The Automation Controller web server must manage sessions.

An XCCDF Rule

Description

<VulnDiscussion>Session management on client and server is required to protect identity and authorization information. Sessions for the Automation Controller web server, if compromised, could lead to execution of jobs on remote endpoints as if authenticated. Satisfies: SRG-APP-000001-WSR-000002, SRG-APP-000001-WSR-000001, SRG-APP-000295-WSR-000012, SRG-APP-000295-WSR-000134</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256940r960735_rule
Severity: Medium
References: CCI-000054 CCI-002361
Updated: 19 days ago

Log in to Automation Controller as an administrator and navigate to Settings >> System >> Miscellaneous Authentication.

Click "Edit".

Set the following parameters:
OAuth 2 Timeout Settings < 1800 seconds. 

The maximum number of simultaneous logged session must equal 0 or the organizationally defined maximum.

Disable the built-in authentication system = ON

Enable HTTP Basic Auth = Off

Access Token Expiration = 31536000000

Authorization Code Expiration = 600

Refresh Token Expiration = 2628000

Allow External Users to Create OAuth2 Tokens = Off

Login redirect override URL = Not Configured or Blank

Social Auth Organization Map = Null

Social Auth Team Map = Null

Social Auth User Fields = Null

Click "Save".

The Automation Controller web server must manage sessions.

Description

Remediation - Manual Procedure