Check: VCPF-67-000005
VMware vSphere 6.7 Perfcharts Tomcat STIG:
VCPF-67-000005
(in version v1 r1)
Title
Performance Charts must record user access in a format that enables monitoring of remote access. (Cat II impact)
Discussion
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Tomcat can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The AccessLogValve creates log files in the same format as those created by standard web servers. When AccessLogValve is properly configured, log files will contain all the forensic information necessary in the case of a security incident.

Satisfies: SRG-APP-000016-WSR-000005, SRG-APP-000095-WSR-000056, SRG-APP-000096-WSR-000057, SRG-APP-000097-WSR-000058, SRG-APP-000098-WSR-000059, SRG-APP-000098-WSR-000060, SRG-APP-000099-WSR-000061, SRG-APP-000100-WSR-000064, SRG-APP-000374-WSR-000172, SRG-APP-000375-WSR-000171
Check Content
At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' -

Expected result:

pattern="%h %{X-Forwarded-For}i %l %u %t "%r" %s %b "%{User-Agent}i"" resolveHosts="false" prefix="localhost_access_log" suffix=".txt" />

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml.

Add the following line at the very top of the <Host> node:

<Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1"/>

Inside the <Host> node, remove the existing "AccessLogValve" <Valve> node entirely and replace it with the following line:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${vim.logdir}" pattern="%h %{X-Forwarded-For}i %l %u %t "%r" %s %b "%{User-Agent}i"" resolveHosts="false" prefix="localhost_access_log" suffix=".txt"/>
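The check and fix above as an added compliance script (not part of the STIG or of VMware's tooling): it parses server.xml the way the xmllint pipeline does (namespace prefix dropped), compares the AccessLogValve attributes against the expected result, and additionally confirms that the RemoteIpValve from the fix text is placed ahead of the logger. The embedded server.xml is a constructed sample; inside a real file the quotes within the pattern attribute must be written as &quot;, since a raw quote inside a quoted XML attribute is not well-formed.

```python
import xml.etree.ElementTree as ET
# Values taken from the check's expected result and fix text.
ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
EXPECTED = {"pattern": '%h %{X-Forwarded-For}i %l %u %t "%r" %s %b "%{User-Agent}i"',
            "resolveHosts": "false", "prefix": "localhost_access_log", "suffix": ".txt"}
# Constructed sample of a compliant <Host> (not the real Perfcharts server.xml); the
# quotes inside the pattern attribute are XML-escaped as &quot; to stay well-formed.
SAMPLE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN" xmlns="http://example.invalid/constructed">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true"/>
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="${vim.logdir}"
               pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b &quot;%{User-Agent}i&quot;"
               resolveHosts="false" prefix="localhost_access_log" suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def _local(tag):
    """Drop any {namespace} prefix, the job the sed step does in the STIG command."""
    return tag.rsplit("}", 1)[-1]

def host_valves(xml_text):
    """Return the <Valve> children of every Host node, in document order."""
    return [v for host in ET.fromstring(xml_text).iter() if _local(host.tag) == "Host"
            for v in host if _local(v.tag) == "Valve"]

def check_access_logging(xml_text):
    """Return a list of findings; an empty list means the check passes."""
    valves = host_valves(xml_text)
    classes = [v.get("className") for v in valves]
    if ACCESS_LOG_VALVE not in classes:
        return ["no AccessLogValve under <Host>"]
    access = valves[classes.index(ACCESS_LOG_VALVE)]
    findings = [f"AccessLogValve {attr}={access.get(attr)!r}, expected {want!r}"
                for attr, want in EXPECTED.items() if access.get(attr) != want]
    # The fix text puts RemoteIpValve at the top of <Host>, ahead of the logger, so the
    # logged client address is the forwarded one rather than the proxy's.
    if REMOTE_IP_VALVE not in classes:
        findings.append("no RemoteIpValve under <Host>")
    elif classes.index(REMOTE_IP_VALVE) > classes.index(ACCESS_LOG_VALVE):
        findings.append("RemoteIpValve must precede AccessLogValve")
    return findings
```

Run it against the real file with `check_access_logging(open("/usr/lib/vmware-perfcharts/tc-instance/conf/server.xml").read())`; any non-empty list is a finding.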
Additional Identifiers
Rule ID: SV-239406r675021_rule
Vulnerability ID: V-239406
Group Title: SRG-APP-000016-WSR-000005
CCIs
Number | Definition
---|---
CCI-000067 | The information system monitors remote access methods.
CCI-000130 | The information system generates audit records containing information that establishes what type of event occurred.
CCI-000131 | The information system generates audit records containing information that establishes when an event occurred.
CCI-000132 | The information system generates audit records containing information that establishes where the event occurred.
CCI-000133 | The information system generates audit records containing information that establishes the source of the event.
CCI-000134 | The information system generates audit records containing information that establishes the outcome of the event.
CCI-001462 | The information system provides the capability for authorized users to capture/record and log content related to a user session.
CCI-001487 | The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
CCI-001889 | The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
CCI-001890 | The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).