Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide

V1R2 · · · Released 25 Oct 2023 · 62 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 28 Sep 2018 +62 −62

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 62

  • V-240215 Medium Lighttpd must limit the number of simultaneous requests.
  • V-240216 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-240217 Medium Lighttpd must be configured to use the SSL engine.
  • V-240218 Medium Lighttpd must be configured to use mod_accesslog.
  • V-240219 Medium Lighttpd must generate log records for system startup and shutdown.
  • V-240220 Medium Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
  • V-240221 Medium Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
  • V-240222 Medium Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
  • V-240223 Medium Lighttpd must produce log records containing sufficient information to establish the source of events.
  • V-240224 Medium Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
  • V-240225 Medium Lighttpd must have the correct ownership on the log files to ensure they are only be accessible by privileged users.
  • V-240226 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are only be accessible by privileged users.
  • V-240227 Medium Lighttpd must have the correct permissions on the log files to ensure they are only be accessible by privileged users.
  • V-240228 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
  • V-240229 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
  • V-240230 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
  • V-240231 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
  • V-240232 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
  • V-240233 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
  • V-240234 Medium Lighttpd log data and records must be backed up onto a different system or media.
  • V-240235 Medium Lighttpd files must be verified for their integrity before being added to a production web server.
  • V-240236 Medium Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
  • V-240237 Medium Lighttpd must prohibit unnecessary services, functions or processes.
  • V-240238 Medium Lighttpd proxy settings must be configured.
  • V-240239 High Lighttpd must only contain components that are operationally necessary.
  • V-240240 Medium Lighttpd must have MIME types for csh or sh shell programs disabled.
  • V-240241 Medium Lighttpd must only enable mappings to necessary and approved scripts.
  • V-240242 Medium Lighttpd must have resource mappings set to disable the serving of certain file types.
  • V-240243 Medium Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
  • V-240244 Medium Lighttpd must not have the webdav configuration file included.
  • V-240245 Medium Lighttpd must prevent hosted applications from exhausting system resources.
  • V-240246 High Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
  • V-240247 Medium Lighttpd must be configured to use port 5480.
  • V-240248 Medium Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
  • V-240249 Medium Lighttpd must have private key access restricted.
  • V-240250 Medium Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
  • V-240251 High Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
  • V-240252 High Lighttpd must have the latest version installed.
  • V-240253 Medium The Lighttpd baseline must be maintained.
  • V-240254 Medium Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
  • V-240255 Medium Lighttpd must disable directory browsing.
  • V-240256 Medium Lighttpd must not be configured to use mod_status.
  • V-240257 Medium Lighttpd must have debug logging disabled.
  • V-240258 High Lighttpd must be configured to utilize the Common Information Model Object Manager.
  • V-240259 Medium Lighttpd must restrict inbound connections from nonsecure zones.
  • V-240260 Medium Lighttpd must be configured to use syslog.
  • V-240261 Medium Lighttpd must be configured to use syslog.
  • V-240262 Medium The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
  • V-240263 Medium Lighttpd audit records must be mapped to a time stamp.
  • V-240264 Medium Lighttpd must record time stamps for log records to a minimum granularity of time.
  • V-240265 Medium Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
  • V-240266 Medium Lighttpd must not be configured to listen to unnecessary ports.
  • V-240267 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-240268 Medium Lighttpd must be protected from being stopped by a non-privileged user.
  • V-240269 Medium Lighttpd must be configured to use the SSL engine.
  • V-240270 Medium Lighttpd must be configured to use the SSL engine.
  • V-240271 High Lighttpd must use an approved TLS version for encryption.
  • V-240272 Medium Lighttpd must remove all export ciphers to transmitted information.
  • V-240273 Medium Lighttpd must be configured to use SSL.
  • V-240274 Medium Lighttpd must have the latest approved security-relevant software updates installed.
  • V-240275 Medium Lighttpd must disable IP forwarding.
  • V-258452 High The version of vRealize Automation 7.x Lighttpd running on the system must be a supported version.

Removed rules 62

  • V-89219 Medium Lighttpd must limit the number of simultaneous requests.
  • V-89221 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-89223 Medium Lighttpd must be configured to use the SSL engine.
  • V-89225 Medium Lighttpd must be configured to use mod_accesslog.
  • V-89227 Medium Lighttpd must generate log records for system startup and shutdown.
  • V-89229 Medium Lighttpd must capture, record, and log the IP address associated with a user session.
  • V-89231 Medium Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
  • V-89233 Medium Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
  • V-89235 Medium Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
  • V-89237 Medium Lighttpd must produce log records containing sufficient information to establish the source of events.
  • V-89239 Medium Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
  • V-89241 Medium Lighttpd must have the correct ownership on the log files to ensure they are only be accessible by privileged users.
  • V-89243 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are only be accessible by privileged users.
  • V-89245 Medium Lighttpd must have the correct permissions on the log files to ensure they are only be accessible by privileged users.
  • V-89247 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
  • V-89249 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
  • V-89251 Medium Lighttpd log data and records must be backed up onto a different system or media.
  • V-89253 Medium Lighttpd files must be verified for their integrity before being added to a production web server.
  • V-89255 Medium Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
  • V-89257 Medium Lighttpd must prohibit unnecessary services, functions or processes.
  • V-89259 High Lighttpd must only contain components that are operationally necessary.
  • V-89261 Medium Lighttpd must have MIME types for csh or sh shell programs disabled.
  • V-89263 Medium Lighttpd must only enable mappings to necessary and approved scripts.
  • V-89265 Medium Lighttpd must have resource mappings set to disable the serving of certain file types.
  • V-89267 Medium Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
  • V-89269 Medium Lighttpd must not have the webdav configuration file included.
  • V-89271 Medium Lighttpd must prevent hosted applications from exhausting system resources.
  • V-89273 High Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
  • V-89275 Medium Lighttpd must be configured to use port 5480.
  • V-89277 Medium Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
  • V-89279 Medium Lighttpd must have private key access restricted.
  • V-89281 Medium Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
  • V-89283 High Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
  • V-89285 High Lighttpd must have the latest version installed.
  • V-89287 Medium The Lighttpd baseline must be maintained.
  • V-89289 Medium Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
  • V-89291 Medium Lighttpd must disable directory browsing.
  • V-89293 Medium Lighttpd must not be configured to use mod_status.
  • V-89295 Medium Lighttpd must have debug logging disabled.
  • V-89297 High Lighttpd must be configured to utilize the Common Information Model Object Manager.
  • V-89299 Medium The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
  • V-89301 Medium Lighttpd audit records must be mapped to a time stamp.
  • V-89303 Medium Lighttpd must record time stamps for log records to a minimum granularity of time.
  • V-89305 Medium Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
  • V-89307 Medium Lighttpd must not be configured to listen to unnecessary ports.
  • V-89309 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
  • V-89311 Medium Lighttpd must be protected from being stopped by a non-privileged user.
  • V-89313 Medium Lighttpd must be configured to use the SSL engine.
  • V-89315 Medium Lighttpd must be configured to use the SSL engine.
  • V-89317 High Lighttpd must use an approved TLS version for encryption.
  • V-89319 Medium Lighttpd must remove all export ciphers to transmitted information.
  • V-89321 Medium Lighttpd must be configured to use SSL.
  • V-89323 Medium Lighttpd must have the latest approved security-relevant software updates installed.
  • V-89325 Medium Lighttpd must disable IP forwarding.
  • V-90325 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
  • V-90327 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
  • V-90329 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
  • V-90331 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
  • V-90333 Medium Lighttpd proxy settings must be configured.
  • V-90335 Medium Lighttpd must restrict inbound connections from nonsecure zones.
  • V-90337 Medium Lighttpd must be configured to use syslog.
  • V-90339 Medium Lighttpd must be configured to use syslog.
Sort by
b
Lighttpd must limit the number of simultaneous requests.
AC-10 - Medium - CCI-000054 - V-240215 - SV-240215r879511_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
VRAU-LI-000005
Vuln IDs
  • V-240215
  • V-89219
Rule IDs
  • SV-240215r879511_rule
  • SV-99869
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Lighttpd is used for administrative purposes only. Lighttpd provides the maxConnections attribute of the to limit the number of concurrent TCP connections.
Checks: C-43448r667820_chk

At the command prompt, execute the following command: grep 'server.max-connections = 1024' /opt/vmware/etc/lighttpd/lighttpd.conf If the "server.max-connections" is not set to "1024", commented out, or does not exist, this is a finding.

Fix: F-43407r667821_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following value: server.max-connections = 1024

b
Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
AC-17 - Medium - CCI-000068 - V-240216 - SV-240216r879519_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
VRAU-LI-000015
Vuln IDs
  • V-240216
  • V-89221
Rule IDs
  • SV-240216r879519_rule
  • SV-99871
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-43449r667823_chk

At the command prompt, execute the following command: grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the value ssl.cipher-list = "FIPS: +3DES:!aNULL" is not returned or commented out, this is a finding.

Fix: F-43408r667824_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: ssl.cipher-list = "FIPS: +3DES:!aNULL"

b
Lighttpd must be configured to use the SSL engine.
AC-17 - Medium - CCI-001453 - V-240217 - SV-240217r879520_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
VRAU-LI-000020
Vuln IDs
  • V-240217
  • V-89223
Rule IDs
  • SV-240217r879520_rule
  • SV-99873
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43450r667826_chk

At the command prompt, execute the following command: grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43409r667827_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following value: ssl.engine = "enable"

b
Lighttpd must be configured to use mod_accesslog.
AC-17 - Medium - CCI-000067 - V-240218 - SV-240218r879521_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
VRAU-LI-000025
Vuln IDs
  • V-240218
  • V-89225
Rule IDs
  • SV-240218r879521_rule
  • SV-99875
Lighttpd is the administration panel for vRealize Automation. Because it is intended to provide remote access to the appliance, vRA must provide remote access information to external monitoring systems. mod_accesslog is the module in Lighttpd that configures Lighttpd to share information with external monitoring systems.
Checks: C-43451r667829_chk

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/' If the value "mod_accesslog" is not listed, this is a finding.

Fix: F-43410r667830_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Navigate to and configure the "server.modules" section with the following value: mod_accesslog

b
Lighttpd must generate log records for system startup and shutdown.
AU-12 - Medium - CCI-000169 - V-240219 - SV-240219r879559_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
VRAU-LI-000035
Vuln IDs
  • V-240219
  • V-89227
Rule IDs
  • SV-240219r879559_rule
  • SV-99877
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. Lighttpd records system event information in the error.log file. Included in the file is system start and stop events.
Checks: C-43452r667832_chk

At the command prompt, execute the following command: egrep 'server\sstarted|server\sstopped' /opt/vmware/var/log/lighttpd/error.log If server stopped and server started times are not listed, this is a finding.

Fix: F-43411r667833_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: server.errorlog = log_root + "/error.log"

b
Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-240220 - SV-240220r879563_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
VRAU-LI-000050
Vuln IDs
  • V-240220
  • V-89231
Rule IDs
  • SV-240220r879563_rule
  • SV-99881
Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures logs all user session information related to the hosted application session. This will enable forensic analysis of server events in case of malicious event.
Checks: C-43453r667835_chk

At the command prompt, execute the following command: tail -n 4 /opt/vmware/var/log/lighttpd/access.log If the GET or POST events do not exist in the access.log file, this is a finding.

Fix: F-43412r667836_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: $HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" { accesslog.filename = log_root + "/access.log" }

b
Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
AU-3 - Medium - CCI-000131 - V-240221 - SV-240221r879564_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
VRAU-LI-000055
Vuln IDs
  • V-240221
  • V-89233
Rule IDs
  • SV-240221r879564_rule
  • SV-99883
Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures logs all user session information related to the hosted application session. This will enable forensic analysis of server events in case of malicious event.
Checks: C-43454r667838_chk

At the command prompt, execute the following command: tail -n 1 /opt/vmware/var/log/lighttpd/access.log If the generated log records do not have date and time data, this is a finding.

Fix: F-43413r667839_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: $HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" { accesslog.filename = log_root + "/access.log" }

b
Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
AU-3 - Medium - CCI-000132 - V-240222 - SV-240222r879565_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
VRAU-LI-000060
Vuln IDs
  • V-240222
  • V-89235
Rule IDs
  • SV-240222r879565_rule
  • SV-99885
Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures logs all user session information related to the hosted application session. This will enable forensic analysis of server events in case of malicious event.
Checks: C-43455r667841_chk

At the command prompt, execute the following command: tail -n 1 /opt/vmware/var/log/lighttpd/access.log If any of the generated audit records are without sufficient information to establish where the event occurred, this is a finding.

