Automation Controller NGINX web servers must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

STIG ID: APWS-AT-000900  |  SRG: SRG-APP-000439-WSR-000156 |  Severity: medium |  CCI: CCI-002418 |  Vulnerability Id: V-256964

Vulnerability Discussion

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.

NIST SP 800-52 defines the approved TLS versions for government applications.

Check

As a System Administrator, for each Automation Controller NGINX web server, a TLS Configuration Check validates the TLS version used by the server:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo grep ssl_protocols ${NGINXCONF} | grep -E 'ssl_protocols\s+TLSv1.2;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Fix

As a System Administrator for each Automation Controller Web Server, reconfigure the TLS versions or ciphers used in Automation Controller's web server:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo -e ${NGINXCONF}

Replace the line beginning with "ssl_protocols" to match (note the leading spaces):
" ssl_protocols TLSv1.2;"

If the "ssl_protocols" variable does not exist, add it after the line beginning with "ssl_ciphers".

Save the file and exit the text editor. To apply these changes to the running service immediately, restart the NGINX service with the following command:

sudo systemctl restart nginx
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.