STIGQter: STIG Summary: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018

HAProxy must use SSL/TLS protocols in order to secure passwords during transmission from the client.

DISA Rule

SV-99811r1_rule

Vulnerability Number

V-89161

Group Title

SRG-APP-000172-WSR-000104

Rule Version

VRAU-HA-000190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg

Navigate to and configure the "frontend https-in" section with the following two values:

bind 0.0.0.0:80
redirect scheme https if !{ ssl_fc }

Check Contents

At the command line execute the following command:

cat /etc/haproxy/conf.d/20-vcac.cfg | awk '$0 ~ /bind.*:80/ || $0 ~ /redirect.*ssl_fc/ {print}'

If the command does not return the two lines below, this is a finding.

bind 0.0.0.0:80
redirect scheme https if !{ ssl_fc }
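
A stricter, section-aware form of the check above, as an added example that is not part of the STIG text: the awk filter in the check matches text anywhere in the file, including commented-out lines, other sections and ports such as 8080, so this version counts only active directives inside "frontend https-in" and requires the bind port to be exactly 80. The function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not STIG content. Exit status 0 = compliant, 1 = finding.
# Reads the file given as $1, or stdin when no argument is passed.
check_https_redirect() {
    awk '
        $1 ~ /^#/ { next }                      # skip commented-out lines
        $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
            in_fe = ($1 == "frontend" && $2 == "https-in")   # track current section
            next
        }
        in_fe && $1 == "bind" && $2 ~ /:80$/ { has_bind = 1 }
        in_fe && $1 == "redirect" && $2 == "scheme" && $3 == "https" &&
            $4 == "if" && $5 == "!{" && $6 == "ssl_fc" && $7 == "}" { has_redir = 1 }
        END { exit !(has_bind && has_redir) }
    ' "${1:--}"
}

# Constructed sample: both directives active in the right section.
sample_good() { cat <<'EOF'
frontend https-in
    bind 0.0.0.0:80
    redirect scheme https if !{ ssl_fc }
backend example
    server s1 127.0.0.1:8080
EOF
}

# Constructed sample: directives commented out or in the wrong section.
sample_bad() { cat <<'EOF'
frontend https-in
    # bind 0.0.0.0:80
    bind 0.0.0.0:443
backend example
    # redirect scheme https if !{ ssl_fc }
EOF
}

for s in sample_good sample_bad; do
    if "$s" | check_https_redirect; then
        echo "$s: not a finding"
    else
        echo "$s: finding"
    fi
done
```

On the appliance, run it as check_https_redirect /etc/haproxy/conf.d/20-vcac.cfg and treat a non-zero exit status as a finding.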

Documentable

False

Severity Override Guidance

At the command line execute the following command:

cat /etc/haproxy/conf.d/20-vcac.cfg | awk '$0 ~ /bind.*:80/ || $0 ~ /redirect.*ssl_fc/ {print}'

If the command does not return the two lines below, this is a finding.

bind 0.0.0.0:80
redirect scheme https if !{ ssl_fc }

Check Content Reference

M

Target Key

3455

Comments