VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2023-10-29
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
b
The vCenter Perfcharts service must limit the number of maximum concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-259071 - SV-259071r934871_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCPF-80-000001
Vuln IDs
  • V-259071
Rule IDs
  • SV-259071r934871_rule
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. In Tomcat, each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute. Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000435-AS-000163
Checks: C-62811r934869_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Executor[@name="tomcatThreadPool"]/@maxThreads' /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: maxThreads="300" If the output does not match the expected result, this is a finding.

Fix: F-62720r934870_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to the <Executor> node with the name of tomcatThreadPool and configure with the value "maxThreads="300"". Note: The <Executor> node should be configured similar to the following: <Executor maxThreads="300" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service cookies must have secure flag set.
AC-3 - Medium - CCI-000213 - V-259072 - SV-259072r934874_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCPF-80-000005
Vuln IDs
  • V-259072
Rule IDs
  • SV-259072r934874_rule
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
Checks: C-62812r934872_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: &lt;secure&gt;true&lt;/secure&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-62721r934873_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Navigate to the <session-config> node and configure the <secure> setting as follows: <session-config> <session-timeout>6</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must initiate session logging upon startup.
AU-14 - Medium - CCI-001464 - V-259073 - SV-259073r934877_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
VCPF-80-000013
Vuln IDs
  • V-259073
Rule IDs
  • SV-259073r934877_rule
Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged.
Checks: C-62813r934875_chk

At the command prompt, run the following command: # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/perfcharts.json Expected output: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/perfcharts/vmware-perfcharts-runtime.log", If no log file is specified for the "StreamRedirectFile" setting, this is a finding.

Fix: F-62722r934876_fix

Navigate to and open: /etc/vmware/vmware-vmon/svcCfgfiles/perfcharts.json Below the last line of the "PreStartCommandArg" block, add the following line: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/perfcharts/vmware-perfcharts-runtime.log", Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must produce log records containing sufficient information regarding event details.
AC-17 - Medium - CCI-000067 - V-259074 - SV-259074r935472_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VCPF-80-000014
Vuln IDs
  • V-259074
Rule IDs
  • SV-259074r935472_rule
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Tomcat can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The "AccessLogValve" creates log files in the same format as those created by standard web servers. When "AccessLogValve" is properly configured, log files will contain all the forensic information necessary in the case of a security incident. Satisfies: SRG-APP-000095-AS-000056, SRG-APP-000016-AS-000013, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000090-AS-000051, SRG-APP-000091-AS-000052, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000343-AS-000030, SRG-APP-000375-AS-000211, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228
Checks: C-62814r934878_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Example result: pattern="%h %{X-Forwarded-For}i %l %u %t &amp;quot;%r&amp;quot; %s %b &amp;quot;%{User-Agent}i&amp;quot;" Required elements: %h %{X-Forwarded-For}i %l %t %u &amp;quot;%r&amp;quot; %s %b If the log pattern does not contain the required elements in any order, this is a finding.

Fix: F-62723r934879_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows: pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b &quot;%{User-Agent}i&quot;" Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service logs folder permissions must be set correctly.
AU-9 - Medium - CCI-000162 - V-259075 - SV-259075r934883_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VCPF-80-000025
Vuln IDs
  • V-259075
Rule IDs
  • SV-259075r934883_rule
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will take is the modification or deletion of log records to cover tracks and prolong discovery. The web server must protect the log data from unauthorized modification. Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080
Checks: C-62815r934881_chk

At the command prompt, run the following command: # find /var/log/vmware/perfcharts/ -xdev -type f -a '(' -perm -o+w -o -not -user perfcharts -o -not -group users ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-62724r934882_fix

At the command prompt, run the following commands: # chmod o-w <file> # chown perfcharts:users <file> Note: Substitute <file> with the listed file.

b
The vCenter Perfcharts service must limit privileges for creating or modifying hosted application shared files.
CM-5 - Medium - CCI-001499 - V-259076 - SV-259076r934886_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
VCPF-80-000034
Vuln IDs
  • V-259076
Rule IDs
  • SV-259076r934886_rule
Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that nonprivileged users cannot modify any shared library code at all. Ensuring the Security Lifecycle Listener element is uncommented and sets a minimum Umask value will allow the server to perform a number of security checks when starting and prevent the service from starting if they fail.
Checks: C-62816r934884_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Example result: &lt;Listener className="org.apache.catalina.security.SecurityListener"/&gt; If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding. If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and is not "0007", this is a finding.

Fix: F-62725r934885_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to the <Server> node and add or update the "org.apache.catalina.security.SecurityListener" as follows: <Listener className="org.apache.catalina.security.SecurityListener"/> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must disable stack tracing.
CM-7 - Medium - CCI-000381 - V-259077 - SV-259077r934889_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000036
Vuln IDs
  • V-259077
Rule IDs
  • SV-259077r934889_rule
Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information to the requestor, which could result in the loss of sensitive information or data that could be used to compromise the system.
Checks: C-62817r934887_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector[@allowTrace = 'true']" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62726r934888_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting. Note: If "allowTrace" is not present, it defaults to "false". Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must be configured to use a specified IP address and port.
CM-7 - Medium - CCI-000382 - V-259078 - SV-259078r934892_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VCPF-80-000037
Vuln IDs
  • V-259078
Rule IDs
  • SV-259078r934892_rule
The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for server to use, the server will listen on all IP addresses available. Accessing the hosted application through an IP address normally used for nonapplication functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Checks: C-62818r934890_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector[(@port = '0') or not(@address)]" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62727r934891_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to the <Connector> node and configure the port and address as follows. port="${bio.http.port}" address="localhost" Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must be configured to limit data exposure between applications.
SC-23 - Medium - CCI-001664 - V-259079 - SV-259079r934895_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
VCPF-80-000057
Vuln IDs
  • V-259079
Rule IDs
  • SV-259079r934895_rule
If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another.
Checks: C-62819r934893_chk

At the command line, run the following command: # grep RECYCLE_FACADES /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example result: org.apache.catalina.connector.RECYCLE_FACADES=true If "org.apache.catalina.connector.RECYCLE_FACADES" is not set to "true", this is a finding. If the "org.apache.catalina.connector.RECYCLE_FACADES" setting does not exist, this is not a finding.

Fix: F-62728r934894_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.RECYCLE_FACADES=true Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must be configured to fail to a known safe state if system initialization fails.
SC-24 - Medium - CCI-001190 - V-259080 - SV-259080r934898_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VCPF-80-000062
Vuln IDs
  • V-259080
Rule IDs
  • SV-259080r934898_rule
Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web server is hosting. It is preferable that the service abort startup on any initialization failure rather than continuing in a degraded, and potentially insecure, state.
Checks: C-62820r934896_chk

At the command line, run the following command: # grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example result: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true If there are no results, or if the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" is not set to "true", this is a finding.

Fix: F-62729r934897_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Add or change the following line: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must set URIEncoding to UTF-8.
SI-10 - Medium - CCI-001310 - V-259081 - SV-259081r934901_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCPF-80-000065
Vuln IDs
  • V-259081
Rule IDs
  • SV-259081r934901_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or bypass security checks.
Checks: C-62821r934899_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector[@URIEncoding != 'UTF-8'] | //Connector[not[@URIEncoding]]" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62730r934900_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Configure the <Connector> node with the value: URIEncoding="UTF-8" Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service "ErrorReportValve showServerInfo" must be set to "false".
SI-11 - Medium - CCI-001312 - V-259082 - SV-259082r934904_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCPF-80-000067
Vuln IDs
  • V-259082
Rule IDs
  • SV-259082r934904_rule
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return predefined static HTML pages for specific status codes and/or exception types. Disabling "showServerInfo" will only return the HTTP status code and remove all CSS from the default nonerror-related HTTP responses.
Checks: C-62822r934902_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]' /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Example result: &lt;Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/&gt; If the "ErrorReportValve" element is not defined or "showServerInfo" is not set to "false", this is a finding.

Fix: F-62731r934903_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Locate the following Host block: <Host ...> ... </Host> Inside this block, add or update the following on a new line: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must set an inactive timeout for sessions.
IA-11 - Medium - CCI-002038 - V-259083 - SV-259083r934907_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
VCPF-80-000070
Vuln IDs
  • V-259083
Rule IDs
  • SV-259083r934907_rule
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
Checks: C-62823r934905_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' - Example result: &lt;session-timeout&gt;6&lt;/session-timeout&gt; If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.

