VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

Version

VROM-TC-000005

Vuln IDs

V-241573
V-88775

Rule IDs

SV-241573r879511_rule
SV-99425

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the “maxThreads” attribute.

Checks: C-44849r683579_chk

At the command prompt, execute the following command: grep maxThreads /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml If the value of “maxThreads” is not “300” or is missing, this is a finding.

Fix: F-44808r683580_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads= "300"'. Note: The <Executor> node should be configured per the below: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>

b

tc Server CaSa must limit the number of maximum concurrent connections permitted.

AC-10 - Medium - CCI-000054 - V-241574 - SV-241574r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000010

Vuln IDs

V-241574
V-88777

Rule IDs

SV-241574r879511_rule
SV-99427

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the “maxThreads” attribute.

Checks: C-44850r683582_chk

At the command prompt, execute the following command: grep maxThreads /usr/lib/vmware-casa/casa-webapp/conf/server.xml If the value of “maxThreads” is not “300” or is missing, this is a finding.

Fix: F-44809r683583_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads="300"'. Note: The <Executor> node should be configured per the below: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>

b

tc Server API must limit the number of maximum concurrent connections permitted.

AC-10 - Medium - CCI-000054 - V-241575 - SV-241575r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000015

Vuln IDs

V-241575
V-88779

Rule IDs

SV-241575r879511_rule
SV-99429

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the “maxThreads” attribute.

Checks: C-44851r683585_chk

At the command prompt, execute the following command: grep maxThreads /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml If the value of “maxThreads” is not “300” or is missing, this is a finding.

Fix: F-44810r683586_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Executor>. Configure the <Executor> with the value 'maxThreads="300"'. Note: The <Executor> node should be configured per the below: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/>

b

tc Server UI must limit the amount of time that each TCP connection is kept alive.

AC-10 - Medium - CCI-000054 - V-241576 - SV-241576r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000020

Vuln IDs

V-241576
V-88781

Rule IDs

SV-241576r879511_rule
SV-99431

Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. tc Server provides the “connectionTimeout” attribute. This sets the number of milliseconds tc Server will wait, after accepting a connection, for the request URI line to be presented. This timeout will also be used when reading the request body (if any).

Checks: C-44852r683588_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “connectionTimeout” is not set to “20000” or is missing, this is a finding.

Fix: F-44811r683589_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'connectionTimeout="20000"'.

b

tc Server CaSa must limit the amount of time that each TCP connection is kept alive.

AC-10 - Medium - CCI-000054 - V-241577 - SV-241577r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000025

Vuln IDs

V-241577
V-88783

Rule IDs

SV-241577r879511_rule
SV-99433

Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. tc Server provides the “connectionTimeout” attribute. This sets the number of milliseconds tc Server will wait, after accepting a connection, for the request URI line to be presented. This timeout will also be used when reading the request body (if any).

Checks: C-44853r683591_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “connectionTimeout” is not set to “20000” or is missing, this is a finding.

Fix: F-44812r683592_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'connectionTimeout="20000"'.

b

tc Server API must limit the amount of time that each TCP connection is kept alive.

AC-10 - Medium - CCI-000054 - V-241578 - SV-241578r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000030

Vuln IDs

V-241578
V-88785

Rule IDs

SV-241578r879511_rule
SV-99435

Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. tc Server provides the “connectionTimeout” attribute. This sets the number of milliseconds tc Server will wait, after accepting a connection, for the request URI line to be presented. This timeout will also be used when reading the request body (if any).

Checks: C-44854r683594_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “connectionTimeout” is not set to “20000” or is missing, this is a finding.

Fix: F-44813r683595_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'connectionTimeout="20000"'.

b

tc Server UI must limit the number of times that each TCP connection is kept alive.

AC-10 - Medium - CCI-000054 - V-241579 - SV-241579r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000035

Vuln IDs

V-241579
V-88787

Rule IDs

SV-241579r879511_rule
SV-99437

KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. tc Server can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client. “maxKeepAliveRequests” is the tc Server attribute which sets this limit.

Checks: C-44855r683597_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “maxKeepAliveRequests” is not set to “15” or is missing, this is a finding.

Fix: F-44814r683598_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'maxKeepAliveRequests="15"'.

b

tc Server CaSa must limit the number of times that each TCP connection is kept alive.

AC-10 - Medium - CCI-000054 - V-241580 - SV-241580r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000040

Vuln IDs

V-241580
V-88789

Rule IDs

SV-241580r879511_rule
SV-99439

KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. tc Server can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client. “maxKeepAliveRequests” is the tc Server attribute that sets this limit.

Checks: C-44856r683600_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “maxKeepAliveRequests” is not set to “15” or is missing, this is a finding.

Fix: F-44815r683601_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'maxKeepAliveRequests="15"'.

b

tc Server API must limit the number of times that each TCP connection is kept alive.

AC-10 - Medium - CCI-000054 - V-241581 - SV-241581r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000045

Vuln IDs

V-241581
V-88791

Rule IDs

SV-241581r879511_rule
SV-99441

KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. tc Server can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client. “maxKeepAliveRequests” is the tc Server attribute that sets this limit.

Checks: C-44857r683603_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “maxKeepAliveRequests” is not set to “15” or is missing, this is a finding.

Fix: F-44816r683604_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'maxKeepAliveRequests="15"'.

b

tc Server UI must perform server-side session management.

AC-10 - Medium - CCI-000054 - V-241582 - SV-241582r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000050

Vuln IDs

V-241582
V-88793

Rule IDs

SV-241582r879511_rule
SV-99443

Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Operations. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.

Checks: C-44858r683606_chk

At the command prompt, execute the following command: grep -E 'cookies=.false' /usr/lib/vmware-vcops/tomcat-web-app/conf/context.xml If the command produces any output, this is a finding.

Fix: F-44817r683607_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.

b

tc Server CaSa must perform server-side session management.

AC-10 - Medium - CCI-000054 - V-241583 - SV-241583r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000055

Vuln IDs

V-241583
V-88795

Rule IDs

SV-241583r879511_rule
SV-99445

Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.

Checks: C-44859r683609_chk

At the command prompt, execute the following command: grep -E 'cookies=.false' /usr/lib/vmware-casa/casa-webapp/conf/context.xml If the command produces any output, this is a finding.

Fix: F-44818r683610_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.

b

tc Server API must perform server-side session management.

AC-10 - Medium - CCI-000054 - V-241584 - SV-241584r879511_rule

RMF Control

AC-10

Severity

M

CCI

Version

VROM-TC-000060

Vuln IDs

V-241584
V-88797

Rule IDs

SV-241584r879511_rule
SV-99447

Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.

Checks: C-44860r683612_chk

At the command prompt, execute the following command: grep -E 'cookies=.false' /usr/lib/vmware-vcops/tomcat-enterprise/conf/context.xml If the command produces any output, this is a finding.

Fix: F-44819r683613_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/context.xml. Navigate to and locate the <Context> node. Remove the value 'cookies="false"' from the <Context> node.

b

tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.

AC-17 - Medium - CCI-000068 - V-241585 - SV-241585r879519_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000068

Version

VROM-TC-000065

Vuln IDs

V-241585
V-88799

Rule IDs

SV-241585r879519_rule
SV-99449

Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2) identifies eleven areas for a cryptographic module used inside a security system that protects information. FIPS 140-2- approved ciphers provide the maximum level of encryption possible for a private web server. Configuration of ciphers used by tc Server are set in the “catalina.properties” file. Only those ciphers specified in the configuration file, and which are available in the installed OpenSSL library, will be used by tc Server while encrypting data for transmission.

Checks: C-44861r684095_chk

At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If the value of “vmware-ssl.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-44820r683616_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Navigate to and locate “vmware-ssl.ssl.ciphers.list”. Configure the “vmware-ssl.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

b

tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.

AC-17 - Medium - CCI-000068 - V-241586 - SV-241586r879519_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000068

Version

VROM-TC-000070

Vuln IDs

V-241586
V-88801

Rule IDs

SV-241586r879519_rule
SV-99451

Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2) identifies eleven areas for a cryptographic module used inside a security system that protects information. FIPS 140-2- approved ciphers provide the maximum level of encryption possible for a private web server. Configuration of ciphers used by tc Server are set in the “catalina.properties” file. Only those ciphers specified in the configuration file, and which are available in the installed OpenSSL library, will be used by tc Server while encrypting data for transmission.

Checks: C-44862r684097_chk

At the command prompt, execute the following command: grep -A 10 vmware-casa.ssl.ciphers.list /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties If the value of “vmware-casa.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-44821r683619_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Navigate to and locate “vmware-casa.ssl.ciphers.list”. Configure the “vmware-casa.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

b

tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.

AC-17 - Medium - CCI-000068 - V-241587 - SV-241587r879519_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000068

Version

VROM-TC-000075

Vuln IDs

V-241587
V-88803

Rule IDs

SV-241587r879519_rule
SV-99453

Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised. The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2) identifies eleven areas for a cryptographic module used inside a security system that protects information. FIPS 140-2-approved ciphers provide the maximum level of encryption possible for a private web server. Configuration of ciphers used by tc Server are set in the “catalina.properties” file. Only those ciphers specified in the configuration file, and which are available in the installed OpenSSL library, will be used by tc Server while encrypting data for transmission.

Checks: C-44863r684099_chk

At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties If the value of “vmware-ssl.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-44822r683622_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties. Navigate to and locate “vmware-ssl.ssl.ciphers.list”. Configure the “vmware-ssl.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

b

tc Server UI must use cryptography to protect the integrity of remote sessions.

AC-17 - Medium - CCI-001453 - V-241588 - SV-241588r879520_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

VROM-TC-000080

Vuln IDs

V-241588
V-88805

Rule IDs

SV-241588r879520_rule
SV-99455

Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled.

Checks: C-44864r683624_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “SSLEnabled” is not set to “true” or is missing, this is a finding.

Fix: F-44823r683625_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'SSLEnabled="true"'.

b

tc Server CaSa must use cryptography to protect the integrity of remote sessions.

AC-17 - Medium - CCI-001453 - V-241589 - SV-241589r879520_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

VROM-TC-000085

Vuln IDs

V-241589
V-88807

Rule IDs

SV-241589r879520_rule
SV-99457

Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled.

Checks: C-44865r683627_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “SSLEnabled” is not set to “true” or is missing, this is a finding.

Fix: F-44824r683628_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'SSLEnabled="true"'.

b

tc Server API must use cryptography to protect the integrity of remote sessions.

AC-17 - Medium - CCI-001453 - V-241590 - SV-241590r879520_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

VROM-TC-000090

Vuln IDs

V-241590
V-88809

Rule IDs

SV-241590r879520_rule
SV-99459

Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled.

Checks: C-44866r683630_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Connector> node that contains 'port="${vmware-ssl.https.port}"'. If the value of “SSLEnabled” is not set to “true” or is missing, this is a finding.

Fix: F-44825r683631_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Connector> node that contains 'port="${vmware-ssl.https.port}"'. Configure each <Connector> with the value 'SSLEnabled="true"'.

b

tc Server UI must record user access in a format that enables monitoring of remote access.

AC-17 - Medium - CCI-000067 - V-241591 - SV-241591r879521_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

VROM-TC-000095

Vuln IDs

V-241591
V-88811

Rule IDs

SV-241591r879521_rule
SV-99461

Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The Access Log Valve creates log files in the same format as those created by standard web servers.

Checks: C-44867r684101_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an “AccessLogValve” is not configured correctly or is missing, this is a finding. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

Fix: F-44826r683634_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must record user access in a format that enables monitoring of remote access.

AC-17 - Medium - CCI-000067 - V-241592 - SV-241592r879521_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

VROM-TC-000100

Vuln IDs

V-241592
V-88813

Rule IDs

SV-241592r879521_rule
SV-99463

Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The Access Log Valve creates log files in the same format as those created by standard web servers.

Checks: C-44868r684103_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an “AccessLogValve” is not configured correctly or is missing, this is a finding. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

Fix: F-44827r683637_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must record user access in a format that enables monitoring of remote access.

AC-17 - Medium - CCI-000067 - V-241593 - SV-241593r879521_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

VROM-TC-000105

Vuln IDs

V-241593
V-88815

Rule IDs

SV-241593r879521_rule
SV-99465

Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The Access Log Valve creates log files in the same format as those created by standard web servers.

Checks: C-44869r684105_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an “AccessLogValve” is not configured correctly or is missing, this is a finding. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

Fix: F-44828r683640_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server ALL must generate log records for system startup and shutdown.

AU-12 - Medium - CCI-000169 - V-241594 - SV-241594r879559_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-TC-000115

Vuln IDs

V-241594
V-88817

Rule IDs

SV-241594r879559_rule
SV-99467

Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go un-logged. During start, tc Server reports system messages onto STDOUT and STDERR. These messages will be logged if the initialization script is configured correctly. For historical reasons, the standard log file for this is called “catalina.out”.

Checks: C-44870r684107_chk

At the command prompt, execute the following command: more /storage/log/vcops/log/product-ui/catalina.out Verify that tc Server start and stop events are being logged. If the tc Server start and stop events are not being recorded, this is a finding. Note: The tc Server service is referred to as Catalina in the log.

Fix: F-44829r683643_fix

Navigate to and open /opt/pivotal/pivotal-tc-server-standard/tomcat-7.0.57.B.RELEASE/bin/catalina.sh. Navigate to and locate the start block : "elif [ "$1" = "start" ] ; then". Navigate to and locate both “eval” statements: "org.apache.catalina.startup.Bootstrap "$@" start \" Add this statement immediately below both of the “eval” statements: '>> "$CATALINA_OUT" 2>&1 "&"'

b

tc Server UI must generate log records for user access and authentication events.

AU-12 - Medium - CCI-000169 - V-241595 - SV-241595r879559_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-TC-000120

Vuln IDs

V-241595
V-88819

Rule IDs

SV-241595r879559_rule
SV-99469

Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged.

Checks: C-44871r684109_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an “AccessLogValve” is not configured correctly or is missing, this is a finding. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

Fix: F-44830r683646_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must generate log records for user access and authentication events.

AU-12 - Medium - CCI-000169 - V-241596 - SV-241596r879559_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-TC-000125

Vuln IDs

V-241596
V-88821

Rule IDs

SV-241596r879559_rule
SV-99471

Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged.

Checks: C-44872r684111_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an “AccessLogValve” is not configured correctly or is missing, this is a finding. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

Fix: F-44831r683649_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must generate log records for user access and authentication events.

