Check: LVDA-VD-000030
Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent STIG:
LVDA-VD-000030
(in version v1 r1)
Title
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption. (Cat I impact)
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000039, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442
Check Content
On the Delivery Controller, ensure the SSL encryption has been enabled for the delivery group (HdxSslEnabled:True) and the Delivery Controller uses FQDN of Linux VDA to contact target Linux VDA (DnsResolutionEnabled:True). Execute the following commands in a PowerShell window on the Delivery Controller: # Asnp citrix.* # Get-BrokerAccessPolicyRule –DesktopGroupName ‘<GROUPNAME>’ | format-list HdxSslEnabled Where <GROUPNAME> is the target Delivery Group name. On Linux VDA, check the following: Check if SSL listener is up and running; run following command: # netstat -lptn|grep ctxhdx to see that the ctxhdx process is listening on an SSL port (443, by default). If, on the Delivery Controller, HdxSslEnabled is not set to "true", this is a finding. If, on the Delivery Controller, DnsResolutionEnabled is not set to "true", this is a finding. If, on the Linux VDS, the ctxhdx process is not listening on an SSL port (443 by default, or other approved port), this is a finding.
Fix Text
To enable TLS encryption on the Linux VDA, a server certificate must be installed on the Citrix Broker (DDC), each Linux VDA server and root certificates must be installed on each Linux VDA server and client per DoD guidelines. On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) TLS encryption. The tool is located in the /opt/Citrix/VDA/sbin directory. For information about options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -help command. To enable TLS 1.2 on Linux VDA OS - # /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLMinVersion" -d 0x00000004 To enable GOV ciphersuites only: # /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLCipherSuite" -d 0x00000001 thes restart service # sudo /sbin/service ctxhdx restart [root@ LVDA]# sudo /sbin/service ctxhdx restart
Additional Identifiers
Rule ID: SV-234257r628796_rule
Vulnerability ID: V-234257
Group Title: SRG-APP-000014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-001184 |
The information system protects the authenticity of communications sessions. |
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002420 |
The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
CCI-002422 |
The information system maintains the confidentiality and/or integrity of information during reception. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |
SC-8 |
Transmission Confidentiality And Integrity |
SC-8 (1) |
Cryptographic Or Alternate Physical Protection |
SC-8 (2) |
Pre / Post Transmission Handling |
SC-23 |
Session Authenticity |