Check: VCST-67-000018
VMware vSphere 6.7 STS Tomcat STIG:
VCST-67-000018
(in versions v1 r3 through v1 r2)
Title
The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. (Cat II impact)
Discussion
Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web server is hosting. For the Security Token Service, it is preferable that the service abort startup on any initialization failure rather than continuing in a degraded and potentially insecure state.
Check Content
Connect to the PSC, whether external or embedded. At the command line, execute the following command: # grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Expected result: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true If the output of the command does not match the expected result, this is a finding.
Fix Text
Connect to the PSC, whether external or embedded. Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties. Add or change the following line: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true
Additional Identifiers
Rule ID: SV-239669r879640_rule
Vulnerability ID: V-239669
Group Title: SRG-APP-000225-WSR-000140
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001190 |
The information system fails to an organization-defined known-state for organization-defined types of failures. |
Controls
Number | Title |
---|---|
SC-24 |
Fail In Known State |