VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2023-09-12
  • Released: 2023-10-25
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Lighttpd must limit the number of simultaneous requests.
AC-10 - Medium - CCI-000054 - V-240215 - SV-240215r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-LI-000005
Vuln IDs
  • V-240215
  • V-89219
Rule IDs
  • SV-240215r879511_rule
  • SV-99869
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack includes limiting the number of concurrent HTTP/HTTPS requests. Lighttpd is used for administrative purposes only. Lighttpd provides the server.max-connections setting to limit the number of concurrent TCP connections.
Checks: C-43448r667820_chk

At the command prompt, execute the following command:

grep 'server.max-connections = 1024' /opt/vmware/etc/lighttpd/lighttpd.conf

If the "server.max-connections" is not set to "1024", commented out, or does not exist, this is a finding.

Fix: F-43407r667821_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following value:

server.max-connections = 1024

Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
AC-17 - Medium - CCI-000068 - V-240216 - SV-240216r879519_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
VRAU-LI-000015
Vuln IDs
  • V-240216
  • V-89221
Rule IDs
  • SV-240216r879519_rule
  • SV-99871
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-43449r667823_chk

At the command prompt, execute the following command:

grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value ssl.cipher-list = "FIPS: +3DES:!aNULL" is not returned or commented out, this is a finding.

Fix: F-43408r667824_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

ssl.cipher-list = "FIPS: +3DES:!aNULL"

Lighttpd must be configured to use the SSL engine.
AC-17 - Medium - CCI-001453 - V-240217 - SV-240217r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
VRAU-LI-000020
Vuln IDs
  • V-240217
  • V-89223
Rule IDs
  • SV-240217r879520_rule
  • SV-99873
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43450r667826_chk

At the command prompt, execute the following command:

grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43409r667827_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following value:

ssl.engine = "enable"

Lighttpd must be configured to use mod_accesslog.
AC-17 - Medium - CCI-000067 - V-240218 - SV-240218r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VRAU-LI-000025
Vuln IDs
  • V-240218
  • V-89225
Rule IDs
  • SV-240218r879521_rule
  • SV-99875
Lighttpd is the administration panel for vRealize Automation. Because it is intended to provide remote access to the appliance, vRA must provide remote access information to external monitoring systems. mod_accesslog is the module in Lighttpd that configures Lighttpd to share information with external monitoring systems.
Checks: C-43451r667829_chk

At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/'

If the value "mod_accesslog" is not listed, this is a finding.

Fix: F-43410r667830_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Navigate to and configure the "server.modules" section with the following value:

mod_accesslog
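The four lighttpd.conf checks above (VRAU-LI-000005, -000015, -000020 and -000025) are each a single grep. The script below is an added example, not part of the STIG or of vRealize Automation, that performs all four against one file and reports each finding with the STIG's own identifier. CONF_SAMPLE is a constructed configuration fragment shaped like the expected values; the directive_value, directive_is, module_loaded and audit_conf functions are this example's own names. It goes slightly beyond the page's greps by ignoring commented-out lines and by taking the last assignment of a directive, which is how lighttpd itself resolves duplicates.

```shell
#!/bin/sh
# Added example (not STIG or vRealize Automation code): audit a lighttpd.conf
# for server.max-connections, ssl.cipher-list, ssl.engine and mod_accesslog.
# CONF_SAMPLE is a constructed fragment; run audit_conf against the real
# /opt/vmware/etc/lighttpd/lighttpd.conf to audit an appliance.

CONF_SAMPLE='server.modules = (
  "mod_access",
  "mod_accesslog",
  "mod_proxy"
)
server.max-connections = 1024
ssl.engine = "enable"
ssl.cipher-list = "FIPS: +3DES:!aNULL"
'

# Print the value of the last uncommented "key = value" line for directive $2
# in file $1 (empty output when the directive is absent or only commented out).
directive_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v                              # later assignments win
        }
        END { print val }' "$1"
}

# Return 0 when directive $2 in file $1 is set to exactly $3 (quotes included).
directive_is() {
    [ "$(directive_value "$1" "$2")" = "$3" ]
}

# Return 0 when module $2 is listed in the server.modules block of file $1,
# using the same block extraction as the STIG check (server.modules to ")").
module_loaded() {
    awk '/server\.modules/,/\)/' "$1" | grep -q "\"$2\""
}

# Run all four checks against file $1; print each finding and return 0 only
# when there are none.
audit_conf() {
    findings=0
    directive_is "$1" 'server.max-connections' '1024' \
        || { echo "FINDING VRAU-LI-000005: server.max-connections is not 1024"; findings=$((findings + 1)); }
    directive_is "$1" 'ssl.cipher-list' '"FIPS: +3DES:!aNULL"' \
        || { echo "FINDING VRAU-LI-000015: ssl.cipher-list is not \"FIPS: +3DES:!aNULL\""; findings=$((findings + 1)); }
    directive_is "$1" 'ssl.engine' '"enable"' \
        || { echo "FINDING VRAU-LI-000020: ssl.engine is not \"enable\""; findings=$((findings + 1)); }
    module_loaded "$1" 'mod_accesslog' \
        || { echo "FINDING VRAU-LI-000025: mod_accesslog is not in server.modules"; findings=$((findings + 1)); }
    echo "$1: $findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Stand-alone usage: "sh audit.sh --demo" audits the constructed sample;
# "sh audit.sh --audit /opt/vmware/etc/lighttpd/lighttpd.conf" audits a file.
case "${1:-}" in
    --demo)  tmp=$(mktemp) && printf '%s' "$CONF_SAMPLE" > "$tmp"
             audit_conf "$tmp"; rm -f "$tmp" ;;
    --audit) audit_conf "$2" ;;
esac
```

The exit status of audit_conf is 0 only when every check passes, so the script can be dropped into a configuration-drift job as-is; the per-finding lines name the STIG requirement that failed.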

Lighttpd must generate log records for system startup and shutdown.
AU-12 - Medium - CCI-000169 - V-240219 - SV-240219r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
VRAU-LI-000035
Vuln IDs
  • V-240219
  • V-89227
Rule IDs
  • SV-240219r879559_rule
  • SV-99877
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. Lighttpd records system event information in the error.log file. Included in the file are system start and stop events.
Checks: C-43452r667832_chk

At the command prompt, execute the following command:

egrep 'server\sstarted|server\sstopped' /opt/vmware/var/log/lighttpd/error.log

If server stopped and server started times are not listed, this is a finding.

Fix: F-43411r667833_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

server.errorlog = log_root + "/error.log"

Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-240220 - SV-240220r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
VRAU-LI-000050
Vuln IDs
  • V-240220
  • V-89231
Rule IDs
  • SV-240220r879563_rule
  • SV-99881
Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures all user session information related to the hosted application session. This enables forensic analysis of server events in the case of a malicious event.
Checks: C-43453r667835_chk

At the command prompt, execute the following command:

tail -n 4 /opt/vmware/var/log/lighttpd/access.log

If the GET or POST events do not exist in the access.log file, this is a finding.

Fix: F-43412r667836_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

$HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" {
    accesslog.filename = log_root + "/access.log"
}

Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
AU-3 - Medium - CCI-000131 - V-240221 - SV-240221r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
VRAU-LI-000055
Vuln IDs
  • V-240221
  • V-89233
Rule IDs
  • SV-240221r879564_rule
  • SV-99883
Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures all user session information related to the hosted application session. This enables forensic analysis of server events in the case of a malicious event.
Checks: C-43454r667838_chk

At the command prompt, execute the following command:

tail -n 1 /opt/vmware/var/log/lighttpd/access.log

If the generated log records do not have date and time data, this is a finding.

Fix: F-43413r667839_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

$HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" {
    accesslog.filename = log_root + "/access.log"
}

Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
AU-3 - Medium - CCI-000132 - V-240222 - SV-240222r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
VRAU-LI-000060
Vuln IDs
  • V-240222
  • V-89235
Rule IDs
  • SV-240222r879565_rule
  • SV-99885
Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures all user session information related to the hosted application session. This enables forensic analysis of server events in the case of a malicious event.
Checks: C-43455r667841_chk

At the command prompt, execute the following command:

tail -n 1 /opt/vmware/var/log/lighttpd/access.log

If any of the generated audit records are without sufficient information to establish where the event occurred, this is a finding.

Fix: F-43414r667842_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

$HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" {
    accesslog.filename = log_root + "/access.log"
}

Lighttpd must produce log records containing sufficient information to establish the source of events.
AU-3 - Medium - CCI-000133 - V-240223 - SV-240223r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-LI-000065
Vuln IDs
  • V-240223
  • V-89237
Rule IDs
  • SV-240223r879566_rule
  • SV-99887
Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures all user session information related to the hosted application session. This enables forensic analysis of server events in the case of a malicious event.
Checks: C-43456r667844_chk

At the command prompt, execute the following command:

tail -n 4 /opt/vmware/var/log/lighttpd/access.log

If any of the generated audit records are without sufficient information to establish the source of the events, this is a finding.

Fix: F-43415r667845_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

$HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" {
    accesslog.filename = log_root + "/access.log"
}

Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-240224 - SV-240224r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
VRAU-LI-000075
Vuln IDs
  • V-240224
  • V-89239
Rule IDs
  • SV-240224r879567_rule
  • SV-99889
Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the loggable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of the event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures all user session information related to the hosted application session. This enables forensic analysis of server events in the case of a malicious event.
Checks: C-43457r668003_chk

At the command prompt, execute the following command:

tail -n 4 /opt/vmware/var/log/lighttpd/access.log

Note: The HTTP status code indicating success or failure is a 3-digit integer immediately after "HTTP/1.1". Any value other than a 3-digit code immediately following "HTTP/1.1" is a failure of the logging process.

If any of the generated audit records are without sufficient information to establish the outcome of the event (success or failure), this is a finding.

Fix: F-43416r667848_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file

Configure the "lighttpd.conf" file with the following:

$HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" {
    accesslog.filename = log_root + "/access.log"
}
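The five AU-3 checks above (VRAU-LI-000050 through -000075) all come down to reading the last few access.log lines and confirming that each Common Log Format record carries a request (what and where), a timestamp (when), a client host (source) and a 3-digit status code after the protocol (outcome). The script below is an added example, not part of the STIG or of vRealize Automation, that applies those four tests to every line of a file so an auditor does not have to eyeball them. LOG_OK and LOG_BAD are constructed sample records, not entries from an appliance, and check_clf is this example's own function name.

```shell
#!/bin/sh
# Added example (not STIG or vRealize Automation code): validate Common Log
# Format records for source, timestamp, request line and status code.
# LOG_OK and LOG_BAD are constructed samples; run check_clf against the
# real /opt/vmware/var/log/lighttpd/access.log to audit an appliance.

LOG_OK='10.0.0.5 - - [12/Sep/2023:14:03:21 +0000] "GET /vcac/ HTTP/1.1" 200 5120
10.0.0.7 - admin [12/Sep/2023:14:03:45 +0000] "POST /cimom HTTP/1.1" 401 312'

# Two defective records: the first has no client host, the second has no
# timestamp and a "-" where the status code belongs.
LOG_BAD='- - - [12/Sep/2023:14:04:01 +0000] "GET /vcac/ HTTP/1.1" 200 5120
10.0.0.9 - - "GET /vcac/ HTTP/1.1" - 0'

# Print a verdict for every record in file $1; return 0 only when every
# record carries source, timestamp, request line and a 3-digit status.
check_clf() {
    awk '
    NF == 0 { next }                           # ignore blank lines
    {
        bad = ""
        # source: the first CLF field is the client host; "-" means unknown
        if ($1 == "-") bad = bad " no-source"
        # when: bracketed dd/Mon/yyyy:HH:MM:SS followed by a zone offset
        if ($0 !~ /\[[0-9][0-9]\/[A-Z][a-z][a-z]\/[0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [+-][0-9][0-9][0-9][0-9]\]/)
            bad = bad " no-timestamp"
        # what and where: the quoted request line, method + URL + protocol
        if ($0 !~ /"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \/[^"]* HTTP\/[0-9.]+"/)
            bad = bad " no-request"
        # outcome: a 3-digit status code immediately after the closing quote
        if ($0 !~ /HTTP\/[0-9.]+" [0-9][0-9][0-9]( |$)/)
            bad = bad " no-status"
        if (bad == "") print "OK      line " NR
        else { print "FINDING line " NR ":" bad; findings++ }
    }
    END { exit (findings > 0) }' "$1"
}

# Stand-alone usage: "sh clfcheck.sh --demo" runs both samples;
# "sh clfcheck.sh --audit /opt/vmware/var/log/lighttpd/access.log" audits a file.
case "${1:-}" in
    --demo)  tmp=$(mktemp) && printf '%s\n' "$LOG_OK" > "$tmp"
             check_clf "$tmp" || true
             printf '%s\n' "$LOG_BAD" > "$tmp"
             check_clf "$tmp" || true
             rm -f "$tmp" ;;
    --audit) check_clf "$2" ;;
esac
```

A record that fails "no-status" is exactly the case the STIG's note calls a failure of the logging process: the protocol is present but nothing numeric follows it, so the outcome cannot be established.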

Lighttpd must have the correct ownership on the log files to ensure they are only accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240225 - SV-240225r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-LI-000095
Vuln IDs
  • V-240225
  • V-89241
Rule IDs
  • SV-240225r879576_rule
  • SV-99891
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must only be accessible by privileged users.
Checks: C-43458r667850_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If the owner is not "root", this is a finding.

Fix: F-43417r667851_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct group-ownership on the log files to ensure they are only accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240226 - SV-240226r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-LI-000100
Vuln IDs
  • V-240226
  • V-89243
Rule IDs
  • SV-240226r879576_rule
  • SV-99893
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must only be accessible by privileged users.
Checks: C-43459r667853_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If the group-owner is not "root", this is a finding.

Fix: F-43418r667854_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct permissions on the log files to ensure they are only accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240227 - SV-240227r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-LI-000105
Vuln IDs
  • V-240227
  • V-89245
Rule IDs
  • SV-240227r879576_rule
  • SV-99895
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must only be accessible by privileged users.
Checks: C-43460r667856_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If permissions on the log files are not "-rw-r----- (640)", this is a finding.

Fix: F-43419r667857_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240228 - SV-240228r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-LI-000110
Vuln IDs
  • V-240228
  • V-89247
Rule IDs
  • SV-240228r879577_rule
  • SV-99897
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized modification.
Checks: C-43461r667859_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If the owner is not "root", this is a finding.

Fix: F-43420r667860_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240229 - SV-240229r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-LI-000115
Vuln IDs
  • V-240229
  • V-90325
Rule IDs
  • SV-240229r879577_rule
  • SV-100975
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized modification.
Checks: C-43462r667862_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If the group-owner is not "root", this is a finding.

Fix: F-43421r667863_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240230 - SV-240230r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-LI-000120
Vuln IDs
  • V-240230
  • V-90327
Rule IDs
  • SV-240230r879577_rule
  • SV-100977
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized modification.
Checks: C-43463r667865_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If permissions on the log files are not "-rw-r----- (640)", this is a finding.

Fix: F-43422r667866_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240231 - SV-240231r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-LI-000125
Vuln IDs
  • V-240231
  • V-89249
Rule IDs
  • SV-240231r879578_rule
  • SV-99899
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized deletion.
Checks: C-43464r667868_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If the owner is not "root", this is a finding.

Fix: F-43423r667869_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240232 - SV-240232r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-LI-000130
Vuln IDs
  • V-240232
  • V-90329
Rule IDs
  • SV-240232r879578_rule
  • SV-100979
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized deletion.
Checks: C-43465r667871_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If the group-owner is not "root", this is a finding.

Fix: F-43424r667872_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240233 - SV-240233r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-LI-000135
Vuln IDs
  • V-240233
  • V-90331
Rule IDs
  • SV-240233r879578_rule
  • SV-100981
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized deletion.
Checks: C-43466r667874_chk

At the command prompt, execute the following command:

ls -l /opt/vmware/var/log/lighttpd/*.log

If permissions on the log files are not "-rw-r----- (640)", this is a finding.

Fix: F-43425r667875_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/var/log/lighttpd/*.log
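The nine AU-9 requirements above (VRAU-LI-000095 through -000135) all inspect the same "ls -l" output for owner root, group root and mode -rw-r----- (640), differing only in which of the three a given rule names. The script below is an added example, not part of the STIG or of vRealize Automation, that reads those three attributes from "ls -l" exactly as the checks do and reports every mismatch in one pass over a log directory. The function names check_log_file and audit_log_dir are this example's own; the expected values default to the STIG's root:root and -rw-r-----, and the directory it is tested against is constructed, not the appliance's.

```shell
#!/bin/sh
# Added example (not STIG or vRealize Automation code): check owner, group
# and mode of log files from "ls -l" output, as the AU-9 checks above do.
# Expected values default to the STIG's root, root and -rw-r----- (640).

# Return 0 when file $1 is owned by $2, group-owned by $3 and has mode $4
# (mode written as ls shows it). Every mismatch is printed as a FINDING.
check_log_file() {
    _file=$1
    _owner=${2:-root}
    _group=${3:-root}
    _mode=${4:--rw-r-----}          # "${4:-word}" with word "-rw-r-----"
    ls -ld "$_file" | {
        # ls -l fields: mode links owner group size month day time name
        read -r mode _links owner group _rest
        mode=${mode%[.+@]}           # drop the SELinux/ACL marker some ls print
        rc=0
        [ "$mode"  = "$_mode"  ] || { echo "FINDING: $_file mode is $mode, expected $_mode"; rc=1; }
        [ "$owner" = "$_owner" ] || { echo "FINDING: $_file owner is $owner, expected $_owner"; rc=1; }
        [ "$group" = "$_group" ] || { echo "FINDING: $_file group is $group, expected $_group"; rc=1; }
        exit $rc                     # status of this subshell is the function's
    }
}

# Audit every *.log in directory $1 (the STIG's glob) against owner $2,
# group $3 and mode $4; return 0 only when every file passes.
audit_log_dir() {
    dir_rc=0
    for f in "$1"/*.log; do
        [ -e "$f" ] || { echo "FINDING: no *.log files in $1"; return 1; }
        check_log_file "$f" "$2" "$3" "$4" || dir_rc=1
    done
    return $dir_rc
}

# Stand-alone usage: "sh logperms.sh --audit" checks the appliance's log
# directory with the STIG's defaults; "--audit DIR" checks another directory.
case "${1:-}" in
    --audit) audit_log_dir "${2:-/opt/vmware/var/log/lighttpd}" ;;
esac
```

Parsing "ls -l" rather than calling stat keeps the example on the same evidence the STIG asks the auditor to look at and avoids the GNU/BSD stat option differences; the one trap is the trailing "." or "+" that ls appends when a file carries a SELinux context or an ACL, which is stripped before the comparison.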

Lighttpd log data and records must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-240234 - SV-240234r879582_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
VRAU-LI-000140
Vuln IDs
  • V-240234
  • V-89251
Rule IDs
  • SV-240234r879582_rule
  • SV-99901
Protection of Lighttpd log data includes assuring log data is not accidentally lost or deleted. Backing up Lighttpd log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Checks: C-43467r668005_chk

Obtain supporting documentation from the ISSO. Determine whether log data and records are being backed up to a different system or separate media. If log data and records are not being backed up to a different system or separate media, this is a finding.

Fix: F-43426r667878_fix

Backup the log data and records to a different system or separate media.

Lighttpd files must be verified for their integrity before being added to a production web server.
CM-5 - Medium - CCI-001749 - V-240235 - SV-240235r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VRAU-LI-000145
Vuln IDs
  • V-240235
  • V-89253
Rule IDs
  • SV-240235r879584_rule
  • SV-99903
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. The Lighttpd web server files on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
Checks: C-43468r854808_chk

Obtain supporting documentation from the ISSO. Determine whether web server files are verified/validated before being implemented into the production environment. If the web server files are not verified or validated before being implemented into the production environment, this is a finding.

Fix: F-43427r667881_fix

Verify or validate the web server files for integrity before they are implemented into the production environment.

Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
CM-5 - Medium - CCI-001749 - V-240236 - SV-240236r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VRAU-LI-000150
Vuln IDs
  • V-240236
  • V-89255
Rule IDs
  • SV-240236r879584_rule
  • SV-99905
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. Expansion modules that are installed on the production Lighttpd web server on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
Checks: C-43469r854810_chk

Obtain supporting documentation from the ISSO. Determine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment. If the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-43428r667884_fix

Review, test, and sign expansion modules before being implemented into the production environment.

Lighttpd must prohibit unnecessary services, functions or processes.
CM-7 - Medium - CCI-000381 - V-240237 - SV-240237r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000160
Vuln IDs
  • V-240237
  • V-89257
Rule IDs
  • SV-240237r879587_rule
  • SV-99907
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks.
Checks: C-43470r667886_chk

Obtain supporting documentation from the ISSO. Determine if any unnecessary services, functions or processes are running on the web server. If any unnecessary services, functions or processes are running on the web server, this is a finding.

Fix: F-43429r667887_fix

Remove or disable any unnecessary services, functions or processes.

b
Lighttpd proxy settings must be configured.
CM-7 - Medium - CCI-000381 - V-240238 - SV-240238r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000165
Vuln IDs
  • V-240238
  • V-90333
Rule IDs
  • SV-240238r879587_rule
  • SV-100983
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack technique, because the proxy makes the attack anonymous.
Checks: C-43471r668031_chk

At the command prompt, execute the following command:

grep -A 6 -B 1 proxy.server /opt/vmware/etc/lighttpd/lighttpd.conf

If the proxy.server "host" value is not set to "127.0.0.1" and the proxy.server "port" value is not set to "5488", this is a finding.

Fix: F-43430r668032_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Navigate to proxy.server. Set the proxy.server "host" value to "127.0.0.1" and the proxy.server "port" value to "5488".

Note: The proxy.server section should look like this when it is configured:

$HTTP["url"] =~ "^/cimom" {
    proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "5488" )) )
}

c
Lighttpd must only contain components that are operationally necessary.
CM-7 - High - CCI-000381 - V-240239 - SV-240239r879587_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
VRAU-LI-000170
Vuln IDs
  • V-240239
  • V-89259
Rule IDs
  • SV-240239r879587_rule
  • SV-99909
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are either not installed or are uninstalled completely, the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-43472r668011_chk

Obtain supporting documentation from the ISSO. Determine if web server documentation, sample code, example applications, or tutorials have been deleted or removed and the web server only contains components that are operationally necessary. If web server documentation, sample code, example applications, or tutorials have not been deleted or removed, or the web server contains components that are not operationally necessary, this is a finding.

Fix: F-43431r667893_fix

Delete or remove any documentation, sample code, example applications, tutorials and any components that are not operationally necessary.

b
Lighttpd must have MIME types for csh or sh shell programs disabled.
CM-7 - Medium - CCI-000381 - V-240240 - SV-240240r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000185
Vuln IDs
  • V-240240
  • V-89261
Rule IDs
  • SV-240240r879587_rule
  • SV-99911
Users must not be allowed to access the shell programs. Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized in the context of the Security Features User's Guide. Lighttpd must be configured to disable MIME types for csh or sh shell programs.
Checks: C-43473r667895_chk

At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | egrep '".sh"|".csh"'

If the command returns any value, this is a finding.

Fix: F-43432r667896_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Delete any line(s) that return the value of csh or sh.

b
Lighttpd must only enable mappings to necessary and approved scripts.
CM-7 - Medium - CCI-000381 - V-240241 - SV-240241r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000190
Vuln IDs
  • V-240241
  • V-89263
Rule IDs
  • SV-240241r879587_rule
  • SV-99913
Lighttpd will only allow or deny script execution based on file extension. The ability to control script execution is controlled with the cgi.assign variable in lighttpd.conf. For script mappings, the ISSO must document and approve all allowable file extensions the web site allows (whitelist). The whitelist will be compared to the script mappings in Lighttpd.
Checks: C-43474r668013_chk

Obtain supporting documentation from the ISSO. Determine the scripts that are deemed necessary and approved (whitelist).

Note: Lighttpd provides the cgi.assign parameter to specify script mappings.

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the cgi.assign parameter. If the cgi.assign parameter is configured with script types that are deemed for denial, this is a finding.

Fix: F-43433r667899_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the cgi.assign parameter. Configure the cgi.assign parameter with the scripts that are deemed necessary and approved (whitelisted).

b
Lighttpd must have resource mappings set to disable the serving of certain file types.
CM-7 - Medium - CCI-000381 - V-240242 - SV-240242r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000195
Vuln IDs
  • V-240242
  • V-89265
Rule IDs
  • SV-240242r879587_rule
  • SV-99915
Resource mapping is the process of tying a particular file type to a process in Lighttpd that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. Lighttpd provides the url.access-deny parameter to specify a blacklist of file types which should be denied.
Checks: C-43475r668015_chk

Obtain supporting documentation from the ISSO. Determine the file types (blacklist) that are deemed for denial.

Note: Lighttpd provides the url.access-deny parameter to specify the blacklist of files.

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the url.access-deny parameter. If the url.access-deny parameter is not configured with the file types that are blacklisted, this is a finding. If the url.access-deny parameter is not set properly, this is a finding.

Fix: F-43434r667902_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the url.access-deny parameter. Configure the url.access-deny parameter with the file types that are blacklisted.

b
Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
CM-7 - Medium - CCI-000381 - V-240243 - SV-240243r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000200
Vuln IDs
  • V-240243
  • V-89267
Rule IDs
  • SV-240243r879587_rule
  • SV-99917
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. By allowing this functionality, development and deployment become much easier for web authors. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server. Lighttpd uses the mod_webdav module to provide WebDAV services. This module must not be installed.
Checks: C-43476r667904_chk

At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/'

If the "mod_webdav" module is listed, this is a finding.

Fix: F-43435r667905_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the server.modules section. In the server.modules section, delete the "mod_webdav" entry.

b
Lighttpd must not have the webdav configuration file included.
CM-7 - Medium - CCI-000381 - V-240244 - SV-240244r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000205
Vuln IDs
  • V-240244
  • V-89269
Rule IDs
  • SV-240244r879587_rule
  • SV-99919
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. By allowing this functionality, development and deployment become much easier for web authors. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server. The Lighttpd configuration file uses the 'include' statement to include other configuration files. The default lighttpd.conf file contains a reference to include a webdav.conf file, and it is possible for the WebDAV module to be loaded in other files.
Checks: C-43477r667907_chk

At the command prompt, execute the following command:

grep 'webdav.conf' /opt/vmware/etc/lighttpd/lighttpd.conf

If the return value is an include statement and it is not commented out, this is a finding.

Fix: F-43436r667908_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Delete or comment out the following statement:

include "conf.d/webdav.conf"

b
Lighttpd must prevent hosted applications from exhausting system resources.
CM-7 - Medium - CCI-000381 - V-240245 - SV-240245r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-LI-000210
Vuln IDs
  • V-240245
  • V-89271
Rule IDs
  • SV-240245r879587_rule
  • SV-99921
When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. Applications and application developers must take the steps needed to ensure users cannot use these applications to launch DoS attacks against other systems and networks. An example would be preventing Lighttpd from keeping idle connections open for too long.
Checks: C-43478r667910_chk

At the command prompt, execute the following command:

grep '^server.max-keep-alive-idle' /opt/vmware/etc/lighttpd/lighttpd.conf

If the "server.max-keep-alive-idle" is not set to "30", this is a finding.

Fix: F-43437r667911_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Configure the lighttpd.conf file with the following:

server.max-keep-alive-idle = 30

c
Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
CM-7 - High - CCI-000381 - V-240246 - SV-240246r879587_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
VRAU-LI-000215
Vuln IDs
  • V-240246
  • V-89273
Rule IDs
  • SV-240246r879587_rule
  • SV-99923
A symbolic link allows a file or a directory to be referenced using a symbolic name, which raises a potential hazard if the symbolic link points to a sensitive area. When web scripts are executed and symbolic links are allowed, Lighttpd could be allowed to access locations on the server that are outside the scope of the hosted application document root or home directory.
Checks: C-43479r667913_chk

At the command prompt, execute the following command:

find /opt/vmware/share/htdocs -type l

If any files are listed, this is a finding.

Fix: F-43438r667914_fix

At the command prompt, enter the following command:

Note: Replace <file_name> with the name of any file that was returned.

unlink <file_name>

Repeat the command for each file that was listed.

b
Lighttpd must be configured to use port 5480.
CM-7 - Medium - CCI-000382 - V-240247 - SV-240247r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VRAU-LI-000220
Vuln IDs
  • V-240247
  • V-89275
Rule IDs
  • SV-240247r879588_rule
  • SV-99925
Lighttpd is used as the web server for vRealize Automation's Virtual Appliance Management Interface (vAMI). To segregate appliance management from appliance operation, Lighttpd can be configured to listen on a separate port. Port 5488 is the recommended port setting.
Checks: C-43480r667916_chk

At the command prompt, execute the following command:

grep '^server.port' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value of "server.port" is not "5480", this is a finding.

Fix: F-43439r667917_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Configure the lighttpd.conf file with the following:

server.port = 5480

b
Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
IA-5 - Medium - CCI-000197 - V-240248 - SV-240248r879609_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
VRAU-LI-000225
Vuln IDs
  • V-240248
  • V-89277
Rule IDs
  • SV-240248r879609_rule
  • SV-99927
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate the vAMI admin must be sent to Lighttpd via SSL/TLS. To ensure that Lighttpd is using SSL/TLS, the ssl.engine must be enabled.
Checks: C-43481r667919_chk

At the command prompt, execute the following command:

grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value of "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43440r667920_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Configure the lighttpd.conf file with the following:

ssl.engine = "enable"

b
Lighttpd must have private key access restricted.
IA-5 - Medium - CCI-000186 - V-240249 - SV-240249r879613_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
VRAU-LI-000235
Vuln IDs
  • V-240249
  • V-89279
Rule IDs
  • SV-240249r879613_rule
  • SV-99929
Lighttpd's private key is used to prove the identity of the server to clients and to securely exchange the shared secret key used to encrypt communications between the web server and clients. Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web server's private key. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the encrypted traffic between a client and the web server.
Checks: C-43482r667922_chk

At the command prompt, execute the following command:

ls -al /opt/vmware/etc/lighttpd/server.pem

If the "server.pem" file is not owned by "root" or the file permissions are not "400", this is a finding.

Fix: F-43441r667923_fix

At the command prompt, execute the following commands:

chown root:root /opt/vmware/etc/lighttpd/server.pem
chmod 400 /opt/vmware/etc/lighttpd/server.pem

b
Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
IA-7 - Medium - CCI-000803 - V-240250 - SV-240250r879616_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
VRAU-LI-000245
Vuln IDs
  • V-240250
  • V-89281
Rule IDs
  • SV-240250r879616_rule
  • SV-99931
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
Checks: C-43483r667925_chk

At the command prompt, execute the following command:

grep 'ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf

If the return value for "ssl.cipher-list" is not set to "FIPS: +3DES:!aNULL", this is a finding.

Fix: F-43442r667926_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Configure the lighttpd.conf file with the following:

ssl.cipher-list = "FIPS: +3DES:!aNULL"

c
Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
SC-2 - High - CCI-001082 - V-240251 - SV-240251r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-LI-000255
Vuln IDs
  • V-240251
  • V-89283
Rule IDs
  • SV-240251r879631_rule
  • SV-99933
As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and the Lighttpd server configuration files.
Checks: C-43484r668017_chk

At the command prompt, execute the following command:

stat -c "%a %g %G %n" `find /opt/vmware/share/htdocs /opt/vmware/etc/lighttpd /opt/vmware/share/lighttpd -type f` | awk '$1 !~ /^..0/ || $3 !~ /root/ {print}'

If any files are returned, this is a finding.

Fix: F-43443r667929_fix

At the command prompt, execute the following commands:

Note: Replace <file_name> with the name of the file that was returned.

chown root:root <file_name>
chmod 640 <file_name>

Repeat the commands for each file that was returned.
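The ownership and permission check above, written as a reusable audit function. This is an added example, not part of the STIG or of vRealize Automation; it assumes GNU stat (-c), the sample tree it audits is constructed, and the required group is a parameter defaulting to root so the script can be exercised without root privileges.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit a directory tree the way the
# VRAU-LI-000255 check does (regular files must belong to group root and must
# not grant any permission to "other"). Assumes GNU stat.
#
# list_perm_findings DIR [GROUP]
#   Prints "MODE GROUP PATH" for every regular file under DIR whose group is
#   not GROUP (default: root) or whose "other" permission digit is not 0.
#   Prints nothing when the tree is compliant.
list_perm_findings() {
    dir=$1
    want_group=${2:-root}
    find "$dir" -type f -print | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")
        group=$(stat -c '%G' "$path")
        # GNU stat prints a 4-digit mode (e.g. 4640) when a setuid, setgid or
        # sticky bit is set, so take the LAST digit as the "other" permissions
        # rather than the third character that the STIG's awk regex /^..0/
        # inspects; the regex would misjudge such files.
        other=$(printf '%s' "$mode" | tail -c 1)
        if [ "$other" != 0 ] || [ "$group" != "$want_group" ]; then
            printf '%s %s %s\n' "$mode" "$group" "$path"
        fi
    done
}

# count_perm_findings DIR [GROUP]: number of noncompliant files (0 = compliant).
count_perm_findings() {
    list_perm_findings "$1" "${2:-root}" | wc -l | tr -d ' '
}

# make_sample_tree DIR: constructed sample files with a mix of modes. Only
# conf.d/b.conf (other-readable) should be reported when GROUP is the
# caller's own group.
make_sample_tree() {
    mkdir -p "$1/conf.d"
    for name in a.conf conf.d/b.conf c.conf d.conf; do
        : > "$1/$name"
    done
    chmod 640 "$1/a.conf"
    chmod 644 "$1/conf.d/b.conf"
    chmod 600 "$1/c.conf"
    chmod 4640 "$1/d.conf"   # setuid bit set: stat prints 4640, "other" is still 0
}

# Stand-alone run against a temporary tree, using the current user's group.
sample=$(mktemp -d)
make_sample_tree "$sample"
list_perm_findings "$sample" "$(id -gn)"
echo "findings: $(count_perm_findings "$sample" "$(id -gn)")"
rm -rf "$sample"
```

On the appliance itself, run it as list_perm_findings over the three directories named in the check with the default group of root.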

c
Lighttpd must have the latest version installed.
SC-2 - High - CCI-001082 - V-240252 - SV-240252r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-LI-000260
Vuln IDs
  • V-240252
  • V-89285
Rule IDs
  • SV-240252r879631_rule
  • SV-99935
Allowing malicious users the capability to traverse the server directory tree can create significant vulnerabilities. Such information and the contents of the files listed should not normally be readable by web users, as they often contain information relevant to the configuration and security of the web service. Older versions of Lighttpd, up to 1.4.34, have been found to be vulnerable to directory traversal and subsequent directory traversal exploits. See CVE-2014-2324 for details.
Checks: C-43485r667931_chk

At the command prompt, execute the following command:

/opt/vmware/sbin/vami-lighttpd -v

If the latest version of Lighttpd is not installed, this is a finding.

Fix: F-43444r667932_fix

Install the latest version.

b
The Lighttpd baseline must be maintained.
SC-24 - Medium - CCI-001190 - V-240253 - SV-240253r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-LI-000310
Vuln IDs
  • V-240253
  • V-89287
Rule IDs
  • SV-240253r879640_rule
  • SV-99937
Without maintenance of a baseline of current Lighttpd software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to Lighttpd could be the result of intentional or unintentional actions.
Checks: C-43486r667934_chk

Obtain supporting documentation from the ISSO. Determine if a software baseline is being maintained. If a baseline is not being maintained, this is a finding.

Fix: F-43445r667935_fix

Update the software baseline.

b
Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
SC-5 - Medium - CCI-001094 - V-240254 - SV-240254r879650_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
VRAU-LI-000335
Vuln IDs
  • V-240254
  • V-89289
Rule IDs
  • SV-240254r879650_rule
  • SV-99939
In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe or network connection. File descriptors index into a per-process file descriptor table maintained by the kernel, which in turn indexes into a system-wide table of files opened by all processes, called the file table. As a single-threaded server, Lighttpd must be limited in the number of file descriptors that can be allocated. This will prevent Lighttpd from being used in a form of DoS attack against the operating system.
Checks: C-43487r667937_chk

At the command prompt, execute the following command:

grep '^server.max-fds' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value for "server.max-fds" is not set to "2048", this is a finding.

Fix: F-43446r667938_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the "lighttpd.conf" file with the following:

server.max-fds = 2048

b
Lighttpd must disable directory browsing.
SI-11 - Medium - CCI-001312 - V-240255 - SV-240255r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-LI-000345
Vuln IDs
  • V-240255
  • V-89291
Rule IDs
  • SV-240255r879655_rule
  • SV-99941
If not disabled, the directory listing feature can be used to facilitate a directory traversal exploit. Directory listing must be disabled. Lighttpd provides a configuration setting, dir-listing.activate, that must be set properly in order to globally disable directory listing.
Checks: C-43488r667940_chk

At the command prompt, execute the following command:

grep '^dir-listing.activate' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value for "dir-listing.activate" is not set to "disable", this is a finding.

Fix: F-43447r667941_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the "lighttpd.conf" file with the following:

dir-listing.activate = "disable"

b
Lighttpd must not be configured to use mod_status.
SI-11 - Medium - CCI-001312 - V-240256 - SV-240256r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-LI-000350
Vuln IDs
  • V-240256
  • V-89293
Rule IDs
  • SV-240256r879655_rule
  • SV-99943
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered by the organization and development team. Lighttpd must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The mod_status module generates the status overview of the webserver. The information covers:
  • uptime
  • average throughput
  • current throughput
  • active connections and their state
While this information is useful on a development system, production systems must not have mod_status enabled.
Checks: C-43489r667943_chk

At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/'

If the "mod_status" module is listed, this is a finding.

Fix: F-43448r667944_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the "server.modules" section. In the "server.modules" section, delete the "mod_status" entry.

b
Lighttpd must have debug logging disabled.
SI-11 - Medium - CCI-001312 - V-240257 - SV-240257r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-LI-000355
Vuln IDs
  • V-240257
  • V-89295
Rule IDs
  • SV-240257r879655_rule
  • SV-99945
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. While this information is useful on a development system, production systems must not have debug logging enabled.
Checks: C-43490r667946_chk

At the command prompt, execute the following command:

grep '^debug.log-request-handling' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value for "debug.log-request-handling" is not set to "disable", this is a finding.

Fix: F-43449r667947_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the "lighttpd.conf" file with the following:

debug.log-request-handling = "disable"

c
Lighttpd must be configured to utilize the Common Information Model Object Manager.
AC-17 - High - CCI-002314 - V-240258 - SV-240258r879692_rule
RMF Control
AC-17
Severity
High
CCI
CCI-002314
Version
VRAU-LI-000370
Vuln IDs
  • V-240258
  • V-89297
Rule IDs
  • SV-240258r879692_rule
  • SV-99947
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. As the web server for the vRA Virtual Appliance Management Interface (vAMI), Lighttpd is the primary remote access management system for vRA. vRA uses CIMOM to authenticate the sysadmin and to enforce policy requirements.
Checks: C-43491r854812_chk

At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/cimom/,/}/'

Note: The return value should produce the following output:

$HTTP["url"] =~ "^/cimom" {
    proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "5488" )) )
}

If the return value does not match the above output, this is a finding.

Fix: F-43450r854813_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following:

$HTTP["url"] =~ "^/cimom" {
    proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "5488" )) )
}

b
Lighttpd must restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-240259 - SV-240259r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
VRAU-LI-000375
Vuln IDs
  • V-240259
  • V-90335
Rule IDs
  • SV-240259r879692_rule
  • SV-100985
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as for private web servers with perimeter protection devices. By restricting access from nonsecure zones through an internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server. As the web server for the vRA Virtual Appliance Management Interface (vAMI), Lighttpd is the primary remote access management system for vRA. Lighttpd must be configured to restrict inbound connections from nonsecure zones. To accomplish this, the SSL engine must be enabled. The SSL engine forces Lighttpd to only listen via secure protocols.
Checks: C-43492r854815_chk

At the command prompt, execute the following command:

grep -A 4 'remoteip' /opt/vmware/etc/lighttpd/lighttpd.conf

If the command does not return any output, this is a finding.

Note: The output should look like the following, where a.a.a.a is an allowed IP address:

$HTTP["remoteip"] !~ "a.a.a.a" {
    url.access-deny = ( "" )
}

Fix: F-43451r854816_fix

Determine the IP addresses which will be allowed to access Lighttpd. Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the "lighttpd.conf" file with the following:

$HTTP["remoteip"] !~ "a.a.a.a" {
    url.access-deny = ( "" )
}

Note: a.a.a.a is the IPv4 address provided by the ISSO. If additional IPv4 addresses are allowed, use the form shown below instead (3 addresses shown):

$HTTP["remoteip"] !~ "a.a.a.a|b.b.b.b|c.c.c.c" {
    url.access-deny = ( "" )
}

b
Lighttpd must be configured to use syslog.
AU-4 - Medium - CCI-001851 - V-240260 - SV-240260r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VRAU-LI-000400
Vuln IDs
  • V-240260
  • V-90337
Rule IDs
  • SV-240260r879731_rule
  • SV-100987
Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.
Checks: C-43493r667955_chk

At the command prompt, execute the following command:

grep 'accesslog.use-syslog' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^#

If the value for "accesslog.use-syslog" is not set to "enable" or is missing, this is a finding.

Fix: F-43452r667956_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following:

accesslog.use-syslog = "enable"
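The single-value settings and server.modules checks in the rules above (VRAU-LI-000200 through VRAU-LI-000400) can be audited in one pass rather than one grep per rule. The following script is an added example, not part of the STIG or of vRealize Automation; the lighttpd.conf it audits is a constructed sample with three deliberate deviations, and the required values are taken from the rules above.

```shell
#!/bin/sh
# Added example, not part of the STIG or of VMware's tooling: audit a
# lighttpd.conf against the single-value settings and server.modules rules in
# this section and report every deviation at once. The sample config below
# and its deviations are constructed.

# Required "key = value" pairs, exactly as the STIG expects them to appear.
REQUIRED_SETTINGS='server.max-keep-alive-idle|30
server.port|5480
ssl.engine|"enable"
ssl.cipher-list|"FIPS: +3DES:!aNULL"
server.max-fds|2048
dir-listing.activate|"disable"
debug.log-request-handling|"disable"
accesslog.use-syslog|"enable"'

# Modules that must not be loaded in server.modules.
FORBIDDEN_MODULES="mod_webdav mod_status"

# check_setting CONF KEY EXPECTED: 0 if an uncommented "KEY = EXPECTED" line
# exists (the last one wins), 1 otherwise. Whitespace around '=' is tolerated;
# a commented-out line does not count, matching the STIG's '^key' greps.
check_setting() {
    actual=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    [ "$actual" = "$3" ]
}

# module_absent CONF MODULE: 0 if MODULE is not listed in the server.modules
# block (same awk range as the STIG check, comments ignored), 1 if it is.
module_absent() {
    ! awk '/server\.modules/,/\)/' "$1" | grep -v '^[[:space:]]*#' | grep -q "\"$2\""
}

# webdav_include_absent CONF: 0 if no active include of webdav.conf exists.
webdav_include_absent() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -q 'include.*webdav\.conf'
}

# audit_lighttpd_conf CONF: print one FINDING line per deviation and return
# the number of findings (0 means every rule covered here is satisfied).
audit_lighttpd_conf() {
    findings=0
    while IFS='|' read -r key expected; do
        [ -n "$key" ] || continue
        if ! check_setting "$1" "$key" "$expected"; then
            echo "FINDING: $key is not set to $expected"
            findings=$((findings + 1))
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    for module in $FORBIDDEN_MODULES; do
        if ! module_absent "$1" "$module"; then
            echo "FINDING: $module is loaded in server.modules"
            findings=$((findings + 1))
        fi
    done
    if ! webdav_include_absent "$1"; then
        echo "FINDING: include of webdav.conf is active"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_conf PATH: constructed config with three deliberate deviations
# (keep-alive idle is 60, mod_status is loaded, webdav.conf is included).
write_sample_conf() {
    cat > "$1" <<'EOF'
server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_proxy",
    "mod_status"
)
server.port = 5480
server.max-fds = 2048
server.max-keep-alive-idle = 60
#dir-listing.activate = "enable"
dir-listing.activate = "disable"
debug.log-request-handling = "disable"
ssl.engine = "enable"
ssl.cipher-list = "FIPS: +3DES:!aNULL"
accesslog.use-syslog = "enable"
include "conf.d/webdav.conf"
EOF
}

# Stand-alone run: audit the sample config (expect three findings).
sample=$(mktemp)
write_sample_conf "$sample"
if audit_lighttpd_conf "$sample"; then
    echo "compliant"
else
    echo "findings: $?"
fi
rm -f "$sample"
```

On the appliance, call audit_lighttpd_conf /opt/vmware/etc/lighttpd/lighttpd.conf instead of the sample file; a non-zero return is the finding count.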

b
Lighttpd must be configured to use syslog.
AU-4 - Medium - CCI-001851 - V-240261 - SV-240261r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VRAU-LI-000405
Vuln IDs
  • V-240261
  • V-90339
Rule IDs
  • SV-240261r879731_rule
  • SV-100989
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-43494r667958_chk

At the command prompt, execute the following command:

grep 'accesslog.use-syslog' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^#

If the value for "accesslog.use-syslog" is not set to "enable" or is missing, this is a finding.

Fix: F-43453r667959_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following:

accesslog.use-syslog = "enable"

b
The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
AU-5 - Medium - CCI-001855 - V-240262 - SV-240262r879732_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
VRAU-LI-000410
Vuln IDs
  • V-240262
  • V-89299
Rule IDs
  • SV-240262r879732_rule
  • SV-99949
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. If log capacity were to be exceeded, then events subsequently occurring would not be recorded. Organizations shall define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., web server has exceeded 75% of log storage capacity allocated), at which time the web server or the logging mechanism the web server utilizes will provide a warning to the ISSO and SA at a minimum. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.
Checks: C-43495r667961_chk

At the command prompt, execute the following command:

grep 'accesslog.use-syslog' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^#

If the value for "accesslog.use-syslog" is not set to "enable" or is missing, this is a finding.

Fix: F-43454r667962_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the lighttpd.conf file with the following:

accesslog.use-syslog = "enable"

b
Lighttpd audit records must be mapped to a time stamp.
AU-8 - Medium - CCI-001890 - V-240263 - SV-240263r879747_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
VRAU-LI-000415
Vuln IDs
  • V-240263
  • V-89301
Rule IDs
  • SV-240263r879747_rule
  • SV-99951
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. In order to ensure that Lighttpd is correctly logging timestamps, the accesslog.format setting must be enabled.
Checks: C-43496r667964_chk

At the command prompt, execute the following command:

grep 'accesslog.format' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^#

If no value is returned or if "accesslog.format" is commented out, this is a finding.

Fix: F-43455r854821_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Note: If the accesslog.format setting was commented out with a '#' sign, remove the '#' sign.

Configure the lighttpd.conf file with the following:

accesslog.format = "%h %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\""

b
Lighttpd must record time stamps for log records to a minimum granularity of time.
AU-8 - Medium - CCI-001889 - V-240264 - SV-240264r879748_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
VRAU-LI-000420
Vuln IDs
  • V-240264
  • V-89303
Rule IDs
  • SV-240264r879748_rule
  • SV-99953
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. In order to ensure that Lighttpd is correctly logging timestamps, the accesslog.format setting must be configured correctly.
Checks: C-43497r667967_chk

At the command prompt, execute the following command:

grep 'accesslog.format' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^#

If no value is returned or if "accesslog.format" is commented out, this is a finding.

Fix: F-43456r854823_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Note: If the accesslog.format setting was commented out with a '#' sign, remove the '#' sign.

Configure the lighttpd.conf file with the following:

accesslog.format = "%h %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\""

b
Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
CM-5 - Medium - CCI-001813 - V-240265 - SV-240265r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VRAU-LI-000425
Vuln IDs
  • V-240265
  • V-89305
Rule IDs
  • SV-240265r879753_rule
  • SV-99955
As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and the Lighttpd server configuration files.
Checks: C-43498r854825_chk

At the command prompt, execute the following command:

stat -c "%a %g %G %n" `find /opt/vmware/share/htdocs /opt/vmware/etc/lighttpd /opt/vmware/share/lighttpd -type f` | awk '$1 !~ /^..0/ || $3 !~ /root/ {print}'

If any files are returned, this is a finding.

Fix: F-43457r667971_fix

At the command prompt, enter the following commands:

Note: Replace <file_name> with the name of the file that was returned.

chown root:root <file_name>
chmod 640 <file_name>

Repeat the commands for each file that was returned.

b
Lighttpd must not be configured to listen to unnecessary ports.
CM-7 - Medium - CCI-001762 - V-240266 - SV-240266r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
VRAU-LI-000430
Vuln IDs
  • V-240266
  • V-89307
Rule IDs
  • SV-240266r879756_rule
  • SV-99957
Web servers must provide the capability to disable or deactivate network-related services that are deemed non-essential to the server mission, are insecure, or are prohibited by the PPSM CAL and vulnerability assessments. Lighttpd listens on the ports specified with the server.port configuration parameter. Lighttpd listens on port 5480 to provide remote access to the Virtual Appliance Management Interface (vAMI). Lighttpd must not be configured to listen on any other port.
Checks: C-43499r667973_chk

At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '$0 ~ /server\.port/ { print }'

If any value other than "server.port=5480" is returned, this is a finding.

Fix: F-43458r667974_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Note: Do not delete the entry for "server.port=5480".

Delete all other server.port entries.

b
Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
SC-13 - Medium - CCI-002450 - V-240267 - SV-240267r879944_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VRAU-LI-000435
Vuln IDs
  • V-240267
  • V-89309
Rule IDs
  • SV-240267r879944_rule
  • SV-99959
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-43500r667976_chk

At the command prompt, execute the following command:

grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value returned is not ssl.cipher-list = "FIPS: +3DES:!aNULL" or is commented out, this is a finding.

Fix: F-43459r667977_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

ssl.cipher-list = "FIPS: +3DES:!aNULL"

b
Lighttpd must be protected from being stopped by a non-privileged user.
SC-5 - Medium - CCI-002385 - V-240268 - SV-240268r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VRAU-LI-000450
Vuln IDs
  • V-240268
  • V-89311
Rule IDs
  • SV-240268r879806_rule
  • SV-99961
An attacker has at least two reasons to stop a web server: to cause a DoS, and to activate changes the attacker has made to the web server configuration. To prevent an attacker from stopping Lighttpd, the Lighttpd process must be owned by a privileged user.
Checks: C-43501r667979_chk

At the command prompt, execute the following command:

ps -f -U root | awk '$0 ~ /vami-lighttpd/ && $0 !~ /awk/ {print}'

If the "vami-lighttpd" process is not owned by "root", this is a finding.

Fix: F-43460r667980_fix

Note: The following command must be run as root.

At the command prompt, execute the following command:

/opt/vmware/etc/init.d/vami-lighttpd restart

b
Lighttpd must be configured to use the SSL engine.
SC-8 - Medium - CCI-002418 - V-240269 - SV-240269r928837_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-LI-000460
Vuln IDs
  • V-240269
  • V-89313
Rule IDs
  • SV-240269r928837_rule
  • SV-99963
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43502r667982_chk

At the command prompt, execute the following command:

$ grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value returned for "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43461r667983_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following value:

ssl.engine = "enable"

b
Lighttpd must be configured to use the SSL engine.
SC-8 - Medium - CCI-002418 - V-240270 - SV-240270r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-LI-000465
Vuln IDs
  • V-240270
  • V-89315
Rule IDs
  • SV-240270r879810_rule
  • SV-99965
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43503r667985_chk

At the command prompt, execute the following command:

$ grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value returned for "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43462r667986_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following value:

ssl.engine = "enable"

c
Lighttpd must use an approved TLS version for encryption.
SC-8 - High - CCI-002418 - V-240271 - SV-240271r879810_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
VRAU-LI-000485
Vuln IDs
  • V-240271
  • V-89317
Rule IDs
  • SV-240271r879810_rule
  • SV-99967
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. SSL/TLS is a collection of protocols. Weaknesses have been identified with earlier SSL protocols, including SSLv2 and SSLv3, hence SSL versions 1, 2, and 3 should no longer be used. The best practice for transport layer protection is to only provide support for the TLS protocols - TLS 1.0, TLS 1.1 and TLS 1.2. This configuration will provide maximum protection against skilled and determined attackers and is appropriate for applications handling sensitive data or performing critical operations. Lighttpd must explicitly disable all of the SSL-series protocols. If these protocols are not disabled, the vRA appliance may be vulnerable to a loss of confidentiality.
Checks: C-43504r854832_chk

At the command prompt, execute the following command:

Note: The command should return two outputs: ssl.use-sslv2 and ssl.use-sslv3.

grep '^ssl.use-sslv' /opt/vmware/etc/lighttpd/lighttpd.conf

If the values returned for "ssl.use-sslv2" and "ssl.use-sslv3" are not set to "disable", this is a finding.

Fix: F-43463r667989_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the lighttpd.conf file with the following:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

b
Lighttpd must remove all export ciphers to protect transmitted information.
SC-8 - Medium - CCI-002418 - V-240272 - SV-240272r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-LI-000490
Vuln IDs
  • V-240272
  • V-89319
Rule IDs
  • SV-240272r879810_rule
  • SV-99969
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. Lighttpd replies with the cipher suite from the client's list that it will use for the session. If an attacker can intercept the submission of cipher suites to the web server and place a weak export suite as the preferred cipher suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.
Checks: C-43505r667991_chk

At the command prompt, execute the following command:

grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value returned is not ssl.cipher-list = "FIPS: +3DES:!aNULL" or is commented out, this is a finding.

Fix: F-43464r667992_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the lighttpd.conf file with the following:

ssl.cipher-list = "FIPS: +3DES:!aNULL"

b
Lighttpd must be configured to use SSL.
SC-8 - Medium - CCI-002422 - V-240273 - SV-240273r879813_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
VRAU-LI-000500
Vuln IDs
  • V-240273
  • V-89321
Rule IDs
  • SV-240273r879813_rule
  • SV-99971
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43506r667994_chk

At the command prompt, execute the following command:

$ grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value for "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43465r667995_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the lighttpd.conf file with the following value:

ssl.engine = "enable"

b
Lighttpd must have the latest approved security-relevant software updates installed.
SI-2 - Medium - CCI-002605 - V-240274 - SV-240274r879827_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
VRAU-LI-000505
Vuln IDs
  • V-240274
  • V-89323
Rule IDs
  • SV-240274r879827_rule
  • SV-99973
All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being introduced into the production version. By using the most current version of Lighttpd, the Lighttpd server will always be using the most stable and known baseline.
Checks: C-43507r667997_chk

Obtain supporting documentation from the ISSO. Determine whether Lighttpd has the latest approved security-relevant software updates installed. If the latest approved security-relevant software updates are not installed, this is a finding.

Fix: F-43466r667998_fix

Install the latest approved security-relevant software updates.

b
Lighttpd must disable IP forwarding.
CM-6 - Medium - CCI-000366 - V-240275 - SV-240275r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VRAU-LI-000515
Vuln IDs
  • V-240275
  • V-89325
Rule IDs
  • SV-240275r879887_rule
  • SV-99975
IP forwarding permits Lighttpd to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. Lighttpd is not implemented as a router. With the url.redirect configuration parameter, Lighttpd can be configured to forward IPv4 packets. This configuration parameter is prohibited, unless Lighttpd is redirecting packets to localhost, 127.0.0.1.
Checks: C-43508r668000_chk

At the command prompt, execute the following command:

grep -E 'url\.redirect' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v '^#'

If any values are returned, this is a finding.

Fix: F-43467r668001_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

In the "lighttpd.conf" file, delete all of the returned lines containing url.redirect.
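As an added example (not VMware's or DISA's code), the following Python script applies the lighttpd.conf checks from the rules above (syslog access logging, accesslog.format, server.port, ssl.engine, ssl.cipher-list, ssl.use-sslv2/ssl.use-sslv3 and url.redirect) to a configuration file offline, so all of the findings can be reproduced in one pass instead of one grep per rule. The two sample configurations are constructed for illustration.

```python
"""Added example (not VMware or DISA code): audit a lighttpd.conf against the
vRA Lighttpd STIG checks quoted on this page. Sample configs are constructed."""
import re

# "key = value" or "key += value"; one surrounding pair of quotes is stripped from the value.
_ASSIGN = re.compile(r'^\s*([\w.\-]+)\s*\+?=\s*"?(.*?)"?\s*$')

# Settings that must hold exactly one value, tagged with the page's rule Version IDs.
REQUIRED_EXACT = {
    "accesslog.use-syslog": ("enable", "VRAU-LI-000410"),
    "ssl.engine": ("enable", "VRAU-LI-000460"),
    "ssl.use-sslv2": ("disable", "VRAU-LI-000485"),
    "ssl.use-sslv3": ("disable", "VRAU-LI-000485"),
    "ssl.cipher-list": ("FIPS: +3DES:!aNULL", "VRAU-LI-000435"),
}

def parse_conf(text: str) -> dict[str, list[str]]:
    """Collect active assignments; lines starting with '#' are skipped like 'grep -v ^#'."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#") or not (m := _ASSIGN.match(raw)):
            continue
        settings.setdefault(m.group(1), []).append(m.group(2))  # a key may repeat
    return settings

def audit(settings: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (rule, reason) findings; an empty list means no findings."""
    findings: list[tuple[str, str]] = []
    for key, (want, rule) in REQUIRED_EXACT.items():
        vals = settings.get(key, [])
        if not vals:
            findings.append((rule, f"{key} is missing or commented out"))
        elif any(v != want for v in vals):
            findings.append((rule, f'{key} is {vals}, expected "{want}"'))
    # VRAU-LI-000415/000420: an active accesslog.format carries the %t time stamp.
    if not settings.get("accesslog.format"):
        findings.append(("VRAU-LI-000415", "accesslog.format is missing or commented out"))
    # VRAU-LI-000430: port 5480 (vAMI) is the only permitted listener.
    for port in settings.get("server.port", []):
        if port != "5480":
            findings.append(("VRAU-LI-000430", f"server.port = {port} is not permitted"))
    # VRAU-LI-000515: any active url.redirect entry is a finding.
    if any(k.startswith("url.redirect") for k in settings):
        findings.append(("VRAU-LI-000515", "url.redirect is configured"))
    return findings

# Constructed sample configs (not copied from a real appliance).
COMPLIANT_CONF = """\
server.port = 5480
accesslog.use-syslog = "enable"
accesslog.format = "%h %l %u %t \\"%r\\" %b %>s \\"%{User-Agent}i\\" \\"%{Referer}i\\""
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "FIPS: +3DES:!aNULL"
"""
WEAK_CONF = """\
server.port = 8080
#accesslog.use-syslog = "enable"
ssl.engine = "enable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ALL:!aNULL"
url.redirect = ( "^/legacy/" => "/new/" )
"""
```

Running `audit(parse_conf(open("/opt/vmware/etc/lighttpd/lighttpd.conf").read()))` on an appliance lists every rule that would be a finding; `audit(parse_conf(WEAK_CONF))` reports six.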

c
The version of vRealize Automation 7.x Lighttpd running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-258452 - SV-258452r928883_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
VRAU-LI-009999
Vuln IDs
  • V-258452
Rule IDs
  • SV-258452r928883_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-62192r928882_chk

vRealize Automation 7.x Lighttpd is no longer supported by the vendor. If the system is running vRealize Automation 7.x Lighttpd, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.