Check: VCLD-67-000015
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000015
(in versions v1 r3 through v1 r2)
Title
VAMI server binaries and libraries must be verified for their integrity. (Cat II impact)
Discussion
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches regularly. When VAMI is updated, the signed packages will also be updated. These packages can be used to verify that VAMI has not been inappropriately modified since it was installed.
Check Content
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # rpm -qa|grep lighttpd|xargs rpm -V|grep -vE "lighttpd.conf|vami-lighttp.*\.service" If the command returns any output, this is a finding.
Fix Text
If the VAMI binaries have been modified from the default state when deployed as part of the VCSA, the system must be wiped and redeployed or restored from backup. VMware does not recommend or support recovering from such a state by reinstalling RPMs or similar efforts.
Additional Identifiers
Rule ID: SV-239723r879584_rule
Vulnerability ID: V-239723
Group Title: SRG-APP-000131-WSR-000051
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
Number | Title |
---|---|
CM-5 (3) |
Signed Components |