Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector/@connectionTimeout' /usr/lib/vmware-eam/web/conf/server.xml Expected result: connectionTimeout="60000" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Configure the <Connector> node with the value: connectionTimeout="60000" Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Executor[@name="tomcatThreadPool"]/@maxThreads' /usr/lib/vmware-eam/web/conf/server.xml Expected result: maxThreads="300" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Navigate to the <Executor> mode with the name of "tomcatThreadPool" and configure with the value 'maxThreads="300"'. Note: The <Executor> node should be configured as follows: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector/@maxPostSize' /usr/lib/vmware-eam/web/conf/server.xml Expected result: XPath set is empty If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Remove any configuration for "maxPostSize" from the <Connector> node. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/http-only' - Expected result: <http-only>true</http-only> If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Navigate to the <session-config> node and configure it as follows: <session-config> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> <session-timeout>30</session-timeout> </session-config> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-eam/web/conf/server.xml Expected result: pattern="%h %{X-Forwarded-For}i %l %u %t [%I] &quot;%r&quot; %s %b [Processing time %D msec] &quot;%{User-Agent}i&quot;" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows: pattern="%h %{X-Forwarded-For}i %l %u %t [%I] "%r" %s %b [Processing time %D msec] "%{User-Agent}i"" Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/eam.json Expected output: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/eam/jvm.log", If no log file is specified for the "StreamRedirectFile" setting, this is a finding.
Navigate to and open: /etc/vmware/vmware-vmon/svcCfgfiles/eam.json Below the last line of the "PreStartCommandArg" block, add the following line: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/eam/jvm.log", Restart the appliance for changes to take effect.
At the command prompt, run the following command: # find /var/log/vmware/eam/web/ -xdev -type f -a '(' -perm -o+w -o -not -user eam -o -not -group users ')' -exec ls -ld {} \; If any files are returned, this is a finding.
At the command prompt, run the following commands: # chmod o-w <file> # chown eam:users <file> Note: Substitute <file> with the listed file.
At the command prompt, run the following command: # rpm -V vmware-eam|grep "^..5......" | grep -v 'c /' | grep -v -E ".installer|.properties|.xml" If there is any output, this is a finding.
Reinstall the vCenter Server Appliance (VCSA) or roll back to a backup. Modifying the EAM installation files manually is not supported by VMware.
At the command prompt, run the following command: # ls -A /usr/lib/vmware-eam/web/webapps Expected result: eam If the output does not match the expected result, this is a finding.
For each unexpected directory returned in the check, run the following command: # rm /usr/lib/vmware-eam/web/webapps/<NAME> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep UserDatabaseRealm /usr/lib/vmware-eam/web/conf/server.xml If the command produces any output, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Remove the <Realm> node returned in the check. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep "package.access" -A 5 /etc/vmware-eam/catalina.properties Expected result: package.access=\ sun.,\ org.apache.catalina.,\ org.apache.coyote.,\ org.apache.tomcat.,\ org.apache.jasper. If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /etc/vmware-eam/catalina.properties Ensure the "package.access" line is configured as follows: package.access=\ sun.,\ org.apache.catalina.,\ org.apache.coyote.,\ org.apache.tomcat.,\ org.apache.jasper. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep -En '(x-csh<)|(x-sh<)|(x-shar<)|(x-ksh<)' /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml If the command produces any output, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Remove all of the following nodes lines: <mime-type>application/x-csh</mime-type> <mime-type>application/x-shar</mime-type> <mime-type>application/x-sh</mime-type> <mime-type>application/x-ksh</mime-type> Restart the service with the following command: # vmon-cli --restart eam Note: Delete the entire mime-mapping node for the target mime-type. Example: <mime-mapping> <extension>sh</extension> <mime-type>application/x-sh</mime-type> </mime-mapping>
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet-mapping/servlet-name[text()="JspServlet"]/parent::servlet-mapping' - Expected result: <servlet-mapping> <servlet-name>JspServlet</servlet-name> <url-pattern>*.jsp</url-pattern> </servlet-mapping> If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>JspServlet</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below: <servlet-mapping> <servlet-name>JspServlet</servlet-name> <url-pattern>*.jsp</url-pattern> </servlet-mapping> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep -n 'webdav' /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml If the command produces any output, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Find the <servlet-name>webdav</servlet-name> node and remove the entire parent <servlet> block. Find the <servlet-name>webdav</servlet-name> node and remove the entire parent <servlet-mapping> block. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep JreMemoryLeakPreventionListener /usr/lib/vmware-eam/web/conf/server.xml Expected result: <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # find /usr/lib/vmware-eam/web/webapps/ -type l -ls If the command produces any output, this is a finding.
At the command prompt, run the following command: Note: Replace <file_name> for the name of any files that were returned. unlink <file_name> Repeat the command for each file that was returned.
At the command prompt, run the following command: # find /usr/lib/vmware-eam/web/ -xdev -type f -a '(' -not -user root -o -not -group root ')' -exec ls -ld {} \; If the command produces any output, this is a finding.
At the command prompt, run the following command: # chown root:root <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> for the name of the file that was returned.
At the command line, run the following command: # grep EXIT_ON_INIT_FAILURE /etc/vmware-eam/catalina.properties Expected result: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /etc/vmware-eam/catalina.properties Add or change the following line: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector/@acceptCount' /usr/lib/vmware-eam/web/conf/server.xml Expected result: acceptCount="300" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Configure the <Connector> node with the value: acceptCount="300" Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector/@URIEncoding' /usr/lib/vmware-eam/web/conf/server.xml Expected result: URIEncoding="UTF-8" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Configure the <Connector> node with the value: URIEncoding="UTF-8" Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/filter-mapping/filter-name[text()="setCharacterEncodingFilter"]/parent::filter-mapping' - Expected result: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> If the output is does not match the expected result, this is a finding. At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/filter/filter-name[text()="setCharacterEncodingFilter"]/parent::filter' - Expected result: <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> <async-supported>true</async-supported> </filter> If the output is does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Configure the <web-app> node with the child nodes listed below: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> <async-supported>true</async-supported> </filter> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/welcome-file-list' - Expected result: <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Add the following section under the <web-apps> node: <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' - Expected result: XPath set is empty If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Find and remove the entire block returned in the check. Example: <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/error-page/exception-type["text()=java.lang.Throwable"]/parent::error-page' - Expected result: <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error.jsp</location> </error-page> If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Add the following section under the <web-apps> node: <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error.jsp</location> </error-page> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]' /usr/lib/vmware-eam/web/conf/server.xml Expected result: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Locate the following Host block: <Host ...> ... </Host> Inside this block, add the following on a new line: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector/@server' /usr/lib/vmware-eam/web/conf/server.xml Expected result: server="Anonymous" If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Configure the <Connector> node with the value: server="Anonymous" Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep allowTrace /usr/lib/vmware-eam/web/conf/server.xml If "allowTrace" is set to "true", this is a finding. If no line is returned, this is not a finding.
Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Locate and navigate to 'allowTrace="true"'. Remove the 'allowTrace="true"' setting. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' - Expected result: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> If the output does not match the expected result, this is a finding. If no lines are returned, this is not a finding. If "XPath set is empty" is returned, this is not a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the following: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # rpm -V VMware-visl-integration|grep vmware-services-eam.conf|grep "^..5......" If the command returns any output, this is a finding.
Navigate to and open: /etc/vmware-syslog/vmware-services-eam.conf Create the file if it does not exist. Set the contents of the file as follows: #eam.log input(type="imfile" File="/var/log/vmware/eam/eam.log" Tag="eam-main" Severity="info" Facility="local0") #eam web access logs input(type="imfile" File="/var/log/vmware/eam/web/localhost_access.log" Tag="eam-access" Severity="info" Facility="local0") #eam jvm logs input(type="imfile" File="/var/log/vmware/eam/jvm.log.stdout" Tag="eam-stdout" Severity="info" Facility="local0") input(type="imfile" File="/var/log/vmware/eam/jvm.log.stderr" Tag="eam-stderr" Severity="info" Facility="local0") #eam catalina logs input(type="imfile" File="/var/log/vmware/eam/web/catalina.log" Tag="eam-catalina" Severity="info" Facility="local0") #eam catalina localhost logs input(type="imfile" File="/var/log/vmware/eam/web/localhost.log" Tag="eam-catalina" Severity="info" Facility="local0") #eam firstboot logs input(type="imfile" File="/var/log/vmware/firstboot/eam_firstboot.py*.log" Tag="eam-firstboot" Severity="info" Facility="local0")
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: <secure>true</secure> If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Navigate to the /<web-apps>/<session-config>/<cookie-config> node and configure it as follows: <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep 'bio.http.port' /etc/vmware-eam/catalina.properties Expected result: bio.http.port=15005 If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /etc/vmware-eam/catalina.properties Navigate to the port's specification section. Set the ESX Agent Manager port specifications according to the following: bio.http.port=15005 Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # grep 'base.shutdown.port' /etc/vmware-eam/catalina.properties Expected result: base.shutdown.port=-1 If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /etc/vmware-eam/catalina.properties Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file. Restart the service with the following command: # vmon-cli --restart eam
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet/servlet-name[text()="default"]/../init-param/param-name[text()="readonly"]/../param-value[text()="false"]' - Expected result: XPath set is empty If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml Navigate to the /<web-apps>/<servlet>/<servlet-name>default</servlet-name>/ node and remove the following node: <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart eam