo "FAILED" If "FAILED" is displayed, this is a finding. Inspect the current permissions and owner of Automation Controller's supervisor log directory: stat -c "%a %U %G" /var/log/supervisor/ | grep "770 root root" || echo "FAILED" If "FAILED" is displayed, this is a finding.

Fix: F-60520r902278_fix

As a system administrator for each Automation Controller host, set the permissions and owner of Automation Controller's NGINX log directory: chmod 770 /var/log/nginx chown nginx:root /var/log/nginx Set the permissions and owner of Automation Controller's log directory: chmod 770 /var/log/tower chown awx:awx /var/log/tower Set the permissions and owner of Automation Controller's supervisor log directory: chmod 770 /var/log/supervisor/ chown root:root /var/log/supervisor/

b

Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.

CM-5 - Medium - CCI-001499 - V-256904 - SV-256904r960960_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001499

Version

APAS-AT-000044

Vuln IDs

V-256904

Rule IDs

SV-256904r960960_rule

Any changes to the components of Automation Controller can have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations and application server upgrades, Automation Controller must provide an automated rollback capability that allows Automation Controller to be restored to a previous known good configuration state prior to the application installation or application server upgrade.

Checks: C-60579r902280_chk

The administrator must make a backup of the last known good configuration of the Automation Controller on each host. Locate the installer bundle directory that contains the inventory file used to install Ansible Automation Platform. Verify a backup of the last known good configuration has been made and stored in accordance with the Automation Controller Documentation and organizationally defined policy: https://docs.ansible.com/automation-controller/latest/html/administration/backup_restore.html If no such backup has been made, this is a finding.

Fix: F-60521r902281_fix

As System Administrator login to the Controller. Locate the installer bundle directory that contains the inventory file used to install Ansible Automation Platform. From there, run the setup.sh command with the "-b" option to perform a backup. Example: "[[installation directory]]/setup.sh -b" Note: To revert from a backup, refer to: https://docs.ansible.com/automation-controller/latest/html/administration/backup_restore.html

b

Automation Controller must be configured to use an enterprise user management system.

IA-5 - Medium - CCI-000187 - V-256905 - SV-256905r986179_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000187

Version

APAS-AT-000047

Vuln IDs

V-256905

Rule IDs

SV-256905r986179_rule

Unauthenticated application servers render the organization subject to exploitation. Therefore, application servers must be uniquely identified and authenticated to prevent unauthorized access. Satisfies: SRG-APP-000148-AS-000101, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000177-AS-000126, SRG-APP-000389-AS-000253, SRG-APP-000390-AS-000254, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000400-AS-000246, SRG-APP-000401-AS-000243, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250

Checks: C-60580r902283_chk

The Administrator must check the Automation Controller web administrator console and verify the appropriate authentication provider is configured and the associated fields are complete and accurate. Log in to Automation Controller as an administrator and navigate to Settings >> Authentication. If the organization-defined identity provider is not configured, or any associated fields are incomplete or inaccurate, this is a finding.

Fix: F-60522r986178_fix

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication. Configure the appropriate authentication provider and associated fields for the organization-defined identity provider: Click on LDAP settings. Click "Edit". Configure/complete the fields. Click "Save".

b

Automation Controller must be configured to authenticate users individually, prior to using a group authenticator.

Medium - CCI-004045 - V-256906 - SV-256906r986176_rule

RMF Control

Severity

M

CCI

CCI-004045

Version

APAS-AT-000050

Vuln IDs

V-256906

Rule IDs

SV-256906r986176_rule

Default superuser accounts, such as "root", are considered group authenticators. In the case of Automation Controller this is the "admin" account.

Checks: C-60581r902286_chk

Log in to the Automation Controller web console as an administrator and navigate to Access >> Users. The only local user allowed is the default/breakglass "admin". All other users need to come from an external authentication source. If any other local users exist, this is a finding.

Fix: F-60523r902287_fix

Log in to the Automation Controller web console as an administrator and navigate to Access >> Users. Click the Username to be removed. Select "Delete" and confirm.

b

Automation Controller must utilize encryption when using LDAP for authentication.

IA-5 - Medium - CCI-000197 - V-256907 - SV-256907r961029_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000197

Version

APAS-AT-000055

Vuln IDs

V-256907

Rule IDs

SV-256907r961029_rule

To avoid access with malicious intent, passwords will need to be protected at all times. This includes transmission where passwords must be encrypted for security.

Checks: C-60582r902289_chk

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication >> LDAP settings. If an LDAP server is configured but the "LDAP SERVER URI" field does not start with "ldaps://", this is a finding.

Fix: F-60524r903514_fix

Log in to Automation Controller as an administrator and navigate to Settings >> Authentication >> LDAP settings. Click "Edit". Modify the "LDAP SERVER URI" field so that it begins with "ldaps://". Click "Save".

b

Automation Controller must use cryptographic mechanisms to protect the integrity of log tools.

AU-9 - Medium - CCI-001496 - V-256908 - SV-256908r961206_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001496

Version

APAS-AT-000078

Vuln IDs

V-256908

Rule IDs

SV-256908r961206_rule

Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all information (e.g., log records, log settings, and log reports) needed to successfully log information system activity. It is not uncommon for attackers to replace the log tools or inject code into the existing tools for the purpose of providing the capability to hide or erase system activity from the logs. To address this risk, log tools must be cryptographically signed in order to provide the capability to identify when the log tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. Automation Controller server log tools must use cryptographic mechanisms to protect the integrity of the tools or allow cryptographic protection mechanisms to be applied to their tools.

Checks: C-60583r902292_chk

As an administrator, log in to each Automation Controller host. Verify the correct Red Hat RPM signing key is available on each host by listing the keys using the following command: rpm -qa gpg-pubkey* Manually inspect against publicly listed keys on https://www.redhat.com. If the keys do not match, this is a finding. Import the key using the following command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Verify the signatures of installed RPMs necessary for Automation Controller: For RPM in $(rpm -qa); do rpm -K --nosignature ${RPM} | grep "NOT OK" && return 1; done ; echo "FAILED" If this outputs "FAILED", this is a finding.

Fix: F-60525r902293_fix

The administrator must reinstall all Automation Controller hosts and Automation Controller.

b

Automation Controller must compare internal application server clocks at least every 24 hours with an authoritative time source.

Medium - CCI-004923 - V-256909 - SV-256909r986177_rule

RMF Control

Severity

M

CCI

CCI-004923

Version

APAS-AT-000093

Vuln IDs

V-256909

Rule IDs

SV-256909r986177_rule

When conducting forensic analysis and investigating system events, it is critical that timestamps accurately reflect the time of application events. If timestamps are not deemed to be accurate, the integrity of the forensic analysis and the associated determinations are at stake. This leaves the organization and the system vulnerable to intrusions. Satisfies: SRG-APP-000371-AS-000077, SRG-APP-000372-AS-000212

Checks: C-60584r902295_chk

As a system administrator for each Automation Controller host, ensure the NTP client is configured to synchronize to an organizationally defined NTP server: chronyc sources If the Automation Controller host is not configured to use an organizationally defined NTP server, this is a finding. Ensure the NTP time synchronization is operational: chronyc activity | head -n 1 | grep "200 OK" >/dev/null || echo "FAILED" sudo systemctl is-active chrony > /dev/null|| echo "FAILED" If "FAILED" is displayed, this is a finding.

Fix: F-60526r902296_fix

As a system administrator, for each Automation Controller host, configure the NTP client to synchronize to an organizationally defined NTP server: vi /etc/chrony.conf Restart the Automation Controller host: $ shutdown -r

b

Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

SC-13 - Medium - CCI-002450 - V-256910 - SV-256910r961596_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

APAS-AT-000110

Vuln IDs

V-256910

Rule IDs

SV-256910r961596_rule

An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

Checks: C-60585r902298_chk

The Administrator must check the Automation Controller configuration. Download the latest DOD PKI CA certificate bundle: curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.zip && gunzip /root/certificates_pkcs7_DOD.zip Check the certificate at /etc/tower/tower.cert: openssl verify -verbose -x509_strict -CAfile /root/certificates_pkcs7_DOD.pem -CApath nosuchdir <(cat /etc/tower/tower.cert >><organizationally defined intermediate certificate file in PEM format>>>) If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding. Check the certificate at /etc/tower/tower.key: openssl verify -CAfile /root/certificates_pkcs7_DOD.pem /etc/tower/tower.cert If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding. Check the trusted ca certificate: openssl x509 -in /etc/pki/ca-trust/tls-ca-bundle.pam custom_ca_cert If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding. If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding.

