Check: VCLD-67-000030
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000030
(in versions v1 r3 through v1 r2)
Title
VAMI must not be configured to use "mod_status". (Cat II impact)
Discussion
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. VAMI must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The "mod_status" module generates the status overview of the webserver. The information covers: - uptime - average throughput - current throughput - active connections and their state While this information is useful on a development system, production systems must not have "mod_status" enabled.
Check Content
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|awk '/server\.modules/,/\)/'|grep mod_status If any value is returned, this is a finding.
Fix Text
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Remove the line containing "mod_status". The line may be in an included config and not in the parent config itself.
Additional Identifiers
Rule ID: SV-239737r879655_rule
Vulnerability ID: V-239737
Group Title: SRG-APP-000266-WSR-000159
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001312 |
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
Controls
Number | Title |
---|---|
SI-11 |
Error Handling |