Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

An XCCDF Rule

Description

An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

ID: SV-256910r961596_rule
Version: APAS-AT-000110
Severity: Medium
References: CCI-002450 CCI-002470
Updated: 15 days ago

Remediation Templates

For each Automation Controller host, the administrator must:

Download the >><organizationally defined intermediate certificate file in PEM format>>>;

Generate the appropriate /etc/tower/tower.key files, certificates, and CSRs and have the organizationally defined PKI authority issue a certificate signed by the >><organizationally defined intermediate certificate file in PEM format>>>;
Place the signed certificate in /etc/tower/tower.cert.

Place the >><organizationally defined intermediate certificate file in PEM format>>> in /etc/pki/ca-trust/source/anchors.

Execute:
update-ca-trust extract && update-ca-trust;

Download the latest DOD PKI CA certificate bundle:

curl https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DOD.zip > /root/certificates_pkcs7_DOD.z && gunzip /root/certificates_pkcs7_DOD.z > /etc/pki/ca-trust/source/anchors

Install trusted root and intermediate CA certificates:

update-ca-trust extract && update-ca-trust;

Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

Description

Remediation Templates

A Manual Procedure