Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

An XCCDF Rule

Description

<VulnDiscussion>An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256910r902300_rule
Severity: Medium
References: CCI-002450 CCI-002470
Updated: 9 months ago

For each Automation Controller host, the administrator must:

Download the >><organizationally defined intermediate certificate file in PEM format>>>;

Generate the appropriate /etc/tower/tower.key files, certificates, and CSRs and have the organizationally defined PKI authority issue a certificate signed by the >><organizationally defined intermediate certificate file in PEM format>>>;
Place the signed certificate in /etc/tower/tower.cert.

Place the >><organizationally defined intermediate certificate file in PEM format>>> in /etc/pki/ca-trust/source/anchors.

Execute:
update-ca-trust extract && update-ca-trust;

Download the latest DOD PKI CA certificate bundle:

curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.z && gunzip /root/certificates_pkcs7_DOD.z > /etc/pki/ca-trust/source/anchors

Install trusted root and intermediate CA certificates:

update-ca-trust extract && update-ca-trust;

Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

Description

Remediation - Manual Procedure