VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2024-07-11
  • Released: 2024-08-01
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The vCenter STS service must limit the number of maximum concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-258970 - SV-258970r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCST-80-000001
Vuln IDs
  • V-258970
Rule IDs
  • SV-258970r960735_rule
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. In Tomcat, each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute. Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000435-AS-000163
Checks: C-62710r934566_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Executor[@name="tomcatThreadPool"]/@maxThreads' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: maxThreads="150" If the output does not match the expected result, this is a finding.

Fix: F-62619r934567_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to the <Executor> node with the name of tomcatThreadPool and configure with the value "maxThreads="150"". Note: The <Executor> node should be configured similar to the following: <Executor maxThreads="150" minSpareThreads="50" name="tomcatThreadPool" namePrefix="tomcat-http--"/> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service cookies must have secure flag set.
AC-3 - Medium - CCI-000213 - V-258972 - SV-258972r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCST-80-000005
Vuln IDs
  • V-258972
Rule IDs
  • SV-258972r960792_rule
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
Checks: C-62712r934572_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: &lt;secure&gt;true&lt;/secure&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-62621r934573_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the <session-config> node and configure the <secure> setting as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must initiate session logging upon startup.
AU-14 - Medium - CCI-001464 - V-258973 - SV-258973r960888_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
VCST-80-000013
Vuln IDs
  • V-258973
Rule IDs
  • SV-258973r960888_rule
Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged.
Checks: C-62713r934575_chk

At the command prompt, run the following command: # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/sts-lin.json Expected output: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/sso/sts-runtime.log", If no log file is specified for the "StreamRedirectFile" setting, this is a finding.

Fix: F-62622r934576_fix

Navigate to and open: /etc/vmware/vmware-vmon/svcCfgfiles/sts-lin.json Below the last line of the "PreStartCommandArg" block, add the following line: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/sso/sts-runtime.log", Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must produce log records containing sufficient information regarding event details.
AC-17 - Medium - CCI-000067 - V-258974 - SV-258974r960891_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VCST-80-000014
Vuln IDs
  • V-258974
Rule IDs
  • SV-258974r960891_rule
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Tomcat can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The "AccessLogValve" creates log files in the same format as those created by standard web servers. When "AccessLogValve" is properly configured, log files will contain all the forensic information necessary in the case of a security incident. Satisfies: SRG-APP-000095-AS-000056, SRG-APP-000016-AS-000013, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000090-AS-000051, SRG-APP-000091-AS-000052, SRG-APP-000343-AS-000030, SRG-APP-000375-AS-000211, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228
Checks: C-62714r934578_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Example result: pattern="%t %I [Request] &amp;quot;%{User-Agent}i&amp;quot; %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - &amp;quot;%r&amp;quot; %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]" Required elements: %h %{X-Forwarded-For}i %l %t %u &amp;quot;%r&amp;quot; %s %b If the log pattern does not contain the required elements in any order, this is a finding.

Fix: F-62623r934579_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows: pattern="%t %I [Request] &quot;%{User-Agent}i&quot; %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - &quot;%r&quot; %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]" Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service logs folder permissions must be set correctly.
AU-9 - Medium - CCI-000162 - V-258975 - SV-258975r960930_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VCST-80-000025
Vuln IDs
  • V-258975
Rule IDs
  • SV-258975r960930_rule
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will take is the modification or deletion of log records to cover tracks and prolong discovery. The web server must protect the log data from unauthorized modification. Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080
Checks: C-62715r934581_chk

At the command prompt, run the following command: # find /var/log/vmware/sso/ -xdev ! -name lookupsvc-init.log ! -name sts-prestart.log -type f -a '(' -perm -o+w -o -not -user sts -o -not -group lwis ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-62624r934582_fix

At the command prompt, run the following commands: # chmod o-w <file> # chown sts:lwis <file> Note: Substitute <file> with the listed file.

b
The vCenter STS service must limit privileges for creating or modifying hosted application shared files.
CM-5 - Medium - CCI-001499 - V-258976 - SV-258976r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
VCST-80-000034
Vuln IDs
  • V-258976
Rule IDs
  • SV-258976r960960_rule
Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that nonprivileged users cannot modify any shared library code at all. Ensuring the Security Lifecycle Listener element is uncommented and sets a minimum Umask value will allow the server to perform a number of security checks when starting and prevent the service from starting if they fail.
Checks: C-62716r934584_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Example result: &lt;Listener className="org.apache.catalina.security.SecurityListener"/&gt; If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding. If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and is not "0007", this is a finding.