Fix: F-60527r902299_fix

For each Automation Controller host, the administrator must: Download the >><organizationally defined intermediate certificate file in PEM format>>>; Generate the appropriate /etc/tower/tower.key files, certificates, and CSRs and have the organizationally defined PKI authority issue a certificate signed by the >><organizationally defined intermediate certificate file in PEM format>>>; Place the signed certificate in /etc/tower/tower.cert. Place the >><organizationally defined intermediate certificate file in PEM format>>> in /etc/pki/ca-trust/source/anchors. Execute: update-ca-trust extract && update-ca-trust; Download the latest DOD PKI CA certificate bundle: curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.z && gunzip /root/certificates_pkcs7_DOD.z > /etc/pki/ca-trust/source/anchors Install trusted root and intermediate CA certificates: update-ca-trust extract && update-ca-trust;

b

Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002605 - V-256911 - SV-256911r961683_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

APAS-AT-000122

Vuln IDs

V-256911

Rule IDs

SV-256911r961683_rule

Security relevant software updates must be installed within the timeframes directed by an authoritative source in order to maintain the integrity and confidentiality of the system and its organizational assets.

Checks: C-60586r902301_chk

As a system administrator for each Automation Controller host inspect the status of the DNF Automatic timer: systemctl status dnf-automatic.timer If "Active: active" is not included in the output, this is a finding. Inspect the configuration of DNF Automatic: grep apply_updates /etc/dnf/automatic.conf If "apply_updates = yes" is not displayed, this is a finding.

Fix: F-60528r902302_fix

Install and enable DNF Automatic: dnf install dnf-automatic (run the install) systemctl enable --now dnf-automatic.timer Modify /etc/dnf/automatic.conf and set "apply_updates = yes".

Checks: C-60571r903542_chk

Fix: F-60513r903543_fix

Generate Mitigation Statement:

Checks: C-60572r903510_chk

Fix: F-60514r902260_fix

Generate Mitigation Statement:

Checks: C-60573r903538_chk

Fix: F-60515r903515_fix

Generate Mitigation Statement:

Checks: C-60574r902265_chk

Fix: F-60516r903511_fix

Generate Mitigation Statement:

Checks: C-60575r902268_chk

Fix: F-60517r903512_fix

Generate Mitigation Statement:

Checks: C-60576r927140_chk

Fix: F-60518r927141_fix

Generate Mitigation Statement:

Checks: C-60577r902274_chk

Fix: F-60519r902275_fix

Generate Mitigation Statement:

Checks: C-60578r903539_chk

Fix: F-60520r902278_fix

Generate Mitigation Statement:

Checks: C-60579r902280_chk

Fix: F-60521r902281_fix

Generate Mitigation Statement:

Checks: C-60580r902283_chk

Fix: F-60522r986178_fix

Generate Mitigation Statement:

Checks: C-60581r902286_chk

Fix: F-60523r902287_fix

Generate Mitigation Statement:

Checks: C-60582r902289_chk

Fix: F-60524r903514_fix

Generate Mitigation Statement:

Checks: C-60583r902292_chk

Fix: F-60525r902293_fix

Generate Mitigation Statement:

Checks: C-60584r902295_chk

Fix: F-60526r902296_fix

Generate Mitigation Statement:

Checks: C-60585r902298_chk

Fix: F-60527r902299_fix

Generate Mitigation Statement:

Checks: C-60586r902301_chk

Fix: F-60528r902302_fix

Generate Mitigation Statement: