Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMware vSphere 8.0 vCenter Appliance Envoy Security Technical Implementation Guide

V2R1 · · · Released 01 Aug 2024 · 5 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 31 Oct 2023 No substantive changes

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

No substantive changes detected against the previous release. 5 rules matched cleanly.

Sort by
b
The vCenter Envoy and Rhttpproxy service log files permissions must be set correctly.
AU-9 - Medium - CCI-000162 - V-259161 - SV-259161r960930_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
VCRP-80-000019
Vuln IDs
  • V-259161
Rule IDs
  • SV-259161r960930_rule
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, usernames, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by nonprivileged users. Satisfies: SRG-APP-000118-WSR-000068, SRG-APP-000119-WSR-000069, SRG-APP-000120-WSR-000070
Checks: C-62901r935385_chk

At the command prompt, run the following commands: # find /var/log/vmware/rhttpproxy/ -xdev -type f -a '(' -perm -o+w -o -not -user rhttpproxy -o -not -group rhttpproxy ')' -exec ls -ld {} \; # find /var/log/vmware/envoy/ -xdev -type f -a '(' -perm -o+w -o -not -user envoy -o -not -group envoy ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-62810r935386_fix

At the command prompt, run the following commands for rhttpproxy log files: # chmod o-w <file> # chown rhttpproxy:rhttpproxy <file> or At the command prompt, run the following commands for envoy log files: # chmod o-w <file> # chown envoy:envoy <file>

b
The vCenter Envoy service private key file must be protected from unauthorized access.
IA-5 - Medium - CCI-000186 - V-259162 - SV-259162r961041_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000186
Version
VCRP-80-000040
Vuln IDs
  • V-259162
Rule IDs
  • SV-259162r961041_rule
Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the Transport Layer Security (TLS) traffic between a client and the web server.
Checks: C-62902r935388_chk

At the command prompt, run the following command: # stat -c "%n permissions are %a, is owned by %U and group owned by %G" /etc/vmware-rhttpproxy/ssl/rui.key Expected result: /etc/vmware-rhttpproxy/ssl/rui.key permissions are 600, is owned by rhttpproxy and group owned by rhttpproxy If the output does not match the expected result, this is a finding.

Fix: F-62811r935389_fix

At the command prompt, run the following commands: # chmod 600 /etc/vmware-rhttpproxy/ssl/rui.key # chown rhttpproxy:rhttpproxy /etc/vmware-rhttpproxy/ssl/rui.key

b
The vCenter Rhttpproxy service log files must be sent to a central log server.
AU-9 - Medium - CCI-001348 - V-259163 - SV-259163r961395_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
VCRP-80-000073
Vuln IDs
  • V-259163
Rule IDs
  • SV-259163r961395_rule
Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers. Satisfies: SRG-APP-000358-WSR-000063, SRG-APP-000125-WSR-000071
Checks: C-62903r935391_chk

By default, there is a vmware-services-rhttpproxy.conf rsyslog configuration file that includes the service logs when syslog is configured on vCenter, but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-rhttpproxy.conf Expected result: #rhttpproxy log input(type="imfile" File="/var/log/vmware/rhttpproxy/rhttpproxy.log" Tag="rhttpproxy-main" Severity="info" Facility="local0") #rhttpproxy init stdout input(type="imfile" File="/var/log/vmware/rhttpproxy/rproxy_init.log.stdout" Tag="rhttpproxy-stdout" Severity="info" Facility="local0") #rhttpproxy init stderr input(type="imfile" File="/var/log/vmware/rhttpproxy/rproxy_init.log.stderr" Tag="rhttpproxy-stderr" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding.

Fix: F-62812r935392_fix

Navigate to and open: /etc/vmware-syslog/vmware-services-rhttpproxy.conf Create the file if it does not exist. Set the contents of the file as follows: #rhttpproxy log input(type="imfile" File="/var/log/vmware/rhttpproxy/rhttpproxy.log" Tag="rhttpproxy-main" Severity="info" Facility="local0") #rhttpproxy init stdout input(type="imfile" File="/var/log/vmware/rhttpproxy/rproxy_init.log.stdout" Tag="rhttpproxy-stdout" Severity="info" Facility="local0") #rhttpproxy init stderr input(type="imfile" File="/var/log/vmware/rhttpproxy/rproxy_init.log.stderr" Tag="rhttpproxy-stderr" Severity="info" Facility="local0")

b
The vCenter Envoy service log files must be sent to a central log server.
AU-4 - Medium - CCI-001851 - V-259164 - SV-259164r961395_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
VCRP-80-000097
Vuln IDs
  • V-259164
Rule IDs
  • SV-259164r961395_rule
Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.
Checks: C-62904r935394_chk

By default, there is a vmware-services-envoy.conf rsyslog configuration file that includes the service logs when syslog is configured on vCenter, but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-envoy.conf Expected result: #envoy service log input(type="imfile" File="/var/log/vmware/envoy/envoy.log" Tag="envoy-main" Severity="info" Facility="local0") #envoy access log input(type="imfile" File="/var/log/vmware/envoy/envoy-access.log" Tag="envoy-access" Severity="info" Facility="local0") #envoy init stdout input(type="imfile" File="/var/log/vmware/envoy/envoy_init.log.stdout" Tag="envoy-stdout" Severity="info" Facility="local0") #envoy init stderr input(type="imfile" File="/var/log/vmware/envoy/envoy_init.log.stderr" Tag="envoy-stderr" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding.

Fix: F-62813r935395_fix

Navigate to and open: /etc/vmware-syslog/vmware-services-envoy.conf Create the file if it does not exist. Set the contents of the file as follows: #envoy service log input(type="imfile" File="/var/log/vmware/envoy/envoy.log" Tag="envoy-main" Severity="info" Facility="local0") #envoy access log input(type="imfile" File="/var/log/vmware/envoy/envoy-access.log" Tag="envoy-access" Severity="info" Facility="local0") #envoy init stdout input(type="imfile" File="/var/log/vmware/envoy/envoy_init.log.stdout" Tag="envoy-stdout" Severity="info" Facility="local0") #envoy init stderr input(type="imfile" File="/var/log/vmware/envoy/envoy_init.log.stderr" Tag="envoy-stderr" Severity="info" Facility="local0")

b
The vCenter Envoy service must set a limit on remote connections.
AC-10 - Medium - CCI-000054 - V-259165 - SV-259165r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
VCRP-80-000098
Vuln IDs
  • V-259165
Rule IDs
  • SV-259165r960735_rule
Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack where connections are created en masse and vCenter resources are entirely consumed. Envoy comes hard coded with a tested and supported value for "maxRemoteHttpsConnections" and "maxRemoteHttpConnections" that must be verified and maintained.
Checks: C-62905r935397_chk

At the command prompt, run the following commands: # xmllint --xpath '/config/envoy/L4Filter/maxRemoteHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml # xmllint --xpath '/config/envoy/L4Filter/maxRemoteHttpConnections/text()' /etc/vmware-rhttpproxy/config.xml Example result: 2048 or XPath set is empty If the output is not "2048" or "XPath set it empty", this is a finding. Note: If "XPath set is empty" is returned the default values are in effect and is 2048.

Fix: F-62814r935398_fix

Navigate to and open: /etc/vmware-rhttpproxy/config.xml Locate the <config>/<envoy>/<L4Filter> block and configure it as follows: <maxRemoteHttpsConnections>2048</maxRemoteHttpsConnections> <maxRemoteHttpConnections>2048</maxRemoteHttpConnections> Restart the service for changes to take effect. # vmon-cli --restart rhttpproxy