1f:["$","$L20",null,{"checks":[{"id":"7c8b537d-feb2-49ba-b41c-f57d44e5baa2","vulnId":"V-240039","severity":"medium","ruleTitle":"HAProxy must limit the amount of time that an http request can be received.","description":"Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the parameter values associated with keepalive, (i.e., a parameter used to limit the amount of time a connection may be inactive).\n\nHAProxy provides an http-request timeout parameter that set the maximum allowed time to wait for a complete HTTP request. Setting this parameter will mitigate slowloris DoS attacks. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'timeout http-request' /etc/haproxy/haproxy.cfg\n\nIf the value of ''timeout http-request\" is not set to \"5000\", is commented out, or is missing, this is a finding.","fixText":"Navigate to and open /etc/haproxy/haproxy.cfg \n\nConfigure the haproxy.cfg file with the following value in the global section: \n\n'timeout http-request 5000'"},{"id":"3d3c7e75-0125-4d0d-b32f-3467fa21530c","vulnId":"V-240040","severity":"medium","ruleTitle":"HAProxy must enable cookie-based persistence in a backend.","description":"Session management is the practice of protecting the bulk of the user authorization and identity information. As a load balancer, HAProxy must participate in session management in order to set the session management cookie. Additionally, HAProxy must also ensure that the backend server which started the session with the client is forwarded subsequent requests from the client.","checkContent":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nVerify that each backend is configured with the following:\n\ncookie JSESSIONID prefix\n\nIf \"cookie\" is not set for each backend, this is a finding.","fixText":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nConfigure each backend with the following value:\n\n'cookie JSESSIONID prefix'"},{"id":"743fca50-4e18-4dfd-9cb7-8d0fc2c6f13e","vulnId":"V-240041","severity":"medium","ruleTitle":"HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.","description":"Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. \n\nWithout the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. \n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.","checkContent":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nVerify that each frontend is configured with the following:\n\nbind : ssl crt ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNote: and will be different for each frontend.\n\nIf the ciphers listed are not as shown above, this is a finding.","fixText":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nConfigure the bind option for each frontend with the following ciphers parameter:\n\n'ciphers FIPS:+3DES:!aNULL'."},{"id":"382d8ab0-5202-4236-97a6-0413b3a03dac","vulnId":"V-240042","severity":"medium","ruleTitle":"HAProxy must be configured to use TLS for https connections.","description":"Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.\n\nIn order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.","checkContent":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nVerify that each frontend is configured with the following:\n\nbind : ssl crt ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNote: and will be different for each frontend.\n\nIf \"ssl\" is not set for the bind option for each frontend, this is a finding.","fixText":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nConfigure the bind option for each frontend with the \"ssl\" parameter."},{"id":"4f04d5d9-5e97-4526-8f77-31eb9bfecc7a","vulnId":"V-240043","severity":"medium","ruleTitle":"HAProxy must be configured to use syslog.","description":"Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. \n\nBy providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server.","checkContent":"$21","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog\n\nNavigate to and open the following files:\n\n/etc/haproxy/conf.d/30-vro-config.cfg \n/etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to each frontend section.\n\nRemove any log options from each frontend."},{"id":"15942eae-f859-447a-af3d-909da175f865","vulnId":"V-240044","severity":"medium","ruleTitle":"HAProxy must generate log records for system startup and shutdown.","description":"Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Recording the start and stop events of HAProxy will provide useful information to investigators.","checkContent":"$22","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"442e29cf-77ad-4129-af4b-430b392d94a7","vulnId":"V-240045","severity":"medium","ruleTitle":"HAProxy must log what type of events occurred.","description":"Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. \n\nWithout sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.\n\nWhen configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the type of web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.","checkContent":"$23","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"b4a4ab48-43b1-4302-a16a-76f19feecc02","vulnId":"V-240046","severity":"medium","ruleTitle":"HAProxy must log when events occurred.","description":"Ascertaining when an event occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. \n\nWithout sufficient information establishing when an event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.\n\nWhen configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the time of a web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.","checkContent":"$24","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"716f6fd7-d482-4628-8ea2-601103b8a9d3","vulnId":"V-240047","severity":"medium","ruleTitle":"HAProxy must log where events occurred.","description":"Ascertaining where an event occurred is important during forensic analysis. The correct determination of the event and where on the web server it occurred is important in relation to other events that happened at that same time. \n\nWithout sufficient information establishing where an event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.\n\nWhen configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the local resource that was the target of a web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.","checkContent":"$25","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"2a745789-1ac7-4bfb-8807-7d6ab10b93c9","vulnId":"V-240048","severity":"medium","ruleTitle":"HAProxy must log the source of events.","description":"Ascertaining the source of an event is important during forensic analysis. The correct determination of the event and what client requested the resource is important in relation to other events that happened at that same time. \n\nWithout sufficient information establishing the source of an event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.\n\nWhen configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the client IP address that requested the web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.","checkContent":"$26","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"0206bb1c-bb24-47be-ac5d-e092fb755b6b","vulnId":"V-240049","severity":"medium","ruleTitle":"HAProxy must log the outcome of events.","description":"Ascertaining the outcome of an event is important during forensic analysis. The correct determination of the event and its outcome is important in relation to other events that happened at that same time. \n\nWithout sufficient information establishing the outcome of an event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.\n\nWhen configured for httplog, HAProxy logs uses the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures the success or failure of the web server event in addition to other useful information. This will enable forensic analysis of server events in case of a malicious event.","checkContent":"$27","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"33a9b307-dba5-4d14-9a53-56b3cf0d9a4f","vulnId":"V-240050","severity":"medium","ruleTitle":"HAProxy must log the session ID from the request headers.","description":"$28","checkContent":"$29","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the globals section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"9225fc31-4633-4c50-83a3-7d5177cd8b7a","vulnId":"V-240051","severity":"medium","ruleTitle":"HAProxy must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.","description":"An accurate and current audit trail is essential for maintaining a record of system activity. If the logging system fails, the SA must be notified and must take prompt action to correct the problem. Minimally, the system must log this event and the SA will receive this notification during the daily system log review. If feasible, active alerting (such as e-mail or paging) should be employed consistent with the site's established operations management systems and procedures.","checkContent":"Interview the ISSO.\n\nDetermine if logging failure events are monitored, and warnings provided to the ISSO.\n\nIf logging failure events do not provide warnings in accordance with organization policies, this is a finding.\n\nIf alerts are not sent or the web server is not configured to use a dedicated logging tool that meets this requirement, this is a finding.","fixText":"Ensure logging failures result in warnings to the ISSO and SA at a minimum."},{"id":"3536f385-6fa3-4fa0-9913-c2e41139a706","vulnId":"V-240052","severity":"medium","ruleTitle":"HAProxy log files must not be accessible to unauthorized users.","description":"The HAProxy log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts.","checkContent":"At the command prompt, execute the following command:\n\nls -la /var/log/vmware/vcac/vcac-config.log\n\nIf the log file has permissions more permissive than \"640\", this is a finding.","fixText":"At the command prompt, execute the following command:\n\nsed -i \"/^[^#]*UMASK/ c\\UMASK 077\" /etc/login.defs"},{"id":"b8c9cd18-b3f8-4ecc-a690-6d6b739bcf17","vulnId":"V-240053","severity":"medium","ruleTitle":"HAProxy log files must be protected from unauthorized