Check: VCRP-67-000001
VMware vSphere 6.7 RhttpProxy STIG:
VCRP-67-000001
(in versions v1 r1 through v1 r3)
Title
The rhttpproxy must drop connections to disconnected clients. (Cat II impact)
Discussion
The rhttpproxy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client.
Check Content
At the command prompt, execute the following command:

# xmllint --xpath '/config/vmacore/tcpKeepAlive/clientSocket/idleTimeSec' /etc/vmware-rhttpproxy/config.xml

Expected result:

<idleTimeSec>900</idleTimeSec>

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /etc/vmware-rhttpproxy/config.xml.

Locate the <config>/<vmacore>/<tcpKeepAlive>/<clientSocket> block and configure <idleTimeSec> as follows:

<idleTimeSec>900</idleTimeSec>

Restart the service for changes to take effect:

# vmon-cli --restart rhttpproxy
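The check and fix above are a two-step procedure: read one element out of config.xml and compare it to an exact string, then set it and restart rhttpproxy. The following script is an added example, not part of the STIG or of VMware's tooling; it performs the same check with the Python standard library (useful where xmllint is unavailable or when auditing many exported config.xml files) and can apply the fix. The SAMPLE_CONFIG below is constructed for this example and contains only the element path the check inspects; the real file has many more elements. The restart is left to the operator, since that step is the documented vmon-cli command and not something this script runs.

```python
"""Audit and remediate VCRP-67-000001 (rhttpproxy idleTimeSec) with stdlib only.

Added example, not STIG or VMware code. SAMPLE_CONFIG is a constructed,
non-compliant config fragment used so the script runs offline.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

CONFIG_PATH = Path("/etc/vmware-rhttpproxy/config.xml")  # path named in the STIG
EXPECTED_IDLE_TIMEOUT = "900"
# Same path as the STIG's XPath /config/vmacore/tcpKeepAlive/clientSocket/idleTimeSec,
# expressed relative to the <config> root element.
IDLE_TIMEOUT_PATH = "vmacore/tcpKeepAlive/clientSocket/idleTimeSec"

# Constructed sample (assumption: the STIG does not publish a full config.xml).
SAMPLE_CONFIG = """<config>
  <vmacore>
    <tcpKeepAlive>
      <clientSocket>
        <idleTimeSec>3600</idleTimeSec>
      </clientSocket>
    </tcpKeepAlive>
  </vmacore>
</config>
"""


def current_idle_timeout(xml_text):
    """Return the raw idleTimeSec text, or None if the root or element is missing.

    The text is deliberately not normalised: the STIG expects the output to
    match <idleTimeSec>900</idleTimeSec> exactly, so ' 900 ' is still a finding.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        return None
    node = root.find(IDLE_TIMEOUT_PATH)
    return node.text if node is not None else None


def is_finding(xml_text):
    """True when the check fails: value absent or not exactly '900'."""
    return current_idle_timeout(xml_text) != EXPECTED_IDLE_TIMEOUT


def remediate(xml_text):
    """Return the config with idleTimeSec set to 900.

    Creates any missing element along <vmacore>/<tcpKeepAlive>/<clientSocket>
    so the fix also works when the block is absent, and leaves everything
    else in the document untouched.
    """
    root = ET.fromstring(xml_text)
    parent = root
    for tag in IDLE_TIMEOUT_PATH.split("/"):
        child = parent.find(tag)
        if child is None:
            child = ET.SubElement(parent, tag)
        parent = child
    parent.text = EXPECTED_IDLE_TIMEOUT
    return ET.tostring(root, encoding="unicode")


def audit_file(path, fix=False):
    """Audit (and optionally fix) one config file; True when compliant afterwards."""
    text = path.read_text()
    if not is_finding(text):
        return True
    if not fix:
        return False
    path.write_text(remediate(text))
    # The new value is only read at service start; the operator must still run:
    #   vmon-cli --restart rhttpproxy
    return not is_finding(path.read_text())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
        compliant = audit_file(target, fix="--fix" in sys.argv[2:])
        print(f"{target}: {'pass' if compliant else 'finding'}")
    else:
        # Offline demonstration against the constructed sample.
        print("sample idleTimeSec:", current_idle_timeout(SAMPLE_CONFIG))
        print("sample is a finding:", is_finding(SAMPLE_CONFIG))
        print("after remediation is a finding:", is_finding(remediate(SAMPLE_CONFIG)))
```

Run with no arguments to see the check and fix applied to the constructed sample; run as `python3 audit_rhttpproxy.py /etc/vmware-rhttpproxy/config.xml --fix` on the appliance to remediate in place, then restart the service with the vmon-cli command from Fix Text.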
Additional Identifiers
Rule ID: SV-240716r879511_rule
Vulnerability ID: V-240716
Group Title: SRG-APP-000001-WSR-000001
CCIs
Number | Definition |
---|---|
CCI-000054 | The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. |
Controls
Number | Title |
---|---|
AC-10 | Concurrent Session Control |