Fix: F-62732r934906_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Navigate to the <session-config> node and configure the <session-timeout> as follows: <session-config> <session-timeout>6</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must offload log records onto a different system or media from the system being logged.
AU-4 - Medium - CCI-001851 - V-259084 - SV-259084r934910_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VCPF-80-000081
Vuln IDs
  • V-259084
Rule IDs
  • SV-259084r934910_rule
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, and access control or flow control rules invoked. Offloading is a common process in information systems with limited log storage capacity. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to offload log records onto a different system or media than the system being logged.
Checks: C-62824r934908_chk

By default, a vmware-services-perfcharts.conf rsyslog configuration file includes the service logs when syslog is configured on vCenter, but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-perfcharts.conf Expected result: #stats input(type="imfile" File="/var/log/vmware/perfcharts/stats.log" Tag="perfcharts-stats" Severity="info" Facility="local0") #localhost_access_log input(type="imfile" File="/var/log/vmware/perfcharts/localhost_access_log.txt" Tag="perfcharts-localhost_access" Severity="info" Facility="local0") #vmware-perfcharts-gc.log input(type="imfile" File="/var/log/vmware/perfcharts/vmware-perfcharts-gc.log.*.current" Tag="perfcharts-gc" Severity="info" Facility="local0") #vmware-perfcharts-runtime.log input(type="imfile" File="/var/log/vmware/perfcharts/vmware-perfcharts-runtime.log.std*" Tag="perfcharts-runtime" Severity="info" Facility="local0") #tomcat/catalina_log input(type="imfile" File="/var/log/vmware/perfcharts/tomcat/catalina.*.log" Tag="perfcharts-tomcat-catalina" Severity="info" Facility="local0") #tomcat/localhost_log input(type="imfile" File="/var/log/vmware/perfcharts/tomcat/localhost.*.log" Tag="perfcharts-tomcat-localhost" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding.

Fix: F-62733r934909_fix

Navigate to and open: /etc/vmware-syslog/vmware-services-perfcharts.conf Create the file if it does not exist. Set the contents of the file as follows: #stats input(type="imfile" File="/var/log/vmware/perfcharts/stats.log" Tag="perfcharts-stats" Severity="info" Facility="local0") #localhost_access_log input(type="imfile" File="/var/log/vmware/perfcharts/localhost_access_log.txt" Tag="perfcharts-localhost_access" Severity="info" Facility="local0") #vmware-perfcharts-gc.log input(type="imfile" File="/var/log/vmware/perfcharts/vmware-perfcharts-gc.log.*.current" Tag="perfcharts-gc" Severity="info" Facility="local0") #vmware-perfcharts-runtime.log input(type="imfile" File="/var/log/vmware/perfcharts/vmware-perfcharts-runtime.log.std*" Tag="perfcharts-runtime" Severity="info" Facility="local0") #tomcat/catalina_log input(type="imfile" File="/var/log/vmware/perfcharts/tomcat/catalina.*.log" Tag="perfcharts-tomcat-catalina" Severity="info" Facility="local0") #tomcat/localhost_log input(type="imfile" File="/var/log/vmware/perfcharts/tomcat/localhost.*.log" Tag="perfcharts-tomcat-localhost" Severity="info" Facility="local0")

b
The vCenter Perfcharts service must enable "STRICT_SERVLET_COMPLIANCE".
CM-6 - Medium - CCI-000366 - V-259085 - SV-259085r934913_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCPF-80-000124
Vuln IDs
  • V-259085
Rule IDs
  • SV-259085r934913_rule
Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP session management. This setting affects several other settings that primarily pertain to cookie headers, cookie values, and sessions. Cookies will be parsed for strict adherence to specifications. Note that changing a number of these default settings may break some systems, as some browsers are unable to correctly handle the cookie headers that result from a strict adherence to the specifications. This one setting changes the default values for the following settings: org.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH org.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT org.apache.catalina.core.StandardHostValve.ACCESS_SESSION org.apache.catalina.session.StandardSession.ACTIVITY_CHECK org.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START org.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING The "resourceOnlyServlets" attribute of any Context element. The "tldValidation" attribute of any Context element. The "useRelativeRedirects" attribute of any Context element. The "xmlNamespaceAware" attribute of any Context element. The "xmlValidation" attribute of any Context element.
Checks: C-62825r934911_chk

At the command line, run the following command: # grep STRICT_SERVLET_COMPLIANCE /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example result: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true If there are no results, or if the "org.apache.catalina.STRICT_SERVLET_COMPLIANCE" is not set to "true", this is a finding.