modification.","description":"Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc.","checkContent":"At the command prompt, execute the following command:\n\nls -la /var/log/vmware/vcac/vcac-config.log\n\nIf the log file has permissions more permissive than \"640\", this is a finding.","fixText":"At the command prompt, execute the following command:\n\nsed -i \"/^[^#]*UMASK/ c\\UMASK 077\" /etc/login.defs"},{"id":"cbb93026-fdd1-47d2-ba4e-626f88d0a6c1","vulnId":"V-240054","severity":"medium","ruleTitle":"HAProxy log files must be protected from unauthorized deletion.","description":"Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc.","checkContent":"At the command prompt, execute the following command:\n\nls -la /var/log/vmware/vcac/vcac-config.log\n\nIf the log file has permissions more permissive than \"640\", this is a finding.","fixText":"At the command prompt, execute the following command:\n\nsed -i \"/^[^#]*UMASK/ c\\UMASK 077\" /etc/login.defs"},{"id":"57b3e1d1-528c-4bbd-8d84-1e2ecb57c8a3","vulnId":"V-240055","severity":"medium","ruleTitle":"HAProxy log files must be backed up onto a different system or media.","description":"Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc.","checkContent":"Interview the ISSO.\n\nDetermine whether log data and records are being backed up to a different system or separate media.\n\nIf log data and records are not being backed up to a different system or separate media, this is a finding.","fixText":"Ensure log data and records are being backed up to a different system or separate media."},{"id":"e2ce73ea-2af5-43a6-9e36-8d3f96469c3e","vulnId":"V-240056","severity":"medium","ruleTitle":"HAProxy files must be verified for their integrity (checksums) before being added to the build systems.","description":"Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information.\n\nThe HAProxy web server files on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.","checkContent":"Interview the ISSO.\n\nDetermine whether web server files are verified/validated before being implemented into the production environment.\n\nIf the web server files are not verified or validated before being implemented into the production environment, this is a finding.","fixText":"Ensure web server files are verified or validated before being implemented the production environment."},{"id":"b9709622-f73d-467a-942d-a636b7cefced","vulnId":"V-240057","severity":"medium","ruleTitle":"HAProxy expansion modules must be verified for their integrity (checksums) before being added to the build systems.","description":"Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information.\n\nExpansion that are installed on the production HAProxy web server on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.","checkContent":"Interview the ISSO.\n\nDetermine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment.\n\nIf the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.","fixText":"Ensure expansion modules are fully reviewed, tested, and signed before being implemented into the production environment."},{"id":"1401ba47-767d-4e29-8e3d-471ec96ea8cf","vulnId":"V-240058","severity":"medium","ruleTitle":"HAProxy must limit access to the statistics feature.","description":"A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to be accessible on a production DoD system. \n\nHAProxy provide a statistics page, which will display web browser statistics from any web browser if HAProxy has not been configured to connect the server statistics to a UNIX socket.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'stats socket' /etc/haproxy/haproxy.cfg\n\nIf the command does not return the line below, this is a finding.\n\nstats socket /var/run/haproxy.sock mode 600 level admin","fixText":"Uninstall or deactivate features, services, and processes not needed by the web server for operation."},{"id":"191d04ac-9cac-4f68-b7b9-8ac4aea5fb9d","vulnId":"V-240059","severity":"high","ruleTitle":"HAProxy must not contain any documentation, sample code, example applications, and tutorials.","description":"Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). \n\nAny documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.","checkContent":"At the command prompt, execute the following command:\n\nls /usr/share/doc/packages/haproxy\n\nThe command should report that there is no such file or directory. \n\nIf the command shows any files or directories, this is a finding.","fixText":"Remove all listed files and directories."},{"id":"7c59a63c-14e9-4b3e-9f6f-1256d5c962e1","vulnId":"V-240060","severity":"medium","ruleTitle":"HAProxy must be run in a chroot jail.","description":"Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'chroot' /etc/haproxy/haproxy.cfg\n\nIf the value \"/var/lib/haproxy\" is not listed, this is a finding.","fixText":"Navigate to and open /etc/haproxy/haproxy.cfg\n\nNavigate to and configure the globals section with the following value:\n\n'chroot /var/lib/haproxy'"},{"id":"1c341472-05da-4bfa-a93d-9d39f93d270b","vulnId":"V-240061","severity":"medium","ruleTitle":"HAProxy frontend servers must be bound to a specific port.","description":"The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address.