Fix: F-43414r667842_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: $HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" { accesslog.filename = log_root + "/access.log" }

b
Lighttpd must produce log records containing sufficient information to establish the source of events.
AU-3 - Medium - CCI-000133 - V-240223 - SV-240223r879566_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
VRAU-LI-000065
Vuln IDs
  • V-240223
  • V-89237
Rule IDs
  • SV-240223r879566_rule
  • SV-99887
Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures logs all user session information related to the hosted application session. This will enable forensic analysis of server events in case of malicious event.
Checks: C-43456r667844_chk

At the command prompt, execute the following command: tail -n 4 /opt/vmware/var/log/lighttpd/access.log If any of the generated audit records are without sufficient information to establish the source of the events, this is a finding.

Fix: F-43415r667845_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: $HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" { accesslog.filename = log_root + "/access.log" }

b
Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-240224 - SV-240224r879567_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
VRAU-LI-000075
Vuln IDs
  • V-240224
  • V-89239
Rule IDs
  • SV-240224r879567_rule
  • SV-99889
Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. Lighttpd logs user activity in the access.log file using the Common Log Format (CLF). The CLF format, a World Wide Web Consortium standard, captures logs all user session information related to the hosted application session. This will enable forensic analysis of server events in case of malicious event.
Checks: C-43457r668003_chk

At the command prompt, execute the following command: Note: The HTTP status code indicating success or failure is a 3-digit integer immediately after "HTTP/1.1". Any value other than a 3-digit code immediately following "HTTP/1.1" is a failure of the logging process. tail -n 4 /opt/vmware/var/log/lighttpd/access.log If any of the generated audit records are without sufficient information to establish the outcome of the event (success or failure), this is a finding.

Fix: F-43416r667848_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the "lighttpd.conf" file with the following: $HTTP["url"] !~ "(.css|.jpg|.gif|.png|.ico)$" { accesslog.filename = log_root + "/access.log" }

b
Lighttpd must have the correct ownership on the log files to ensure they are only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240225 - SV-240225r879576_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
VRAU-LI-000095
Vuln IDs
  • V-240225
  • V-89241
Rule IDs
  • SV-240225r879576_rule
  • SV-99891
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must only be accessible by privileged users.
Checks: C-43458r667850_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If the owner is not "root", this is a finding.

Fix: F-43417r667851_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct group-ownership on the log files to ensure they are only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240226 - SV-240226r879576_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
VRAU-LI-000100
Vuln IDs
  • V-240226
  • V-89243
Rule IDs
  • SV-240226r879576_rule
  • SV-99893
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must only be accessible by privileged users.
Checks: C-43459r667853_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If the group-owner is not "root", this is a finding.

Fix: F-43418r667854_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct permissions on the log files to ensure they are only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240227 - SV-240227r879576_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
VRAU-LI-000105
Vuln IDs
  • V-240227
  • V-89245
Rule IDs
  • SV-240227r879576_rule
  • SV-99895
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must only be accessible by privileged users.
Checks: C-43460r667856_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If permissions on the log files are not "-rw-r----- (640)", this is a finding.

Fix: F-43419r667857_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240228 - SV-240228r879577_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
VRAU-LI-000110
Vuln IDs
  • V-240228
  • V-89247
Rule IDs
  • SV-240228r879577_rule
  • SV-99897
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized modification.
Checks: C-43461r667859_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If the owner is not "root", this is a finding.

Fix: F-43420r667860_fix

At the command prompt, enter the following commands: chown root:root /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240229 - SV-240229r879577_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
VRAU-LI-000115
Vuln IDs
  • V-240229
  • V-90325
Rule IDs
  • SV-240229r879577_rule
  • SV-100975
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized modification.
Checks: C-43462r667862_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If the group-owner is not "root", this is a finding.

Fix: F-43421r667863_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240230 - SV-240230r879577_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
VRAU-LI-000120
Vuln IDs
  • V-240230
  • V-90327
Rule IDs
  • SV-240230r879577_rule
  • SV-100977
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized modification.
Checks: C-43463r667865_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If permissions on the log files are not "-rw-r----- (640)", this is a finding.

Fix: F-43422r667866_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240231 - SV-240231r879578_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
VRAU-LI-000125
Vuln IDs
  • V-240231
  • V-89249
Rule IDs
  • SV-240231r879578_rule
  • SV-99899
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized deletion.
Checks: C-43464r667868_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If the owner is not "root", this is a finding.

Fix: F-43423r667869_fix

At the command prompt, enter the following commands: chown root:root /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240232 - SV-240232r879578_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
VRAU-LI-000130
Vuln IDs
  • V-240232
  • V-90329
Rule IDs
  • SV-240232r879578_rule
  • SV-100979
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized deletion.
Checks: C-43465r667871_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If the group-owner is not "root", this is a finding.

Fix: F-43424r667872_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240233 - SV-240233r879578_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
VRAU-LI-000135
Vuln IDs
  • V-240233
  • V-90331
Rule IDs
  • SV-240233r879578_rule
  • SV-100981
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. Lighttpd creates its own logs. It does not use an external log system. The Lighttpd log must be protected from unauthorized deletion.
Checks: C-43466r667874_chk

At the command prompt, execute the following command: ls -l /opt/vmware/var/log/lighttpd/*.log If permissions on the log files are not "-rw-r----- (640)", this is a finding.

Fix: F-43425r667875_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/var/log/lighttpd/*.log

b
Lighttpd log data and records must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-240234 - SV-240234r879582_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
VRAU-LI-000140
Vuln IDs
  • V-240234
  • V-89251
Rule IDs
  • SV-240234r879582_rule
  • SV-99901
Protection of Lighttpd log data includes assuring log data is not accidentally lost or deleted. Backing up Lighttpd log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Checks: C-43467r668005_chk

Obtain supporting documentation from the ISSO. Determine whether log data and records are being backed up to a different system or separate media. If log data and records are not being backed up to a different system or separate media, this is a finding.

Fix: F-43426r667878_fix

Backup the log data and records to a different system or separate media.

b
Lighttpd files must be verified for their integrity before being added to a production web server.
CM-5 - Medium - CCI-001749 - V-240235 - SV-240235r879584_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
VRAU-LI-000145
Vuln IDs
  • V-240235
  • V-89253
Rule IDs
  • SV-240235r879584_rule
  • SV-99903
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. The Lighttpd web server files on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
Checks: C-43468r854808_chk

Obtain supporting documentation from the ISSO. Determine whether web server files are verified/validated before being implemented into the production environment. If the web server files are not verified or validated before being implemented into the production environment, this is a finding.

Fix: F-43427r667881_fix

Verify or validate the web server files for integrity before being implemented the production environment.

b
Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
CM-5 - Medium - CCI-001749 - V-240236 - SV-240236r879584_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
VRAU-LI-000150
Vuln IDs
  • V-240236
  • V-89255
Rule IDs
  • SV-240236r879584_rule
  • SV-99905
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. Expansion modules that are installed on the production Lighttpd web server on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
Checks: C-43469r854810_chk

Obtain supporting documentation from the ISSO. Determine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment. If the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-43428r667884_fix

Review, test, and sign expansion modules before being implemented into the production environment.

b
Lighttpd must prohibit unnecessary services, functions or processes.
CM-7 - Medium - CCI-000381 - V-240237 - SV-240237r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000160
Vuln IDs
  • V-240237
  • V-89257
Rule IDs
  • SV-240237r879587_rule
  • SV-99907
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks.
Checks: C-43470r667886_chk

Obtain supporting documentation from the ISSO. Determine if any unnecessary services, functions or processes are running on the web server. If any unnecessary services, functions or processes are running on the web server, this is a finding.

Fix: F-43429r667887_fix

Remove or disable any unnecessary services, functions or processes.

b
Lighttpd proxy settings must be configured.
CM-7 - Medium - CCI-000381 - V-240238 - SV-240238r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000165
Vuln IDs
  • V-240238
  • V-90333
Rule IDs
  • SV-240238r879587_rule
  • SV-100983
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-43471r668031_chk

At the command prompt, execute the following command: grep -A 6 -B 1 proxy.server /opt/vmware/etc/lighttpd/lighttpd.conf If the proxy.server "host" value is not set to "127.0.0.1" and the proxy.server "port" value is not set to "5488", this is a finding.

Fix: F-43430r668032_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Navigate to proxy.server. Set the proxy.server "host" value to "127.0.0.1" and the proxy.server "port" value to "5488". Note: The proxy.server section should look like this when it is configured: $HTTP["url"] =~ "^/cimom" { proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "5488" )) ) }

c
Lighttpd must only contain components that are operationally necessary.
CM-7 - High - CCI-000381 - V-240239 - SV-240239r879587_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
VRAU-LI-000170
Vuln IDs
  • V-240239
  • V-89259
Rule IDs
  • SV-240239r879587_rule
  • SV-99909
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-43472r668011_chk

Obtain supporting documentation from the ISSO. Determine if web server documentation, sample code, example applications, or tutorials has been deleted or removed and only contains components that are operationally necessary. If web server documentation, sample code, example applications, or tutorials has not been deleted or removed and contains components that are not operationally necessary, this is a finding.

Fix: F-43431r667893_fix

Delete or remove any documentation, sample code, example applications, tutorials and any components that are not operationally necessary.

b
Lighttpd must have MIME types for csh or sh shell programs disabled.
CM-7 - Medium - CCI-000381 - V-240240 - SV-240240r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000185
Vuln IDs
  • V-240240
  • V-89261
Rule IDs
  • SV-240240r879587_rule
  • SV-99911
Users must not be allowed to access the shell programs. Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized in the context of the Security Features User's Guide. Lighttpd must be configured to disable MIME types for csh or sh shell programs.
Checks: C-43473r667895_chk

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | egrep '".sh"|".csh"' If the command returns any value, this is a finding.

Fix: F-43432r667896_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Delete any line(s) that return the value of csh or sh.

b
Lighttpd must only enable mappings to necessary and approved scripts.
CM-7 - Medium - CCI-000381 - V-240241 - SV-240241r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000190
Vuln IDs
  • V-240241
  • V-89263
Rule IDs
  • SV-240241r879587_rule
  • SV-99913
Lighttpd will only allow or deny script execution based on file extension. The ability to control script execution is controlled with the cgi.assign variable in lighttpd.conf. For script mappings, the ISSO must document and approve all allowable file extensions the web site allows (whitelist). The whitelist will be compared to the script mappings in Lighttpd.
Checks: C-43474r668013_chk

Obtain supporting documentation from the ISSO. Determine the scripts that are deemed necessary and approved (whitelist). Note: Lighttpd provides the cgi.assign parameter to specify script mappings. Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the cgi.assign parameter. If cgi.assign parameter is configured with script types that are deemed for denial, this is a finding.

Fix: F-43433r667899_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the cgi.assign parameter. Configure the cgi.assign parameter with the scripts that are deemed necessary and approved (whitelisted).

b
Lighttpd must have resource mappings set to disable the serving of certain file types.
CM-7 - Medium - CCI-000381 - V-240242 - SV-240242r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000195
Vuln IDs
  • V-240242
  • V-89265
Rule IDs
  • SV-240242r879587_rule
  • SV-99915
Resource mapping is the process of tying a particular file type to a process in Lighttpd that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. Lighttpd provides the url.access-deny parameter to specify a blacklist of file types which should be denied.
Checks: C-43475r668015_chk

Obtain supporting documentation from the ISSO. Determine the file types (blacklist) that are deemed for denial. Note: Lighttpd provides the url.access-deny parameter to specify the blacklist of files. Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the url.access-deny parameter. If url.access-deny parameter is not configured with the file types that are blacklisted, this is a finding. If url.access-deny parameter is not set properly, this is a finding.

Fix: F-43434r667902_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the url.access-deny parameter. Configure the url.access-deny parameter with the file types that are blacklisted.

b
Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
CM-7 - Medium - CCI-000381 - V-240243 - SV-240243r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000200
Vuln IDs
  • V-240243
  • V-89267
Rule IDs
  • SV-240243r879587_rule
  • SV-99917
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality, development, and deployment is much easier for web authors. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server. Lighttpd uses the mod_webdav module to provide WebDAV services. This module must not be installed.
Checks: C-43476r667904_chk

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/' If the value "mod_webdav" module is listed, this is a finding.

