Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide

V1R2 · · · Released 25 Oct 2023 · 55 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 28 Sep 2018 +55 −54

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 55

  • V-240039 Medium HAProxy must limit the amount of time that an http request can be received.
  • V-240040 Medium HAProxy must enable cookie-based persistence in a backend.
  • V-240041 Medium HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-240042 Medium HAProxy must be configured to use TLS for https connections.
  • V-240043 Medium HAProxy must be configured to use syslog.
  • V-240044 Medium HAProxy must generate log records for system startup and shutdown.
  • V-240045 Medium HAProxy must log what type of events occurred.
  • V-240046 Medium HAProxy must log when events occurred.
  • V-240047 Medium HAProxy must log where events occurred.
  • V-240048 Medium HAProxy must log the source of events.
  • V-240049 Medium HAProxy must log the outcome of events.
  • V-240050 Medium HAProxy must log the session ID from the request headers.
  • V-240051 Medium HAProxy must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
  • V-240052 Medium HAProxy log files must not be accessible to unauthorized users.
  • V-240053 Medium HAProxy log files must be protected from unauthorized modification.
  • V-240054 Medium HAProxy log files must be protected from unauthorized deletion.
  • V-240055 Medium HAProxy log files must be backed up onto a different system or media.
  • V-240056 Medium HAProxy files must be verified for their integrity (checksums) before being added to the build systems.
  • V-240057 Medium HAProxy expansion modules must be verified for their integrity (checksums) before being added to the build systems.
  • V-240058 Medium HAProxy must limit access to the statistics feature.
  • V-240059 High HAProxy must not contain any documentation, sample code, example applications, and tutorials.
  • V-240060 Medium HAProxy must be run in a chroot jail.
  • V-240061 Medium HAProxy frontend servers must be bound to a specific port.
  • V-240062 Medium HAProxy must use SSL/TLS protocols in order to secure passwords during transmission from the client.
  • V-240063 Medium HAProxy must perform RFC 5280-compliant certification path validation if PKI is being used.
  • V-240064 Medium HAProxys private key must have access restricted.
  • V-240065 Medium HAProxy must be configured to use only FIPS 140-2 approved ciphers.
  • V-240066 High HAProxy must prohibit anonymous users from editing system files.
  • V-240067 Medium The HAProxy baseline must be documented and maintained.
  • V-240068 Medium HAProxy must be configured to validate the configuration files during start and restart events.
  • V-240069 Medium HAProxy must limit the amount of time that half-open connections are kept alive.
  • V-240070 Medium HAProxy must provide default error files.
  • V-240071 Medium HAProxy must not be started with the debug switch.
  • V-240072 Medium HAProxy must set an absolute timeout on sessions.
  • V-240073 Medium HAProxy must set an inactive timeout on sessions.
  • V-240074 High HAProxy must redirect all http traffic to use https.
  • V-240075 Medium HAProxy must restrict inbound connections from nonsecure zones.
  • V-240076 Medium HAProxy must be configured to use syslog.
  • V-240077 Medium HAProxy must not impede the ability to write specified log record content to an audit log server.
  • V-240078 Medium HAProxy must be configurable to integrate with an organizations security infrastructure.
  • V-240079 Medium HAProxy must use the httplog option.
  • V-240080 Medium HAProxy libraries, and configuration files must only be accessible to privileged users.
  • V-240081 Medium HAProxy psql-local frontend must be bound to port 5433.
  • V-240082 Medium HAProxy vcac frontend must be bound to ports 80 and 443.
  • V-240083 Medium HAProxy vro frontend must be bound to the correct port 8283.
  • V-240084 Medium HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-240085 Medium HAProxy must be protected from being stopped by a non-privileged user.
  • V-240086 Medium HAProxy must be configured to use SSL/TLS.
  • V-240087 Medium HAProxy session IDs must be sent to the client using SSL/TLS.
  • V-240088 High HAProxy must set the no-sslv3 value on all client ports.
  • V-240089 Medium HAProxy must remove all export ciphers.
  • V-240090 Medium HAProxy must maintain the confidentiality and integrity of information during reception.
  • V-240091 Medium HAProxy must have the latest approved security-relevant software updates installed.
  • V-240092 Medium HAProxy must set the maxconn value.
  • V-258451 High The version of vRealize Automation 7.x HA Proxy running on the system must be a supported version.

Removed rules 54

  • V-89139 Medium HAProxy must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
  • V-89141 Medium HAProxy log files must not be accessible to unauthorized users.
  • V-89143 Medium HAProxy log files must be protected from unauthorized modification.
  • V-89145 Medium HAProxy log files must be protected from unauthorized deletion.
  • V-89147 Medium HAProxy log files must be backed up onto a different system or media.
  • V-89149 Medium HAProxy files must be verified for their integrity (checksums) before being added to the build systems.
  • V-89151 Medium HAProxy expansion modules must be verified for their integrity (checksums) before being added to the build systems.
  • V-89153 Medium HAProxy must limit access to the statistics feature.
  • V-89155 High HAProxy must not contain any documentation, sample code, example applications, and tutorials.
  • V-89157 Medium HAProxy must be run in a chroot jail.
  • V-89159 Medium HAProxy frontend servers must be bound to a specific port.
  • V-89161 Medium HAProxy must use SSL/TLS protocols in order to secure passwords during transmission from the client.
  • V-89163 Medium HAProxy must perform RFC 5280-compliant certification path validation if PKI is being used.
  • V-89165 Medium HAProxys private key must have access restricted.
  • V-89167 Medium HAProxy must be configured to use only FIPS 140-2 approved ciphers.
  • V-89169 High HAProxy must prohibit anonymous users from editing system files.
  • V-89171 Medium The HAProxy baseline must be documented and maintained.
  • V-89173 Medium HAProxy must be configured to validate the configuration files during start and restart events.
  • V-89175 Medium HAProxy must limit the amount of time that half-open connections are kept alive.
  • V-89177 Medium HAProxy must provide default error files.
  • V-89179 Medium HAProxy must not be started with the debug switch.
  • V-89181 Medium HAProxy must set an absolute timeout on sessions.
  • V-89183 Medium HAProxy must set an inactive timeout on sessions.
  • V-89185 High HAProxy must redirect all http traffic to use https.
  • V-89187 Medium HAProxy must restrict inbound connections from nonsecure zones.
  • V-89189 Medium HAProxy must be configured to use syslog.
  • V-89191 Medium HAProxy must not impede the ability to write specified log record content to an audit log server.
  • V-89193 Medium HAProxy must be configurable to integrate with an organizations security infrastructure.
  • V-89195 Medium HAProxy must use the httplog option.
  • V-89197 Medium HAProxy libraries, and configuration files must only be accessible to privileged users.
  • V-89199 Medium HAProxy psql-local frontend must be bound to port 5433.
  • V-89201 Medium HAProxy vcac frontend must be bound to ports 80 and 443.
  • V-89203 Medium HAProxy vro frontend must be bound to the correct port 8283.
  • V-89205 Medium HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-89207 Medium HAProxy must be protected from being stopped by a non-privileged user.
  • V-89209 Medium HAProxy must be configured to use SSL/TLS.
  • V-89211 High HAProxy must set the no-sslv3 value on all client ports.
  • V-89213 Medium HAProxy must remove all export ciphers.
  • V-89215 Medium HAProxy must have the latest approved security-relevant software updates installed.
  • V-89217 Medium HAProxy must set the maxconn value.
  • V-90297 Medium HAProxy must limit the amount of time that an http request can be received.
  • V-90299 Medium HAProxy must enable cookie-based persistence in a backend.
  • V-90301 Medium HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-90303 Medium HAProxy must be configured to use TLS for https connections.
  • V-90305 Medium HAProxy must be configured to use syslog.
  • V-90307 Medium HAProxy must generate log records for system startup and shutdown.
  • V-90309 Medium HAProxy must log what type of events occurred.
  • V-90311 Medium HAProxy must log when events occurred.
  • V-90313 Medium HAProxy must log where events occurred.
  • V-90315 Medium HAProxy must log the source of events.
  • V-90317 Medium HAProxy must log the outcome of events.
  • V-90319 Medium HAProxy must log the session ID from the request headers.
  • V-90321 Medium HAProxy session IDs must be sent to the client using SSL/TLS.
  • V-90323 Medium HAProxy must maintain the confidentiality and integrity of information during reception.
Sort by
b
HAProxy must limit the amount of time that an http request can be received.
AC-10 - Medium - CCI-000054 - V-240039 - SV-240039r879511_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
VRAU-HA-000005
Vuln IDs
  • V-240039
  • V-90297
Rule IDs
  • SV-240039r879511_rule
  • SV-100947
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the parameter values associated with keepalive, (i.e., a parameter used to limit the amount of time a connection may be inactive). HAProxy provides an http-request timeout parameter that set the maximum allowed time to wait for a complete HTTP request. Setting this parameter will mitigate slowloris DoS attacks. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request.
Checks: C-43272r665284_chk

At the command prompt, execute the following command: grep 'timeout http-request' /etc/haproxy/haproxy.cfg If the value of ''timeout http-request" is not set to "5000", is commented out, or is missing, this is a finding.

Fix: F-43231r665285_fix

Navigate to and open /etc/haproxy/haproxy.cfg Configure the haproxy.cfg file with the following value in the global section: 'timeout http-request 5000'

b
HAProxy must enable cookie-based persistence in a backend.
AC-10 - Medium - CCI-000054 - V-240040 - SV-240040r879511_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
VRAU-HA-000010
Vuln IDs
  • V-240040
  • V-90299
Rule IDs
  • SV-240040r879511_rule
  • SV-100949
Session management is the practice of protecting the bulk of the user authorization and identity information. As a load balancer, HAProxy must participate in session management in order to set the session management cookie. Additionally, HAProxy must also ensure that the backend server which started the session with the client is forwarded subsequent requests from the client.
Checks: C-43273r665287_chk

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Verify that each backend is configured with the following: cookie JSESSIONID prefix If "cookie" is not set for each backend, this is a finding.

Fix: F-43232r665288_fix

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Configure each backend with the following value: 'cookie JSESSIONID prefix'

b
HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.
AC-17 - Medium - CCI-000068 - V-240041 - SV-240041r879519_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
VRAU-HA-000015
Vuln IDs
  • V-240041
  • V-90301
Rule IDs
  • SV-240041r879519_rule
  • SV-100951
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-43274r665290_chk

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Verify that each frontend is configured with the following: bind :<port> ssl crt <pemfile> ciphers FIPS:+3DES:!aNULL no-sslv3 Note: <port> and <pemfile> will be different for each frontend. If the ciphers listed are not as shown above, this is a finding.

Fix: F-43233r665291_fix

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Configure the bind option for each frontend with the following ciphers parameter: 'ciphers FIPS:+3DES:!aNULL'.

b
HAProxy must be configured to use TLS for https connections.
AC-17 - Medium - CCI-001453 - V-240042 - SV-240042r879520_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
VRAU-HA-000020
Vuln IDs
  • V-240042
  • V-90303
Rule IDs
  • SV-240042r879520_rule
  • SV-100953
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.
Checks: C-43275r665293_chk

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Verify that each frontend is configured with the following: bind :<port> ssl crt <pemfile> ciphers FIPS:+3DES:!aNULL no-sslv3 Note: <port> and <pemfile> will be different for each frontend. If "ssl" is not set for the bind option for each frontend, this is a finding.

Fix: F-43234r665294_fix

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Configure the bind option for each frontend with the "ssl" parameter.

b
HAProxy must be configured to use syslog.
AC-17 - Medium - CCI-000067 - V-240043 - SV-240043r879521_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
VRAU-HA-000025
Vuln IDs
  • V-240043
  • V-90305
Rule IDs
  • SV-240043r879521_rule
  • SV-100955
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server.
Checks: C-43276r665296_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the "globals" section will contain the following: defaults log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the each frontend section. Verify that the log keyword has not been set for each frontend. If the log keyword is resent in a frontend, this is a finding. Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging start and stop events to the log file. If the log file is not recording HAProxy start and stop events, this is a finding.

Fix: F-43235r665297_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to each frontend section. Remove any log options from each frontend.

b
HAProxy must generate log records for system startup and shutdown.
AU-12 - Medium - CCI-000169 - V-240044 - SV-240044r879559_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
VRAU-HA-000035
Vuln IDs
  • V-240044
  • V-90307
Rule IDs
  • SV-240044r879559_rule
  • SV-100957
Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Recording the start and stop events of HAProxy will provide useful information to investigators.
Checks: C-43277r665299_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging start and stop events to the log file. If the log file is not recording HAProxy start and stop events, this is a finding.

Fix: F-43236r665300_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must log what type of events occurred.
AU-3 - Medium - CCI-000130 - V-240045 - SV-240045r879563_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
VRAU-HA-000050
Vuln IDs
  • V-240045
  • V-90309
Rule IDs
  • SV-240045r879563_rule
  • SV-100959
Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. When configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the type of web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.
Checks: C-43278r665302_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging the type of events to the log file. If the log file is not recording the type of events, this is a finding.

Fix: F-43237r665303_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must log when events occurred.
AU-3 - Medium - CCI-000131 - V-240046 - SV-240046r879564_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
VRAU-HA-000055
Vuln IDs
  • V-240046
  • V-90311
Rule IDs
  • SV-240046r879564_rule
  • SV-100961
Ascertaining when an event occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing when an event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. When configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the time of a web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.
Checks: C-43279r665305_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging the time of events to the log file. If the log file is not recording the time of events, this is a finding.

Fix: F-43238r665306_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must log where events occurred.
AU-3 - Medium - CCI-000132 - V-240047 - SV-240047r879565_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
VRAU-HA-000060
Vuln IDs
  • V-240047
  • V-90313
Rule IDs
  • SV-240047r879565_rule
  • SV-100963
Ascertaining where an event occurred is important during forensic analysis. The correct determination of the event and where on the web server it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing where an event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. When configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the local resource that was the target of a web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.
Checks: C-43280r665308_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging where on the web server resources were requested to the log file. If the log file is not recording where the events occurred, this is a finding.

Fix: F-43239r665309_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must log the source of events.
AU-3 - Medium - CCI-000133 - V-240048 - SV-240048r879566_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
VRAU-HA-000065
Vuln IDs
  • V-240048
  • V-90315
Rule IDs
  • SV-240048r879566_rule
  • SV-100965
Ascertaining the source of an event is important during forensic analysis. The correct determination of the event and what client requested the resource is important in relation to other events that happened at that same time. Without sufficient information establishing the source of an event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. When configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the client IP address that requested the web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.
Checks: C-43281r665311_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging the source of the event to the log file. If the log file is not recording the source of the event, this is a finding.

Fix: F-43240r665312_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must log the outcome of events.
AU-3 - Medium - CCI-000134 - V-240049 - SV-240049r879567_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
VRAU-HA-000075
Vuln IDs
  • V-240049
  • V-90317
Rule IDs
  • SV-240049r879567_rule
  • SV-100967
Ascertaining the outcome of an event is important during forensic analysis. The correct determination of the event and its outcome is important in relation to other events that happened at that same time. Without sufficient information establishing the outcome of an event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. When configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the success or failure of the web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.
Checks: C-43282r665314_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging the outcome of web server events to the log file. If the log file is not recording the outcome of events, this is a finding.

Fix: F-43241r665315_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must log the session ID from the request headers.
AU-3 - Medium - CCI-001487 - V-240050 - SV-240050r879568_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
VRAU-HA-000080
Vuln IDs
  • V-240050
  • V-90319
Rule IDs
  • SV-240050r879568_rule
  • SV-100969
Ascertaining the identity of the requestor of an event is important during forensic analysis. The correct determination of identity of the requestor of the event and its outcome is important in relation to other events that happened at that same time. Without sufficient information establishing the identity of the requestor of an event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. When configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the request headers of the web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.
Checks: C-43283r665317_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the globals section. Verify that the globals section contains the log keyword, and that the log option contains the local0 syslog facility as its parameter. If properly configured, the globals section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the defaults section. Verify that the defaults section contains the log keyword with the global value. Verify that an option keyword has been configured with the httplog value. If properly configured, the globals section will contain the following: defaults log global option httplog Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging request headers to include session ID to the log file. If the log file is not recording the session ID from the request headers, this is a finding.

Fix: F-43242r665318_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
AU-5 - Medium - CCI-000139 - V-240051 - SV-240051r879570_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000139
Version
VRAU-HA-000085
Vuln IDs
  • V-240051
  • V-89139
Rule IDs
  • SV-240051r879570_rule
  • SV-99789
An accurate and current audit trail is essential for maintaining a record of system activity. If the logging system fails, the SA must be notified and must take prompt action to correct the problem. Minimally, the system must log this event and the SA will receive this notification during the daily system log review. If feasible, active alerting (such as e-mail or paging) should be employed consistent with the site's established operations management systems and procedures.
Checks: C-43284r665320_chk

Interview the ISSO. Determine if logging failure events are monitored, and warnings provided to the ISSO. If logging failure events do not provide warnings in accordance with organization policies, this is a finding. If alerts are not sent or the web server is not configured to use a dedicated logging tool that meets this requirement, this is a finding.

Fix: F-43243r665321_fix

Ensure logging failures result in warnings to the ISSO and SA at a minimum.

b
HAProxy log files must not be accessible to unauthorized users.
AU-9 - Medium - CCI-000162 - V-240052 - SV-240052r879576_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
VRAU-HA-000095
Vuln IDs
  • V-240052
  • V-89141
Rule IDs
  • SV-240052r879576_rule
  • SV-99791
The HAProxy log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts.
Checks: C-43285r665323_chk

At the command prompt, execute the following command: ls -la /var/log/vmware/vcac/vcac-config.log If the log file has permissions more permissive than "640", this is a finding.

Fix: F-43244r665324_fix

At the command prompt, execute the following command: sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs

b
HAProxy log files must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240053 - SV-240053r879577_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
VRAU-HA-000100
Vuln IDs
  • V-240053
  • V-89143
Rule IDs
  • SV-240053r879577_rule
  • SV-99793
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc.
Checks: C-43286r665326_chk

At the command prompt, execute the following command: ls -la /var/log/vmware/vcac/vcac-config.log If the log file has permissions more permissive than "640", this is a finding.

Fix: F-43245r665327_fix

At the command prompt, execute the following command: sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs

b
HAProxy log files must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240054 - SV-240054r879578_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
VRAU-HA-000105
Vuln IDs
  • V-240054
  • V-89145
Rule IDs
  • SV-240054r879578_rule
  • SV-99795
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc.
Checks: C-43287r665329_chk

At the command prompt, execute the following command: ls -la /var/log/vmware/vcac/vcac-config.log If the log file has permissions more permissive than "640", this is a finding.

Fix: F-43246r665330_fix

At the command prompt, execute the following command: sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs

b
HAProxy log files must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-240055 - SV-240055r879582_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
VRAU-HA-000110
Vuln IDs
  • V-240055
  • V-89147
Rule IDs
  • SV-240055r879582_rule
  • SV-99797
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc.
Checks: C-43288r665332_chk

Interview the ISSO. Determine whether log data and records are being backed up to a different system or separate media. If log data and records are not being backed up to a different system or separate media, this is a finding.

Fix: F-43247r665333_fix

Ensure log data and records are being backed up to a different system or separate media.

b
HAProxy files must be verified for their integrity (checksums) before being added to the build systems.
CM-5 - Medium - CCI-001749 - V-240056 - SV-240056r879584_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
VRAU-HA-000115
Vuln IDs
  • V-240056
  • V-89149
Rule IDs
  • SV-240056r879584_rule
  • SV-99799
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. The HAProxy web server files on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
Checks: C-43289r665335_chk

Interview the ISSO. Determine whether web server files are verified/validated before being implemented into the production environment. If the web server files are not verified or validated before being implemented into the production environment, this is a finding.

Fix: F-43248r665336_fix

Ensure web server files are verified or validated before being implemented the production environment.

b
HAProxy expansion modules must be verified for their integrity (checksums) before being added to the build systems.
CM-5 - Medium - CCI-001749 - V-240057 - SV-240057r879584_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
VRAU-HA-000120
Vuln IDs
  • V-240057
  • V-89151
Rule IDs
  • SV-240057r879584_rule
  • SV-99801
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. Expansion that are installed on the production HAProxy web server on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
Checks: C-43290r665338_chk

Interview the ISSO. Determine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment. If the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-43249r665339_fix

Ensure expansion modules are fully reviewed, tested, and signed before being implemented into the production environment.

b
HAProxy must limit access to the statistics feature.
CM-7 - Medium - CCI-000381 - V-240058 - SV-240058r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-HA-000130
Vuln IDs
  • V-240058
  • V-89153
Rule IDs
  • SV-240058r879587_rule
  • SV-99803
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to be accessible on a production DoD system. HAProxy provide a statistics page, which will display web browser statistics from any web browser if HAProxy has not been configured to connect the server statistics to a UNIX socket.
Checks: C-43291r665341_chk

At the command prompt, execute the following command: grep 'stats socket' /etc/haproxy/haproxy.cfg If the command does not return the line below, this is a finding. stats socket /var/run/haproxy.sock mode 600 level admin

Fix: F-43250r665342_fix

Uninstall or deactivate features, services, and processes not needed by the web server for operation.

c
HAProxy must not contain any documentation, sample code, example applications, and tutorials.
CM-7 - High - CCI-000381 - V-240059 - SV-240059r879587_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
VRAU-HA-000140
Vuln IDs
  • V-240059
  • V-89155
Rule IDs
  • SV-240059r879587_rule
  • SV-99805
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-43292r665344_chk

At the command prompt, execute the following command: ls /usr/share/doc/packages/haproxy The command should report that there is no such file or directory. If the command shows any files or directories, this is a finding.

Fix: F-43251r665345_fix

Remove all listed files and directories.

b
HAProxy must be run in a chroot jail.
CM-7 - Medium - CCI-000381 - V-240060 - SV-240060r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-HA-000175
Vuln IDs
  • V-240060
  • V-89157
Rule IDs
  • SV-240060r879587_rule
  • SV-99807
Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail.
Checks: C-43293r665347_chk

At the command prompt, execute the following command: grep 'chroot' /etc/haproxy/haproxy.cfg If the value "/var/lib/haproxy" is not listed, this is a finding.

Fix: F-43252r665348_fix

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to and configure the globals section with the following value: 'chroot /var/lib/haproxy'

b
HAProxy frontend servers must be bound to a specific port.
CM-7 - Medium - CCI-000382 - V-240061 - SV-240061r879588_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
VRAU-HA-000185
Vuln IDs
  • V-240061
  • V-89159
Rule IDs
  • SV-240061r879588_rule
  • SV-99809
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Checks: C-43294r665350_chk

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Verify that each frontend is bound to at least one port. Below is an example binding: frontend https-in-vro-config bind :8283 If each frontend is not bound to at least one port, this is a finding.

Fix: F-43253r665351_fix

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Configure each frontend to be bound to at least one port.

b
HAProxy must use SSL/TLS protocols in order to secure passwords during transmission from the client.
IA-5 - Medium - CCI-000197 - V-240062 - SV-240062r879609_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
VRAU-HA-000190
Vuln IDs
  • V-240062
  • V-89161
Rule IDs
  • SV-240062r879609_rule
  • SV-99811
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Even when data is passed through a load balancer, data used to authenticate users must be sent via SSL/TLS.
Checks: C-43295r665353_chk

At the command line execute the following command: cat /etc/haproxy/conf.d/20-vcac.cfg | awk '$0 ~ /bind.*:80/ || $0 ~ /redirect.*ssl_fc/ {print}' If the command does not return the two lines below, this is a finding. bind 0.0.0.0:80 redirect scheme https if !{ ssl_fc }

Fix: F-43254r665354_fix

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following two values: bind 0.0.0.0:80 redirect scheme https if !{ ssl_fc }

b
HAProxy must perform RFC 5280-compliant certification path validation if PKI is being used.
IA-5 - Medium - CCI-000185 - V-240063 - SV-240063r879612_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
VRAU-HA-000195
Vuln IDs
  • V-240063
  • V-89163
Rule IDs
  • SV-240063r879612_rule
  • SV-99813
The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-43296r665356_chk

Interview the ISSO. Review HAProxy configuration to verify that certificates being provided by the web server are validated, RFC 5280-compliant certificates. If PKI is not being used, this is NA. If certificates are not validated, RFC 5280-compliant certificates, this is a finding.

Fix: F-43255r665357_fix

Install validated RFC 5280-compliant certificates.

b
HAProxys private key must have access restricted.
IA-5 - Medium - CCI-000186 - V-240064 - SV-240064r879613_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000186
Version
VRAU-HA-000200
Vuln IDs
  • V-240064
  • V-89165
Rule IDs
  • SV-240064r879613_rule
  • SV-99815
HAProxy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web server's private key. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the encrypted traffic between a client and the web server.
Checks: C-43297r665359_chk

At the command prompt, execute the following command: ls -al /etc/apache2/server.pem If the permissions on the file are not "600", this is a finding.

Fix: F-43256r665360_fix

At the command prompt, execute the following command:s: chmod 600 /etc/apache2/server.pem

b
HAProxy must be configured to use only FIPS 140-2 approved ciphers.
IA-7 - Medium - CCI-000803 - V-240065 - SV-240065r879616_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
VRAU-HA-000210
Vuln IDs
  • V-240065
  • V-89167
Rule IDs
  • SV-240065r879616_rule
  • SV-99817
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
Checks: C-43298r665362_chk

At the command prompt, execute the following command: grep -E 'bind.*ssl' /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg If the return value for SSL cipher list is not set to "FIPS: +3DES:!aNULL", this is a finding.

Fix: F-43257r665363_fix

Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the frontend section in each file. Configure the bind keyword file with this cipher list: 'FIPS: +3DES:!aNULL'

c
HAProxy must prohibit anonymous users from editing system files.
SC-2 - High - CCI-001082 - V-240066 - SV-240066r879631_rule
RMF Control
SC-2
Severity
H
CCI
CCI-001082
Version
VRAU-HA-000225
Vuln IDs
  • V-240066
  • V-89169
Rule IDs
  • SV-240066r879631_rule
  • SV-99819
Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.
Checks: C-43299r665365_chk

At the command prompt, execute the following command: ls -alR /etc/haproxy /var/lib/haproxy /usr/sbin/haproxy | grep -E '^-' | awk '{print $1}' | cut -c9 | grep w If the command returns any value, this is a finding.

Fix: F-43258r665366_fix

Navigate to and remove anonymous permissions for any listed files.

b
The HAProxy baseline must be documented and maintained.
SC-24 - Medium - CCI-001190 - V-240067 - SV-240067r879640_rule
RMF Control
SC-24
Severity
M
CCI
CCI-001190
Version
VRAU-HA-000275
Vuln IDs
  • V-240067
  • V-89171
Rule IDs
  • SV-240067r879640_rule
  • SV-99821
Without maintenance of a baseline of current HAProxy software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to HAProxy could be the result of intentional or unintentional actions.
Checks: C-43300r665368_chk

Have the appliance administrator and/or ISSO provide the HAProxy software baseline procedures, implementation evidence, and a list of files and directories included in the baseline procedure for completeness. If baseline procedures do not exist, not implemented reliably, or are not complete, this is a finding.

Fix: F-43259r665369_fix

Develop, document, and implement baseline procedures that include all HAProxy software files and directories. Update the baseline after new installations, upgrades, or maintenance activities that include changes to the software baseline.

b
HAProxy must be configured to validate the configuration files during start and restart events.
SC-24 - Medium - CCI-001190 - V-240068 - SV-240068r879640_rule
RMF Control
SC-24
Severity
M
CCI
CCI-001190
Version
VRAU-HA-000280
Vuln IDs
  • V-240068
  • V-89173
Rule IDs
  • SV-240068r879640_rule
  • SV-99823
Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Failure in a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission/business processes. An example is a firewall that blocks all traffic rather than allowing all traffic when a firewall component fails. This prevents an attacker from forcing a failure of the system in order to obtain access. Web servers must fail to a known consistent state. Validating the server's configuration file during start and restart events can help to minimize the risk of an unexpected server failure during system start.
Checks: C-43301r665371_chk

At the command prompt, execute the following command: grep -E '\s(start|restart)\)' -A 7 /etc/init.d/haproxy If the command "haproxy_check" is not shown in the "start)" and the "restart)" code blocks, this is a finding.

Fix: F-43260r665372_fix

Navigate to and open /etc/init.d/haproxy Navigate to the "start)" code block. Add the value "haproxy_check" before the line with the value "/sbin/startproc". Navigate to the "restart)" code block. Add the value "haproxy_check" before the line with the value "$0 stop".

b
HAProxy must limit the amount of time that half-open connections are kept alive.
SC-5 - Medium - CCI-001094 - V-240069 - SV-240069r879650_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
VRAU-HA-000300
Vuln IDs
  • V-240069
  • V-89175
Rule IDs
  • SV-240069r879650_rule
  • SV-99825
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is to limit the amount of time that a half-open connection is kept alive.
Checks: C-43302r665374_chk

At the command prompt, execute the following command: grep 'timeout client-fin' /etc/haproxy/haproxy.cfg If the return value for "timeout client-fin" list is not set to "30s", this is a finding.

Fix: F-43261r665375_fix

Navigate to and open /etc/haproxy/haproxy.cfg Configure the haproxy.cfg file with the following value in the defaults section: 'timeout client-fin 30s'.

b
HAProxy must provide default error files.
SI-11 - Medium - CCI-001312 - V-240070 - SV-240070r879655_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
VRAU-HA-000315
Vuln IDs
  • V-240070
  • V-89177
Rule IDs
  • SV-240070r879655_rule
  • SV-99827
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-43303r665377_chk

At the command prompt, execute the following command: grep 'errorfile' /etc/haproxy/haproxy.cfg If the return value for "errorfile" does not list error pages for the following HTTP status codes, this is a finding. 400, 403, 408, 500, 502, 503, 504

Fix: F-43262r665378_fix

Create error pages for each of the HTTP status codes below: 400, 403, 408, 500, 502, 503, 504 Navigate to and open /etc/haproxy/haproxy.cfg. Navigate to the "defaults" section. Add the following lines: errorfile 400 /path/to/errorPage/for/400.http errorfile 403 /path/to/errorPage/for/403.http errorfile 408 /path/to/errorPage/for/408.http errorfile 500 /path/to/errorPage/for/500.http errorfile 502 /path/to/errorPage/for/502.http errorfile 503 /path/to/errorPage/for/503.http errorfile 504 /path/to/errorPage/for/504.http

b
HAProxy must not be started with the debug switch.
SI-11 - Medium - CCI-001312 - V-240071 - SV-240071r879655_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
VRAU-HA-000320
Vuln IDs
  • V-240071
  • V-89179
Rule IDs
  • SV-240071r879655_rule
  • SV-99829
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.
Checks: C-43304r665380_chk

At the command prompt, execute the following command: ps aux | grep '[h]aproxy' | grep '\s\-d\s' If the command returns any value, this is a finding.

Fix: F-43263r665381_fix

Restart the HAProxy without the debug command line argument, which is "-d".

b
HAProxy must set an absolute timeout on sessions.
AC-12 - Medium - CCI-002361 - V-240072 - SV-240072r879673_rule
RMF Control
AC-12
Severity
M
CCI
CCI-002361
Version
VRAU-HA-000325
Vuln IDs
  • V-240072
  • V-89181
Rule IDs
  • SV-240072r879673_rule
  • SV-99831
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after an absolute period of time, the user is forced to re-authenticate guaranteeing the session is still in use. Enabling an absolute timeout for sessions closes sessions that are still active. Examples would be a runaway process accessing the web server or an attacker using a hijacked session to slowly probe the web server. HAProxy provides a 'tune.ssl.lifetime' parameter, which will set an absolute timeout on SSL sessions.
Checks: C-43305r665383_chk

At the command prompt, execute the following command: grep 'tune.ssl.lifetime' /etc/haproxy/haproxy.cfg If the command returns any value, this is a finding.

Fix: F-43264r665384_fix

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the "globals" section Add the value 'tune.ssl.lifetime 20m'

b
HAProxy must set an inactive timeout on sessions.
AC-12 - Medium - CCI-002361 - V-240073 - SV-240073r879673_rule
RMF Control
AC-12
Severity
M
CCI
CCI-002361
Version
VRAU-HA-000330
Vuln IDs
  • V-240073
  • V-89183
Rule IDs
  • SV-240073r879673_rule
  • SV-99833
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Acceptable values are "5" minutes for high-value applications, "10" minutes for medium-value applications, and "20" minutes for low-value applications. HAProxy provides an appsession parameter, which will invalidate an inactive cookie after a configurable amount of time.
Checks: C-43306r665386_chk

Navigate to and open the following files: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg Verify that each backend that sets a cookie is configured with the following: appsession <cookie> len 64 timeout 5m Note: The value for <cookie> is defined in the "cookie" option for each backend and may be different. If the "appsession" option is not present or is not configured as shown, this is a finding.

Fix: F-43265r665387_fix

Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to each backend section that sets a cookie in each file. Configure the backend with the following: appsession <cookie> len 64 timeout 5m Note: The value for <cookie> is defined in the "cookie" option for each backend and may be different.

c
HAProxy must redirect all http traffic to use https.
AC-17 - High - CCI-002314 - V-240074 - SV-240074r879692_rule
RMF Control
AC-17
Severity
H
CCI
CCI-002314
Version
VRAU-HA-000335
Vuln IDs
  • V-240074
  • V-89185
Rule IDs
  • SV-240074r879692_rule
  • SV-99835
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. vRA can be configured to redirect unencrypted, http port 80, traffic to use the encrypted, https port 443.
Checks: C-43307r665389_chk

At the command prompt, execute the following command: grep 'redirect scheme https' /etc/haproxy/conf.d/20-vcac.cfg Note: the command should return this line: 'redirect scheme https if !{ ssl_fc }' If the command does not return the expected line, this is a finding.

Fix: F-43266r665390_fix

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to the "frontend https-in" section. In the "frontend https-in" section, add the 'redirect scheme https if !{ ssl_fc }' option before all 'acl' options.

b
HAProxy must restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-240075 - SV-240075r879692_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
VRAU-HA-000340
Vuln IDs
  • V-240075
  • V-89187
Rule IDs
  • SV-240075r879692_rule
  • SV-99837
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server. As the web server for the vRA Virtual Appliance Management Interface (vAMI), Lighttpd is the primary remote access management system for vRA. Lighttpd must be configured to restrict inbound connections from nonsecure zones. To accomplish this, the SSL engine must be enabled. The SSL engine forces Lighttpd to only listen via secure protocols.
Checks: C-43308r665392_chk

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to the "frontend https-in" section. Review the "frontend https-in" section. Verify that the port 443 binding has the "ssl" keyword. Verify that port 80 is binded. Verify that non-ssl traffic is redirected to port 443. Note: Ports are binded with this statement: 'bind 0.0.0.0:&lt;port&gt;', where &lt;port&gt; is the binded port. Note: Non-ssl traffic is redirected with this statement: 'redirect scheme https if !{ ssl_fc }' Note: Ensure the redirection statement appears before all 'acl' statements. If the port 443 binding is missing the "ssl" keyword, OR port 80 is NOT binded, OR non-ssl traffic is NOT being redirected to port 443, this is a finding.

Fix: F-43267r665393_fix

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following three values: bind 0.0.0.0:80 bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 redirect scheme https if !{ ssl_fc } Note: Ensure the redirection statement appears before all 'acl' statements.

b
HAProxy must be configured to use syslog.
AU-4 - Medium - CCI-001849 - V-240076 - SV-240076r879730_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001849
Version
VRAU-HA-000360
Vuln IDs
  • V-240076
  • V-89189
Rule IDs
  • SV-240076r879730_rule
  • SV-99839
There are many aspects of appropriate web server logging for security. Storage capacity must be adequate. ISSO and SA must receive warnings and alerts when storage capacity is filled to 75%. Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.
Checks: C-43309r665395_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the "globals" section. Verify that the "globals" section contains the "log" keyword, and that the "log" option contains the local0 syslog facility as its parameter. If properly configured, the "globals" section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the "defaults" section. Verify that the "defaults" section contains the "log" keyword with the global value. Verify that an option keyword has been configured with the "httplog" value. If properly configured, the "defaults" section will contain the following: defaults log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the each frontend section. Verify that the "log" keyword has not been set for each frontend. If the "log" keyword is present in a frontend, this is a finding. Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging start and stop events to the log file. If the log file is not recording HAProxy start and stop events, this is a finding.

Fix: F-43268r665396_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the "globals" section with the following: log 127.0.0.1 local0 Configure the "defaults" section with both of the following: log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to each frontend section. Remove any log options from each frontend.

b
HAProxy must not impede the ability to write specified log record content to an audit log server.
AU-4 - Medium - CCI-001851 - V-240077 - SV-240077r879731_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
VRAU-HA-000365
Vuln IDs
  • V-240077
  • V-89191
Rule IDs
  • SV-240077r879731_rule
  • SV-99841
Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.
Checks: C-43310r665398_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the "globals" section. Verify that the "globals" section contains the "log" keyword, and that the "log" option contains the local0 syslog facility as its parameter. If properly configured, the "globals" section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the "defaults" section. Verify that the "defaults" section contains the "log" keyword with the global value. Verify that an option keyword has been configured with the "httplog" value. If properly configured, the "defaults" section will contain the following: defaults log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the each frontend section. Verify that the "log" keyword has not been set for each frontend. If the "log" keyword is present in a frontend, this is a finding. Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging start and stop events to the log file. If the log file is not recording HAProxy start and stop events, this is a finding.

Fix: F-43269r665399_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must be configurable to integrate with an organizations security infrastructure.
AU-4 - Medium - CCI-001851 - V-240078 - SV-240078r879731_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
VRAU-HA-000370
Vuln IDs
  • V-240078
  • V-89193
Rule IDs
  • SV-240078r879731_rule
  • SV-99843
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-43311r665401_chk

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the "globals" section. Verify that the "globals" section contains the "log" keyword, and that the "log" option contains the local0 syslog facility as its parameter. If properly configured, the "globals" section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the "defaults" section. Verify that the "defaults" section contains the "log" keyword with the global value. Verify that an option keyword has been configured with the "httplog" value. If properly configured, the "defaults" section will contain the following: defaults log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the each frontend section. Verify that the "log" keyword has not been set for each frontend. If the "log" keyword is present in a frontend, this is a finding. Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging start and stop events to the log file. If the log file is not recording HAProxy start and stop events, this is a finding.

Fix: F-43270r665402_fix

Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following: log 127.0.0.1 local0 Configure the defaults section with both of the following: log global option httplog

b
HAProxy must use the httplog option.
AU-8 - Medium - CCI-001890 - V-240079 - SV-240079r879747_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001890
Version
VRAU-HA-000380
Vuln IDs
  • V-240079
  • V-89195
Rule IDs
  • SV-240079r879747_rule
  • SV-99845
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-43312r665404_chk

At the command prompt, execute the following command: grep -E 'option\s+httplog' /etc/haproxy/haproxy.cfg If the command does not return a line, this is a finding.

Fix: F-43271r665405_fix

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the defaults section. Add "option httplog" to the "defaults" section.

b
HAProxy libraries, and configuration files must only be accessible to privileged users.
CM-5 - Medium - CCI-001813 - V-240080 - SV-240080r879753_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001813
Version
VRAU-HA-000390
Vuln IDs
  • V-240080
  • V-89197
Rule IDs
  • SV-240080r879753_rule
  • SV-99847
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.
Checks: C-43313r665407_chk

At the command prompt, execute the following command: ls -alR /etc/haproxy /etc/init.d/haproxy /usr/sbin/haproxy If any configuration or application files have permissions greater than "750" or are not owned by "root", this is a finding.

Fix: F-43272r665408_fix

Navigate to any listed files with incorrect permissions or ownership and set them in accordance with site policy.

b
HAProxy psql-local frontend must be bound to port 5433.
CM-7 - Medium - CCI-001762 - V-240081 - SV-240081r879756_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001762
Version
VRAU-HA-000395
Vuln IDs
  • V-240081
  • V-89199
Rule IDs
  • SV-240081r879756_rule
  • SV-99849
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The HAProxy load balancer in the vRA appliance listens to port 5433 on behalf of the PostgreSQL service.
Checks: C-43314r665410_chk

At the command prompt, execute the following command: grep 'bind' /etc/haproxy/conf.d/10-psql.cfg If the value for bind is not set to 5433, this is a finding.

Fix: F-43273r665411_fix

Navigate to and open /etc/haproxy/conf.d/10-psql.cfg Navigate to and configure the "frontend psql-local" section with the following value: bind 127.0.0.1:5433

b
HAProxy vcac frontend must be bound to ports 80 and 443.
CM-7 - Medium - CCI-001762 - V-240082 - SV-240082r879756_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001762
Version
VRAU-HA-000400
Vuln IDs
  • V-240082
  • V-89201
Rule IDs
  • SV-240082r879756_rule
  • SV-99851
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The HAProxy load balancer in the vRA appliance listens to ports 80 and 443 on behalf of the vcac service.
Checks: C-43315r665413_chk

At the command prompt, execute the following command: grep 'bind' /etc/haproxy/conf.d/20-vcac.cfg If two lines are not returned, this is a finding. If the values for bind are not set to "80" and to "443", this is a finding.

Fix: F-43274r665414_fix

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following two values: bind 0.0.0.0:80 bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy vro frontend must be bound to the correct port 8283.
CM-7 - Medium - CCI-001762 - V-240083 - SV-240083r879756_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001762
Version
VRAU-HA-000405
Vuln IDs
  • V-240083
  • V-89203
Rule IDs
  • SV-240083r879756_rule
  • SV-99853
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The HAProxy load balancer in the vRA appliance listens to ports 8283 on behalf of the vro configuration service.
Checks: C-43316r665416_chk

At the command prompt, execute the following command: grep 'bind' /etc/haproxy/conf.d/30-vro-config.cfg If the value for bind is not set to "8283", this is a finding.

