All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

An XCCDF Rule

Description

<VulnDiscussion>Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and nonrepudiation of the information. The Automation Controller NGINX web server host must have a mechanism to verify that files are valid prior to installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256944r902346_rule
Severity: High
References: CCI-001749
Updated: 9 months ago

As a System Administrator, for each Automation Controller NGINX web server host, check for existing or install AIDE:

yum install -y aide

Create or update the AIDE database immediately after initial installation of each Automation Controller NGINX web server host:
aide --init && mv /var/lib/aide/aide.db.new.gz  /var/lib/aide/aide.db.gz

Accept any expected changes to the host by updating the AIDE database:

aide --update

The output will provide checksums for the AIDE database. Save in a protected location.

All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

Description

Remediation - Manual Procedure