STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-256941

CAT II (Medium)

The Automation Controller servers must use encrypted communication for all channels given the high impact of those services to an organization's infrastructure.

Rule ID

SV-256941r1155084_rule

STIG

Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide

Version

V2R3

CCIs

None

Discussion

The Automation Controller communicates information about configuration of other information systems through its web interface and API, storing records about this information in a database. Although large portions are sanitized of sensitive information, due to the nature of this kind of information, it must always be maximally protected. Leaked details of configuration for DOD enterprise information systems could lead to compromise, so all access to and from the Automation Controller servers must be encrypted.

Check Content

1. Web Server Must Enforce TLS 1.2 or Higher

As a system administrator for each Automation Controller NGINX web server, validate the effective TLS protocol configuration.

Obtain the active nginx.conf path:
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')

Execute the following command:
sudo grep -E '^[[:space:]]*ssl_protocols[[:space:]]+.*(TLSv1\.2|TLSv1\.3)' "$NGINXCONF" >/dev/null || echo "FAILED"

Pass condition: ssl_protocols includes TLSv1.2 or TLSv1.3.
Fail condition: ssl_protocols missing, or only legacy protocols configured.

If "FAILED" is displayed, this is a finding.

2. Web Server Must Use Host OS-Provided Cipher Policy

Validate the cipher suite binding is set to the system crypto policy.

Obtain the active nginx.conf path:
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')

Execute the following command:
sudo grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+PROFILE=SYSTEM[[:space:]]*;[[:space:]]*$' "$NGINXCONF" || echo "FAILED"

Pass condition: ssl_ciphers PROFILE=SYSTEM; (exact directive, whitespace-tolerant).

If "FAILED" is displayed, this is a finding.

3. External Database Connections Must Use TLS With Certificate Verification

Automation Controller may be configured to connect to PostgreSQL databases with or without TLS. The administrator must check the contents of /etc/tower/conf.d/postgres.py with root permissions to determine whether the installer's pg_sslmode setting was "verify-full" (recorded in postgres.py as the "sslmode" key of each connection's OPTIONS) for any external database at the time of installation.

3.1 Client-Side

Execute the following command:
sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); import sys; bad=[n for n,c in DATABASES.items() if c.get("HOST") not in ("127.0.0.1","localhost","") and c.get("OPTIONS",{}).get("sslmode")!="verify-full"]; sys.exit(0 if not bad else 1)' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

3.2 Server-Side

Confirm the database server negotiates TLS.

Get DB host:port for the default connection:
PGCON=$(sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); import sys; d=DATABASES.get("default",{}); h=d.get("HOST",""); p=d.get("PORT",""); print(f"{h}:{p}" if h and p else "", end="")')

Validate SSL with psql (requires psql client):
test -n "$PGCON" && psql "postgresql://${PGCON}/postgres?sslmode=require" -qAt -c '\conninfo' 2>/dev/null | grep -qi 'SSL connection' || echo "FAILED"

If "FAILED" is displayed, this is a finding.
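The grep in check 1 passes as long as TLSv1.2 or TLSv1.3 appears somewhere on the ssl_protocols line, so a server block that still lists TLSv1 and TLSv1.1 beside TLSv1.2 is not reported, and both greps read only the main nginx.conf, never files pulled in by include directives. The following is an added example, not code from the STIG, DISA or Red Hat, that re-implements checks 1, 2 and 3.1 as Python functions with those gaps closed. Offline it runs against constructed weak and corrected server blocks (matching the directives in the Fix Text) and a constructed postgres.py; with --live on a controller node it reads the effective configuration from nginx -T (as root) and /etc/tower/conf.d/postgres.py. Using nginx -T, treating a legacy protocol listed beside TLSv1.2 as a finding, and exempting Unix-socket HOST values are assumptions of this example, not statements of the STIG; check 3.2 still needs the live psql connection shown above.

```python
#!/usr/bin/env python3
"""Stricter, offline-testable form of V-256941 checks 1, 2 and 3.1.
Added example; not part of the STIG or of Ansible Automation Platform.

Assumptions beyond the STIG text:
  * --live reads the effective config from `nginx -T` (run as root), so
    directives in include'd files are audited, not just nginx.conf.
  * Listing SSLv3/TLSv1/TLSv1.1 beside TLSv1.2 is a finding: it does
    not "enforce TLS 1.2 or higher".
  * A HOST that is empty, None or a Unix-socket path counts as local,
    on top of the STIG's 127.0.0.1/localhost exemption.
"""
import re
import subprocess
import sys

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LOCAL_HOSTS = {"", "127.0.0.1", "::1", "localhost"}

# Active ssl_protocols / ssl_ciphers directives; a commented-out line
# never matches because '#' is not whitespace.
_DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;#]*?)\s*;", re.M)
# Exact mirror of the STIG's own grep -E for check 1.
_STIG_PROTOCOL_GREP = re.compile(r"^\s*ssl_protocols\s+.*(TLSv1\.2|TLSv1\.3)", re.M)


def stig_protocol_grep_passes(config_text):
    """True when the STIG's grep would pass (TLSv1.2/1.3 named anywhere)."""
    return _STIG_PROTOCOL_GREP.search(config_text) is not None


def audit_nginx(config_text):
    """Checks 1 and 2 over a config dump; an empty list means compliant."""
    directives = _DIRECTIVE.findall(config_text)
    protocol_lists = [v.split() for d, v in directives if d == "ssl_protocols"]
    cipher_values = [v for d, v in directives if d == "ssl_ciphers"]
    findings = []
    if not protocol_lists:
        findings.append("ssl_protocols: directive missing")
    for protos in protocol_lists:  # every server block is audited
        legacy = sorted(LEGACY_PROTOCOLS & set(protos))
        if legacy:
            findings.append("ssl_protocols: legacy protocol(s) enabled: " + " ".join(legacy))
        if not MODERN_PROTOCOLS & set(protos):
            findings.append("ssl_protocols: neither TLSv1.2 nor TLSv1.3 enabled")
    if not cipher_values:
        findings.append("ssl_ciphers: directive missing")
    for value in cipher_values:
        if value != "PROFILE=SYSTEM":
            findings.append("ssl_ciphers: %r is not PROFILE=SYSTEM" % value)
    return findings


def load_databases(settings_source):
    """Evaluate a Django settings fragment (exec, as the STIG does) and
    return its DATABASES dict. Only run this on the root-owned postgres.py."""
    namespace = {}
    exec(settings_source, namespace)
    return namespace["DATABASES"]


def audit_databases(databases):
    """Check 3.1: names of non-local connections lacking sslmode=verify-full."""
    noncompliant = []
    for name, cfg in databases.items():
        host = cfg.get("HOST") or ""
        if host in LOCAL_HOSTS or host.startswith("/"):
            continue  # loopback or Unix socket: out of scope for this check
        options = cfg.get("OPTIONS") or {}
        if options.get("sslmode") != "verify-full":
            noncompliant.append(name)
    return noncompliant


# Constructed samples, not real AAP files. The weak block passes the STIG's
# grep because TLSv1.2 is present, yet still offers TLSv1 and TLSv1.1.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
FIXED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
}
"""
SAMPLE_POSTGRES_PY = """
DATABASES = {
    "default": {"ENGINE": "django.db.backends.postgresql", "NAME": "awx",
                "HOST": "db.example.mil", "PORT": "5432",
                "OPTIONS": {"sslmode": "prefer"}},
    "socket": {"ENGINE": "django.db.backends.postgresql", "NAME": "awx",
               "HOST": "/var/run/postgresql", "PORT": "5432"},
}
"""


def main(argv):
    if "--live" in argv:  # audit this host; nginx -T needs root to read certs/logs
        dump = subprocess.run(["nginx", "-T"], capture_output=True, text=True).stdout
        with open("/etc/tower/conf.d/postgres.py") as fh:
            databases = load_databases(fh.read())
        findings = audit_nginx(dump) + ["DATABASES[%r]: sslmode is not verify-full" % n
                                        for n in audit_databases(databases)]
        for finding in findings:
            print("FAILED:", finding)
        return 1 if findings else 0
    for label, cfg in (("weak", WEAK_NGINX), ("fixed", FIXED_NGINX)):
        print(label, "| STIG grep passes:", stig_protocol_grep_passes(cfg),
              "| findings:", audit_nginx(cfg))
    print("postgres.py non-compliant connections:",
          audit_databases(load_databases(SAMPLE_POSTGRES_PY)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the weak sample pass the STIG grep while still being reported, and the corrected sample come back clean; run with --live as root on a controller node to audit the real host. Note that sslmode=verify-full only works if libpq can find the CA that signed the database server's certificate (an "sslrootcert" entry in OPTIONS or the default ~/.postgresql/root.crt of the service user); the check above, like the STIG's, does not verify that file exists.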

Fix Text

Web Server TLS and Cipher Configuration

As a system administrator for each Automation Controller NGINX web server:

1. Identify the active configuration file:
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')

2. Edit the configuration:
sudo -e "$NGINXCONF"

3. Ensure the ssl_protocols line is configured as (note the leading spaces):
"        ssl_protocols TLSv1.2 TLSv1.3;"

If the directive does not exist, add it immediately after the ssl_ciphers line.

4. Ensure the ssl_ciphers line is configured as (note the leading spaces):
"        ssl_ciphers PROFILE=SYSTEM;"

5. Save the file and apply the changes:
sudo nginx -t && sudo systemctl restart nginx

Database TLS Configuration

1. Edit the Ansible Automation Platform installer inventory file and set:
pg_sslmode='verify-full'
postgres_use_ssl=true

2. Reconfigure the controller:
sudo ./setup.sh