Fix: F-62734r934912_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Add or change the following line: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
AC-10 - Medium - CCI-000054 - V-259086 - SV-259086r934916_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCPF-80-000125
Vuln IDs
  • V-259086
Rule IDs
  • SV-259086r934916_rule
Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. In Tomcat, the "connectionTimeout" attribute sets the number of milliseconds the server will wait after accepting a connection for the request Uniform Resource Identifier (URI) line to be presented. This timeout will also be used when reading the request body (if any). This prevents idle sockets that are not sending HTTP requests from consuming system resources and potentially denying new connections.
Checks: C-62826r934914_chk

The connection timeout should not be disabled by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@connectionTimeout = '-1']" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62735r934915_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Configure the <Connector> node with the value: connectionTimeout="20000" Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
AC-10 - Medium - CCI-000054 - V-259087 - SV-259087r934919_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCPF-80-000126
Vuln IDs
  • V-259087
Rule IDs
  • SV-259087r934919_rule
KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. Tomcat can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client.
Checks: C-62827r934917_chk

The connection timeout should not be unlimited by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62736r934918_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Configure the <Connector> node with the value: maxKeepAliveRequests="15" Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must configure the "setCharacterEncodingFilter" filter.
SI-10 - Medium - CCI-001310 - V-259088 - SV-259088r934922_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCPF-80-000127
Vuln IDs
  • V-259088
Rule IDs
  • SV-259088r934922_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. VMware uses the standard Tomcat "SetCharacterEncodingFilter" to provide a layer of defense against character encoding attacks. Filters are Java objects that perform filtering tasks on the request to a resource (a servlet or static content), on the response from a resource, or both.
Checks: C-62828r934920_chk

At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'setCharacterEncodingFilter')]/parent::*" /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Expected result: &lt;filter-mapping&gt; &lt;filter-name&gt;setCharacterEncodingFilter&lt;/filter-name&gt; &lt;url-pattern&gt;/*&lt;/url-pattern&gt; &lt;/filter-mapping&gt; &lt;filter&gt; &lt;filter-name&gt;setCharacterEncodingFilter&lt;/filter-name&gt; &lt;filter-class&gt;org.apache.catalina.filters.SetCharacterEncodingFilter&lt;/filter-class&gt; &lt;async-supported&gt;true&lt;/async-supported&gt; &lt;init-param&gt; &lt;param-name&gt;encoding&lt;/param-name&gt; &lt;param-value&gt;UTF-8&lt;/param-value&gt; &lt;/init-param&gt; &lt;init-param&gt; &lt;param-name&gt;ignore&lt;/param-name&gt; &lt;param-value&gt;true&lt;/param-value&gt; &lt;/init-param&gt; &lt;/filter&gt; If the output is does not match the expected result, this is a finding.

Fix: F-62737r934921_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Configure the <web-app> node with the child nodes listed below: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> </filter> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service cookies must have "http-only" flag set.
AC-3 - Medium - CCI-000213 - V-259089 - SV-259089r934925_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCPF-80-000129
Vuln IDs
  • V-259089
Rule IDs
  • SV-259089r934925_rule
Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. When a cookie is tagged with the "HttpOnly" flag, it tells the browser this particular cookie should only be accessed by the originating server. Any attempt to access the cookie from client script is strictly forbidden.
Checks: C-62829r934923_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/http-only' - Expected result: &lt;http-only&gt;true&lt;/http-only&gt; If the output does not match the expected result, this is a finding.

Fix: F-62738r934924_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Navigate to the <session-config> node and configure the <http-only> as follows: <session-config> <session-timeout>6</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
AC-3 - Medium - CCI-000213 - V-259090 - SV-259090r934928_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCPF-80-000130
Vuln IDs
  • V-259090
Rule IDs
  • SV-259090r934928_rule
The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resources as well as directory listings. The DefaultServlet is configured by default with the "readonly" parameter set to "true" where HTTP commands such as PUT and DELETE are rejected. Changing this to "false" allows clients to delete or modify static resources on the server and to upload new resources. DefaultServlet "readonly" must be set to "true", either literally or by absence (default).
Checks: C-62830r934926_chk

At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'DefaultServlet')]/parent::*" /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Example output: &lt;servlet&gt; &lt;description&gt;File servlet&lt;/description&gt; &lt;servlet-name&gt;FileServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;org.apache.catalina.servlets.DefaultServlet&lt;/servlet-class&gt; &lt;/servlet&gt; If the "readOnly" param-value for the "DefaultServlet" servlet class is set to "false", this is a finding. If the "readOnly" param-value does not exist, this is not a finding.

