The Automation Controller servers must use encrypted communication for all channels given the high impact of those services to an organization's infrastructure.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256941 | SRG-APP-000014-WSR-000006 | APWS-AT-000030 | SV-256941r1155084_rule | 2025-11-20 | 2 |
| Description |
|---|
| The Automation Controller communicates information about configuration of other information systems through its web interface and API, storing records about this information in a database. Although large portions are sanitized of sensitive information, due to the nature of this kind of information, it must always be maximally protected. Leaked details of configuration for DOD enterprise information systems could lead to compromise, so all access to and from the Automation Controller servers must be encrypted. |
| ℹ️ Check |
|---|

1. Web Server Must Enforce TLS 1.2 or Higher

As a system administrator for each Automation Controller NGINX web server, validate the effective TLS protocol configuration.

Obtain the active nginx.conf path:

```sh
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
```

Execute the following command:

```sh
sudo grep -E '^[[:space:]]*ssl_protocols[[:space:]]+.*(TLSv1\.2|TLSv1\.3)' "$NGINXCONF" >/dev/null || echo "FAILED"
```

Pass condition: ssl_protocols includes TLSv1.2 or TLSv1.3.
Fail condition: ssl_protocols missing, or only legacy protocols configured.

If "FAILED" is displayed, this is a finding.

2. Web Server Must Use Host OS–Provided Cipher Policy

Validate that the cipher suite binding is set to the system crypto policy.

Obtain the active nginx.conf path:

```sh
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
```

Execute the following command:

```sh
sudo grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+PROFILE=SYSTEM[[:space:]]*;[[:space:]]*$' "$NGINXCONF" || echo "FAILED"
```

Pass condition: `ssl_ciphers PROFILE=SYSTEM;` (exact directive, whitespace-tolerant).

If "FAILED" is displayed, this is a finding.

3. External Database Connections Must Use TLS With Certificate Verification

Automation Controller may be configured to connect to PostgreSQL databases with or without TLS. The administrator must check the contents of the file /etc/tower/conf.d/postgres.py with root permissions to determine whether pg_sslmode was configured with "verify-full" for any external databases at the time of installation.

3.1 Client-Side

Execute the following command:

```sh
sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); import sys; bad=[n for n,c in DATABASES.items() if c.get("HOST") not in ("127.0.0.1","localhost","") and c.get("OPTIONS",{}).get("sslmode")!="verify-full"]; sys.exit(0 if not bad else 1)' || echo "FAILED"
```

If "FAILED" is displayed, this is a finding.

3.2 Server-Side

Confirm the database server negotiates TLS.

Get DB host:port for the default connection:

```sh
PGCON=$(sudo python3 -c 'exec(open("/etc/tower/conf.d/postgres.py").read()); import sys; d=DATABASES.get("default",{}); h=d.get("HOST",""); p=d.get("PORT",""); print(f"{h}:{p}" if h and p else "", end="")')
```

Validate SSL with psql (requires the psql client):

```sh
test -n "$PGCON" && psql "postgresql://${PGCON}/postgres?sslmode=require" -qAt -c '\conninfo' 2>/dev/null | grep -qi 'SSL connection' || echo "FAILED"
```

If "FAILED" is displayed, this is a finding.
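The two web-server checks above are single greps that pass as soon as one active directive matches. The script below is an added example, not part of the STIG text or of the Automation Controller project: it runs the same two grep patterns against two constructed nginx.conf fragments (one with legacy protocols and a hand-written cipher list, one matching the fix), and adds a stricter variant that is not on the page. The stricter variant exists because the STIG pattern accepts `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, a line that still enables TLSv1.0 and TLSv1.1. The file names, their contents and the function names are assumptions.

```sh
#!/bin/sh
# Added example: exercises the STIG nginx TLS checks against two constructed
# nginx.conf fragments (not real controller configs) and adds a stricter
# protocol check. Not part of the STIG or of the Automation Controller project.

WORKDIR=$(mktemp -d)

# Constructed sample 1: legacy protocols kept alongside TLSv1.2, plus a
# hand-written cipher list instead of the OS crypto policy.
LEGACY_CONF="$WORKDIR/legacy.conf"
cat > "$LEGACY_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF

# Constructed sample 2: the directives the STIG fix prescribes. The commented
# line must be ignored by every check.
COMPLIANT_CONF="$WORKDIR/compliant.conf"
cat > "$COMPLIANT_CONF" <<'EOF'
server {
    listen 443 ssl;
    # ssl_protocols TLSv1 TLSv1.1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
}
EOF

# STIG check 1, same pattern as the page: passes (returns 0) if any active
# ssl_protocols directive mentions TLSv1.2 or TLSv1.3.
check_ssl_protocols() {
    grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]+.*(TLSv1\.2|TLSv1\.3)' "$1"
}

# STIG check 2, same pattern as the page: the cipher directive must bind to the
# host OS crypto policy and nothing else.
check_ssl_ciphers() {
    grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+PROFILE=SYSTEM[[:space:]]*;[[:space:]]*$' "$1"
}

# Stricter variant (an addition, not STIG text): every active ssl_protocols
# directive may list only TLSv1.2 and/or TLSv1.3. A line such as
# "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" fails here although it satisfies
# check_ssl_protocols.
check_ssl_protocols_strict() {
    # No active directive at all is a failure, as in the STIG check.
    check_ssl_protocols "$1" || return 1
    # Strip the directive name and trailing ';', split the remaining tokens one
    # per line, and fail if any token is something other than TLSv1.2/TLSv1.3.
    ! grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" \
        | sed -E -e 's/^[[:space:]]*ssl_protocols[[:space:]]+//' -e 's/;.*$//' \
        | tr -s ' \t' '\n' \
        | grep -Evq '^(TLSv1\.2|TLSv1\.3)?$'
}

# Run both STIG checks on one file and print the same "FAILED" verdict the
# STIG procedure prints, naming the directive that failed. Returns 0 only when
# both checks pass.
audit_nginx_conf() {
    rc=0
    check_ssl_protocols "$1" || { echo "FAILED: ssl_protocols ($1)"; rc=1; }
    check_ssl_ciphers "$1"   || { echo "FAILED: ssl_ciphers ($1)"; rc=1; }
    return $rc
}

for conf in "$LEGACY_CONF" "$COMPLIANT_CONF"; do
    if audit_nginx_conf "$conf"; then
        echo "PASS: $conf"
    fi
done
```

On the legacy fragment the STIG protocol check passes (TLSv1.2 is present) while the cipher check and the strict protocol check fail; on the compliant fragment all three pass. When auditing a real installation, replace the constructed paths with the `$NGINXCONF` value obtained from `nginx -V` as in the Check text, and remember that the greps look at the single file they are given: directives placed in an included file are not seen.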
| ✔️ Fix |
|---|

Web Server TLS and Cipher Configuration

As a system administrator for each Automation Controller NGINX web server:

1. Identify the active configuration file:

```sh
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
```

2. Edit the configuration:

```sh
sudo -e "$NGINXCONF"
```

3. Ensure the ssl_protocols line is configured as follows (note the leading spaces):

```nginx
    ssl_protocols TLSv1.2 TLSv1.3;
```

If the directive does not exist, add it immediately after the ssl_ciphers line.

4. Ensure the ssl_ciphers line is configured as follows (note the leading spaces):

```nginx
    ssl_ciphers PROFILE=SYSTEM;
```

5. Save the file and apply the changes:

```sh
sudo nginx -t && sudo systemctl restart nginx
```

Database TLS Configuration

1. Edit the Ansible Automation Platform installer inventory file and set:

```ini
pg_sslmode='verify-full'
postgres_use_ssl=true
```

2. Reconfigure the controller:

```sh
sudo ./setup.sh
```