At the command prompt, run the following command:

# xmllint --xpath '/config/envoy/L4Filter/tcpKeepAliveTimeSec/text()' /etc/vmware-rhttpproxy/config.xml

Expected result:

180, or the xmllint message "XPath set is empty" (the element is absent, which is also compliant)

If the output does not match the expected result, this is a finding.
Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<envoy>/<L4Filter> block and configure <tcpKeepAliveTimeSec> as follows:

<tcpKeepAliveTimeSec>180</tcpKeepAliveTimeSec>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
At the command prompt, run the following command:

# xmllint --xpath '/config/envoy/L4Filter/maxHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml

Expected result:

2048, or the xmllint message "XPath set is empty" (the element is absent, which is also compliant)

If the output does not match the expected result, this is a finding.
Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<envoy>/<L4Filter> block and configure <maxHttpsConnections> as follows:

<maxHttpsConnections>2048</maxHttpsConnections>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
At the command prompt, run the following command:

# xmllint --xpath '/config/vmacore/ssl/fips' /etc/vmware-rhttpproxy/config.xml

Expected result:

<fips>true</fips>

If the output does not match the expected result, this is a finding.
Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<vmacore>/<ssl> block and configure <fips> as follows:

<fips>true</fips>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
At the command prompt, run the following command:

# xmllint --xpath '/config/vmacore/ssl/protocols' /etc/vmware-rhttpproxy/config.xml

Expected result:

The xmllint message "XPath set is empty" (the element is absent, which is also compliant), or:

<protocols>tls1.2</protocols>

If the output does not match the expected result, this is a finding.
Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows:

<protocols>tls1.2</protocols>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
At the command prompt, run the following command:

# stat -c "%n permissions are %a, is owned by %U and group owned by %G" /etc/vmware-rhttpproxy/ssl/rui.key

Expected result:

/etc/vmware-rhttpproxy/ssl/rui.key permissions are 600, is owned by root and group owned by root

If the output does not match the expected result, this is a finding.
At the command prompt, run the following commands:

# chmod 600 /etc/vmware-rhttpproxy/ssl/rui.key
# chown root:root /etc/vmware-rhttpproxy/ssl/rui.key
At the command prompt, run the following command:

# xmllint --xpath '/config/ssl' /etc/vmware-rhttpproxy/config.xml

Expected result:

<ssl>
  <!-- The server private key file -->
  <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
  <!-- The server side certificate file -->
  <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
  <!-- vecs server name. Currently vecs runs on all node types. -->
  <vecsServerName>localhost</vecsServerName>
</ssl>

If the output does not match the expected result, this is a finding.
Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the first <ssl> block and set its content to the following:

<ssl>
  <!-- The server private key file -->
  <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
  <!-- The server side certificate file -->
  <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
  <!-- vecs server name. Currently vecs runs on all node types. -->
  <vecsServerName>localhost</vecsServerName>
</ssl>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
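The config.xml and rui.key checks above can be scripted so that every rhttpproxy setting is audited in one pass. The script below is an added example, not STIG text and not VMware tooling: it re-implements the xmllint --xpath checks with Python's xml.etree so it runs without xmllint, and it encodes the rule that some elements (tcpKeepAliveTimeSec, maxHttpsConnections, protocols) are compliant when absent, which is what the "XPath set is empty" expected result means. The two XML samples and the throwaway key file are constructed for the demonstration; the function names and the rule table are this example's own.

```python
"""Offline audit of the rhttpproxy config.xml and rui.key checks above.

Added example, not part of the STIG or of VMware tooling. Run without
arguments to audit the constructed samples, or pass the real path:
    python3 rhttpproxy_audit.py /etc/vmware-rhttpproxy/config.xml
"""
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

# (path below the <config> root, expected text, compliant when absent?)
# "absent OK" mirrors the STIG wording "or XPath set is empty".
RULES = [
    ("envoy/L4Filter/tcpKeepAliveTimeSec", "180", True),
    ("envoy/L4Filter/maxHttpsConnections", "2048", True),
    ("vmacore/ssl/fips", "true", False),
    ("vmacore/ssl/protocols", "tls1.2", True),
    ("ssl/privateKey", "/etc/vmware-rhttpproxy/ssl/rui.key", False),
    ("ssl/certificate", "/etc/vmware-rhttpproxy/ssl/rui.crt", False),
    ("ssl/vecsServerName", "localhost", False),
]


def audit_config(xml_text):
    """Return a list of findings; an empty list means every rule is compliant."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        return ["root element is <%s>, expected <config>" % root.tag]
    findings = []
    for rel_path, expected, absent_ok in RULES:
        node = root.find(rel_path)  # first match, like the STIG's "first <ssl> block"
        if node is None:
            if not absent_ok:
                findings.append("/config/%s: element missing, expected %r" % (rel_path, expected))
            continue
        actual = (node.text or "").strip()  # an empty element fails the check, as with xmllint text()
        if actual != expected:
            findings.append("/config/%s: %r, expected %r" % (rel_path, actual, expected))
    return findings


def audit_key_file(path, expect_uid=0, expect_gid=0):
    """Mirror the stat check: mode 600 and owned by expect_uid:expect_gid (root:root on the appliance)."""
    st = os.stat(path)
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append("%s: mode %o, expected 600" % (path, mode))
    if st.st_uid != expect_uid:
        findings.append("%s: uid %d, expected %d" % (path, st.st_uid, expect_uid))
    if st.st_gid != expect_gid:
        findings.append("%s: gid %d, expected %d" % (path, st.st_gid, expect_gid))
    return findings


def audit_sample_key(mode):
    """Demo helper: audit a throwaway key file (constructed, not a real key) with the given mode.

    Ownership is checked against the current user so the demo does not need root."""
    fd, path = tempfile.mkstemp(prefix="rui-", suffix=".key")
    os.write(fd, b"-- constructed placeholder, not a real key --\n")
    os.close(fd)
    os.chmod(path, mode)
    try:
        return audit_key_file(path, os.getuid(), os.getgid())
    finally:
        os.unlink(path)


# Constructed sample: maxHttpsConnections absent (compliant), everything else as the STIG expects.
COMPLIANT_XML = """<config>
  <vmacore><ssl><fips>true</fips><protocols>tls1.2</protocols></ssl></vmacore>
  <ssl>
    <!-- The server private key file -->
    <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
    <!-- The server side certificate file -->
    <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
    <!-- vecs server name. Currently vecs runs on all node types. -->
    <vecsServerName>localhost</vecsServerName>
  </ssl>
  <envoy><L4Filter><tcpKeepAliveTimeSec>180</tcpKeepAliveTimeSec></L4Filter></envoy>
</config>"""

# Constructed sample with four findings: connection limit raised, fips absent,
# TLS 1.1 enabled, VECS server name changed. tcpKeepAliveTimeSec is absent, which is fine.
NONCOMPLIANT_XML = """<config>
  <vmacore><ssl><protocols>tls1.1,tls1.2</protocols></ssl></vmacore>
  <ssl>
    <privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
    <certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
    <vecsServerName>vcsa.example.com</vecsServerName>
  </ssl>
  <envoy><L4Filter><maxHttpsConnections>4096</maxHttpsConnections></L4Filter></envoy>
</config>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = audit_config(fh.read())
        result += audit_key_file("/etc/vmware-rhttpproxy/ssl/rui.key")
    else:
        result = audit_config(NONCOMPLIANT_XML)
    print("\n".join(result) or "no findings")
```

On the appliance, pass the real config.xml path; the key-file check then expects root:root, matching the stat output the STIG asks for. Note that the ElementTree check ignores XML comments, so the comment lines inside the <ssl> block do not affect the result, whereas the literal xmllint output above includes them.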
At the command prompt, run the following command:

# rpm -V VMware-visl-integration|grep vmware-services-rhttpproxy.conf|grep "^..5......"

A "5" in the third column of rpm -V output means the file's digest no longer matches the packaged copy, so any line returned means the file was modified.

If the command returns any output, this is a finding.
Navigate to and open:

/etc/vmware-syslog/vmware-services-rhttpproxy.conf

Create the file if it does not exist.

Set the contents of the file as follows:

#rhttpproxy log
input(type="imfile"
      File="/var/log/vmware/rhttpproxy/rhttpproxy.log"
      Tag="rhttpproxy-main"
      Severity="info"
      Facility="local0")
At the command prompt, run the following command:

# rpm -V VMware-visl-integration|grep vmware-services-envoy.conf|grep "^..5......"

A "5" in the third column of rpm -V output means the file's digest no longer matches the packaged copy, so any line returned means the file was modified.

If the command returns any output, this is a finding.
Navigate to and open:

/etc/vmware-syslog/vmware-services-envoy.conf

Create the file if it does not exist.

Set the contents of the file as follows:

#envoy service log
input(type="imfile"
      File="/var/log/vmware/envoy/envoy.log"
      Tag="envoy-main"
      Severity="info"
      Facility="local0")
#envoy access log
input(type="imfile"
      File="/var/log/vmware/envoy/envoy-access.log"
      Tag="envoy-access"
      Severity="info"
      Facility="local0")