STIGQter: STIG Summary: Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:

Citrix Linux Virtual Delivery Agent must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.

DISA Rule

SV-234260r628796_rule

Vulnerability Number

V-234260

Group Title

SRG-APP-000427

Rule Version

LVDA-VD-000970

Severity

CAT I

CCI(s)

• CCI-002470 - The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Weight

10

Fix Recommendation

A server certificate must be installed on each Linux VDA server and root certificates must be installed on each Linux VDA server and client.
Obtain server certificates in PEM format and root certificates in CRT format from a trusted CA. A server certificate contains the following sections:
- Certificate
- Unencrypted private key
- Intermediate certificates (optional)

After obtaining required certificates, customers need to install them as follows:
Upload server and CA certificates into Linux VDA server, which will be used in “Step 2: Enable SSL encryption on Linux VDA”. For example, put server.pem (name of server certificate) and myca.crt (name of CA certificate) to folder /root/myCert/myCA/certs/.

Download the CA certificate (myca.crt as an example) to client host and import it into system Certificate Store on the “Trusted Root Certification Authorities” folder. Refer to "Importing Trusted CA Certificates into the Windows Certificate Store" for the instructions. Note: Ensure the client host is able to resolve the FQDN of Linux VDA; otherwise, the connection cannot be established.

Check Contents

Verify the correct server certificate issued by authorized certificate authority is installed on Linux VDA.
Navigate to folder /root/myCert/myCA/certs/ and examine certificates.
If the certificates are not issued by the DoD or approved CA, this is a finding.

Vulnerability Number

V-234260

Documentable

False

Rule Version

LVDA-VD-000970

Severity Override Guidance

Verify the correct server certificate issued by authorized certificate authority is installed on Linux VDA.
Navigate to folder /root/myCert/myCA/certs/ and examine certificates.
If the certificates are not issued by the DoD or approved CA, this is a finding.

Check Content Reference

M

Target Key

5266

Comments