STIGQter: STIG Summary: Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:

Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.

DISA Rule

SV-234257r628796_rule

Vulnerability Number

V-234257

Group Title

SRG-APP-000014

Rule Version

LVDA-VD-000030

Severity

CAT I

CCI(s)

CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-001184 - The information system protects the authenticity of communications sessions.
CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.

Weight

Fix Recommendation

To enable TLS encryption on the Linux VDA, a server certificate must be installed on the Citrix Broker (DDC), each Linux VDA server and root certificates must be installed on each Linux VDA server and client per DoD guidelines.
On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) TLS encryption. The tool is located in the /opt/Citrix/VDA/sbin directory. For information about options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -help command.

To enable TLS 1.2 on Linux VDA OS - # /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLMinVersion" -d 0x00000004
To enable GOV ciphersuites only:
# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLCipherSuite" -d 0x00000001
thes restart service
# sudo /sbin/service ctxhdx restart
[root@ LVDA]# sudo /sbin/service ctxhdx restart

Check Contents

On the Delivery Controller, ensure the SSL encryption has been enabled for the delivery group (HdxSslEnabled:True) and the Delivery Controller uses FQDN of Linux VDA to contact target Linux VDA (DnsResolutionEnabled:True).

Execute the following commands in a PowerShell window on the Delivery Controller:
# Asnp citrix.*
# Get-BrokerAccessPolicyRule –DesktopGroupName ‘<GROUPNAME>’ | format-list HdxSslEnabled
Where <GROUPNAME> is the target Delivery Group name.

On Linux VDA, check the following:
Check if SSL listener is up and running; run following command:
# netstat -lptn|grep ctxhdx
to see that the ctxhdx process is listening on an SSL port (443, by default).

If, on the Delivery Controller, HdxSslEnabled is not set to "true", this is a finding.
If, on the Delivery Controller, DnsResolutionEnabled is not set to "true", this is a finding.
If, on the Linux VDS, the ctxhdx process is not listening on an SSL port (443 by default, or other approved port), this is a finding.

Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments