VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2023-02-21

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Envoy must drop connections to disconnected clients.
AC-10 - Medium - CCI-000054 - V-256737 - SV-256737r889149_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCRP-70-000001
Vuln IDs
  • V-256737
Rule IDs
  • SV-256737r889149_rule
Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.
Checks: C-60412r889147_chk

At the command prompt, run the following command:

# xmllint --xpath '/config/envoy/L4Filter/tcpKeepAliveTimeSec/text()' /etc/vmware-rhttpproxy/config.xml

Expected result:

180 or XPath set is empty

If the output does not match the expected result, this is a finding.

Fix: F-60355r889148_fix

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<envoy>/<L4Filter> block and configure <tcpKeepAliveTimeSec> as follows:

<tcpKeepAliveTimeSec>180</tcpKeepAliveTimeSec>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy

Envoy must set a limit on established connections.
AC-10 - Medium - CCI-000054 - V-256738 - SV-256738r889152_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCRP-70-000002
Vuln IDs
  • V-256738
Rule IDs
  • SV-256738r889152_rule
Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack where connections are created en masse and vCenter resources are entirely consumed. Envoy comes hard coded with a tested and supported value for "maxHttpsConnections" that must be verified and maintained.
Checks: C-60413r889150_chk

At the command prompt, run the following command:

# xmllint --xpath '/config/envoy/L4Filter/maxHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml

Expected result:

2048 or XPath set is empty

If the output does not match the expected result, this is a finding.

Fix: F-60356r889151_fix

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<envoy>/<L4Filter> block and configure <maxHttpsConnections> as follows:

<maxHttpsConnections>2048</maxHttpsConnections>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy

Envoy must be configured to operate in FIPS mode.
AC-17 - Medium - CCI-000068 - V-256739 - SV-256739r889155_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
VCRP-70-000003
Vuln IDs
  • V-256739
Rule IDs
  • SV-256739r889155_rule
Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cryptographic operations performed by Envoy, including protection of data-in-transit over the client Transport Layer Security (TLS) connection.

Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000111, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188, SRG-APP-000179-WSR-000110
Checks: C-60414r889153_chk

At the command prompt, run the following command:

# xmllint --xpath '/config/vmacore/ssl/fips' /etc/vmware-rhttpproxy/config.xml

Expected result:

<fips>true</fips>

If the output does not match the expected result, this is a finding.

Fix: F-60357r889154_fix

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<vmacore>/<ssl> block and configure <fips> as follows:

<fips>true</fips>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy

Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.
IA-5 - Medium - CCI-000197 - V-256740 - SV-256740r889158_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
VCRP-70-000004
Vuln IDs
  • V-256740
Rule IDs
  • SV-256740r889158_rule
Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The block in the rhttpproxy configuration is commented out by default, and this configuration forces TLS 1.2. The block may also be set to "tls1.2" in certain upgrade scenarios, but the effect is the same. Uncommenting the block and enabling older protocols is possible; therefore, TLS 1.2 restriction must be verified and maintained.

Satisfies: SRG-APP-000015-WSR-000014, SRG-APP-000172-WSR-000104, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182
Checks: C-60415r889156_chk

At the command prompt, run the following command:

# xmllint --xpath '/config/vmacore/ssl/protocols' /etc/vmware-rhttpproxy/config.xml

Expected result:

XPath set is empty or <protocols>tls1.2</protocols>

If the output does not match the expected result, this is a finding.

Fix: F-60358r889157_fix

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows:

<protocols>tls1.2</protocols>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy

The Envoy private key file must be protected from unauthorized access.
IA-5 - Medium - CCI-000186 - V-256741 - SV-256741r889161_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
VCRP-70-000005
Vuln IDs
  • V-256741
Rule IDs
  • SV-256741r889161_rule
Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the Transport Layer Security (TLS) traffic between a client and the web server.
Checks: C-60416r889159_chk

At the command prompt, run the following command:

# stat -c "%n permissions are %a, is owned by %U and group owned by %G" /etc/vmware-rhttpproxy/ssl/rui.key

Expected result:

/etc/vmware-rhttpproxy/ssl/rui.key permissions are 600, is owned by root and group owned by root

If the output does not match the expected result, this is a finding.

Fix: F-60359r889160_fix

At the command prompt, run the following commands:

# chmod 600 /etc/vmware-rhttpproxy/ssl/rui.key
# chown root:root /etc/vmware-rhttpproxy/ssl/rui.key

Envoy must exclusively use the HTTPS protocol for client connections.
AC-17 - Medium - CCI-002314 - V-256742 - SV-256742r889164_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
VCRP-70-000006
Vuln IDs
  • V-256742
Rule IDs
  • SV-256742r889164_rule
Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an encrypted session of HTTPS rather than plain-text HTTP. The Secure Sockets Layer (SSL) configuration block inside the rhttpproxy configuration must be present and correctly configured to safely enable Transport Layer Security (TLS).
Checks: C-60417r889162_chk

At the command prompt, run the following command:

# xmllint --xpath '/config/ssl' /etc/vmware-rhttpproxy/config.xml

Expected result:

<ssl>
  <!-- The server private key file -->
  <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
  <!-- The server side certificate file -->
  <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
  <!-- vecs server name. Currently vecs runs on all node types. -->
  <vecsServerName>localhost</vecsServerName>
</ssl>

If the output does not match the expected result, this is a finding.

Fix: F-60360r889163_fix

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the first <ssl> block and set its content to the following:

<ssl>
  <!-- The server private key file -->
  <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
  <!-- The server side certificate file -->
  <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
  <!-- vecs server name. Currently vecs runs on all node types. -->
  <vecsServerName>localhost</vecsServerName>
</ssl>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
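The checks for VCRP-70-000001 through VCRP-70-000006 above all read a handful of elements from the same config.xml, so they lend themselves to a single scripted audit. The following is an added example, not part of the STIG and not VMware's tooling: it re-implements the xmllint --xpath checks with Python's standard library so they can be run offline against a saved copy of the file, and it separates the VCRP-70-000005 permission logic from the os.stat call so that logic can be exercised without root. The element paths, expected values and the first-<ssl>-block comparison are taken from the check text; the sample XML, the function names and the pass/finding labels are constructed for this example.

```python
"""Offline audit of the config.xml checks VCRP-70-000001 to VCRP-70-000006.

Added example, not part of the STIG or of VMware's tooling. It re-implements
the xmllint --xpath checks with the standard library so the same logic can be
run against a saved copy of /etc/vmware-rhttpproxy/config.xml.
"""
import os
import stat
import xml.etree.ElementTree as ET

# (STIG version, path below the <config> root, accepted text values,
#  whether "XPath set is empty" is accepted). Values follow the check text.
CHECKS = [
    ("VCRP-70-000001", "envoy/L4Filter/tcpKeepAliveTimeSec", {"180"}, True),
    ("VCRP-70-000002", "envoy/L4Filter/maxHttpsConnections", {"2048"}, True),
    ("VCRP-70-000003", "vmacore/ssl/fips", {"true"}, False),
    ("VCRP-70-000004", "vmacore/ssl/protocols", {"tls1.2"}, True),
]

# VCRP-70-000006: the first <config>/<ssl> block must hold exactly these children.
SSL_BLOCK_EXPECTED = {
    "privateKey": "/etc/vmware-rhttpproxy/ssl/rui.key",
    "certificate": "/etc/vmware-rhttpproxy/ssl/rui.crt",
    "vecsServerName": "localhost",
}


def audit_config(xml_text):
    """Return {STIG version: (status, detail)}; status is 'pass' or 'finding'."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError("expected a <config> document root")
    results = {}
    for version, path, accepted, empty_ok in CHECKS:
        elem = root.find(path)  # first match, as xmllint would print first
        if elem is None:
            results[version] = ("pass" if empty_ok else "finding", "XPath set is empty")
            continue
        text = (elem.text or "").strip()
        results[version] = ("pass" if text in accepted else "finding", text)

    ssl = root.find("ssl")  # direct child only; <vmacore>/<ssl> is not matched
    if ssl is None:
        results["VCRP-70-000006"] = ("finding", "XPath set is empty")
    else:
        # ElementTree drops XML comments by default, so only elements remain.
        actual = {child.tag: (child.text or "").strip() for child in ssl}
        status = "pass" if actual == SSL_BLOCK_EXPECTED else "finding"
        results["VCRP-70-000006"] = (status, "; ".join(f"{k}={v}" for k, v in actual.items()))
    return results


def key_file_findings(mode, uid, gid):
    """VCRP-70-000005 logic on collected values: mode 600, owned by root:root."""
    problems = []
    if mode != 0o600:
        problems.append(f"permissions are {mode:o}, expected 600")
    if uid != 0 or gid != 0:
        problems.append(f"owned by uid {uid} gid {gid}, expected root:root")
    return problems


def audit_key_file(path="/etc/vmware-rhttpproxy/ssl/rui.key"):
    """Collect what 'stat -c "%a %U %G"' reports and apply the check to it."""
    st = os.stat(path)
    problems = key_file_findings(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return ("pass" if not problems else "finding", "; ".join(problems))


# Constructed sample mirroring the STIG's expected layout, except that TLS 1.1
# has been re-enabled so that VCRP-70-000004 produces a finding.
SAMPLE_CONFIG = """<config>
  <ssl>
    <!-- The server private key file -->
    <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
    <!-- The server side certificate file -->
    <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
    <!-- vecs server name. Currently vecs runs on all node types. -->
    <vecsServerName>localhost</vecsServerName>
  </ssl>
  <vmacore>
    <ssl>
      <fips>true</fips>
      <protocols>tls1.1,tls1.2</protocols>
    </ssl>
  </vmacore>
  <envoy>
    <L4Filter>
      <maxHttpsConnections>2048</maxHttpsConnections>
    </L4Filter>
  </envoy>
</config>
"""

if __name__ == "__main__":
    for version, (status, detail) in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(f"{version}: {status} ({detail})")
```

Run as a script it reports the constructed sample; to audit a real appliance, read config.xml into audit_config() and call audit_key_file() on the host. Note that the fips check deliberately treats an absent element as a finding, matching the STIG text, while the other three accept "XPath set is empty" because the hard-coded defaults are the required values.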

Envoy (rhttpproxy) log files must be shipped via syslog to a central log server.
AU-4 - Medium - CCI-001851 - V-256743 - SV-256743r889167_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VCRP-70-000007
Vuln IDs
  • V-256743
Rule IDs
  • SV-256743r889167_rule
Envoy produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. Envoy (rhttpproxy) rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to "/etc/vmware-syslog/vmware-services-rhttpproxy.conf". Ensuring the package hashes are as expected also ensures the shipped rsyslog configuration is present and unmodified.
Checks: C-60418r889165_chk

At the command prompt, run the following command:

# rpm -V VMware-visl-integration|grep vmware-services-rhttpproxy.conf|grep "^..5......"

If the command returns any output, this is a finding.

Fix: F-60361r889166_fix

Navigate to and open:

/etc/vmware-syslog/vmware-services-rhttpproxy.conf

Create the file if it does not exist. Set the contents of the file as follows:

#rhttpproxy log
input(type="imfile" File="/var/log/vmware/rhttpproxy/rhttpproxy.log" Tag="rhttpproxy-main" Severity="info" Facility="local0")

Envoy log files must be shipped via syslog to a central log server.
AU-4 - Medium - CCI-001851 - V-256744 - SV-256744r889170_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VCRP-70-000008
Vuln IDs
  • V-256744
Rule IDs
  • SV-256744r889170_rule
Envoy rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to "/etc/vmware-syslog/vmware-services-envoy.conf". Ensuring the package hashes are as expected also ensures the shipped rsyslog configuration is present and unmodified.
Checks: C-60419r889168_chk

At the command prompt, run the following command:

# rpm -V VMware-visl-integration|grep vmware-services-envoy.conf|grep "^..5......"

If the command returns any output, this is a finding.

Fix: F-60362r889169_fix

Navigate to and open:

/etc/vmware-syslog/vmware-services-envoy.conf

Create the file if it does not exist. Set the contents of the file as follows:

#envoy service log
input(type="imfile" File="/var/log/vmware/envoy/envoy.log" Tag="envoy-main" Severity="info" Facility="local0")

#envoy access log
input(type="imfile" File="/var/log/vmware/envoy/envoy-access.log" Tag="envoy-access" Severity="info" Facility="local0")
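The checks for VCRP-70-000007 and VCRP-70-000008 rely on the nine-character attribute string that rpm -V prints, and the grep "^..5......" selects only lines whose third column is "5" (the digest no longer matches the package manifest), so a file that merely has a new mtime is not a finding. The following is an added example, not part of the STIG and not VMware's tooling: it decodes that attribute string and applies the same rule to captured rpm -V output. The rpm -V line shapes shown are constructed samples; the column meanings are those documented in rpm(8). As a labelled extension of the literal grep, the function also reports a file rpm lists as "missing", since the fix text expects the file to exist.

```python
"""Decode rpm -V output for the rsyslog checks VCRP-70-000007 and VCRP-70-000008.

Added example, not part of the STIG or of VMware's tooling. rpm -V prints one
line per file that fails verification: a nine-character attribute string, an
optional file-type marker (c = configuration file) and the path. The STIG's
grep "^..5......" keeps only lines whose third column is '5', i.e. the file
digest differs from the package manifest; an mtime-only change is not a finding.
"""

# Column meaning of the nine-character rpm verify string (see rpm(8)).
# A '.' means the test passed and a '?' means it could not be performed.
ATTRIBUTES = (
    ("S", "size"),
    ("M", "mode"),
    ("5", "digest"),
    ("D", "device"),
    ("L", "readlink"),
    ("U", "user"),
    ("G", "group"),
    ("T", "mtime"),
    ("P", "capabilities"),
)


def parse_verify_line(line):
    """Return (path, set of failed attribute names) for one rpm -V line, or None if blank.

    A file rpm reports as 'missing   c /path' comes back as (path, {'missing'}).
    """
    line = line.strip()
    if not line:
        return None
    attrs, rest = line.split(None, 1)
    rest = rest.lstrip()
    # Optional single-character file-type marker (e.g. 'c', 'd', 'g', 'l') before the path.
    if len(rest) > 2 and rest[1] == " " and not rest.startswith("/"):
        rest = rest[2:].lstrip()
    path = rest
    if attrs == "missing":
        return path, {"missing"}
    if len(attrs) != len(ATTRIBUTES):
        raise ValueError(f"unexpected rpm -V line: {line!r}")
    failed = {name for (flag, name), col in zip(ATTRIBUTES, attrs) if col == flag}
    return path, failed


def rsyslog_findings(verify_output, conf_name):
    """Apply the STIG check to rpm -V output: a finding when conf_name's digest differs.

    Extension over the literal grep: a 'missing' file is also reported, because
    the STIG fix expects the file to exist.
    """
    findings = []
    for line in verify_output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, failed = parsed
        if path.endswith("/" + conf_name) and failed & {"digest", "missing"}:
            findings.append((path, sorted(failed)))
    return findings


# Constructed rpm -V output: the envoy file only has a new mtime (no finding);
# the rhttpproxy file has been edited, so size and digest differ (finding).
SAMPLE_RPM_V = """\
.......T.  c /etc/vmware-syslog/vmware-services-envoy.conf
S.5....T.  c /etc/vmware-syslog/vmware-services-rhttpproxy.conf
"""

if __name__ == "__main__":
    for conf in ("vmware-services-rhttpproxy.conf", "vmware-services-envoy.conf"):
        print(conf, rsyslog_findings(SAMPLE_RPM_V, conf) or "no finding")
```

On an appliance, capture `rpm -V VMware-visl-integration` to a file and pass its contents to rsyslog_findings() for each of the two configuration names. Because rpm -V is silent for files that verify cleanly, an empty result means the shipped rsyslog configuration is present and unmodified.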