STIGQter: STIG Summary: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

HAProxy must be configured to use TLS for https connections.

DISA Rule

SV-100953r1_rule

Vulnerability Number

V-90303

Group Title

SRG-APP-000015-WSR-000014

Rule Version

VRAU-HA-000020

Severity

CAT II

CCI(s)

• CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.

Weight

10

Fix Recommendation

Navigate to and open the following files:

/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg

Configure the bind option for each frontend with the "ssl" parameter.

Check Contents

Navigate to and open the following files:

/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg

Verify that each frontend is configured with the following:

bind :<port> ssl crt <pemfile> ciphers FIPS:+3DES:!aNULL no-sslv3

Note: <port> and <pemfile> will be different for each frontend.

If "ssl" is not set for the bind option for each frontend, this is a finding.

Vulnerability Number

V-90303

Documentable

False

Rule Version

VRAU-HA-000020

Severity Override Guidance

Navigate to and open the following files:

/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg

Verify that each frontend is configured with the following:

bind :<port> ssl crt <pemfile> ciphers FIPS:+3DES:!aNULL no-sslv3

Note: <port> and <pemfile> will be different for each frontend.

If "ssl" is not set for the bind option for each frontend, this is a finding.

Check Content Reference

M

Target Key

3455

Comments