Red Hat Ansible Automation Controller Application Server STIG Version Comparison

There are 1 differences between versions v1 r2 (Oct. 25, 2023) (the "left" version) and v2 r2 (July 2, 2025) (the "right" version).

Check APAS-AT-000012 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

Check Content

As a System system administrator for each Automation Controller host, check if the Operating operating System system is FIPS enabled: sysctl FIPS-enabled: sysctl crypto.fips_enabled If fips_enabled "fips_enabled" is not 1, "1", this is a finding. Verify the installed volume for Automation Controller is on a LUKS encrypted volume command: AAPROOT='/var/lib/awx' && cryptsetup status `df -T ${AAPROOT} | cut -d ' ' -f 1 | tail -n 1 ` | grep type | grep -i luks || echo "FAILED" If "FAILED" is displayed, this is a finding. Verify this LUKS encrypted volume is using FIPS-compliant cryptographic functions command: allowed_FIPS_ciphers=('aes.*\(256\|384\|512\)') ; echo "${allowed_FIPS_ciphers[*]}" | tr ' ' '\n' >tempfile && cryptsetup status `df -T ${AAPROOT} | cut -d ' ' -f 1 | tail -n 1 ` | grep -e '\(cipher\|keysize\)' | awk '{print $2}' | paste -s -d '-' | grep -f tempfile 1>/dev/null || echo "FAILED" && rm -f tempfile If "FAILED" the output is displayed, not 1, this is a finding.

Discussion

Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify Automation Controller configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Automation Controller utilizes a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using SSH or some other form of approved cryptography. Automation Controller must have the ability to enable a secure remote admin capability. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. Automation Controller requires the use of Red Hat Enterprise Linux as an operating system and its underlying FIPS validated FIPS-validated cryptographic modules to ensure it meets FIPS 140-2 criteria. Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000231-AS-000133, SRG-APP-000231-AS-000156, SRG-APP-000416-AS-000140, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167, SRG-APP-000514-AS-000136

Fix

As an administrator for each Automation Controller host, configure the Operating operating System system to be FIPS enabled FIPS-enabled with the following command: sudo fips-mode-setup --enable Reboot each system. Configure Ansible Automation Platform installation location to reside on a LUKS encrypted volume: Add a LUKS volume using default or other encrypted volume in accordance with organizationally defined policy. The '/var/lib/awx' filesystem must reside on this volume. Reinstall the Ansible Automation Platform. Note: The phrasing "Reinstall the Ansible Automation Platform." is applicable here; the installer cannot just be rerun on the same system. Reinstall the operating system on the Automation Controller server with FIPS mode enabled at install time by following the guidance located here: https://access.redhat.com/solutions/5416081 OR Enable FIPS mode without reinstalling the operating system by following the guidance located here: https://access.redhat.com/solutions/137833 If the operating system was reinstalled, reinstall Automation Controller by following the guidance located here: https://docs.ansible.com/ansible-tower/latest/html/installandreference/index.html