Check: VCRP-67-000003
VMware vSphere 6.7 RhttpProxy STIG:
VCRP-67-000003
(in versions v1 r3 through v1 r1)
Title
The rhttpproxy must be configured to operate solely with FIPS ciphers. (Cat II impact)
Discussion
The rhttpproxy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all crypto operations performed by rhttproxy, including protection of data-in-transit over the client TLS connection.
Check Content
At the command prompt, execute the following command: # xmllint --xpath '/config/vmacore/ssl/fips' /etc/vmware-rhttpproxy/config.xml Expected result: <fips>true</fips> If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /etc/vmware-rhttpproxy/config.xml. Locate the <config>/<vmacore>/<ssl> block and configure <fips> as follows: <fips>true</fips> Restart the service for changes to take effect. # vmon-cli --restart rhttpproxy
Additional Identifiers
Rule ID: SV-240718r879519_rule
Vulnerability ID: V-240718
Group Title: SRG-APP-000014-WSR-000006
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |