Check: VCST-67-000009
VMware vSphere 6.7 STS Tomcat STIG:
VCST-67-000009
(in versions V1R2 through V1R3)
Title
The Security Token Service must only run one web app. (Cat II impact)
Discussion
VMware ships the Security Token Service on the VCSA with a single web app, packaged as ROOT.war in the STS webapps directory. Any other .war file in that directory is potentially malicious and must be removed.
Check Content
Connect to the PSC, whether external or embedded. At the command prompt, execute the following command:

# ls /usr/lib/vmware-sso/vmware-sts/webapps/*.war

Expected result:

/usr/lib/vmware-sso/vmware-sts/webapps/ROOT.war

If the result of this command does not match the expected result, this is a finding.
Fix Text
Connect to the PSC, whether external or embedded. For each unexpected file returned in the check, run the following command:

# rm /usr/lib/vmware-sso/vmware-sts/webapps/<NAME>.war

Restart the service with the following command:

# service-control --restart vmware-stsd
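An added example, not part of the STIG text or of VMware's tooling: a POSIX shell script that implements the check and the fix above as functions, so they can be run against any Tomcat webapps directory (the directory path, the expected archive name ROOT.war and the quarantine path are parameters; the sample directory layout in the usage comments is constructed). It goes beyond the STIG's *.war glob in two ways. First, it also flags exploded application directories, which Tomcat deploys from its appBase just as it deploys WAR files (ROOT/, the unpacked form of ROOT.war, is treated as expected), and it reports ROOT.war missing altogether as a finding. Second, it moves unexpected archives into a quarantine directory instead of deleting them, so a potentially malicious artifact is preserved for analysis; the STIG's sanctioned fix remains rm followed by the service-control restart.

```shell
#!/bin/sh
# Added example for VCST-67-000009; not VMware's or the STIG's own code.
# Assumptions: POSIX sh; the webapps path, the expected WAR name and the
# quarantine path are parameters so the functions can run against a
# test fixture as well as the live PSC.

# sts_check_webapps DIR [EXPECTED]
# Lists every artifact in DIR other than EXPECTED (default ROOT.war) and
# its exploded directory (ROOT/). Goes beyond the STIG's *.war glob by
# also reporting exploded application directories, which Tomcat deploys
# from appBase just like WAR files. Returns 0 when DIR is clean, 1 on a
# finding (an extra artifact, or EXPECTED missing altogether).
sts_check_webapps() {
    dir=$1
    expected=${2:-ROOT.war}
    expected_dir=${expected%.war}
    rc=0
    found_expected=0
    for entry in "$dir"/*; do
        # An empty or missing directory leaves the glob unexpanded.
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case "$name" in
            "$expected")     found_expected=1 ;;
            "$expected_dir") ;;   # ROOT/ is the unpacked form of ROOT.war
            *.war)
                printf 'FINDING: unexpected web app archive %s\n' "$entry"
                rc=1 ;;
            *)
                if [ -d "$entry" ]; then
                    printf 'FINDING: unexpected exploded web app %s\n' "$entry"
                    rc=1
                fi ;;
        esac
    done
    if [ "$found_expected" -eq 0 ]; then
        printf 'FINDING: %s not present in %s\n' "$expected" "$dir"
        rc=1
    fi
    return "$rc"
}

# sts_quarantine_wars DIR QUARANTINE [EXPECTED]
# Moves every .war in DIR other than EXPECTED into QUARANTINE (created if
# needed) and prints how many were moved. The STIG's fix text deletes
# them with rm; moving them is this example's choice, so that a
# potentially malicious archive is kept for analysis. Restart the
# service afterwards:  service-control --restart vmware-stsd
sts_quarantine_wars() {
    dir=$1
    quarantine=$2
    expected=${3:-ROOT.war}
    moved=0
    mkdir -p "$quarantine"
    for war in "$dir"/*.war; do
        [ -e "$war" ] || continue
        if [ "${war##*/}" != "$expected" ]; then
            mv "$war" "$quarantine/"
            moved=$((moved + 1))
        fi
    done
    printf '%s\n' "$moved"
}

# On the PSC (path from the STIG check):
#   STS_WEBAPPS=/usr/lib/vmware-sso/vmware-sts/webapps sh sts-webapps-check.sh
if [ -n "${STS_WEBAPPS:-}" ]; then
    sts_check_webapps "$STS_WEBAPPS"
fi
```

Run the check first; only after reviewing what it reports, quarantine with sts_quarantine_wars and restart vmware-stsd as the fix text directs. Exploded directories are reported but not moved, since the STIG fix covers .war files only.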
Additional Identifiers
Rule ID: SV-239660r879584_rule
Vulnerability ID: V-239660
Group Title: SRG-APP-000131-WSR-000073
CCIs
Number | Definition
---|---
CCI-001749 | The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Controls
Number | Title
---|---
CM-5 (3) | Signed Components