V_ID,Severity,CCI,Version,Title,Description,Service,IA Controls,ruleID,fixid,fixtext,checkid,checktext,,Response,Title,Description
V-26681,medium,CCI-000068,SRG-APP-000014,Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.,“Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, session data traversing the remote connection could be intercepted and compromised if cryptography is not used. Cryptography secures the remote connection so as to prevent unauthorized access to the data traversing it, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection.”,Core,None,SV-33881r1_rule,None,“Implement protective measures when providing remote access.
In elasticsearch.yml, set xpack.ssl.key, xpack.ssl.certificate and xpack.ssl.certificate_authorities to the server key, the server certificate and the approved CA certificate, and set xpack.security.http.ssl.enabled: true so that the HTTP (REST) listener accepts only TLS connections. See the official documentation for the complete guide to configuring SSL/TLS: www.elastic.co/guide/en/x-pack/current/ssl-tls.html”,None,“Application must utilize approved cryptography to protect remote access sessions.
As the application administrator (usually elasticsearch), check that the xpack.ssl settings point to the server key, the server certificate and the approved CA certificate:
$ grep xpack.ssl elasticsearch.yml
xpack.ssl.key: <server_key>.key
xpack.ssl.certificate: <server_certificate>.crt
xpack.ssl.certificate_authorities: [ "<approved_ca>.crt" ]
If these settings are not set, or the underlying certificate and key are not correct (the certificate does not match the private key, or does not chain to the approved CA), this is a finding. Note that any xpack.security.http.ssl.* settings present override the global xpack.ssl.* values for the HTTP listener, so check those as well.
Then confirm that TLS is enabled on the HTTP listener:
$ grep xpack.security.http.ssl.enabled elasticsearch.yml
xpack.security.http.ssl.enabled: true
If this setting is not present, or is not set to true, this is a finding.
As the elasticsearch user, check that plaintext (non-TLS) HTTP requests to the node do not receive a 200 response:
$curl
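The checks described above (TLS settings present, key and certificate consistent with the approved CA, plaintext HTTP refused) as one audit script. This is an added example; it is not part of the STIG or of Elastic's own tooling. The config path, host and port are assumptions, the YAML handling covers only the flat key: value form the check inspects, and the configurations it is exercised against are constructed samples.

```shell
#!/bin/sh
# es_tls_audit.sh - added example for the SV-33881 check (not part of the STIG).
# Verifies that elasticsearch.yml pins X-Pack TLS material and enables TLS on the
# HTTP listener, that the key/certificate/CA files agree, and that the listener
# refuses plaintext HTTP. File paths, host and port below are assumptions.
#
# usage: sh es_tls_audit.sh /etc/elasticsearch/elasticsearch.yml [host] [port]

# Print the value of a top-level "key: value" entry, minus trailing comments.
# Only the flat form used in the check is handled, not nested YAML.
yml_get() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Relative paths in elasticsearch.yml are resolved against the config directory.
resolve() { case $2 in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$(dirname "$1")" "$2" ;; esac; }

# Exit 0 when every setting the check names is present and TLS is on for HTTP;
# otherwise print each finding to stderr and exit 1.
audit_tls_config() {
    f=$1; rc=0
    for k in xpack.ssl.key xpack.ssl.certificate xpack.ssl.certificate_authorities; do
        if [ -z "$(yml_get "$f" "$k")" ]; then
            echo "FINDING: $k is not set in $f" >&2; rc=1
        fi
    done
    v=$(yml_get "$f" xpack.security.http.ssl.enabled)
    if [ "$v" != "true" ]; then
        echo "FINDING: xpack.security.http.ssl.enabled is '${v:-unset}', expected true" >&2; rc=1
    fi
    return $rc
}

# "Certificate and key are correct": the certificate's public key must match the
# private key, and the certificate must chain to the approved CA.
# An encrypted private key would prompt for its passphrase here.
check_keypair() {
    key=$1; crt=$2; ca=$3
    for p in "$key" "$crt" "$ca"; do
        [ -r "$p" ] || { echo "FINDING: $p missing or unreadable" >&2; return 1; }
    done
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FINDING: $crt does not match $key" >&2; return 1; }
    openssl verify -CAfile "$ca" "$crt" >/dev/null \
        || { echo "FINDING: $crt does not chain to $ca" >&2; return 1; }
}

# Plaintext HTTP must not answer 200. HTTPS validated against the CA should answer
# (a 401 is fine: it proves TLS is up and authentication is on). curl reports 000
# when the connection is refused or reset.
probe_listener() {
    host=$1; port=$2; ca=$3
    plain=$(curl -s -o /dev/null -w '%{http_code}' "http://$host:$port/" || true)
    tls=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://$host:$port/" || true)
    echo "plaintext http://$host:$port/ -> $plain (finding if 200)"
    echo "https://$host:$port/ with CA   -> $tls"
    [ "$plain" != "200" ]
}

if [ "$#" -ge 1 ]; then
    cfg=$1; host=${2:-localhost}; port=${3:-9200}
    audit_tls_config "$cfg" || exit 1
    key=$(resolve "$cfg" "$(yml_get "$cfg" xpack.ssl.key)")
    crt=$(resolve "$cfg" "$(yml_get "$cfg" xpack.ssl.certificate)")
    # certificate_authorities is a YAML list; take its first entry.
    ca=$(resolve "$cfg" "$(yml_get "$cfg" xpack.ssl.certificate_authorities | tr -d "[] \"'" | cut -d, -f1)")
    check_keypair "$key" "$crt" "$ca" || exit 1
    probe_listener "$host" "$port" "$ca" || exit 1
    echo "OK: TLS material configured, consistent, and enforced on $host:$port"
fi
```

Run it on the node with the real config path; a non-zero exit with one or more FINDING lines corresponds to a finding under this check. The probe deliberately does not send credentials, so the HTTPS status only demonstrates that the listener negotiates TLS against the approved CA.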