AU-12 - Medium - CCI-000169 - V-241597 - SV-241597r879559_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-TC-000130

Vuln IDs

V-241597
V-88823

Rule IDs

SV-241597r879559_rule
SV-99473

Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged.

Checks: C-44873r684113_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Host> node. Verify that the node contains a <Valve className="org.apache.catalina.valves.AccessLogValve"> node. If an “AccessLogValve” is not configured correctly or is missing, this is a finding. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>

Fix: F-44832r683652_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server ALL must initiate logging during service start-up.

AU-14 - Medium - CCI-001464 - V-241598 - SV-241598r879562_rule

RMF Control

AU-14

Severity

M

CCI

CCI-001464

Version

VROM-TC-000135

Vuln IDs

V-241598
V-88825

Rule IDs

SV-241598r879562_rule
SV-99475

An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To assure all logable events are captured, the web server must begin logging once the first web server process is initiated. During start, tc Server reports system messages onto STDOUT and STDERR. These messages will be logged if the initialization script is configured correctly. For historical reasons, the standard log file for this is called “catalina.out”.

Checks: C-44874r684115_chk

At the command prompt, execute the following command: more /opt/pivotal/pivotal-tc-server-standard/tomcat-7.0.57.B.RELEASE/bin/catalina.sh Type /touch "$CATALINA_OUT" Verify that the start command contains the command ">> "$CATALINA_OUT" 2>&1 "&"" If the command is not correct or is missing, this is a finding. Note: Use the Enter key to scroll down after typing /touch "$CATALINA_OUT"

Fix: F-44833r683655_fix

Navigate to and open /opt/pivotal/pivotal-tc-server-standard/tomcat-7.0.57.B.RELEASE/bin/catalina.sh. Navigate to and locate the start block : "elif [ "$1" = "start" ] ; then". Navigate to and locate both “eval” statements: "org.apache.catalina.startup.Bootstrap "$@" start \" Add this statement immediately below both of the “eval” statements: '>> "$CATALINA_OUT" 2>&1 "&"'

b

tc Server UI must produce log records containing sufficient information to establish what type of events occurred.

AU-3 - Medium - CCI-000130 - V-241599 - SV-241599r879563_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

VROM-TC-000155

Vuln IDs

V-241599
V-88833

Rule IDs

SV-241599r879563_rule
SV-99483

After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically process “GET” and “POST” requests clients. These will help investigators understand what happened.

Checks: C-44875r684117_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix: F-44834r683658_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred.

AU-3 - Medium - CCI-000130 - V-241600 - SV-241600r879563_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

VROM-TC-000160

Vuln IDs

V-241600
V-88835

Rule IDs

SV-241600r879563_rule
SV-99485

After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically process “GET” and “POST” requests clients. These will help investigators understand what happened.

Checks: C-44876r683660_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix: F-44835r683661_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must produce log records containing sufficient information to establish what type of events occurred.

AU-3 - Medium - CCI-000130 - V-241601 - SV-241601r879563_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

VROM-TC-000165

Vuln IDs

V-241601
V-88837

Rule IDs

SV-241601r879563_rule
SV-99487

After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically process “GET” and “POST” requests clients. These will help investigators understand what happened.

Checks: C-44877r684119_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix: F-44836r683664_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred.

AU-3 - Medium - CCI-000131 - V-241602 - SV-241602r879564_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000131

Version

VROM-TC-000170

Vuln IDs

V-241602
V-88839

Rule IDs

SV-241602r879564_rule
SV-99489

After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%t” parameter specifies that the system time should be recorded.

Checks: C-44878r684121_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.

Fix: F-44837r683667_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred.

AU-3 - Medium - CCI-000131 - V-241603 - SV-241603r879564_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000131

Version

VROM-TC-000175

Vuln IDs

V-241603
V-88841

Rule IDs

SV-241603r879564_rule
SV-99491

After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%t” parameter specifies that the system time should be recorded.

Checks: C-44879r683669_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.

Fix: F-44838r683670_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred.

AU-3 - Medium - CCI-000131 - V-241604 - SV-241604r879564_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000131

Version

VROM-TC-000180

Vuln IDs

V-241604
V-88843

Rule IDs

SV-241604r879564_rule
SV-99493

After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%t” parameter specifies that the system time should be recorded.

Checks: C-44880r683672_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the time and date of events are not being recorded, this is a finding.

Fix: F-44839r683673_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The AccessLogValve should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred.

AU-3 - Medium - CCI-000132 - V-241605 - SV-241605r879565_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000132

Version

VROM-TC-000185

Vuln IDs

V-241605
V-88845

Rule IDs

SV-241605r879565_rule
SV-99495

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. Like all web servers, tc Server will log the requested URL and the parameters, if any, sent in the request. This information will enable investigators to determine where in the server an action was requested.

Checks: C-44881r683675_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events are not being recorded, this is a finding.

Fix: F-44840r683676_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred.

AU-3 - Medium - CCI-000132 - V-241606 - SV-241606r879565_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000132

Version

VROM-TC-000190

Vuln IDs

V-241606
V-88847

Rule IDs

SV-241606r879565_rule
SV-99497

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. Like all web servers, tc Server will log the requested URL and the parameters, if any, sent in the request. This information will enable investigators to determine where in the server an action was requested.

Checks: C-44882r683678_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events are not being recorded, this is a finding.

Fix: F-44841r683679_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred.

AU-3 - Medium - CCI-000132 - V-241607 - SV-241607r879565_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000132

Version

VROM-TC-000195

Vuln IDs

V-241607
V-88849

Rule IDs

SV-241607r879565_rule
SV-99499

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. Like all web servers, tc Server will log the requested URL and the parameters, if any, sent in the request. This information will enable investigators to determine where in the server an action was requested.

Checks: C-44883r683681_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the location of events are not being recorded, this is a finding.

Fix: F-44842r683682_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI must produce log records containing sufficient information to establish the source of events.

AU-3 - Medium - CCI-000133 - V-241608 - SV-241608r879566_rule

RMF Control

AU-3

Severity

M

CCI

Version

VROM-TC-000200

Vuln IDs

V-241608
V-88851

Rule IDs

SV-241608r879566_rule
SV-99501

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%h” parameter will record the remote hostname or IP address that sent the request; i.e. the source of the event.

Checks: C-44884r684123_chk

At the command prompt, execute the following command: grep -v 127.0 /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events are not being recorded, this is a finding.

Fix: F-44843r683685_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must produce log records containing sufficient information to establish the source of events.

AU-3 - Medium - CCI-000133 - V-241609 - SV-241609r879566_rule

RMF Control

AU-3

Severity

M

CCI

Version

VROM-TC-000205

Vuln IDs

V-241609
V-88853

Rule IDs

SV-241609r879566_rule
SV-99503

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%h” parameter will record the remote hostname or IP address that sent the request; i.e. the source of the event.

Checks: C-44885r683687_chk

At the command prompt, execute the following command: grep -v 127.0 /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events are not being recorded, this is a finding.

Fix: F-44844r683688_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must produce log records containing sufficient information to establish the source of events.

AU-3 - Medium - CCI-000133 - V-241610 - SV-241610r879566_rule

RMF Control

AU-3

Severity

M

CCI

Version

VROM-TC-000210

Vuln IDs

V-241610
V-88855

Rule IDs

SV-241610r879566_rule
SV-99505

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%h” parameter will record the remote hostname or IP address that sent the request; i.e. the source of the event.

Checks: C-44886r684125_chk

At the command prompt, execute the following command: grep -v 127.0 /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the source IP of events are not being recorded, this is a finding.

Fix: F-44845r683691_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

AU-3 - Medium - CCI-000133 - V-241611 - SV-241611r879566_rule

RMF Control

AU-3

Severity

M

CCI

Version

VROM-TC-000215

Vuln IDs

V-241611
V-88857

Rule IDs

SV-241611r879566_rule
SV-99507

tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. tc Server HORIZON must be configured with the “RemoteIpValve” element in order to record the Client source vice the load balancer or proxy server as the source of every logable event. The “RemoteIpValve” enables the “x-forward-* HTTP” properties, which are used by the load balance to provide the client source.

Checks: C-44887r684127_chk

At the command prompt, execute the following command: grep -v 127.0 /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.

Fix: F-44846r683694_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <RemoteIpValve> below. Note: The “RemoteIpValve” should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" internalProxies=".*" protocolHeader="x-forwarded-proto" />

b

tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

AU-3 - Medium - CCI-000133 - V-241612 - SV-241612r879566_rule

RMF Control

AU-3

Severity

M

CCI

Version

VROM-TC-000220

Vuln IDs

V-241612
V-88859

Rule IDs

SV-241612r879566_rule
SV-99509

tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. tc Server HORIZON must be configured with the “RemoteIpValve” element in order to record the Client source vice the load balancer or proxy server as the source of every logable event. The “RemoteIpValve” enables the “x-forward-* HTTP” properties, which are used by the load balance to provide the client source.

Checks: C-44888r684129_chk

At the command prompt, execute the following command: grep -v 127.0 /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.

Fix: F-44847r683697_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <RemoteIpValve> below. Note : The “RemoteIpValve” should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" internalProxies=".*" protocolHeader="x-forwarded-proto" />

b

tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

AU-3 - Medium - CCI-000133 - V-241613 - SV-241613r879566_rule

RMF Control

AU-3

Severity

M

CCI

Version

VROM-TC-000225

Vuln IDs

V-241613
V-88861

Rule IDs

SV-241613r879566_rule
SV-99511

tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. tc Server HORIZON must be configured with the “RemoteIpValve” element in order to record the Client source vice the load balancer or proxy server as the source of every logable event. The “RemoteIpValve” enables the “x-forward-* HTTP” properties, which are used by the load balance to provide the client source.

Checks: C-44889r684131_chk

At the command prompt, execute the following command: grep -v 127.0 /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If actual client IP information, not load balancer or proxy server, is not being recorded, this is a finding.

Fix: F-44848r683700_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <RemoteIpValve> below. Note : The “RemoteIpValve” should be configured as follows: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" internalProxies=".*" protocolHeader="x-forwarded-proto" />

b

tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events.

AU-3 - Medium - CCI-000134 - V-241614 - SV-241614r879567_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000134

Version

VROM-TC-000230

Vuln IDs

V-241614
V-88863

Rule IDs

SV-241614r879567_rule
SV-99513

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. Like all web servers, tc Server generates HTTP status codes. The status code is a three-digit indicator of the outcome of the server's response to the request.

Checks: C-44890r684133_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, which are recorded immediately after "HTTP/1.1"

Fix: F-44849r683703_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events.

AU-3 - Medium - CCI-000134 - V-241615 - SV-241615r879567_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000134

Version

VROM-TC-000235

Vuln IDs

V-241615
V-88865

Rule IDs

SV-241615r879567_rule
SV-99515

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. Like all web servers, tc Server generates HTTP status codes. The status code is a three-digit indicator of the outcome of the server's response to the request.

Checks: C-44891r684135_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are 3-digit codes, which are recorded immediately after "HTTP/1.1"

Fix: F-44850r683706_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events.

AU-3 - Medium - CCI-000134 - V-241616 - SV-241616r879567_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000134

Version

VROM-TC-000240

Vuln IDs

V-241616
V-88867

Rule IDs

SV-241616r879567_rule
SV-99517

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. Like all web servers, tc Server generates HTTP status codes. The status code is a three-digit indicator of the outcome of the server's response to the request.

Checks: C-44892r684137_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the HTTP status codes are not being recorded, this is a finding. Note: HTTP status codes are three-digit codes, which are recorded immediately after "HTTP/1.1"

Fix: F-44851r683709_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.

AU-3 - Medium - CCI-001487 - V-241617 - SV-241617r879568_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

VROM-TC-000245

Vuln IDs

V-241617
V-88869

Rule IDs

SV-241617r879568_rule
SV-99519

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%u” parameter will record the remote user that was authenticated. Knowing the authenticated user could be crucial to know in an investigation.

Checks: C-44893r683711_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user is not being recorded, this is a finding.

Fix: F-44852r683712_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.

AU-3 - Medium - CCI-001487 - V-241618 - SV-241618r879568_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

VROM-TC-000250

Vuln IDs

V-241618
V-88871

Rule IDs

SV-241618r879568_rule
SV-99521

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%u” parameter will record the remote user that was authenticated. Knowing the authenticated user could be crucial to know in an investigation.

Checks: C-44894r683714_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user is not being recorded, this is a finding.

Fix: F-44853r683715_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.

AU-3 - Medium - CCI-001487 - V-241619 - SV-241619r879568_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

VROM-TC-000255

Vuln IDs

V-241619
V-88873

Rule IDs

SV-241619r879568_rule
SV-99523

After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the system authenticates users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, the identity of the user/subject/process associated with the event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%u” parameter will record the remote user that was authenticated. Knowing the authenticated user could be crucial to know in an investigation.

Checks: C-44895r683717_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If the identity of the user is not being recorded, this is a finding.

Fix: F-44854r683718_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate <Host>. Configure the <Host> node with the <AccessLogValve> below. Note: The “AccessLogValve” should be configured as follows: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.

AU-5 - Medium - CCI-000139 - V-241620 - SV-241620r879570_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

VROM-TC-000260

Vuln IDs

V-241620
V-88875

Rule IDs

SV-241620r879570_rule
SV-99525

Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administrative duties on the hosted system or within the hosted applications. If the logging system begins to fail, events will not be recorded. Organizations must define logging failure events, at which time the application or the logging mechanism the application utilizes will provide a warning to the ISSO and SA at a minimum.

Checks: C-44896r684139_chk

Obtain supporting documentation from the ISSO. Determine if log data and records are configured to alert the ISSO and SA in the event of processing failure. If log data and records are not configured to alert the ISSO and SA in the event of processing failure, this is a finding.

Fix: F-44855r683721_fix

Configure the web server to provide an alert to the ISSO and SA when log processing failures occur. If the web server cannot generate alerts, utilize an external logging system that meets this criterion.

b

tc Server UI log files must only be accessible by privileged users.

AU-9 - Medium - CCI-000162 - V-241621 - SV-241621r879576_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

VROM-TC-000270

Vuln IDs

V-241621
V-88877

Rule IDs

SV-241621r879576_rule
SV-99527

Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.

Checks: C-44897r683723_chk

At the command prompt, execute the following command: stat -c "%a %n" /storage/log/vcops/log/product-ui/* | awk '$1 !~ /^640/ && $2 ~ /(\.txt)|(\.log)/ {print}' If the command produces any output, this is a finding.

Fix: F-44856r683724_fix

At the command prompt, execute the following commands: sed -i "/^[^#]*UMASK/ c\UMASK 027" /etc/login.defs find /storage/log/vcops/log/product-ui/ -type f -exec chmod o=--- {} \;

b

tc Server CaSa log files must only be accessible by privileged users.

AU-9 - Medium - CCI-000162 - V-241622 - SV-241622r879576_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

VROM-TC-000275

Vuln IDs

V-241622
V-88879

Rule IDs

SV-241622r879576_rule
SV-99529

Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.

Checks: C-44898r683726_chk

At the command prompt, execute the following command: stat -c "%a %n" /storage/log/vcops/log/casa/* | awk '$1 !~ /^640/ && $2 ~ /(\.txt)|(\.log)/ {print}' If the command produces any output, this is a finding.

Fix: F-44857r683727_fix

At the command prompt, execute the following commands: sed -i "/^[^#]*UMASK/ c\UMASK 027" /etc/login.defs find /storage/log/vcops/log/casa/ -type f -exec chmod o=--- {} \;

b

tc Server API log files must only be accessible by privileged users.

AU-9 - Medium - CCI-000162 - V-241623 - SV-241623r879576_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

VROM-TC-000280

Vuln IDs

V-241623
V-88881

Rule IDs

SV-241623r879576_rule
SV-99531

Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.

Checks: C-44899r683729_chk

At the command prompt, execute the following command: stat -c "%a %n" /storage/log/vcops/log/suite-api/* | awk '$1 !~ /^640/ && $2 ~ /(\.txt)|(\.log)/ {print}' If the command produces any output, this is a finding.

Fix: F-44858r683730_fix

At the command prompt, execute the following commands: sed -i "/^[^#]*UMASK/ c\UMASK 027" /etc/login.defs find /storage/log/vcops/log/suite-api/ -type f -exec chmod o=--- {} \;

b

tc Server UI log files must be protected from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-241624 - SV-241624r879577_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

VROM-TC-000285

Vuln IDs

V-241624
V-88883

Rule IDs

SV-241624r879577_rule
SV-99533

Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.

Checks: C-44900r683732_chk

Find any files that are not owned by admin or not group owned by admin, execute the following command: ls -lR /storage/log/vcops/log/product-ui/* | grep -vE 'pid$' | awk '$3 !~ /^admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44859r683733_fix

At the command prompt, execute the following command: chown admin:admin <file> Note: Replace <file> with any listed files.

b

tc Server CaSa log files must be protected from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-241625 - SV-241625r879577_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

VROM-TC-000290

Vuln IDs

V-241625
V-88885

Rule IDs

SV-241625r879577_rule
SV-99535

Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.

Checks: C-44901r683735_chk

At the command prompt, execute the following command: ls -lR /storage/log/vcops/log/casa/* | grep -vE '(pid$)|ntp' | awk '$3 !~ /^admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44860r683736_fix

At the command prompt, execute the following command: chown admin:admin <file> Note: Replace <file> with any listed files.

b

tc Server API log files must be protected from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-241626 - SV-241626r879577_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

VROM-TC-000295

Vuln IDs

V-241626
V-88887

Rule IDs

SV-241626r879577_rule
SV-99537

Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.

Checks: C-44902r683738_chk

Find any files that are not owned by admin or not group owned by admin, execute the following command: ls -lR /storage/log/vcops/log/suite-api/* | grep -vE 'pid$' | awk '$3 !~ /^admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44861r683739_fix

At the command prompt, execute the following command: chown admin:admin <file> Note: Replace <file> with any listed files.

b

tc Server UI log files must be protected from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-241627 - SV-241627r879578_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000164

Version

VROM-TC-000300

Vuln IDs

V-241627
V-88889

Rule IDs

SV-241627r879578_rule
SV-99539

Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.

Checks: C-44903r683741_chk

At the command prompt, execute the following command: ls -lR /storage/log/vcops/log/product-ui/* | grep -vE 'pid$' | awk '$3 !~ /^admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44862r683742_fix

At the command prompt, execute the following command: chown admin:admin <file> Note: Replace <file> with any listed files.

b

tc Server CaSa log files must be protected from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-241628 - SV-241628r879578_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000164

Version

VROM-TC-000305

Vuln IDs

V-241628
V-88891

Rule IDs

SV-241628r879578_rule
SV-99541

Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.

Checks: C-44904r683744_chk

At the command prompt, execute the following command: ls -lR /storage/log/vcops/log/casa/* | grep -vE '(pid$)|ntp' | awk '$3 !~ /^admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44863r683745_fix

At the command prompt, execute the following command: chown admin:admin <file> Note: Replace <file> with any listed files.

b

tc Server API log files must be protected from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-241629 - SV-241629r879578_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000164

Version

VROM-TC-000310

Vuln IDs

V-241629
V-88893

Rule IDs

SV-241629r879578_rule
SV-99543

Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.

Checks: C-44905r683747_chk

At the command prompt, execute the following command: ls -lR /storage/log/vcops/log/suite-api/* | grep -vE 'pid$' | awk '$3 !~ /^admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44864r683748_fix

At the command prompt, execute the following command: chown admin:admin <file> Note: Replace <file> with any listed files.

b

tc Server ALL log data and records must be backed up onto a different system or media.

AU-9 - Medium - CCI-001348 - V-241630 - SV-241630r879582_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001348

Version

VROM-TC-000315

Vuln IDs

V-241630
V-88895

Rule IDs

SV-241630r879582_rule
SV-99545

Protection of tc Server ALL log data includes assuring log data is not accidentally lost or deleted. Backing up tc Server ALL log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.

Checks: C-44906r683750_chk

Obtain supporting documentation from the ISSO. Determine if log data and records are not being backed up onto a different system or media. If log data and records are not being backed up onto a different system or media, this is a finding.

Fix: F-44865r683751_fix

Ensure log data and records are being backed up to a different system or separate media.

b

tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

CM-5 - Medium - CCI-001749 - V-241631 - SV-241631r879584_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

VROM-TC-000320

Vuln IDs

V-241631
V-88897

Rule IDs

SV-241631r879584_rule
SV-99547

Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches regularly. It is crucial that system administrators coordinate installation of product updates with the site ISSO to ensure that only valid files are uploaded onto the system.

Checks: C-44907r854899_chk

Obtain supporting documentation from the ISSO. Determine whether web server files are being fully reviewed, tested, and signed before being implemented into the production environment. If the web server files are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-44866r683754_fix

Configure the web server to verify object integrity before becoming part of the production web server or utilize an external tool designed to meet this requirement.

b

tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.

CM-5 - Medium - CCI-001749 - V-241632 - SV-241632r879584_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

VROM-TC-000325

Vuln IDs

V-241632
V-88899

Rule IDs

SV-241632r879584_rule
SV-99549

In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on a functional production website entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable. VMware delivers product updates and patches regularly. It is crucial that system administrators coordinate installation of product updates with the site ISSO to ensure that only valid files are uploaded onto the system.

Checks: C-44908r854901_chk

Obtain supporting documentation from the ISSO. Determine whether expansion modules are being fully reviewed, tested, and signed before being implemented into the production environment. If the expansion modules are not being fully reviewed, tested, and signed before being implemented into the production environment, this is a finding.

Fix: F-44867r683757_fix

Configure the web server to enforce, internally or through an external utility, the review, testing and signing of modules before implementation into the production environment.

b

tc Server UI must not use the tomcat-users XML database for user management.

CM-7 - Medium - CCI-000381 - V-241633 - SV-241633r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000330

Vuln IDs

V-241633
V-88901

Rule IDs

SV-241633r879587_rule
SV-99551

User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logins, and management of temporary and emergency accounts; and all of this must be done enterprise-wide. For historical reasons, tc Server contains a tomcat-users.xml file in the configuration directory. This file was originally used by standalone applications that did not authenticate against an LDAP or other enterprise mechanism. vROps does not use this file.

Checks: C-44909r683759_chk

At the command prompt, execute the following command: cat /usr/lib/vmware-vcops/tomcat-web-app/conf/tomcat-users.xml If “tomcat-users.xml” file contains any user information, this is a finding.

Fix: F-44868r683760_fix

Contact the ISSO and/or SA. Determine why user data is being stored in the “tomcat-users.xml” file. The vROps appliance does not maintain user data in this file by default.

b

tc Server CaSa must not use the tomcat-users XML database for user management.

CM-7 - Medium - CCI-000381 - V-241634 - SV-241634r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000335

Vuln IDs

V-241634
V-88903

Rule IDs

SV-241634r879587_rule
SV-99553

User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logins, and management of temporary and emergency accounts; and all of this must be done enterprise-wide. For historical reasons, tc Server contains a “tomcat-users.xml” file in the configuration directory. This file was originally used by standalone applications that did not authenticate against an LDAP or other enterprise mechanism. vROps does not use this file.

Checks: C-44910r683762_chk

At the command prompt, execute the following command: cat /usr/lib/vmware-casa/casa-webapp/conf/tomcat-users.xml If “tomcat-users.xml” file contains any user information, this is a finding.

Fix: F-44869r683763_fix

Contact the ISSO and/or SA. Determine why user data is being stored in the “tomcat-users.xml” file. The vROps appliance does not maintain user data in this file by default.

b

tc Server API must not use the tomcat-users XML database for user management.

CM-7 - Medium - CCI-000381 - V-241635 - SV-241635r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000340

Vuln IDs

V-241635
V-88905

Rule IDs

SV-241635r879587_rule
SV-99555

User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logins, and management of temporary and emergency accounts; and all of this must be done enterprise-wide. For historical reasons, tc Server contains a “tomcat-users.xml” file in the configuration directory. This file was originally used by standalone applications that did not authenticate against an LDAP or other enterprise mechanism. vROps does not use this file.

Checks: C-44911r683765_chk

At the command prompt, execute the following command: cat /usr/lib/vmware-vcops/tomcat-enterprise/conf/tomcat-users.xml If “tomcat-users.xml” file contains any user information, this is a finding.

Fix: F-44870r683766_fix

Contact the ISSO and/or SA. Determine why user data is being stored in the “tomcat-users.xml” file. The vROps appliance does not maintain user data in this file by default.

b

tc Server ALL must only contain services and functions necessary for operation.

CM-7 - Medium - CCI-000381 - V-241636 - SV-241636r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000345

Vuln IDs

V-241636
V-88907

Rule IDs

SV-241636r879587_rule
SV-99557

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

Checks: C-44912r684145_chk

Obtain supporting documentation from the ISSO. Review the web server documentation and deployed configuration to determine if web server features, services, and processes are installed that are not needed for hosted application deployment. If excessive features, services, and processes are installed, this is a finding.

Fix: F-44871r683769_fix

Uninstall or deactivate features, services, and processes not needed by the web server for operation.

c

tc Server ALL must exclude documentation, sample code, example applications, and tutorials.

CM-7 - High - CCI-000381 - V-241637 - SV-241637r879587_rule

RMF Control

CM-7

Severity

H

CCI

Version

VROM-TC-000355

Vuln IDs

V-241637
V-88909

Rule IDs

SV-241637r879587_rule
SV-99559

Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. Because tc Server is installed as part of the entire vROps application, and not installed separately, VMware has ensured that all documentation, sample code, example applications, and tutorials have been removed from tc Server as part of the build process.

Checks: C-44913r684147_chk

Obtain supporting documentation from the ISSO. Review the web server documentation and deployed configuration to determine if documentation, sample code, example applications, and tutorials have been removed. If documentation, sample code, example applications, and tutorials have not been removed, this is a finding.

Fix: F-44872r683772_fix

Document the removal of all documentation, sample code, example applications, and tutorials and ensure the web server configuration does not contain any documentation, sample code, example applications, and tutorials.

b

tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.

CM-7 - Medium - CCI-000381 - V-241638 - SV-241638r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000365

Vuln IDs

V-241638
V-88911

Rule IDs

SV-241638r879587_rule
SV-99561

Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Because tc Server is installed as part of the entire vROps application, and not installed separately, VMware has ensured that no unnecessary utilities and programs have been included in tc Server.

Checks: C-44914r684149_chk

Obtain supporting documentation from the ISSO. Review the web server documentation and deployed configuration to determine if utility programs, services, plug-ins, and modules not necessary for operation have been removed. If utility programs, services, plug-ins, and modules not necessary for operation have not been removed, this is a finding.

Fix: F-44873r683775_fix

Document the removal of all utility programs, services, plug-ins, and modules not necessary for operation and ensure the web server configuration does not contain any utility programs, services, plug-ins, and modules not necessary for operation.

b

tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

CM-7 - Medium - CCI-000381 - V-241639 - SV-241639r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000370

Vuln IDs

V-241639
V-88913

Rule IDs

SV-241639r879587_rule
SV-99563

Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. tc Server configures MIME types in the web.xml file. By ensuring that “sh”, “csh”, and “shar” MIME types are not included in web.xml, the server is protected against malicious users tricking the server into executing shell command files.

Checks: C-44915r683777_chk

At the command prompt, execute the following command: find / -name 'web.xml' -print0 | xargs -0r grep -HEn '(x-csh<)|(x-sh<)|(x-shar<)|(x-ksh<)' If the command produces any output, this is a finding.

Fix: F-44874r683778_fix

Navigate to a file that was listed. Open the file in a text editor. Delete any of the following types: application/x-sh application/x-shar application/x-csh application/x-ksh

b

tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.

CM-7 - Medium - CCI-000381 - V-241640 - SV-241640r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000375

Vuln IDs

V-241640
V-88915

Rule IDs

SV-241640r879587_rule
SV-99565

Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed. Because tc Server is installed as part of the entire vROps application, and not installed separately, VMware has ensured that scripts not needed for application operation or deemed vulnerable have been removed from tc Server.

Checks: C-44916r684151_chk

Obtain supporting documentation from the ISSO. Review the web server documentation and deployed configuration to determine if all mappings to unused and vulnerable scripts to be removed. If all mappings to unused and vulnerable scripts have not been removed, this is a finding.

Fix: F-44875r683781_fix

Document the removal of all script mappings that are not needed for web server and hosted application operation and ensure the web server configuration does not contain any script mappings that are not needed for web server and hosted application operation.

b

tc Server UI must have mappings set for Java Servlet Pages.

CM-7 - Medium - CCI-000381 - V-241641 - SV-241641r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000380

Vuln IDs

V-241641
V-88917

Rule IDs

SV-241641r879587_rule
SV-99567

Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As a derivative of the Apache Tomcat project, tc Server is a java-based web server. As a result, the main file extension used by tc Server is “*.jsp”. This check ensures that the “*.jsp” file type has been properly mapped to servlets.

Checks: C-44917r684153_chk

At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml If the “jsp” and “jspx” file extensions have not been mapped to the JSP servlet, this is a finding.

Fix: F-44876r683784_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below:  <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>

b

tc Server CaSa must have mappings set for Java Servlet Pages.

CM-7 - Medium - CCI-000381 - V-241642 - SV-241642r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000385

Vuln IDs

V-241642
V-88919

Rule IDs

SV-241642r879587_rule
SV-99569

Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As a derivative of the Apache Tomcat project, tc Server is a java-based web server. As a result, the main file extension used by tc Server is “*.jsp”. This check ensures that the “*.jsp” file type has been properly mapped to servlets.

Checks: C-44918r684155_chk

At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /usr/lib/vmware-casa/casa-webapp/conf/web.xml If the “jsp” and “jspx” file extensions have not been mapped to the JSP servlet, this is a finding.

Fix: F-44877r683787_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below:  <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>

b

tc Server API must have mappings set for Java Servlet Pages.

CM-7 - Medium - CCI-000381 - V-241643 - SV-241643r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000390

Vuln IDs

V-241643
V-88921

Rule IDs

SV-241643r879587_rule
SV-99571

Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As a derivative of the Apache Tomcat project, tc Server is a java-based web server. As a result, the main file extension used by tc Server is “*.jsp”. This check ensures that the “*.jsp” file type has been properly mapped to servlets.

Checks: C-44919r684157_chk

At the command prompt, execute the following command: grep -E '<url-pattern>\*\.jsp</url-pattern>' -B 2 -A 2 /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml If the “jsp” and “jspx” file extensions have not been mapped to the JSP servlet, this is a finding.

Fix: F-44878r683790_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below:  <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>

b

tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.

CM-7 - Medium - CCI-000381 - V-241644 - SV-241644r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000395

Vuln IDs

V-241644
V-88923

Rule IDs

SV-241644r879587_rule
SV-99573

A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality, development, and deployment is much easier for web authors. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server. As an extension to Tomcat, tc Server uses the “org.apache.catalina.servlets.WebdavServlet” servlet to provide WebDAV services. Because the WebDAV service has been found to have an excessive number of vulnerabilities, this servlet must not be installed.

Checks: C-44920r683792_chk

At the command prompt, execute the following command: find / -name 'web.xml' -print0 | xargs -0r grep -HEn 'webdav' If the command produces any output, this is a finding.

Fix: F-44879r683793_fix

Navigate to and open all listed web.xml files. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>webdav</servlet-name>. Remove the WebDav servlet and any mapping associated with it.

b

tc Server UI must be configured with memory leak protection.

CM-7 - Medium - CCI-000381 - V-241645 - SV-241645r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000400

Vuln IDs

V-241645
V-88925

Rule IDs

SV-241645r879587_rule
SV-99575

The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will lead to OutOfMemoryErrors when re-loading web applications. Memory leaks occur when JRE code uses the context class loader to load a singleton as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The JreMemoryLeakPreventionListener class is designed to initialize these singletons when Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection will ensure that the hosted application does not consume system resources and cause an unstable environment.

Checks: C-44921r683795_chk

At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.

Fix: F-44880r683796_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

b

tc Server CaSa must be configured with memory leak protection.

CM-7 - Medium - CCI-000381 - V-241646 - SV-241646r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000405

Vuln IDs

V-241646
V-88927

Rule IDs

SV-241646r879587_rule
SV-99577

The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will lead to OutOfMemoryErrors when re-loading web applications. Memory leaks occur when JRE code uses the context class loader to load a singleton as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The JreMemoryLeakPreventionListener class is designed to initialize these singletons when Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection will ensure that the hosted application does not consume system resources and cause an unstable environment.

Checks: C-44922r683798_chk

At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /usr/lib/vmware-casa/casa-webapp/conf/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.

Fix: F-44881r683799_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

b

tc Server API must be configured with memory leak protection.

CM-7 - Medium - CCI-000381 - V-241647 - SV-241647r879587_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-TC-000410

Vuln IDs

V-241647
V-88929

Rule IDs

SV-241647r879587_rule
SV-99579

The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will lead to OutOfMemoryErrors when re-loading web applications. Memory leaks occur when JRE code uses the context class loader to load a singleton as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The JreMemoryLeakPreventionListener class is designed to initialize these singletons when Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection will ensure that the hosted application does not consume system resources and cause an unstable environment.

Checks: C-44923r683801_chk

At the command prompt, execute the following command: grep JreMemoryLeakPreventionListener /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml If the JreMemoryLeakPreventionListener <Listener> node is not listed, this is a finding.

Fix: F-44882r683802_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

c

tc Server UI must not have any symbolic links in the web content directory tree.

CM-7 - High - CCI-000381 - V-241648 - SV-241648r879587_rule

RMF Control

CM-7

Severity

H

CCI

Version

VROM-TC-000415

Vuln IDs

V-241648
V-88931

Rule IDs

SV-241648r879587_rule
SV-99581

A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. By checking that no symbolic links exist in the document root, the web server is protected from users jumping outside the hosted application directory tree and gaining access to the other directories, including the system root.

Checks: C-44924r684159_chk

At the command prompt, execute the following command: ls -lR /usr/lib/vmware-vcops/tomcat-web-app | grep '^l' If the command produces any output other than the expected result below, this is a finding. Expected Result: lrwxrwxrwx 1 admin admin 33 Mar 6 03:37 logs -> /storage/log/vcops/log/product-ui lrwxrwxrwx 1 admin admin 47 Mar 6 03:37 vcops-web-ent -> /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui

Fix: F-44883r683805_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of any files that were returned. unlink <file_name> Repeat the commands for each file that was returned.

c

tc Server CaSa must not have any symbolic links in the web content directory tree.

CM-7 - High - CCI-000381 - V-241649 - SV-241649r879587_rule

RMF Control

CM-7

Severity

H

CCI

Version

VROM-TC-000420

Vuln IDs

V-241649
V-88933

Rule IDs

SV-241649r879587_rule
SV-99583

A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. By checking that no symbolic links exist in the document root, the web server is protected from users jumping outside the hosted application directory tree and gaining access to the other directories, including the system root.

Checks: C-44925r684161_chk

At the command prompt, execute the following command: ls -lR /usr/lib/vmware-casa/casa-webapp | grep '^l' If the command produces any output other than the expected result below, this is a finding. Expected Result: lrwxrwxrwx 1 admin admin 27 Mar 6 03:37 logs -> /storage/log/vcops/log/casa

Fix: F-44884r683808_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of any files that were returned. unlink <file_name> Repeat the commands for each file that was returned.

c

tc Server API must not have any symbolic links in the web content directory tree.

CM-7 - High - CCI-000381 - V-241650 - SV-241650r879587_rule

RMF Control

CM-7

Severity

H

CCI

Version

VROM-TC-000425

Vuln IDs

V-241650
V-88935

Rule IDs

SV-241650r879587_rule
SV-99585

A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. By checking that no symbolic links exist in the document root, the web server is protected from users jumping outside the hosted application directory tree and gaining access to the other directories, including the system root.

Checks: C-44926r683810_chk

At the command prompt, execute the following command: ls -lR /usr/lib/vmware-vcops/tomcat-enterprise | grep '^l' If the command produces any output, this is a finding.

Fix: F-44885r683811_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of any files that were returned. unlink <file_name> Repeat the commands for each file that was returned.

b

tc Server UI must be configured to use a specified IP address and port.

CM-7 - Medium - CCI-000382 - V-241651 - SV-241651r879588_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

VROM-TC-000430

Vuln IDs

V-241651
V-88937

Rule IDs

SV-241651r879588_rule
SV-99587

The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

Checks: C-44927r683813_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If either the IP address or the port is not specified for each <Connector>, this is a finding.

Fix: F-44886r683814_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the correct port and address value: address="XXXXX" port="YYYYY"

b

tc Server CaSa must be configured to use a specified IP address and port.

CM-7 - Medium - CCI-000382 - V-241652 - SV-241652r879588_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

VROM-TC-000435

Vuln IDs

V-241652
V-88939

Rule IDs

SV-241652r879588_rule
SV-99589

The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

Checks: C-44928r683816_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If either the IP address or the port is not specified for each <Connector>, this is a finding.

Fix: F-44887r683817_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the correct port and address value: address="XXXXX" port="YYYYY"

b

tc Server API must be configured to use a specified IP address and port.

CM-7 - Medium - CCI-000382 - V-241653 - SV-241653r879588_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

VROM-TC-000440

Vuln IDs

V-241653
V-88941

Rule IDs

SV-241653r879588_rule
SV-99591

The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

Checks: C-44929r683819_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If either the IP address or the port is not specified for each <Connector>, this is a finding.

Fix: F-44888r683820_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the correct port and address value address="XXXXX" port="YYYYY"

b

tc Server UI must encrypt passwords during transmission.

IA-5 - Medium - CCI-000197 - V-241654 - SV-241654r879609_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000197

Version

VROM-TC-000445

Vuln IDs

V-241654
V-88943

Rule IDs

SV-241654r879609_rule
SV-99593

Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled.

Checks: C-44930r683822_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to the <Connector> node that contains 'port="${vmware-ssl.https.port}"' If the value of “SSLEnabled” is not set to “true” or is missing, this is a finding.

Fix: F-44889r683823_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'SSLEnabled="true"'

b

tc Server CaSa must encrypt passwords during transmission.

IA-5 - Medium - CCI-000197 - V-241655 - SV-241655r879609_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000197

Version

VROM-TC-000450

Vuln IDs

V-241655
V-88945

Rule IDs

SV-241655r879609_rule
SV-99595

Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled.

Checks: C-44931r683825_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to the <Connector> node that contains 'port="${vmware-ssl.https.port}"'. If the value of “SSLEnabled” is not set to “true” or is missing, this is a finding.

Fix: F-44890r683826_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'SSLEnabled="true"'

b

tc Server API must encrypt passwords during transmission.

IA-5 - Medium - CCI-000197 - V-241656 - SV-241656r879609_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000197

Version

VROM-TC-000455

Vuln IDs

V-241656
V-88947

Rule IDs

SV-241656r879609_rule
SV-99597

Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update. HTTP connections in tc Server are managed through the Connector object. Setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled.

Checks: C-44932r683828_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Connector> node that contains 'port="${vmware-ssl.https.port}"'. If the value of “SSLEnabled” is not set to “true” or is missing, this is a finding.

Fix: F-44891r683829_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'SSLEnabled="true"'

b

tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable.

IA-5 - Medium - CCI-000185 - V-241657 - SV-241657r879612_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

VROM-TC-000460

Vuln IDs

V-241657
V-88949

Rule IDs

SV-241657r879612_rule
SV-99599

The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

Checks: C-44933r684163_chk

Obtain supporting documentation from the ISSO. Review tc Server ALL configuration to verify that certificates being provided by the client are being validated in accordance with RFC 5280. If PKI is not being used, this is NA. If certificates are not being validated in accordance with RFC 5280, this is a finding.

Fix: F-44892r683832_fix

Validate client certificates are being validated in accordance with RFC 5280.

b

tc Server ALL must only allow authenticated system administrators to have access to the keystore.

IA-5 - Medium - CCI-000186 - V-241658 - SV-241658r879613_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

VROM-TC-000465

Vuln IDs

V-241658
V-88951

Rule IDs

SV-241658r879613_rule
SV-99601

The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server. tc Server stores the server's private key in a keystore file. The vROps keystore file is “tcserver.keystore”, and this file must be protected to only allow system administrators and other authorized users to have access to it.

Checks: C-44934r684165_chk

At the command prompt, execute the following command: ls -al /storage/vcops/user/conf/ssl/tcserver.keystore Verify that file permissions are set to “640” or more restrictive. Verify that the owner and group-owner are set to admin. If either of these conditions are not met, this is a finding.

Fix: F-44893r683835_fix

At the command prompt, execute the following commands: chown admin:admin /storage/vcops/user/conf/ssl/tcserver.keystore chmod 640 /storage/vcops/user/conf/ssl/tcserver.keystore

b

tc Server ALL must only allow authenticated system administrators to have access to the truststore.

IA-5 - Medium - CCI-000186 - V-241659 - SV-241659r879613_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

VROM-TC-000470

Vuln IDs

V-241659
V-88953

Rule IDs

SV-241659r879613_rule
SV-99603

The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server. As a Tomcat derivative tc Server is designed to store the server's private key in a keystore file. An important vROps keystore file is “tcserver.truststore”, and this file must be protected to only allow system administrators and other authorized users to have access to it.

Checks: C-44935r684167_chk

At the command prompt, execute the following command: ls -al /storage/vcops/user/conf/ssl/tcserver.truststore Verify that file permissions are set to “640” or more restrictive. Verify that the owner and group-owner are set to admin. If either of these conditions are not met, this is a finding.

Fix: F-44894r683838_fix

At the command prompt, execute the following commands: chown admin:admin /storage/vcops/user/conf/ssl/tcserver.truststore chmod 640 /storage/vcops/user/conf/ssl/tcserver.truststore

b

tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.

IA-7 - Medium - CCI-000803 - V-241660 - SV-241660r879616_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

VROM-TC-000480

Vuln IDs

V-241660
V-88955

Rule IDs

SV-241660r879616_rule
SV-99605

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vROps relies upon the OpenSSL suite of encryption libraries. A special carefully defined software component called the OpenSSL FIPS Object Module has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.

Checks: C-44936r684169_chk

At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If the value of “vmware-ssl.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-44895r683841_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Navigate to and locate “vmware-ssl.ssl.ciphers.list”. Configure the “vmware-ssl.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

b

tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.

IA-7 - Medium - CCI-000803 - V-241661 - SV-241661r879616_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

VROM-TC-000485

Vuln IDs

V-241661
V-88957

Rule IDs

SV-241661r879616_rule
SV-99607

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vROps relies upon the OpenSSL suite of encryption libraries. A special carefully defined software component called the OpenSSL FIPS Object Module has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.

Checks: C-44937r684171_chk

At the command prompt, execute the following command: grep -A 10 vmware-casa.ssl.ciphers.list /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties If the value of “vmware-casa.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-44896r683844_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Navigate to and locate “vmware-casa.ssl.ciphers.list”. Configure the “vmware-casa.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

b

tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.

IA-7 - Medium - CCI-000803 - V-241662 - SV-241662r879616_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

VROM-TC-000490

Vuln IDs

V-241662
V-88959

Rule IDs

SV-241662r879616_rule
SV-99609

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vROps relies upon the OpenSSL suite of encryption libraries. A special carefully defined software component called the OpenSSL FIPS Object Module has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.

Checks: C-44938r684173_chk

At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties If the value of “vmware-ssl.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix: F-44897r683847_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties. Navigate to and locate “vmware-ssl.ssl.ciphers.list”. Configure the “vmware-ssl.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

c

tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.

SC-2 - High - CCI-001082 - V-241663 - SV-241663r879631_rule

RMF Control

SC-2

Severity

H

CCI

Version

VROM-TC-000500

Vuln IDs

V-241663
V-88961

Rule IDs

SV-241663r879631_rule
SV-99611

As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. As with all secure web server installations, tc Server files and directories must be adequately protected with correct permissions.

Checks: C-44939r683849_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-vcops/tomcat-web-app ls -alR bin lib conf | grep -E '^-' | awk '$3 !~ /admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44898r683850_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. chown admin:admin <file_name> Repeat the command for each file that was returned.

c

tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.

SC-2 - High - CCI-001082 - V-241664 - SV-241664r879631_rule

RMF Control

SC-2

Severity

H

CCI

Version

VROM-TC-000505

Vuln IDs

V-241664
V-88963

Rule IDs

SV-241664r879631_rule
SV-99613

As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. As with all secure web server installations, tc Server files and directories must be adequately protected with correct permissions.

Checks: C-44940r683852_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-casa/casa-webapp ls -alR bin lib conf | grep -E '^-' | awk '$3 !~ /admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44899r683853_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. chown admin:admin <file_name> Repeat the command for each file that was returned.

c

tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.

SC-2 - High - CCI-001082 - V-241665 - SV-241665r879631_rule

RMF Control

SC-2

Severity

H

CCI

Version

VROM-TC-000510

Vuln IDs

V-241665
V-88965

Rule IDs

SV-241665r879631_rule
SV-99615

As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. As with all secure web server installations, tc Server files and directories must be adequately protected with correct permissions.

Checks: C-44941r684175_chk

Find any files that are not owned by admin or not group owned by admin, execute the following command: cd /usr/lib/vmware-vcops/tomcat-enterprise ls -alR bin conf | grep -E '^-' | awk '$3 !~ /admin/ {print}' If the command produces any output, this is a finding.

Fix: F-44900r683856_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. chown admin:admin <file_name> Repeat the command for each file that was returned.

c

tc Server UI web server application directories must not be accessible to anonymous user.

SC-2 - High - CCI-001082 - V-241666 - SV-241666r879631_rule

RMF Control

SC-2

Severity

H

CCI

Version

VROM-TC-000515

Vuln IDs

V-241666
V-88967

Rule IDs

SV-241666r879631_rule
SV-99617

In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.

Checks: C-44942r683858_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-vcops/tomcat-web-app ls -alR bin lib conf | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44901r683859_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. If the file was found in /bin or /lib, execute the following command: chmod 700 <file_name> If the file was found in /conf, execute the following command: chmod 600 <file_name> Repeat the command for each file that was returned.

c

tc Server CaSa web server application directories must not be accessible to anonymous user.

SC-2 - High - CCI-001082 - V-241667 - SV-241667r879631_rule

RMF Control

SC-2

Severity

H

CCI

Version

VROM-TC-000520

Vuln IDs

V-241667
V-88969

Rule IDs

SV-241667r879631_rule
SV-99619

In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.

Checks: C-44943r683861_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-casa/casa-webapp ls -alR bin lib conf | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44902r683862_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. If the file was found in /bin or /lib, execute the following command: chmod 700 <file_name> If the file was found in /conf, execute the following command: chmod 600 <file_name> Repeat the command for each file that was returned.

c

tc Server API web server application directories must not be accessible to anonymous user.

SC-2 - High - CCI-001082 - V-241668 - SV-241668r879631_rule

RMF Control

SC-2

Severity

H

CCI

Version

VROM-TC-000525

Vuln IDs

V-241668
V-88971

Rule IDs

SV-241668r879631_rule
SV-99621

In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes made and the names of those who made the changes. Allowing anonymous users the capability to change the web server or the hosted application will not generate proper log information that can then be used for forensic reporting in the case of a security issue. Allowing anonymous users to make changes will also grant change capabilities to anybody without forcing a user to authenticate before the changes can be made.

Checks: C-44944r684177_chk

At the command prompt, find any world accessible files by executing the following commands: ls -alR /usr/lib/vmware-vcops/tomcat-enterprise/bin /usr/lib/vmware-vcops/tomcat-enterprise/conf | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44903r683865_fix

At the command prompt, execute the following commands: find /usr/lib/vmware-vcops/tomcat-enterprise/conf -type f -exec chmod o=--- {} \; find /usr/lib/vmware-vcops/tomcat-enterprise/bin -type f -exec chmod o=--- {} \;

b

tc Server ALL baseline must be documented and maintained.

SC-24 - Medium - CCI-001190 - V-241669 - SV-241669r879640_rule

RMF Control

SC-24

Severity

M

CCI

Version

VROM-TC-000575

Vuln IDs

V-241669
V-88973

Rule IDs

SV-241669r879640_rule
SV-99623

Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the possibility for security risks. The web server must offer, and not hinder, a method that allows for the quick and easy reinstallation of a verified and patched baseline to guarantee the production web server is up-to-date and has not been modified to add functionality or expose security risks. Because tc Server is installed as part of the entire vROps application, and not installed separately, VMware has ensured that all updates, upgrades, and patches have been thoroughly tested before becoming part of the production build process.

Checks: C-44945r684179_chk

Obtain supporting documentation from the ISSO. Review the web server documentation and deployed configuration to determine if the tc Server code baseline is documented and maintained. If the tc Server code baseline is not documented and maintained, this is a finding.

Fix: F-44904r683868_fix

Develop baseline documentation of the tc Server codebase and ensure the tc Server baseline is configured properly.

b

tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.

SC-24 - Medium - CCI-001190 - V-241670 - SV-241670r879640_rule

RMF Control

SC-24

Severity

M

CCI

Version

VROM-TC-000580

Vuln IDs

V-241670
V-88975

Rule IDs

SV-241670r879640_rule
SV-99625

Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail safe state for the web server. The VMware engineering process includes regression testing of new and modified components before they become part of the production build process.

Checks: C-44946r684181_chk

At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If the “org.apache.catalina.startup.EXIT_ON_INIT_FAILURE” setting is not set to "true" or is missing, this is a finding.

Fix: F-44905r683871_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Configure the setting “org.apache.catalina.startup.EXIT_ON_INIT_FAILURE” with the value “true”. Note: The word “true” should not be surrounded with quotation marks.

b

tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.

SC-24 - Medium - CCI-001190 - V-241671 - SV-241671r879640_rule

RMF Control

SC-24

Severity

M

CCI

Version

VROM-TC-000585

Vuln IDs

V-241671
V-88977

Rule IDs

SV-241671r879640_rule
SV-99627

Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail safe state for the web server. The VMware engineering process includes regression testing of new and modified components before they become part of the production build process.

Checks: C-44947r684183_chk

At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties If the “org.apache.catalina.startup.EXIT_ON_INIT_FAILURE” setting is not set to "true" or is missing, this is a finding.

Fix: F-44906r683874_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Configure the setting “org.apache.catalina.startup.EXIT_ON_INIT_FAILURE” with the value “true”. Note: The word “true” should not be surrounded with quotation marks.

b

tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.

SC-24 - Medium - CCI-001190 - V-241672 - SV-241672r879640_rule

RMF Control

SC-24

Severity

M

CCI

Version

VROM-TC-000590

Vuln IDs

V-241672
V-88979

Rule IDs

SV-241672r879640_rule
SV-99629

Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail safe state for the web server. The VMware engineering process includes regression testing of new and modified components before they become part of the production build process.

Checks: C-44948r684185_chk

At the command line, execute the following command: grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties If the “org.apache.catalina.startup.EXIT_ON_INIT_FAILURE” setting is not set to "true" or is missing, this is a finding.

Fix: F-44907r683877_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties. Configure the setting “org.apache.catalina.startup.EXIT_ON_INIT_FAILURE” with the value “true”. Note: The word “true” should not be surrounded with quotation marks.

b

tc Server UI document directory must be in a separate partition from the web servers system files.

SC-3 - Medium - CCI-001084 - V-241673 - SV-241673r879643_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

VROM-TC-000605

Vuln IDs

V-241673
V-88981

Rule IDs

SV-241673r879643_rule
SV-99631

A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special “webapps” folder. The Java engine, however, is stored in a separate are of the OS directory structure. For greatest security it is important to verify that the “webapps” and the Java directories remain separated.

Checks: C-44949r683879_chk

At the command prompt, execute the following commands: df -k /usr/java/default/bin/java df -k /usr/lib/vmware-vcops/tomcat-web-app/webapps If the two directories above are on the same partition, this is a finding.

Fix: F-44908r683880_fix

Consult with the ISSO. Move the tc Server UI /usr/lib/vmware-vcops/tomcat-web-app/webapps directory to a separate partition.

b

tc Server CaSa document directory must be in a separate partition from the web servers system files.

SC-3 - Medium - CCI-001084 - V-241674 - SV-241674r879643_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

VROM-TC-000610

Vuln IDs

V-241674
V-88983

Rule IDs

SV-241674r879643_rule
SV-99633

A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special “webapps” folder. The Java engine, however, is stored in a separate are of the OS directory structure. For greatest security it is important to verify that the “webapps” and the Java directories remain separated.

Checks: C-44950r683882_chk

At the command prompt, execute the following commands: df -k /usr/java/default/bin/java df -k /usr/lib/vmware-casa/casa-webapp/webapps If the two directories above are on the same partition, this is a finding

Fix: F-44909r683883_fix

Consult with the ISSO. Move the tc Server CaSa /usr/lib/vmware-casa/casa-webapp/webapps directory to a separate partition.

b

tc Server API document directory must be in a separate partition from the web servers system files.

SC-3 - Medium - CCI-001084 - V-241675 - SV-241675r879643_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

VROM-TC-000615

Vuln IDs

V-241675
V-88985

Rule IDs

SV-241675r879643_rule
SV-99635

A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. As a Tomcat derivative, tc Server stores the web applications in a special “webapps” folder. The Java engine, however, is stored in a separate are of the OS directory structure. For greatest security it is important to verify that the “webapps” and the Java directories remain separated.

Checks: C-44951r683885_chk

At the command prompt, execute the following commands: df -k /usr/java/default/bin/java df -k /usr/lib/vmware-vcops/tomcat-enterprise/webapps If the two directories above are on the same partition, this is a finding

Fix: F-44910r683886_fix

Consult with the ISSO. Move the tc Server API /usr/lib/vmware-vcops/tomcat-enterprise/webapps directory to a separate partition.

b

tc Server UI must be configured with a cross-site scripting (XSS) filter.

SC-5 - Medium - CCI-001094 - V-241676 - SV-241676r879650_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001094

Version

VROM-TC-000620

Vuln IDs

V-241676
V-88987

Rule IDs

SV-241676r879650_rule
SV-99637

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. As a web server, tc Server can be vulnerable to XSS if steps are not taken to mitigate the threat. VMware provides the XssFilter component to provide a layer of defense against XSS. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.

Checks: C-44952r683888_chk

At the command prompt, execute the following command: grep -B 2 -A 7 XssFilter /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF/web.xml If the XSS filter is not present, this is a finding.

Fix: F-44911r683889_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF/web.xml. Configure a <filter> node with the below configuration: <filter> <filter-name>xssfilter</filter-name> <filter-class>com.vmware.vcops.ui.util.XssFilter</filter-class> <init-param>  <param-name>fileIncludes</param-name> <param-value>/vcops/services/api.js,/vcops/services/api-debug.js,/vcops/services/api-debug-doc.js</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssfilter</filter-name> <url-pattern>/vcops/services/*</url-pattern> </filter-mapping>

b

tc Server CaSa must be configured with a cross-site scripting (XSS) filter.

SC-5 - Medium - CCI-001094 - V-241677 - SV-241677r879650_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001094

Version

VROM-TC-000625

Vuln IDs

V-241677
V-88989

Rule IDs

SV-241677r879650_rule
SV-99639

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. As a web server, tc Server can be vulnerable to XSS if steps are not taken to mitigate the threat. VMware provides the XssFilter component to provide a layer of defense against XSS. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.

Checks: C-44953r683891_chk

At the command prompt, execute the following command: grep -B 2 -A 7 XssFilter /usr/lib/vmware-casa/casa-webapp/webapps/admin/WEB-INF/web.xml If the XSS filter is not present and there is no result returned, then this is a finding.

Fix: F-44912r683892_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/webapps/admin/WEB-INF/web.xml. Configure a <filter> node with the below configuration: <filter> <filter-name>xssfilter</filter-name> <filter-class>com.vmware.vcops.ui.util.XssFilter</filter-class> <init-param>  <param-name>fileIncludes</param-name> <param-value>/vcops/services/api.js,/vcops/services/api-debug.js,/vcops/services/api-debug-doc.js</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssfilter</filter-name> <url-pattern>/vcops/services/*</url-pattern> </filter-mapping>

b

tc Server API must be configured with a cross-site scripting (XSS) filter.

SC-5 - Medium - CCI-001094 - V-241678 - SV-241678r879650_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001094

Version

VROM-TC-000630

Vuln IDs

V-241678
V-88991

Rule IDs

SV-241678r879650_rule
SV-99641

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. As a web server, tc Server can be vulnerable to XSS if steps are not taken to mitigate the threat. VMware provides the XssFilter component to provide a layer of defense against XSS. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.

Checks: C-44954r683894_chk

At the command prompt, execute the following command: grep -B 2 -A 7 XssFilter /usr/lib/vmware-vcops/tomcat-enterprise/webapps/suite-api/WEB-INF/web.xml If the XSS filter is not present and there is no result returned, then this is a finding.

Fix: F-44913r683895_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/webapps/suite-api/WEB-INF/web.xml. Configure a <filter> node with the below configuration: <filter> <filter-name>xssfilter</filter-name> <filter-class>com.vmware.vcops.ui.util.XssFilter</filter-class> <init-param>  <param-name>fileIncludes</param-name> <param-value>/vcops/services/api.js,/vcops/services/api-debug.js,/vcops/services/api-debug-doc.js</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssfilter</filter-name> <url-pattern>/vcops/services/*</url-pattern> </filter-mapping>

b

tc Server UI must set URIEncoding to UTF-8.

SI-10 - Medium - CCI-001310 - V-241679 - SV-241679r879652_rule

RMF Control

SI-10

Severity

M

CCI

Version

VROM-TC-000635

Vuln IDs

V-241679
V-88993

Rule IDs

SV-241679r879652_rule
SV-99643

Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. To mitigate against many types of character-based vulnerabilities, tc Server should be configured to use a consistent character set. The “URIEncoding” attribute on the Connector nodes provides the means for tc Server to enforce a consistent character set encoding.

Checks: C-44955r683897_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “URIEncoding” is not set to “UTF-8” or is missing, this is a finding.

Fix: F-44914r683898_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value "URIEncoding="UTF-8"'.

b

tc Server CaSa must set URIEncoding to UTF-8.

SI-10 - Medium - CCI-001310 - V-241680 - SV-241680r879652_rule

RMF Control

SI-10

Severity

M

CCI

Version

VROM-TC-000640

Vuln IDs

V-241680
V-88995

Rule IDs

SV-241680r879652_rule
SV-99645

Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. To mitigate against many types of character-based vulnerabilities, tc Server should be configured to use a consistent character set. The “URIEncoding” attribute on the Connector nodes provides the means for tc Server to enforce a consistent character set encoding.

Checks: C-44956r683900_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “URIEncoding” is not set to “UTF-8” or is missing, this is a finding.

Fix: F-44915r683901_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'URIEncoding="UTF-8"'.

b

tc Server API must set URIEncoding to UTF-8.

SI-10 - Medium - CCI-001310 - V-241681 - SV-241681r879652_rule

RMF Control

SI-10

Severity

M

CCI

Version

VROM-TC-000645

Vuln IDs

V-241681
V-88997

Rule IDs

SV-241681r879652_rule
SV-99647

Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. To mitigate against many types of character-based vulnerabilities, tc Server should be configured to use a consistent character set. The “URIEncoding” attribute on the Connector nodes provides the means for tc Server to enforce a consistent character set encoding.

Checks: C-44957r683903_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “URIEncoding” is not set to “UTF-8” or is missing, this is a finding.

Fix: F-44916r683904_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the value 'URIEncoding="UTF-8"'.

b

tc Server UI must use the setCharacterEncodingFilter filter.

SI-10 - Medium - CCI-001310 - V-241682 - SV-241682r879652_rule

RMF Control

SI-10

Severity

M

CCI

Version

VROM-TC-000650

Vuln IDs

V-241682
V-88999

Rule IDs

SV-241682r879652_rule
SV-99649

Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. As a web server, tc Server can be vulnerable to character encoding attacks if steps are not taken to mitigate the threat. VMware utilizes the standard Tomcat “setCharacterEncodingFilter” filter to provide a layer of defense against character encoding attacks. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.

Checks: C-44958r684187_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified with the following command: grep -B 2 -A 7 setCharacterEncodingFilter /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml If the “setCharacterEncodingFilter” filter has not been specified or is commented out, this is a finding.

Fix: F-44917r683907_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml. Configure the <web-app> node with the <filter> node listed below. <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> <param-name>ignore</param-name> <param-value>false</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

b

tc Server CaSa must use the setCharacterEncodingFilter filter.

SI-10 - Medium - CCI-001310 - V-241683 - SV-241683r879652_rule

RMF Control

SI-10

Severity

M

CCI

Version

VROM-TC-000655

Vuln IDs

V-241683
V-89001

Rule IDs

SV-241683r879652_rule
SV-99651

Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. As a web server, tc Server can be vulnerable to character encoding attacks if steps are not taken to mitigate the threat. VMware utilizes the standard Tomcat setCharacterEncodingFilter filter to provide a layer of defense against character encoding attacks. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.

Checks: C-44959r684189_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified with the following command: grep -B 2 -A 7 setCharacterEncodingFilter /usr/lib/vmware-casa/casa-webapp/conf/web.xml If the “setCharacterEncodingFilter” filter has not been specified or is commented out, this is a finding.

Fix: F-44918r683910_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Configure the <web-app> node with the <filter> node listed below. <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> <param-name>ignore</param-name> <param-value>false</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

b

tc Server API must use the setCharacterEncodingFilter filter.

SI-10 - Medium - CCI-001310 - V-241684 - SV-241684r879652_rule

RMF Control

SI-10

Severity

M

CCI

Version

VROM-TC-000660

Vuln IDs

V-241684
V-89003

Rule IDs

SV-241684r879652_rule
SV-99653

Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. As a web server, tc Server can be vulnerable to character encoding attacks if steps are not taken to mitigate the threat. VMware utilizes the standard Tomcat setCharacterEncodingFilter filter to provide a layer of defense against character encoding attacks. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.

Checks: C-44960r684191_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Verify that the 'setCharacterEncodingFilter' <filter> has been specified with the following command: grep -B 2 -A 7 setCharacterEncodingFilter /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml If the “setCharacterEncodingFilter” filter has not been specified or is commented out, this is a finding.

Fix: F-44919r683913_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Configure the <web-app> node with the <filter> node listed below. <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> <param-name>ignore</param-name> <param-value>false</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

b

tc Server UI must set the welcome-file node to a default web page.

SI-11 - Medium - CCI-001312 - V-241685 - SV-241685r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000665

Vuln IDs

V-241685
V-89005

Rule IDs

SV-241685r879655_rule
SV-99655

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an “index.jsp” (or equivalent) file is one common sense approach to mitigating the vulnerability.

Checks: C-44961r683915_chk

At the command prompt, execute the following command: grep -E -A 4 '<welcome-file-list' /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml If a <welcome-file> node is not set to a default web page, this is a finding.

Fix: F-44920r683916_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml. Inspect the file and ensure that it contains the below section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>

b

tc Server CaSa must set the welcome-file node to a default web page.

SI-11 - Medium - CCI-001312 - V-241686 - SV-241686r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000670

Vuln IDs

V-241686
V-89007

Rule IDs

SV-241686r879655_rule
SV-99657

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an “index.jsp” (or equivalent) file is one common sense approach to mitigating the vulnerability.

Checks: C-44962r683918_chk

At the command prompt, execute the following command: grep -E -A 4 '<welcome-file-list' /usr/lib/vmware-casa/casa-webapp/conf/web.xml If a <welcome-file> node is not set to a default web page, this is a finding.

Fix: F-44921r683919_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Inspect the file and ensure that it contains the below section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>

b

tc Server API must set the welcome-file node to a default web page.

SI-11 - Medium - CCI-001312 - V-241687 - SV-241687r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000675

Vuln IDs

V-241687
V-89009

Rule IDs

SV-241687r879655_rule
SV-99659

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an “index.jsp” (or equivalent) file is one common sense approach to mitigating the vulnerability.

Checks: C-44963r683921_chk

At the command prompt, execute the following command: grep -E -A 4 '<welcome-file-list' /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml If a <welcome-file> node is not set to a default web page, this is a finding.

Fix: F-44922r683922_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Inspect the file and ensure that it contains the below section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>

b

tc Server UI must have the allowTrace parameter set to false.

SI-11 - Medium - CCI-001312 - V-241688 - SV-241688r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000685

Vuln IDs

V-241688
V-89011

Rule IDs

SV-241688r879655_rule
SV-99661

Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage.

Checks: C-44964r683924_chk

At the command prompt, execute the following command: grep allowTrace /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml If “allowTrace” is set to "true", this is a finding. Note: If no line is returned this is NOT a finding.

Fix: F-44923r683925_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to and locate the <Connector> nodes that have 'allowTrace="true"' Remove the 'allowTrace="true"' setting.

b

tc Server CaSa must have the allowTrace parameter set to false.

SI-11 - Medium - CCI-001312 - V-241689 - SV-241689r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000690

Vuln IDs

V-241689
V-89013

Rule IDs

SV-241689r879655_rule
SV-99663

Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage.

Checks: C-44965r683927_chk

At the command prompt, execute the following command: grep allowTrace /usr/lib/vmware-casa/casa-webapp/conf/server.xml If “allowTrace” is set to "true", this is a finding. Note: If no line is returned this is NOT a finding.

Fix: F-44924r683928_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to and locate the <Connector> nodes that have 'allowTrace="true"' Remove the 'allowTrace="true"' setting.

b

tc Server API must have the allowTrace parameter set to false.

SI-11 - Medium - CCI-001312 - V-241690 - SV-241690r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000695

Vuln IDs

V-241690
V-89015

Rule IDs

SV-241690r879655_rule
SV-99665

Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage.

Checks: C-44966r683930_chk

At the command prompt, execute the following command: grep allowTrace /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml If “allowTrace” is set to "true", this is a finding. Note: If no line is returned this is NOT a finding.

Fix: F-44925r683931_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate the <Connector> nodes that have 'allowTrace="true"' Remove the 'allowTrace="true"' setting.

b

tc Server UI must have the debug option turned off.

SI-11 - Medium - CCI-001312 - V-241691 - SV-241691r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000700

Vuln IDs

V-241691
V-89017

Rule IDs

SV-241691r879655_rule
SV-99667

Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. As a Tomcat derivative, tc Server can be configured to set the debugging level. By setting the debugging level to zero (0), no debugging information will be provided to a malicious user. This provides a layer of defense to vROps.

Checks: C-44967r683933_chk

At the command prompt, execute the following command: grep -En -A 2 -B 1 '<param-name>debug</param-name>' /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml If all instances of the debug parameter are not set to "0", this is a finding.

Fix: F-44926r683934_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/web.xml. Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the below: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>

b

tc Server CaSa must have the debug option turned off.

SI-11 - Medium - CCI-001312 - V-241692 - SV-241692r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000705

Vuln IDs

V-241692
V-89019

Rule IDs

SV-241692r879655_rule
SV-99669

Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. As a Tomcat derivative, tc Server can be configured to set the debugging level. By setting the debugging level to zero (0), no debugging information will be provided to a malicious user. This provides a layer of defense to vROps.

Checks: C-44968r683936_chk

At the command prompt, execute the following command: grep -En -A 2 -B 1 '<param-name>debug</param-name>' /usr/lib/vmware-casa/casa-webapp/conf/web.xml If all instances of the debug parameter are not set to "0", this is a finding.

Fix: F-44927r683937_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the below: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>

b

tc Server API must have the debug option turned off.

SI-11 - Medium - CCI-001312 - V-241693 - SV-241693r879655_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-TC-000710

Vuln IDs

V-241693
V-89021

Rule IDs

SV-241693r879655_rule
SV-99671

Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. As a Tomcat derivative, tc Server can be configured to set the debugging level. By setting the debugging level to zero (0), no debugging information will be provided to a malicious user. This provides a layer of defense to vROps.

Checks: C-44969r683939_chk

At the command prompt, execute the following command: grep -En -A 2 -B 1 '<param-name>debug</param-name>' /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml If all instances of the debug parameter are not set to "0", this is a finding.

Fix: F-44928r683940_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the below: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>

b

tc Server UI must set an inactive timeout for sessions.

AC-12 - Medium - CCI-002361 - V-241694 - SV-241694r879673_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

VROM-TC-000720

Vuln IDs

V-241694
V-89023

Rule IDs

SV-241694r879673_rule
SV-99673

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. tc Server provides a session timeout parameter in the web.xml configuration file.

Checks: C-44970r683942_chk

At the command prompt, execute the following command: grep session-timeout /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF/web.xml If the value of <session-timeout> is not “30” or is missing, this is a finding.

Fix: F-44929r683943_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.

b

tc Server CaSa must set an inactive timeout for sessions.

AC-12 - Medium - CCI-002361 - V-241695 - SV-241695r879673_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

VROM-TC-000725

Vuln IDs

V-241695
V-89025

Rule IDs

SV-241695r879673_rule
SV-99675

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. tc Server provides a session timeout parameter in the web.xml configuration file.

Checks: C-44971r683945_chk

At the command prompt, execute the following command: grep session-timeout /usr/lib/vmware-casa/casa-webapp/webapps/admin/WEB-INF/web.xml If the value of <session-timeout> is not “30” or is missing, this is a finding.

Fix: F-44930r683946_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/webapps/admin/WEB-INF/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.

b

tc Server API must set an inactive timeout for sessions.

AC-12 - Medium - CCI-002361 - V-241696 - SV-241696r879673_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

VROM-TC-000730

Vuln IDs

V-241696
V-89027

Rule IDs

SV-241696r879673_rule
SV-99677

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. tc Server provides a session timeout parameter in the web.xml configuration file.

Checks: C-44972r683948_chk

At the command prompt, execute the following command: grep session-timeout /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml If the value of <session-timeout> is not “30” or is missing, this is a finding.

Fix: F-44931r683949_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Navigate to the <session-config> node. Add the <session-timeout>30</session-timeout> node setting to the <session-config> node.

c

tc Server ALL must be configured to the correct user authentication source.

AC-17 - High - CCI-002314 - V-241697 - SV-241697r879692_rule

RMF Control

AC-17

Severity

H

CCI

Version

VROM-TC-000735

Vuln IDs

V-241697
V-89029

Rule IDs

SV-241697r879692_rule
SV-99679

Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. vRealize Operations can be configured with a variety of authentication sources. Site policies and procedures will dictate the appropriate authentication mechanism.

Checks: C-44973r854906_chk

Obtain the correct configuration data for the Authentication Source from the ISSO. Open a web browser, and put in the vROps URL. 1. Log into the Administration Portal 2. Click on Administration >> Authentication Sources 3. Click on Authentication Source 4. Verify that User Authentication is configured correctly If the Authentication Source is not configured in accordance with site policy, this is a finding.