Fix: F-62739r934927_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Navigate to the /<web-apps>/<servlet>/<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>/ node and remove the following node: <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service shutdown port must be disabled.
CM-7 - Medium - CCI-000381 - V-259091 - SV-259091r934931_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000134
Vuln IDs
  • V-259091
Rule IDs
  • SV-259091r934931_rule
Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" in $CATALINA_BASE/conf/server.xml instructs Tomcat to not listen for the shutdown command.
Checks: C-62831r934929_chk

At the command prompt, run the following commands: # xmllint --xpath "//Server/@port" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml # grep 'base.shutdown.port' /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example results: port="${base.shutdown.port}" base.shutdown.port=-1 If "port" does not equal "${base.shutdown.port}", this is a finding. If "base.shutdown.port" does not equal "-1", this is a finding.

Fix: F-62740r934930_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file. Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Configure the <Server> node with the value: port="${base.shutdown.port}" Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service debug parameter must be disabled.
CM-7 - Medium - CCI-000381 - V-259092 - SV-259092r934934_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000136
Vuln IDs
  • V-259092
Rule IDs
  • SV-259092r934934_rule
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Because this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.
Checks: C-62832r934932_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' - Example result: &lt;init-param&gt; &lt;param-name&gt;debug&lt;/param-name&gt; &lt;param-value&gt;0&lt;/param-value&gt; &lt;/init-param&gt; If the "debug" parameter is specified and is not "0", this is a finding. If the "debug" parameter does not exist, this is not a finding.

Fix: F-62741r934933_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the following: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service directory listings parameter must be disabled.
CM-7 - Medium - CCI-000381 - V-259093 - SV-259093r934937_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000137
Vuln IDs
  • V-259093
Rule IDs
  • SV-259093r934937_rule
Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. Ensuring that directory listing is disabled is one approach to mitigating the vulnerability. In Tomcat, directory listing is disabled by default but can be enabled via the "listings" parameter. Ensure this node is not present to have the default effect.
Checks: C-62833r934935_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' - Example result: XPath set is empty If the "listings" parameter is specified and is not "false", this is a finding. If the "listings" parameter does not exist, this is not a finding.

Fix: F-62742r934936_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/webapps/statsreport/WEB-INF/web.xml Find and remove the entire block returned in the check. Example: <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service deployXML attribute must be disabled.
CM-7 - Medium - CCI-000381 - V-259094 - SV-259094r934940_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000138
Vuln IDs
  • V-259094
Rule IDs
  • SV-259094r934940_rule
The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a malicious application. Automatic deployment is controlled by the autoDeploy and deployOnStartup attributes. If both are false, only Contexts defined in server.xml will be deployed, and any changes will require a Tomcat restart. In a hosted environment where web applications may not be trusted, set the deployXML attribute to "false" to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled, the deployXML attribute will default to false.
Checks: C-62834r934938_chk

At the command prompt, run the following command: # xmllint --xpath "//Host/@deployXML" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: deployXML="false" If "deployXML" does not equal "false", this is a finding.

Fix: F-62743r934939_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to the <Host> node and configure with the value "deployXML="false"". Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must have Autodeploy disabled.
CM-7 - Medium - CCI-000381 - V-259095 - SV-259095r934943_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000139
Vuln IDs
  • V-259095
Rule IDs
  • SV-259095r934943_rule
Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production.
Checks: C-62835r934941_chk

At the command prompt, run the following command: # xmllint --xpath "//Host/@autoDeploy" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Expected result: autoDeploy="false" If "autoDeploy" does not equal "false", this is a finding.

Fix: F-62744r934942_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to the <Host> node and configure with the value "autoDeploy="false"". Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service xpoweredBy attribute must be disabled.
CM-7 - Medium - CCI-000381 - V-259096 - SV-259096r934946_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000140
Vuln IDs
  • V-259096
Rule IDs
  • SV-259096r934946_rule
Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass server information to clients. The default value for xpoweredBy is "false".
Checks: C-62836r934944_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector/@xpoweredBy" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Example result: XPath set is empty If the "xpoweredBy" parameter is specified and is not "false", this is a finding. If the "xpoweredBy" parameter does not exist, this is not a finding.