Fix: F-43435r667905_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the server.modules section. In the server.modules section, delete the "mod_webdav" entry.

b
Lighttpd must not have the webdav configuration file included.
CM-7 - Medium - CCI-000381 - V-240244 - SV-240244r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000205
Vuln IDs
  • V-240244
  • V-89269
Rule IDs
  • SV-240244r879587_rule
  • SV-99919
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality, development, and deployment is much easier for web authors. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server. The Lighttpd configuration file uses the 'include' statement to include other configuration files. The default lighttpd.conf file contains a reference to include a webdav.conf file, and it is possible for the WebDAV module to be loaded in other files.
Checks: C-43477r667907_chk

At the command prompt, execute the following command: grep 'webdav.conf' /opt/vmware/etc/lighttpd/lighttpd.conf If the return value is an include statement and it is not commented out, this is a finding.

Fix: F-43436r667908_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Delete or comment out the include "conf.d/webdav.conf" statement.

b
Lighttpd must prevent hosted applications from exhausting system resources.
CM-7 - Medium - CCI-000381 - V-240245 - SV-240245r879587_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
VRAU-LI-000210
Vuln IDs
  • V-240245
  • V-89271
Rule IDs
  • SV-240245r879587_rule
  • SV-99921
When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. Applications and application developers must take the steps needed to ensure users cannot use these applications to launch DoS attacks against other systems and networks. An example would be preventing Lighttpd from keeping idle connections open for too long.
Checks: C-43478r667910_chk

At the command prompt, execute the following command: grep '^server.max-keep-alive-idle' /opt/vmware/etc/lighttpd/lighttpd.conf If the "server.max-keep-alive-idle" is not set to "30", this is a finding.

Fix: F-43437r667911_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the lighttpd.conf file with the following: server.max-keep-alive-idle = 30

c
Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
CM-7 - High - CCI-000381 - V-240246 - SV-240246r879587_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
VRAU-LI-000215
Vuln IDs
  • V-240246
  • V-89273
Rule IDs
  • SV-240246r879587_rule
  • SV-99923
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the Lighttpd could be allowed to access locations on the server that are outside the scope of the hosted application document root or home directory.
Checks: C-43479r667913_chk

At the command prompt, execute the following command: find /opt/vmware/share/htdocs -type l If any files are listed, this is a finding.

Fix: F-43438r667914_fix

At the command prompt, enter the following commands: Note: Replace <file_name> for the name of any files that were returned. unlink <file_name> Repeat the commands for each file that was listed.

b
Lighttpd must be configured to use port 5480.
CM-7 - Medium - CCI-000382 - V-240247 - SV-240247r879588_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
VRAU-LI-000220
Vuln IDs
  • V-240247
  • V-89275
Rule IDs
  • SV-240247r879588_rule
  • SV-99925
Lighttpd is used as the web server for vRealize Automation's Virtual Appliance Management Interface (vAMI). To segregate appliance management from appliance operation, Lighttpd can be configured to listen on a separate port. Port 5488 is the recommended port setting.
Checks: C-43480r667916_chk

At the command prompt, execute the following command: grep '^server.port' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "server.port" is not "5480", this is a finding.

Fix: F-43439r667917_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the lighttpd.conf file with the following: server.port = 5480

b
Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
IA-5 - Medium - CCI-000197 - V-240248 - SV-240248r879609_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
VRAU-LI-000225
Vuln IDs
  • V-240248
  • V-89277
Rule IDs
  • SV-240248r879609_rule
  • SV-99927
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate the vAMI admin must be sent to Lighttpd via SSL/TLS. To ensure that Lighttpd is using SSL/TLS, the ssl.engine must be enabled.
Checks: C-43481r667919_chk

At the command prompt, execute the following command: grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43440r667920_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the lighttpd.conf file with the following: ssl.engine = "enable"

b
Lighttpd must have private key access restricted.
IA-5 - Medium - CCI-000186 - V-240249 - SV-240249r879613_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000186
Version
VRAU-LI-000235
Vuln IDs
  • V-240249
  • V-89279
Rule IDs
  • SV-240249r879613_rule
  • SV-99929
Lighttpd's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the encrypted traffic between a client and the web server.
Checks: C-43482r667922_chk

At the command prompt, execute the following command: ls -al /opt/vmware/etc/lighttpd/server.pem If the "server.pem" file is not owned by "root" or the file permissions are not "400", this is a finding.

Fix: F-43441r667923_fix

At the command prompt, execute the following commands: chown root:root /opt/vmware/etc/lighttpd/server.pem chmod 400 /opt/vmware/etc/lighttpd/server.pem

b
Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
IA-7 - Medium - CCI-000803 - V-240250 - SV-240250r879616_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
VRAU-LI-000245
Vuln IDs
  • V-240250
  • V-89281
Rule IDs
  • SV-240250r879616_rule
  • SV-99931
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
Checks: C-43483r667925_chk

At the command prompt, execute the following command: grep 'ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the return value for "ssl.cipher-list" is not set to "FIPS: +3DES:!aNULL", this is a finding.

Fix: F-43442r667926_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the lighttpd.conf file with the following: ssl.cipher-list = "FIPS: +3DES:!aNULL"

c
Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
SC-2 - High - CCI-001082 - V-240251 - SV-240251r879631_rule
RMF Control
SC-2
Severity
H
CCI
CCI-001082
Version
VRAU-LI-000255
Vuln IDs
  • V-240251
  • V-89283
Rule IDs
  • SV-240251r879631_rule
  • SV-99933
As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and the Lighttpd server configuration files.
Checks: C-43484r668017_chk

At the command prompt, execute the following command: stat -c "%a %g %G %n" `find /opt/vmware/share/htdocs /opt/vmware/etc/lighttpd /opt/vmware/share/lighttpd -type f` | awk '$1 !~ /^..0/ || $3 !~ /root/ {print}' If any files are returned, this is a finding.

Fix: F-43443r667929_fix

At the command prompt, execute the following commands: Note: Replace <file_name> for the name of the file that was returned. chown root:root <file_name> chmod 640 <file_name> Repeat the commands for each file that was returned.

c
Lighttpd must have the latest version installed.
SC-2 - High - CCI-001082 - V-240252 - SV-240252r879631_rule
RMF Control
SC-2
Severity
H
CCI
CCI-001082
Version
VRAU-LI-000260
Vuln IDs
  • V-240252
  • V-89285
Rule IDs
  • SV-240252r879631_rule
  • SV-99935
Allowing malicious users the capability to traverse server directory tree can create significant vulnerabilities. Such information and the contents of files listed should not be normally readable by the web users as they often contain information relevant to the configuration and security of the web service. Older version of Lighttpd, up to 1.4.34, have been found to be vulnerable to directory traversal and subsequent directory traversal exploits. See CVE-2014-2324 for details.
Checks: C-43485r667931_chk

At the command prompt, execute the following command: /opt/vmware/sbin/vami-lighttpd -v If the Lighttpd version does not have the latest version installed, this is a finding.

Fix: F-43444r667932_fix

Install the latest version.

b
The Lighttpd baseline must be maintained.
SC-24 - Medium - CCI-001190 - V-240253 - SV-240253r879640_rule
RMF Control
SC-24
Severity
M
CCI
CCI-001190
Version
VRAU-LI-000310
Vuln IDs
  • V-240253
  • V-89287
Rule IDs
  • SV-240253r879640_rule
  • SV-99937
Without maintenance of a baseline of current Lighttpd software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to Lighttpd could be the result of intentional or unintentional actions.
Checks: C-43486r667934_chk

Obtain supporting documentation from the ISSO. Determine if a software baseline is being maintained. If a baseline is not being maintained, this is a finding.

Fix: F-43445r667935_fix

Update the software baseline.

b
Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
SC-5 - Medium - CCI-001094 - V-240254 - SV-240254r879650_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
VRAU-LI-000335
Vuln IDs
  • V-240254
  • V-89289
Rule IDs
  • SV-240254r879650_rule
  • SV-99939
In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe or network connection. File descriptors index into a per-process file descriptor table maintained by the kernel, that in turn indexes into a system-wide table of files opened by all processes, called the file table. As a single-threaded server, Lighttpd must be limited in the number of file descriptors that can be allocated. This will prevent Lighttpd from being used in a form of DoS attack against the Operating System.
Checks: C-43487r667937_chk

At the command prompt, execute the following command: grep '^server.max-fds' /opt/vmware/etc/lighttpd/lighttpd.conf If the value for "server.max-fds" is not set to "2048", this is a finding.

Fix: F-43446r667938_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: server.max-fds = 2048

b
Lighttpd must disable directory browsing.
SI-11 - Medium - CCI-001312 - V-240255 - SV-240255r879655_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
VRAU-LI-000345
Vuln IDs
  • V-240255
  • V-89291
Rule IDs
  • SV-240255r879655_rule
  • SV-99941
If not disabled, the directory listing feature can be used to facilitate a directory traversal exploit. Directory listing must be disabled. Lighttpd provides a configuration setting, dir-listing.activate, that must be set properly in order to globally disable directory listing.
Checks: C-43488r667940_chk

At the command prompt, execute the following command: grep '^dir-listing.activate' /opt/vmware/etc/lighttpd/lighttpd.conf If the value for "dir-listing.activate" is not set to "disable", this is a finding.

Fix: F-43447r667941_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: dir-listing.activate = "disable"

b
Lighttpd must not be configured to use mod_status.
SI-11 - Medium - CCI-001312 - V-240256 - SV-240256r879655_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
VRAU-LI-000350
Vuln IDs
  • V-240256
  • V-89293
Rule IDs
  • SV-240256r879655_rule
  • SV-99943
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. Lighttpd must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The mod_status module generates the status overview of the webserver. The information covers: uptime average throughput current throughput active connections and their state While this information is useful on a development system, production systems must not have mod_status enabled.
Checks: C-43489r667943_chk

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/' If the "mod_status" module is listed, this is a finding.

Fix: F-43448r667944_fix

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the "server.modules" section. In the "server.modules" section, delete the "mod_status" entry.

b
Lighttpd must have debug logging disabled.
SI-11 - Medium - CCI-001312 - V-240257 - SV-240257r879655_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
VRAU-LI-000355
Vuln IDs
  • V-240257
  • V-89295
Rule IDs
  • SV-240257r879655_rule
  • SV-99945
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. While this information is useful on a development system, production systems must not have debug logging enabled.
Checks: C-43490r667946_chk

At the command prompt, execute the following command: grep '^debug.log-request-handling' /opt/vmware/etc/lighttpd/lighttpd.conf If the value for "debug.log-request-handling" is not set to "disable", this is a finding.

Fix: F-43449r667947_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: debug.log-request-handling = "disable"

c
Lighttpd must be configured to utilize the Common Information Model Object Manager.
AC-17 - High - CCI-002314 - V-240258 - SV-240258r879692_rule
RMF Control
AC-17
Severity
H
CCI
CCI-002314
Version
VRAU-LI-000370
Vuln IDs
  • V-240258
  • V-89297
Rule IDs
  • SV-240258r879692_rule
  • SV-99947
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. As the web server for the vRA Virtual Appliance Management Interface (vAMI), Lighttpd is the primary remote access management system for vRA. vRA uses CIMOM to Authenticate the sysadmin and to enforce policy requirements.
Checks: C-43491r854812_chk

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/cimom/,/}/' Note: The return value should produce the following output: $HTTP["url"] =~ "^/cimom" { proxy.server = ( "" =&gt; (( "host" =&gt; "127.0.0.1", "port" =&gt; "5488" )) ) } If the return value does not match the above output, this is a finding.

Fix: F-43450r854813_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf with the following: $HTTP["url"] =~ "^/cimom" { proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "5488" )) ) }

b
Lighttpd must restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-240259 - SV-240259r879692_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
VRAU-LI-000375
Vuln IDs
  • V-240259
  • V-90335
Rule IDs
  • SV-240259r879692_rule
  • SV-100985
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server. As the web server for the vRA Virtual Appliance Management Interface (vAMI), Lighttpd is the primary remote access management system for vRA. Lighttpd must be configured to restrict inbound connections from nonsecure zones. To accomplish this, the SSL engine must be enabled. The SSL engine forces Lighttpd to only listen via secure protocols.
Checks: C-43492r854815_chk

At the command prompt, execute the following command: grep -A 4 'remoteip' /opt/vmware/etc/lighttpd/lighttpd.conf If the command does not return any output, this is a finding. Note: The output should look like the following: $HTTP["remoteip"] !~ "a.a.a.a" { url.access-deny = ( "" ) } Where a.a.a.a is an allowed IP address.

Fix: F-43451r854816_fix

Determine the IP addresses which will be allowed to access Lighttpd. Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: $HTTP["remoteip"] !~ "a.a.a.a" { url.access-deny = ( "" ) } Note: a.a.a.a is the IPv4 address provided by the ISSO. If additional IPv4 addresses are allowed, use the information shown below instead (3 addresses shown): $HTTP["remoteip"] !~ "a.a.a.a|b.b.b.b|c.c.c.c" { url.access-deny = ( "" ) }

b
Lighttpd must be configured to use syslog.
AU-4 - Medium - CCI-001851 - V-240260 - SV-240260r879731_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
VRAU-LI-000400
Vuln IDs
  • V-240260
  • V-90337
Rule IDs
  • SV-240260r879731_rule
  • SV-100987
Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.
Checks: C-43493r667955_chk

At the command prompt, execute the following command: grep 'accesslog.use-syslog' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^# If the value for "accesslog.use-syslog" is not set to "enable" or is missing, this is a finding.

Fix: F-43452r667956_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf file with the following: accesslog.use-syslog = "enable"

b
Lighttpd must be configured to use syslog.
AU-4 - Medium - CCI-001851 - V-240261 - SV-240261r879731_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
VRAU-LI-000405
Vuln IDs
  • V-240261
  • V-90339
Rule IDs
  • SV-240261r879731_rule
  • SV-100989
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-43494r667958_chk

At the command prompt, execute the following command: grep 'accesslog.use-syslog' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^# If the value for "accesslog.use-syslog" is not set to "enable" or is missing, this is a finding.

Fix: F-43453r667959_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf file with the following: accesslog.use-syslog = "enable"

b
The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
AU-5 - Medium - CCI-001855 - V-240262 - SV-240262r879732_rule
RMF Control
AU-5
Severity
M
CCI
CCI-001855
Version
VRAU-LI-000410
Vuln IDs
  • V-240262
  • V-89299
Rule IDs
  • SV-240262r879732_rule
  • SV-99949
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. If log capacity were to be exceeded, then events subsequently occurring would not be recorded. Organizations shall define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., web server has exceeded 75% of log storage capacity allocated), at which time the web server or the logging mechanism the web server utilizes will provide a warning to the ISSO and SA at a minimum. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.
Checks: C-43495r667961_chk

At the command prompt, execute the following command: grep 'accesslog.use-syslog' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^# If the value for "accesslog.use-syslog" is not set to "enable" or is missing, this is a finding.

Fix: F-43454r667962_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf file with the following: accesslog.use-syslog = "enable"

b
Lighttpd audit records must be mapped to a time stamp.
AU-8 - Medium - CCI-001890 - V-240263 - SV-240263r879747_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001890
Version
VRAU-LI-000415
Vuln IDs
  • V-240263
  • V-89301
Rule IDs
  • SV-240263r879747_rule
  • SV-99951
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. In order to ensure that Lighttpd is correctly logging timestamps, the accesslog.format setting must be enabled.
Checks: C-43496r667964_chk

At the command prompt, execute the following command: grep 'accesslog.format' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^# If no value is returned or if the "accesslog.format" is commented out, this is a finding.

Fix: F-43455r854821_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Note: If the accesslog.format setting was commented out with a '#' sign, remove the '#' sign. Configure the lighttpd.conf file with the following: accesslog.format = "%h %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\""

b
Lighttpd must record time stamps for log records to a minimum granularity of time.
AU-8 - Medium - CCI-001889 - V-240264 - SV-240264r879748_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001889
Version
VRAU-LI-000420
Vuln IDs
  • V-240264
  • V-89303
Rule IDs
  • SV-240264r879748_rule
  • SV-99953
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. In order to ensure that Lighttpd is correctly logging timestamps, the accesslog.format setting must be configured correctly.
Checks: C-43497r667967_chk

At the command prompt, execute the following command: grep 'accesslog.format' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v ^# If no value is returned or if the "accesslog.format" is commented out, this is a finding.

Fix: F-43456r854823_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Note: If the accesslog.format setting was commented out with a '#' sign, remove the '#' sign. Configure the lighttpd.conf file with the following: accesslog.format = "%h %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\""

b
Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
CM-5 - Medium - CCI-001813 - V-240265 - SV-240265r879753_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001813
Version
VRAU-LI-000425
Vuln IDs
  • V-240265
  • V-89305
Rule IDs
  • SV-240265r879753_rule
  • SV-99955
As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and the Lighttpd server configuration files.
Checks: C-43498r854825_chk

At the command prompt, execute the following command: stat -c "%a %g %G %n" `find /opt/vmware/share/htdocs /opt/vmware/etc/lighttpd /opt/vmware/share/lighttpd -type f` | awk '$1 !~ /^..0/ || $3 !~ /root/ {print}' If any files are returned, this is a finding.

Fix: F-43457r667971_fix

At the command prompt, enter the followings commands: Note: Replace <file_name> for the name of the file that was returned. chown root:root <file_name> chmod 640 <file_name> Repeat the commands for each file that was returned.

b
Lighttpd must not be configured to listen to unnecessary ports.
CM-7 - Medium - CCI-001762 - V-240266 - SV-240266r879756_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001762
Version
VRAU-LI-000430
Vuln IDs
  • V-240266
  • V-89307
Rule IDs
  • SV-240266r879756_rule
  • SV-99957
Web servers must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments. Lighttpd will listen on ports that are specified with the server.port configuration parameter. Lighttpd listens to port 5480 to provide remote access to the Virtual Appliance Management Interface (vAMI). Lighttpd must not be configured to listen to any other port.
Checks: C-43499r667973_chk

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '$0 ~ /server\.port/ { print }' If any value returned other than "server.port=5480", this is a finding.

Fix: F-43458r667974_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Note: Do not delete the entry for "server.port=5480" Delete all other server.port entries.

b
Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
SC-13 - Medium - CCI-002450 - V-240267 - SV-240267r879944_rule
RMF Control
SC-13
Severity
M
CCI
CCI-002450
Version
VRAU-LI-000435
Vuln IDs
  • V-240267
  • V-89309
Rule IDs
  • SV-240267r879944_rule
  • SV-99959
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-43500r667976_chk

At the command prompt, execute the following command: grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the value returned in not "ssl.cipher-list = "FIPS: +3DES:!aNULL" "or is commented out, this is a finding.

Fix: F-43459r667977_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following: ssl.cipher-list = "FIPS: +3DES:!aNULL"

b
Lighttpd must be protected from being stopped by a non-privileged user.
SC-5 - Medium - CCI-002385 - V-240268 - SV-240268r879806_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
VRAU-LI-000450
Vuln IDs
  • V-240268
  • V-89311
Rule IDs
  • SV-240268r879806_rule
  • SV-99961
An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. To prohibit an attacker from stopping the Lighttpd, the process ID (pid) must be owned by privileged users.
Checks: C-43501r667979_chk

At the command prompt, execute the following command: ps -f -U root | awk '$0 ~ /vami-lighttpd/ &amp;&amp; $0 !~ /awk/ {print}' If the "vami-lighttpd" process is not owned by "root", this is a finding.

Fix: F-43460r667980_fix

Note: The following command must be ran as root. At the command prompt, execute the following command: /opt/vmware/etc/init.d/vami-lighttpd restart

b
Lighttpd must be configured to use the SSL engine.
SC-8 - Medium - CCI-002418 - V-240269 - SV-240269r928837_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
VRAU-LI-000460
Vuln IDs
  • V-240269
  • V-89313
Rule IDs
  • SV-240269r928837_rule
  • SV-99963
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43502r667982_chk

At the command prompt, execute the following command: $ grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value returned for "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43461r667983_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following value: ssl.engine = "enable"

b
Lighttpd must be configured to use the SSL engine.
SC-8 - Medium - CCI-002418 - V-240270 - SV-240270r879810_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
VRAU-LI-000465
Vuln IDs
  • V-240270
  • V-89315
Rule IDs
  • SV-240270r879810_rule
  • SV-99965
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43503r667985_chk

At the command prompt, execute the following command: $ grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value returned for "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43462r667986_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the "lighttpd.conf" file with the following value: ssl.engine = "enable"

c
Lighttpd must use an approved TLS version for encryption.
SC-8 - High - CCI-002418 - V-240271 - SV-240271r879810_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
VRAU-LI-000485
Vuln IDs
  • V-240271
  • V-89317
Rule IDs
  • SV-240271r879810_rule
  • SV-99967
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. SSL/TLS is a collection of protocols. Weaknesses have been identified with earlier SSL protocols, including SSLv2 and SSLv3, hence SSL versions 1, 2, and 3 should no longer be used. The best practice for transport layer protection is to only provide support for the TLS protocols - TLS 1.0, TLS 1.1 and TLS 1.2. This configuration will provide maximum protection against skilled and determined attackers and is appropriate for applications handling sensitive data or performing critical operations. Lighttpd must explicitly disable all of the SSL-series protocols. If these protocols are not disabled, the vRA appliance may be vulnerable to a loss of confidentiality.
Checks: C-43504r854832_chk

At the command prompt, execute the following command: Note: The command should return 2 outputs: ssl.use-sslv2 and ssl.use-sslv3 grep '^ssl.use-sslv' /opt/vmware/etc/lighttpd/lighttpd.conf If the value returned for "ssl.use-sslv2" and "ssl.use-sslv3" are not set to "disable", this is a finding.

Fix: F-43463r667989_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf file with following: ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable"

b
Lighttpd must remove all export ciphers to transmitted information.
SC-8 - Medium - CCI-002418 - V-240272 - SV-240272r879810_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
VRAU-LI-000490
Vuln IDs
  • V-240272
  • V-89319
Rule IDs
  • SV-240272r879810_rule
  • SV-99969
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The Lighttpd will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.
Checks: C-43505r667991_chk

At the command prompt, execute the following command: grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the value returned in not "ssl.cipher-list = "FIPS: +3DES:!aNULL" "or is commented out, this is a finding.

Fix: F-43464r667992_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf file with the following: ssl.cipher-list = "FIPS: +3DES:!aNULL"

b
Lighttpd must be configured to use SSL.
SC-8 - Medium - CCI-002422 - V-240273 - SV-240273r879813_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
VRAU-LI-000500
Vuln IDs
  • V-240273
  • V-89321
Rule IDs
  • SV-240273r879813_rule
  • SV-99971
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. In order to protect the integrity and confidentiality of the remote sessions, Lighttpd uses SSL/TLS.
Checks: C-43506r667994_chk

At the command prompt, execute the following command: $ grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value for "ssl.engine" is not set to "enable", this is a finding.

Fix: F-43465r667995_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Configure the lighttpd.conf file with the following value: ssl.engine = "enable"

b
Lighttpd must have the latest approved security-relevant software updates installed.
SI-2 - Medium - CCI-002605 - V-240274 - SV-240274r879827_rule
RMF Control
SI-2
Severity
M
CCI
CCI-002605
Version
VRAU-LI-000505
Vuln IDs
  • V-240274
  • V-89323
Rule IDs
  • SV-240274r879827_rule
  • SV-99973
All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being introduced into the production version. By using the most current version of Lighttpd, the Lighttpd server will always be using the most stable and known baseline.
Checks: C-43507r667997_chk

Obtain supporting documentation from the ISSO. Determine whether Lighttpd has the latest approved security-relevant software updates installed. If the latest approved security-relevant software updates are not installed, this is a finding.

Fix: F-43466r667998_fix

Install the latest approved security-relevant software updates.

b
Lighttpd must disable IP forwarding.
CM-6 - Medium - CCI-000366 - V-240275 - SV-240275r879887_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
VRAU-LI-000515
Vuln IDs
  • V-240275
  • V-89325
Rule IDs
  • SV-240275r879887_rule
  • SV-99975
IP forwarding permits Lighttpd to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. Lighttpd is not implemented as a router. With the url.redirect configuration parameter, Lighttpd can be configured to forward IPv4 packets. This configuration parameter is prohibited, unless Lighttpd is redirecting packets to localhost, 127.0.0.1.
Checks: C-43508r668000_chk

At the command prompt, execute the following command: grep -E 'url\.redirect' /opt/vmware/etc/lighttpd/lighttpd.conf | grep -v '^#' If any values are returned, this is a finding.

Fix: F-43467r668001_fix

Navigate to /opt/vmware/etc/lighttpd/lighttpd.conf In the "lighttpd.conf" file, delete all lines that are returned containing url.redirect returned.

c
The version of vRealize Automation 7.x Lighttpd running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-258452 - SV-258452r928883_rule
RMF Control
SI-2
Severity
H
CCI
CCI-002605
Version
VRAU-LI-009999
Vuln IDs
  • V-258452
Rule IDs
  • SV-258452r928883_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-62192r928882_chk

vRealize Automation 7.x Lighttpd is no longer supported by the vendor. If the system is running vRealize Automation 7.x Lighttpd, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.