
V-256910

CAT II (Medium)

Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

Rule ID

SV-256910r902300_rule

STIG

Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002450

Discussion

An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc.

Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

Check Content

The Administrator must check the Automation Controller configuration. 

Download the latest DOD PKI CA certificate bundle:

curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.zip && unzip -d /root /root/certificates_pkcs7_DOD.zip

Check the certificate at /etc/tower/tower.cert:

openssl verify -verbose -x509_strict -CAfile /root/certificates_pkcs7_DOD.pem -CApath nosuchdir <(cat  /etc/tower/tower.cert >><organizationally defined intermediate certificate file in PEM format>>>)

If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding.

Check the certificate at /etc/tower/tower.key:

openssl verify -CAfile /root/certificates_pkcs7_DOD.pem /etc/tower/tower.cert

If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding.

Check the trusted ca certificate:

openssl x509 -in /etc/pki/ca-trust/tls-ca-bundle.pem custom_ca_cert

If the >><organizationally defined intermediate certificate file in PEM format>>> does not exist, this is a finding.

Fix Text

For each Automation Controller host, the administrator must:

Download the >><organizationally defined intermediate certificate file in PEM format>>>;

Generate the appropriate /etc/tower/tower.key files, certificates, and CSRs and have the organizationally defined PKI authority issue a certificate signed by the >><organizationally defined intermediate certificate file in PEM format>>>;

Place the signed certificate in /etc/tower/tower.cert.

Place the >><organizationally defined intermediate certificate file in PEM format>>> in /etc/pki/ca-trust/source/anchors.

Execute:
update-ca-trust extract && update-ca-trust;

Download the latest DOD PKI CA certificate bundle:

curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.zip && unzip -d /etc/pki/ca-trust/source/anchors /root/certificates_pkcs7_DOD.zip

Install trusted root and intermediate CA certificates:

update-ca-trust extract && update-ca-trust;
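
The check's openssl verify step and the fix's bundle handling, as an added shell example that is not part of the STIG text or of Automation Controller: it converts the PKCS#7 bundle the DOD download actually contains into PEM, then verifies that the controller certificate chains to a root in that bundle through the organizationally defined intermediate (supplied with -untrusted rather than by concatenation, so it can complete the chain without being trusted as a root). The function and file names, the demo PKI and the hostname controller.example.mil are constructed for illustration; the only path taken from the STIG is /etc/tower/tower.cert.

```shell
#!/bin/sh
# Added example, not part of the STIG text: checks that the Automation Controller
# certificate chains to a root in the DOD CA bundle through the organizationally
# defined intermediate, which is what V-256910's openssl verify step is after.
set -eu

# The DOD bundle is distributed as PKCS#7 (.p7b); openssl verify wants PEM.
# $1 = PKCS#7 file (DER or PEM), $2 = PEM output usable with -CAfile.
pkcs7_to_pem() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null ||
    openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}

# $1 = DOD CA bundle (PEM), $2 = intermediate (PEM), $3 = controller cert
# (defaults to /etc/tower/tower.cert). Returns 0 for a valid chain, 1 otherwise.
# A missing intermediate is reported as the finding the STIG describes.
# -untrusted supplies the intermediate for chain building without trusting it
# as a root, so only a root present in the bundle can make the check pass.
verify_controller_cert() {
  ca_bundle=$1; intermediate=$2; cert=${3:-/etc/tower/tower.cert}
  if [ ! -s "$intermediate" ]; then
    echo "finding: intermediate certificate file '$intermediate' does not exist" >&2
    return 1
  fi
  openssl verify -x509_strict -CAfile "$ca_bundle" -untrusted "$intermediate" "$cert" >/dev/null
}

# Constructed demo PKI (root -> intermediate -> leaf) written to directory $1,
# with the root packaged as DER PKCS#7 like the DOD download. Names are made up;
# extensions are the ones -x509_strict insists on for CA and end-entity certs.
make_demo_pki() {
  d=$1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$d/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    'subjectAltName=DNS:controller.example.mil' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoRoot \
    -addext keyUsage=critical,keyCertSign,cRLSign -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=controller.example.mil \
    -keyout "$d/tower.key" -out "$d/tower.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/tower.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/tower.cert" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/root.pem" -outform DER -out "$d/dod_bundle.p7b"
}
```

On a real host, run pkcs7_to_pem over the .p7b files extracted from the DOD zip and pass the resulting PEM as the bundle; update-ca-trust likewise only picks up PEM or DER certificates placed in the anchors directory, not the .p7b containers themselves.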