STIGQter: STIG Summary: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

HAProxy must perform RFC 5280-compliant certification path validation if PKI is being used.

DISA Rule

SV-99813r1_rule

Vulnerability Number

V-89163

Group Title

SRG-APP-000175-WSR-000095

Rule Version

VRAU-HA-000195

Severity

CAT II

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Install validated RFC 5280-compliant certificates.

Check Contents

Interview the ISSO.

Review HAProxy configuration to verify that certificates being provided by the web server are validated, RFC 5280-compliant certificates. If PKI is not being used, this is NA.

If certificates are not validated, RFC 5280-compliant certificates, this is a finding.

Vulnerability Number

V-89163

Documentable

False

Rule Version

VRAU-HA-000195

Severity Override Guidance

Interview the ISSO.

Review HAProxy configuration to verify that certificates being provided by the web server are validated, RFC 5280-compliant certificates. If PKI is not being used, this is NA.

If certificates are not validated, RFC 5280-compliant certificates, this is a finding.

Check Content Reference

M

Target Key

3455

Comments