Check: VCEM-67-000001
VMware vSphere 6.7 EAM Tomcat STIG:
VCEM-67-000001
(in versions v1 r4 through v1 r1)
Title
ESX Agent Manager must limit the amount of time that each TCP connection is kept alive. (Cat II impact)
Discussion
Denial of service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. In Tomcat, the "connectionTimeout" attribute sets the number of milliseconds the server will wait after accepting a connection for the request URI line to be presented. This timeout will also be used when reading the request body (if any). This prevents idle sockets that are not sending HTTP requests from consuming system resources and potentially denying new connections.
Check Content
At the command prompt, execute the following command:
# xmllint --xpath '/Server/Service/Connector/@connectionTimeout' /usr/lib/vmware-eam/web/conf/server.xml
Expected result:
connectionTimeout="20000"
If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open:
/usr/lib/vmware-eam/web/conf/server.xml
Configure the <Connector> node with the value:
connectionTimeout="20000"
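The check and fix above, as an added example that is not part of the STIG: it parses a constructed server.xml with the standard library instead of xmllint, flags every Connector under /Server/Service whose connectionTimeout is not 20000 (including a missing or non-numeric attribute, which the bare xmllint expression reports as an empty XPath set), and applies the Fix Text value. File path, port numbers and function names are assumptions.

```python
"""Assumed automation of VCEM-67-000001: every <Connector> under /Server/Service
must carry connectionTimeout="20000" (milliseconds)."""
import xml.etree.ElementTree as ET

EXPECTED_MS = 20000
TOMCAT_DEFAULT_MS = 60000  # Tomcat's documented default when the attribute is absent

# Constructed sample (not the real EAM file): one compliant connector, one with a
# longer timeout, and one that omits the attribute entirely.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="15005" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="15006" protocol="HTTP/1.1" connectionTimeout="60000"/>
    <Connector port="15007" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def check_connection_timeout(server_xml: str) -> list:
    """Return one finding per non-compliant Connector; an empty list means compliant."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        return [f"root element is <{root.tag}>, expected <Server>"]
    findings = []
    connectors = root.findall("./Service/Connector")  # same nodes as the xmllint XPath
    if not connectors:
        findings.append("no /Server/Service/Connector element found")
    for conn in connectors:
        port = conn.get("port", "?")
        raw = conn.get("connectionTimeout")
        if raw is None:
            findings.append(f"port {port}: connectionTimeout missing (default {TOMCAT_DEFAULT_MS} ms applies)")
            continue
        if not raw.isdigit():
            findings.append(f"port {port}: connectionTimeout={raw!r} is not an integer")
            continue
        if int(raw) != EXPECTED_MS:
            findings.append(f"port {port}: connectionTimeout={raw}, expected {EXPECTED_MS}")
    return findings


def fix_connection_timeout(server_xml: str) -> str:
    """Return server.xml with connectionTimeout="20000" on every Connector (the Fix Text).
    ElementTree drops XML comments, so review the diff before writing the result back."""
    root = ET.fromstring(server_xml)
    for conn in root.findall("./Service/Connector"):
        conn.set("connectionTimeout", str(EXPECTED_MS))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_connection_timeout(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```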
Additional Identifiers
Rule ID: SV-239372r879511_rule
Vulnerability ID: V-239372
Group Title: SRG-APP-000001-WSR-000001
Expert Comments
CCIs
Number | Definition
---|---
CCI-000054 | The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.
Controls
Number | Title
---|---
AC-10 | Concurrent Session Control