Automation Controller NGINX web servers must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

An XCCDF Rule

Description

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.

ID: SV-256964r961632_rule
Version: APWS-AT-000900
Severity: Medium
References: CCI-002418
Updated: 15 days ago

Remediation Templates

As a System Administrator for each Automation Controller Web Server, reconfigure the TLS versions or ciphers used in Automation Controller's web server:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' `
sudo -e ${NGINXCONF}

Replace the line beginning with "ssl_protocols" to match (note the leading spaces):"        ssl_protocols TLSv1.2;"

If the "ssl_protocols" variable does not exist, add it after the line beginning with "ssl_ciphers".

Save the file and exit the text editor. To apply these changes to the running service immediately, restart the NGINX service with the following command:

sudo systemctl restart nginx

Automation Controller NGINX web servers must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

Description

Remediation Templates

A Manual Procedure