Check: VCRP-67-000002
VMware vSphere 6.7 RhttpProxy STIG:
VCRP-67-000002
(in versions v1 r2 through v1 r1)
Title
The rhttpproxy must set a limit on established connections. (Cat II impact)
Discussion
The rhttpproxy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack in which connections are created en masse and vCenter resources are entirely consumed. The rhttpproxy comes configured with a tested and supported value that must be maintained.
Check Content
At the command prompt, execute the following command:
# xmllint --xpath '/config/vmacore/http/maxConnections' /etc/vmware-rhttpproxy/config.xml
Expected result:
<maxConnections> 2048 </maxConnections>
If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /etc/vmware-rhttpproxy/config.xml.
Locate the <config>/<vmacore>/<http> block and configure <maxConnections> as follows:
<maxConnections> 2048 </maxConnections>
Restart the service for changes to take effect:
# vmon-cli --restart rhttpproxy
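An added example, not part of the STIG or of VMware's tooling: a Python check that parses config.xml and applies the same test as the xmllint command above (the element must be present exactly once under <config>/<vmacore>/<http>, and its text, ignoring the whitespace the expected output shows, must be 2048), reporting a finding for a missing element, a different value, a duplicated element, or malformed XML. The sample documents are constructed for a stand-alone run.

```python
import xml.etree.ElementTree as ET

# Path and expected value come from the STIG check above.
CONFIG_PATH = "/etc/vmware-rhttpproxy/config.xml"
XPATH = "./vmacore/http/maxConnections"   # relative to the <config> root element
EXPECTED = "2048"


def check_max_connections(xml_text: str, expected: str = EXPECTED) -> tuple[bool, str]:
    """Return (compliant, detail) for one config.xml document.

    Mirrors the xmllint check: <maxConnections> must exist exactly once and its
    text, with surrounding whitespace stripped, must equal the expected value."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"finding: config.xml is not well-formed XML ({exc})"
    if root.tag != "config":
        return False, f"finding: root element is <{root.tag}>, expected <config>"
    nodes = root.findall(XPATH)
    if not nodes:
        return False, "finding: <maxConnections> is missing (no connection limit configured)"
    if len(nodes) > 1:
        return False, f"finding: {len(nodes)} <maxConnections> elements present, expected one"
    value = (nodes[0].text or "").strip()
    if value != expected:
        return False, f"finding: maxConnections is {value!r}, expected {expected!r}"
    return True, f"not a finding: maxConnections is {value}"


def check_file(path: str = CONFIG_PATH) -> tuple[bool, str]:
    """Run the check against the live file on a vCenter appliance."""
    with open(path, encoding="utf-8") as fh:
        return check_max_connections(fh.read())


# Constructed sample documents (not real vCenter configuration files).
COMPLIANT_XML = """<config><vmacore><http>
  <maxConnections> 2048 </maxConnections>
</http></vmacore></config>"""
WRONG_VALUE_XML = "<config><vmacore><http><maxConnections>65535</maxConnections></http></vmacore></config>"
MISSING_XML = "<config><vmacore><http><!-- maxConnections deliberately absent --></http></vmacore></config>"

if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT_XML), ("wrong value", WRONG_VALUE_XML), ("missing", MISSING_XML)]:
        ok, detail = check_max_connections(doc)
        print(f"{name:12} -> {detail}")
```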
Additional Identifiers
Rule ID: SV-240717r679664_rule
Vulnerability ID: V-240717
Group Title: SRG-APP-000001-WSR-000001
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000054 | The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. |
Controls
Number | Title |
---|---|
AC-10 | Concurrent Session Control |