Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Executor[@name="tomcatThreadPool"]/@maxThreads' /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: maxThreads="300" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to the <Executor> node with the name of tomcatThreadPool and configure with the value "maxThreads="300"". Note: The <Executor> node should be configured similar to the following: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: <secure>true</secure> If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Navigate to the <session-config> node and configure the <secure> setting as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/lookupsvc.json Expected output: "StreamRedirectFile": "%VMWARE_LOG_DIR%/vmware/lookupsvc/lookupsvc_stream.log", If no log file is specified for the "StreamRedirectFile" setting, this is a finding.
Navigate to and open: /etc/vmware/vmware-vmon/svcCfgfiles/lookupsvc.json Below the last line of the "PreStartCommandArg" block, add the following line: "StreamRedirectFile": "%VMWARE_LOG_DIR%/vmware/lookupsvc/lookupsvc_stream.log", Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-lookupsvc/conf/server.xml Example result: pattern="%t %I [Request] &quot;%{User-Agent}i&quot; %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - &quot;%r&quot; %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]" Required elements: %h %{X-Forwarded-For}i %l %t %u &quot;%r&quot; %s %b If the log pattern does not contain the required elements in any order, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows: pattern="%t %I [Request] "%{User-Agent}i" %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - "%r" %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]" Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # find /var/log/vmware/lookupsvc/ -xdev ! -name lookupsvc-init.log ! -name lookupsvc-prestart.log -type f -a '(' -perm -o+w -o -not -user lookupsvc -o -not -group lookupsvc ')' -exec ls -ld {} \; If any files are returned, this is a finding.
At the command prompt, run the following commands: # chmod o-w <file> # chown lookupsvc:lookupsvc <file> Note: Substitute <file> with the listed file.
At the command prompt, run the following command: # xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-lookupsvc/conf/server.xml Example result: <Listener className="org.apache.catalina.security.SecurityListener"/> If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding. If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and is not "0007", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to the <Server> node and add or update the "org.apache.catalina.security.SecurityListener" as follows: <Listener className="org.apache.catalina.security.SecurityListener"/> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//Connector[@allowTrace = 'true']" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting. Note: If "allowTrace" is not present, it defaults to "false". Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//Connector[(@port = '0') or not(@address)]" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to the <Connector> node and configure the port and address as follows: port="${bio-custom.http.port}" address="localhost" Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command line, run the following command: # grep RECYCLE_FACADES /usr/lib/vmware-lookupsvc/conf/catalina.properties Example result: org.apache.catalina.connector.RECYCLE_FACADES=true If "org.apache.catalina.connector.RECYCLE_FACADES" is not set to "true", this is a finding. If the "org.apache.catalina.connector.RECYCLE_FACADES" setting does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.RECYCLE_FACADES=true Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command line, run the following command: # grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-lookupsvc/conf/catalina.properties Example result: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true If there are no results, or if the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" is not set to "true", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/catalina.properties Add or change the following line: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//Connector[@URIEncoding != 'UTF-8'] | //Connector[not[@URIEncoding]]" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Configure the <Connector> node with the value: URIEncoding="UTF-8" Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]' /usr/lib/vmware-lookupsvc/conf/server.xml Example result: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> If the "ErrorReportValve" element is not defined or "showServerInfo" is not set to "false", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Locate the following Host block: <Host ...> ... </Host> Inside this block, add or update the following on a new line: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' - Example result: <session-timeout>30</session-timeout> If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Navigate to the <session-config> node and configure the <session-timeout> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart lookupsvc
By default, a vmware-services-lookupsvc.conf rsyslog configuration file that includes the service logs when syslog is configured on vCenter, but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-lookupsvc.conf Expected result: #catalina input(type="imfile" File="/var/log/vmware/lookupsvc/tomcat/catalina.*.log" Tag="lookupsvc-tc-catalina" Severity="info" Facility="local0") #localhost input(type="imfile" File="/var/log/vmware/lookupsvc/tomcat/localhost.*.log" Tag="lookupsvc-tc-localhost" Severity="info" Facility="local0") #localhost_access_log input(type="imfile" File="/var/log/vmware/lookupsvc/tomcat/localhost_access.log" Tag="lookupsvc-localhost_access" Severity="info" Facility="local0") #lookupsvc-init input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc-init.log" Tag="lookupsvc-init" Severity="info" Facility="local0") #prestart input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc-prestart.log" Tag="lookupsvc-prestart" Severity="info" Facility="local0") #health input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc-health.log" Tag="lookupsvc-health" Severity="info" Facility="local0") #lookupserver-default input(type="imfile" File="/var/log/vmware/lookupsvc/lookupserver-default.log" Tag="lookupsvc-lookupserver-default" Severity="info" Facility="local0") #lookupsvc_stream.log.std input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc_stream.log.std*" Tag="lookupsvc-std" Severity="info" Facility="local0") #ls-gc input(type="imfile" File="/var/log/vmware/lookupsvc/vmware-lookupsvc-gc.log.*.current" Tag="lookupsvc-gc" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding.
Navigate to and open: /etc/vmware-syslog/vmware-services-lookupsvc.conf Create the file if it does not exist. Set the contents of the file as follows: #catalina input(type="imfile" File="/var/log/vmware/lookupsvc/tomcat/catalina.*.log" Tag="lookupsvc-tc-catalina" Severity="info" Facility="local0") #localhost input(type="imfile" File="/var/log/vmware/lookupsvc/tomcat/localhost.*.log" Tag="lookupsvc-tc-localhost" Severity="info" Facility="local0") #localhost_access_log input(type="imfile" File="/var/log/vmware/lookupsvc/tomcat/localhost_access.log" Tag="lookupsvc-localhost_access" Severity="info" Facility="local0") #lookupsvc-init input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc-init.log" Tag="lookupsvc-init" Severity="info" Facility="local0") #prestart input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc-prestart.log" Tag="lookupsvc-prestart" Severity="info" Facility="local0") #health input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc-health.log" Tag="lookupsvc-health" Severity="info" Facility="local0") #lookupserver-default input(type="imfile" File="/var/log/vmware/lookupsvc/lookupserver-default.log" Tag="lookupsvc-lookupserver-default" Severity="info" Facility="local0") #lookupsvc_stream.log.std input(type="imfile" File="/var/log/vmware/lookupsvc/lookupsvc_stream.log.std*" Tag="lookupsvc-std" Severity="info" Facility="local0") #ls-gc input(type="imfile" File="/var/log/vmware/lookupsvc/vmware-lookupsvc-gc.log.*.current" Tag="lookupsvc-gc" Severity="info" Facility="local0")
At the command line, run the following command: # grep STRICT_SERVLET_COMPLIANCE /usr/lib/vmware-lookupsvc/conf/catalina.properties Example result: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true If there are no results, or if the "org.apache.catalina.STRICT_SERVLET_COMPLIANCE" is not set to "true", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/catalina.properties Add or change the following line: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true Restart the service with the following command: # vmon-cli --restart lookupsvc
The connection timeout should not be disabled by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@connectionTimeout = '-1']" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Configure the <Connector> node with the value: connectionTimeout="60000" Restart the service with the following command: # vmon-cli --restart lookupsvc
The connection timeout should not be unlimited by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Configure the <Connector> node with the value: maxKeepAliveRequests="50" Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'setCharacterEncodingFilter')]/parent::*" /usr/lib/vmware-lookupsvc/conf/web.xml Expected result: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> </filter> If the output is does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Configure the <web-app> node with the child nodes listed below: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> </filter> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/http-only' - Expected result: <http-only>true</http-only> If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Navigate to the <session-config> node and configure the <http-only> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'DefaultServlet')]/parent::*" /usr/lib/vmware-lookupsvc/conf/web.xml Example output: <servlet> <description>File servlet</description> <servlet-name>FileServlet</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> </servlet> If the "readOnly" param-value for the "DefaultServlet" servlet class is set to "false", this is a finding. If the "readOnly" param-value does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Navigate to the /<web-apps>/<servlet>/<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>/ node and remove the following node: <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following commands: # xmllint --xpath "//Server/@port" /usr/lib/vmware-lookupsvc/conf/server.xml # grep 'base.shutdown.port' /usr/lib/vmware-lookupsvc/conf/catalina.properties Example results: port="${base.shutdown.port}" base.shutdown.port=-1 If "port" does not equal "${base.shutdown.port}", this is a finding. If "base.shutdown.port" does not equal "-1", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/catalina.properties Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file. Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Configure the <Server> node with the value: port="${base.shutdown.port}" Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' - Example result: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> If the "debug" parameter is specified and is not "0", this is a finding. If the "debug" parameter does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the following: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' - Example result: XPath set is empty If the "listings" parameter is specified and is not "false", this is a finding. If the "listings" parameter does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/web.xml Find and remove the entire block returned in the check. Example: <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//Host/@deployXML" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: deployXML="false" If "deployXML" does not equal "false", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to the <Host> node and configure with the value "deployXML="false"". Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//Host/@autoDeploy" /usr/lib/vmware-lookupsvc/conf/server.xml Expected result: autoDeploy="false" If "autoDeploy" does not equal "false", this is a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to the <Host> node and configure with the value "autoDeploy="false"". Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # xmllint --xpath "//Connector/@xpoweredBy" /usr/lib/vmware-lookupsvc/conf/server.xml Example result: XPath set is empty If the "xpoweredBy" parameter is specified and is not "false", this is a finding. If the "xpoweredBy" parameter does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/server.xml Navigate to the <Connector> node and remove the "xpoweredBy" attribute. Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/examples If the examples folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/examples
At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/ROOT If the ROOT web application contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/ROOT/*
At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/docs If the "docs" folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/docs
At the command prompt, run the following command: # find /usr/lib/vmware-lookupsvc/ -xdev -type f -a '(' -perm -o+w -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.
At the command prompt, run the following commands: # chmod o-w <file> # chown root:root <file> Note: Substitute <file> with the listed file.
At the command line, run the following command: # grep ALLOW_BACKSLASH /usr/lib/vmware-lookupsvc/conf/catalina.properties Example result: org.apache.catalina.connector.ALLOW_BACKSLASH=false If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding. If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.ALLOW_BACKSLASH=false Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command line, run the following command: # grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-lookupsvc/conf/catalina.properties Example result: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding. If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-lookupsvc/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true Restart the service with the following command: # vmon-cli --restart lookupsvc
At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/manager If the manager folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/manager
At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/host-manager If the host-manager folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/host-manager