Check: VCLD-67-000018
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000018
(in versions v1 r3 through v1 r2)
Title
VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mappings based on "Content-Type". (Cat II impact)
Discussion
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually and automatic mapping must be disabled.
Check Content
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "mimetype.use-xattr" Expected result: mimetype.use-xattr = "disable" If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Add or reconfigure the following value: mimetype.use-xattr = "disable"
Additional Identifiers
Rule ID: SV-239726r879587_rule
Vulnerability ID: V-239726
Group Title: SRG-APP-000141-WSR-000081
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |