Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication. The following parameters must be set:

OAuth 2 Timeout Settings < 1800 seconds (no more than 30 minutes).
The maximum number of simultaneous logged sessions must not be less than 0 (the default is -1) and must not match the organizationally defined maximum.
Disable the built-in authentication system = ON
Enable HTTP Basic Auth = Off
OAuth 2 Timeout settings:
"ACCESS_TOKEN_EXPIRE_SECONDS": 31536000000,
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 600,
"REFRESH_TOKEN_EXPIRE_SECONDS": 2628000
Allow External Users to Create OAuth2 Tokens = Off
Login redirect override URL = Not Configured or Blank
Social Auth Organization Map = Null
Social Auth Team Map = Null
Social Auth User Fields = Null

If any of these settings are incorrect, this is a finding.

Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication. Click "Edit". Set the following parameters:

OAuth 2 Timeout Settings < 1800 seconds.
The maximum number of simultaneous logged sessions must equal 0 or the organizationally defined maximum.
Disable the built-in authentication system = ON
Enable HTTP Basic Auth = Off
Access Token Expiration = 31536000000
Authorization Code Expiration = 600
Refresh Token Expiration = 2628000
Allow External Users to Create OAuth2 Tokens = Off
Login redirect override URL = Not Configured or Blank
Social Auth Organization Map = Null
Social Auth Team Map = Null
Social Auth User Fields = Null

Click "Save".
As a System Administrator for each Automation Controller NGINX web server, a TLS Configuration Check validates the TLS version used by the server:

NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
sudo grep ssl_protocols ${NGINXCONF} | grep 'ssl_protocols TLSv1.2;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

A TLS Configuration Check validates the ciphers used for the web server are provided by the underlying host operating system:

NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
sudo grep ssl_ciphers ${NGINXCONF} | grep -q '^ *ssl_ciphers PROFILE=SYSTEM;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

A Database TLS Configuration Check validates that connections to required resources use TLS. Automation Controller may be configured to connect to PostgreSQL databases with or without TLS. The Administrator must check the contents of the file at /etc/tower/conf.d/postgres.py with root permissions to determine if pg_sslmode was configured with "verify-full" for any external databases at the time of installation.

Execute the following command to test the client-side database configuration:

sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); [print(DATABASES[db]["OPTIONS"]["sslmode"]) for db in DATABASES if DATABASES[db]["HOST"] not in ("127.0.0.1", "localhost")]' | grep 'verify-full' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Execute the following commands to test the server-side database configuration:

PGCON=`sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read());print(":".join((DATABASES["default"]["HOST"],DATABASES["default"]["PORT"])))'`
psql "postgresql://${PGCON}/postgres?sslmode=require" 2>/dev/null || echo FAILED

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller Web Server, reconfigure the TLS versions or ciphers used in Automation Controller's web server:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo -e ${NGINXCONF}

Replace the line beginning with "ssl_protocols" to match (note the leading spaces):
"    ssl_protocols TLSv1.2;"

If the "ssl_protocols" variable does not exist, add the line after the line beginning with "ssl_ciphers".

Replace the line beginning with "ssl_ciphers" to match (note the leading spaces):
"    ssl_ciphers PROFILE=SYSTEM;"

Save the file and exit the text editor. To apply these changes to the running service immediately, restart the NGINX service with the following command:

sudo systemctl restart nginx

Database TLS Configuration Fix: Locate the inventory file used to install Ansible Automation Platform and edit it, ensuring that the following variables are set:

pg_sslmode='verify-full'
postgres_use_ssl=true

Run the setup.sh command in the installer bundle directory to reconfigure the controller to use the new setting:

sudo ./setup.sh
As any user, execute the following command, substituting "<controller_fqdn>" for the hostname of the Automation Controller:

curl -s -w '%{redirect_url}\n' -o /dev/null http://<controller_fqdn>/api/v2/ping/ | grep '^https' >/dev/null || echo FAILED

If "FAILED" is displayed, this is a finding.

As a System Administrator, locate the inventory file used to install Ansible Automation Platform (usually in the installer directory). Edit this file and ensure the "nginx_disable_https" variable is absent or is set to "false". Run the setup.sh command in the installer directory to reconfigure the controller to use the new setting:

sudo ./setup.sh
For each Automation Controller host, determine whether the web server is logging all content related to user sessions. Log in to Automation Controller as an administrator and navigate to console Settings >> System >> Miscellaneous System. Verify the following settings:

Enable Activity Stream = On
Enable Activity Stream for Inventory Sync = On
Organization Admins Can Manage Users and Teams = On
All Users Visible to Organization Admins = On

If the configuration settings are not as above, this is a finding.

As a System Administrator, for each Automation Controller host, navigate to console Settings >> System >> Miscellaneous System. Click "Edit". Set the following:

Enable Activity Stream = On
Enable Activity Stream for Inventory Sync = On
Organization Admins Can Manage Users and Teams = On
All Users Visible to Organization Admins = On

Click "Save".
As a System Administrator, for each Automation Controller NGINX web server host, verify the integrity of the Automation Controller NGINX web server host's files:

aide --check

Verify the displayed checksums against previously reserved checksums of the Advanced Intrusion Detection Environment (AIDE) database. If there are any unauthorized or unexplained changes against previous checksums, this is a finding.

As a System Administrator, for each Automation Controller NGINX web server host, check for an existing AIDE installation or install AIDE:

yum install -y aide

Create or update the AIDE database immediately after initial installation of each Automation Controller NGINX web server host:

aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Accept any expected changes to the host by updating the AIDE database:

aide --update

The output will provide checksums for the AIDE database. Save them in a protected location.
The Automation Controller does not require any nginx dynamic expansion modules to function. Determine if any dynamic modules are specified in the nginx configuration. As a system administrator for each Automation Controller NGINX web server host, execute the following:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
NGINXMODPATH=`nginx -V 2>&1 | tr ' ' '\n' | grep modules-path | sed -ne '/modules-path/{s/.*modules-path=\(.*\)/\1/;p}'`
NGINXMODINC=`grep include /etc/nginx/nginx.conf | grep modules | awk '{print $2}' | xargs dirname`
grep -q load_module ${NGINXCONF} && echo FAILED
[ `ls -1 $NGINXMODPATH | wc -l` == 0 ] || echo FAILED
[ `ls -1 $NGINXMODINC | wc -l` == 0 ] || echo FAILED

If "FAILED" is displayed, this is a finding.

As a system administrator for each Automation Controller NGINX web server host, execute the following:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
NGINXMODPATH=`nginx -V 2>&1 | tr ' ' '\n' | grep modules-path | sed -ne '/modules-path/{s/.*modules-path=\(.*\)/\1/;p}'`
NGINXMODINC=`grep include /etc/nginx/nginx.conf | grep modules | awk '{print $2}' | xargs dirname`
sudo rm -f ${NGINXMODPATH}/*
sudo rm -f ${NGINXMODINC}/*
sudo -e ${NGINXCONF}

In the editor, remove any lines that contain "load_module". Save the file and exit the text editor. Run the following command to apply the changes:

sudo systemctl restart nginx
As a system administrator for each Automation Controller NGINX web server host, navigate to Settings >> Authentication. Review the configuration and verify that the appropriate authentication service is configured. If no authentication service is configured, this is a finding.
As a system administrator for each Automation Controller NGINX web server host, navigate to Settings >> Authentication. Configure the appropriate authentication service.
As a system administrator for each Automation Controller NGINX web server host, ensure that the only upstream servers configured are for the Automation Controller ASGI and WSGI modules:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo grep -E 'proxy_pass|uwsgi_pass' $NGINXCONF | grep -Pqz '^\s+proxy_pass http://daphne;\n\s+uwsgi_pass uwsgi;\n$' || echo FAILED
[ "`sudo grep -Pzo 'upstream\s+daphne\s+{[^}]+}' $NGINXCONF | grep -a server | grep -v 'server unix:/var/run/tower/daphne.sock;'`" == '' ] || echo FAILED
[ "`sudo grep -Pzo 'upstream\s+uwsgi\s+{[^}]+}' $NGINXCONF | grep -a server | grep -v 'server unix:/var/run/tower/uwsgi.sock;'`" == '' ] || echo FAILED

If "FAILED" is displayed, this is a finding.

Ensure all locations are served by either these upstream servers or other well-known content:

[ "`sudo grep location $NGINXCONF | grep -v '^\s*#' | grep -Ev '^\s+location\s+/(favicon.ico|static|websocket)?\s+{'`" == "" ] || echo "FAILED"
sudo grep -Eq 'location\s+/favicon.ico\s+{\s+alias\s+/var/lib/awx/public/static/media/favicon.ico;\s+}' $NGINXCONF || echo "FAILED"
sudo grep -Eq 'location\s+/static\s+{\s+alias\s+/var/lib/awx/public/static;\s+}' $NGINXCONF || echo "FAILED"
sudo grep -Pzo 'location\s+/websocket\s+({([^{}]|(?1))*})' $NGINXCONF | grep -Eq '^\s+proxy_pass\s+http://daphne;' || echo "FAILED"
sudo grep -Pzo 'location\s+/\s+({([^{}]|(?1))*})' $NGINXCONF | grep -Eq '^\s+uwsgi_pass\s+uwsgi;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Verify the content present and served from the static content location (/var/lib/awx/public/static) is acceptable per organizationally defined policy. If any content present in this location (or its subdirectories) is not acceptable per organizationally defined policy, this is a finding.

As a System Administrator, remove any content present and served from the static content location (/var/lib/awx/public/static) that is not acceptable per organizationally defined policy. Run the setup.sh command in the Ansible Automation Platform installer directory to reconfigure the controller to the default state, which only contains the required configuration:

sudo ./setup.sh
As a System Administrator for each Automation Controller NGINX web server, examine NGINX users in /etc/passwd. Verify a single user "nginx" exists using the command:

[ `grep -c nginx /etc/passwd` == 1 ] || echo FAILED

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server, reinstall Automation Controller if no "nginx" user exists in /etc/passwd. Review all users enumerated in /etc/passwd, and remove any that are not attributable to RHEL or Automation Controller and/or are organizationally disallowed.
As a System Administrator for each Automation Controller NGINX web server, check the allowed mime types and associated shell applications:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
MIME_TYPES=`grep mime $NGINXCONF | awk '{printf $2}' | sed 's/;$//' `
disallowed_mime_types=('application.*\sbin' 'application.*\sexe' 'application.*\srpm' 'application.*\smsi' 'application.*\smsp' 'application.*\smsm' 'application.*\sjs')
echo "${disallowed_mime_types[*]}" | tr ' ' '\n' >tempfile
cat $MIME_TYPES | grep -f tempfile 1>/dev/null && echo "FAILED"
rm -f tempfile

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server, remove the disallowed mime types:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
MIME_TYPES=`grep mime $NGINXCONF | awk '{printf $2}' | sed 's/;$//' `
disallowed_mime_types=('application.*\sbin' 'application.*\sexe' 'application.*\srpm' 'application.*\smsi' 'application.*\smsp' 'application.*\smsm' 'application.*\sjs')
echo "${disallowed_mime_types[*]}" | tr ' ' '\n' >tempfile
cat $MIME_TYPES | grep -vf tempfile >$MIME_TYPES
rm -f tempfile

Restart NGINX.
As a system administrator, for each Automation Controller NGINX web server host, check the Automation Controller NGINX web server configuration for WebDAV modules:

disallowed_modules=(nginx-dav-ext-module headers-more-nginx-module)
echo "${disallowed_modules[*]}" | tr ' ' '\n' >tempfile
nginx -V 2>&1 | grep module | tr ' ' '\n' | grep module | grep -v modules-path | grep -Ff tempfile && echo "FAILED"
rm -f tempfile

If "FAILED" is displayed, this is a finding.

Check the Automation Controller NGINX web server configuration for disallowed WebDAV verbs (COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK) in any dav_methods or dav_ext_methods directive:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
grep -E 'dav_.*methods' $NGINXCONF | grep -E 'COPY|MOVE|MKCOL|PROPFIND|PROPPATCH|LOCK|UNLOCK' && echo 'FAILED'

If "FAILED" is displayed, this is a finding.

As a system administrator, for each Automation Controller nginx web server host, remove all WebDAV modules from the NGINX configuration file (nominally /etc/nginx/nginx.conf). Reload the NGINX server configurations for all NGINX processes:

$ pkill -HUP nginx
As a system administrator for each Automation Controller NGINX web server host, check if SELinux is enabled in enforcing mode:

getenforce | grep Enforcing >/dev/null || echo FAILED

If "FAILED" is displayed, this is a finding.

As a system administrator for each Automation Controller NGINX web server host, place the server in SELinux enforcing mode:

setenforce 1
As a System Administrator for each Automation Controller NGINX web server host, verify the web server is configured to use a static IP address and port:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
grep '^\s*listen\s*\*\|\s*listen\s*\[.*\]\|\s*listen\s*0\.0\.0\.0\|\s*listen\s*\[.*\]\|^\s*listen\s\+.*:[^[:digit:]\s]\+.*' $NGINXCONF && echo FAILED

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, identify the allowed and/or designated IP address(es) for the Automation Controller system. Replace any wildcard or ranged IP address references in the NGINX configuration with IP addresses from the pool of allowed and/or designated addresses. Reload the NGINX server configurations for all NGINX processes:

$ pkill -HUP nginx
As a System Administrator for each Automation Controller NGINX web server host, locate the NGINX configuration and verify the ownership and permissions of the TLS private key it references:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
TOWER_KEY=`sed -n 's/^\s*ssl_certificate_key\s*\(.*\);/\1/p' $NGINXCONF`
stat -c "%a %U %G" $TOWER_KEY | grep "600 root awx" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, set the permissions:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
TOWER_KEY=`sed -n 's/^\s*ssl_certificate_key\s*\(.*\);/\1/p' $NGINXCONF`
sudo chown root:awx $TOWER_KEY
sudo chmod 600 $TOWER_KEY
As a system administrator for each Automation Controller NGINX web server host, enumerate all (nonroot) privileged users on the system:

allowed_privileged_users=('root')
echo "${allowed_privileged_users[*]}" | tr ' ' '\n' >/tmp/allowed_privileged_users
getent passwd | cut -f1 -d ':' | sudo xargs -L1 sudo -l -U | grep -v 'not allowed' | tail -n +3 | sed -n '/^User/s/User\s*\(\w*\).*/\1/p' | grep -v -f /tmp/allowed_privileged_users 1>/dev/null && echo "FAILED"
rm -f /tmp/allowed_privileged_users

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, enumerate all (nonroot) privileged users on the system:

getent passwd | cut -f1 -d ':' | sudo xargs -L1 sudo -l -U | grep -v 'not allowed' | tail -n +3 | sed -n '/^User/s/User\s*\(\w*\).*/\1/p' | grep -v root

For each user shown, perform one of the following actions:
- Remove the indicated user from the system;
- Remove the indicated user from any privileged groups (wheel);
- Remove login access for the user;
- Verify via organizationally defined procedures that the indicated user is an authorized administrative account.
The Automation Controller application configures cookie properties appropriately by default. Any local modifications to cookie-related settings must be located and removed. As a System Administrator for each Automation Controller NGINX web server host, search for modified cookie variables in the Automation Controller configuration:

sudo grep -r -E '(CSRF|SESSION)_COOKIE_(HTTPONLY|SECURE|SAMESITE)' /etc/tower/settings.py /etc/tower/conf.d/

If any output is shown, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, remove any local variable changes related to cookie properties:

sudo grep -r -E '(CSRF|SESSION)_COOKIE_(HTTPONLY|SECURE|SAMESITE)' /etc/tower/settings.py /etc/tower/conf.d/

For each result, edit the relevant file. For example, if a variable is found in /etc/tower/settings.py, edit the file with the following command:

sudo -e /etc/tower/settings.py

Remove any line where the following variables are defined:

SESSION_COOKIE_HTTPONLY
SESSION_COOKIE_SECURE
SESSION_COOKIE_SAMESITE
CSRF_COOKIE_HTTPONLY
CSRF_COOKIE_SECURE
CSRF_COOKIE_SAMESITE

Execute the following command to restart the Automation Controller service:

sudo automation-controller-service restart
Automation Controller serves static public content from the directory /var/lib/awx/public. As a System Administrator for each Automation Controller NGINX web server host, verify that a separate file system/partition has been created for /var/lib/awx/public:

[[ $(sudo awk '$0~"/var/lib/awx/public" {print $2}' /etc/fstab) == "/var/lib/awx/public" ]] || echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, migrate the "/var/lib/awx/public" path onto a separate file system. No automated fix is available for this action.
As a System Administrator for each Automation Controller NGINX web server, verify the configuration makes a charset mandatory:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
grep 'charset_required' $NGINXCONF || echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server, verify the NGINX web server configuration file in use is located at '/etc/nginx/nginx.conf':

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `

Add the directive to the NGINX configuration to force a required charset:

sed -i '/location/i charset_required; ' $NGINXCONF

Reload the NGINX server configurations for all NGINX processes:

$ pkill -HUP nginx
For each Automation Controller NGINX web server, a system administrator must check whether autoindex is turned on or off (autoindex on/autoindex off):

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
grep -E 'autoindex\s+on' $NGINXCONF && echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller nginx web server host, remove any configuration that turns autoindexing on:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sed -Ei -e '/autoindex\s+on/d;' $NGINXCONF

To apply these changes to the running service immediately, restart the NGINX service with the following command:

sudo systemctl restart nginx
For each Automation Controller NGINX web server, a system administrator must check to determine if any error or debug information is being logged or generated:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
cat $NGINXCONF | grep '^\s*error_log' && echo FAILED

If "FAILED" is displayed, this is a finding.

For each Automation Controller NGINX web server, a system administrator must complete the following steps. Verify the NGINX configuration file in use:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
echo $NGINXCONF

Remove the error_log directive from the NGINX configuration file. Cause NGINX to reload its configuration file:

pkill -HUP nginx
As a system administrator, for each Automation Controller NGINX web server host, inspect the current permissions and owner of Tower's web server configuration directory:

stat -c "%a %U %G" /etc/nginx | grep -q "755 root root" || echo "FAILED"
stat -c "%a %U %G" /etc/nginx/conf.d | grep -q "755 root root" || echo "FAILED"
stat -c "%a %U %G" /etc/nginx/nginx.conf | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of the Automation Controller web server program configuration files:

stat -c "%a %U %G" /usr/lib/systemd/system/nginx.service | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of the Automation Controller application content directory:

stat -c "%a %U %G" /var/lib/awx/public/static | grep -q "755 root awx" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Inspect the current permissions and owner of the Automation Controller web server log directory:

stat -c "%a %U %G" /var/log/nginx | grep -q "770 nginx root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a system administrator, for each Automation Controller NGINX web server host, set the permissions and owner of the Automation Controller web server program configuration directory:

sudo chown -R root:root /etc/nginx/
sudo chmod 755 /etc/nginx
sudo chmod 755 /etc/nginx/conf.d
sudo chmod 644 /etc/nginx/nginx.conf

Set the permissions and owner of the Automation Controller web server program configuration files:

sudo chown root:root /usr/lib/systemd/system/nginx.service
sudo chmod 644 /usr/lib/systemd/system/nginx.service

Set the permissions and owner of the Automation Controller application content directory:

sudo chmod 755 /var/lib/awx/public/static
sudo chown root:awx /var/lib/awx/public/static
As a System Administrator for each Automation Controller NGINX web server host, check that the file permissions for the web server components require privileged access:

$ [ `find /etc/nginx -type f -not -perm 644 | wc -l` -gt 0 ] && echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, modify the file permissions for the web server components so that they require privileged access (only regular files are set to 644; directories keep their execute bit so NGINX can still traverse them):

find /etc/nginx -type f -exec chmod 644 {} + && chown -R nginx /etc/nginx
As a System Administrator for each Automation Controller NGINX web server host, verify the required service definitions are protected from unprivileged users:

stat -c "%a %U %G" /usr/lib/systemd/system/automation-controller.service | grep -q "644 root root" || echo "FAILED"
stat -c "%a %U %G" /usr/lib/systemd/system/supervisord.service | grep -q "644 root root" || echo "FAILED"
stat -c "%a %U %G" /usr/lib/systemd/system/nginx.service | grep -q "644 root root" || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Verify the required services are enabled:

systemctl is-enabled automation-controller.service >/dev/null || echo FAILED
systemctl is-enabled supervisord.service >/dev/null || echo FAILED
systemctl is-enabled nginx.service >/dev/null || echo FAILED

If "FAILED" is displayed, this is a finding.

Verify application services are correctly managed by supervisord. Verify protection of, and capture, the supervisord configuration:

stat -c "%a %U %G" /etc/supervisord.d/*.ini | grep -q "644 root root" || echo "FAILED"
cat /etc/supervisord.d/*.ini | sed -n -E "/^\[.*\]/{s/\[(.*)\]/\1/;h;n;};/^[a-zA-Z]/{s/#.*//;G;s/([^ ]*) *= *(.*)\n(.*)/\3_\1='\2'/;p;}" > /tmp/supervisord.parsed.conf

Verify specific start and restart properties for application services:

application_services=(program:awx-dispatcher_autostart program:awx-dispatcher_autorestart program:awx-wsbroadcast_autostart program:awx-wsbroadcast_autorestart program:awx-uwsgi_autostart program:awx-uwsgi_autorestart program:awx-daphne_autostart program:awx-daphne_autorestart program:awx-rsyslogd_autostart program:awx-rsyslogd_autorestart)
for SUPERVISOR_CHECK in ${application_services[@]}; do grep $SUPERVISOR_CHECK /tmp/supervisord.parsed.conf | grep -q true || echo "FAILED" ; done
rm /tmp/supervisord.parsed.conf

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, set the permissions correctly on the nginx service file:

sudo chown root:root /usr/lib/systemd/system/nginx.service
sudo chmod 644 /usr/lib/systemd/system/nginx.service

Reset the Ansible Automation Platform configuration to the defaults, which meet the requirements for the supervisord and automation-controller services. Locate the inventory file used to install Ansible Automation Platform (usually in the installer directory). Run the setup.sh command in the installer directory to reconfigure the controller to use the new setting:

sudo ./setup.sh
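The following script is an added example, not text from the STIG or code from the Automation Controller project. It is a readable equivalent of the supervisord portion of the check above: it reads a value from a named program section of a supervisord INI file and confirms autostart and autorestart are "true" for the five controller services the check lists. The INI file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: parse supervisord INI sections and verify the autostart and
# autorestart properties the STIG expects for the controller's application services.

# Print the value of KEY in [SECTION] of an INI file; comments (# or ;) and
# surrounding whitespace are ignored. Prints nothing if the key is absent.
ini_value() {
    file=$1
    section=$2
    key=$3
    awk -v want="[$section]" -v key="$key" '
        /^[[:space:]]*[#;]/ { next }                         # whole-line comment
        /^[[:space:]]*\[/ {                                   # section header
            h = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", h)
            in_section = (h == want); next
        }
        in_section && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/[[:space:]]*[#;].*$/, "", v)             # trailing comment
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$file"
}

# Services the STIG requires supervisord to start and restart automatically.
APPLICATION_SERVICES="awx-dispatcher awx-wsbroadcast awx-uwsgi awx-daphne awx-rsyslogd"

# Return 0 if every service has autostart=true and autorestart=true; otherwise
# print one FAILED line per missing or wrong property and return 1.
check_supervisord() {
    file=$1
    rc=0
    for svc in $APPLICATION_SERVICES; do
        for key in autostart autorestart; do
            val=$(ini_value "$file" "program:$svc" "$key")
            if [ "$val" != "true" ]; then
                echo "FAILED: [program:$svc] $key='${val:-<unset>}'"
                rc=1
            fi
        done
    done
    return $rc
}

# Write a constructed supervisord INI (placeholder commands, not the real ones).
# If BROKEN names a service, that service is written with autorestart=false.
write_sample_ini() {
    path=$1
    broken=$2
    {
        echo "[supervisord]"
        echo "nodaemon = true"
        for svc in $APPLICATION_SERVICES; do
            echo ""
            echo "[program:$svc]"
            echo "command = /usr/bin/true ; constructed placeholder command"
            echo "autostart = true"
            if [ "$svc" = "$broken" ]; then
                echo "autorestart = false"
            else
                echo "autorestart = true"
            fi
        done
    } > "$path"
}

# Demonstration on the two constructed files.
tmpdir=$(mktemp -d)
write_sample_ini "$tmpdir/ok.ini" ""
write_sample_ini "$tmpdir/bad.ini" awx-uwsgi
check_supervisord "$tmpdir/ok.ini" && echo "ok.ini: compliant"
check_supervisord "$tmpdir/bad.ini" || echo "bad.ini: this is a finding"
rm -rf "$tmpdir"
```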
As a System Administrator for each Automation Controller NGINX web server host, enumerate all available server connections:

NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
grep '\s*listen' $NGINXCONF | grep -v ssl

Ensure each available server connection that does not use SSL upgrades this connection to use SSL via an allowed method:
- is redirected to an SSL server connection, e.g., "return 301 https://$host:443$request_uri";
- is rewritten to an SSL server URL, e.g., "rewrite ^ https://$host$request_uri? permanent;";
- is dropped silently;
- or uses another organizationally approved connection handling method.

Examine the NGINX configuration, for example:

vi $NGINXCONF

If any available server connection is not handled or upgraded to SSL via an organizationally approved method, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, for each available server connection that is not handled or upgraded to SSL via an organizationally approved method, perform one of the following actions:
- Remove the available server connection; OR
- Upgrade the connection via redirect to an SSL server connection; OR
- Rewrite the connection URL to an HTTPS server connection; OR
- Apply another organizationally defined handling method.

Reload the NGINX server configuration by executing the following:

pkill -HUP nginx

(Alternatively, reinstall Automation Controller for each web server host.)
As a System Administrator, for each Automation Controller NGINX web server, a TLS Configuration Check validates the TLS version used by the server:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo grep ssl_protocols ${NGINXCONF} | grep -E 'ssl_protocols\s+TLSv1.2;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller Web Server, reconfigure the TLS versions or ciphers used in Automation Controller's web server:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo -e ${NGINXCONF}

Replace the line beginning with "ssl_protocols" to match (note the leading spaces):
"    ssl_protocols TLSv1.2;"

If the "ssl_protocols" variable does not exist, add it after the line beginning with "ssl_ciphers". Save the file and exit the text editor. To apply these changes to the running service immediately, restart the NGINX service with the following command:

sudo systemctl restart nginx
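The following script is an added example, not text from the STIG or code from the Automation Controller project. It implements the ssl_protocols check above and the ssl_ciphers check from the earlier TLS Configuration Check as one function that works on any nginx.conf path (such as the NGINXCONF value derived from "nginx -V"), ignores commented-out directives, and names the directive that fails; the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: offline check of the two NGINX TLS directives the STIG requires.
# Usage: check_nginx_tls /path/to/nginx.conf   (exit status 0 = compliant)

# Print the value of the last active (non-commented) occurrence of a directive
# in the given config file, without the trailing semicolon; print nothing if absent.
nginx_directive_value() {
    conf=$1
    directive=$2
    sed -e 's/#.*$//' "$conf" \
        | grep -E "^[[:space:]]*${directive}[[:space:]]" \
        | sed -E "s/^[[:space:]]*${directive}[[:space:]]+//; s/[[:space:]]*;[[:space:]]*$//" \
        | tail -n 1
}

# Return 0 when ssl_protocols is exactly "TLSv1.2" and ssl_ciphers is exactly
# "PROFILE=SYSTEM" (the STIG values); otherwise print one FAILED line per
# non-compliant directive and return 1.
check_nginx_tls() {
    conf=$1
    rc=0
    protocols=$(nginx_directive_value "$conf" ssl_protocols)
    ciphers=$(nginx_directive_value "$conf" ssl_ciphers)
    if [ "$protocols" != "TLSv1.2" ]; then
        echo "FAILED: ssl_protocols is '${protocols:-<absent>}', expected 'TLSv1.2'"
        rc=1
    fi
    if [ "$ciphers" != "PROFILE=SYSTEM" ]; then
        echo "FAILED: ssl_ciphers is '${ciphers:-<absent>}', expected 'PROFILE=SYSTEM'"
        rc=1
    fi
    return $rc
}

# Write a constructed sample server block (not a real controller configuration).
# Mode "compliant" uses the STIG values; "weak" still allows TLS 1.0/1.1 and
# overrides the system-wide crypto policy with a hand-written cipher list.
write_sample_conf() {
    path=$1
    mode=$2
    if [ "$mode" = "compliant" ]; then
        protocols="TLSv1.2"
        ciphers="PROFILE=SYSTEM"
    else
        protocols="TLSv1 TLSv1.1 TLSv1.2"
        ciphers="HIGH:!aNULL:!MD5"
    fi
    cat > "$path" <<EOF
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;   commented out: must be ignored by the check
    ssl_protocols $protocols;
    ssl_ciphers $ciphers;
}
EOF
}

# Demonstration on the two constructed files.
tmpdir=$(mktemp -d)
write_sample_conf "$tmpdir/good.conf" compliant
write_sample_conf "$tmpdir/weak.conf" weak
echo "good.conf:"; check_nginx_tls "$tmpdir/good.conf" && echo "  compliant"
echo "weak.conf:"; check_nginx_tls "$tmpdir/weak.conf" || echo "  this is a finding"
rm -rf "$tmpdir"
```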
As a System Administrator for each Automation Controller NGINX web server host, verify the NGINX web server configuration file in use is located at "/etc/nginx/nginx.conf":

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `

If the file does not exist, this is a finding.

Verify the use of only dynamic modules which are allowed by organizational policy:

allowed_modules=(ssl_module http_v2_module http_realip_module http_addition_module http_xslt_module=dynamic http_image_filter_module=dynamic http_sub_module http_dav_module http_mp4_module http_gunzip_module http_gzip_static_module http_random_index_module http_secure_link_module http_degradation_module http_slice_module http_stub_status_module http_perl_module=dynamic http_auth_request_module mail_ssl_module stream_ssl_preread_module http_flv_module)
echo "${allowed_modules[*]}" | tr ' ' '\n' >/tmp/allowed_modules
nginx -V 2>&1 | grep module | tr ' ' '\n' | grep module | grep -v modules-path | grep -v -Ff /tmp/allowed_modules && echo "FAILED"

Verify the use of only runtime modules which are allowed by organizational policy:

grep load_module $NGINXCONF | sed -n 's/^\s*load_module\s*\(.*\)/\1/p' | grep -v -Ff /tmp/allowed_modules && echo "FAILED"
rm -f /tmp/allowed_modules

If the output shows "FAILED", this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, verify the NGINX web server configuration file in use is located at "/etc/nginx/nginx.conf":

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `

Verify the location of the NGINX modules libraries:

pushd `nginx -V 2>&1 | grep module | tr ' ' '\n' | grep module | sed -n 's/.*modules-path.*=\s*\(.*\)/\1/p'`

Remove all modules that violate organizationally defined policy.

Examine runtime loaded modules:

grep load_module $NGINXCONF | sed -n 's/^\s*load_module\s*\(.*\)/\1/p'

Remove all modules that violate organizationally defined policy.

Examine the remainder of the modules:

nginx -V 2>&1 | grep module | tr ' ' '\n' | grep module | grep -v modules-path

These modules are compiled into the core NGINX binaries and cannot be removed. Use of any of these modules that violates organizationally defined policy must be mitigated.

To apply these changes to the running service immediately, restart the NGINX service with the following command:

sudo systemctl restart nginx

Alternatively, reinstall Automation Controller for each web server host.
As a System Administrator for each Automation Controller NGINX web server host, verify the system is configured to receive updates from an organizationally defined source for authoritative system updates:

yum -v repolist

If each URL is not valid and consistent with organizationally defined requirements, this is a finding.
If each repository is not enabled in accordance with organizationally defined requirements, this is a finding.
If the system is not configured to automatically receive and apply system updates from this source at least every 30 days, or manually receive and apply updates at least every 30 days, this is a finding.

As a system administrator, for each Automation Controller NGINX web server host, perform the following:

1. Either configure update repositories in accordance with organizationally defined requirements or subscribe to Red Hat update repositories for the underlying operating system.
2. Execute an update from these repositories:

$ yum update -y

3. Perform one of the following:
3.1. Schedule an update to occur every 30 days, or in accordance with organizationally defined policy:

$ yum install -y dnf-automatic && sed -i '/apply_updates/s/no/yes/' /etc/dnf/automatic.conf && sed -i '/OnCalendar/s/^OnCalendar\s*=.*/OnCalendar=*-1-* 6:00/' /usr/lib/systemd/system/dnf-automatic.timer && systemctl enable --now dnf-automatic.timer

3.2. Schedule manual updates to occur at least every 30 days, or in accordance with organizationally defined policy.
4. Restart the Automation Controller NGINX web server host.
As a System Administrator for each Automation Controller NGINX web server host, verify the NGINX account is configured to disallow interactive login:

grep '^nginx.*\(/sbin/nologin$\|/bin/false$\)' /etc/passwd || echo FAILED

If "FAILED" is displayed, this is a finding.

As a System Administrator for each Automation Controller NGINX web server host, change the NGINX account to disallow interactive login:

$ usermod -s /sbin/nologin nginx