Fix: F-44932r683952_fix

Document the correct configuration data for the Authentication Source and provide to the ISSO. Open a web browser, and put in the vROps URL. 1. Log into the Administration Portal 2. Click on Administration >> Authentication Sources 3. Click on Authentication Source 4. Ensure that that User Authentication is configured correctly

b

tc Server UI must be configured to use the https scheme.

AC-17 - Medium - CCI-002314 - V-241698 - SV-241698r879692_rule

RMF Control

AC-17

Severity

M

CCI

Version

VROM-TC-000740

Vuln IDs

V-241698
V-89031

Rule IDs

SV-241698r879692_rule
SV-99681

Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the Connector object class. By configuring external Connector objects to use the HTTPS scheme, vROps's information in flight will be protected.

Checks: C-44974r683954_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “scheme” is not set to “https” or is missing, this is a finding.

Fix: F-44933r683955_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'scheme="https"'

b

tc Server CaSa must be configured to use the https scheme.

AC-17 - Medium - CCI-002314 - V-241699 - SV-241699r879692_rule

RMF Control

AC-17

Severity

M

CCI

Version

VROM-TC-000745

Vuln IDs

V-241699
V-89033

Rule IDs

SV-241699r879692_rule
SV-99683

Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the Connector object class. By configuring external Connector objects to use the HTTPS scheme, vROps's information in flight will be protected.

Checks: C-44975r683957_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “scheme” is not set to “https” or is missing, this is a finding.

Fix: F-44934r683958_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'scheme="https"'

b

tc Server API must be configured to use the https scheme.

AC-17 - Medium - CCI-002314 - V-241700 - SV-241700r879692_rule

RMF Control

AC-17

Severity

M

CCI

Version

VROM-TC-000750

Vuln IDs

V-241700
V-89035

Rule IDs

SV-241700r879692_rule
SV-99685

Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. tc Server connections are managed by the Connector object class. By configuring external Connector objects to use the HTTPS scheme, vROps's information in flight will be protected.

Checks: C-44976r683960_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “scheme” is not set to “https” or is missing, this is a finding.

Fix: F-44935r683961_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> with the value 'scheme="https"'

b

tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.

AU-4 - Medium - CCI-001849 - V-241701 - SV-241701r879730_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

VROM-TC-000780

Vuln IDs

V-241701
V-89037

Rule IDs

SV-241701r879730_rule
SV-99687

In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity. The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.

Checks: C-44977r854911_chk

Obtain supporting documentation from the ISSO. Determine if tc Server ALL is using a logging mechanism that is configured to have a capacity large enough to accommodate logging requirements. If the logging mechanism does not have sufficient capacity, this is a finding.

Fix: F-44936r683964_fix

Configure the web server to use a logging mechanism that is configured to allocate log record storage capacity in accordance with NIST SP 800-92 log record storage requirements.

b

tc Server ALL log files must be moved to a permanent repository in accordance with site policy.

AU-4 - Medium - CCI-001851 - V-241702 - SV-241702r879731_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

VROM-TC-000790

Vuln IDs

V-241702
V-89039

Rule IDs

SV-241702r879731_rule
SV-99689

A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. Log files must be periodically moved from the web server to a permanent storage location. This serves two beneficial purposes. First, the web server's resources are freed up for productions. Also, this ensures that the site has, and enforces, policies designed to preserve the integrity of historical logs.

Checks: C-44978r854913_chk

Obtain supporting documentation from the ISSO. Review the site policy for moving log files from the web server to a permanent repository. Ensure that log files are being moved from the web server in accordance with the site policy. If the site does not have a policy for periodically moving log files to an archive repository or such policy is not being enforced, this is a finding.

Fix: F-44937r683967_fix

Develop and enforce a site policy for moving log files periodically from the web server to a permanent repository in accordance with site retention policies.

b

tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.

AU-5 - Medium - CCI-001855 - V-241703 - SV-241703r879732_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

VROM-TC-000795

Vuln IDs

V-241703
V-89041

Rule IDs

SV-241703r879732_rule
SV-99691

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. If log capacity were to be exceeded, then events subsequently occurring would not be recorded. Organizations must define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., web server has exceeded 75% of log storage capacity allocated), at which time the web server or the logging mechanism the web server utilizes will provide a warning to the ISSO and SA at a minimum. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.

Checks: C-44979r854915_chk

Obtain supporting documentation from the ISSO. Review site documentation and system configuration. Determine if the system has a logging mechanism that will provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. If such an alert mechanism is not in use, this is a finding.

Fix: F-44938r683970_fix

Configure the tc Server ALL logging mechanism to alert the ISSO/SA when the logs have reached 75% of storage capacity.

b

tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-241704 - SV-241704r879747_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

VROM-TC-000800

Vuln IDs

V-241704
V-89043

Rule IDs

SV-241704r879747_rule
SV-99693

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an “AccessLogValve”, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The “Access Log Valve” creates log files in the same format as those created by standard web servers including GMT offset.

Checks: C-44980r854917_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “+0000” part is the time zone mapping.

Fix: F-44939r683973_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the “pattern” setting with "%h %l %u %t "%r" %s %b" Note: The <Valve> node should be configured per the below: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-241705 - SV-241705r879747_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

VROM-TC-000805

Vuln IDs

V-241705
V-89045

Rule IDs

SV-241705r879747_rule
SV-99695

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an “AccessLogValve”, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The “Access Log Valve” creates log files in the same format as those created by standard web servers including GMT offset.

Checks: C-44981r854919_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “+0000” part is the time zone mapping.

Fix: F-44940r683976_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the “pattern” setting with "%h %l %u %t "%r" %s %b" Note: The <Valve> node should be configured per the below: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-241706 - SV-241706r879747_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

VROM-TC-000810

Vuln IDs

V-241706
V-89047

Rule IDs

SV-241706r879747_rule
SV-99697

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an “AccessLogValve”, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The “Access Log Valve” creates log files in the same format as those created by standard web servers including GMT offset.

Checks: C-44982r854921_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “+0000” part is the time zone mapping.

Fix: F-44941r683979_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the “pattern” setting with "%h %l %u %t "%r" %s %b" Note: The <Valve> node should be configured per the below: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI must record time stamps for log records to a minimum granularity of one second.

AU-8 - Medium - CCI-001889 - V-241707 - SV-241707r879748_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001889

Version

VROM-TC-000815

Vuln IDs

V-241707
V-89049

Rule IDs

SV-241707r879748_rule
SV-99699

Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an “AccessLogValve”, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The “Access Log Valve” should be configured to ensure that investigators have sufficient information to conduct an appropriate audit.

Checks: C-44983r854923_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “57” part is the “seconds” part of the timestamp.

Fix: F-44942r683982_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the “pattern” setting with "%h %l %u %t "%r" %s %b" Note: The <Valve> node should be configured per the below: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server CaSa must record time stamps for log records to a minimum granularity of one second.

AU-8 - Medium - CCI-001889 - V-241708 - SV-241708r879748_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001889

Version

VROM-TC-000820

Vuln IDs

V-241708
V-89051

Rule IDs

SV-241708r879748_rule
SV-99701

Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an “AccessLogValve”, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The “Access Log Valve” should be configured to ensure that investigators have sufficient information to conduct an appropriate audit.

Checks: C-44984r854925_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “57” part is the “seconds” part of the timestamp.

Fix: F-44943r683985_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the “pattern” setting with "%h %l %u %t "%r" %s %b" Note: The <Valve> node should be configured per the below: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server API must record time stamps for log records to a minimum granularity of one second.

AU-8 - Medium - CCI-001889 - V-241709 - SV-241709r879748_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001889

Version

VROM-TC-000825

Vuln IDs

V-241709
V-89053

Rule IDs

SV-241709r879748_rule
SV-99703

Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an AccessLogValve, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The Access Log Valve should be configured to ensure that investigators have sufficient information to conduct an appropriate audit.

Checks: C-44985r854927_chk

At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a minimum granularity of one second, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “57” part is the “seconds” part of the timestamp.

Fix: F-44944r683988_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node. Set the “pattern” setting with "%h %l %u %t "%r" %s %b" Note: The <Valve> node should be configured per the below: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/>

b

tc Server UI application, libraries, and configuration files must only be accessible to privileged users.

CM-5 - Medium - CCI-001813 - V-241710 - SV-241710r879753_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

VROM-TC-000830

Vuln IDs

V-241710
V-89055

Rule IDs

SV-241710r879753_rule
SV-99705

A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.

Checks: C-44986r683990_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-vcops/tomcat-web-app ls -alR bin lib conf | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44945r683991_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. If the file was found in “/bin” or “/lib”, execute the following command: chmod 700 <file_name> If the file was found in “/conf”, execute the following command: chmod 600 <file_name> Repeat the command for each file that was returned

b

tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users.

CM-5 - Medium - CCI-001813 - V-241711 - SV-241711r879753_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

VROM-TC-000835

Vuln IDs

V-241711
V-89057

Rule IDs

SV-241711r879753_rule
SV-99707

A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.

Checks: C-44987r683993_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-casa/casa-webapp ls -alR bin lib conf | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44946r683994_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. If the file was found in “/bin” or “/lib”, execute the following command: chmod 700 <file_name> If the file was found in “/conf”, execute the following command: chmod 600 <file_name> Repeat the command for each file that was returned

b

tc Server API application, libraries, and configuration files must only be accessible to privileged users.

CM-5 - Medium - CCI-001813 - V-241712 - SV-241712r879753_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

VROM-TC-000840

Vuln IDs

V-241712
V-89059

Rule IDs

SV-241712r879753_rule
SV-99709

A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.

Checks: C-44988r683996_chk

At the command prompt, execute the following commands: cd /usr/lib/vmware-vcops/tomcat-enterprise ls -alR bin conf | grep -E '^-' | awk '$1 !~ /---$/ {print}' If the command produces any output, this is a finding.

Fix: F-44947r683997_fix

At the command prompt, execute the following command: Note: Replace <file_name> for the name of the file that was returned. If the file was found in “/bin” or “/lib”, execute the following command: chmod 700 <file_name> If the file was found in “/conf”, execute the following command: chmod 600 <file_name> Repeat the command for each file that was returned

b

tc Server UI must be configured with the appropriate ports.

CM-7 - Medium - CCI-001762 - V-241713 - SV-241713r879756_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001762

Version

VROM-TC-000845

Vuln IDs

V-241713
V-89061

Rule IDs

SV-241713r879756_rule
SV-99711

Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments. An essential configuration file for tc Server is “catalina.properties”. The ports that tc Server listens to will be configured in that file.

Checks: C-44989r854932_chk

At the command prompt, execute the following command: cat /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties | grep -E '\.port' Review the listed ports. Verify that they match the list below of tc Server UI ports. base.shutdown.port=-1 base.jmx.port=6969 vmware-ssl.https.port=8443 vmware-ajp13.jk.port=8009 vmware-ajp13.https.port=8443 vmware-bio.http.port=8080 vmware-bio.https.port=8443 If the ports are not as listed, this is a finding.

Fix: F-44948r684000_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties Navigate to the ports specification section. Set the tc Server UI port specifications according to the list below: base.shutdown.port=-1 base.jmx.port=6969 vmware-ssl.https.port=8443 vmware-ajp13.jk.port=8009 vmware-ajp13.https.port=8443 vmware-bio.http.port=8080 vmware-bio.https.port=8443

b

tc Server CaSa must be configured with the appropriate ports.

CM-7 - Medium - CCI-001762 - V-241714 - SV-241714r879756_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001762

Version

VROM-TC-000850

Vuln IDs

V-241714
V-89063

Rule IDs

SV-241714r879756_rule
SV-99713

Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments. An essential configuration file for tc Server is “catalina.properties”. The ports that tc Server listens to will be configured in that file.

Checks: C-44990r854934_chk

At the command prompt, execute the following command: cat /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties | grep -E '\.port' Review the listed ports. Verify that they match the list below of tc Server CaSa ports. base.shutdown.port=-1 base.jmx.port=6968 vmware-ajp13.jk.port=8011 vmware-ajp13.https.port=8445 vmware-casa.https.port=8445 vmware-casa.client.auth.port=8447 vmware-bio.http.port=8082 vmware-bio.https.port=8445 If the ports are not as listed, this is a finding.

Fix: F-44949r684003_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Navigate to the ports specification section. Set the tc Server CaSa port specifications according to the list below: base.shutdown.port=-1 base.jmx.port=6968 vmware-ajp13.jk.port=8011 vmware-ajp13.https.port=8445 vmware-casa.https.port=8445 vmware-casa.client.auth.port=8447 vmware-bio.http.port=8082 vmware-bio.https.port=8445

b

tc Server API must be configured with the appropriate ports.

CM-7 - Medium - CCI-001762 - V-241715 - SV-241715r879756_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001762

Version

VROM-TC-000855

Vuln IDs

V-241715
V-89065

Rule IDs

SV-241715r879756_rule
SV-99715

Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments. An essential configuration file for tc Server is “catalina.properties”. The ports that tc Server listens to will be configured in that file.

Checks: C-44991r854936_chk

At the command prompt, execute the following command: cat /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties | grep -E '\.port' Review the listed ports. Verify that they match the list below of tc Server API ports. base.shutdown.port=-1 bio-ssl.https.port=8440 bio.http.port=8081 bio.https.port=8440 jk.port=8010 vmware-ajp13.jk.port=8010 vmware-ajp13.https.port=8440 vmware-ssl.https.port=8440 vmware-ajp13.jk.port=8010 vmware-ajp13.https.port=8440 If the ports are not as listed, this is a finding.

Fix: F-44950r684006_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties. Navigate to the ports specification section. Set the tc Server API port specifications according to the list below: base.shutdown.port=-1 bio-ssl.https.port=8440 bio.http.port=8081 bio.https.port=8440 jk.port=8010 vmware-ajp13.jk.port=8010 vmware-ajp13.https.port=8440 vmware-ssl.https.port=8440 vmware-ajp13.jk.port=8010 vmware-ajp13.https.port=8440

b

tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized.

SC-13 - Medium - CCI-002450 - V-241716 - SV-241716r879944_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

VROM-TC-000860

Vuln IDs

V-241716
V-89067

Rule IDs

SV-241716r879944_rule
SV-99717

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.

Checks: C-44992r854938_chk

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If the value of "vmware-ssl.ssl.ciphers.list" does not match the list of NSA Suite A ciphers or is missing, this is a finding.

Fix: F-44951r684009_fix

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Navigate to the “vmware-ssl.ssl.ciphers.list” setting. Configure "vmware-ssl.ssl.ciphers.list" with a list of NSA Suite A ciphers.

b

tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized.

SC-13 - Medium - CCI-002450 - V-241717 - SV-241717r879944_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

VROM-TC-000865

Vuln IDs

V-241717
V-89069

Rule IDs

SV-241717r879944_rule
SV-99719

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.

Checks: C-44993r854940_chk

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep -A 10 vmware-casa.ssl.ciphers.list /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties If the value of "vmware-casa.ssl.ciphers.list" does not match the list of NSA Suite A ciphers or is missing, this is a finding.

Fix: F-44952r684012_fix

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Navigate to the "vmware-casa.ssl.ciphers.list" setting. Set "vmware-casa.ssl.ciphers.list" to a list of NSA Suite A ciphers.

b

tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized.

SC-13 - Medium - CCI-002450 - V-241718 - SV-241718r879944_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

VROM-TC-000870

Vuln IDs

V-241718
V-89071

Rule IDs

SV-241718r879944_rule
SV-99721

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.

Checks: C-44994r854942_chk

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties If the value of "vmware-ssl.ssl.ciphers.list" does not match the list of NSA Suite A ciphers or is missing, this is a finding.

Fix: F-44953r684015_fix

If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties. Navigate to the "vmware-ssl.ssl.ciphers.list" setting. Configure "vmware-ssl.ssl.ciphers.list" with a list of NSA Suite A ciphers.

b

tc Server UI must disable the shutdown port.

SC-5 - Medium - CCI-002385 - V-241719 - SV-241719r879806_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

VROM-TC-000885

Vuln IDs

V-241719
V-89073

Rule IDs

SV-241719r879806_rule
SV-99723

An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shutdown port. If enabled, a shutdown signal can be sent to tc Server through this port. To ensure availability, the shutdown port should be disabled.

Checks: C-44995r684017_chk

At the command prompt, execute the following command: grep base.shutdown.port /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.

Fix: F-44954r684018_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting 'base.shutdown.port=-1' to the "catalina.properties" file.

b

tc Server CaSa must disable the shutdown port.

SC-5 - Medium - CCI-002385 - V-241720 - SV-241720r879806_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

VROM-TC-000890

Vuln IDs

V-241720
V-89075

Rule IDs

SV-241720r879806_rule
SV-99725

An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shutdown port. If enabled, a shutdown signal can be sent to tc Server through this port. To ensure availability, the shutdown port should be disabled.

Checks: C-44996r684020_chk

At the command prompt, execute the following command: grep base.shutdown.port /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.

Fix: F-44955r684021_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting 'base.shutdown.port=-1' to the "catalina.properties" file.

b

tc Server API must disable the shutdown port.

SC-5 - Medium - CCI-002385 - V-241721 - SV-241721r879806_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

VROM-TC-000895

Vuln IDs

V-241721
V-89077

Rule IDs

SV-241721r879806_rule
SV-99727

An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat derivative, tc Server uses a port (defaults to 8005) as a shutdown port. If enabled, a shutdown signal can be sent to tc Server through this port. To ensure availability, the shutdown port should be disabled.

Checks: C-44997r684023_chk

At the command prompt, execute the following command: grep base.shutdown.port /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties If the value of "base.shutdown.port" is not set to "-1" or is missing, this is a finding.

Fix: F-44956r684024_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/catalina.properties. Navigate to the "base.shutdown.port" setting. Add the setting 'base.shutdown.port=-1' to the "catalina.properties" file.

b

tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.

SC-8 - Medium - CCI-002418 - V-241722 - SV-241722r928837_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000905

Vuln IDs

V-241722
V-89079

Rule IDs

SV-241722r928837_rule
SV-99729

Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use modern, secure forms of transport encryption.

Checks: C-44998r684026_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslProtocol” is not set to “TLS” or is missing, this is a finding.

Fix: F-44957r684027_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> nodes with the setting 'sslProtocol="TLS"'

b

tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.

SC-8 - Medium - CCI-002418 - V-241723 - SV-241723r928837_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000910

Vuln IDs

V-241723
V-89081

Rule IDs

SV-241723r928837_rule
SV-99731

Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use modern, secure forms of transport encryption.

Checks: C-44999r684029_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslProtocol” is not set to “TLS’ or is missing, this is a finding.

Fix: F-44958r684030_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> nodes with the setting 'sslProtocol="TLS"'

b

tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.

SC-8 - Medium - CCI-002418 - V-241724 - SV-241724r928837_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000915

Vuln IDs

V-241724
V-89083

Rule IDs

SV-241724r928837_rule
SV-99733

Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use modern, secure forms of transport encryption.

Checks: C-45000r684032_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Connector> node that contains [port="${vmware-ssl.https.port}"]. If the value of “sslProtocol” is not set to “TLS” or is missing, this is a finding.

Fix: F-44959r684033_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to the <Connector> node that contains 'port="${vmware-ssl.https.port}"'. Add the setting 'sslProtocol="TLS"'

b

tc Server UI session IDs must be sent to the client using SSL/TLS.

SC-8 - Medium - CCI-002418 - V-241725 - SV-241725r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000920

Vuln IDs

V-241725
V-89085

Rule IDs

SV-241725r879810_rule
SV-99735

The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use modern, secure forms of transport encryption.

Checks: C-45001r684035_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslProtocol” is not set to “TLS” or is missing, this is a finding.

Fix: F-44960r684036_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> nodes with the setting 'sslProtocol="TLS"'

b

tc Server CaSa session IDs must be sent to the client using SSL/TLS.

SC-8 - Medium - CCI-002418 - V-241726 - SV-241726r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000925

Vuln IDs

V-241726
V-89087

Rule IDs

SV-241726r879810_rule
SV-99737

The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use modern, secure forms of transport encryption.

Checks: C-45002r684038_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslProtocol” is not set to “TLS” or is missing, this is a finding.

Fix: F-44961r684039_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> nodes with the setting 'sslProtocol="TLS"'

b

tc Server API session IDs must be sent to the client using SSL/TLS.

SC-8 - Medium - CCI-002418 - V-241727 - SV-241727r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000930

Vuln IDs

V-241727
V-89089

Rule IDs

SV-241727r879810_rule
SV-99739

The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use modern, secure forms of transport encryption.

Checks: C-45003r684041_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslProtocol” is not set to “TLS” or is missing, this is a finding.

Fix: F-44962r684042_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> nodes with the setting 'sslProtocol="TLS"'

b

tc Server UI must set the useHttpOnly parameter.

SC-8 - Medium - CCI-002418 - V-241728 - SV-241728r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000940

Vuln IDs

V-241728
V-89091

Rule IDs

SV-241728r879810_rule
SV-99741

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. As a Tomcat derivative, tc Server contains a Context object, which represents a web application running within a particular virtual host. One of the configurable parameters of the Context object will prevent the tc Server cookies from being accessed by JavaScript from another site.

Checks: C-45004r854953_chk

At the command prompt, execute the following command: grep useHttpOnly /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/META-INF/context.xml If the value of “useHttpOnly” is not set to "true" or is missing, this is a finding. Expected Result: <Context useHttpOnly="true">

Fix: F-44963r684045_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/META-INF/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the below: <Context useHttpOnly="true">

b

tc Server CaSa must set the useHttpOnly parameter.

SC-8 - Medium - CCI-002418 - V-241729 - SV-241729r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000945

Vuln IDs

V-241729
V-89093

Rule IDs

SV-241729r879810_rule
SV-99743

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. As a Tomcat derivative, tc Server contains a Context object, which represents a web application running within a particular virtual host. One of the configurable parameters of the Context object will prevent the tc Server cookies from being accessed by JavaScript from another site.

Checks: C-45005r684047_chk

At the command prompt, execute the following command: grep useHttpOnly /usr/lib/vmware-casa/casa-webapp/conf/context.xml If the value of “useHttpOnly” is not set to "true" or is missing, this is a finding. Expected Result: <Context useHttpOnly="true">

Fix: F-44964r684048_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the below: <Context useHttpOnly="true">

b

tc Server API must set the useHttpOnly parameter.

SC-8 - Medium - CCI-002418 - V-241730 - SV-241730r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000950

Vuln IDs

V-241730
V-89095

Rule IDs

SV-241730r879810_rule
SV-99745

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. As a Tomcat derivative, tc Server contains a Context object, which represents a web application running within a particular virtual host. One of the configurable parameters of the Context object will prevent the tc Server cookies from being accessed by JavaScript from another site.

Checks: C-45006r854956_chk

At the command prompt, execute the following command: grep useHttpOnly /usr/lib/vmware-vcops/tomcat-enterprise/conf/context.xml If the value of “useHttpOnly” is not set to "true" or is missing, this is a finding. Expected Result: <Context useHttpOnly="true">

Fix: F-44965r684051_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/context.xml. Navigate to the <Context> node. Add the 'useHttpOnly="true"' setting to the <Context> node. Note: The <Context> node should be configured per the below: <Context useHttpOnly="true">

b

tc Server UI must set the secure flag for cookies.

SC-8 - Medium - CCI-002418 - V-241731 - SV-241731r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000955

Vuln IDs

V-241731
V-89097

Rule IDs

SV-241731r879810_rule
SV-99747

Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure secure attribute for the session cookie, this can be done by applying the correct configuration in web.xml.

Checks: C-45007r684053_chk

At the command prompt, execute the following command: grep -E '<secure>' /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix: F-44966r684054_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/webapps/ui/WEB-INF/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured per as shown below: <cookie-config> <secure>true</secure> </cookie-config>

b

tc Server CaSa must set the secure flag for cookies.

SC-8 - Medium - CCI-002418 - V-241732 - SV-241732r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000960

Vuln IDs

V-241732
V-89099

Rule IDs

SV-241732r879810_rule
SV-99749

Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure secure attribute for the session cookie, this can be done by applying the correct configuration in web.xml.

Checks: C-45008r684056_chk

At the command prompt, execute the following command: grep -E '<secure>' /usr/lib/vmware-casa/casa-webapp/conf/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix: F-44967r684057_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured as shown below: <cookie-config> <secure>true</secure> </cookie-config>

b

tc Server API must set the secure flag for cookies.

SC-8 - Medium - CCI-002418 - V-241733 - SV-241733r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000965

Vuln IDs

V-241733
V-89101

Rule IDs

SV-241733r879810_rule
SV-99751

Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure secure attribute for the session cookie, this can be done by applying the correct configuration in web.xml.

Checks: C-45009r684059_chk

At the command prompt, execute the following command: grep -E '<secure>' /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix: F-44968r684060_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/web.xml. Navigate to the <session-config> node. Add the <cookie-config> --> <secure> node setting to the <session-config> node. Note: The <cookie-config> --> <secure> node should be configured as shown below: <cookie-config> <secure>true</secure> </cookie-config>

c

tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.

SC-8 - High - CCI-002418 - V-241734 - SV-241734r879810_rule

RMF Control

SC-8

Severity

H

CCI

Version

VROM-TC-000970

Vuln IDs

V-241734
V-89103

Rule IDs

SV-241734r879810_rule
SV-99753

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use the “sslEnabledProtocols” correctly to ensure that older, less secure forms of transport security are not used.

Checks: C-45010r684062_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslEnabledProtocols” is not set to “TLSv1.2,TLSv1.1,TLSv1” or is missing, this is a finding.

Fix: F-44969r684063_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'

c

tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.

SC-8 - High - CCI-002418 - V-241735 - SV-241735r879810_rule

RMF Control

SC-8

Severity

H

CCI

Version

VROM-TC-000975

Vuln IDs

V-241735
V-89105

Rule IDs

SV-241735r879810_rule
SV-99755

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use the “sslEnabledProtocols” correctly to ensure that older, less secure forms of transport security are not used.

Checks: C-45011r684065_chk

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslEnabledProtocols” is not set to “TLSv1.2,TLSv1.1,TLSv1” or is missing, this is a finding.

Fix: F-44970r684066_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'

c

tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.

SC-8 - High - CCI-002418 - V-241736 - SV-241736r879810_rule

RMF Control

SC-8

Severity

H

CCI

Version

VROM-TC-000980

Vuln IDs

V-241736
V-89107

Rule IDs

SV-241736r879810_rule
SV-99757

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. vROps should be configured to use the “sslEnabledProtocols” correctly to ensure that older, less secure forms of transport security are not used.

Checks: C-45012r684068_chk

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. If the value of “sslEnabledProtocols” is not set to “TLSv1.2,TLSv1.1,TLSv1” or is missing, this is a finding.

Fix: F-44971r684069_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to each of the <Connector> nodes. Configure each <Connector> node with the setting 'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"'

b

tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

SC-8 - Medium - CCI-002418 - V-241737 - SV-241737r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000985

Vuln IDs

V-241737
V-89109

Rule IDs

SV-241737r879810_rule
SV-99759

During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours. An essential configuration file for tc Server is “catalina.properties”. Properly configured, tc Server will not provide the weaker, export ciphers.

Checks: C-45013r854964_chk

At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If any export ciphers are listed, this is a finding. Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'

Fix: F-44972r684072_fix

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Navigate to the “vmware-ssl.ssl.ciphers.list” setting. Remove any export ciphers from “vmware-ssl.ssl.ciphers.list”. Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'

b

tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

SC-8 - Medium - CCI-002418 - V-241738 - SV-241738r879810_rule

RMF Control

SC-8

Severity

M

CCI

Version

VROM-TC-000990

Vuln IDs

V-241738
V-89111

Rule IDs

SV-241738r879810_rule
SV-99761

During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the web server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours. An essential configuration file for tc Server is “catalina.properties”. Properly configured, tc Server will not provide the weaker, export ciphers.

Checks: C-45014r854966_chk

At the command prompt, execute the following command: grep -A 10 vmware-casa.ssl.ciphers.list /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties If any export ciphers are listed, this is a finding. Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'

Fix: F-44973r684075_fix

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/catalina.properties. Navigate to the “vmware-casa.ssl.ciphers.list” setting. Remove any export ciphers from “vmware-casa.ssl.ciphers.list”. Note: To view a list of export ciphers, at the command prompt execute the following command: openssl ciphers 'EXP'

b

tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

SC-8 - Medium - CCI-002418 - V-241739 - SV-241739r879810_rule

RMF Control

SC-8

Severity

M

CCI