\n\nAccessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.","checkContent":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nVerify that each frontend is bound to at least one port. Below is an example binding:\n\nfrontend https-in-vro-config\n bind :8283\n\nIf each frontend is not bound to at least one port, this is a finding.","fixText":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nConfigure each frontend to be bound to at least one port."},{"id":"7bcb55c8-1050-4541-80b8-3c8d74ae27c3","vulnId":"V-240062","severity":"medium","ruleTitle":"HAProxy must use SSL/TLS protocols in order to secure passwords during transmission from the client.","description":"Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Even when data is passed through a load balancer, data used to authenticate users must be sent via SSL/TLS.","checkContent":"At the command line execute the following command:\n\ncat /etc/haproxy/conf.d/20-vcac.cfg | awk '$0 ~ /bind.*:80/ || $0 ~ /redirect.*ssl_fc/ {print}'\n\nIf the command does not return the two lines below, this is a finding.\n\nbind 0.0.0.0:80\nredirect scheme https if !{ ssl_fc }","fixText":"Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following two values: \n\nbind 0.0.0.0:80\nredirect scheme https if !{ ssl_fc }"},{"id":"fd7725bd-7fdc-4c10-8fce-33a0d8fa124a","vulnId":"V-240063","severity":"medium","ruleTitle":"HAProxy must perform RFC 5280-compliant certification path validation if PKI is being used.","description":"The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.","checkContent":"Interview the ISSO.\n\nReview HAProxy configuration to verify that certificates being provided by the web server are validated, RFC 5280-compliant certificates. If PKI is not being used, this is NA. \n\nIf certificates are not validated, RFC 5280-compliant certificates, this is a finding.","fixText":"Install validated RFC 5280-compliant certificates."},{"id":"bc7b605f-6e34-414e-bbd5-bb7cb739f857","vulnId":"V-240064","severity":"medium","ruleTitle":"HAProxys private key must have access restricted.","description":"HAProxy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients.\n\nOnly authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web server's private key. \n\nBy gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the encrypted traffic between a client and the web server.","checkContent":"At the command prompt, execute the following command:\n\nls -al /etc/apache2/server.pem\n\nIf the permissions on the file are not \"600\", this is a finding.","fixText":"At the command prompt, execute the following command:s:\n\nchmod 600 /etc/apache2/server.pem"},{"id":"e63bdec5-bd7a-47aa-85ff-147381bdfe22","vulnId":"V-240065","severity":"medium","ruleTitle":"HAProxy must be configured to use only FIPS 140-2 approved ciphers.","description":"Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.","checkContent":"At the command prompt, execute the following command:\n\ngrep -E 'bind.*ssl' /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg\n\nIf the return value for SSL cipher list is not set to \"FIPS: +3DES:!aNULL\", this is a finding.","fixText":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/30-vro-config.cfg \n/etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to the frontend section in each file.\n\nConfigure the bind keyword file with this cipher list: \n\n'FIPS: +3DES:!aNULL'"},{"id":"33c90546-0641-40b8-b142-e228b94158fb","vulnId":"V-240066","severity":"high","ruleTitle":"HAProxy must prohibit anonymous users from editing system files.","description":"Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.","checkContent":"At the command prompt, execute the following command:\n\nls -alR /etc/haproxy /var/lib/haproxy /usr/sbin/haproxy | grep -E '^-' | awk '{print $1}' | cut -c9 | grep w\n\nIf the command returns any value, this is a finding.","fixText":"Navigate to and remove anonymous permissions for any listed files."},{"id":"10be72da-895f-4860-8e5d-03ff69dcef0b","vulnId":"V-240067","severity":"medium","ruleTitle":"The HAProxy baseline must be documented and maintained.","description":"Without maintenance of a baseline of current HAProxy software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to HAProxy could be the result of intentional or unintentional actions.","checkContent":"Have the appliance administrator and/or ISSO provide the HAProxy software baseline procedures, implementation evidence, and a list of files and directories included in the baseline procedure for completeness.\n\nIf baseline procedures do not exist, not implemented reliably, or are not complete, this is a finding.","fixText":"Develop, document, and implement baseline procedures that include all HAProxy software files and directories.\n\nUpdate the baseline after new installations, upgrades, or maintenance activities that include changes to the software baseline."},{"id":"4404f5fe-91e4-4e8f-aac5-6d8299169c25","vulnId":"V-240068","severity":"medium","ruleTitle":"HAProxy must be configured to validate the configuration files during start and restart events.","description":"$2a","checkContent":"At the command prompt, execute the following command:\n\ngrep -E '\\s(start|restart)\\)' -A 7 /etc/init.d/haproxy\n\nIf the command \"haproxy_check\" is not shown in the \"start)\" and the \"restart)\" code blocks, this is a finding.","fixText":"Navigate to and open /etc/init.d/haproxy\n\nNavigate to the \"start)\" code block. Add the value \"haproxy_check\" before the line with the value \"/sbin/startproc\". \n\nNavigate to the \"restart)\" code block. Add the value \"haproxy_check\" before the line with the value \"$0 stop\"."},{"id":"0b45911e-6c88-465c-9f41-b33fe2bf6a47","vulnId":"V-240069","severity":"medium","ruleTitle":"HAProxy must limit the amount of time that half-open connections are kept alive.","description":"A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. \n\nAn example setting that could be used to limit the ability of the web server being used in a DoS attack is to limit the amount of time that a half-open connection is kept alive.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'timeout client-fin' /etc/haproxy/haproxy.cfg\n\nIf the return value for \"timeout client-fin\" list is not set to \"30s\", this is a finding.","fixText":"Navigate to and open /etc/haproxy/haproxy.cfg \n\nConfigure the haproxy.cfg file with the following value in the defaults section: \n\n'timeout client-fin 30s'."},{"id":"f2214f6e-f2a1-4ea1-bcfe-ceaefef0cbed","vulnId":"V-240070","severity":"medium","ruleTitle":"HAProxy must provide default error files.","description":"Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. \n\nWeb servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. \n\nThis information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'errorfile' /etc/haproxy/haproxy.cfg\n\nIf the return value for \"errorfile\" does not list error pages for the following HTTP status codes, this is a finding.\n\n400, 403, 408, 500, 502, 503, 504","fixText":"Create error pages for each of the HTTP status codes below:\n\n400, 403, 408, 500, 502, 503, 504\n\nNavigate to and open /etc/haproxy/haproxy.cfg. Navigate to the \"defaults\" section.\n\nAdd the following lines:\n\n errorfile 400 /path/to/errorPage/for/400.http\n errorfile 403 /path/to/errorPage/for/403.http\n errorfile 408 /path/to/errorPage/for/408.http\n errorfile 500 /path/to/errorPage/for/500.http\n errorfile 502 /path/to/errorPage/for/502.http\n errorfile 503 /path/to/errorPage/for/503.http\n errorfile 504 /path/to/errorPage/for/504.http"},{"id":"8901c67f-5422-4c7d-9073-e64f877b181d","vulnId":"V-240071","severity":"medium","ruleTitle":"HAProxy must not be started with the debug switch.","description":"Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.","checkContent":"At the command prompt, execute the following command:\n\nps aux | grep '[h]aproxy' | grep '\\s\\-d\\s'\n\nIf the command returns any value, this is a finding.","fixText":"Restart the HAProxy without the debug command line argument, which is \"-d\"."},{"id":"3216580b-a898-4f05-832f-d9e19713f031","vulnId":"V-240072","severity":"medium","ruleTitle":"HAProxy must set an absolute timeout on sessions.","description":"Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after an absolute period of time, the user is forced to re-authenticate guaranteeing the session is still in use. Enabling an absolute timeout for sessions closes sessions that are still active. Examples would be a runaway process accessing the web server or an attacker using a hijacked session to slowly probe the web server.\n\nHAProxy provides a 'tune.ssl.lifetime' parameter, which will set an absolute timeout on SSL sessions.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'tune.ssl.lifetime' /etc/haproxy/haproxy.cfg\n\nIf the command returns any value, this is a finding.","fixText":"Navigate to and open /etc/haproxy/haproxy.cfg\n\nNavigate to the \"globals\" section\n\nAdd the value 'tune.ssl.lifetime 20m'"},{"id":"4b7bc8a8-82fd-4e68-851f-da348eafeba7","vulnId":"V-240073","severity":"medium","ruleTitle":"HAProxy must set an inactive timeout on sessions.","description":"Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. \n\nAcceptable values are \"5\" minutes for high-value applications, \"10\" minutes for medium-value applications, and \"20\" minutes for low-value applications.\n\nHAProxy provides an appsession parameter, which will invalidate an inactive cookie after a configurable amount of time.","checkContent":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/20-vcac.cfg\n/etc/haproxy/conf.d/30-vro-config.cfg\n\nVerify that each backend that sets a cookie is configured with the following:\n\nappsession len 64 timeout 5m\n\nNote: The value for is defined in the \"cookie\" option for each backend and may be different.