Fix: F-62745r934945_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Navigate to the <Connector> node and remove the "xpoweredBy" attribute. Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service example applications must be removed.
CM-7 - Medium - CCI-000381 - V-259097 - SV-259097r934949_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000141
Vuln IDs
  • V-259097
Rule IDs
  • SV-259097r934949_rule
Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files must be deleted.
Checks: C-62837r934947_chk

At the command prompt, run the following command: # ls -l /usr/lib/vmware-perfcharts/tc-instance/webapps/examples If the examples folder exists or contains any content, this is a finding.

Fix: F-62746r934948_fix

At the command prompt, run the following command: # rm -rf /usr/lib/vmware-perfcharts/tc-instance/webapps/examples

b
The vCenter Perfcharts service default documentation must be removed.
CM-7 - Medium - CCI-000381 - V-259098 - SV-259098r934952_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000143
Vuln IDs
  • V-259098
Rule IDs
  • SV-259098r934952_rule
Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.
Checks: C-62838r934950_chk

At the command prompt, run the following command: # ls -l /usr/lib/vmware-perfcharts/tc-instance/webapps/docs If the "docs" folder exists or contains any content, this is a finding.

Fix: F-62747r934951_fix

At the command prompt, run the following command: # rm -rf /usr/lib/vmware-perfcharts/tc-instance/webapps/docs

b
The vCenter Perfcharts service files must have permissions in an out-of-the-box state.
CM-5 - Medium - CCI-001813 - V-259099 - SV-259099r934955_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VCPF-80-000144
Vuln IDs
  • V-259099
Rule IDs
  • SV-259099r934955_rule
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled.
Checks: C-62839r934953_chk

At the command prompt, run the following command: # find /usr/lib/vmware-perfcharts/ -xdev -type f -a '(' -perm -o+w -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-62748r934954_fix

At the command prompt, run the following commands: # chmod o-w <file> # chown root:root <file> Note: Substitute <file> with the listed file.

b
The vCenter Perfcharts service must disable "ALLOW_BACKSLASH".
CM-6 - Medium - CCI-000366 - V-259100 - SV-259100r934958_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCPF-80-000151
Vuln IDs
  • V-259100
Rule IDs
  • SV-259100r934958_rule
When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients.
Checks: C-62840r934956_chk

At the command line, run the following command: # grep ALLOW_BACKSLASH /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example result: org.apache.catalina.connector.ALLOW_BACKSLASH=false If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding. If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.

Fix: F-62749r934957_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.ALLOW_BACKSLASH=false Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
CM-6 - Medium - CCI-000366 - V-259101 - SV-259101r934961_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCPF-80-000152
Vuln IDs
  • V-259101
Rule IDs
  • SV-259101r934961_rule
Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.
Checks: C-62841r934959_chk

At the command line, run the following command: # grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example result: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding. If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.

Fix: F-62750r934960_fix

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true Restart the service with the following command: # vmon-cli --restart perfcharts

b
The vCenter Perfcharts service manager webapp must be removed.
CM-7 - Medium - CCI-000381 - V-259102 - SV-259102r934964_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000154
Vuln IDs
  • V-259102
Rule IDs
  • SV-259102r934964_rule
Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.
Checks: C-62842r934962_chk

At the command prompt, run the following command: # ls -l /usr/lib/vmware-perfcharts/tc-instance/webapps/manager If the manager folder exists or contains any content, this is a finding.

Fix: F-62751r934963_fix

At the command prompt, run the following command: # rm -rf /usr/lib/vmware-perfcharts/tc-instance/webapps/manager

b
The vCenter Perfcharts service host-manager webapp must be removed.
CM-7 - Medium - CCI-000381 - V-259103 - SV-259103r934967_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCPF-80-000155
Vuln IDs
  • V-259103
Rule IDs
  • SV-259103r934967_rule
Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The host-manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.
Checks: C-62843r934965_chk

At the command prompt, run the following command: # ls -l /usr/lib/vmware-perfcharts/tc-instance/webapps/host-manager If the manager folder exists or contains any content, this is a finding.

Fix: F-62752r934966_fix

At the command prompt, run the following command: # rm -rf /usr/lib/vmware-perfcharts/tc-instance/webapps/host-manager