Red Hat Ansible Automation Controller Web Server STIG Version Comparison
Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide
Comparison
There are 5 differences between versions v2 r1 (July 24, 2024) (the "left" version) and v2 r3 (Jan. 5, 2026) (the "right" version).
Check APWS-AT-000030 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
The Automation Controller servers must use encrypted communication for all channels given the high impact of those services to an organization's infrastructure.
Check Content
v2 r1 (left):

As a System Administrator for each Automation Controller NGINX web server, a Configuration Check validates the TLS version used by the server:

    NGINXCONF="nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}'"
    sudo grep ssl_protocols ${NGINXCONF} | grep 'ssl_protocols TLSv1.2;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

TLS Configuration Check validates the ciphers used for the web server are provided by the underlying host operating system:

    NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}'`
    sudo grep ssl_ciphers ${NGINXCONF} | grep -q '^ *ssl_ciphers PROFILE=SYSTEM;' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Configuration Check validates connections to required resources use TLS connections. Automation Controller may be configured to connect to PostgreSQL databases with or without TLS. The Administrator must check the contents of the file at /etc/tower/conf.d/postgres.py with root permissions to determine if pg_sslmode was configured with "verify-full" for any external databases at the time of installation. Execute the following command:

    sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); [print(DATABASES[db]["OPTIONS"]["sslmode"]) for db in DATABASES if DATABASES[db]["HOST"] not in ("127.0.0.1", "localhost")]' | grep 'verify-full' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Execute the following commands to test the server-side database configuration:

    PGCON=`sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read());print(":".join((DATABASES["default"]["HOST"],DATABASES["default"]["PORT"])))'`
    psql "postgresql://${PGCON}/postgres?sslmode=require" -qAt -c '\conninfo' 2>/dev/null | grep -qi 'SSL connection' || echo FAILED

If "FAILED" is displayed, this is a finding.

v2 r3 (right):

1. Web Server Must Enforce TLS 1.2 or Higher

As a system administrator for each Automation Controller NGINX web server, validate the effective TLS protocol configuration. Obtain the active nginx.conf path:

    NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')

Execute the following command:

    sudo grep -E '^[[:space:]]*ssl_protocols[[:space:]]+.*(TLSv1\.2|TLSv1\.3)' "$NGINXCONF" >/dev/null || echo "FAILED"

Pass condition: ssl_protocols includes TLSv1.2 or TLSv1.3.
Fail condition: ssl_protocols missing, or only legacy protocols configured.

If "FAILED" is displayed, this is a finding.

2. Web Server Must Use Host OS–Provided Cipher Policy

Validate the cipher suite binding is set to the system crypto policy. Obtain the active nginx.conf path:

    NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')

Execute the following command:

    sudo grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+PROFILE=SYSTEM[[:space:]]*;[[:space:]]*$' "$NGINXCONF" || echo "FAILED"

Pass condition: ssl_ciphers PROFILE=SYSTEM; (exact directive, whitespace-tolerant).

If "FAILED" is displayed, this is a finding.

3. External Database Connections Must Use TLS With Certificate Verification

Automation Controller may be configured to connect to PostgreSQL databases with or without TLS. The Administrator must check the contents of the file at /etc/tower/conf.d/postgres.py with root permissions to determine if pg_sslmode was configured with "verify-full" for any external databases at the time of installation.

3.1 Client-Side

Execute the following command to test the client-side database configuration:

    sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); import sys; bad=[n for n,c in DATABASES.items() if c.get("HOST") not in ("127.0.0.1","localhost","") and c.get("OPTIONS",{}).get("sslmode")!="verify-full"]; sys.exit(0 if not bad else 1)' || echo "FAILED"

If "FAILED" is displayed, this is a finding.

3.2 Server-Side

Confirm the server negotiates TLS. Get DB host:port for the default connection:

    PGCON=$(sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); import sys; d=DATABASES.get("default",{}); h=d.get("HOST",""); p=d.get("PORT",""); print(f"{h}:{p}" if h and p else "", end="")')

Validate SSL with psql (requires psql client):

    test -n "$PGCON" && psql "postgresql://${PGCON}/postgres?sslmode=require" -qAt -c '\conninfo' 2>/dev/null | grep -qi 'SSL connection' || echo FAILED

If "FAILED" is displayed, this is a finding.
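The two NGINX directive checks and the 3.1 client-side database check of the v2 r3 version, reimplemented as an added Python example (not the STIG's own command text) over constructed nginx.conf fragments and a constructed DATABASES dict in the shape of /etc/tower/conf.d/postgres.py:

```python
import re

# Added example: v2 r3 checks 1, 2 and 3.1 as pure functions over config text.
# Character classes use [ \t] where the STIG grep commands use [[:space:]].
SSL_PROTOCOLS_RE = re.compile(r"^[ \t]*ssl_protocols[ \t]+.*(TLSv1\.2|TLSv1\.3)", re.M)
SSL_CIPHERS_RE = re.compile(r"^[ \t]*ssl_ciphers[ \t]+PROFILE=SYSTEM[ \t]*;[ \t]*$", re.M)
LOCAL_HOSTS = ("127.0.0.1", "localhost", "")  # exempt exactly as check 3.1 does


def check_nginx(conf_text):
    """Return a list of findings for the ssl_protocols / ssl_ciphers directives."""
    findings = []
    if not SSL_PROTOCOLS_RE.search(conf_text):
        findings.append("ssl_protocols missing or only legacy protocols configured")
    if not SSL_CIPHERS_RE.search(conf_text):
        findings.append("ssl_ciphers is not exactly PROFILE=SYSTEM")
    return findings


def check_databases(databases):
    """Return names of external databases whose sslmode is not verify-full.
    Loopback or empty HOST entries (local PostgreSQL or a UNIX socket) are skipped."""
    return [name for name, cfg in databases.items()
            if cfg.get("HOST") not in LOCAL_HOSTS
            and cfg.get("OPTIONS", {}).get("sslmode") != "verify-full"]


# Constructed nginx.conf fragments, not taken from a real deployment.
GOOD_NGINX = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
}
"""
BAD_NGINX = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.1;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
# Constructed DATABASES dict in the shape of /etc/tower/conf.d/postgres.py.
SAMPLE_DATABASES = {
    "default": {"HOST": "db.example.internal", "PORT": "5432",
                "OPTIONS": {"sslmode": "prefer"}},
    "local": {"HOST": "127.0.0.1", "PORT": "5432", "OPTIONS": {}},
}

if __name__ == "__main__":
    print("good:", check_nginx(GOOD_NGINX), "bad:", check_nginx(BAD_NGINX))
    print("external databases not using verify-full:", check_databases(SAMPLE_DATABASES))
```

Like the STIG command, the protocol check only requires TLSv1.2 or TLSv1.3 to be present, so a directive that also lists TLSv1.1 still passes; review the full directive by hand.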
Discussion
The Automation Controller communicates information about the configuration of other information systems through its web interface and API, storing records about this information in a database. Although large portions of it are sanitized of sensitive information, the nature of this information means it must always be maximally protected. Leaked configuration details for DOD enterprise information systems could lead to compromise, so all access to and from the Automation Controller servers must be encrypted.
Fix
v2 r1 (left):

As a System Administrator for each Automation Controller Web Server, reconfigure TLS versions or ciphers used in Automation Controller's web server:

    NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}'`
    sudo -e ${NGINXCONF}

Replace the line beginning with "ssl_protocols" to match (note the leading spaces):

    " ssl_protocols TLSv1.2;"

If the "ssl_protocols" variable does not exist, add the line immediately after the line beginning with "ssl_ciphers". Replace the line beginning with "ssl_ciphers" to match (note the leading spaces):

    " ssl_ciphers PROFILE=SYSTEM;"

Save the file and exit text editor. To apply these changes to the running service immediately, restart the NGINX service with the following command:

    sudo systemctl restart nginx

Database TLS Configuration Fix: Locate the inventory file used to install Ansible Automation Platform and edit it, ensuring that the following variables are set:

    pg_sslmode='verify-full'
    postgres_use_ssl=true

Run the setup.sh command in the installer bundle directory to reconfigure the controller to use the new setting:

    sudo ./setup.sh

v2 r3 (right):

Web Server TLS and Cipher Configuration

As a system administrator for each Automation Controller NGINX web server:

1. Identify the active configuration file:

    NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')

2. Edit the configuration:

    sudo -e "$NGINXCONF"

3. Ensure the ssl_protocols line is configured as (note the leading spaces):

    " ssl_protocols TLSv1.2 TLSv1.3;"

If the directive does not exist, add it immediately after the ssl_ciphers line.

4. Ensure the ssl_ciphers line is configured as (note the leading spaces):

    " ssl_ciphers PROFILE=SYSTEM;"

5. Save the file and apply the changes:

    sudo nginx -t && sudo systemctl restart nginx

Database TLS Configuration

1. Edit the Ansible Automation Platform installer inventory file and set:

    pg_sslmode='verify-full'
    postgres_use_ssl=true

2. Reconfigure the controller:

    sudo ./setup.sh
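Steps 3 and 4 of the v2 r3 web server fix, including the case where ssl_protocols is absent and must be added immediately after the ssl_ciphers line, as an added Python example that rewrites nginx.conf text (not the STIG's own procedure; the sample fragment is constructed):

```python
import re

# Added example (not the STIG's own procedure): apply fix steps 3 and 4 to
# nginx.conf text, inserting ssl_protocols after ssl_ciphers when it is absent.
PROTOCOLS_LINE = "    ssl_protocols TLSv1.2 TLSv1.3;"
CIPHERS_LINE = "    ssl_ciphers PROFILE=SYSTEM;"


def remediate_nginx(conf_text):
    """Return conf_text with both directives set as the v2 r3 fix requires.

    Raises ValueError when there is no ssl_ciphers line at all, because the
    fix gives no anchor for where a new directive should go in that case."""
    out, proto_idx, cipher_idx = [], None, None
    for line in conf_text.splitlines():
        if re.match(r"^\s*ssl_protocols\b", line):
            proto_idx = len(out)
            out.append(PROTOCOLS_LINE)
        elif re.match(r"^\s*ssl_ciphers\b", line):
            cipher_idx = len(out)
            out.append(CIPHERS_LINE)
        else:
            out.append(line)
    if cipher_idx is None:
        raise ValueError("no ssl_ciphers directive found; add it to the TLS server block")
    if proto_idx is None:
        # Step 3: directive missing, add it immediately after the ssl_ciphers line.
        out.insert(cipher_idx + 1, PROTOCOLS_LINE)
    return "\n".join(out) + "\n"


# Constructed 'before' fragment: hand-picked cipher list and no ssl_protocols line.
BEFORE = """server {
    listen 443 ssl;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
# Expected result after remediation.
AFTER = """server {
    listen 443 ssl;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    print(remediate_nginx(BEFORE), end="")
```

Validate the rewritten file with sudo nginx -t before restarting, as step 5 does.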