Check: VCLD-67-000027
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000027
(in versions v1 r3 through v1 r2)
Title
VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks. (Cat II impact)
Discussion
In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe or network connection. File descriptors index into a per-process file descriptor table maintained by the kernel, which in turn indexes into a system-wide table of files opened by all processes, called the file table. As a single-threaded server, Lighttpd must be limited in the number of file descriptors that can be allocated. This will prevent Lighttpd from being used in a form of DoS attack against the operating system.
Check Content
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash".

At the command prompt, execute the following command:

# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "server.max-fds"

Expected result:

server.max-fds = 2048

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Add or reconfigure the following value:

server.max-fds = 2048
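The check above is a manual grep of the effective configuration that vami-lighttpd prints with -p. The following POSIX shell helper, added here as an example and not part of the STIG or of VMware's tooling, parses that dump and reports a finding when server.max-fds is absent or differs from 2048 (an absent setting means the lighttpd default applies, which the check also treats as a finding). The three sample dumps are constructed for offline use; audit_live runs the real command only when the vami-lighttpd binary exists on the host.

```shell
# Added example (not from the STIG): audit helper for VCLD-67-000027.
# Reads a lighttpd "-p" configuration dump and verifies server.max-fds.

EXPECTED_MAX_FDS=2048

# check_max_fds reads a config dump on stdin. Returns 0 when
# server.max-fds equals EXPECTED_MAX_FDS, 1 when it is missing,
# non-numeric, or set to a different value (a finding).
check_max_fds() {
    value=$(sed -n 's/^[[:space:]]*server\.max-fds[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$value" ]; then
        echo "FINDING: server.max-fds is not set (lighttpd default applies)"
        return 1
    fi
    if [ "$value" -ne "$EXPECTED_MAX_FDS" ]; then
        echo "FINDING: server.max-fds = $value, expected $EXPECTED_MAX_FDS"
        return 1
    fi
    echo "OK: server.max-fds = $value"
    return 0
}

# Constructed sample dumps in the format produced by
# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf
SAMPLE_OK='server.document-root = "/opt/vmware/share/htdocs"
server.max-fds = 2048
server.port = 5480'

SAMPLE_BAD='server.document-root = "/opt/vmware/share/htdocs"
server.max-fds = 4096
server.port = 5480'

SAMPLE_MISSING='server.document-root = "/opt/vmware/share/htdocs"
server.port = 5480'

# audit_live runs the STIG check command on a real appliance; elsewhere
# it skips so the script can be exercised offline with the samples.
audit_live() {
    if [ -x /opt/vmware/sbin/vami-lighttpd ]; then
        /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf | check_max_fds
    else
        echo "vami-lighttpd not found; skipping live audit"
        return 0
    fi
}

# Offline demonstration against the constructed samples
printf '%s\n' "$SAMPLE_OK" | check_max_fds
printf '%s\n' "$SAMPLE_BAD" | check_max_fds
printf '%s\n' "$SAMPLE_MISSING" | check_max_fds
```

Because check_max_fds reads the dump rather than the raw lighttpd.conf, it sees the value that is actually in effect after any included files are merged, which is the same reason the STIG check uses -p instead of grepping the file directly.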
Additional Identifiers
Rule ID: SV-239734r879650_rule
Vulnerability ID: V-239734
Group Title: SRG-APP-000246-WSR-000149
Expert Comments
CCIs
Number | Definition
---|---
CCI-001094 | The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
Controls
Number | Title
---|---
SC-5 (1) | Restrict Internal Users