Check: VCLD-67-000032
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000032
(in versions v1 r3 through v1 r2)
Title
VAMI configuration files must be protected from unauthorized access. (Cat II impact)
Discussion
Accounts on the VAMI server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all of the system's capabilities, while the web administrator and associated staff require access and control of the web content and the Lighttpd server configuration files.
Check Content
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # stat -c "%n permissions are %a and ownership is %U:%G" /opt/vmware/etc/lighttpd/lighttpd.conf /etc/applmgmt/appliance/lighttpd.conf Expected result: /opt/vmware/etc/lighttpd/lighttpd.conf permissions are 644 and ownership is root:root /etc/applmgmt/appliance/lighttpd.conf permissions are 644 and ownership is root:root If the output does not match the expected result, this is a finding.
Fix Text
At the command prompt, enter the following command: # chmod 644 <file> # chown root:root <file> Note: Replace <file> with every file returned from the command in the check.
Additional Identifiers
Rule ID: SV-239739r879753_rule
Vulnerability ID: V-239739
Group Title: SRG-APP-000380-WSR-000072
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001813 |
The information system enforces access restrictions. |
Controls
Number | Title |
---|---|
CM-5 (1) |
Automated Access Enforcement / Auditing |