At the command prompt, execute the following command: grep maxThreads /opt/vmware/horizon/workspace/conf/server.xml If the value of "maxThreads" is not "300" or is missing, this is a finding. Note: grep also prints commented-out or duplicate occurrences; the value that counts is the one on the live <Executor> element.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads="300"'. Note: The <Executor> node should be configured per the following: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>
At the command prompt, execute the following command: grep maxThreads /etc/vco/app-server/server.xml If the value of "maxThreads" is not "300" or is missing, this is a finding. Note: grep also prints commented-out or duplicate occurrences; the value that counts is the one on the live <Connector> element.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate the <Connector> node. Configure the <Connector> with the value 'maxThreads="300"'.
At the command prompt, execute the following command: grep maxThreads /etc/vcac/server.xml If the value of "maxThreads" is not "1000" or is missing, this is a finding. Note: grep also prints commented-out or duplicate occurrences; the value that counts is the one on the live <Executor> element.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads="1000"'. Note: The <Executor> node should be configured per the following: <Executor maxThreads="1000" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "connectionTimeout" is not set to "20000" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'connectionTimeout="20000"'.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. If the value of "connectionTimeout" is not set to "20000" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'connectionTimeout="10000"'. Note: the check text for this requirement tests for "20000" while this fix text states "10000"; the two must agree, so set the value the check for your STIG release expects, otherwise the fix itself produces a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "connectionTimeout" is not set to "10000" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'connectionTimeout="10000"'.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "maxKeepAliveRequests" is not set to "15" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'maxKeepAliveRequests="15"'.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. If the value of "maxKeepAliveRequests" is not set to "15" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'maxKeepAliveRequests="15"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "maxKeepAliveRequests" is not set to "15" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'maxKeepAliveRequests="15"'.
At the command prompt, execute the following command: grep -E 'cookies=.false' /opt/vmware/horizon/workspace/conf/context.xml If the command produces any output, this is a finding. Note: the "." in the pattern stands for the quote character; confirm that any match is on the live <Context> element and not inside an XML comment.
Navigate to and open /opt/vmware/horizon/workspace/conf/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.
At the command prompt, execute the following command: grep -E 'cookies=.false' /etc/vco/app-server/context.xml If the command produces any output, this is a finding. Note: the "." in the pattern stands for the quote character; confirm that any match is on the live <Context> element and not inside an XML comment.
Navigate to and open /etc/vco/app-server/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.
At the command prompt, execute the following command: grep -E 'cookies=.false' /etc/vcac/context.xml If the command produces any output, this is a finding. Note: the "." in the pattern stands for the quote character; confirm that any match is on the live <Context> element and not inside an XML comment.
Navigate to and open /etc/vcac/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.
At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "bio-ssl.cipher.list" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to and locate "bio-ssl.cipher.list". Configure the "bio-ssl.cipher.list" with FIPS 140-2 compliant ciphers.
At the command prompt, execute the following command: grep cipher /etc/vcac/catalina.properties If the value of "cipher" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'
Navigate to and open /etc/vcac/catalina.properties. Navigate to and locate "cipher". Configure the "cipher" with FIPS 140-2 compliant ciphers.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'SSLEnabled="true"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'SSLEnabled="true"'.
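The attribute checks above (maxThreads, connectionTimeout, maxKeepAliveRequests, SSLEnabled, cookies) all rely on grep, which cannot tell a live element from a commented-out one. The script below is an added example, not part of the STIG or of the vRA appliance: it strips XML comments first, then reports one verdict per live <Executor>, <Connector> or <Context> element. The server.xml and context.xml it audits are constructed samples written to a temporary directory, not real appliance files; it assumes a POSIX shell with grep -E -o and sed -E.

```shell
#!/bin/sh
# Added example, not part of the STIG or the vRA appliance: check a Tomcat
# element attribute after stripping XML comments, so a commented-out
# <Executor maxThreads="300"> (which a plain "grep maxThreads" also prints)
# cannot satisfy the check. Assumes POSIX sh with GNU/BSD grep -E -o and sed -E.

# strip_comments FILE: print FILE as one line with <!-- ... --> removed
# (tags often span lines, and "--" cannot appear inside an XML comment).
strip_comments() {
    tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-]|--[^>])*-->//g'
}

# check_attr FILE ELEMENT ATTR EXPECTED: one verdict per live <ELEMENT> tag;
# exit 0 only if every tag carries ATTR="EXPECTED". A missing attribute is a
# finding, as the STIG check text requires.
check_attr() {
    file=$1; elem=$2; attr=$3; want=$4
    strip_comments "$file" | grep -oE "<$elem( [^>]*)?/?>" | (
        n=0; rc=0
        while IFS= read -r tag; do
            n=$((n + 1))
            val=$(printf '%s\n' "$tag" | grep -oE " $attr=\"[^\"]*\"" | head -n 1 \
                  | sed 's/^[^"]*"//; s/"$//')
            if [ "$val" = "$want" ]; then
                echo "OK      <$elem> #$n $attr=\"$val\""
            else
                echo "FINDING <$elem> #$n $attr=\"${val:-<missing>}\" (expected \"$want\")"
                rc=1
            fi
        done
        [ "$n" -gt 0 ] || { echo "FINDING no <$elem> element in $file"; rc=1; }
        exit "$rc"    # subshell status becomes the pipeline's, i.e. the function's
    )
}

# cookies_disabled FILE: exit 0 (finding) when a live <Context> tag carries
# cookies="false"; the STIG grep would also fire on a commented-out copy.
cookies_disabled() {
    strip_comments "$1" | grep -oE "<Context( [^>]*)?/?>" | grep -qE ' cookies="false"'
}

# write_samples DIR: constructed server.xml and context.xml, not real appliance files
write_samples() {
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Executor name="tomcatThreadPool" maxThreads="300"/> -->
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="tomcat-http--"
              maxThreads="150" minSpareThreads="50"/>
    <Connector port="8443" SSLEnabled="true" connectionTimeout="20000"
               maxKeepAliveRequests="15" executor="tomcatThreadPool"/>
    <Connector port="8080" connectionTimeout="20000" maxKeepAliveRequests="100"/>
  </Service>
</Server>
EOF
    cat > "$1/context.xml" <<'EOF'
<!-- <Context cookies="false"/> -->
<Context cookies="false"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>
EOF
}

demo=$(mktemp -d); write_samples "$demo"; overall=0
check_attr "$demo/server.xml" Executor  maxThreads           300   || overall=1
check_attr "$demo/server.xml" Connector connectionTimeout    20000 || overall=1
check_attr "$demo/server.xml" Connector maxKeepAliveRequests 15    || overall=1
check_attr "$demo/server.xml" Connector SSLEnabled           true  || overall=1
if cookies_disabled "$demo/context.xml"; then
    echo "FINDING <Context> has cookies=\"false\" in $demo/context.xml"; overall=1
fi
rm -rf "$demo"
[ "$overall" -eq 0 ] && echo "compliant" || echo "findings present"
```

Against the sample, the commented-out Executor is ignored and the live one (maxThreads="150") is reported as a finding, the second Connector is flagged for maxKeepAliveRequests="100" and for a missing SSLEnabled, and the live cookies="false" on <Context> is reported even though an identical commented-out copy precedes it. Run the same functions against the appliance paths named in the checks (for example check_attr /etc/vcac/server.xml Executor maxThreads 1000).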
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" suffix=".txt" rotatable="false" requestAttributesEnabled="true" checkExists="true"/>
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse. Note: the check text compares the element against its own attribute list (including prefix, rotatable, requestAttributesEnabled and checkExists); configure the valve so that it satisfies the check.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" rotatable="false" checkExists="true"/>
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse. Note: the check text compares the element against its own attribute list (including prefix, rotatable and checkExists); configure the valve so that it satisfies the check.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: more /storage/log/vmware/vco/app-server/catalina.out Verify that tc Server start and stop events are being logged. If the tc Server start and stop events are not being recorded, this is a finding. Note: The tc Server service is referred to as Catalina in the log.
Navigate to and open /usr/share/tomcat/bin/catalina.sh. Navigate to and locate the start block: "elif [ "$1" = "start" ] ; then" Within it, locate both "eval" statements, each of which ends with the line: "org.apache.catalina.startup.Bootstrap "$@" start \" Add this statement as the continuation line immediately below that line in both "eval" statements (the trailing backslash joins it to the command): '>> "$CATALINA_OUT" 2>&1 "&"' Note: "&" is quoted deliberately; eval expands it so that the server is started in the background after its output has been redirected to catalina.out.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" suffix=".txt" rotatable="false" requestAttributesEnabled="true" checkExists="true"/>
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse. Note: the check text compares the element against its own attribute list (including prefix, rotatable, requestAttributesEnabled and checkExists); configure the valve so that it satisfies the check.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" rotatable="false" checkExists="true"/>
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse. Note: the check text compares the element against its own attribute list (including prefix, rotatable and checkExists); configure the valve so that it satisfies the check.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an "AccessLogValve" is not configured correctly or is missing, this is a finding. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: more /usr/share/tomcat/bin/catalina.sh Then type /touch "$CATALINA_OUT" and press "Enter" to search forward to the start block ("/" searches in more). Verify that the start command that follows contains the redirection ">> "$CATALINA_OUT" 2>&1 "&"" If the redirection is not correct or is missing, this is a finding. Note: Use the "Enter" key to scroll down after the search.
Navigate to and open /usr/share/tomcat/bin/catalina.sh. Navigate to and locate the start block: "elif [ "$1" = "start" ] ; then" Within it, locate both "eval" statements, each of which ends with the line: "org.apache.catalina.startup.Bootstrap "$@" start \" Add this statement as the continuation line immediately below that line in both "eval" statements (the trailing backslash joins it to the command): '>> "$CATALINA_OUT" 2>&1 "&"'
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the time and date of events are not being recorded, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events (the requested URL in the "%r" request field) is not being recorded, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the location of events (the requested URL in the "%r" request field) is not being recorded, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events (the requested URL in the "%r" request field) is not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events (the "%h" field at the start of each line) is not being recorded, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the source IP of events (the "%h" field at the start of each line) is not being recorded, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events (the "%h" field at the start of each line) is not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the RemoteIpValve <Valve> element below. Note: The "RemoteIpValve" should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for" internalProxies="127\.0\.0\.1"/> Note: the valve only trusts the x-forwarded-for header from addresses matching internalProxies, so list the actual load balancer or proxy addresses there; a pattern that matches everything lets any client forge the address that is logged. Note: for "%h" in the access log to show the address derived by this valve, the AccessLogValve on the same <Host> must have requestAttributesEnabled="true".
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the RemoteIpValve <Valve> element below. Note: The "RemoteIpValve" should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" internalProxies=".*" protocolHeader="x-forwarded-proto" /> Note: the RemoteIpValve attribute that names the proxies header is "proxiesHeader"; the original fix text gives "remoteIpProxiesHeader", which this valve does not recognize. Note: internalProxies=".*" trusts the x-forwarded-for header from every source, so any client can forge the address that is logged; restrict the pattern to the actual load balancer or proxy addresses, as the Horizon and vCAC fixes do with "127\.0\.0\.1". Note: for "%h" in the access log to show the address derived by this valve, the AccessLogValve on the same <Host> must have requestAttributesEnabled="true".
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the RemoteIpValve <Valve> element below. Note: The "RemoteIpValve" should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" internalProxies="127\.0\.0\.1" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for"/> Note: the valve only trusts the x-forwarded-for header from addresses matching internalProxies, so list the actual load balancer or proxy addresses there; a pattern that matches everything lets any client forge the address that is logged. Note: for "%h" in the access log to show the address derived by this valve, the AccessLogValve on the same <Host> must have requestAttributesEnabled="true".
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, which are recorded immediately after "HTTP/1.1"
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, which are recorded immediately after "HTTP/1.1"
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, which are recorded immediately after "HTTP/1.1"
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user is not being recorded, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the identity of the user is not being recorded, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user is not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the AccessLogValve <Valve> element below. Note: The "AccessLogValve" should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/> Note: the quotes around %r inside the pattern attribute must be written as &quot;; a literal quote there terminates the attribute value and server.xml will not parse.
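The access-log checks above (GET/POST events, time and date, location, source IP, real client IP, status code, user identity) all amount to reading lines written with the pattern "%h %l %u %t &quot;%r&quot; %s %b" and confirming each field is present. The script below is an added example, not part of the STIG or of the appliance: it validates every line of a log against that layout and separately flags a log in which only loopback addresses appear, which is the symptom of a missing RemoteIpValve behind a load balancer. The log lines are constructed samples; it assumes a POSIX shell with grep -E and awk.

```shell
#!/bin/sh
# Added example, not part of the STIG or the appliance: check that lines from an
# AccessLogValve with pattern "%h %l %u %t &quot;%r&quot; %s %b" carry every
# field the checks above look for. The log lines are constructed, not captured.
# Assumes POSIX sh with grep -E and awk.

# One well-formed line: host  ident  user  [timestamp]  "METHOD path HTTP/x"  status  bytes
LINE_RE='^[0-9A-Fa-f.:]+ [^ ]+ [^ ]+ \[[^]]+\] "[A-Z]+ [^"]* HTTP/[0-9.]+" [0-9]{3} (-|[0-9]+)$'

# access_line_ok LINE: exit 0 if LINE matches LINE_RE
access_line_ok() {
    printf '%s\n' "$1" | grep -qE "$LINE_RE"
}

# audit_access_log FILE: one verdict per line; exit 1 if any line lacks a field
audit_access_log() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if access_line_ok "$line"; then
            echo "OK      $line"
        else
            echo "FINDING $line"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# proxy_masked FILE: exit 0 when every %h is a loopback address, i.e. the log
# shows the local proxy instead of the client (RemoteIpValve missing, or the
# proxy not sending the remoteIpHeader)
proxy_masked() {
    [ -s "$1" ] && awk '$1 != "127.0.0.1" && $1 != "::1" { exit 1 }' "$1"
}

# write_samples DIR: constructed logs standing in for the appliance access logs
write_samples() {
    cat > "$1/good.log" <<'EOF'
10.0.0.5 - jdoe [12/Mar/2018:14:02:11 -0500] "GET /vcac/ HTTP/1.1" 200 5123
10.0.0.5 - - [12/Mar/2018:14:02:12 -0500] "POST /identity/api/tokens HTTP/1.1" 401 -
EOF
    # written with a pattern of "%h %r %s": no user, no timestamp, no byte count
    cat > "$1/bad.log" <<'EOF'
10.0.0.5 GET /vcac/ HTTP/1.1 200
EOF
    # behind a load balancer with no RemoteIpValve: only the proxy address is logged
    cat > "$1/masked.log" <<'EOF'
127.0.0.1 - - [12/Mar/2018:14:03:01 -0500] "GET /vcac/ HTTP/1.1" 200 5123
127.0.0.1 - - [12/Mar/2018:14:03:02 -0500] "GET /vco/ HTTP/1.1" 302 -
EOF
}

demo=$(mktemp -d); write_samples "$demo"
for name in good bad masked; do
    echo "== $name.log"
    audit_access_log "$demo/$name.log" || echo "-> fields missing: check the AccessLogValve pattern"
    proxy_masked "$demo/$name.log" && echo "-> only loopback addresses: configure RemoteIpValve"
done
rm -rf "$demo"
```

Two caveats when reading real logs with this. A "-" in the %u column is not a missing field: Tomcat fills %u only when container authentication set a principal for the request, so unauthenticated requests legitimately show "-" there. And proxy_masked is a heuristic for the "actual client IP" checks: a log that contains nothing but 127.0.0.1 is evidence that the RemoteIpValve is absent or that the proxy is not sending x-forwarded-for, but a log with external addresses still needs a spot check against the proxy's own records before the check is marked not a finding.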
Interview the ISSO. Determine if log data and records are configured to alert the ISSO and SA in the event of processing failure. If log data and records are not configured to alert the ISSO and SA in the event of processing failure, this is a finding.
Configure the web server to provide an alert to the ISSO and SA when log processing failures occur. If the web server cannot generate alerts, utilize an external logging system that meets this criterion.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/horizon If any log files have permissions less restrictive than "640", this is a finding.
At the command prompt, execute the following commands: chmod 640 /storage/log/vmware/horizon/<file> sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vco/app-server If any log files have permissions less restrictive than "640", this is a finding.
At the command prompt, execute the following commands: chmod 640 /storage/log/vmware/vco/app-server/<file> sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files have permissions less restrictive than "640", this is a finding.
At the command prompt, execute the following commands: chmod 640 /storage/log/vmware/vcac/<file> sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files are not owned by "root" or "vcac", this is a finding. The following files should be owned by "vcac": access_log catalina.out gc_logs host-manager localhost manager tc Server.pid The following files should be owned by "root": system-config-history telemetry toolsgc vcac-config
At the command prompt, execute the following command: chown <owner>:<owner> /storage/log/vmware/vcac/<file> Note: Substitute <file> with the listed file. Note: Substitute <owner> with the correct value below. The following files should be owned by "vcac": access_log catalina.out gc_logs host-manager localhost manager tc Server.pid The following files should be owned by "root": system-config-history telemetry toolsgc vcac-config
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vco/app-server If any log files are not owned by "vco", this is a finding.
At the command prompt, execute the following command: chown vco:vco /storage/log/vmware/vco/app-server/<file> Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files are not owned by "root" or "vcac", this is a finding.
At the command prompt, set the owner and group of the following files to "vcac": access_log.txt, audit.log, catalina.log, catalina.out, gc_logs.log.0.current, host-manager.log, localhost.log, manager.log, and tomcat.pid, using the following command: chown vcac:vcac /storage/log/vmware/vcac/<file> Set all other files not listed above to the owner and group "root", using the following command: chown root:root /storage/log/vmware/vcac/<file> Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/horizon If any log files are not group-owned by "www", this is a finding.
At the command prompt, execute the following command: chown horizon:www /storage/log/vmware/horizon/<file> Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vco/app-server If any log files are not group-owned by "vco", this is a finding.
At the command prompt, execute the following command: chown vco:vco /storage/log/vmware/vco/app-server/<file> Note: Substitute <file> with the listed file.
At the command prompt, execute the following command: ls -lL /storage/log/vmware/vcac If any log files are not group-owned by "root", this is a finding.
At the command prompt, execute the following command: chown root:root /storage/log/vmware/vcac/<file> Note: Substitute <file> with the listed file.
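The permission and ownership checks above are each a manual reading of "ls -lL" against a mode of 640 and an expected owner or group. The script below is an added example, not part of the STIG or of the appliance: it audits every regular file in a directory against a maximum mode and an expected owner and group, then applies the chmod and the login.defs UMASK edit from the fix text. The directory tree and login.defs it works on are constructed under mktemp, standing in for /storage/log/vmware/<component> and /etc/login.defs; it assumes a POSIX shell and GNU coreutils (stat -c, sed -i).

```shell
#!/bin/sh
# Added example, not part of the STIG: audit a log directory for files whose
# mode is less restrictive than a maximum (640 here) or whose owner/group are
# not the expected ones, then apply the mode and UMASK fixes from the text.
# Assumes a POSIX shell and GNU coreutils (stat -c, sed -i); the sample tree
# is created under mktemp and stands in for /storage/log/vmware/<component>.

# mode_too_open MODE MAX: exit 0 if octal MODE grants any bit that MAX does not
mode_too_open() {
    [ $(( 0$1 & ~0$2 )) -ne 0 ]
}

# audit_log_dir DIR MAXMODE OWNER GROUP: one verdict per regular file (symlinks
# followed, as "ls -lL" does); exit 1 if any file is a finding.
audit_log_dir() {
    dir=$1; maxmode=$2; owner=$3; group=$4; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(stat -L -c '%a %U %G' "$f")   # mode owner group
        problems=""
        mode_too_open "$1" "$maxmode" && problems="$problems mode=$1(max $maxmode)"
        [ "$2" = "$owner" ] || problems="$problems owner=$2(expected $owner)"
        [ "$3" = "$group" ] || problems="$problems group=$3(expected $group)"
        if [ -n "$problems" ]; then
            echo "FINDING $f:$problems"; rc=1
        else
            echo "OK      $f $1 $2:$3"
        fi
    done
    return "$rc"
}

# restrict_log_modes DIR MODE: the chmod from the fix text applied to every
# regular file in DIR (ownership still needs chown as root, so it is not done here)
restrict_log_modes() {
    for f in "$1"/*; do
        [ -f "$f" ] && chmod "$2" "$f"
    done
    return 0
}

# set_login_umask FILE VALUE: the sed from the fix text, replacing the live
# (uncommented) UMASK line with "UMASK VALUE"; commented lines are left alone
set_login_umask() {
    sed -i "/^[^#]*UMASK/ c\\UMASK $2" "$1"
}

# write_samples DIR: constructed files, not copied from an appliance
write_samples() {
    mkdir -p "$1/logs"
    printf 'x\n' > "$1/logs/catalina.out";   chmod 640 "$1/logs/catalina.out"
    printf 'x\n' > "$1/logs/access_log.txt"; chmod 644 "$1/logs/access_log.txt"
    printf 'x\n' > "$1/logs/audit.log";      chmod 600 "$1/logs/audit.log"
    printf '#UMASK 022\nUMASK\t022\nPASS_MAX_DAYS 60\n' > "$1/login.defs"
}

demo=$(mktemp -d); write_samples "$demo"
me=$(stat -c %U "$demo/logs/catalina.out"); grp=$(stat -c %G "$demo/logs/catalina.out")
echo "== before"; audit_log_dir "$demo/logs" 640 "$me" "$grp" || true
restrict_log_modes "$demo/logs" 640
set_login_umask "$demo/login.defs" 077
echo "== after";  audit_log_dir "$demo/logs" 640 "$me" "$grp" || true
grep -n UMASK "$demo/login.defs"
rm -rf "$demo"
```

Before the fix, access_log.txt (644) is the only finding; 600 is tighter than 640 and passes, since the check is for any bit granted beyond the maximum rather than for an exact mode. Run the audit against the appliance directories with the expected owner and group from the checks (for example audit_log_dir /storage/log/vmware/horizon 640 horizon www). One caveat on the UMASK edit: the UMASK in /etc/login.defs governs interactive login sessions, while the tc Server process that writes these logs takes its umask from the service start script, so re-check the mode of newly rotated log files after a restart rather than assuming the login.defs change covers them.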
Interview the ISSO. Determine if log data and records are not being backed up onto a different system or media. If log data and records are not being backed up onto a different system or media, this is a finding.
Ensure log data and records are being backed up to a different system or separate media.
Interview the ISSO. Determine whether web server files are being fully reviewed, tested, and signed before being implemented into the production environment. If the web server files are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.
Configure the web server to verify object integrity before becoming part of the production web server or utilize an external tool designed to meet this requirement.
Interview the ISSO. Determine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment. If the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.
Configure the web server to enforce, internally or through an external utility, the review, testing and signing of modules before implementation into the production environment.
At the command prompt, execute the following command: cat /opt/vmware/horizon/workspace/conf/tomcat-users.xml If the "tomcat-users.xml" file contains any user information, this is a finding.
Contact the ISSO and/or SA. Determine why user data is being stored in "tomcat-users.xml". If the user data is not required, remove it. The vRA appliance does not maintain user data in this file by default.
At the command prompt, execute the following command: cat /etc/vco/app-server/tomcat-users.xml If the "tomcat-users.xml" file contains any user information, this is a finding.
Contact the ISSO and/or SA. Determine why user data is being stored in "tomcat-users.xml". If the user data is not required, remove it. The vRA appliance does not maintain user data in this file by default.
At the command prompt, execute the following command: cat /etc/vcac/tomcat-users.xml If the "tomcat-users.xml" file contains any user information, this is a finding.
Contact the ISSO and/or SA. Determine why user data is being stored in "tomcat-users.xml". If the user data is not required, remove it. The vRA appliance does not maintain user data in this file by default.
Interview the ISSO. Review the web server documentation and deployed configuration to determine if web server features, services, and processes are installed that are not needed for hosted application deployment. If excessive features, services, and processes are installed, this is a finding.
Uninstall or deactivate features, services, and processes not needed by the web server for operation.
Interview the ISSO. Review the web server documentation and deployed configuration to determine if documentation, sample code, example applications, and tutorials have been removed. If documentation, sample code, example applications, and tutorials have not been removed, this is a finding.
Remove all documentation, sample code, example applications, and tutorials.
Interview the ISSO. Review the web server documentation and deployed configuration to determine if utility programs, services, plug-ins, and modules not necessary for operation have been removed. If utility programs, services, plug-ins, and modules not necessary for operation have not been removed, this is a finding.
Remove all utility programs, services, plug-ins, and modules not necessary for operation.
At the command prompt, execute the following command: find / -name 'web.xml' -print0 | xargs -0r grep -HEn '(x-csh<)|(x-sh<)|(x-shar<)|(x-ksh<)' If the command produces any output, this is a finding.
Navigate to a file that was listed. Open the file in a text editor. Delete any of the following types: application/x-sh application/x-shar application/x-csh application/x-ksh
Interview the ISSO. Review the web server documentation and deployed configuration to determine if all mappings to unused and vulnerable scripts have been removed. If all mappings to unused and vulnerable scripts have not been removed, this is a finding.
Remove script mappings that are not needed for web server and hosted application operation.
At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /opt/vmware/horizon/workspace/conf/web.xml If the jsp and jspx file extensions have not been mapped to the JSP servlet, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <!-- The mappings for the JSP servlet --> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>
At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /etc/vco/app-server/web.xml If the jsp and jspx file extensions have not been mapped to the JSP servlet, this is a finding.
Navigate to and open /etc/vco/app-server/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <!-- The mappings for the JSP servlet --> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>
At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /etc/vcac/web.xml If the jsp and jspx file extensions have not been mapped to the JSP servlet, this is a finding.
Navigate to and open /etc/vcac/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <!-- The mappings for the JSP servlet --> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>
At the command prompt, execute the following command: find / -name 'web.xml' -print0 | xargs -0r grep -HEn 'webdav' If the command produces any output, this is a finding.
Navigate to and open all listed files. Navigate to and locate the mapping for the WebDAV servlet. It is the <servlet-mapping> node that contains <servlet-name>webdav</servlet-name>. Remove the WebDAV servlet and any mapping associated with it.
At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /opt/vmware/horizon/workspace/conf/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.
At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /etc/vco/app-server/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.
At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /etc/vcac/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.
At the command prompt, execute the following command: ls -lR /usr/lib/vco/configuration/webapps | grep '^l' If the command produces any output, this is a finding.
At the command prompt, execute the following command: unlink <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of each file that was returned.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If either the IP address or the port is not specified for each <Connector>, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'address="XXXXX"'. Note: Replace XXXXX with the appropriate address for that node.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. If either the IP address or the port is not specified for the <Connector>, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'address="XXXXX"'. Note: Replace XXXXX with the appropriate address for that node.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If either the IP address or the port is not specified for the <Connector>, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'address="XXXXX"'. Note: Replace XXXXX with the appropriate address for that node.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'SSLEnabled="true"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "SSLEnabled" is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'SSLEnabled="true"'.
If PKI is not being used, this check is Not Applicable. Interview the ISSO. Review the tc Server ALL configuration to verify that certificates provided by the client are validated in accordance with RFC 5280. If certificates are not being validated in accordance with RFC 5280, this is a finding.
If PKI is not being used, this check is Not Applicable. Validate client certificates in accordance with RFC 5280.
At the command prompt, execute the following command: ls -al /opt/vmware/horizon/workspace/conf/tcserver.keystore Verify that file permissions are set to "640" or more restrictive. Verify that the owner is horizon and the group-owner is www. If either of these conditions is not met, this is a finding.
At the command prompt, execute the following commands: chown horizon:www /opt/vmware/horizon/workspace/conf/tcserver.keystore chmod 640 /opt/vmware/horizon/workspace/conf/tcserver.keystore
At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "bio-ssl.cipher.list" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to and locate "bio-ssl.cipher.list". Configure the "bio-ssl.cipher.list" with FIPS 140-2 compliant ciphers.
At the command prompt, execute the following command: grep cipher /etc/vcac/catalina.properties If the value of "cipher" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'
Navigate to and open /etc/vcac/catalina.properties. Navigate to and locate "cipher". Configure the "cipher" with FIPS 140-2 compliant ciphers.
At the command prompt, execute the following command: ls -alR /opt/vmware/horizon/workspace/webapps | grep -E '^-' | awk '$3 !~ /horizon|root/ {print}' If the command produces any output, this is a finding.
At the command prompt, execute the following command: chown horizon:www <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.
At the command prompt, execute the following command: ls -lL /usr/lib/vco/configuration/webapps If the listed files are not owned by "vco", this is a finding.
At the command prompt, execute the following command: chown vco:vco <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.
At the command prompt, execute the following command: ls -alR /etc/vcac /usr/lib/vcac/server/webapps | grep -E '^-' | awk '$3 !~ /vcac|root/ {print}' If the command produces any output, this is a finding.
For each file that was returned from /etc/vcac or /usr/lib/vcac/server/webapps, at the command prompt execute the following command: chown vcac:vcac <file_name> Note: Replace <file_name> with the name of the file that was returned.
At the command prompt, execute the following command: ls -alR /opt/vmware/horizon/workspace | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.
At the command prompt, execute the following command: chmod 750 <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.
At the command prompt, execute the following command: ls -alR /etc/vco /usr/lib/vco/app-server | grep -E '^-' | awk '$1 !~ /---$/ {print}' If anything is returned, this is a finding.
At the command prompt, execute the following command: chmod 750 <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.
At the command prompt, execute the following command: ls -alR /etc/vcac /usr/lib/vcac/server/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.
At the command prompt, execute the following command: chmod 750 <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> with the name of the file that was returned.
Interview the ISSO. Review the web server documentation and deployed configuration to determine if the tc Server code baseline is documented and maintained. If the tc Server code baseline is not documented and maintained, this is a finding.
Develop baseline documentation of the tc Server codebase.
At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /opt/vmware/horizon/workspace/conf/catalina.properties If the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" setting is not set to "true" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Configure the setting "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" with the value "true". Note: The word "true" should not be surrounded with any quote characters.
At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /etc/vco/app-server/catalina.properties If the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" setting is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/catalina.properties. Configure the setting "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" with the value "true". Note: The word "true" should not be surrounded with any quote characters.
At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /etc/vcac/catalina.properties If the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" setting is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vcac/catalina.properties. Configure the setting "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" with the value "true". Note: The word "true" should not be surrounded with any quote characters.
At the command prompt, execute the following commands: df -k /usr/java/jre-vmware df -k /opt/vmware/horizon/workspace/webapps If the two directories above are on the same partition, this is a finding.
Consult with the ISSO. Move the tc Server HORIZON /opt/vmware/horizon/workspace/webapps folder to a separate partition.
At the command prompt, execute the following commands: df -k /usr/java/jre-vmware df -k /usr/lib/vco/configuration/webapps If the two directories above are on the same partition, this is a finding.
Consult with the ISSO. Move the tc Server VCO /usr/lib/vco/configuration/webapps folder to a separate partition.
At the command prompt, execute the following commands: df -k /usr/java/jre-vmware df -k /usr/lib/vcac/server/webapps If the two directories above are on the same partition, this is a finding.
Consult with the ISSO. Move the tc Server VCAC /usr/lib/vcac/server/webapps folder to a separate partition.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "URIEncoding" is not set to "UTF-8" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'URIEncoding="UTF-8"'.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. If the value of "URIEncoding" is not set to "UTF-8" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'URIEncoding="UTF-8"'.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified. If the "setCharacterEncodingFilter" filter has not been specified or is commented out, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Configure the <web-app> node with the <filter> node listed below (each <init-param> carries exactly one <param-name>/<param-value> pair): <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>false</param-value> </init-param> <async-supported>true</async-supported> </filter>
Navigate to and open /etc/vco/app-server/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified. If the "setCharacterEncodingFilter" filter has not been specified or is commented out, this is a finding.
Navigate to and open /etc/vco/app-server/web.xml. Configure the <web-app> node with the <filter> node listed below (each <init-param> carries exactly one <param-name>/<param-value> pair): <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>false</param-value> </init-param> <async-supported>true</async-supported> </filter>
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "URIEncoding" is not set to "UTF-8" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'URIEncoding="UTF-8"'.
Navigate to and open /etc/vcac/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified. If the "setCharacterEncodingFilter" filter has not been specified or is commented out, this is a finding.
Navigate to and open /etc/vcac/web.xml. Configure the <web-app> node with the <filter> node listed below (each <init-param> carries exactly one <param-name>/<param-value> pair): <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>false</param-value> </init-param> <async-supported>true</async-supported> </filter>
At the command prompt, execute the following command: grep -E -A 4 '<welcome-file-list' /opt/vmware/horizon/workspace/conf/web.xml If a <welcome-file> node is not set to a default web page, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Inspect the file and ensure that it contains the below section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>
At the command prompt, execute the following command: grep -E -A 4 '<welcome-file-list' /etc/vco/app-server/web.xml If a <welcome-file> node is not set to a default web page, this is a finding.
Navigate to and open /etc/vco/app-server/web.xml. Inspect the file and ensure that it contains the below section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>
At the command prompt, execute the following command: grep -E -A 4 '<welcome-file-list' /etc/vcac/web.xml If a <welcome-file> node is not set to a default web page, this is a finding.
Navigate to and open /etc/vcac/web.xml. Inspect the file and ensure that it contains the below section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>
At the command prompt, execute the following command: grep allowTrace /opt/vmware/horizon/workspace/conf/server.xml If "allowTrace" is set to "true", this is a finding. Note: If no line is returned, this is NOT a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to and locate 'allowTrace="true"'. Remove the 'allowTrace="true"' setting.
At the command prompt, execute the following command: grep allowTrace /etc/vco/app-server/server.xml If "allowTrace" is set to "true", this is a finding. Note: If no line is returned, this is NOT a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to and locate 'allowTrace="true"'. Remove the 'allowTrace="true"' setting.
At the command prompt, execute the following command: grep allowTrace /etc/vcac/server.xml If "allowTrace" is set to "true", this is a finding. Note: If no line is returned, this is NOT a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to and locate 'allowTrace="true"'. Remove the 'allowTrace="true"' setting.
At the command prompt, execute the following command: grep -En -A 2 -B 1 '<param-name>debug</param-name>' /opt/vmware/horizon/workspace/conf/web.xml If all instances of the debug parameter are not set to "0", this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to every <init-param> node whose <param-name> is "debug" and whose <param-value> is not "0". Set the <param-value> to "0" in each of them. Note: The debug setting should look like the below: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>
At the command prompt, execute the following command: grep -En -A 2 -B 1 '<param-name>debug</param-name>' /etc/vco/app-server/web.xml If all instances of the debug parameter are not set to "0", this is a finding.
Navigate to and open /etc/vco/app-server/web.xml. Navigate to every <init-param> node whose <param-name> is "debug" and whose <param-value> is not "0". Set the <param-value> to "0" in each of them. Note: The debug setting should look like the below: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>
At the command prompt, execute the following command: grep -En -A 2 -B 1 '<param-name>debug</param-name>' /etc/vcac/web.xml If all instances of the debug parameter are not set to "0", this is a finding.
Navigate to and open /etc/vcac/web.xml. Navigate to every <init-param> node whose <param-name> is "debug" and whose <param-value> is not "0". Set the <param-value> to "0" in each of them. Note: The debug setting should look like the below: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>
At the command prompt, execute the following command: grep session-timeout /opt/vmware/horizon/workspace/conf/web.xml If the value of <session-timeout> is not "30" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.
At the command prompt, execute the following command: grep session-timeout /etc/vco/app-server/web.xml If the value of <session-timeout> is not "30" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.
At the command prompt, execute the following command: grep session-timeout /etc/vcac/web.xml If the value of <session-timeout> is not "30" or is missing, this is a finding.
Navigate to and open /etc/vcac/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.
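The web.xml checks above (script MIME types, the JSP/JSPX servlet mapping, the WebDAV servlet, the setCharacterEncodingFilter, the welcome-file list, the debug init-params and the session timeout) can be run offline against a copy of the descriptor. The following Python audit is an added example, not STIG or VMware code; it parses the file with the standard library and returns one finding per failed check, shown here on a constructed sample web.xml.

```python
"""Audit a Tomcat/tc Server web.xml against the deployment-descriptor checks on this page."""
import xml.etree.ElementTree as ET

# MIME types the page says must not be mapped in any web.xml.
FORBIDDEN_MIME_TYPES = {"application/x-sh", "application/x-shar",
                        "application/x-csh", "application/x-ksh"}
REQUIRED_JSP_PATTERNS = {"*.jsp", "*.jspx"}
REQUIRED_SESSION_TIMEOUT = "30"


def _local(tag):
    """Strip the namespace; web.xml normally declares a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """Every descendant of elem whose local tag name is name."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _child_text(elem, name):
    """Stripped text of each direct child of elem named name."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # Shell-script MIME types must not appear in any <mime-mapping>.
    for mapping in _descendants(root, "mime-mapping"):
        bad = FORBIDDEN_MIME_TYPES.intersection(_child_text(mapping, "mime-type"))
        findings.extend(f"shell MIME type mapped: {m}" for m in sorted(bad))

    # The jsp servlet mapping must cover both *.jsp and *.jspx.
    jsp_patterns = set()
    for mapping in _descendants(root, "servlet-mapping"):
        if "jsp" in _child_text(mapping, "servlet-name"):
            jsp_patterns.update(_child_text(mapping, "url-pattern"))
    missing = REQUIRED_JSP_PATTERNS - jsp_patterns
    if missing:
        findings.append(f"JSP servlet not mapped for {sorted(missing)}")

    # No WebDAV servlet declaration or mapping may remain.
    for tag in ("servlet", "servlet-mapping"):
        for node in _descendants(root, tag):
            if any("webdav" in n.lower() for n in _child_text(node, "servlet-name")):
                findings.append(f"WebDAV servlet present in <{tag}>")

    # setCharacterEncodingFilter must be declared (a commented-out <filter> is
    # not parsed, so it correctly counts as absent).
    filter_names = {n for f in _descendants(root, "filter")
                    for n in _child_text(f, "filter-name")}
    if "setCharacterEncodingFilter" not in filter_names:
        findings.append("setCharacterEncodingFilter not declared")

    # At least one default page must be listed in <welcome-file-list>.
    welcome = [w for wl in _descendants(root, "welcome-file-list")
               for w in _child_text(wl, "welcome-file") if w]
    if not welcome:
        findings.append("no <welcome-file> configured")

    # Every debug init-param must be 0.
    for param in _descendants(root, "init-param"):
        if "debug" in _child_text(param, "param-name"):
            findings.extend(f"debug init-param set to {v!r}"
                            for v in _child_text(param, "param-value") if v != "0")

    # <session-timeout> must be present exactly once and equal 30 (minutes).
    timeouts = [t for sc in _descendants(root, "session-config")
                for t in _child_text(sc, "session-timeout")]
    if timeouts != [REQUIRED_SESSION_TIMEOUT]:
        findings.append(f"session-timeout is {timeouts or 'missing'}, expected 30")
    return findings


# Constructed sample (not a real appliance file): compliant except for a
# missing *.jspx mapping and a DefaultServlet debug level of 1.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>1</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>jsp</servlet-name><url-pattern>*.jsp</url-pattern></servlet-mapping>
  <filter>
    <filter-name>setCharacterEncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  </filter>
  <session-config><session-timeout>30</session-timeout></session-config>
  <welcome-file-list><welcome-file>index.html</welcome-file></welcome-file-list>
</web-app>"""

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", finding)
```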
Obtain the correct configuration data for the Authentication Source from the ISSO. Open a web browser, and type in the vRA URL. 1. Log on to the Tenant Administration Portal. 2. Click on Administration >> Directories Management. 3. Click on "Policies". 4. Click on the "Policy Set" link. 5. Verify that User Authentication is configured correctly. If the Authentication Source is not configured in accordance with site policy, this is a finding.
Obtain the correct configuration data for the Authentication Source from the ISSO. Open a web browser, and type in the vRA URL. 1. Log on to the Tenant Administration Portal. 2. Click on Administration >> Directories Management. 3. Click on "Policies". 4. Click on the "Policy Set" link. 5. Modify the Authentication Source in accordance with site policy.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "scheme" is not set to "https" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'scheme="https"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "scheme" is not set to "https" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the value 'scheme="https"'.
Interview the ISSO. Determine if tc Server ALL is using a logging mechanism that is configured to have a capacity large enough to accommodate logging requirements. If the logging mechanism does not have sufficient capacity, this is a finding.
Configure the web server to use a logging mechanism that is configured to allocate log record storage capacity in accordance with NIST SP 800-92 log record storage requirements.
Interview the ISSO. Review the site policy for moving log files from the web server to a permanent repository. Ensure that log files are being moved from the web server in accordance with the site policy. If the site does not have a policy for periodically moving log files to an archive repository, or such a policy is not being enforced, this is a finding.
Develop and enforce a site procedure for moving log files periodically from the web server to a permanent repository in accordance with site retention policies.
Interview the ISSO. Review site documentation and system configuration. Determine if the system has a logging mechanism that will provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. If such an alert mechanism is not in use, this is a finding.
Configure the tc Server ALL logging mechanism to alert the ISSO / SA when the logs have reached 75% of storage capacity.
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The +0000 part is the time zone mapping.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b" (inside the XML attribute the double quotes around %r are written as &quot;). Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The +0000 part is the time zone mapping.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b" (inside the XML attribute the double quotes around %r are written as &quot;). Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The +0000 part is the time zone mapping.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b" (inside the XML attribute the double quotes around %r are written as &quot;). Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
At the command prompt, execute the following command: tail /storage/log/vmware/horizon/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The "57" part is the "seconds" part of the timestamp.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b" (inside the XML attribute the double quotes around %r are written as &quot;). Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
At the command prompt, execute the following command: tail /storage/log/vmware/vco/app-server/localhost_access_log.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The "57" part is the "seconds" part of the timestamp.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b" (inside the XML attribute the double quotes around %r are written as &quot;). Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
At the command prompt, execute the following command: tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The "57" part is the "seconds" part of the timestamp.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the "pattern" attribute to "%h %l %u %t &quot;%r&quot; %s %b" (inside the XML attribute the double quotes around %r are written as &quot;). Note: The <Valve> node should be configured per the following: <Valve className="org.apache.catalina.valves.AccessLogValve" checkExists="true" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="access_log" requestAttributesEnabled="true" rotatable="false" suffix=".txt"/>
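The server.xml checks above (the JreMemoryLeakPreventionListener on <Server>, an explicit address and port plus SSLEnabled, scheme and URIEncoding on every <Connector>, no allowTrace="true", and a Common Log Format AccessLogValve pattern so that timestamps carry seconds and a time zone) can likewise be automated. This Python audit is an added example, not STIG or VMware code; it assumes Tomcat's alias "common" for the CLF pattern is acceptable and runs on a constructed sample server.xml.

```python
"""Audit a tc Server server.xml against the <Connector>, <Listener> and AccessLogValve checks on this page."""
import xml.etree.ElementTree as ET

LEAK_LISTENER = "org.apache.catalina.core.JreMemoryLeakPreventionListener"
ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
# Common Log Format: %t logs [dd/MMM/yyyy:HH:mm:ss +zzzz], so the timestamp has
# one-second granularity and a time zone.  "common" is Tomcat's alias for it.
CLF_PATTERN = '%h %l %u %t "%r" %s %b'
REQUIRED_CONNECTOR_ATTRS = {"SSLEnabled": "true", "scheme": "https",
                            "URIEncoding": "UTF-8"}


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # The leak-prevention listener must be a direct child of <Server>.
    listeners = {lst.get("className") for lst in root.findall("Listener")}
    if root.tag != "Server" or LEAK_LISTENER not in listeners:
        findings.append("JreMemoryLeakPreventionListener not configured on <Server>")

    connectors = list(root.iter("Connector"))
    if not connectors:
        findings.append("no <Connector> nodes found")
    for idx, conn in enumerate(connectors):
        label = f"Connector[{idx}] port={conn.get('port', '?')}"
        # Both the bind address and the port must be explicit.
        for attr in ("address", "port"):
            if not conn.get(attr):
                findings.append(f"{label}: {attr} not specified")
        # TLS, the https scheme and UTF-8 URI decoding must be set explicitly.
        for attr, wanted in REQUIRED_CONNECTOR_ATTRS.items():
            if conn.get(attr) != wanted:
                findings.append(f"{label}: {attr}={conn.get(attr)!r}, expected {wanted!r}")
        # allowTrace may be absent or false, never true.
        if conn.get("allowTrace", "false").lower() == "true":
            findings.append(f'{label}: allowTrace="true" must be removed')

    # Access logging must use CLF so every timestamp carries seconds and zone.
    valves = [v for v in root.iter("Valve") if v.get("className") == ACCESS_LOG_VALVE]
    if not valves:
        findings.append("no AccessLogValve configured")
    for valve in valves:
        pattern = valve.get("pattern", "")
        if pattern not in (CLF_PATTERN, "common"):
            findings.append(f"AccessLogValve pattern {pattern!r} is not Common Log Format")
    return findings


# Constructed sample (not a real appliance file).  The connector has no bind
# address and allows TRACE, and the valve logs a custom time format without
# seconds or zone; the listener is configured correctly.
SAMPLE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" scheme="https" SSLEnabled="true"
               URIEncoding="UTF-8" allowTrace="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               pattern="%h %l %u %{yyyy-MM-dd HH:mm}t &quot;%r&quot; %s %b"
               prefix="access_log" suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```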
At the command prompt, execute the following command: ls -alR /opt/vmware/horizon/workspace /opt/vmware/horizon/workspace/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.
Remove all world permissions from any listed file with the following command: chmod -R o-rwx /opt/vmware/horizon/workspace /opt/vmware/horizon/workspace/webapps
At the command prompt, execute the following command: ls -alR /usr/lib/vco/configuration/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.
Remove all world permissions from any listed file with the following command: chmod -R o-rwx /usr/lib/vco/configuration/webapps
At the command prompt, execute the following command: ls -alR /etc/vcac /usr/lib/vcac/server/webapps | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.
Remove all world permissions from any listed file with the following command: chmod -R o-rwx /etc/vcac /usr/lib/vcac/server/webapps
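The world-permission check and fix from the three entries above, run end to end on a constructed directory tree as an added example (not part of the STIG). Alongside the STIG's ls/awk pipeline it uses a mode-bit based find variant, because GNU ls appends "." (SELinux context) or "+" (ACL) to the mode string and the awk test on a trailing "---" then reports such files even when they have no world permissions.

```shell
#!/bin/sh
# Added example, not part of the STIG: reproduces the world-permission check on
# a constructed directory tree, applies the fix, and re-checks. On a real system
# pass the directories the STIG names, e.g. /etc/vcac /usr/lib/vcac/server/webapps.

# The STIG's own pipeline: regular files whose mode string does not end in "---".
# Caveat: GNU ls appends "." (SELinux context) or "+" (ACL) after the mode bits,
# so such files are listed here even when they carry no world permissions.
stig_world_perm_listing() {
    ls -alR "$@" | grep -E '^-' | awk '$1 !~ /---$/ {print}'
}

# Mode-bit based variant that is not confused by the "." / "+" suffix:
# lists every regular file with any "other" read, write or execute bit set.
list_world_accessible() {
    find "$@" -type f \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

count_world_accessible() {
    list_world_accessible "$@" | wc -l | tr -d ' '
}

# The STIG fix: strip all "other" permissions recursively.
remove_world_perms() {
    chmod -R o-rwx "$@"
}

# Constructed sample tree: two non-compliant files (world r, world x) and one compliant.
TREE=$(mktemp -d)
mkdir -p "$TREE/webapps/app/WEB-INF"
printf 'x' > "$TREE/webapps/app/WEB-INF/web.xml"; chmod 0644 "$TREE/webapps/app/WEB-INF/web.xml"
printf 'x' > "$TREE/webapps/app/index.html";      chmod 0601 "$TREE/webapps/app/index.html"
printf 'x' > "$TREE/server.xml";                  chmod 0640 "$TREE/server.xml"

BEFORE=$(count_world_accessible "$TREE")
echo "Before fix: $BEFORE finding(s)"
list_world_accessible "$TREE"
remove_world_perms "$TREE"
AFTER=$(count_world_accessible "$TREE")
echo "After fix: $AFTER finding(s)"
```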
At the command prompt, execute the following command: cat /opt/vmware/horizon/workspace/conf/catalina.properties | grep -E '\.port' Review the listed ports. Verify that they match the list of tc Server HORIZON ports below. base.shutdown.port=-1 base.jmx.port=6969 bio-ssl.https.port=6443 If the displayed ports do not match the above list of ports, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the ports specification section. Set the tc Server HORIZON port specifications according to the list below: base.shutdown.port=-1 base.jmx.port=6969 bio-ssl.https.port=6443
At the command prompt, execute the following command: cat /etc/vco/app-server/catalina.properties | grep -E '\.port' Review the listed ports. Verify that they match the list of tc Server VCO ports below. ch.dunes.http-server.port=8280 ch.dunes.https-server.port=8281 If the displayed ports do not match the above list of ports, this is a finding.
Navigate to and open /etc/vco/app-server/catalina.properties. Navigate to the ports specification section. Set the tc Server VCO port specifications according to the list below: ch.dunes.http-server.port=8280 ch.dunes.https-server.port=8281
At the command prompt, execute the following command: cat /etc/vcac/catalina.properties | grep -E '\.port' Review the listed ports. Verify that they match the list of tc Server VCAC ports below. base.shutdown.port=-1 base.jmx.port=6969 ajp.http.port=8009 ajp.https.port=8443 If the displayed ports do not match the above list of ports, this is a finding.
Navigate to and open /etc/vcac/catalina.properties. Navigate to the ports specification section. Set the tc Server VCAC port specifications according to the list below: base.shutdown.port=-1 base.jmx.port=6969 ajp.http.port=8009 ajp.https.port=8443
If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "bio-ssl.cipher.list" does not match the list of NSA Suite A ciphers or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the "bio-ssl.cipher.list" setting. Configure "bio-ssl.cipher.list" with a list of NSA Suite A ciphers.
If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep cipher /etc/vcac/catalina.properties If the value of "cipher" does not match the list of NSA Suite A ciphers or is missing, this is a finding.
Navigate to and open /etc/vcac/catalina.properties. Navigate to and locate "cipher". Configure the "cipher" with NSA Suite A ciphers.
At the command prompt, execute the following command: grep base.shutdown.port /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting "base.shutdown.port=-1" to the "catalina.properties" file.
At the command prompt, execute the following command: grep shutdown /etc/vco/app-server/server.xml If the value of "shutdown" is not set to "-1" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/server.xml. Navigate to the <Server> node. Add the attribute 'port="-1"' to the <Server> node in the "server.xml" file.
At the command prompt, execute the following command: grep base.shutdown.port /etc/vcac/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.
Navigate to and open /etc/vcac/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting "base.shutdown.port=-1" to the "catalina.properties" file.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslProtocol="TLS"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslProtocol="TLS"'.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslProtocol="TLS"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslProtocol" is not set to "TLS" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslProtocol="TLS"'.
At the command prompt, execute the following command: grep useHttpOnly /opt/vmware/horizon/workspace/conf/context.xml If the value of "useHttpOnly" is not set to "true" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the following: <Context useHttpOnly="true">
At the command prompt, execute the following command: grep useHttpOnly /etc/vco/app-server/context.xml If the value of "useHttpOnly" is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the following: <Context useHttpOnly="true">
At the command prompt, execute the following command: grep useHttpOnly /etc/vcac/context.xml If the value of "useHttpOnly" is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vcac/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the following: <Context useHttpOnly="true">
At the command prompt, execute the following command: grep -E '<secure>' /opt/vmware/horizon/workspace/conf/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per the following: <cookie-config> <secure>true</secure> </cookie-config>
At the command prompt, execute the following command: grep -E '<secure>' /etc/vco/app-server/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vco/app-server/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per the following: <cookie-config> <secure>true</secure> </cookie-config>
At the command prompt, execute the following command: grep -E '<secure>' /etc/vcac/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.
Navigate to and open /etc/vcac/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per the following: <cookie-config> <secure>true</secure> </cookie-config>
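The useHttpOnly (context.xml) and <secure> (web.xml) checks from the entries above, as one added example (not part of the STIG) that serves both. A plain grep also matches a setting that sits inside an XML comment, so this version strips comments first and reports a commented-out setting as missing. The two XML files are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the STIG: checks useHttpOnly="true" on <Context>
# (context.xml) and <secure>true</secure> under <session-config> (web.xml) after
# stripping XML comments, so a commented-out setting does not pass a plain grep.

# Print FILE with <!-- ... --> comments removed; comments may span lines.
strip_xml_comments() {
    awk '
        { line = $0 }
        inc { if (sub(/^.*-->/, "", line)) inc = 0; else next }
        {
            while (match(line, /<!--/)) {
                pre = substr(line, 1, RSTART - 1); rest = substr(line, RSTART + 4)
                if (match(rest, /-->/)) line = pre substr(rest, RSTART + 3)
                else { line = pre; inc = 1; break }
            }
            print line
        }' "$1"
}

# Each check prints PASS or FINDING and returns 0 or 1 accordingly.
check_http_only() {
    if strip_xml_comments "$1" | tr -d '\n' | grep -Eq '<Context[^>]*[[:space:]]useHttpOnly="true"'; then
        echo "PASS: useHttpOnly=\"true\" set on <Context> in $1"; return 0
    fi
    echo "FINDING: useHttpOnly=\"true\" missing or commented out in $1"; return 1
}

check_secure_cookie() {
    if strip_xml_comments "$1" | tr -d '\n' |
       grep -Eq '<session-config>.*<cookie-config>[[:space:]]*<secure>[[:space:]]*true[[:space:]]*</secure>'; then
        echo "PASS: <cookie-config><secure>true</secure> present in $1"; return 0
    fi
    echo "FINDING: <secure>true</secure> missing or commented out in $1"; return 1
}

# Constructed samples: context.xml with the setting commented out, compliant web.xml.
CTX=$(mktemp); WEB=$(mktemp)
cat > "$CTX" <<'EOF'
<!-- hardening left disabled during troubleshooting:
<Context useHttpOnly="true">
-->
<Context></Context>
EOF
cat > "$WEB" <<'EOF'
<web-app><session-config>
  <cookie-config> <secure>true</secure> </cookie-config>
</session-config></web-app>
EOF
check_http_only "$CTX" || :   # a bare "grep useHttpOnly" would have passed this file
check_secure_cookie "$WEB"
```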
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.
At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If any export ciphers are listed, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to the "bio-ssl.cipher.list" setting. Remove any export ciphers from "bio-ssl.cipher.list". Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'
At the command prompt, execute the following command: grep ciphers /etc/vcac/catalina.properties If any export ciphers are listed, this is a finding.
Navigate to and open /etc/vcac/catalina.properties. Navigate to the "cipher" setting. Remove any export ciphers from "cipher". Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.
Navigate to and open /opt/vmware/horizon/workspace/conf/server.xml. Navigate to each of the <Connector> nodes. Note: There are three <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. If the value of "sslEnabledProtocols" is not set to "TLSv1.2,TLSv1.1,TLSv1" or is missing, this is a finding.
Navigate to and open /etc/vcac/server.xml. Navigate to the <Connector> node. Configure the <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'.
Interview the ISSO. Review the policies and procedures used to ensure that all security-related upgrades are being installed within the configured time period directed by an authoritative source. If all security-related upgrades are not being installed within the configured time period directed by an authoritative source, this is a finding.
Ensure that patches and updates from an authoritative source are applied at least within 24 hours after they have been received.
Interview the ISSO. Verify that this Security Technical Implementation Guide (STIG) is the most current STIG available for tc Server on vRA. Assess all of the organization's vRA installations to ensure that they are fully compliant with the most current tc Server STIG. If the most current version of the tc Server was not used, or if the tc Server configuration is not compliant with the most current tc Server STIG, this is a finding.
Obtain the most current tc Server ALL STIG. Verify that tc Server ALL is configured with all current requirements.
vRealize Automation 7.x tc Server is no longer supported by the vendor. If the system is running vRealize Automation 7.x tc Server, this is a finding.
Upgrade to a supported version.