Fix: F-43275r665417_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.
SC-13 - Medium - CCI-002450 - V-240084 - SV-240084r879944_rule
RMF Control
SC-13
Severity
M
CCI
CCI-002450
Version
VRAU-HA-000410
Vuln IDs
  • V-240084
  • V-89205
Rule IDs
  • SV-240084r879944_rule
  • SV-99855
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-43317r665419_chk

At the command prompt, execute the following command: grep -En 'ciphers' /etc/haproxy/conf.d/*.cfg If two lines are not returned, this is a finding. If the values for "ciphers" are not set to "FIPS:+3DES:!aNULL", this is a finding.

Fix: F-43276r665420_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy must be protected from being stopped by a non-privileged user.
SC-5 - Medium - CCI-002385 - V-240085 - SV-240085r879806_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
VRAU-HA-000425
Vuln IDs
  • V-240085
  • V-89207
Rule IDs
  • SV-240085r879806_rule
  • SV-99857
An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. To prohibit an attacker from stopping the HAProxy process must be owned by "root".
Checks: C-43318r665422_chk

At the command prompt, execute the following command: ps aux -U root | grep '[h]aproxy' If the command does not return a line, this is a finding.

Fix: F-43277r665423_fix

Restart the HAProxy service as "root".

b
HAProxy must be configured to use SSL/TLS.
SC-8 - Medium - CCI-002418 - V-240086 - SV-240086r928837_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
VRAU-HA-000435
Vuln IDs
  • V-240086
  • V-89209
Rule IDs
  • SV-240086r928837_rule
  • SV-99859
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.
Checks: C-43319r665425_chk

At the command line execute the following command: grep -En '\sssl\s' /etc/haproxy/conf.d/*.cfg If the command does not return the two lines below, this is a finding. /etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 /etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

Fix: F-43278r665426_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy session IDs must be sent to the client using SSL/TLS.
SC-8 - Medium - CCI-002418 - V-240087 - SV-240087r879810_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
VRAU-HA-000440
Vuln IDs
  • V-240087
  • V-90321
Rule IDs
  • SV-240087r879810_rule
  • SV-100971
The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired. In order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.
Checks: C-43320r665428_chk

At the command line execute the following command: grep -En '\sssl\s' /etc/haproxy/conf.d/*.cfg If the command does not return the two lines below, this is a finding. /etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 /etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

Fix: F-43279r665429_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

c
HAProxy must set the no-sslv3 value on all client ports.
SC-8 - High - CCI-002418 - V-240088 - SV-240088r879810_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
VRAU-HA-000460
Vuln IDs
  • V-240088
  • V-89211
Rule IDs
  • SV-240088r879810_rule
  • SV-99861
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.
Checks: C-43321r665431_chk

At the command prompt, execute the following command: grep -EnR '\bbind\b.*\bssl\b' /etc/haproxy Verify that each returned line contains the no-sslv3 value. If any lines do not have this value, this is a finding.

Fix: F-43280r665432_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy must remove all export ciphers.
SC-8 - Medium - CCI-002418 - V-240089 - SV-240089r879810_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
VRAU-HA-000465
Vuln IDs
  • V-240089
  • V-89213
Rule IDs
  • SV-240089r879810_rule
  • SV-99863
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.
Checks: C-43322r665434_chk

At the command line execute the following command: grep -En '\sssl\s' /etc/haproxy/conf.d/*.cfg If the command does not return the two lines below, this is a finding. /etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 /etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

Fix: F-43281r665435_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy must maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-240090 - SV-240090r879813_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
VRAU-HA-000475
Vuln IDs
  • V-240090
  • V-90323
Rule IDs
  • SV-240090r879813_rule
  • SV-100973
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.
Checks: C-43323r665437_chk

At the command line execute the following command: grep -En '\sssl\s' /etc/haproxy/conf.d/*.cfg If the command does not return the two lines below, this is a finding. /etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 /etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

Fix: F-43282r665438_fix

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

b
HAProxy must have the latest approved security-relevant software updates installed.
SI-2 - Medium - CCI-002605 - V-240091 - SV-240091r879827_rule
RMF Control
SI-2
Severity
M
CCI
CCI-002605
Version
VRAU-HA-000480
Vuln IDs
  • V-240091
  • V-89215
Rule IDs
  • SV-240091r879827_rule
  • SV-99865
All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being introduced into the production version. By using the most current version of Lighttpd, the Lighttpd server will always be using the most stable and known baseline.
Checks: C-43324r665440_chk

Interview the ISSO. Determine whether HAProxy has the latest approved security-relevant software updates and updates are installed within the identified time period. If the latest approved security-relevant software updates are not installed or installed within the identified time period, this is a finding.

Fix: F-43283r665441_fix

Ensure HAProxy has the latest approved security-relevant software updates and the updates are installed within the identified time period.

b
HAProxy must set the maxconn value.
CM-6 - Medium - CCI-000366 - V-240092 - SV-240092r879887_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
VRAU-HA-000490
Vuln IDs
  • V-240092
  • V-89217
Rule IDs
  • SV-240092r879887_rule
  • SV-99867
Limiting the total number of connections that a server is allowed to open prevents an attacker from overloading a web server. Overloading the server will prevent it from managing other tasks besides serving web requests. This setting works together with per-client limits to mitigate against DDoS attacks.
Checks: C-43325r665443_chk

At the command line execute the following command: grep maxconn /etc/haproxy/haproxy.cfg If the "maxconn" value is not set to "32768", this is a finding.

Fix: F-43284r665444_fix

Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the "globals" section and add the following line: maxconn 32768

c
The version of vRealize Automation 7.x HA Proxy running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-258451 - SV-258451r928881_rule
RMF Control
SI-2
Severity
H
CCI
CCI-002605
Version
VRAU-HA-009999
Vuln IDs
  • V-258451
Rule IDs
  • SV-258451r928881_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-62191r928880_chk

vRealize Automation 7.x HA Proxy is no longer supported by the vendor. If the system is running vRealize Automation 7.x HA Proxy, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.