STIGQter: STIG Summary: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.

DISA Rule

SV-100951r1_rule

Vulnerability Number

V-90301

Group Title

SRG-APP-000014-WSR-000006

Rule Version

VRAU-HA-000015

Severity

CAT II

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.

Weight

10

Fix Recommendation

Navigate to and open the following files:

/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg

Configure the bind option for each frontend with the following ciphers parameter:

'ciphers FIPS:+3DES:!aNULL'.

Check Contents

Navigate to and open the following files:

/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg

Verify that each frontend is configured with the following:

bind :<port> ssl crt <pemfile> ciphers FIPS:+3DES:!aNULL no-sslv3

Note: <port> and <pemfile> will be different for each frontend.

If the ciphers listed are not as shown above, this is a finding.

Vulnerability Number

V-90301

Documentable

False

Rule Version

VRAU-HA-000015

Severity Override Guidance

Navigate to and open the following files:

/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg

Verify that each frontend is configured with the following:

bind :<port> ssl crt <pemfile> ciphers FIPS:+3DES:!aNULL no-sslv3

Note: <port> and <pemfile> will be different for each frontend.

If the ciphers listed are not as shown above, this is a finding.

Check Content Reference

M

Target Key

3455

Comments