STIGQter: STIG Summary: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

HAProxy must be configured with FIPS 140-2 compliant ciphers for https connections.

DISA Rule

SV-99855r1_rule

Vulnerability Number

V-89205

Group Title

SRG-APP-000416-WSR-000118

Rule Version

VRAU-HA-000410

Severity

CAT II

CCI(s)

• CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Weight

10

Fix Recommendation

Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg

Navigate to and configure the "frontend https-in-vro-config" section with the following value:

bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg

Navigate to and configure the "frontend https-in" section with the following value:

bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3

Check Contents

At the command prompt, execute the following command:

grep -En 'ciphers' /etc/haproxy/conf.d/*.cfg

If two lines are not returned, this is a finding.

If the values for "ciphers" are not set to "FIPS:+3DES:!aNULL", this is a finding.

Vulnerability Number

V-89205

Documentable

False

Rule Version

VRAU-HA-000410

Severity Override Guidance

At the command prompt, execute the following command:

grep -En 'ciphers' /etc/haproxy/conf.d/*.cfg

If two lines are not returned, this is a finding.

If the values for "ciphers" are not set to "FIPS:+3DES:!aNULL", this is a finding.

Check Content Reference

M

Target Key

3455

Comments