\n\nIf the \"appsession\" option is not present or is not configured as shown, this is a finding.","fixText":"Navigate to and open the following files:\n\n/etc/haproxy/conf.d/30-vro-config.cfg \n/etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to each backend section that sets a cookie in each file.\n\nConfigure the backend with the following:\n\nappsession len 64 timeout 5m\n\nNote: The value for is defined in the \"cookie\" option for each backend and may be different."},{"id":"94a757ca-2919-4ff7-b7a6-cbc9d28a2c29","vulnId":"V-240074","severity":"high","ruleTitle":"HAProxy must redirect all http traffic to use https.","description":"Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions.\n\nA web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. \n\nvRA can be configured to redirect unencrypted, http port 80, traffic to use the encrypted, https port 443.","checkContent":"At the command prompt, execute the following command:\n\ngrep 'redirect scheme https' /etc/haproxy/conf.d/20-vcac.cfg\n\nNote: the command should return this line:\n\n'redirect scheme https if !{ ssl_fc }'\n\nIf the command does not return the expected line, this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to the \"frontend https-in\" section. \n\nIn the \"frontend https-in\" section, add the 'redirect scheme https if !{ ssl_fc }' option before all 'acl' options."},{"id":"54a81158-ab10-40f1-a88d-1bf6b6e69c5c","vulnId":"V-240075","severity":"medium","ruleTitle":"HAProxy must restrict inbound connections from nonsecure zones.","description":"$2b","checkContent":"Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to the \"frontend https-in\" section. \n\nReview the \"frontend https-in\" section.\n\nVerify that the port 443 binding has the \"ssl\" keyword.\n\nVerify that port 80 is binded.\n\nVerify that non-ssl traffic is redirected to port 443.\n\nNote: Ports are binded with this statement: 'bind 0.0.0.0:', where is the binded port.\n\nNote: Non-ssl traffic is redirected with this statement: 'redirect scheme https if !{ ssl_fc }'\n\nNote: Ensure the redirection statement appears before all 'acl' statements.\n\nIf the port 443 binding is missing the \"ssl\" keyword, OR port 80 is NOT binded, OR non-ssl traffic is NOT being redirected to port 443, this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following three values: \n\nbind 0.0.0.0:80\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\nredirect scheme https if !{ ssl_fc }\n\nNote: Ensure the redirection statement appears before all 'acl' statements."},{"id":"8584c0d7-4681-426e-8f9a-1fc75403062e","vulnId":"V-240076","severity":"medium","ruleTitle":"HAProxy must be configured to use syslog.","description":"There are many aspects of appropriate web server logging for security. Storage capacity must be adequate. ISSO and SA must receive warnings and alerts when storage capacity is filled to 75%.\n\nWriting events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.\n\nThis requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.","checkContent":"$2c","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg.\n\nConfigure the \"globals\" section with the following: \n\nlog 127.0.0.1 local0\n\nConfigure the \"defaults\" section with both of the following:\n\nlog global\noption httplog\n\nNavigate to and open the following files:\n\n/etc/haproxy/conf.d/30-vro-config.cfg \n/etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to each frontend section.\n\nRemove any log options from each frontend."},{"id":"cbdef988-cbc1-4eff-975e-a9567607496c","vulnId":"V-240077","severity":"medium","ruleTitle":"HAProxy must not impede the ability to write specified log record content to an audit log server.","description":"Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.","checkContent":"$2d","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following:\n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"a58a81f8-d29a-47bd-bb31-cb6e38350bcc","vulnId":"V-240078","severity":"medium","ruleTitle":"HAProxy must be configurable to integrate with an organizations security infrastructure.","description":"A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.","checkContent":"$2e","fixText":"Navigate to and open /etc/rsyslog.d/vcac.conf.\n\nConfigure the local0 syslog facility to write to an appropriate log file.\n\nNavigate to and open /etc/haproxy/haproxy.cfg. Configure the globals section with the following:\n\nlog 127.0.0.1 local0\n\nConfigure the defaults section with both of the following:\n\nlog global\noption httplog"},{"id":"c81c93da-bc87-4a15-9c16-1e4a9b1dbb59","vulnId":"V-240079","severity":"medium","ruleTitle":"HAProxy must use the httplog option.","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records.\n\nTime stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","checkContent":"At the command prompt, execute the following command:\n\ngrep -E 'option\\s+httplog' /etc/haproxy/haproxy.cfg\n\nIf the command does not return a line, this is a finding.","fixText":"Navigate to and open /etc/haproxy/haproxy.cfg\n\nNavigate to the defaults section.\n\nAdd \"option httplog\" to the \"defaults\" section."