VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

  • Version/Release: V2R3
  • Published: 2023-10-03
  • Released: 2023-10-25

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
tc Server HORIZON must limit the number of maximum concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-240725 - SV-240725r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000005
Vuln IDs
  • V-240725
  • V-90341
Rule IDs
  • SV-240725r879511_rule
  • SV-100991
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute.
Checks: C-43958r673917_chk

At the command prompt, execute the following command:

grep maxThreads /opt/vmware/horizon/workspace/conf/server.xml

If the value of "maxThreads" is not "300" or is missing, this is a finding.

Fix: F-43917r673918_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads="300"'.

Note: The <Executor> node should be configured per the following:

<Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>

tc Server VCO must limit the number of maximum concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-240726 - SV-240726r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000010
Vuln IDs
  • V-240726
  • V-89883
Rule IDs
  • SV-240726r879511_rule
  • SV-100533
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute.
Checks: C-43959r673920_chk

At the command prompt, execute the following command:

grep maxThreads /etc/vco/app-server/server.xml

If the value of "maxThreads" is not "300" or is missing, this is a finding.

Fix: F-43918r673921_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate the <Connector> node. Configure the <Connector> with the value 'maxThreads="300"'.

tc Server VCAC must limit the number of maximum concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-240727 - SV-240727r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000015
Vuln IDs
  • V-240727
  • V-89885
Rule IDs
  • SV-240727r879511_rule
  • SV-100535
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute.
Checks: C-43960r673923_chk

At the command prompt, execute the following command:

grep maxThreads /etc/vcac/server.xml

If the value of "maxThreads" is not "1000" or is missing, this is a finding.

Fix: F-43919r673924_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads="1000"'.

Note: The <Executor> node should be configured per the following:

<Executor maxThreads="1000" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>

tc Server HORIZON must limit the amount of time that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-240728 - SV-240728r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000020
Vuln IDs
  • V-240728
  • V-89887
Rule IDs
  • SV-240728r879511_rule
  • SV-100537
Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. tc Server provides the connectionTimeout attribute. This sets the number of milliseconds tc Server will wait, after accepting a connection, for the request URI line to be presented. This timeout will also be used when reading the request body (if any).
Checks: C-43961r673926_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the &lt;Connector&gt; nodes. If the value of "connectionTimeout" is not set to "20000" or is missing, this is a finding.

Fix: F-43920r673927_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'connectionTimeout="20000"'.

tc Server VCO must limit the amount of time that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-240729 - SV-240729r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000025
Vuln IDs
  • V-240729
  • V-89889
Rule IDs
  • SV-240729r879511_rule
  • SV-100539
Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. tc Server provides the connectionTimeout attribute. This sets the number of milliseconds tc Server will wait, after accepting a connection, for the request URI line to be presented. This timeout will also be used when reading the request body (if any).
Checks: C-43962r673929_chk

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the &lt;Connector&gt; node. If the value of "connectionTimeout" is not set to "20000" or is missing, this is a finding.

Fix: F-43921r673930_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'connectionTimeout="10000"'.

tc Server VCAC must limit the amount of time that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-240730 - SV-240730r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000030
Vuln IDs
  • V-240730
  • V-89891
Rule IDs
  • SV-240730r879511_rule
  • SV-100541
Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. tc Server provides the connectionTimeout attribute. This sets the number of milliseconds tc Server will wait, after accepting a connection, for the request URI line to be presented. This timeout will also be used when reading the request body (if any).
Checks: C-43963r673932_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the &lt;Connector&gt; node. If the value of "connectionTimeout" is not set to "10000" or is missing, this is a finding.

Fix: F-43922r673933_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'connectionTimeout="10000"'.

tc Server HORIZON must limit the number of times that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-240731 - SV-240731r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000035
Vuln IDs
  • V-240731
  • V-89893
Rule IDs
  • SV-240731r879511_rule
  • SV-100543
KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. tc Server can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit balances the advantages of KeepAlive against the risk of any one client holding a connection for too long. maxKeepAliveRequests is the tc Server attribute that sets this limit.
Checks: C-43964r673935_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the &lt;Connector&gt; nodes. If the value of "maxKeepAliveRequests" is not set to "15" or is missing, this is a finding.

Fix: F-43923r673936_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'maxKeepAliveRequests="15"'.

tc Server VCO must limit the number of times that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-240732 - SV-240732r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000040
Vuln IDs
  • V-240732
  • V-89895
Rule IDs
  • SV-240732r879511_rule
  • SV-100545
KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. tc Server can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit balances the advantages of KeepAlive against the risk of any one client holding a connection for too long. maxKeepAliveRequests is the tc Server attribute that sets this limit.
Checks: C-43965r673938_chk

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the &lt;Connector&gt; node. If the value of "maxKeepAliveRequests" is not set to "15" or is missing, this is a finding.

Fix: F-43924r673939_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'maxKeepAliveRequests="15"'.

tc Server VCAC must limit the number of times that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-240733 - SV-240733r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000045
Vuln IDs
  • V-240733
  • V-89897
Rule IDs
  • SV-240733r879511_rule
  • SV-100547
KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. tc Server can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit balances the advantages of KeepAlive against the risk of any one client holding a connection for too long. maxKeepAliveRequests is the tc Server attribute that sets this limit.
Checks: C-43966r673941_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the &lt;Connector&gt; node. If the value of "maxKeepAliveRequests" is not set to "15" or is missing, this is a finding.

Fix: F-43925r673942_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'maxKeepAliveRequests="15"'.

tc Server HORIZON must perform server-side session management.
AC-10 - Medium - CCI-000054 - V-240734 - SV-240734r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000050
Vuln IDs
  • V-240734
  • V-89899
Rule IDs
  • SV-240734r879511_rule
  • SV-100549
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.
Checks: C-43967r673944_chk

At the command prompt, execute the following command:

grep -E 'cookies=.false' /opt/vmware/horizon/workspace/conf/context.xml

If the command produces any output, this is a finding.

Fix: F-43926r673945_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.

tc Server VCO must perform server-side session management.
AC-10 - Medium - CCI-000054 - V-240735 - SV-240735r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000055
Vuln IDs
  • V-240735
  • V-89901
Rule IDs
  • SV-240735r879511_rule
  • SV-100551
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.
Checks: C-43968r673947_chk

At the command prompt, execute the following command:

grep -E 'cookies=.false' /etc/vco/app-server/context.xml

If the command produces any output, this is a finding.

Fix: F-43927r673948_fix

Navigate to and open /etc/vco/app-server/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.

tc Server VCAC must perform server-side session management.
AC-10 - Medium - CCI-000054 - V-240736 - SV-240736r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VRAU-TC-000060
Vuln IDs
  • V-240736
  • V-89903
Rule IDs
  • SV-240736r879511_rule
  • SV-100553
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.
Checks: C-43969r673950_chk

At the command prompt, execute the following command:

grep -E 'cookies=.false' /etc/vcac/context.xml

If the command produces any output, this is a finding.

Fix: F-43928r673951_fix

Navigate to and open /etc/vcac/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.

tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
AC-17 - Medium - CCI-000068 - V-240737 - SV-240737r879519_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
VRAU-TC-000065
Vuln IDs
  • V-240737
  • V-89905
Rule IDs
  • SV-240737r879519_rule
  • SV-100555
Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), identifies eleven areas for a cryptographic module used inside a security system that protects information. FIPS 140-2 approved ciphers provide the maximum level of encryption possible for a private web server. The ciphers tc Server uses are configured in the catalina.properties file. Only those ciphers specified in the configuration file, and which are available in the installed OpenSSL library, will be used by tc Server when encrypting data for transmission.
Checks: C-43970r674391_chk

At the command prompt, execute the following command:

grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties

If the value of "bio-ssl.cipher.list" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding.

Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command:

openssl ciphers 'FIPS'

Fix: F-43929r673954_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to and locate "bio-ssl.cipher.list". Configure the "bio-ssl.cipher.list" with FIPS 140-2 compliant ciphers.

tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
AC-17 - Medium - CCI-000068 - V-240738 - SV-240738r879519_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
VRAU-TC-000070
Vuln IDs
  • V-240738
  • V-89907
Rule IDs
  • SV-240738r879519_rule
  • SV-100557
Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), identifies eleven areas for a cryptographic module used inside a security system that protects information. FIPS 140-2 approved ciphers provide the maximum level of encryption possible for a private web server. The ciphers tc Server uses are configured in the catalina.properties file. Only those ciphers specified in the configuration file, and which are available in the installed OpenSSL library, will be used by tc Server when encrypting data for transmission.
Checks: C-43971r674393_chk

At the command prompt, execute the following command:

grep cipher /etc/vcac/catalina.properties

If the value of "cipher" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding.

Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command:

openssl ciphers 'FIPS'

Fix: F-43930r673957_fix

Navigate to and open /etc/vcac/catalina.properties. Navigate to and locate "cipher". Configure the "cipher" with FIPS 140-2 compliant ciphers.
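The two FIPS cipher checks above (HORIZON's "bio-ssl.cipher.list" and VCAC's "cipher" key) compare a catalina.properties value against the names OpenSSL prints for its FIPS selector. The following is an added example of that comparison, not DISA's or VMware's code; the properties fragment and the stand-in for `openssl ciphers 'FIPS'` output are constructed samples, and the cipher names are assumed to be in OpenSSL's naming format, as the check's use of `openssl ciphers` implies.

```python
"""Check the cipher list a tc Server catalina.properties configures against the
names OpenSSL reports for `openssl ciphers 'FIPS'`, as the check above describes.
Added example, not DISA's or VMware's code. The properties text and the OpenSSL
output below are constructed samples; on a real host use fips_ciphers_from_openssl()."""
import re
import subprocess


def _logical_lines(text):
    """Yield Java-properties logical lines, joining backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def read_property(properties_text, key):
    """Return the value of `key` (key=value, key:value or key value forms) or None."""
    for line in _logical_lines(properties_text):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return None


def parse_openssl_cipher_output(output):
    """Turn the colon-separated output of `openssl ciphers` into a set of names."""
    return {name for name in output.strip().split(":") if name}


def fips_ciphers_from_openssl():
    """Run the STIG's own listing command on this host (needs an OpenSSL with a FIPS selector)."""
    res = subprocess.run(["openssl", "ciphers", "FIPS"], capture_output=True, text=True, check=True)
    return parse_openssl_cipher_output(res.stdout)


def audit_cipher_list(properties_text, key, fips_names):
    """Findings for `key`: the key is missing, or an entry is not in the FIPS set.
    Selector keywords (HIGH, !aNULL, ...) are reported too, so a reviewer sees that
    the value is an expression rather than an explicit list of cipher names."""
    value = read_property(properties_text, key)
    if value is None:
        return [f"{key} is missing"]
    return [f"{key} contains non-FIPS entry {c}" for c in value.split(":") if c and c not in fips_names]


# Constructed HORIZON-style catalina.properties fragment with a line continuation
# and one legacy cipher (RC4-SHA) that the FIPS list does not contain.
SAMPLE_PROPS = """# constructed sample, not a real host's file
bio-ssl.https.port=8443
bio-ssl.cipher.list=ECDHE-RSA-AES256-GCM-SHA384:RC4-SHA:\\
    ECDHE-RSA-AES128-GCM-SHA256
"""
# Constructed stand-in for `openssl ciphers 'FIPS'` output (a few real OpenSSL cipher names).
SAMPLE_FIPS_OUTPUT = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA\n"
SAMPLE_FIPS = parse_openssl_cipher_output(SAMPLE_FIPS_OUTPUT)

if __name__ == "__main__":
    for finding in audit_cipher_list(SAMPLE_PROPS, "bio-ssl.cipher.list", SAMPLE_FIPS):
        print("FINDING:", finding)
```

For VCAC, call audit_cipher_list with the "cipher" key and the contents of /etc/vcac/catalina.properties.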

tc Server HORIZON must use cryptography to protect the integrity of remote sessions.
AC-17 - Medium - CCI-001453 - V-240739 - SV-240739r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
VRAU-TC-000075
Vuln IDs
  • V-240739
  • V-89909
Rule IDs
  • SV-240739r879520_rule
  • SV-100559
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's SSLEnabled flag enables SSL handshake, encryption and decryption on that connector.
Checks: C-43972r673959_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the &lt;Connector&gt; nodes. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.

Fix: F-43931r673960_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'SSLEnabled="true"'.

tc Server VCAC must use cryptography to protect the integrity of remote sessions.
AC-17 - Medium - CCI-001453 - V-240740 - SV-240740r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
VRAU-TC-000080
Vuln IDs
  • V-240740
  • V-90343
Rule IDs
  • SV-240740r879520_rule
  • SV-100993
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's SSLEnabled flag enables SSL handshake, encryption and decryption on that connector.
Checks: C-43973r673962_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the &lt;Connector&gt; node. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.

Fix: F-43932r673963_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'SSLEnabled="true"'.

tc Server HORIZON must record user access in a format that enables monitoring of remote access.
AC-17 - Medium - CCI-000067 - V-240741 - SV-240741r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VRAU-TC-000085
Vuln IDs
  • V-240741
  • V-89911
Rule IDs
  • SV-240741r879521_rule
  • SV-100561
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The Access Log Valve creates log files in the same format as those created by standard web servers.
Checks: C-43974r674395_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding.

Note: The AccessLogValve should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" suffix=".txt" rotatable="false" requestAttributesEnabled="true" checkExists="true"/>

Fix: F-43933r673966_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below.

Note: The AccessLogValve should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

tc Server VCO must record user access in a format that enables monitoring of remote access.
AC-17 - Medium - CCI-000067 - V-240742 - SV-240742r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VRAU-TC-000090
Vuln IDs
  • V-240742
  • V-89913
Rule IDs
  • SV-240742r879521_rule
  • SV-100563
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The Access Log Valve creates log files in the same format as those created by standard web servers.
Checks: C-43975r674397_chk

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding.

Note: The AccessLogValve should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" rotatable="false" checkExists="true"/>

Fix: F-43934r673969_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below.

Note: The AccessLogValve should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

tc Server VCAC must record user access in a format that enables monitoring of remote access.
AC-17 - Medium - CCI-000067 - V-240743 - SV-240743r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VRAU-TC-000095
Vuln IDs
  • V-240743
  • V-89915
Rule IDs
  • SV-240743r879521_rule
  • SV-100565
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The Access Log Valve creates log files in the same format as those created by standard web servers.
Checks: C-43976r674399_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding.

Note: The AccessLogValve should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

Fix: F-43935r673972_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below.

Note: The AccessLogValve should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
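The server.xml and context.xml checks above (VRAU-TC-000005 through VRAU-TC-000095: maxThreads, connectionTimeout, maxKeepAliveRequests, cookies, SSLEnabled and the AccessLogValve) are all attribute lookups that a grep can miss when an attribute sits on the wrong node or appears more than once. The following is an added example of one XML-aware audit for those rules, not DISA's or VMware's code; the two server.xml samples and the context.xml samples are constructed, and the per-component values are the ones the rules above state (VCO's connectionTimeout uses its check text, 20000).

```python
"""Audit tc Server server.xml / context.xml files against the vRAU tc Server
STIG values above: maxThreads, connectionTimeout, maxKeepAliveRequests,
SSLEnabled, the AccessLogValve under <Host>, and cookies="false" in <Context>.
Added example, not DISA's or VMware's code. The XML samples are constructed."""
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"

# Expected attribute values per component, as the rules above state them.
EXPECTED = {
    "HORIZON": {"maxThreads": "300", "connectionTimeout": "20000", "maxKeepAliveRequests": "15"},
    "VCO": {"maxThreads": "300", "connectionTimeout": "20000", "maxKeepAliveRequests": "15"},
    "VCAC": {"maxThreads": "1000", "connectionTimeout": "10000", "maxKeepAliveRequests": "15"},
}
# Node that carries maxThreads: <Executor> for HORIZON/VCAC, <Connector> for VCO.
POOL_TAG = {"HORIZON": "Executor", "VCO": "Connector", "VCAC": "Executor"}
# Components whose rules above require SSLEnabled="true" on every Connector.
SSL_REQUIRED = {"HORIZON", "VCAC"}


def audit_server_xml(xml_text, component):
    """Return a list of finding strings for one component's server.xml (empty = compliant)."""
    exp = EXPECTED[component]
    root = ET.fromstring(xml_text)
    findings = []

    pool_tag = POOL_TAG[component]
    pool_nodes = list(root.iter(pool_tag))
    if not pool_nodes:
        findings.append(f"no <{pool_tag}> node, so maxThreads is missing")
    for node in pool_nodes:
        if node.get("maxThreads") != exp["maxThreads"]:
            findings.append(f"<{pool_tag}> maxThreads={node.get('maxThreads')!r}, expected {exp['maxThreads']!r}")

    connectors = list(root.iter("Connector"))
    if not connectors:
        findings.append("no <Connector> node")
    for conn in connectors:
        for attr in ("connectionTimeout", "maxKeepAliveRequests"):
            if conn.get(attr) != exp[attr]:
                findings.append(f"<Connector port={conn.get('port')!r}> {attr}={conn.get(attr)!r}, expected {exp[attr]!r}")
        if component in SSL_REQUIRED and conn.get("SSLEnabled") != "true":
            findings.append(f"<Connector port={conn.get('port')!r}> SSLEnabled={conn.get('SSLEnabled')!r}, expected 'true'")

    # The AccessLogValve must be a direct child of <Host>.
    has_valve = any(
        valve.get("className") == ACCESS_LOG_VALVE
        for host in root.iter("Host")
        for valve in host.findall("Valve")
    )
    if not has_valve:
        findings.append("<Host> has no AccessLogValve")
    return findings


def audit_context_xml(xml_text):
    """One finding per <Context> that turns off server-managed session cookies."""
    root = ET.fromstring(xml_text)  # iter() includes the root <Context> itself
    return ['<Context cookies="false"> disables server-side session cookies'
            for ctx in root.iter("Context") if ctx.get("cookies") == "false"]


# Constructed sample: a HORIZON-style server.xml that satisfies every rule above.
SAMPLE_SERVER_XML_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>
    <Connector port="8443" executor="tomcatThreadPool" SSLEnabled="true"
               connectionTimeout="20000" maxKeepAliveRequests="15"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" suffix=".txt"
               rotatable="false" requestAttributesEnabled="true" checkExists="true"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""
# Constructed sample with the weaknesses the rules above look for: no Executor,
# no connectionTimeout, an oversized keep-alive budget, plaintext, no access log.
SAMPLE_SERVER_XML_WEAK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" maxKeepAliveRequests="100"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
SAMPLE_CONTEXT_OK = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
SAMPLE_CONTEXT_WEAK = '<Context cookies="false"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML_WEAK, "HORIZON") + audit_context_xml(SAMPLE_CONTEXT_WEAK):
        print("FINDING:", finding)
```

On a real appliance, pass the contents of the server.xml and context.xml paths named in the rules (for example /etc/vcac/server.xml with component "VCAC") to the two audit functions.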

tc Server ALL must generate log records for system startup and shutdown.
AU-12 - Medium - CCI-000169 - V-240744 - SV-240744r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
VRAU-TC-000105
Vuln IDs
  • V-240744
  • V-89917
Rule IDs
  • SV-240744r879559_rule
  • SV-100567
Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged. During start, tc Server reports system messages onto STDOUT and STDERR. These messages will be logged if the initialization script is configured correctly. For historical reasons, the standard log file for this is called catalina.out.
Checks: C-43977r674401_chk

At the command prompt, execute the following command:

more /storage/log/vmware/vco/app-server/catalina.out

Verify that tc Server start and stop events are being logged. If the tc Server start and stop events are not being recorded, this is a finding.

Note: The tc Server service is referred to as Catalina in the log.

Fix: F-43936r673975_fix

Navigate to and open /usr/share/tomcat/bin/catalina.sh.

Navigate to and locate the start block:

elif [ "$1" = "start" ] ; then

Navigate to and locate both "eval" statements:

org.apache.catalina.startup.Bootstrap "$@" start \

Add this statement immediately below both of the "eval" statements:

>> "$CATALINA_OUT" 2>&1 "&"

tc Server HORIZON must generate log records for user access and authentication events.
AU-12 - Medium - CCI-000169 - V-240745 - SV-240745r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
VRAU-TC-000110
Vuln IDs
  • V-240745
  • V-89919
Rule IDs
  • SV-240745r879559_rule
  • SV-100569
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged.
Checks: C-43978r674403_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding.

Note: The "AccessLogValve" should be configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" suffix=".txt" rotatable="false" requestAttributesEnabled="true" checkExists="true"/>

Fix: F-43937r673978_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must generate log records for user access and authentication events.
AU-12 - Medium - CCI-000169 - V-240746 - SV-240746r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
VRAU-TC-000115
Vuln IDs
  • V-240746
  • V-89921
Rule IDs
  • SV-240746r879559_rule
  • SV-100571
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged.
Checks: C-43979r674405_chk

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" rotatable="false" checkExists="true"/>

Fix: F-43938r673981_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must generate log records for user access and authentication events.
AU-12 - Medium - CCI-000169 - V-240747 - SV-240747r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
VRAU-TC-000120
Vuln IDs
  • V-240747
  • V-89923
Rule IDs
  • SV-240747r879559_rule
  • SV-100573
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged.
Checks: C-43980r674407_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

Fix: F-43939r673984_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
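The three AU-12 requirements above (HORIZON, VCO and VCAC) differ only in the path of server.xml; the check itself is the same. As an added example that is not part of the STIG or of VMware's tooling, the following Python snippet parses a server.xml and reports whether every <Host> carries an AccessLogValve whose pattern contains the tokens the AU-3 requirements rely on (%h, %u, %t, %r, %s), expanding Tomcat's "common" and "combined" aliases so they are not flagged. The embedded server.xml fragments are constructed samples and the function names are hypothetical.

```python
"""Check a tc Server / Tomcat server.xml for the AccessLogValve the STIG
requires under <Host>. Added illustration, not VMware's or DISA's tooling."""
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"

# Tomcat expands these two pattern aliases; any other value is taken literally.
PATTERN_ALIASES = {
    "common": '%h %l %u %t "%r" %s %b',
    "combined": '%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"',
}
# Tokens the AU-3 requirements depend on: source host, user, time, request line, status.
REQUIRED_TOKENS = ("%h", "%u", "%t", "%r", "%s")

# Constructed sample: a minimal server.xml with a compliant AccessLogValve.
COMPLIANT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same layout with no Valve under <Host> at all.
NONCOMPLIANT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def host_valves(server_xml, class_name):
    """Return the attribute dict of every <Valve> with the given className
    that is a direct child of a <Host> node."""
    root = ET.fromstring(server_xml)
    return [dict(valve.attrib)
            for host in root.iter("Host")
            for valve in host.findall("Valve")
            if valve.get("className") == class_name]


def access_log_findings(server_xml):
    """Return a list of finding strings; an empty list means compliant."""
    valves = host_valves(server_xml, ACCESS_LOG_VALVE)
    if not valves:
        return ["no AccessLogValve under any <Host> node"]
    findings = []
    for valve in valves:
        raw = valve.get("pattern", "")
        pattern = PATTERN_ALIASES.get(raw, raw)   # the XML parser has already decoded &quot;
        # Plain-token check only: a %{fmt}t form is not recognised here.
        missing = [t for t in REQUIRED_TOKENS if t not in pattern]
        if missing:
            findings.append("AccessLogValve pattern %r lacks %s" % (raw, ", ".join(missing)))
    return findings


if __name__ == "__main__":
    print("compliant sample:", access_log_findings(COMPLIANT_SERVER_XML) or "no findings")
    print("noncompliant sample:", access_log_findings(NONCOMPLIANT_SERVER_XML))
```

Run it against a real file with `access_log_findings(open(path).read())`; because the check looks at the parsed attribute rather than grepping the text, it is indifferent to attribute order, which differs between the HORIZON, VCO and VCAC fixes.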

b
tc Server ALL must initiate logging during service start-up.
AU-14 - Medium - CCI-001464 - V-240748 - SV-240748r879562_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
VRAU-TC-000125
Vuln IDs
  • V-240748
  • V-89925
Rule IDs
  • SV-240748r879562_rule
  • SV-100575
An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not be available during a forensic investigation. To assure all loggable events are captured, the web server must begin logging once the first web server process is initiated. During startup, tc Server writes system messages to STDOUT and STDERR. These messages will be logged if the initialization script is configured correctly. For historical reasons, the standard log file for this is called catalina.out.
Checks: C-43981r674409_chk

At the command prompt, execute the following command: more /usr/share/tomcat/bin/catalina.sh Type /touch "$CATALINA_OUT" Verify that the start command contains the command ">> "$CATALINA_OUT" 2>&1 "&"" If the command is not correct or is missing, this is a finding. Note: Use the "Enter" key to scroll down after typing /touch "$CATALINA_OUT"

Fix: F-43940r673987_fix

Navigate to and open /usr/share/tomcat/bin/catalina.sh. Navigate to and locate the start block: "elif [ "$1" = "start" ] ; then" Navigate to and locate both "eval" statements: "org.apache.catalina.startup.Bootstrap "$@" start \" Add this statement immediately below both of the "eval" statements: '>> "$CATALINA_OUT" 2>&1 "&"'
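The manual check above pages through catalina.sh with more. As an added example that is not part of the STIG or of the Tomcat project, the following Python snippet performs the same check mechanically: it locates the start block, finds every Bootstrap start command inside it and confirms that the next non-blank line is the `>> "$CATALINA_OUT" 2>&1` redirect the fix prescribes. The catalina.sh excerpt embedded here is a constructed abbreviation of the real script, and the function names are hypothetical.

```python
"""Verify that catalina.sh's start block sends both Bootstrap start commands to
$CATALINA_OUT, so logging begins with the first tc Server process.
Added illustration, not part of the STIG or of Tomcat."""
import re

START_BLOCK = re.compile(r'^\s*elif \[ "\$1" = "start" \] ; then')
NEXT_BLOCK = re.compile(r'^\s*elif \[ "\$1" = ')      # next top-level branch (stop, ...)
BOOTSTRAP_START = 'org.apache.catalina.startup.Bootstrap "$@" start \\'
REDIRECT = '>> "$CATALINA_OUT" 2>&1'

# Constructed, abbreviated excerpt of a compliant catalina.sh (not the real file).
COMPLIANT_CATALINA_SH = r'''
  if [ "$1" = "run" ] ; then
    shift
  elif [ "$1" = "start" ] ; then
    shift
    touch "$CATALINA_OUT"
    if [ "$1" = "-security" ] ; then
      eval $_NOHUP "\"$_RUNJAVA\"" "$JAVA_OPTS" "$CATALINA_OPTS" \
        -Djava.security.manager \
        org.apache.catalina.startup.Bootstrap "$@" start \
        >> "$CATALINA_OUT" 2>&1 "&"
    else
      eval $_NOHUP "\"$_RUNJAVA\"" "$JAVA_OPTS" "$CATALINA_OPTS" \
        org.apache.catalina.startup.Bootstrap "$@" start \
        >> "$CATALINA_OUT" 2>&1 "&"
    fi
  elif [ "$1" = "stop" ] ; then
    shift
'''

# Same excerpt with the redirect removed from the first (security-manager) eval.
NONCOMPLIANT_CATALINA_SH = COMPLIANT_CATALINA_SH.replace('>> "$CATALINA_OUT" 2>&1 "&"', '', 1)


def check_start_block(script):
    """Return (line_number, redirected) for every Bootstrap start command inside
    the start block. An empty list means no start block was found."""
    lines = script.splitlines()
    start = next((i for i, line in enumerate(lines) if START_BLOCK.match(line)), None)
    if start is None:
        return []
    results = []
    for i in range(start + 1, len(lines)):
        if NEXT_BLOCK.match(lines[i]):
            break                                   # left the start block
        if lines[i].strip() == BOOTSTRAP_START:
            # The redirect must be the very next non-blank line, i.e. still part
            # of the same eval command (the Bootstrap line ends with a backslash).
            following = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
            results.append((i + 1, following.startswith(REDIRECT)))
    return results


def is_compliant(script):
    """True only when the start block exists and every eval is redirected."""
    results = check_start_block(script)
    return bool(results) and all(ok for _, ok in results)


if __name__ == "__main__":
    print("compliant sample:", check_start_block(COMPLIANT_CATALINA_SH))
    print("noncompliant sample:", check_start_block(NONCOMPLIANT_CATALINA_SH))
```

On an appliance, call `is_compliant(open("/usr/share/tomcat/bin/catalina.sh").read())`; the per-line result list tells you which of the two eval statements is missing the redirect.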

b
tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-240749 - SV-240749r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
VRAU-TC-000145
Vuln IDs
  • V-240749
  • V-89933
Rule IDs
  • SV-240749r879563_rule
  • SV-100583
After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all web servers, tc Server will typically process GET and POST requests from clients. Logging these requests will help investigators understand what happened.
Checks: C-43982r673989_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix: F-43941r673990_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must produce log records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-240750 - SV-240750r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
VRAU-TC-000150
Vuln IDs
  • V-240750
  • V-89935
Rule IDs
  • SV-240750r879563_rule
  • SV-100585
After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all web servers, tc Server will typically process GET and POST requests from clients. Logging these requests will help investigators understand what happened.
Checks: C-43983r673992_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix: F-43942r673993_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-240751 - SV-240751r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
VRAU-TC-000155
Vuln IDs
  • V-240751
  • V-89937
Rule IDs
  • SV-240751r879563_rule
  • SV-100587
After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all web servers, tc Server will typically process GET and POST requests from clients. Logging these requests will help investigators understand what happened.
Checks: C-43984r673995_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix: F-43943r673996_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred.
AU-3 - Medium - CCI-000131 - V-240752 - SV-240752r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
VRAU-TC-000160
Vuln IDs
  • V-240752
  • V-89939
Rule IDs
  • SV-240752r879564_rule
  • SV-100589
After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %t parameter specifies that the system time should be recorded.
Checks: C-43985r673998_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.

Fix: F-43944r673999_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred.
AU-3 - Medium - CCI-000131 - V-240753 - SV-240753r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
VRAU-TC-000165
Vuln IDs
  • V-240753
  • V-89941
Rule IDs
  • SV-240753r879564_rule
  • SV-100591
After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %t parameter specifies that the system time should be recorded.
Checks: C-43986r674001_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the time and date of events are not being recorded, this is a finding.

Fix: F-43945r674002_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred.
AU-3 - Medium - CCI-000131 - V-240754 - SV-240754r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
VRAU-TC-000170
Vuln IDs
  • V-240754
  • V-89943
Rule IDs
  • SV-240754r879564_rule
  • SV-100593
After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %t parameter specifies that the system time should be recorded.
Checks: C-43987r674004_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.

Fix: F-43946r674005_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred.
AU-3 - Medium - CCI-000132 - V-240755 - SV-240755r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
VRAU-TC-000175
Vuln IDs
  • V-240755
  • V-89945
Rule IDs
  • SV-240755r879565_rule
  • SV-100595
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. Like all web servers, tc Server will log the requested URL and the parameters, if any, sent in the request. This information will enable investigators to determine where in the server an action was requested.
Checks: C-43988r674007_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events is not being recorded, this is a finding.

Fix: F-43947r674008_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred.
AU-3 - Medium - CCI-000132 - V-240756 - SV-240756r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
VRAU-TC-000180
Vuln IDs
  • V-240756
  • V-89947
Rule IDs
  • SV-240756r879565_rule
  • SV-100597
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. Like all web servers, tc Server will log the requested URL and the parameters, if any, sent in the request. This information will enable investigators to determine where in the server an action was requested.
Checks: C-43989r674010_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the location of events is not being recorded, this is a finding.

Fix: F-43948r674011_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred.
AU-3 - Medium - CCI-000132 - V-240757 - SV-240757r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
VRAU-TC-000185
Vuln IDs
  • V-240757
  • V-89949
Rule IDs
  • SV-240757r879565_rule
  • SV-100599
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. Like all web servers, tc Server will log the requested URL and the parameters, if any, sent in the request. This information will enable investigators to determine where in the server an action was requested.
Checks: C-43990r674013_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events is not being recorded, this is a finding.

Fix: F-43949r674014_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON must produce log records containing sufficient information to establish the source of events.
AU-3 - Medium - CCI-000133 - V-240758 - SV-240758r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-TC-000190
Vuln IDs
  • V-240758
  • V-89951
Rule IDs
  • SV-240758r879566_rule
  • SV-100601
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %h parameter records the remote hostname or IP address that sent the request, i.e., the source of the event.
Checks: C-43991r674016_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events is not being recorded, this is a finding.

Fix: F-43950r674017_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must produce log records containing sufficient information to establish the source of events.
AU-3 - Medium - CCI-000133 - V-240759 - SV-240759r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-TC-000195
Vuln IDs
  • V-240759
  • V-89953
Rule IDs
  • SV-240759r879566_rule
  • SV-100603
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %h parameter records the remote hostname or IP address that sent the request, i.e., the source of the event.
Checks: C-43992r674019_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the source IP of events is not being recorded, this is a finding.

Fix: F-43951r674020_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must produce log records containing sufficient information to establish the source of events.
AU-3 - Medium - CCI-000133 - V-240760 - SV-240760r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-TC-000200
Vuln IDs
  • V-240760
  • V-89955
Rule IDs
  • SV-240760r879566_rule
  • SV-100605
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %h parameter records the remote hostname or IP address that sent the request, i.e., the source of the event.
Checks: C-43993r674022_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events is not being recorded, this is a finding.

Fix: F-43952r674023_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-240761 - SV-240761r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-TC-000205
Vuln IDs
  • V-240761
  • V-89957
Rule IDs
  • SV-240761r879566_rule
  • SV-100607
tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., the source IP, of the events is important during forensic analysis. Correctly determining the source of events adds information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. tc Server HORIZON must be configured with the RemoteIpValve element in order to record the client source, rather than the load balancer or proxy server, as the source of every loggable event. The RemoteIpValve enables processing of the X-Forwarded-* HTTP headers, which the load balancer uses to pass on the client source.
Checks: C-43994r674411_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.

Fix: F-43953r674026_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <RemoteIpValve> below. Note: The "RemoteIpValve" should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for" internalProxies="127\.0\.0\.1"/>

b
tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-240762 - SV-240762r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-TC-000210
Vuln IDs
  • V-240762
  • V-89959
Rule IDs
  • SV-240762r879566_rule
  • SV-100609
tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., the source IP, of the events is important during forensic analysis. Correctly determining the source of events adds information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. tc Server HORIZON must be configured with the RemoteIpValve element in order to record the client source, rather than the load balancer or proxy server, as the source of every loggable event. The RemoteIpValve enables processing of the X-Forwarded-* HTTP headers, which the load balancer uses to pass on the client source.
Checks: C-43995r674028_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.

Fix: F-43954r674029_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <RemoteIpValve> below. Note: The "RemoteIpValve" should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" internalProxies=".*" protocolHeader="x-forwarded-proto" />

b
tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-240763 - SV-240763r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
VRAU-TC-000215
Vuln IDs
  • V-240763
  • V-89961
Rule IDs
  • SV-240763r879566_rule
  • SV-100611
tc Server VCAC logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., the source IP, of the events is important during forensic analysis. Correctly determining the source of events adds information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. tc Server VCAC must be configured with the RemoteIpValve element in order to record the client source, rather than the load balancer or proxy server, as the source of every loggable event. The RemoteIpValve enables processing of the X-Forwarded-* HTTP headers, which the load balancer uses to pass on the client source.
Checks: C-43996r674413_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.

Fix: F-43955r674032_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <RemoteIpValve> below. Note: The "RemoteIpValve" should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" internalProxies="127\.0\.0\.1" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for"/>
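The three RemoteIpValve requirements above (HORIZON, VCO and VCAC) all depend on how the valve chooses the address that the AccessLogValve then records as %h. As an added illustration that is not the valve's own code and not part of the STIG, the following Python function models the valve's documented behaviour: the remoteIpHeader is honoured only when the TCP peer matches internalProxies, the comma-separated hops are walked from right to left, internal proxies are dropped, trusted proxies are collected into the proxiesHeader, the first other hop becomes the client, and protocolHeader restores the original scheme. The function name and the addresses used are hypothetical.

```python
"""Model of how Tomcat's RemoteIpValve decides which address the AccessLogValve
sees as %h. Added illustration (hypothetical function name); it mirrors the
valve's documented right-to-left walk over remoteIpHeader, not its Java code."""
import re


def resolve_remote_ip(remote_addr, headers, internal_proxies=r"127\.0\.0\.1",
                      trusted_proxies=None, remote_ip_header="x-forwarded-for",
                      protocol_header="x-forwarded-proto"):
    """Return what the valve would expose downstream: the address logged as %h,
    the hops placed in proxiesHeader, the hops left in remoteIpHeader, and
    whether the original request was HTTPS according to protocolHeader."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    result = {"remote_addr": remote_addr, "proxies": [], "remaining_for": [], "secure": False}

    # Step 1: the forwarded header is honoured only when the TCP peer matches
    # internalProxies (Java's matcher().matches() is a full match, hence fullmatch).
    internal = re.compile(internal_proxies) if internal_proxies else None
    if internal is None or not internal.fullmatch(remote_addr):
        return result                               # header ignored, peer address is logged
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    # Step 2: walk the hops from the right (nearest proxy) to the left (client).
    hops = [h.strip() for h in hdrs.get(remote_ip_header, "").split(",") if h.strip()]
    idx = len(hops) - 1
    while idx >= 0:
        hop = hops[idx]
        result["remote_addr"] = hop                 # the last hop examined is what gets logged
        if internal.fullmatch(hop):
            pass                                    # internal proxies are dropped, not recorded
        elif trusted and trusted.fullmatch(hop):
            result["proxies"].insert(0, hop)        # trusted proxies are recorded in proxiesHeader
        else:
            break                                   # first other hop is the client
        idx -= 1
    result["remaining_for"] = hops[:max(idx, 0)]    # hops left of the client stay in the header

    # Step 3: protocolHeader tells the server which scheme the client actually used.
    result["secure"] = hdrs.get(protocol_header, "").lower() == "https"
    return result


if __name__ == "__main__":
    # Peer is the local load balancer, so the forwarded client address is logged.
    print(resolve_remote_ip("127.0.0.1", {"X-Forwarded-For": "203.0.113.5",
                                          "X-Forwarded-Proto": "https"}))
    # Peer is not an internal proxy, so the header is ignored and the peer is logged.
    print(resolve_remote_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.5"}))
```

The practical point for the three fixes above is that internalProxies decides whose header is believed: with `127\.0\.0\.1` only a proxy on the appliance itself may speak for a client, while a pattern that matches every peer (the VCO fix uses `.*`) honours the header from any peer, so it relies on network controls that ensure only the load balancer can reach the tc Server port.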

b
tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-240764 - SV-240764r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
VRAU-TC-000220
Vuln IDs
  • V-240764
  • V-89963
Rule IDs
  • SV-240764r879567_rule
  • SV-100613
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system and when the system authenticates them. The logs must contain information about user sessions, including what type of event occurred, when (date and time) it occurred, where within the server it occurred, the client source of the event, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. Like all web servers, tc Server generates HTTP status codes. The status code is a three-digit indicator of the outcome of the server's response to the request; the "%s" element of the AccessLogValve pattern records it.
Checks: C-43997r674415_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, recorded in the field immediately after the quoted request line (i.e., after the closing quote that follows "HTTP/1.1").

Fix: F-43956r674035_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-240765 - SV-240765r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
VRAU-TC-000225
Vuln IDs
  • V-240765
  • V-89965
Rule IDs
  • SV-240765r879567_rule
  • SV-100615
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCO must create a log entry when users access the system and when the system authenticates them. The logs must contain information about user sessions, including what type of event occurred, when (date and time) it occurred, where within the server it occurred, the client source of the event, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. Like all web servers, tc Server generates HTTP status codes. The status code is a three-digit indicator of the outcome of the server's response to the request; the "%s" element of the AccessLogValve pattern records it.
Checks: C-43998r674417_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, recorded in the field immediately after the quoted request line (i.e., after the closing quote that follows "HTTP/1.1").

Fix: F-43957r674038_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-240766 - SV-240766r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
VRAU-TC-000230
Vuln IDs
  • V-240766
  • V-89967
Rule IDs
  • SV-240766r879567_rule
  • SV-100617
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCAC must create a log entry when users access the system and when the system authenticates them. The logs must contain information about user sessions, including what type of event occurred, when (date and time) it occurred, where within the server it occurred, the client source of the event, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. Like all web servers, tc Server generates HTTP status codes. The status code is a three-digit indicator of the outcome of the server's response to the request; the "%s" element of the AccessLogValve pattern records it.
Checks: C-43999r674419_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, recorded in the field immediately after the quoted request line (i.e., after the closing quote that follows "HTTP/1.1").

Fix: F-43958r674041_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-240767 - SV-240767r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
VRAU-TC-000235
Vuln IDs
  • V-240767
  • V-89969
Rule IDs
  • SV-240767r879568_rule
  • SV-100619
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when users access the system and when the system authenticates them. The logs must contain information about user sessions, including what type of event occurred, when (date and time) it occurred, where within the server it occurred, the client source of the event, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The "%u" element records the remote user that was authenticated, as reported by the container (HttpServletRequest.getRemoteUser()); it is written as "-" when the request carries no container-authenticated principal. Knowing the authenticated user can be crucial in an investigation.
Checks: C-44000r674043_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user (the third field of each record, written as "-" when no user was authenticated) is not being recorded, this is a finding.

Fix: F-43959r674044_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-240768 - SV-240768r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
VRAU-TC-000240
Vuln IDs
  • V-240768
  • V-89971
Rule IDs
  • SV-240768r879568_rule
  • SV-100621
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCO must create a log entry when users access the system and when the system authenticates them. The logs must contain information about user sessions, including what type of event occurred, when (date and time) it occurred, where within the server it occurred, the client source of the event, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The "%u" element records the remote user that was authenticated, as reported by the container (HttpServletRequest.getRemoteUser()); it is written as "-" when the request carries no container-authenticated principal. Knowing the authenticated user can be crucial in an investigation.
Checks: C-44001r674046_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the identity of the user (the third field of each record, written as "-" when no user was authenticated) is not being recorded, this is a finding.

Fix: F-43960r674047_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-240769 - SV-240769r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
VRAU-TC-000245
Vuln IDs
  • V-240769
  • V-89973
Rule IDs
  • SV-240769r879568_rule
  • SV-100623
After a security incident has occurred, investigators will often review log files to determine what happened. tc Server VCAC must create a log entry when users access the system and when the system authenticates them. The logs must contain information about user sessions, including what type of event occurred, when (date and time) it occurred, where within the server it occurred, the client source of the event, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The "%u" element records the remote user that was authenticated, as reported by the container (HttpServletRequest.getRemoteUser()); it is written as "-" when the request carries no container-authenticated principal. Knowing the authenticated user can be crucial in an investigation.
Checks: C-44002r674049_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user (the third field of each record, written as "-" when no user was authenticated) is not being recorded, this is a finding.

Fix: F-43961r674050_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
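The Python block below is an added example, not part of the STIG or of VMware's tooling, and serves both the "outcome" checks (VRAU-TC-000220/225/230) and the "identity" checks (VRAU-TC-000235/240/245) above: it parses records written with the STIG's AccessLogValve pattern "%h %l %u %t "%r" %s %b" and reports whether each record carries a three-digit status after the request line and whether the "%u" field ever holds an authenticated user. The sample log lines, addresses, user name and request paths are constructed for the example; a real review would feed it the tail of the access log named in the check.

```python
import re

# Field layout produced by pattern="%h %l %u %t "%r" %s %b":
# host ident user [time] "request" status bytes
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample: three records in the required layout (one failed and one
# successful authentication by "jdoe") and a fourth written without "%s %b",
# as a pattern that omits the outcome would produce.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2023:14:22:01 +0000] "GET /vcac/ HTTP/1.1" 200 5120
10.0.0.5 - jdoe [03/Oct/2023:14:22:04 +0000] "POST /identity/api/tokens HTTP/1.1" 401 -
10.0.0.5 - jdoe [03/Oct/2023:14:22:09 +0000] "POST /identity/api/tokens HTTP/1.1" 200 843
10.0.0.6 - - [03/Oct/2023:14:22:11 +0000] "GET /vcac/ HTTP/1.1"
"""


def parse_access_log_line(line):
    """Return the record's fields as a dict, or None if it does not match."""
    m = ACCESS_LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]   # "-" means no principal
    return rec


def audit_access_log(lines):
    """Summarise what a set of records proves about outcome and identity."""
    summary = {"lines": 0, "unparsed": 0, "with_status": 0,
               "with_user": 0, "failures": 0, "findings": []}
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        summary["lines"] += 1
        rec = parse_access_log_line(line)
        if rec is None:
            summary["unparsed"] += 1
            summary["findings"].append(
                f"line {n}: does not match host ident user [time] \"request\" status bytes")
            continue
        summary["with_status"] += 1
        if rec["status"] >= 400:        # 4xx/5xx: the event failed
            summary["failures"] += 1
        if rec["user"]:
            summary["with_user"] += 1
    if summary["lines"] and summary["with_user"] == 0:
        summary["findings"].append("no record carries an authenticated user in %u")
    return summary


def audit_access_log_file(path):
    """Run the audit over a log file, e.g. the access_log named in the check."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_access_log(fh)


if __name__ == "__main__":
    result = audit_access_log(SAMPLE_LOG.splitlines())
    print(f"{result['with_status']}/{result['lines']} records carry a status, "
          f"{result['failures']} failed, {result['with_user']} name a user")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

A log whose every record is accepted by the regex satisfies the outcome requirement; the user count is a signal for the identity requirement rather than a verdict, since "%u" is legitimately "-" on requests the container did not authenticate.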

b
tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
AU-5 - Medium - CCI-000139 - V-240770 - SV-240770r879570_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
VRAU-TC-000250
Vuln IDs
  • V-240770
  • V-89975
Rule IDs
  • SV-240770r879570_rule
  • SV-100625
Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administrative duties on the hosted system or within the hosted applications. If the logging system begins to fail, events will not be recorded. Organizations must define logging failure events, at which time the application or the logging mechanism the application utilizes will provide a warning to the ISSO and SA at a minimum.
Checks: C-44003r674421_chk

Interview the ISSO. Determine if log data and records are configured to alert the ISSO and SA in the event of processing failure. If log data and records are not configured to alert the ISSO and SA in the event of processing failure, this is a finding.

Fix: F-43962r674053_fix

Configure the web server to provide an alert to the ISSO and SA when log processing failures occur. If the web server cannot generate alerts, utilize an external logging system that meets this criterion.

b
tc Server HORIZON log files must only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240771 - SV-240771r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-TC-000260
Vuln IDs
  • V-240771
  • V-89977
Rule IDs
  • SV-240771r879576_rule
  • SV-100627
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.
Checks: C-44004r674055_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/horizon If any log files have permissions less restrictive than "640", this is a finding.

Fix: F-43963r674056_fix

At the command prompt, execute the following commands:
chmod 640 /storage/log/vmware/horizon/<file>
sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs
Note: Substitute <file> with the listed file. Note: The "sed" command sets the default umask for login sessions so that files created interactively are readable and writable only by their owner; log files written by the running tc Server service take the service process's umask, so re-check the directory after the service has created new log files.

b
tc Server VCO log files must only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240772 - SV-240772r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-TC-000265
Vuln IDs
  • V-240772
  • V-89979
Rule IDs
  • SV-240772r879576_rule
  • SV-100629
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.
Checks: C-44005r674058_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/vco/app-server If any log files have permissions less restrictive than "640", this is a finding.

Fix: F-43964r674059_fix

At the command prompt, execute the following commands:
chmod 640 /storage/log/vmware/vco/app-server/<file>
sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs
Note: Substitute <file> with the listed file. Note: The "sed" command sets the default umask for login sessions so that files created interactively are readable and writable only by their owner; log files written by the running tc Server service take the service process's umask, so re-check the directory after the service has created new log files.

b
tc Server VCAC log files must only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-240773 - SV-240773r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-TC-000270
Vuln IDs
  • V-240773
  • V-89981
Rule IDs
  • SV-240773r879576_rule
  • SV-100631
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.
Checks: C-44006r674061_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files have permissions less restrictive than "640", this is a finding.

Fix: F-43965r674062_fix

At the command prompt, execute the following commands:
chmod 640 /storage/log/vmware/vcac/<file>
sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs
Note: Substitute <file> with the listed file. Note: The "sed" command sets the default umask for login sessions so that files created interactively are readable and writable only by their owner; log files written by the running tc Server service take the service process's umask, so re-check the directory after the service has created new log files.

b
tc Server HORIZON log files must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240774 - SV-240774r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-TC-000275
Vuln IDs
  • V-240774
  • V-89983
Rule IDs
  • SV-240774r879577_rule
  • SV-100633
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.
Checks: C-44007r674423_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/horizon If any log files are not owned by "horizon", this is a finding.

Fix: F-43966r674065_fix

At the command prompt, execute the following command: chown horizon:www /storage/log/vmware/horizon/<file> Note: Substitute <file> with the listed file.

b
tc Server VCO log files must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240775 - SV-240775r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-TC-000280
Vuln IDs
  • V-240775
  • V-89985
Rule IDs
  • SV-240775r879577_rule
  • SV-100635
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.
Checks: C-44008r674067_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/vco/app-server If any log files are not owned by "vco", this is a finding.

Fix: F-43967r674068_fix

At the command prompt, execute the following command: chown vco:vco /storage/log/vmware/vco/app-server/<file> Note: Substitute <file> with the listed file.

b
tc Server VCAC log files must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240776 - SV-240776r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-TC-000285
Vuln IDs
  • V-240776
  • V-89987
Rule IDs
  • SV-240776r879577_rule
  • SV-100637
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.
Checks: C-44009r674070_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files are not owned by "root" or "vcac", this is a finding.

Fix: F-43968r674071_fix

At the command prompt, execute the following commands. Set the owner and group of these files to "vcac": access_log.txt, audit.log, catalina.log, catalina.out, gc_logs.log.0.current, host-manager.log, localhost.log, manager.log, and tomcat.pid:
chown vcac:vcac /storage/log/vmware/vcac/<file>
Set the owner and group of all other files not listed above to "root":
chown root:root /storage/log/vmware/vcac/<file>
Note: Substitute <file> with the listed file.

b
tc Server HORIZON log files must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240777 - SV-240777r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-TC-000290
Vuln IDs
  • V-240777
  • V-89989
Rule IDs
  • SV-240777r879578_rule
  • SV-100639
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.
Checks: C-44010r674073_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/horizon If any log files are not group-owned by "www", this is a finding.

Fix: F-43969r674074_fix

At the command prompt, execute the following command: chown horizon:www /storage/log/vmware/horizon/<file> Note: Substitute <file> with the listed file.

b
tc Server VCO log files must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240778 - SV-240778r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-TC-000295
Vuln IDs
  • V-240778
  • V-89991
Rule IDs
  • SV-240778r879578_rule
  • SV-100641
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.
Checks: C-44011r674076_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/vco/app-server If any log files are not group-owned by "vco", this is a finding.

Fix: F-43970r674077_fix

At the command prompt, execute the following command: chown vco:vco /storage/log/vmware/vco/app-server/<file> Note: Substitute <file> with the listed file.

b
tc Server VCAC log files must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240779 - SV-240779r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-TC-000300
Vuln IDs
  • V-240779
  • V-89993
Rule IDs
  • SV-240779r879578_rule
  • SV-100643
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.
Checks: C-44012r674079_chk

At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files are not group-owned by "root", this is a finding.

Fix: F-43971r674080_fix

At the command prompt, execute the following command: chown root:root /storage/log/vmware/vcac/<file> Note: Substitute <file> with the listed file.
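The following Python block is an added example, not part of the STIG or of the vRA appliance, covering the three families of log-file checks above: permissions no less restrictive than 640 (VRAU-TC-000260/265/270), ownership (VRAU-TC-000275/280/285) and group ownership (VRAU-TC-000290/295/300). It evaluates a directory the way a reviewer reads "ls -lL" output, shows why "UMASK 077" satisfies the 640 bound, and exercises itself on a scratch directory it creates; the expected owner and group names, the file names and the scratch directory are constructed for the example, and the block assumes a Unix host with pwd/grp name resolution.

```python
import grp
import os
import pwd
import stat
import tempfile
from pathlib import Path

MAX_MODE = 0o640   # "permissions less restrictive than 640" is a finding


def name_of_uid(uid):
    """User name for a uid, falling back to the number when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def evaluate_entry(mode, owner, group, expected_owners=(), expected_group=None,
                   max_mode=MAX_MODE):
    """Findings for one file. A mode is a finding if it grants any permission bit
    that max_mode does not, so 0600 passes while 0644, 0660 or 0750 fail."""
    findings = []
    if mode & ~max_mode:
        findings.append(f"mode {mode:04o} is less restrictive than {max_mode:04o}")
    if expected_owners and owner not in expected_owners:
        findings.append(f"owner {owner!r} is not one of {sorted(expected_owners)}")
    if expected_group is not None and group != expected_group:
        findings.append(f"group {group!r} is not {expected_group!r}")
    return findings


def audit_log_dir(directory, expected_owners=(), expected_group=None, max_mode=MAX_MODE):
    """Review a log directory as 'ls -lL' shows it (stat() follows symlinks like -L).
    Returns {file name: [findings]} for non-compliant regular files only."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        st = path.stat()
        findings = evaluate_entry(stat.S_IMODE(st.st_mode), name_of_uid(st.st_uid),
                                  name_of_gid(st.st_gid), expected_owners,
                                  expected_group, max_mode)
        if findings:
            results[path.name] = findings
    return results


def mode_after_umask(umask, requested=0o666):
    """Mode a process gets when creating a regular file: UMASK 077 yields 0600."""
    return requested & ~umask


def remediate(path, mode=MAX_MODE, owner=None, group=None):
    """Apply the STIG fix actions (chmod 640, chown owner:group) to one file."""
    os.chmod(path, mode)
    if owner or group:
        uid = pwd.getpwnam(owner).pw_uid if owner else -1
        gid = grp.getgrnam(group).gr_gid if group else -1
        os.chown(path, uid, gid)


def self_check():
    """Constructed data: a scratch directory with one compliant, one tighter and
    one world-readable file, audited against the current user as expected owner."""
    root = tempfile.mkdtemp(prefix="stig-logs-")
    for name, mode in (("compliant.log", 0o640), ("tight.log", 0o600),
                       ("world.log", 0o644)):
        p = Path(root, name)
        p.write_text("constructed log line\n")
        os.chmod(p, mode)
    return audit_log_dir(root, expected_owners=(name_of_uid(os.getuid()),))


if __name__ == "__main__":
    for name, findings in self_check().items():
        print(name, "->", "; ".join(findings))
```

On the appliance the expected owners and group come from the rules above (for example "vco" for /storage/log/vmware/vco/app-server, and "horizon" with group "www" for /storage/log/vmware/horizon); run the audit again after the service has rotated its logs, because the fix only alters files that already exist.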

b
tc Server ALL log data and records must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-240780 - SV-240780r879582_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
VRAU-TC-000305
Vuln IDs
  • V-240780
  • V-89995
Rule IDs
  • SV-240780r879582_rule
  • SV-100645
Protection of tc Server ALL log data includes assuring log data is not accidentally lost or deleted. Backing up tc Server ALL log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Checks: C-44013r674082_chk

Interview the ISSO. Determine whether log data and records are being backed up onto a different system or media. If log data and records are not being backed up onto a different system or media, this is a finding.

Fix: F-43972r674083_fix

Ensure log data and records are being backed up to a different system or separate media.

b
tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
CM-5 - Medium - CCI-001749 - V-240781 - SV-240781r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VRAU-TC-000310
Vuln IDs
  • V-240781
  • V-89997
Rule IDs
  • SV-240781r879584_rule
  • SV-100647
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches regularly. It is crucial that system administrators coordinate installation of product updates with the site ISSO to ensure that only valid files are uploaded onto the system.
Checks: C-44014r854837_chk

Interview the ISSO. Determine whether web server files are being fully reviewed, tested, and signed before being implemented into the production environment. If the web server files are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-43973r674086_fix

Configure the web server to verify object integrity before becoming part of the production web server or utilize an external tool designed to meet this requirement.

b
tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
CM-5 - Medium - CCI-001749 - V-240782 - SV-240782r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VRAU-TC-000315
Vuln IDs
  • V-240782
  • V-89999
Rule IDs
  • SV-240782r879584_rule
  • SV-100649
In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on a functional production website entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and logon schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable. VMware delivers product updates and patches regularly. It is crucial that system administrators coordinate installation of product updates with the site ISSO to ensure that only valid files are uploaded onto the system.
Checks: C-44015r854839_chk

Interview the ISSO. Determine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment. If the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-43974r674089_fix

Configure the web server to enforce, internally or through an external utility, the review, testing and signing of modules before implementation into the production environment.

b
tc Server HORIZON must not use the tomcat-users XML database for user management.
CM-7 - Medium - CCI-000381 - V-240783 - SV-240783r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000320
Vuln IDs
  • V-240783
  • V-90001
Rule IDs
  • SV-240783r879587_rule
  • SV-100651
User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logons, and management of temporary and emergency accounts; and all of this must be done enterprise-wide. For historical reasons, tc Server contains a tomcat-users.xml file in the configuration directory. This file was originally used by standalone applications that did not authenticate against an LDAP or other enterprise mechanism. vRA does not use this file.
Checks: C-44016r674091_chk

At the command prompt, execute the following command: cat /opt/vmware/horizon/workspace/conf/tomcat-users.xml If "tomcat-users.xml" file contains any user information, this is a finding.

Fix: F-43975r674092_fix

Contact the ISSO and/or SA. Determine why user data is being stored in "tomcat-users.xml". If the user data is not required, remove it. The vRA appliance does not maintain user data in this file by default.

b
tc Server VCO must not use the tomcat-users XML database for user management.
CM-7 - Medium - CCI-000381 - V-240784 - SV-240784r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000325
Vuln IDs
  • V-240784
  • V-90003
Rule IDs
  • SV-240784r879587_rule
  • SV-100653
User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks, such as enforcing password complexity, locking users out after a configurable number of failed logons, and managing temporary and emergency accounts, and all of this must be done enterprise-wide. For historical reasons, tc Server contains a tomcat-users.xml file in the configuration directory. This file was originally used by standalone applications that did not authenticate against LDAP or another enterprise mechanism. vRA does not use this file.
Checks: C-44017r674094_chk

At the command prompt, execute the following command: cat /etc/vco/app-server/tomcat-users.xml If the "tomcat-users.xml" file contains any user information, this is a finding.

Fix: F-43976r674095_fix

Contact the ISSO and/or SA. Determine why user data is being stored in "tomcat-users.xml". If the user data is not required, remove it. The vRA appliance does not maintain user data in this file by default.

tc Server VCAC must not use the tomcat-users XML database for user management.
CM-7 - Medium - CCI-000381 - V-240785 - SV-240785r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000330
Vuln IDs
  • V-240785
  • V-90005
Rule IDs
  • SV-240785r879587_rule
  • SV-100655
User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks, such as enforcing password complexity, locking users out after a configurable number of failed logons, and managing temporary and emergency accounts, and all of this must be done enterprise-wide. For historical reasons, tc Server contains a tomcat-users.xml file in the configuration directory. This file was originally used by standalone applications that did not authenticate against LDAP or another enterprise mechanism. vRA does not use this file.
Checks: C-44018r674097_chk

At the command prompt, execute the following command: cat /etc/vcac/tomcat-users.xml If the "tomcat-users.xml" file contains any user information, this is a finding.

Fix: F-43977r674098_fix

Contact the ISSO and/or SA. Determine why user data is being stored in "tomcat-users.xml". If the user data is not required, remove it. The vRA appliance does not maintain user data in this file by default.
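The three tomcat-users.xml checks above (HORIZON, VCO, VCAC) rely on reading raw cat output. The script below is an added example, not part of the STIG or of the vRA appliance: it parses each file and reports only the entries the server would actually load. XML comments are discarded by the parser, so the commented-out sample users that a stock Tomcat file ships with do not count, while any live <user>, <role> or <group> element does. The file paths are the ones the checks name; the two sample documents are constructed for the demonstration.

```python
"""Flag live user/role entries in a tc Server tomcat-users.xml (added example)."""
import xml.etree.ElementTree as ET

# Files named by the three checks (HORIZON, VCO, VCAC).
TOMCAT_USERS_FILES = {
    "HORIZON": "/opt/vmware/horizon/workspace/conf/tomcat-users.xml",
    "VCO": "/etc/vco/app-server/tomcat-users.xml",
    "VCAC": "/etc/vcac/tomcat-users.xml",
}
ENTRY_TAGS = ("user", "role", "group")   # elements Tomcat's MemoryUserDatabase reads


def _local(tag):
    """Local name of a possibly namespaced tag ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def find_user_entries(xml_text):
    """Return (tag, attributes) for every live <user>/<role>/<group> element.

    ElementTree drops XML comments, so commented-out examples are not counted;
    only entries the server would load are. Passwords are redacted in the
    returned data so the report can be pasted into a ticket.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for el in root.iter():
        if _local(el.tag) in ENTRY_TAGS:
            attrs = dict(el.attrib)
            if "password" in attrs:
                attrs["password"] = "<redacted>"
            entries.append((_local(el.tag), attrs))
    return entries


def is_finding(xml_text):
    return bool(find_user_entries(xml_text))


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return find_user_entries(fh.read())


# Constructed sample: the shape of a stock file, examples commented out.
SAMPLE_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
</tomcat-users>
"""

# Constructed sample: someone added a live local account.
SAMPLE_FINDING = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="s3cret" roles="manager-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, path in TOMCAT_USERS_FILES.items():
        try:
            hits = audit_file(path)
        except FileNotFoundError:
            print(f"{label}: {path} not present, skipping")
            continue
        print(f"{label}: {'FINDING' if hits else 'ok'} ({len(hits)} live entries)")
        for tag, attrs in hits:
            print(f"  <{tag}> {attrs}")
```

Run it on the appliance as a user that can read the three files; any "FINDING" line lists the entries to take to the ISSO/SA per the fix text.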

tc Server ALL must only contain services and functions necessary for operation.
CM-7 - Medium - CCI-000381 - V-240786 - SV-240786r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000335
Vuln IDs
  • V-240786
  • V-90007
Rule IDs
  • SV-240786r879587_rule
  • SV-100657
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed non-essential to the web server mission or that can adversely impact server performance.
Checks: C-44019r674429_chk

Interview the ISSO. Review the web server documentation and deployed configuration to determine if web server features, services, and processes are installed that are not needed for hosted application deployment. If excessive features, services, and processes are installed, this is a finding.

Fix: F-43978r674101_fix

Uninstall or deactivate features, services, and processes not needed by the web server for operation.

tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
CM-7 - High - CCI-000381 - V-240787 - SV-240787r879587_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
VRAU-TC-000345
Vuln IDs
  • V-240787
  • V-90009
Rule IDs
  • SV-240787r879587_rule
  • SV-100659
Web server documentation, sample code, example applications, and tutorials may pose an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. Because tc Server is installed as part of the entire vRA application, and not installed separately, VMware has ensured that all documentation, sample code, example applications, and tutorials have been removed from tc Server as part of the build process.
Checks: C-44020r674431_chk

Interview the ISSO. Review the web server documentation and deployed configuration to determine if documentation, sample code, example applications, and tutorials have been removed. If documentation, sample code, example applications, and tutorials have not been removed, this is a finding.

Fix: F-43979r674104_fix

Remove all documentation, sample code, example applications, and tutorials.

tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
CM-7 - Medium - CCI-000381 - V-240788 - SV-240788r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000355
Vuln IDs
  • V-240788
  • V-90345
Rule IDs
  • SV-240788r879587_rule
  • SV-100995
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Because tc Server is installed as part of the entire vRA application, and not installed separately, VMware has ensured that no unnecessary utilities and programs have been included in tc Server.
Checks: C-44021r674469_chk

Interview the ISSO. Review the web server documentation and deployed configuration to determine if utility programs, services, plug-ins, and modules not necessary for operation have been removed. If utility programs, services, plug-ins, and modules not necessary for operation have not been removed, this is a finding.

Fix: F-43980r674107_fix

Remove all utility programs, services, plug-ins, and modules not necessary for operation.

tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
CM-7 - Medium - CCI-000381 - V-240789 - SV-240789r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000360
Vuln IDs
  • V-240789
  • V-90011
Rule IDs
  • SV-240789r879587_rule
  • SV-100661
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application, there is a security issue: a user with too much access can view information that is not needed for the user's job role, or could use the function in an unintended manner. A MIME type mapping tells the web server what kind of content a file type or extension holds and which external utilities or programs are needed to handle it. tc Server configures MIME types in the web.xml file. By ensuring that the sh, csh, and shar MIME types are not included in web.xml, the server is protected against malicious users tricking it into executing shell command files.
Checks: C-44022r674109_chk

At the command prompt, execute the following command: find / -name 'web.xml' -print0 | xargs -0r grep -HEn '(x-csh<)|(x-sh<)|(x-shar<)|(x-ksh<)' If the command produces any output, this is a finding.

Fix: F-43981r674110_fix

Navigate to each file that was listed. Open the file in a text editor. Delete any <mime-mapping> entries for the following types: application/x-sh, application/x-shar, application/x-csh, application/x-ksh.

tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
CM-7 - Medium - CCI-000381 - V-240790 - SV-240790r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000365
Vuln IDs
  • V-240790
  • V-90013
Rule IDs
  • SV-240790r879587_rule
  • SV-100663
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts cannot be added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed. Because tc Server is installed as part of the entire vRA application, and not installed separately, VMware has ensured that scripts not needed for application operation or deemed vulnerable have been removed from tc Server.
Checks: C-44023r674112_chk

Interview the ISSO. Review the web server documentation and deployed configuration to determine whether all mappings to unused and vulnerable scripts have been removed. If they have not, this is a finding.

Fix: F-43982r674113_fix

Remove script mappings that are not needed for web server and hosted application operation.

tc Server HORIZON must have mappings set for Java Servlet Pages.
CM-7 - Medium - CCI-000381 - V-240791 - SV-240791r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000370
Vuln IDs
  • V-240791
  • V-90015
Rule IDs
  • SV-240791r879587_rule
  • SV-100665
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client, and of identifying which file types are not to be delivered to a client. Without specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As a derivative of the Apache Tomcat project, tc Server is a Java-based web server. As a result, the main file extension used by tc Server is *.jsp. This check ensures that the *.jsp and *.jspx file types have been properly mapped to the JSP servlet.
Checks: C-44024r674115_chk

At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /opt/vmware/horizon/workspace/conf/web.xml If the jsp and jspx file extensions have not both been mapped to the JSP servlet, this is a finding.

Fix: F-43983r674116_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <!-- The mappings for the JSP servlet --> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>

tc Server VCO must have mappings set for Java Servlet Pages.
CM-7 - Medium - CCI-000381 - V-240792 - SV-240792r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000375
Vuln IDs
  • V-240792
  • V-90017
Rule IDs
  • SV-240792r879587_rule
  • SV-100667
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client, and of identifying which file types are not to be delivered to a client. Without specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As a derivative of the Apache Tomcat project, tc Server is a Java-based web server. As a result, the main file extension used by tc Server is *.jsp. This check ensures that the *.jsp and *.jspx file types have been properly mapped to the JSP servlet.
Checks: C-44025r674118_chk

At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /etc/vco/app-server/web.xml If the jsp and jspx file extensions have not both been mapped to the JSP servlet, this is a finding.

Fix: F-43984r674119_fix

Navigate to and open /etc/vco/app-server/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <!-- The mappings for the JSP servlet --> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>

tc Server VCAC must have mappings set for Java Servlet Pages.
CM-7 - Medium - CCI-000381 - V-240793 - SV-240793r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000380
Vuln IDs
  • V-240793
  • V-90019
Rule IDs
  • SV-240793r879587_rule
  • SV-100669
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client, and of identifying which file types are not to be delivered to a client. Without specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As a derivative of the Apache Tomcat project, tc Server is a Java-based web server. As a result, the main file extension used by tc Server is *.jsp. This check ensures that the *.jsp and *.jspx file types have been properly mapped to the JSP servlet.
Checks: C-44026r674121_chk

At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /etc/vcac/web.xml If the jsp and jspx file extensions have not both been mapped to the JSP servlet, this is a finding.

Fix: F-43985r674122_fix

Navigate to and open /etc/vcac/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <!-- The mappings for the JSP servlet --> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>

tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
CM-7 - Medium - CCI-000381 - V-240794 - SV-240794r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000385
Vuln IDs
  • V-240794
  • V-90021
Rule IDs
  • SV-240794r879587_rule
  • SV-100671
A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality makes development and deployment much easier for web authors. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server. As an extension of Tomcat, tc Server uses the org.apache.catalina.servlets.WebdavServlet servlet to provide WebDAV services. Because the WebDAV service has been found to have an excessive number of vulnerabilities, this servlet must not be installed.
Checks: C-44027r674124_chk

At the command prompt, execute the following command: find / -name 'web.xml' -print0 | xargs -0r grep -HEin 'webdav' If the command produces any output, this is a finding. Note: The match is case-insensitive so that both a <servlet-name>webdav</servlet-name> mapping and the org.apache.catalina.servlets.WebdavServlet class name in a <servlet> definition are caught.

Fix: F-43986r674125_fix

Navigate to and open each listed file. Locate the WebDAV servlet definition (the <servlet> node whose <servlet-class> is org.apache.catalina.servlets.WebdavServlet) and its mapping (the <servlet-mapping> node that contains <servlet-name>webdav</servlet-name>). Remove the WebDAV servlet and any mapping associated with it.

tc Server HORIZON must be configured with memory leak protection.
CM-7 - Medium - CCI-000381 - V-240795 - SV-240795r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000390
Vuln IDs
  • V-240795
  • V-90023
Rule IDs
  • SV-240795r879587_rule
  • SV-100673
The Java Runtime Environment (JRE) can leak memory or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources, leading to OutOfMemoryErrors when reloading web applications. The leak occurs when JRE code loads a singleton through the context class loader while a web application's class loader happens to be the context class loader at the time; the singleton then pins that class loader, and everything it loaded, in memory. The JreMemoryLeakPreventionListener class is designed to initialize these singletons while Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection ensures that the hosted application does not consume system resources and cause an unstable environment.
Checks: C-44028r674127_chk

At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /opt/vmware/horizon/workspace/conf/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.

Fix: F-43987r674128_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

tc Server VCO must be configured with memory leak protection.
CM-7 - Medium - CCI-000381 - V-240796 - SV-240796r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000395
Vuln IDs
  • V-240796
  • V-90025
Rule IDs
  • SV-240796r879587_rule
  • SV-100675
The Java Runtime Environment (JRE) can leak memory or lock files under certain conditions. Without memory leak protection, tc Server VCO can continue to consume system resources, leading to OutOfMemoryErrors when reloading web applications. The leak occurs when JRE code loads a singleton through the context class loader while a web application's class loader happens to be the context class loader at the time; the singleton then pins that class loader, and everything it loaded, in memory. The JreMemoryLeakPreventionListener class is designed to initialize these singletons while Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection ensures that the hosted application does not consume system resources and cause an unstable environment.
Checks: C-44029r674130_chk

At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /etc/vco/app-server/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.

Fix: F-43988r674131_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

tc Server VCAC must be configured with memory leak protection.
CM-7 - Medium - CCI-000381 - V-240797 - SV-240797r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000400
Vuln IDs
  • V-240797
  • V-90027
Rule IDs
  • SV-240797r879587_rule
  • SV-100677
The Java Runtime Environment (JRE) can leak memory or lock files under certain conditions. Without memory leak protection, tc Server VCAC can continue to consume system resources, leading to OutOfMemoryErrors when reloading web applications. The leak occurs when JRE code loads a singleton through the context class loader while a web application's class loader happens to be the context class loader at the time; the singleton then pins that class loader, and everything it loaded, in memory. The JreMemoryLeakPreventionListener class is designed to initialize these singletons while Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection ensures that the hosted application does not consume system resources and cause an unstable environment.
Checks: C-44030r674133_chk

At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /etc/vcac/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.

Fix: F-43989r674134_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

tc Server VCO must not have any symbolic links in the web content directory tree.
CM-7 - Medium - CCI-000381 - V-240798 - SV-240798r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VRAU-TC-000410
Vuln IDs
  • V-240798
  • V-90029
Rule IDs
  • SV-240798r879587_rule
  • SV-100679
A web server is designed to deliver content and execute scripts or applications at the request of a client or user. Confining user requests to files in the directory tree of the hosted web application, and limiting the execution of scripts and applications, ensures that the user is not accessing protected information outside the application's realm. By checking that no symbolic links exist in the document root, the web server is protected from users jumping outside the hosted application directory tree and gaining access to other directories, including the system root.
Checks: C-44031r674136_chk

At the command prompt, execute the following command: ls -lR /usr/lib/vco/configuration/webapps | grep '^l' If the command produces any output, this is a finding.

Fix: F-43990r674137_fix

At the command prompt, execute the following command for each file that was returned: unlink <file_name> Note: Replace <file_name> with the path of the symbolic link that was returned.
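The check above greps ls -lR output for lines beginning with "l". The script below is an added example, not part of the STIG or of vRA: it walks the webapps tree without following links, lists every symbolic link, and additionally resolves each one to say whether it points outside the document root, which is the traversal risk the rule text describes. Every link is still a finding under the rule; the escape flag only helps prioritise. The VCO path is the one the check names; the demo tree it builds when run without arguments is constructed for the demonstration.

```python
"""List symbolic links under a web content tree (added example for VRAU-TC-000410)."""
import os
import shutil
import tempfile

VCO_WEBAPPS = "/usr/lib/vco/configuration/webapps"   # path named by the check


def find_symlinks(root):
    """Return sorted (link_path, link_target, escapes_root) triples.

    os.walk never follows links, so a link to a directory is listed once and
    not descended into. Any link is a finding; escapes_root additionally
    says whether the link resolves outside the document root.
    """
    root = os.path.realpath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                resolved = os.path.realpath(path)
                escapes = os.path.commonpath([root, resolved]) != root
                hits.append((path, os.readlink(path), escapes))
    return sorted(hits)


def summarize(root):
    """{link basename: escapes_root}, a compact form for reports and checks."""
    return {os.path.basename(p): esc for p, _, esc in find_symlinks(root)}


def build_demo_tree():
    """Constructed webapps tree: one in-tree link and one link out to /etc."""
    base = tempfile.mkdtemp(prefix="webapps-demo-")
    os.makedirs(os.path.join(base, "ROOT"))
    with open(os.path.join(base, "ROOT", "index.html"), "w") as fh:
        fh.write("<html></html>")
    os.symlink("ROOT/index.html", os.path.join(base, "home.html"))
    os.symlink("/etc", os.path.join(base, "ROOT", "cfg"))
    return base


if __name__ == "__main__":
    import sys
    demo = len(sys.argv) < 2
    target = build_demo_tree() if demo else sys.argv[1]
    links = find_symlinks(target)
    for path, dest, escapes in links:
        print(f"{'ESCAPES' if escapes else 'in-tree'}  {path} -> {dest}")
    print(f"{len(links)} symbolic link(s): {'FINDING' if links else 'ok'}")
    if demo:
        shutil.rmtree(target)
```

Run it with the webapps path as the only argument on the appliance; without an argument it audits its own constructed tree and removes it afterwards.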

tc Server HORIZON must be configured to use a specified IP address and port.
CM-7 - Medium - CCI-000382 - V-240799 - SV-240799r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VRAU-TC-000420
Vuln IDs
  • V-240799
  • V-90031
Rule IDs
  • SV-240799r879588_rule
  • SV-100681
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, e.g., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the intended application IP address.
Checks: C-44032r674139_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If either the IP address (address attribute) or the port (port attribute) is not specified for each <Connector>, this is a finding.

Fix: F-43991r674140_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the values 'address="XXXXX"' and 'port="NNNNN"'. Note: Replace XXXXX and NNNNN with the appropriate IP address and port for that node.

tc Server VCO must be configured to use a specified IP address and port.
CM-7 - Medium - CCI-000382 - V-240800 - SV-240800r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VRAU-TC-000425
Vuln IDs
  • V-240800
  • V-90033
Rule IDs
  • SV-240800r879588_rule
  • SV-100683
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, e.g., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the intended application IP address.
Checks: C-44033r674142_chk

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. If either the IP address (address attribute) or the port (port attribute) is not specified for the <Connector>, this is a finding.

Fix: F-43992r674143_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the values 'address="XXXXX"' and 'port="NNNNN"'. Note: Replace XXXXX and NNNNN with the appropriate IP address and port for that node.

tc Server VCAC must be configured to use a specified IP address and port.
CM-7 - Medium - CCI-000382 - V-240801 - SV-240801r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VRAU-TC-000430
Vuln IDs
  • V-240801
  • V-90035
Rule IDs
  • SV-240801r879588_rule
  • SV-100685
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, e.g., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the intended application IP address.
Checks: C-44034r674145_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If either the IP address (address attribute) or the port (port attribute) is not specified for the <Connector>, this is a finding.

Fix: F-43993r674146_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the values 'address="XXXXX"' and 'port="NNNNN"'. Note: Replace XXXXX and NNNNN with the appropriate IP address and port for that node.

tc Server HORIZON must encrypt passwords during transmission.
IA-5 - Medium - CCI-000197 - V-240802 - SV-240802r879609_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
VRAU-TC-000435
Vuln IDs
  • V-240802
  • V-90037
Rule IDs
  • SV-240802r879609_rule
  • SV-100687
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's SSLEnabled flag to true turns on the SSL/TLS handshake and the encryption and decryption of traffic on that connector.
Checks: C-44035r674148_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.

Fix: F-43994r674149_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'SSLEnabled="true"'.

tc Server VCAC must encrypt passwords during transmission.
IA-5 - Medium - CCI-000197 - V-240803 - SV-240803r879609_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
VRAU-TC-000440
Vuln IDs
  • V-240803
  • V-90039
Rule IDs
  • SV-240803r879609_rule
  • SV-100689
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's SSLEnabled flag to true turns on the SSL/TLS handshake and the encryption and decryption of traffic on that connector.
Checks: C-44036r674151_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.

Fix: F-43995r674152_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'SSLEnabled="true"'.
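The server.xml rules above (JreMemoryLeakPreventionListener on HORIZON/VCO/VCAC, an explicit address and port on every <Connector>, and SSLEnabled="true" on every <Connector>) are each checked by hand. The script below is an added example, not part of the STIG or of vRA: it parses one server.xml and evaluates all of those rules at once. It also raises a separate, non-STIG advisory when a connector has SSLEnabled="true" but not scheme="https" and secure="true"; Tomcat's connector documentation says to set those alongside SSLEnabled so that request.getScheme() and request.isSecure() report correctly, but the STIG check does not look for them. The listener class name is the one in the fix text; the sample server.xml is constructed for the demonstration.

```python
"""Audit a tc Server server.xml: leak listener, bound address/port, TLS (added example)."""
import xml.etree.ElementTree as ET

LEAK_LISTENER = "org.apache.catalina.core.JreMemoryLeakPreventionListener"


def audit_server_xml(xml_text):
    """Return {'findings': [...], 'advisories': [...]} for one server.xml.

    'findings' correspond to the STIG checks; 'advisories' go beyond them.
    """
    root = ET.fromstring(xml_text)
    findings, advisories = [], []

    # VRAU-TC-000390/395/400: the listener must be a direct child of <Server>.
    if root.tag != "Server":
        findings.append(f"root element is <{root.tag}>, expected <Server>")
    listeners = {lst.get("className") for lst in root.findall("Listener")}
    if LEAK_LISTENER not in listeners:
        findings.append("JreMemoryLeakPreventionListener is not registered on <Server>")

    # Connectors sit under <Server><Service>; iter() reaches them at any depth.
    for conn in root.iter("Connector"):
        ident = f"Connector port={conn.get('port', '?')}"
        # VRAU-TC-000420/425/430: explicit bind address and port.
        if not conn.get("address"):
            findings.append(f"{ident}: no address attribute (binds every interface)")
        if not conn.get("port"):
            findings.append(f"{ident}: no port attribute")
        # VRAU-TC-000435/440: SSLEnabled="true" on every connector.
        if conn.get("SSLEnabled", "").lower() != "true":
            findings.append(f'{ident}: SSLEnabled is not "true"')
        elif conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            # Not a STIG check: per the Tomcat connector docs, scheme/secure
            # should accompany SSLEnabled so the servlet API sees HTTPS.
            advisories.append(f'{ident}: SSLEnabled without scheme="https" secure="true"')
    return {"findings": findings, "advisories": advisories}


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


# Constructed sample: one compliant connector, one missing scheme/secure,
# one listening everywhere in the clear.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="8443" address="10.0.0.5" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8444" address="10.0.0.5" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    results = {p: audit_file(p) for p in paths} if paths else {"<sample>": audit_server_xml(SAMPLE_SERVER_XML)}
    for path, result in results.items():
        print(path, "FINDING" if result["findings"] else "ok")
        for line in result["findings"]:
            print("  finding :", line)
        for line in result["advisories"]:
            print("  advisory:", line)
```

Pass the three server.xml paths from the checks as arguments; with no arguments it reports on the constructed sample.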

tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid.
IA-5 - Medium - CCI-000185 - V-240804 - SV-240804r879612_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
VRAU-TC-000445
Vuln IDs
  • V-240804
  • V-90041
Rule IDs
  • SV-240804r879612_rule
  • SV-100691
The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-44037r674433_chk

If PKI is not being used, this check is Not Applicable. Interview the ISSO. Review tc Server ALL configuration to verify that certificates being provided by the client are being validated in accordance with RFC 5280. If certificates are not being validated in accordance with RFC 5280, this is a finding.

Fix: F-43996r674155_fix

If PKI is not being used, this check is Not Applicable. Validate client certificates in accordance with RFC 5280.

tc Server ALL must only allow authenticated system administrators to have access to the keystore.
IA-5 - Medium - CCI-000186 - V-240805 - SV-240805r879613_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
VRAU-TC-000450
Vuln IDs
  • V-240805
  • V-90347
Rule IDs
  • SV-240805r879613_rule
  • SV-100997
The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server. tc Server stores the server's private key in a keystore file. The vRA keystore file is tcserver.keystore, and this file must be protected to only allow system administrators and other authorized users to have access to it.
Checks: C-44038r674471_chk

At the command prompt, execute the following command: ls -al /opt/vmware/horizon/workspace/conf/tcserver.keystore Verify that the file permissions are set to "640" or more restrictive. Verify that the owner is horizon and the group-owner is www. If any of these conditions is not met, this is a finding.

Fix: F-43997r674158_fix

At the command prompt, execute the following commands: chown horizon:www /opt/vmware/horizon/workspace/conf/tcserver.keystore chmod 640 /opt/vmware/horizon/workspace/conf/tcserver.keystore
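"640 or more restrictive" in the check above is easy to misjudge from ls output. The script below is an added example, not part of the STIG or of vRA: it encodes that rule as a bit test (no permission bit may be set that 0640 does not set, so 0600 and 0400 pass while 0644, 0660 or any setuid/setgid/sticky bit fail), compares owner and group by name, and uses lstat so a symlink planted in place of the keystore is reported rather than followed. The keystore path and the horizon/www owner are the ones the check names; the demo file it creates is a constructed stand-in.

```python
"""Check keystore owner, group and mode against the STIG baseline (added example)."""
import grp
import os
import pwd
import stat
import tempfile

KEYSTORE = "/opt/vmware/horizon/workspace/conf/tcserver.keystore"
MAX_MODE = 0o640   # "640 or more restrictive"


def _name(lookup, numeric_id):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return lookup(numeric_id)[0]
    except KeyError:
        return str(numeric_id)


def current_owner_group():
    """(user, group) names of the running process; used by the demo."""
    return _name(pwd.getpwuid, os.getuid()), _name(grp.getgrgid, os.getgid())


def check_keystore(path, owner="horizon", group="www", max_mode=MAX_MODE):
    """Return a list of findings; an empty list means compliant."""
    st = os.lstat(path)            # do not follow a link standing in for the file
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("keystore path is a symbolic link")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:           # any bit set that the baseline does not allow
        findings.append(f"mode {mode:04o} is less restrictive than {max_mode:04o}")
    actual_owner = _name(pwd.getpwuid, st.st_uid)
    actual_group = _name(grp.getgrgid, st.st_gid)
    if actual_owner != owner:
        findings.append(f"owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        findings.append(f"group is {actual_group}, expected {group}")
    return findings


def make_demo_keystore(mode):
    """Constructed stand-in for tcserver.keystore with the given mode."""
    fd, path = tempfile.mkstemp(prefix="tcserver-demo-", suffix=".keystore")
    os.write(fd, b"\xfe\xed\xfe\xed")   # JKS magic; the content is irrelevant here
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = check_keystore(sys.argv[1])
    else:   # demo against a constructed file owned by the current user
        user, grp_name = current_owner_group()
        findings = check_keystore(make_demo_keystore(0o644), user, grp_name)
    print("ok" if not findings else "FINDING: " + "; ".join(findings))
```

On the appliance, run it with the keystore path as the argument; the defaults expect owner horizon and group www as the check does.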

tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
IA-7 - Medium - CCI-000803 - V-240806 - SV-240806r879616_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
VRAU-TC-000460
Vuln IDs
  • V-240806
  • V-90043
Rule IDs
  • SV-240806r879616_rule
  • SV-100693
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vRA relies upon the OpenSSL suite of encryption libraries. A carefully defined software component, the OpenSSL FIPS Object Module, has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.
Checks: C-44039r674435_chk

At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "bio-ssl.cipher.list" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-43998r674161_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to and locate "bio-ssl.cipher.list". Configure the "bio-ssl.cipher.list" with FIPS 140-2 compliant ciphers.

b
tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
IA-7 - Medium - CCI-000803 - V-240807 - SV-240807r879616_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
VRAU-TC-000465
Vuln IDs
  • V-240807
  • V-90045
Rule IDs
  • SV-240807r879616_rule
  • SV-100695
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vRA relies upon the OpenSSL suite of encryption libraries. A special, carefully defined software component called the OpenSSL FIPS Object Module has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.
Checks: C-44040r674437_chk

At the command prompt, execute the following command: grep cipher /etc/vcac/catalina.properties If the value of "cipher" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-43999r674164_fix

Navigate to and open /etc/vcac/catalina.properties. Navigate to and locate "cipher". Configure the "cipher" with FIPS 140-2 compliant ciphers.

c
tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SC-2 - High - CCI-001082 - V-240808 - SV-240808r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-TC-000475
Vuln IDs
  • V-240808
  • V-90047
Rule IDs
  • SV-240808r879631_rule
  • SV-100697
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. As with all secure web server installations, tc Server files and directories must be adequately protected with correct permissions.
Checks: C-44041r674166_chk

At the command prompt, execute the following command: ls -alR /opt/vmware/horizon/workspace/webapps | grep -E '^-' | awk '$3 !~ /horizon|root/ {print}' If the command produces any output, this is a finding.

Fix: F-44000r674167_fix

At the command prompt, execute the following command: chown horizon:www <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.

c
tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SC-2 - High - CCI-001082 - V-240809 - SV-240809r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-TC-000480
Vuln IDs
  • V-240809
  • V-90049
Rule IDs
  • SV-240809r879631_rule
  • SV-100699
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. As with all secure web server installations, tc Server files and directories must be adequately protected with correct permissions.
Checks: C-44042r674169_chk

At the command prompt, execute the following command: ls -lL /usr/lib/vco/configuration/webapps If the listed files are not owned by "vco", this is a finding.

Fix: F-44001r674170_fix

At the command prompt, execute the following command: chown vco:vco <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.

c
tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SC-2 - High - CCI-001082 - V-240810 - SV-240810r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-TC-000485
Vuln IDs
  • V-240810
  • V-90051
Rule IDs
  • SV-240810r879631_rule
  • SV-100701
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. As with all secure web server installations, tc Server files and directories must be adequately protected with correct permissions.
Checks: C-44043r674172_chk

At the command prompt, execute the following command: ls -alR /etc/vcac /usr/lib/vcac/server/webapps | grep -E '^-' | awk '$3 !~ /vcac|root/ {print}' If the command produces any output, this is a finding.

Fix: F-44002r674173_fix

For each file that was returned (under /etc/vcac or /usr/lib/vcac/server/webapps), at the command prompt execute the following command: chown vcac:vcac <file_name> Note: Replace <file_name> with the name of the file that was returned.

c
tc Server HORIZON web server application directories must not be accessible to anonymous users.
SC-2 - High - CCI-001082 - V-240811 - SV-240811r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-TC-000490
Vuln IDs
  • V-240811
  • V-90053
Rule IDs
  • SV-240811r879631_rule
  • SV-100703
In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.
Checks: C-44044r674175_chk

At the command prompt, execute the following command: ls -alR /opt/vmware/horizon/workspace | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44003r674176_fix

At the command prompt, execute the following command: chmod 750 <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.

c
tc Server VCO web server application directories must not be accessible to anonymous users.
SC-2 - High - CCI-001082 - V-240812 - SV-240812r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-TC-000495
Vuln IDs
  • V-240812
  • V-90055
Rule IDs
  • SV-240812r879631_rule
  • SV-100705
In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.
Checks: C-44045r674178_chk

At the command prompt, execute the following command: ls -alR /etc/vco /usr/lib/vco/app-server | grep -E '^-' | awk '$1 !~ /---$/ {print}' If anything is returned, this is a finding.

Fix: F-44004r674179_fix

At the command prompt, execute the following command: chmod 750 <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.

c
tc Server VCAC web server application directories must not be accessible to anonymous users.
SC-2 - High - CCI-001082 - V-240813 - SV-240813r879631_rule
RMF Control
SC-2
Severity
High
CCI
CCI-001082
Version
VRAU-TC-000500
Vuln IDs
  • V-240813
  • V-90057
Rule IDs
  • SV-240813r879631_rule
  • SV-100707
In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.
Checks: C-44046r674181_chk

At the command prompt, execute the following command: ls -alR /etc/vcac /usr/lib/vcac/server/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44005r674182_fix

At the command prompt, execute the following command: chmod 750 <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.
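The tcserver.keystore check at the top of this section and the ownership and anonymous-access checks of the six preceding requirements, as an added Python example that is not part of the STIG or of vRA: "640 or more restrictive" and "no bits for others" are evaluated as stat(2) bit masks rather than by reading ls output, and the function names, the allowed-owner sets and the temporary-file handling are the example's own.

```python
"""Ownership and permission audit for tc Server files.

Added example, not part of the STIG: the keystore check (mode 640 or more
restrictive, owner horizon, group www), the webapps ownership check
(awk '$3 !~ /horizon|root/') and the anonymous-access check
(awk '$1 !~ /---$/'), evaluated from stat(2) bits rather than by parsing
`ls -l`, whose mode column gains a '+' or '.' suffix when an ACL or
SELinux label is present and would then never end in '---'.
"""
import grp
import os
import pwd
import stat
from typing import Iterable, Iterator, List, Tuple


def mode_within(actual: int, allowed: int) -> bool:
    """True if `actual` is `allowed` or more restrictive: no permission bit
    (setuid/setgid/sticky included) is set unless `allowed` also sets it."""
    return (actual & 0o7777) & ~allowed == 0


def _owner_group(st: os.stat_result) -> Tuple[str, str]:
    """Resolve uid/gid to names, falling back to the numeric id."""
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group


def audit_file(path: str, allowed_mode: int, owner: str, group: str) -> List[str]:
    """Findings for one sensitive file, e.g. tcserver.keystore with
    allowed_mode=0o640, owner='horizon', group='www'. Empty = compliant."""
    st = os.lstat(path)
    findings = []
    if not mode_within(st.st_mode, allowed_mode):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is less "
                        f"restrictive than {allowed_mode:04o}")
    actual_owner, actual_group = _owner_group(st)
    if actual_owner != owner:
        findings.append(f"{path}: owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        findings.append(f"{path}: group is {actual_group}, expected {group}")
    return findings


def _regular_files(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Regular files under `root` (the `grep -E '^-'` of the STIG check);
    symlinks are neither followed nor reported."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                yield path, st


def files_not_owned_by(root: str, allowed_owners: Iterable[str]) -> List[str]:
    """Files whose owner is outside `allowed_owners`, e.g. {'horizon', 'root'}."""
    allowed = set(allowed_owners)
    return sorted(p for p, st in _regular_files(root)
                  if _owner_group(st)[0] not in allowed)


def world_accessible_files(root: str) -> List[str]:
    """Files with any 'other' permission bit set (STIG fix: chmod 750)."""
    return sorted(p for p, st in _regular_files(root) if st.st_mode & 0o007)


if __name__ == "__main__":
    # Paths are the HORIZON ones named in the STIG.
    conf = "/opt/vmware/horizon/workspace"
    for f in audit_file(f"{conf}/conf/tcserver.keystore", 0o640, "horizon", "www"):
        print(f)
    for p in files_not_owned_by(f"{conf}/webapps", {"horizon", "root"}):
        print(f"{p}: owner is not horizon or root")
    for p in world_accessible_files(conf):
        print(f"{p}: accessible to other users")
```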

b
tc Server ALL baseline must be documented and maintained.
SC-24 - Medium - CCI-001190 - V-240814 - SV-240814r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-TC-000550
Vuln IDs
  • V-240814
  • V-90059
Rule IDs
  • SV-240814r879640_rule
  • SV-100709
Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the possibility for security risks. The web server must offer, and not hinder, a method that allows for the quick and easy reinstallation of a verified and patched baseline to guarantee the production web server is up-to-date and has not been modified to add functionality or expose security risks. Because tc Server is installed as part of the entire vRA application, and not installed separately, VMware has ensured that all updates, upgrades, and patches have been thoroughly tested before becoming part of the production build process.
Checks: C-44047r674184_chk

Interview the ISSO. Review the web server documentation and deployed configuration to determine if the tc Server code baseline is documented and maintained. If the tc Server code baseline is not documented and maintained, this is a finding.

Fix: F-44006r674185_fix

Develop baseline documentation of the tc Server codebase.

b
tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SC-24 - Medium - CCI-001190 - V-240815 - SV-240815r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-TC-000555
Vuln IDs
  • V-240815
  • V-90061
Rule IDs
  • SV-240815r879640_rule
  • SV-100711
Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail-safe state for the web server. The VMware engineering process includes regression testing of new and modified components before they become part of the production build process.
Checks: C-44048r674187_chk

At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /opt/vmware/horizon/workspace/conf/catalina.properties If the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" setting is not set to "true" or is missing, this is a finding.

Fix: F-44007r674188_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Configure the setting "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" with the value "true". Note: The word "true" should not be surrounded with any quote characters.

b
tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SC-24 - Medium - CCI-001190 - V-240816 - SV-240816r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-TC-000560
Vuln IDs
  • V-240816
  • V-90063
Rule IDs
  • SV-240816r879640_rule
  • SV-100713
Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail-safe state for the web server. The VMware engineering process includes regression testing of new and modified components before they become part of the production build process.
Checks: C-44049r674190_chk

At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /etc/vco/app-server/catalina.properties If the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" setting is not set to "true" or is missing, this is a finding.

Fix: F-44008r674191_fix

Navigate to and open /etc/vco/app-server/catalina.properties. Configure the setting "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" with the value "true". Note: The word "true" should not be surrounded with any quote characters.

b
tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SC-24 - Medium - CCI-001190 - V-240817 - SV-240817r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-TC-000565
Vuln IDs
  • V-240817
  • V-90065
Rule IDs
  • SV-240817r879640_rule
  • SV-100715
Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail-safe state for the web server. The VMware engineering process includes regression testing of new and modified components before they become part of the production build process.
Checks: C-44050r674193_chk

At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /etc/vcac/catalina.properties If the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" setting is not set to "true" or is missing, this is a finding.

Fix: F-44009r674194_fix

Navigate to and open /etc/vcac/catalina.properties. Configure the setting "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" with the value "true". Note: The word "true" should not be surrounded with any quote characters.
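The two catalina.properties checks of this section, the cipher list (VRAU-TC-000460 and VRAU-TC-000465) and EXIT_ON_INIT_FAILURE (VRAU-TC-000555 through VRAU-TC-000565), as an added Python example that is not the STIG's or VMware's tooling: the reader handles comment and continuation lines that a bare grep does not, and the approved cipher set is supplied by the caller (for example, from openssl ciphers 'FIPS'). The sample properties text and the function names are constructed for the example.

```python
"""catalina.properties checks for tc Server.

Added example, not the STIG's own tooling: a java.util.Properties reader and
the two property checks of this section. A bare `grep EXIT_ON_INIT_FAILURE`
also matches a commented-out line or a value of false, so the check must
read the effective value instead.
"""
from typing import Dict, Iterable, Iterator, List

EXIT_KEY = "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE"
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines; skip blank and '#'/'!' comment lines."""
    buf, continued = "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continued and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing '\'
            buf, continued = buf + line[:-1], True
        else:
            yield buf + line
            buf, continued = "", False
    if buf:
        yield buf


def _unescape(s: str) -> str:
    """Resolve \\uXXXX, \\t \\n \\r \\f and generic \\<char> escapes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            if s[i + 1] == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace; one separator
    and surrounding whitespace are skipped before the value."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        i, key = 0, []
        while i < len(line):
            if line[i] == "\\" and i + 1 < len(line):
                key.append(line[i:i + 2])
                i += 2
            elif line[i] in "=: \t\f":
                break
            else:
                key.append(line[i])
                i += 1
        rest = line[i:].lstrip(" \t\f")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t\f")
        props[_unescape("".join(key))] = _unescape(rest)
    return props


def check_exit_on_init_failure(props: Dict[str, str]) -> List[str]:
    """Finding unless EXIT_ON_INIT_FAILURE is present with the value true. Per
    the STIG note, "true" written with quote characters is the string '"true"'."""
    value = props.get(EXIT_KEY)
    if value is None:
        return [f"{EXIT_KEY} is missing"]
    if value != "true":
        return [f"{EXIT_KEY} is {value!r}, expected true"]
    return []


def check_cipher_list(props: Dict[str, str], key: str, approved: Iterable[str]) -> List[str]:
    """Configured suites (',' or ':' separated) not in `approved`, which the caller
    supplies (e.g. from `openssl ciphers 'FIPS'`) in the same naming scheme."""
    value = props.get(key)
    if value is None:
        return [f"{key} is missing"]
    allowed = set(approved)
    configured = [c.strip() for c in value.replace(":", ",").split(",") if c.strip()]
    return [f"{key}: {c} is not an approved cipher" for c in configured if c not in allowed]


# Constructed sample, not a real vRA file: a commented-out line and a quoted value.
SAMPLE_PROPERTIES = """\
# org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true
org.apache.catalina.startup.EXIT_ON_INIT_FAILURE="true"
bio-ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\\
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\\
    TLS_RSA_WITH_RC4_128_SHA
"""
```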

b
tc Server HORIZON document directory must be in a separate partition from the web server's system files.
SC-3 - Medium - CCI-001084 - V-240818 - SV-240818r879643_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
VRAU-TC-000580
Vuln IDs
  • V-240818
  • V-90067
Rule IDs
  • SV-240818r879643_rule
  • SV-100717
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special 'webapps' folder. The Java engine, however, is stored in a separate area of the OS directory structure. For greatest security it is important to verify that the webapps and the Java directories remain separated.
Checks: C-44051r674196_chk

At the command prompt, execute the following commands: df -k /usr/java/jre-vmware df -k /opt/vmware/horizon/workspace/webapps If the two directories above are on the same partition, this is a finding.

Fix: F-44010r674197_fix

Consult with the ISSO. Move the tc Server HORIZON /opt/vmware/horizon/workspace/webapps folder to a separate partition.

b
tc Server VCO document directory must be in a separate partition from the web server's system files.
SC-3 - Medium - CCI-001084 - V-240819 - SV-240819r879643_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
VRAU-TC-000585
Vuln IDs
  • V-240819
  • V-90069
Rule IDs
  • SV-240819r879643_rule
  • SV-100719
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special 'webapps' folder. The Java engine, however, is stored in a separate area of the OS directory structure. For greatest security it is important to verify that the webapps and the Java directories remain separated.
Checks: C-44052r674199_chk

At the command prompt, execute the following commands: df -k /usr/java/jre-vmware df -k /usr/lib/vco/configuration/webapps If the two directories above are on the same partition, this is a finding.

Fix: F-44011r674200_fix

Consult with the ISSO. Move the tc Server VCO /usr/lib/vco/configuration/webapps folder to a separate partition.

b
tc Server VCAC document directory must be in a separate partition from the web server's system files.
SC-3 - Medium - CCI-001084 - V-240820 - SV-240820r879643_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
VRAU-TC-000590
Vuln IDs
  • V-240820
  • V-90071
Rule IDs
  • SV-240820r879643_rule
  • SV-100721
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special 'webapps' folder. The Java engine, however, is stored in a separate area of the OS directory structure. For greatest security it is important to verify that the webapps and the Java directories remain separated.
Checks: C-44053r674202_chk

At the command prompt, execute the following commands: df -k /usr/java/jre-vmware df -k /usr/lib/vcac/server/webapps If the two directories above are on the same partition, this is a finding.

Fix: F-44012r674203_fix

Consult with the ISSO. Move the tc Server VCAC /usr/lib/vcac/server/webapps folder to a separate partition.

b
tc Server HORIZON must set URIEncoding to UTF-8.
SI-10 - Medium - CCI-001310 - V-240824 - SV-240824r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VRAU-TC-000610
Vuln IDs
  • V-240824
  • V-90079
Rule IDs
  • SV-240824r879652_rule
  • SV-100729
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. To mitigate against many types of character-based vulnerabilities, tc Server should be configured to use a consistent character set. The URIEncoding attribute on the Connector nodes provides the means for tc Server to enforce a consistent character set encoding.
Checks: C-44057r674214_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "URIEncoding" is not set to "UTF-8" or is missing, this is a finding.

Fix: F-44016r674215_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'URIEncoding="UTF-8"'.

b
tc Server VCO must set URIEncoding to UTF-8.
SI-10 - Medium - CCI-001310 - V-240825 - SV-240825r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VRAU-TC-000615
Vuln IDs
  • V-240825
  • V-90081
Rule IDs
  • SV-240825r879652_rule
  • SV-100731
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. To mitigate against many types of character-based vulnerabilities, tc Server should be configured to use a consistent character set. The URIEncoding attribute on the Connector nodes provides the means for tc Server to enforce a consistent character set encoding.
Checks: C-44058r674217_chk

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. If the value of "URIEncoding" is not set to "UTF-8" or is missing, this is a finding.

Fix: F-44017r674218_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'URIEncoding="UTF-8"'.

b
tc Server HORIZON must use the setCharacterEncodingFilter filter.
SI-10 - Medium - CCI-001310 - V-240826 - SV-240826r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VRAU-TC-000620
Vuln IDs
  • V-240826
  • V-90083
Rule IDs
  • SV-240826r879652_rule
  • SV-100733
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. As a web server, tc Server can be vulnerable to character encoding attacks if steps are not taken to mitigate the threat. VMware utilizes the standard Tomcat SetCharacterEncodingFilter to provide a layer of defense against character encoding attacks. Filters are Java objects that perform filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.
Checks: C-44059r674220_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified. If the "setCharacterEncodingFilter" filter has not been specified or is commented out, this is a finding.

Fix: F-44018r674221_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Configure the <web-app> node with the <filter> node listed below. Note: The web.xml schema allows exactly one <param-name>/<param-value> pair per <init-param>, so the "encoding" and "ignore" parameters are each declared in their own <init-param> element.

<filter>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
  <init-param>
    <param-name>ignore</param-name>
    <param-value>false</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

b
tc Server VCO must use the setCharacterEncodingFilter filter.
SI-10 - Medium - CCI-001310 - V-240827 - SV-240827r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VRAU-TC-000625
Vuln IDs
  • V-240827
  • V-90085
Rule IDs
  • SV-240827r879652_rule
  • SV-100735
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. As a web server, tc Server can be vulnerable to character encoding attacks if steps are not taken to mitigate the threat. VMware utilizes the standard Tomcat SetCharacterEncodingFilter to provide a layer of defense against character encoding attacks. Filters are Java objects that perform filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.
Checks: C-44060r674223_chk

Navigate to and open /etc/vco/app-server/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified. If the "setCharacterEncodingFilter" filter has not been specified or is commented out, this is a finding.

Fix: F-44019r674224_fix

Navigate to and open /etc/vco/app-server/web.xml. Configure the <web-app> node with the <filter> node listed below. Note: The web.xml schema allows exactly one <param-name>/<param-value> pair per <init-param>, so the "encoding" and "ignore" parameters are each declared in their own <init-param> element.

<filter>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
  <init-param>
    <param-name>ignore</param-name>
    <param-value>false</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

b
tc Server VCAC must set URIEncoding to UTF-8.
SI-10 - Medium - CCI-001310 - V-240828 - SV-240828r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VRAU-TC-000630
Vuln IDs
  • V-240828
  • V-90087
Rule IDs
  • SV-240828r879652_rule
  • SV-100737
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. To mitigate against many types of character-based vulnerabilities, tc Server should be configured to use a consistent character set. The URIEncoding attribute on the Connector nodes provides the means for tc Server to enforce a consistent character set encoding.
Checks: C-44061r674226_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "URIEncoding" is not set to "UTF-8" or is missing, this is a finding.

Fix: F-44020r674227_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'URIEncoding="UTF-8"'.

b
tc Server VCAC must use the setCharacterEncodingFilter filter.
SI-10 - Medium - CCI-001310 - V-240829 - SV-240829r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VRAU-TC-000635
Vuln IDs
  • V-240829
  • V-90089
Rule IDs
  • SV-240829r879652_rule
  • SV-100739
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. As a web server, tc Server can be vulnerable to character encoding attacks if steps are not taken to mitigate the threat. VMware utilizes the standard Tomcat SetCharacterEncodingFilter to provide a layer of defense against character encoding attacks. Filters are Java objects that perform filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.
Checks: C-44062r674229_chk

Navigate to and open /etc/vcac/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified. If the "setCharacterEncodingFilter" filter has not been specified or is commented out, this is a finding.

Fix: F-44021r674230_fix

Navigate to and open /etc/vcac/web.xml. Configure the <web-app> node with the <filter> node listed below. Note: The web.xml schema allows exactly one <param-name>/<param-value> pair per <init-param>, so the "encoding" and "ignore" parameters are each declared in their own <init-param> element.

<filter>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
  <init-param>
    <param-name>ignore</param-name>
    <param-value>false</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

tc Server HORIZON must set the welcome-file node to a default web page.
SI-11 - Medium - CCI-001312 - V-240830 - SV-240830r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000640
Vuln IDs
  • V-240830
  • V-90091
Rule IDs
  • SV-240830r879655_rule
  • SV-100741
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In that scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an index.jsp (or equivalent) file is one common-sense approach to mitigating the vulnerability.
Checks: C-44063r674232_chk

At the command prompt, execute the following command:

grep -E -A 4 '<welcome-file-list' /opt/vmware/horizon/workspace/conf/web.xml

If a <welcome-file> node is not set to a default web page, this is a finding.

Fix: F-44022r674233_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Inspect the file and ensure that it contains the section below:

<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

tc Server VCO must set the welcome-file node to a default web page.
SI-11 - Medium - CCI-001312 - V-240831 - SV-240831r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000645
Vuln IDs
  • V-240831
  • V-90093
Rule IDs
  • SV-240831r879655_rule
  • SV-100743
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In that scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an index.jsp (or equivalent) file is one common-sense approach to mitigating the vulnerability.
Checks: C-44064r674235_chk

At the command prompt, execute the following command:

grep -E -A 4 '<welcome-file-list' /etc/vco/app-server/web.xml

If a <welcome-file> node is not set to a default web page, this is a finding.

Fix: F-44023r674236_fix

Navigate to and open /etc/vco/app-server/web.xml. Inspect the file and ensure that it contains the section below:

<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

tc Server VCAC must set the welcome-file node to a default web page.
SI-11 - Medium - CCI-001312 - V-240832 - SV-240832r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000650
Vuln IDs
  • V-240832
  • V-90095
Rule IDs
  • SV-240832r879655_rule
  • SV-100745
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In that scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an index.jsp (or equivalent) file is one common-sense approach to mitigating the vulnerability.
Checks: C-44065r674238_chk

At the command prompt, execute the following command:

grep -E -A 4 '<welcome-file-list' /etc/vcac/web.xml

If a <welcome-file> node is not set to a default web page, this is a finding.

Fix: F-44024r674239_fix

Navigate to and open /etc/vcac/web.xml. Inspect the file and ensure that it contains the section below:

<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

tc Server HORIZON must have the allowTrace parameter set to false.
SI-11 - Medium - CCI-001312 - V-240833 - SV-240833r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000660
Vuln IDs
  • V-240833
  • V-90097
Rule IDs
  • SV-240833r879655_rule
  • SV-100747
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. "Trace" is a technique for a user to request internal information about tc Server. This is useful during product development, but should not be enabled in production. Allowing an attacker to conduct a Trace operation against tc Server will expose information that would be useful to perform a more targeted attack. tc Server provides the allowTrace parameter as a means to disable responding to Trace requests.
Checks: C-44066r674241_chk

At the command prompt, execute the following command:

grep allowTrace /opt/vmware/horizon/workspace/conf/server.xml

If "allowTrace" is set to "true", this is a finding.

Note: If no line is returned, this is NOT a finding.

Fix: F-44025r674242_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate 'allowTrace="true"'. Remove the 'allowTrace="true"' setting.

tc Server VCO must have the allowTrace parameter set to false.
SI-11 - Medium - CCI-001312 - V-240834 - SV-240834r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000665
Vuln IDs
  • V-240834
  • V-90099
Rule IDs
  • SV-240834r879655_rule
  • SV-100749
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. "Trace" is a technique for a user to request internal information about tc Server. This is useful during product development, but should not be enabled in production. Allowing an attacker to conduct a Trace operation against tc Server will expose information that would be useful to perform a more targeted attack. tc Server provides the allowTrace parameter as a means to disable responding to Trace requests.
Checks: C-44067r674244_chk

At the command prompt, execute the following command:

grep allowTrace /etc/vco/app-server/server.xml

If "allowTrace" is set to "true", this is a finding.

Note: If no line is returned, this is NOT a finding.

Fix: F-44026r674245_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate 'allowTrace="true"'. Remove the 'allowTrace="true"' setting.

tc Server VCAC must have the allowTrace parameter set to false.
SI-11 - Medium - CCI-001312 - V-240835 - SV-240835r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000670
Vuln IDs
  • V-240835
  • V-90101
Rule IDs
  • SV-240835r879655_rule
  • SV-100751
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. "Trace" is a technique for a user to request internal information about tc Server. This is useful during product development, but should not be enabled in production. Allowing an attacker to conduct a Trace operation against tc Server will expose information that would be useful to perform a more targeted attack. tc Server provides the allowTrace parameter as a means to disable responding to Trace requests.
Checks: C-44068r674247_chk

At the command prompt, execute the following command:

grep allowTrace /etc/vcac/server.xml

If "allowTrace" is set to "true", this is a finding.

Note: If no line is returned, this is NOT a finding.

Fix: F-44027r674248_fix

Navigate to and open /etc/vcac/server.xml. Navigate to and locate 'allowTrace="true"'. Remove the 'allowTrace="true"' setting.

tc Server HORIZON must have the debug option turned off.
SI-11 - Medium - CCI-001312 - V-240836 - SV-240836r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000675
Vuln IDs
  • V-240836
  • V-90103
Rule IDs
  • SV-240836r879655_rule
  • SV-100753
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. As a Tomcat derivative, tc Server can be configured to set the debugging level. By setting the debugging level to zero (0), no debugging information will be provided to a malicious user. This provides a layer of defense to vRA.
Checks: C-44069r674250_chk

At the command prompt, execute the following command:

grep -En -A 2 -B 1 '<param-name>debug</param-name>' /opt/vmware/horizon/workspace/conf/web.xml

If any instance of the debug parameter is not set to "0", this is a finding.

Fix: F-44028r674251_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Locate every <init-param> whose <param-name> is "debug" and whose <param-value> is not "0". Set the <param-value> to "0" in each of them.

Note: Each debug setting should look like the following:

<init-param>
  <param-name>debug</param-name>
  <param-value>0</param-value>
</init-param>

tc Server VCO must have the debug option turned off.
SI-11 - Medium - CCI-001312 - V-240837 - SV-240837r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000680
Vuln IDs
  • V-240837
  • V-90105
Rule IDs
  • SV-240837r879655_rule
  • SV-100755
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. As a Tomcat derivative, tc Server can be configured to set the debugging level. By setting the debugging level to zero (0), no debugging information will be provided to a malicious user. This provides a layer of defense to vRA.
Checks: C-44070r674253_chk

At the command prompt, execute the following command:

grep -En -A 2 -B 1 '<param-name>debug</param-name>' /etc/vco/app-server/web.xml

If any instance of the debug parameter is not set to "0", this is a finding.

Fix: F-44029r674254_fix

Navigate to and open /etc/vco/app-server/web.xml. Locate every <init-param> whose <param-name> is "debug" and whose <param-value> is not "0". Set the <param-value> to "0" in each of them.

Note: Each debug setting should look like the following:

<init-param>
  <param-name>debug</param-name>
  <param-value>0</param-value>
</init-param>

tc Server VCAC must have the debug option turned off.
SI-11 - Medium - CCI-001312 - V-240838 - SV-240838r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-TC-000685
Vuln IDs
  • V-240838
  • V-90107
Rule IDs
  • SV-240838r879655_rule
  • SV-100757
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. As a Tomcat derivative, tc Server can be configured to set the debugging level. By setting the debugging level to zero (0), no debugging information will be provided to a malicious user. This provides a layer of defense to vRA.
Checks: C-44071r674256_chk

At the command prompt, execute the following command:

grep -En -A 2 -B 1 '<param-name>debug</param-name>' /etc/vcac/web.xml

If any instance of the debug parameter is not set to "0", this is a finding.

Fix: F-44030r674257_fix

Navigate to and open /etc/vcac/web.xml. Locate every <init-param> whose <param-name> is "debug" and whose <param-value> is not "0". Set the <param-value> to "0" in each of them.

Note: Each debug setting should look like the following:

<init-param>
  <param-name>debug</param-name>
  <param-value>0</param-value>
</init-param>

tc Server HORIZON must set an inactive timeout for sessions.
AC-12 - Medium - CCI-002361 - V-240839 - SV-240839r879673_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
VRAU-TC-000695
Vuln IDs
  • V-240839
  • V-90109
Rule IDs
  • SV-240839r879673_rule
  • SV-100759
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. tc Server provides a session timeout parameter in the web.xml configuration file.
Checks: C-44072r674259_chk

At the command prompt, execute the following command:

grep session-timeout /opt/vmware/horizon/workspace/conf/web.xml

If the value of <session-timeout> is not "30" or is missing, this is a finding.

Fix: F-44031r674260_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.

tc Server VCO must set an inactive timeout for sessions.
AC-12 - Medium - CCI-002361 - V-240840 - SV-240840r879673_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
VRAU-TC-000700
Vuln IDs
  • V-240840
  • V-90111
Rule IDs
  • SV-240840r879673_rule
  • SV-100761
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. tc Server provides a session timeout parameter in the web.xml configuration file.
Checks: C-44073r674262_chk

At the command prompt, execute the following command:

grep session-timeout /etc/vco/app-server/web.xml

If the value of <session-timeout> is not "30" or is missing, this is a finding.

Fix: F-44032r674263_fix

Navigate to and open /etc/vco/app-server/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.

tc Server VCAC must set an inactive timeout for sessions.
AC-12 - Medium - CCI-002361 - V-240841 - SV-240841r879673_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
VRAU-TC-000705
Vuln IDs
  • V-240841
  • V-90113
Rule IDs
  • SV-240841r879673_rule
  • SV-100763
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. tc Server provides a session timeout parameter in the web.xml configuration file.
Checks: C-44074r674265_chk

At the command prompt, execute the following command:

grep session-timeout /etc/vcac/web.xml

If the value of <session-timeout> is not "30" or is missing, this is a finding.

Fix: F-44033r674266_fix

Navigate to and open /etc/vcac/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.

tc Server ALL must be configured to the correct user authentication source.
AC-17 - High - CCI-002314 - V-240842 - SV-240842r879692_rule
RMF Control
AC-17
Severity
High
CCI
CCI-002314
Version
VRAU-TC-000710
Vuln IDs
  • V-240842
  • V-90115
Rule IDs
  • SV-240842r879692_rule
  • SV-100765
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. vRealize Automation can be configured with a variety of authentication sources. Site policies and procedures will dictate the appropriate authentication mechanism.
Checks: C-44075r854844_chk

Obtain the correct configuration data for the Authentication Source from the ISSO. Open a web browser, and type in the vRA URL.

1. Log on to the Tenant Administration Portal.
2. Click on Administration >> Directories Management.
3. Click on "Policies".
4. Click on the "Policy Set" link.
5. Verify that User Authentication is configured correctly.

If the Authentication Source is not configured in accordance with site policy, this is a finding.

Fix: F-44034r674269_fix

Obtain the correct configuration data for the Authentication Source from the ISSO. Open a web browser, and type in the vRA URL.

1. Log on to the Tenant Administration Portal.
2. Click on Administration >> Directories Management.
3. Click on "Policies".
4. Click on the "Policy Set" link.
5. Modify the Authentication Source in accordance with site policy.

tc Server HORIZON must be configured to use the https scheme.
AC-17 - Medium - CCI-002314 - V-240843 - SV-240843r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
VRAU-TC-000715
Vuln IDs
  • V-240843
  • V-90117
Rule IDs
  • SV-240843r879692_rule
  • SV-100767
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the Connector object class. By configuring external Connector objects to use the HTTPS scheme, vRA's information in flight will be protected.
Checks: C-44076r674271_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "scheme" is not set to "https" or is missing, this is a finding.

Fix: F-44035r674272_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'scheme="https"'.

tc Server VCAC must be configured to use the https scheme.
AC-17 - Medium - CCI-002314 - V-240844 - SV-240844r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
VRAU-TC-000720
Vuln IDs
  • V-240844
  • V-90119
Rule IDs
  • SV-240844r879692_rule
  • SV-100769
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the Connector object class. By configuring external Connector objects to use the HTTPS scheme, vRA's information in flight will be protected.
Checks: C-44077r674274_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "scheme" is not set to "https" or is missing, this is a finding.

Fix: F-44036r674275_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'scheme="https"'.
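The web.xml and server.xml checks in the rules above (setCharacterEncodingFilter, welcome-file, debug level, session timeout, allowTrace and the HTTPS scheme) are each a grep against one file. The script below is an added example, not part of the STIG or of VMware's product, that runs all of them against a given web.xml and server.xml and reports PASS or FINDING per rule; it strips XML comments first, so a commented-out filter is treated as missing, as the check text requires, and it handles a <Connector> whose attributes span several lines. The sample files it writes are constructed for the demonstration and are not taken from a real appliance.

```shell
#!/bin/sh
# Added example, not part of the STIG or of VMware's product: applies the
# grep-style checks from the web.xml and server.xml rules and reports each as
# PASS or FINDING. Every check_* function takes a file path and returns 0 when
# the rule is met, 1 when it would be a finding. make_samples writes files
# constructed here for demonstration only.

# Drop XML comments (including multi-line ones) so a commented-out element is
# not counted as configured; the regex matches any comment body without "--".
strip_comments() {
  awk '{ buf = buf $0 "\n" }
       END { gsub(/<!--([^-]|-[^-])*-->/, "", buf); printf "%s", buf }' "$1"
}

# VRAU-TC-000635: the setCharacterEncodingFilter filter must be declared.
check_encoding_filter() {
  strip_comments "$1" | grep -q '<filter-name>setCharacterEncodingFilter</filter-name>'
}

# VRAU-TC-000640/645/650: at least one non-empty <welcome-file> entry.
check_welcome_file() {
  strip_comments "$1" | grep -q '<welcome-file>[^<][^<]*</welcome-file>'
}

# VRAU-TC-000675/680/685: every debug init-param must carry <param-value>0
# (assumes <param-value> follows <param-name> on a later line, as in the rule).
check_debug_off() {
  strip_comments "$1" | awk '
    /<param-name>debug<\/param-name>/ { want = 1; next }
    want && /<param-value>/ { if ($0 !~ /<param-value>0<\/param-value>/) bad++; want = 0 }
    END { exit (bad > 0) }'
}

# VRAU-TC-000695/700/705: <session-timeout> present and every value exactly 30.
check_session_timeout() {
  strip_comments "$1" |
    sed -n 's/.*<session-timeout>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*<\/session-timeout>.*/\1/p' |
    awk '{ n++; if ($1 != "30") bad++ } END { exit (n == 0 || bad > 0) }'
}

# VRAU-TC-000660/665/670: allowTrace="true" must not appear anywhere.
check_allow_trace() {
  ! grep -q 'allowTrace="true"' "$1"
}

# VRAU-TC-000715/720: every <Connector> start tag must carry scheme="https".
check_https_scheme() {
  strip_comments "$1" | awk '{ buf = buf $0 " " }
    END {
      while (match(buf, /<Connector[^>]*>/)) {
        tag = substr(buf, RSTART, RLENGTH); n++
        if (tag !~ /scheme="https"/) bad++
        buf = substr(buf, RSTART + RLENGTH)
      }
      exit (n == 0 || bad > 0)
    }'
}

# Run every check ($1 = web.xml, $2 = server.xml); returns the number of findings.
audit() {
  findings=0
  for c in check_encoding_filter check_welcome_file check_debug_off check_session_timeout; do
    if "$c" "$1"; then echo "PASS    $c"; else echo "FINDING $c"; findings=$((findings + 1)); fi
  done
  for c in check_allow_trace check_https_scheme; do
    if "$c" "$2"; then echo "PASS    $c"; else echo "FINDING $c"; findings=$((findings + 1)); fi
  done
  return "$findings"
}

# Constructed samples: the good pair satisfies every rule; the bad pair fails every
# rule (filter commented out, debug=1, timeout 60, empty welcome list, allowTrace="true",
# second Connector without scheme="https").
make_samples() {
  cat > "$1/good-web.xml" <<'EOF'
<web-app><filter><filter-name>setCharacterEncodingFilter</filter-name></filter>
  <init-param><param-name>debug</param-name>
    <param-value>0</param-value></init-param>
  <session-config><session-timeout>30</session-timeout></session-config>
  <welcome-file-list><welcome-file>index.html</welcome-file></welcome-file-list></web-app>
EOF
  cat > "$1/bad-web.xml" <<'EOF'
<web-app><!-- disabled:
  <filter><filter-name>setCharacterEncodingFilter</filter-name></filter> -->
  <init-param><param-name>debug</param-name>
    <param-value>1</param-value></init-param>
  <session-config><session-timeout>60</session-timeout></session-config>
  <welcome-file-list></welcome-file-list></web-app>
EOF
  printf '%s\n' '<Server><Connector port="8443" scheme="https" secure="true"/></Server>' > "$1/good-server.xml"
  cat > "$1/bad-server.xml" <<'EOF'
<Server><Connector port="8443" scheme="https" allowTrace="true"/>
  <Connector port="8080"
             connectionTimeout="20000"/></Server>
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
audit "$dir/good-web.xml" "$dir/good-server.xml" || true
audit "$dir/bad-web.xml" "$dir/bad-server.xml" || true
rm -rf "$dir"
```

To audit a real node, call audit with the two paths the rule names for that component, for example audit /etc/vcac/web.xml /etc/vcac/server.xml; the exit status is the number of findings, so it can gate a configuration-management run.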

tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
AU-4 - Medium - CCI-001849 - V-240845 - SV-240845r879730_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
VRAU-TC-000740
Vuln IDs
  • V-240845
  • V-90121
Rule IDs
  • SV-240845r879730_rule
  • SV-100771
In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity. The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.
Checks: C-44078r674277_chk

Interview the ISSO. Determine if tc Server ALL is using a logging mechanism that is configured to have a capacity large enough to accommodate logging requirements. If the logging mechanism does not have sufficient capacity, this is a finding.

Fix: F-44037r674278_fix

Configure the web server to use a logging mechanism that is configured to allocate log record storage capacity in accordance with NIST SP 800-92 log record storage requirements.

tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
AU-4 - Medium - CCI-001851 - V-240846 - SV-240846r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VRAU-TC-000750
Vuln IDs
  • V-240846
  • V-90349
Rule IDs
  • SV-240846r879731_rule
  • SV-100999
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. Log files must be periodically moved from the web server to a permanent storage location. This serves two beneficial purposes. First, the web server's resources are freed up for production. Also, this ensures that the site has, and enforces, policies designed to preserve the integrity of historical logs.
Checks: C-44079r854849_chk

Interview the ISSO. Review the site policy for moving log files from the web server to a permanent repository. Ensure that log files are being moved from the web server in accordance with the site policy. If the site does not have a policy for periodically moving log files to an archive repository or such policy is not being enforced, this is a finding.

Fix: F-44038r674281_fix

Develop and enforce a site procedure for moving log files periodically from the web server to a permanent repository in accordance with site retention policies.

tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
AU-5 - Medium - CCI-001855 - V-240847 - SV-240847r879732_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
VRAU-TC-000755
Vuln IDs
  • V-240847
  • V-90123
Rule IDs
  • SV-240847r879732_rule
  • SV-100773
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. If log capacity were to be exceeded, then events subsequently occurring would not be recorded. Organizations must define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., web server has exceeded 75% of log storage capacity allocated), at which time the web server or the logging mechanism the web server utilizes will provide a warning to the ISSO and SA at a minimum. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.
Checks: C-44080r854851_chk

Interview the ISSO. Review site documentation and system configuration. Determine if the system has a logging mechanism that will provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. If such an alert mechanism is not in use, this is a finding.

Fix: F-44039r674284_fix

Configure the tc Server ALL logging mechanism to alert the ISSO / SA when the logs have reached 75% of storage capacity.

tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-240848 - SV-240848r879747_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
VRAU-TC-000760
Vuln IDs
  • V-240848
  • V-90125
Rule IDs
  • SV-240848r879747_rule
  • SV-100775
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as the AccessLogValve can be inserted into the request processing pipeline to capture user interaction. The AccessLogValve creates log files in the same format as those created by standard web servers, including the GMT offset.
Checks: C-44081r854853_chk

At the command prompt, execute the following command:

tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt

If the timestamp does not contain a time zone mapping, this is a finding.

Note: Substitute the actual date in the file name.

Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The +0000 part is the time zone mapping.

Fix: F-44040r674287_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b".

Note: The <Valve> node should be configured per the following:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-240849 - SV-240849r879747_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
VRAU-TC-000765
Vuln IDs
  • V-240849
  • V-90127
Rule IDs
  • SV-240849r879747_rule
  • SV-100777
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as the AccessLogValve can be inserted into the request processing pipeline to capture user interaction. The AccessLogValve creates log files in the same format as those created by standard web servers, including the GMT offset.
Checks: C-44082r854855_chk

At the command prompt, execute the following command:

tail /storage/log/vmware/vco/app-server/localhost_access_log.txt

If the timestamp does not contain a time zone mapping, this is a finding.

Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The +0000 part is the time zone mapping.

Fix: F-44041r674290_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b".

Note: The <Valve> node should be configured per the following:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-240850 - SV-240850r879747_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
VRAU-TC-000770
Vuln IDs
  • V-240850
  • V-90129
Rule IDs
  • SV-240850r879747_rule
  • SV-100779
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as the AccessLogValve can be inserted into the request processing pipeline to capture user interaction. The Access Log Valve creates log files in the same format as those created by standard web servers, including the GMT offset.
Checks: C-44083r854857_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The +0000 part is the time zone mapping.

Fix: F-44042r674293_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b". Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON must record time stamps for log records to a minimum granularity of one second.
AU-8 - Medium - CCI-001889 - V-240851 - SV-240851r879748_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
VRAU-TC-000775
Vuln IDs
  • V-240851
  • V-90131
Rule IDs
  • SV-240851r879748_rule
  • SV-100781
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as the AccessLogValve can be inserted into the request processing pipeline to capture user interaction. The Access Log Valve should be configured to ensure that investigators have sufficient information to conduct an appropriate audit.
Checks: C-44084r854859_chk

At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The "57" part is the "seconds" part of the timestamp.

Fix: F-44043r674296_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b". Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCO must record time stamps for log records to a minimum granularity of one second.
AU-8 - Medium - CCI-001889 - V-240852 - SV-240852r879748_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
VRAU-TC-000780
Vuln IDs
  • V-240852
  • V-90133
Rule IDs
  • SV-240852r879748_rule
  • SV-100783
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as the AccessLogValve can be inserted into the request processing pipeline to capture user interaction. The Access Log Valve should be configured to ensure that investigators have sufficient information to conduct an appropriate audit.
Checks: C-44085r854861_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The "57" part is the "seconds" part of the timestamp.

Fix: F-44044r674299_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b". Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

b
tc Server VCAC must record time stamps for log records to a minimum granularity of one second.
AU-8 - Medium - CCI-001889 - V-240853 - SV-240853r879748_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
VRAU-TC-000785
Vuln IDs
  • V-240853
  • V-90135
Rule IDs
  • SV-240853r879748_rule
  • SV-100785
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as the AccessLogValve can be inserted into the request processing pipeline to capture user interaction. The Access Log Valve should be configured to ensure that investigators have sufficient information to conduct an appropriate audit.
Checks: C-44086r854863_chk

At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The "57" part is the "seconds" part of the timestamp.
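Both timestamp checks in this group (the UTC/GMT time zone mapping in VRAU-TC-000765/000770 and the one-second granularity in VRAU-TC-000775/000780/000785) can be run over an access log with the following POSIX shell function. This is an added example and not part of the STIG; the function name check_clf_timestamps is assumed and the log records it reads are constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit a tc Server access log written with
# pattern="%h %l %u %t &quot;%r&quot; %s %b" for Common Log Format timestamps that
# carry a UTC offset (CCI-001890) and seconds (CCI-001889).

# check_clf_timestamps LOGFILE
# Returns 0 when every non-empty line has a timestamp such as
# [06/Feb/2016:23:12:57 +0000]; otherwise prints one FINDING line per
# offending record and returns 1 (2 if the file cannot be read).
check_clf_timestamps() {
    logfile="$1"
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 2; }
    # Full CLF timestamp: seconds present and a numeric time zone offset.
    full='\[[0-9]{2}/[A-Za-z]{3}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\]'
    # Seconds present but no offset: fails the UTC/GMT mapping requirement.
    no_tz='\[[0-9]{2}/[A-Za-z]{3}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2}\]'
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if printf '%s\n' "$line" | grep -Eq "$full"; then
            continue
        elif printf '%s\n' "$line" | grep -Eq "$no_tz"; then
            echo "FINDING (no time zone mapping): $line"
        else
            # Anything else lacks the seconds field or is not a CLF timestamp at all.
            echo "FINDING (no one-second granularity): $line"
        fi
        rc=1
    done < "$logfile"
    return $rc
}

# Constructed sample records (not captured from a real vRA appliance).
GOOD_LOG=$(mktemp)
BAD_LOG=$(mktemp)
cat > "$GOOD_LOG" <<'EOF'
10.0.0.5 - - [06/Feb/2016:23:12:57 +0000] "GET /vcac/ HTTP/1.1" 200 1234
10.0.0.7 - - [06/Feb/2016:18:13:02 -0500] "POST /SAAS/auth/login HTTP/1.1" 302 0
EOF
cat > "$BAD_LOG" <<'EOF'
10.0.0.5 - - [06/Feb/2016:23:12:57] "GET /vcac/ HTTP/1.1" 200 1234
10.0.0.7 - - [06/Feb/2016:23:13 +0000] "POST /SAAS/auth/login HTTP/1.1" 302 0
EOF

check_clf_timestamps "$GOOD_LOG" && echo "$GOOD_LOG: compliant"
check_clf_timestamps "$BAD_LOG" || echo "$BAD_LOG: findings listed above"
```

Point the function at the real file named in the check (for example /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt with the date substituted) to audit a live log; any FINDING line is a finding for the corresponding rule.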

Fix: F-44045r674302_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b". Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>

b
tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users.
CM-5 - Medium - CCI-001813 - V-240854 - SV-240854r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VRAU-TC-000790
Vuln IDs
  • V-240854
  • V-90137
Rule IDs
  • SV-240854r879753_rule
  • SV-100787
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.
Checks: C-44087r674304_chk

At the command prompt, execute the following command: ls -alR /opt/vmware/horizon/workspace /opt/vmware/horizon/workspace/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44046r674305_fix

Remove all world permissions from any listed file with the following command: chmod -R o-rwx /opt/vmware/horizon/workspace /opt/vmware/horizon/workspace/webapps

b
tc Server VCO application, libraries, and configuration files must only be accessible to privileged users.
CM-5 - Medium - CCI-001813 - V-240855 - SV-240855r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VRAU-TC-000795
Vuln IDs
  • V-240855
  • V-90139
Rule IDs
  • SV-240855r879753_rule
  • SV-100789
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.
Checks: C-44088r674307_chk

At the command prompt, execute the following command: ls -alR /usr/lib/vco/configuration/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44047r674308_fix

Remove all world permissions from any listed file with the following command: chmod -R o-rwx /usr/lib/vco/configuration/webapps

b
tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users.
CM-5 - Medium - CCI-001813 - V-240856 - SV-240856r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VRAU-TC-000800
Vuln IDs
  • V-240856
  • V-90141
Rule IDs
  • SV-240856r879753_rule
  • SV-100791
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.
Checks: C-44089r674310_chk

At the command prompt, execute the following command: ls -alR /etc/vcac /usr/lib/vcac/server/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44048r674311_fix

Remove all world permissions from any listed file with the following command: chmod -R o-rwx /etc/vcac /usr/lib/vcac/server/webapps

b
tc Server HORIZON must be configured with the appropriate ports.
CM-7 - Medium - CCI-001762 - V-240857 - SV-240857r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
VRAU-TC-000805
Vuln IDs
  • V-240857
  • V-90143
Rule IDs
  • SV-240857r879756_rule
  • SV-100793
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too insecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too insecure, or are prohibited by the PPSM CAL and vulnerability assessments. An essential configuration file for tc Server is catalina.properties. The ports on which tc Server listens are configured in that file.
Checks: C-44090r854868_chk

At the command prompt, execute the following command: cat /opt/vmware/horizon/workspace/conf/catalina.properties | grep -E '\.port'
Review the listed ports. Verify that they match the list below of tc Server HORIZON ports.
base.shutdown.port=-1
base.jmx.port=6969
bio-ssl.https.port=6443
If the displayed ports do not match the above list of ports, this is a finding.

Fix: F-44049r674314_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the ports specification section. Set the tc Server HORIZON port specifications according to the list below:
base.shutdown.port=-1
base.jmx.port=6969
bio-ssl.https.port=6443

b
tc Server VCO must be configured with the appropriate ports.
CM-7 - Medium - CCI-001762 - V-240858 - SV-240858r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
VRAU-TC-000810
Vuln IDs
  • V-240858
  • V-90145
Rule IDs
  • SV-240858r879756_rule
  • SV-100795
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too insecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too insecure, or are prohibited by the PPSM CAL and vulnerability assessments. An essential configuration file for tc Server is catalina.properties. The ports on which tc Server listens are configured in that file.
Checks: C-44091r854870_chk

At the command prompt, execute the following command: cat /etc/vco/app-server/catalina.properties | grep -E '\.port'
Review the listed ports. Verify that they match the list below of tc Server VCO ports.
ch.dunes.http-server.port=8280
ch.dunes.https-server.port=8281
If the displayed ports do not match the above list of ports, this is a finding.

Fix: F-44050r674317_fix

Navigate to and open /etc/vco/app-server/catalina.properties. Navigate to the ports specification section. Set the tc Server VCO port specifications according to the list below:
ch.dunes.http-server.port=8280
ch.dunes.https-server.port=8281

b
tc Server VCAC must be configured with the appropriate ports.
CM-7 - Medium - CCI-001762 - V-240859 - SV-240859r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
VRAU-TC-000815
Vuln IDs
  • V-240859
  • V-90147
Rule IDs
  • SV-240859r879756_rule
  • SV-100797
Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too insecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too insecure, or are prohibited by the PPSM CAL and vulnerability assessments. An essential configuration file for tc Server is catalina.properties. The ports on which tc Server listens are configured in that file.
Checks: C-44092r854872_chk

At the command prompt, execute the following command: cat /etc/vcac/catalina.properties | grep -E '\.port'
Review the listed ports. Verify that they match the list below of tc Server VCAC ports.
base.shutdown.port=-1
base.jmx.port=6969
ajp.http.port=8009
ajp.https.port=8443
If the displayed ports do not match the above list of ports, this is a finding.

Fix: F-44051r674320_fix

Navigate to and open /etc/vcac/catalina.properties. Navigate to the ports specification section. Set the tc Server VCAC port specifications according to the list below:
base.shutdown.port=-1
base.jmx.port=6969
ajp.http.port=8009
ajp.https.port=8443
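The port checks for HORIZON, VCO and VCAC (VRAU-TC-000805/000810/000815) all reduce to comparing the ".port" entries in a catalina.properties file with a fixed expected list, and reporting both wrong-valued or extra entries and missing ones. The following POSIX shell function does that comparison; it is an added example and not part of the STIG, the function name check_ports is assumed, and the properties files it reads are constructed fragments rather than real vRA files.

```shell
#!/bin/sh
# Added example, not part of the STIG: compare the ".port" settings in a
# catalina.properties file with the expected list for one tc Server component
# (here the VCAC list from VRAU-TC-000815). Comments and whitespace are ignored,
# so "base.jmx.port = 6969" and "base.jmx.port=6969" are treated as equal.

# check_ports PROPERTIES_FILE EXPECTED_LIST
# EXPECTED_LIST is a newline-separated key=value string. Returns 0 on an exact
# match; otherwise prints each unexpected (extra or wrong-valued) and each
# missing setting as a FINDING line and returns 1 (2 if the file is unreadable).
check_ports() {
    props="$1"
    expected="$2"
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 2; }
    # Normalize both sides: strip whitespace, drop comment lines, keep *.port=*.
    actual=$(sed -e 's/[[:space:]]//g' -e '/^[#!]/d' "$props" | grep -E '\.port=' | sort -u)
    want=$(printf '%s\n' "$expected" | sed -e 's/[[:space:]]//g' | grep -E '\.port=' | sort -u)
    [ "$actual" = "$want" ] && return 0
    tmp_a=$(mktemp); tmp_w=$(mktemp)
    printf '%s\n' "$actual" | grep . > "$tmp_a" || true
    printf '%s\n' "$want" | grep . > "$tmp_w" || true
    # comm -23: only in the file; comm -13: only in the expected list.
    comm -23 "$tmp_a" "$tmp_w" | sed 's/^/FINDING unexpected: /'
    comm -13 "$tmp_a" "$tmp_w" | sed 's/^/FINDING missing: /'
    rm -f "$tmp_a" "$tmp_w"
    return 1
}

# Expected VCAC ports, taken from the STIG check text.
VCAC_PORTS='base.shutdown.port=-1
base.jmx.port=6969
ajp.http.port=8009
ajp.https.port=8443'

# Constructed catalina.properties fragments (not real vRA files).
GOOD_PROPS=$(mktemp)
BAD_PROPS=$(mktemp)
cat > "$GOOD_PROPS" <<'EOF'
# constructed: compliant port section
base.shutdown.port=-1
base.jmx.port = 6969
ajp.http.port=8009
ajp.https.port=8443
EOF
cat > "$BAD_PROPS" <<'EOF'
# constructed: shutdown port left enabled and an extra listener added
base.shutdown.port=8005
base.jmx.port=6969
ajp.http.port=8009
ajp.https.port=8443
bio-custom.http.port=8080
EOF

check_ports "$GOOD_PROPS" "$VCAC_PORTS" && echo "$GOOD_PROPS: ports match"
check_ports "$BAD_PROPS" "$VCAC_PORTS" || echo "$BAD_PROPS: findings listed above"
```

For the other components, pass /opt/vmware/horizon/workspace/conf/catalina.properties or /etc/vco/app-server/catalina.properties together with the HORIZON or VCO list from the corresponding check.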

b
tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SC-13 - Medium - CCI-002450 - V-240860 - SV-240860r879944_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VRAU-TC-000820
Vuln IDs
  • V-240860
  • V-90149
Rule IDs
  • SV-240860r879944_rule
  • SV-100799
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.
Checks: C-44093r854874_chk

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "bio-ssl.cipher.list" does not match the list of NSA Suite A ciphers or is missing, this is a finding.

Fix: F-44052r674323_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the "bio-ssl.cipher.list" setting. Configure "bio-ssl.cipher.list" with a list of NSA Suite A ciphers.

b
tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SC-13 - Medium - CCI-002450 - V-240861 - SV-240861r879944_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VRAU-TC-000825
Vuln IDs
  • V-240861
  • V-90151
Rule IDs
  • SV-240861r879944_rule
  • SV-100801
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.
Checks: C-44094r854876_chk

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep cipher /etc/vcac/catalina.properties If the value of "cipher" does not match the list of NSA Suite A ciphers or is missing, this is a finding.

Fix: F-44053r674326_fix

Navigate to and open /etc/vcac/catalina.properties. Navigate to and locate "cipher". Configure the "cipher" with NSA Suite A ciphers.

b
tc Server HORIZON must disable the shutdown port.
SC-5 - Medium - CCI-002385 - V-240862 - SV-240862r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VRAU-TC-000840
Vuln IDs
  • V-240862
  • V-90153
Rule IDs
  • SV-240862r879806_rule
  • SV-100803
An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shutdown port. If enabled, a shutdown signal can be sent to tc Server through this port. To ensure availability, the shutdown port should be disabled.
Checks: C-44095r674328_chk

At the command prompt, execute the following command: grep base.shutdown.port /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.

Fix: F-44054r674329_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting "base.shutdown.port=-1" to the "catalina.properties" file.

b
tc Server VCO must disable the shutdown port.
SC-5 - Medium - CCI-002385 - V-240863 - SV-240863r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VRAU-TC-000845
Vuln IDs
  • V-240863
  • V-90155
Rule IDs
  • SV-240863r879806_rule
  • SV-100805
An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shutdown port. If enabled, a shutdown signal can be sent to tc Server through this port. To ensure availability, the shutdown port should be disabled.
Checks: C-44096r674331_chk

At the command prompt, execute the following command: grep shutdown /etc/vco/app-server/server.xml If the value of "shutdown" is not set to "-1" or is missing, this is a finding.

Fix: F-44055r674332_fix

Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Server> node. Add the attribute 'port="-1"' to the <Server> node in the "server.xml" file.

b
tc Server VCAC must disable the shutdown port.
SC-5 - Medium - CCI-002385 - V-240864 - SV-240864r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VRAU-TC-000850
Vuln IDs
  • V-240864
  • V-90157
Rule IDs
  • SV-240864r879806_rule
  • SV-100807
An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shutdown port. If enabled, a shutdown signal can be sent to tc Server through this port. To ensure availability, the shutdown port should be disabled.
Checks: C-44097r674334_chk

At the command prompt, execute the following command: grep base.shutdown.port /etc/vcac/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.

Fix: F-44056r674335_fix

Navigate to and open /etc/vcac/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting "base.shutdown.port=-1" to the "catalina.properties" file.

b
tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-240865 - SV-240865r928837_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000860
Vuln IDs
  • V-240865
  • V-90159
Rule IDs
  • SV-240865r928837_rule
  • SV-100809
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use modern, secure forms of transport encryption.
Checks: C-44098r674337_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.

Fix: F-44057r674338_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslProtocol="TLS"'.

b
tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-240866 - SV-240866r928837_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000865
Vuln IDs
  • V-240866
  • V-90161
Rule IDs
  • SV-240866r928837_rule
  • SV-100811
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use modern, secure forms of transport encryption.
Checks: C-44099r674340_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.

Fix: F-44058r674341_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslProtocol="TLS"'.

b
tc Server HORIZON session IDs must be sent to the client using SSL/TLS.
SC-8 - Medium - CCI-002418 - V-240867 - SV-240867r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000870
Vuln IDs
  • V-240867
  • V-90163
Rule IDs
  • SV-240867r879810_rule
  • SV-100813
The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use modern, secure forms of transport encryption.
Checks: C-44100r674343_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.

Fix: F-44059r674344_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslProtocol="TLS"'.

b
tc Server VCAC session IDs must be sent to the client using SSL/TLS.
SC-8 - Medium - CCI-002418 - V-240868 - SV-240868r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000875
Vuln IDs
  • V-240868
  • V-90165
Rule IDs
  • SV-240868r879810_rule
  • SV-100815
The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use modern, secure forms of transport encryption.
Checks: C-44101r674346_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.

Fix: F-44060r674347_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslProtocol="TLS"'.

b
tc Server HORIZON must set the useHttpOnly parameter.
SC-8 - Medium - CCI-002418 - V-240869 - SV-240869r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000885
Vuln IDs
  • V-240869
  • V-90167
Rule IDs
  • SV-240869r879810_rule
  • SV-100817
A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., the HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. As a Tomcat derivative, tc Server contains a Context object, which represents a web application running within a particular virtual host. One of the configurable parameters of the Context object will prevent the tc Server cookies from being accessed by JavaScript from another site.
Checks: C-44102r674349_chk

At the command prompt, execute the following command: grep useHttpOnly /opt/vmware/horizon/workspace/conf/context.xml If the value of "useHttpOnly" is not set to "true" or is missing, this is a finding.

Fix: F-44061r674350_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the following: <Context useHttpOnly="true">

b
tc Server VCO must set the useHttpOnly parameter.
SC-8 - Medium - CCI-002418 - V-240870 - SV-240870r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000890
Vuln IDs
  • V-240870
  • V-90169
Rule IDs
  • SV-240870r879810_rule
  • SV-100819
A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., the HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. As a Tomcat derivative, tc Server contains a Context object, which represents a web application running within a particular virtual host. One of the configurable parameters of the Context object will prevent the tc Server cookies from being accessed by JavaScript from another site.
Checks: C-44103r674352_chk

At the command prompt, execute the following command: grep useHttpOnly /etc/vco/app-server/context.xml If the value of "useHttpOnly" is not set to "true" or is missing, this is a finding.

Fix: F-44062r674353_fix

Navigate to and open /etc/vco/app-server/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the following: <Context useHttpOnly="true">

tc Server VCAC must set the useHttpOnly parameter.
SC-8 - Medium - CCI-002418 - V-240871 - SV-240871r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000895
Vuln IDs
  • V-240871
  • V-90171
Rule IDs
  • SV-240871r879810_rule
  • SV-100821
A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. As a Tomcat derivative, tc Server contains a Context object, which represents a web application running within a particular virtual host. One of the configurable parameters of the Context object will prevent the tc Server cookies from being accessed by JavaScript from another site.
Checks: C-44104r674355_chk

At the command prompt, execute the following command: grep useHttpOnly /etc/vcac/context.xml If the value of "useHttpOnly" is not set to "true" or is missing, this is a finding.

Fix: F-44063r674356_fix

Navigate to and open /etc/vcac/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the following: <Context useHttpOnly="true">

tc Server HORIZON must set the secure flag for cookies.
SC-8 - Medium - CCI-002418 - V-240872 - SV-240872r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000900
Vuln IDs
  • V-240872
  • V-90173
Rule IDs
  • SV-240872r879810_rule
  • SV-100823
Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure the secure attribute for the session cookie; this is done by applying the correct configuration in web.xml.
Checks: C-44105r674358_chk

At the command prompt, execute the following command: grep -E '<secure>' /opt/vmware/horizon/workspace/conf/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix: F-44064r674359_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per the following: <cookie-config> <secure>true</secure> </cookie-config>

tc Server VCO must set the secure flag for cookies.
SC-8 - Medium - CCI-002418 - V-240873 - SV-240873r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000905
Vuln IDs
  • V-240873
  • V-90175
Rule IDs
  • SV-240873r879810_rule
  • SV-100825
Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure the secure attribute for the session cookie; this is done by applying the correct configuration in web.xml.
Checks: C-44106r674361_chk

At the command prompt, execute the following command: grep -E '<secure>' /etc/vco/app-server/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix: F-44065r674362_fix

Navigate to and open /etc/vco/app-server/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per the following: <cookie-config> <secure>true</secure> </cookie-config>

tc Server VCAC must set the secure flag for cookies.
SC-8 - Medium - CCI-002418 - V-240874 - SV-240874r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000910
Vuln IDs
  • V-240874
  • V-90177
Rule IDs
  • SV-240874r879810_rule
  • SV-100827
Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure the secure attribute for the session cookie; this is done by applying the correct configuration in web.xml.
Checks: C-44107r674364_chk

At the command prompt, execute the following command: grep -E '<secure>' /etc/vcac/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix: F-44066r674365_fix

Navigate to and open /etc/vcac/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per the following: <cookie-config> <secure>true</secure> </cookie-config>
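The three useHttpOnly requirements and the three secure-flag requirements above all reduce to one attribute or one element in an XML file, so the following added Python audit (example code, not from the STIG or from VMware) parses context.xml and web.xml instead of grepping them and treats a missing setting as a finding exactly as the check text does. A parser also ignores a commented-out `<secure>true</secure>`, which `grep -E '<secure>'` would accept. The sample XML is constructed; the paths in STIG_FILES are the ones quoted in the checks. Tomcat has defaulted useHttpOnly to true since version 7, but the audit mirrors the STIG and requires the attribute to be stated explicitly.

```python
"""Added example: parse tc Server context.xml / web.xml for the cookie
hardening the STIG checks (useHttpOnly on <Context>, <secure> under
session-config/cookie-config). Not part of the STIG or of vRA."""
import xml.etree.ElementTree as ET

# Paths quoted in the STIG checks for each vRA component.
STIG_FILES = {
    "HORIZON": ("/opt/vmware/horizon/workspace/conf/context.xml",
                "/opt/vmware/horizon/workspace/conf/web.xml"),
    "VCO": ("/etc/vco/app-server/context.xml", "/etc/vco/app-server/web.xml"),
    "VCAC": ("/etc/vcac/context.xml", "/etc/vcac/web.xml"),
}


def _local(tag):
    """Drop a '{namespace}' prefix so web.xml parses whether or not it
    declares the Java EE default namespace."""
    return tag.rsplit("}", 1)[-1]


def check_use_http_only(context_xml):
    """True only if the root <Context> explicitly carries useHttpOnly="true".
    Tomcat 7+ defaults this to true, but the STIG wants it stated, so a
    missing attribute is reported as a finding."""
    root = ET.fromstring(context_xml)
    if _local(root.tag) != "Context":
        return False
    return root.get("useHttpOnly", "").strip().lower() == "true"


def check_secure_cookie(web_xml):
    """True only if session-config/cookie-config/secure reads 'true'."""
    root = ET.fromstring(web_xml)
    for session in root.iter():
        if _local(session.tag) != "session-config":
            continue
        for cookie in session:
            if _local(cookie.tag) != "cookie-config":
                continue
            for child in cookie:
                if _local(child.tag) == "secure":
                    return (child.text or "").strip().lower() == "true"
    return False


def audit_cookie_config(context_xml, web_xml):
    """Return STIG-style finding strings; an empty list means compliant."""
    findings = []
    if not check_use_http_only(context_xml):
        findings.append('context.xml: <Context> lacks useHttpOnly="true"')
    if not check_secure_cookie(web_xml):
        findings.append("web.xml: session-config/cookie-config/secure is not true")
    return findings


# Constructed samples (not copied from any vRA appliance).
SAMPLE_CONTEXT_OK = '<Context useHttpOnly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
SAMPLE_CONTEXT_BAD = '<Context><!-- useHttpOnly="true" --></Context>'
SAMPLE_WEB_OK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""
SAMPLE_WEB_BAD = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
  <!-- <cookie-config><secure>true</secure></cookie-config> satisfies grep but not the parser -->
</web-app>"""

if __name__ == "__main__":
    # Run against the appliance files named in the STIG and print one line per component.
    for component, (ctx_path, web_path) in STIG_FILES.items():
        try:
            with open(ctx_path) as ctx, open(web_path) as web:
                result = audit_cookie_config(ctx.read(), web.read())
        except OSError as exc:
            print(f"{component}: cannot read config: {exc}")
            continue
        print(f"{component}: {'compliant' if not result else '; '.join(result)}")
```

Run it as root on the appliance; it prints one line per component and non-zero findings read exactly like the STIG check text.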

tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SC-8 - High - CCI-002418 - V-240875 - SV-240875r879810_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
VRAU-TC-000915
Vuln IDs
  • V-240875
  • V-90179
Rule IDs
  • SV-240875r879810_rule
  • SV-100829
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use the sslEnabledProtocols correctly to ensure that older, less secure forms of transport security are not used.
Checks: C-44108r674367_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.

Fix: F-44067r674368_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.

tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SC-8 - High - CCI-002418 - V-240876 - SV-240876r879810_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
VRAU-TC-000920
Vuln IDs
  • V-240876
  • V-90181
Rule IDs
  • SV-240876r879810_rule
  • SV-100831
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use the sslEnabledProtocols correctly to ensure that older, less secure forms of transport security are not used.
Checks: C-44109r674370_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.

Fix: F-44068r674371_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.

tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-240877 - SV-240877r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000925
Vuln IDs
  • V-240877
  • V-90183
Rule IDs
  • SV-240877r879810_rule
  • SV-100833
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours. An essential configuration file for tc Server is catalina.properties. Properly configured, tc Server will not provide the weaker, export ciphers.
Checks: C-44110r674373_chk

At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If any export ciphers are listed, this is a finding.

Fix: F-44069r674374_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the "bio-ssl.cipher.list" setting. Remove any export ciphers from "bio-ssl.cipher.list". Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'

tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-240878 - SV-240878r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-TC-000930
Vuln IDs
  • V-240878
  • V-90185
Rule IDs
  • SV-240878r879810_rule
  • SV-100835
During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours. An essential configuration file for tc Server is catalina.properties. Properly configured, tc Server will not provide the weaker, export ciphers.
Checks: C-44111r674376_chk

At the command prompt, execute the following command: grep ciphers /etc/vcac/catalina.properties If any export ciphers are listed, this is a finding.

Fix: F-44070r674377_fix

Navigate to and open /etc/vcac/catalina.properties. Navigate to the "cipher" setting. Remove any export ciphers from "cipher". Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'
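For both export-cipher requirements (HORIZON's bio-ssl.cipher.list and the VCAC cipher setting), here is an added Python example (not from the STIG or from VMware) that reads catalina.properties, follows backslash line continuations that a single-line grep would cut off, and flags export-grade suites by name in both OpenSSL spelling (EXP-RC4-MD5, EXPORT40) and Java/IANA spelling (TLS_RSA_EXPORT_WITH_RC4_40_MD5), the latter of which `openssl ciphers 'EXP'` does not list. Because the VCAC check does not spell out the property key, the audit scans every key whose name contains "cipher". OpenSSL tokens prefixed with `!` or `-` remove suites and are therefore not reported, while a `+` prefix only reorders and the suite stays enabled. The property fragments are constructed samples, and the key `ssl.ciphers` in the VCAC sample is a made-up name.

```python
"""Added example: find export cipher suites in a tc Server catalina.properties
cipher list, in either OpenSSL (EXP-RC4-MD5, EXPORT40) or Java/IANA
(TLS_RSA_EXPORT_WITH_RC4_40_MD5) spelling. Not part of the STIG or of vRA."""
import re

# Export-grade suite names and the OpenSSL aliases for them. Matching is on
# the name only; it does not consult the OpenSSL library the way
# `openssl ciphers 'EXP'` does.
EXPORT_NAME_PATTERNS = (
    re.compile(r"^EXP(ORT)?(40|56|1024)?$", re.I),  # aliases: EXP, EXPORT, EXPORT40, ...
    re.compile(r"^EXP-", re.I),                     # OpenSSL suite names: EXP-RC4-MD5
    re.compile(r"_EXPORT(1024)?_", re.I),           # IANA/Java: TLS_RSA_EXPORT_WITH_...
)
# catalina.properties paths quoted in the STIG checks.
STIG_PROPERTIES = {
    "HORIZON": "/opt/vmware/horizon/workspace/conf/catalina.properties",
    "VCAC": "/etc/vcac/catalina.properties",
}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    and trailing-backslash line continuation (common in long cipher lists and
    invisible to a one-line grep)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continue on the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def export_ciphers(cipher_list):
    """Entries of a comma- or colon-separated cipher list that are export grade.
    OpenSSL '!' and '-' prefixes remove suites, so those tokens are skipped;
    a '+' prefix only reorders, so the suite is still enabled and is reported."""
    found = []
    for token in re.split(r"[,:\s]+", cipher_list):
        if not token or token[0] in "!-":
            continue
        name = token.lstrip("+")
        if any(p.search(name) for p in EXPORT_NAME_PATTERNS):
            found.append(name)
    return found


def audit_cipher_properties(text):
    """{property key: [export suites]} for every key whose name contains
    'cipher'. An empty dict means no finding."""
    findings = {}
    for key, value in parse_properties(text).items():
        if "cipher" not in key.lower():
            continue
        bad = export_ciphers(value)
        if bad:
            findings[key] = bad
    return findings


# Constructed samples, not copied from any vRA appliance.
SAMPLE_HORIZON = """\
# constructed catalina.properties fragment
bio-ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\\
    TLS_RSA_EXPORT_WITH_RC4_40_MD5,\\
    TLS_RSA_WITH_AES_128_CBC_SHA
"""
# 'ssl.ciphers' is a made-up key; the STIG only says the setting contains "cipher".
SAMPLE_VCAC = "ssl.ciphers=ECDHE-RSA-AES128-GCM-SHA256:EXP-RC4-MD5:!aNULL:!EXP-DES-CBC-SHA:+EXPORT40\n"
SAMPLE_CLEAN = "bio-ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\nbio-ssl.keystore=/tmp/x\n"

if __name__ == "__main__":
    for component, path in STIG_PROPERTIES.items():
        try:
            with open(path) as f:
                result = audit_cipher_properties(f.read())
        except OSError as exc:
            print(f"{component}: cannot read {path}: {exc}")
            continue
        if not result:
            print(f"{component}: no export ciphers listed")
        for key, suites in result.items():
            print(f"{component}: {key} still lists {', '.join(suites)}")
```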

tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-240879 - SV-240879r879813_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
VRAU-TC-000940
Vuln IDs
  • V-240879
  • V-90187
Rule IDs
  • SV-240879r879813_rule
  • SV-100837
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use the sslEnabledProtocols correctly to ensure that older, less secure forms of transport security are not used.
Checks: C-44112r674379_chk

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.

Fix: F-44071r674380_fix

Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.

tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-240880 - SV-240880r879813_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
VRAU-TC-000945
Vuln IDs
  • V-240880
  • V-90189
Rule IDs
  • SV-240880r879813_rule
  • SV-100839
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vRA should be configured to use the sslEnabledProtocols correctly to ensure that older, less secure forms of transport security are not used.
Checks: C-44113r674382_chk

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.

Fix: F-44072r674383_fix

Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.
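The sslEnabledProtocols requirements for HORIZON and VCAC (both the SC-8 High rules earlier and the two rules just above) check the same attribute on every `<Connector>`, so here is one added Python example (not from the STIG or from VMware) that lists the attribute per connector and applies the STIG comparison, treating the value as an unordered protocol set so that a re-ordered but identical list is not a false finding. The STIG value keeps TLSv1 and TLSv1.1 enabled, whereas NIST SP 800-52 Rev. 2 sets TLS 1.2 as the minimum, so the example separately reports any enabled protocol older than TLS 1.2 as advisory output without altering the STIG check itself. The server.xml sample is constructed; the paths are the ones quoted in the checks.

```python
"""Added example: report sslEnabledProtocols on every <Connector> in a tc Server
server.xml, applying the STIG comparison and, separately, listing any enabled
protocol older than TLS 1.2. Not part of the STIG or of vRA."""
import xml.etree.ElementTree as ET

# Value the STIG checks require, compared as an unordered set so that
# "TLSv1,TLSv1.1,TLSv1.2" (same protocols, different order) is not a false finding.
STIG_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1"
# Protocol names older than TLS 1.2 as spelled in Java/Tomcat configuration.
PRE_TLS12 = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# server.xml paths quoted in the STIG checks.
STIG_SERVER_XML = {
    "HORIZON": "/opt/vmware/horizon/workspace/conf/server.xml",
    "VCAC": "/etc/vcac/server.xml",
}


def _proto_set(value):
    return {p.strip() for p in value.split(",") if p.strip()}


def connector_protocols(server_xml):
    """(port, sslEnabledProtocols or None) for each <Connector>, in document order."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("sslEnabledProtocols")) for c in root.iter("Connector")]


def audit_ssl_protocols(server_xml, required=STIG_PROTOCOLS):
    """STIG logic: every connector must carry the attribute with exactly the
    required protocol set; a missing attribute or any other set is a finding."""
    req = _proto_set(required)
    findings = []
    for port, value in connector_protocols(server_xml):
        if value is None:
            findings.append(f"port {port}: sslEnabledProtocols is missing")
        elif _proto_set(value) != req:
            findings.append(f"port {port}: sslEnabledProtocols={value!r}")
    return findings


def legacy_protocols(server_xml):
    """Advisory only (not part of the STIG check): per port, the enabled
    protocols older than TLS 1.2, for review against NIST SP 800-52 Rev. 2."""
    return {port: sorted(_proto_set(value) & PRE_TLS12)
            for port, value in connector_protocols(server_xml) if value}


# Constructed sample with the three connectors the HORIZON check mentions:
# one compliant, one enabling SSLv3, one with the attribute missing.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
    <Connector port="7443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2,SSLv3"/>
    <Connector port="8080"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for component, path in STIG_SERVER_XML.items():
        try:
            with open(path) as f:
                xml_text = f.read()
        except OSError as exc:
            print(f"{component}: cannot read {path}: {exc}")
            continue
        result = audit_ssl_protocols(xml_text)
        print(f"{component}: {'compliant' if not result else '; '.join(result)}")
        for port, old in legacy_protocols(xml_text).items():
            if old:
                print(f"{component}: port {port} still enables {', '.join(old)}")
```

The STIG comparison and the advisory TLS 1.2 review are kept in separate functions on purpose: the first is what an assessor scores, the second is what a system owner should take to the ISSO when deciding whether the vRA connectors can drop TLSv1 and TLSv1.1 for their clients.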

tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
SI-2 - Medium - CCI-002605 - V-240881 - SV-240881r879827_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
VRAU-TC-000950
Vuln IDs
  • V-240881
  • V-90191
Rule IDs
  • SV-240881r879827_rule
  • SV-100841
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. The web server will be configured to check for and install security-relevant software updates from an authoritative source within an identified time period from the availability of the update. By default, this time period will be every 24 hours. VMware delivers product updates and patches regularly. It is crucial that system administrators coordinate installation of product updates with the site ISSO to ensure that updated and patched files are uploaded onto the system as soon as prescribed.
Checks: C-44114r854897_chk

Interview the ISSO. Review the policies and procedures used to ensure that all security-related upgrades are being installed within the configured time period directed by an authoritative source. If all security-related upgrades are not being installed within the configured time period directed by an authoritative source, this is a finding.

Fix: F-44073r674386_fix

Ensure that patches and updates from an authoritative source are applied at least within 24 hours after they have been received.

tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
CM-6 - Medium - CCI-000366 - V-240882 - SV-240882r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VRAU-TC-000960
Vuln IDs
  • V-240882
  • V-90193
Rule IDs
  • SV-240882r879887_rule
  • SV-100843
Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the web server, including the parameters required to satisfy other security control requirements. VMware delivers product updates and patches regularly. It is crucial that system administrators coordinate installation of product updates with the site ISSO to ensure that updated and patched files are uploaded onto the system as soon as prescribed.
Checks: C-44115r674467_chk

Interview the ISSO. Verify that this Security Technical Implementation Guide (STIG) is the most current STIG available for tc Server on vRA. Assess all of the organization's vRA installations to ensure that they are fully compliant with the most current tc Server STIG. If the most current version of the tc Server was not used, or if the tc Server configuration is not compliant with the most current tc Server STIG, this is a finding.

Fix: F-44074r674389_fix

Obtain the most current tc Server ALL STIG. Verify that tc Server ALL is configured with all current requirements.

The version of vRealize Automation 7.x tc Server running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-258454 - SV-258454r928887_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
VRAU-TC-009999
Vuln IDs
  • V-258454
Rule IDs
  • SV-258454r928887_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-62194r928886_chk

vRealize Automation 7.x tc Server is no longer supported by the vendor. If the system is running vRealize Automation 7.x tc Server, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.