Check: VCLD-67-000003
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000003
(in version v1 r1)
Title
VAMI must use cryptography to protect the integrity of remote sessions. (Cat II impact)
Discussion
Data exchanged between the user and the web server can range from static display data to credentials used to log in to the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. To protect the integrity and confidentiality of the remote sessions, VAMI uses SSL/TLS. Satisfies: SRG-APP-000015-WSR-000014, SRG-APP-000172-WSR-000104, SRG-APP-000315-WSR-000003, SRG-APP-000141-WSR-000076, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000442-WSR-000182
Check Content
At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "ssl.engine" Expected result: ssl.engine = "enable" If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Add or reconfigure the following value: ssl.engine = "enable"
Additional Identifiers
Rule ID: SV-239717r679261_rule
Vulnerability ID: V-239717
Group Title: SRG-APP-000015-WSR-000014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002314 |
The information system controls remote access methods. |
CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002422 |
The information system maintains the confidentiality and/or integrity of information during reception. |
Controls
Number | Title |
---|---|
AC-17 (1) |
Automated Monitoring / Control |
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |
CM-7 |
Least Functionality |
IA-5 (1) |
Password-Based Authentication |
SC-8 |
Transmission Confidentiality And Integrity |
SC-8 (2) |
Pre / Post Transmission Handling |