},{"id":"8ddad70a-e8df-49b9-97d3-2268d0654634","vulnId":"V-240080","severity":"medium","ruleTitle":"HAProxy libraries, and configuration files must only be accessible to privileged users.","description":"A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability.\n\nTo limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.","checkContent":"At the command prompt, execute the following command:\n \nls -alR /etc/haproxy /etc/init.d/haproxy /usr/sbin/haproxy\n \nIf any configuration or application files have permissions greater than \"750\" or are not owned by \"root\", this is a finding.","fixText":"Navigate to any listed files with incorrect permissions or ownership and set them in accordance with site policy."},{"id":"b5f57cbb-d550-445a-88ff-cc3ce29b3f44","vulnId":"V-240081","severity":"medium","ruleTitle":"HAProxy psql-local frontend must be bound to port 5433.","description":"Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.\n\nThe HAProxy load balancer in the vRA appliance listens to port 5433 on behalf of the PostgreSQL service.","checkContent":"At the command prompt, execute the following command:\n \ngrep 'bind' /etc/haproxy/conf.d/10-psql.cfg\n \nIf the value for bind is not set to 5433, this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/10-psql.cfg\n\nNavigate to and configure the \"frontend psql-local\" section with the following value: \n\nbind 127.0.0.1:5433"},{"id":"1ce4dc3c-795c-41d6-9ef8-fdf496482cd2","vulnId":"V-240082","severity":"medium","ruleTitle":"HAProxy vcac frontend must be bound to ports 80 and 443.","description":"Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.\n\nThe HAProxy load balancer in the vRA appliance listens to ports 80 and 443 on behalf of the vcac service.","checkContent":"At the command prompt, execute the following command:\n \ngrep 'bind' /etc/haproxy/conf.d/20-vcac.cfg\n \nIf two lines are not returned, this is a finding. \n\nIf the values for bind are not set to \"80\" and to \"443\", this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following two values: \n\nbind 0.0.0.0:80\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"94bdecee-9840-48c8-9050-67107de70cc4","vulnId":"V-240083","severity":"medium","ruleTitle":"HAProxy vro frontend must be bound to the correct port 8283.","description":"Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.\n\nThe HAProxy load balancer in the vRA appliance listens to ports 8283 on behalf of the vro configuration service.","checkContent":"At the command prompt, execute the following command:\n \ngrep 'bind' /etc/haproxy/conf.d/30-vro-config.cfg\n \nIf the value for bind is not set to \"8283\", this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"b4631c09-aad6-4a9f-be54-14699b23ebed","vulnId":"V-240084","severity":"medium","ruleTitle":"HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.","description":"Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. \n\nWithout the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. \n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.","checkContent":"At the command prompt, execute the following command:\n \ngrep -En 'ciphers' /etc/haproxy/conf.d/*.cfg\n \nIf two lines are not returned, this is a finding. \n\nIf the values for \"ciphers\" are not set to \"FIPS:+3DES:!aNULL\", this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNavigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following value: \n\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"2280614d-e69f-470f-a642-682b1c6e5821","vulnId":"V-240085","severity":"medium","ruleTitle":"HAProxy must be protected from being stopped by a non-privileged user.","description":"An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. \n\nTo prohibit an attacker from stopping the HAProxy process must be owned by \"root\".","checkContent":"At the command prompt, execute the following command:\n\nps aux -U root | grep '[h]aproxy'\n\nIf the command does not return a line, this is a finding.","fixText":"Restart the HAProxy service as \"root\"."},{"id":"957703e9-032e-49c9-b0cc-ddeeb631365f","vulnId":"V-240086","severity":"medium","ruleTitle":"HAProxy must be configured to use SSL/TLS.","description":"Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.\n\nIn order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.","checkContent":"At the command line execute the following command:\n\ngrep -En '\\sssl\\s' /etc/haproxy/conf.d/*.cfg\n\nIf the command does not return the two lines below, this is a finding.\n\n/etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n/etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNavigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following value: \n\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"1bb67fee-4d51-4d8f-a822-cf9601f6d85c","vulnId":"V-240087","severity":"medium","ruleTitle":"HAProxy session IDs must be sent to the client using SSL/TLS.","description":"The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired.\n\nIn order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.","checkContent":"At the command line execute the following command:\n\ngrep -En '\\sssl\\s' /etc/haproxy/conf.d/*.cfg\n\nIf the command does not return the two lines below, this is a finding.\n\n/etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n/etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNavigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following value: \n\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"a368f5da-b7a1-4026-a2d0-9752f2552450","vulnId":"V-240088","severity":"high","ruleTitle":"HAProxy must set the no-sslv3 value on all client ports.","description":"Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.","checkContent":"At the command prompt, execute the following command:\n\ngrep -EnR '\\bbind\\b.*\\bssl\\b' /etc/haproxy\n\nVerify that each returned line contains the no-sslv3 value.\n\nIf any lines do not have this value, this is a finding.","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNavigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following value: \n\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"367a35d4-f2e3-42d5-a3ef-a65e61866ba7","vulnId":"V-240089","severity":"medium","ruleTitle":"HAProxy must remove all export ciphers.","description":"During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.","checkContent":"At the command line execute the following command:\n\ngrep -En '\\sssl\\s' /etc/haproxy/conf.d/*.cfg\n\nIf the command does not return the two lines below, this is a finding.\n\n/etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n/etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNavigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following value: \n\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"673c5973-4b41-4e99-9c1a-d74ca8705b58","vulnId":"V-240090","severity":"medium","ruleTitle":"HAProxy must maintain the confidentiality and integrity of information during reception.","description":"Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.\n\nIn order to protect the integrity and confidentiality of the remote sessions, HAProxy uses SSL/TLS.","checkContent":"At the command line execute the following command:\n\ngrep -En '\\sssl\\s' /etc/haproxy/conf.d/*.cfg\n\nIf the command does not return the two lines below, this is a finding.\n\n/etc/haproxy/conf.d/20-vcac.cfg:4: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n/etc/haproxy/conf.d/30-vro-config.cfg:2: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3","fixText":"Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg\n\nNavigate to and configure the \"frontend https-in-vro-config\" section with the following value: \n\nbind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3\n\nNavigate to and open /etc/haproxy/conf.d/20-vcac.cfg\n\nNavigate to and configure the \"frontend https-in\" section with the following value: \n\nbind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3"},{"id":"3587480e-7756-4c33-b906-e0c8127cf43f","vulnId":"V-240091","severity":"medium","ruleTitle":"HAProxy must have the latest approved security-relevant software updates installed.","description":"All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being introduced into the production version.\n\nBy using the most current version of Lighttpd, the Lighttpd server will always be using the most stable and known baseline.","checkContent":"Interview the ISSO.\n\nDetermine whether HAProxy has the latest approved security-relevant software updates and updates are installed within the identified time period. \n\nIf the latest approved security-relevant software updates are not installed or installed within the identified time period, this is a finding.","fixText":"Ensure HAProxy has the latest approved security-relevant software updates and the updates are installed within the identified time period."},{"id":"c1da96a5-803a-41f0-be98-b4097aaca485","vulnId":"V-240092","severity":"medium","ruleTitle":"HAProxy must set the maxconn value.","description":"Limiting the total number of connections that a server is allowed to open prevents an attacker from overloading a web server. Overloading the server will prevent it from managing other tasks besides serving web requests.\n\nThis setting works together with per-client limits to mitigate against DDoS attacks.","checkContent":"At the command line execute the following command:\n \ngrep maxconn /etc/haproxy/haproxy.cfg\n \nIf the \"maxconn\" value is not set to \"32768\", this is a finding.","fixText":"Navigate to and open /etc/haproxy/haproxy.cfg\n\nNavigate to the \"globals\" section and add the following line:\n\nmaxconn 32768"},{"id":"b1b34ded-dcc7-44c8-acd5-45b7bf223856","vulnId":"V-258451","severity":"high","ruleTitle":"The version of vRealize Automation 7.x HA Proxy running on the system must be a supported version.","description":"$2f","checkContent":"vRealize Automation 7.x HA Proxy is no longer supported by the vendor. If the system is running vRealize Automation 7.x HA Proxy, this is a finding.","fixText":"Upgrade to a supported version."}]}]

VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide

Checks (55)