Fix: F-62625r934585_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to the <Server> node and add or update the "org.apache.catalina.security.SecurityListener" as follows: <Listener className="org.apache.catalina.security.SecurityListener"/> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must disable stack tracing.
CM-7 - Medium - CCI-000381 - V-258977 - SV-258977r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000036
Vuln IDs
  • V-258977
Rule IDs
  • SV-258977r960963_rule
Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information to the requestor, which could result in the loss of sensitive information or data that could be used to compromise the system.
Checks: C-62717r934587_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector[@allowTrace = 'true']" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62626r934588_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting. Note: If "allowTrace" is not present, it defaults to false. Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must be configured to use a specified IP address and port.
CM-7 - Medium - CCI-000382 - V-258978 - SV-258978r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VCST-80-000037
Vuln IDs
  • V-258978
Rule IDs
  • SV-258978r960966_rule
The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for server to use, the server will listen on all IP addresses available. Accessing the hosted application through an IP address normally used for nonapplication functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Checks: C-62718r934590_chk

At the command prompt, run the following command: # xmllint --xpath '//Connector[not(@port = "${bio-ssl-clientauth.https.port}") and (@port = "0" or not(@address))]' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62627r934591_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml The STS service has 2 connectors with the below pairs of ports and addresses. Navigate to the target <Connector> node and configure the port and address as follows. port="${bio-custom.http.port}" address="localhost" port="${bio-ssl-localhost.https.port}" address="localhost" Restart the service with the following command: # vmon-cli --restart sts Note: The connector with port="${bio-ssl-clientauth.https.port}" should not have address set.

b
The vCenter STS service must be configured to limit data exposure between applications.
SC-23 - Medium - CCI-001664 - V-258979 - SV-258979r961116_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
VCST-80-000057
Vuln IDs
  • V-258979
Rule IDs
  • SV-258979r961116_rule
If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another.
Checks: C-62719r934593_chk

At the command line, run the following command: # grep RECYCLE_FACADES /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Example result: org.apache.catalina.connector.RECYCLE_FACADES=true If "org.apache.catalina.connector.RECYCLE_FACADES" is not set to "true", this is a finding. If the "org.apache.catalina.connector.RECYCLE_FACADES" setting does not exist, this is not a finding.

Fix: F-62628r934594_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.RECYCLE_FACADES=true Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must be configured to fail to a known safe state if system initialization fails.
SC-24 - Medium - CCI-001190 - V-258980 - SV-258980r961122_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VCST-80-000062
Vuln IDs
  • V-258980
Rule IDs
  • SV-258980r961122_rule
Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web server is hosting. It is preferable that the service abort startup on any initialization failure rather than continuing in a degraded, and potentially insecure, state.
Checks: C-62720r934596_chk

At the command line, run the following command: # grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Example result: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true If there are no results, or if the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" is not set to "true", this is a finding.

Fix: F-62629r934597_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Add or change the following line: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must set URIEncoding to UTF-8.
SI-10 - Medium - CCI-001310 - V-258981 - SV-258981r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCST-80-000065
Vuln IDs
  • V-258981
Rule IDs
  • SV-258981r961158_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or bypass security checks.
Checks: C-62721r934599_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector[@URIEncoding != 'UTF-8'] | //Connector[not[@URIEncoding]]" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62630r934600_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Configure the <Connector> node with the value: URIEncoding="UTF-8" Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service "ErrorReportValve showServerInfo" must be set to "false".
SI-11 - Medium - CCI-001312 - V-258982 - SV-258982r961167_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCST-80-000067
Vuln IDs
  • V-258982
Rule IDs
  • SV-258982r961167_rule
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return predefined static HTML pages for specific status codes and/or exception types. Disabling "showServerInfo" will only return the HTTP status code and remove all CSS from the default nonerror-related HTTP responses.
Checks: C-62722r934602_chk

At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Example result: &lt;Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/&gt; If the "ErrorReportValve" element is not defined or "showServerInfo" is not set to "false", this is a finding.

Fix: F-62631r934603_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Locate the following Host block: <Host ...> ... </Host> Inside this block, add or update the following on a new line: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must set an inactive timeout for sessions.
- Medium - CCI-004895 - V-258983 - SV-258983r1003673_rule
RMF Control
Severity
Medium
CCI
CCI-004895
Version
VCST-80-000070
Vuln IDs
  • V-258983
Rule IDs
  • SV-258983r1003673_rule
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
Checks: C-62723r934605_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' - Example result: &lt;session-timeout&gt;30&lt;/session-timeout&gt; If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.

Fix: F-62632r934606_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the <session-config> node and configure the <session-timeout> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must offload log records onto a different system or media from the system being logged.
AU-4 - Medium - CCI-001851 - V-258984 - SV-258984r961395_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VCST-80-000081
Vuln IDs
  • V-258984
Rule IDs
  • SV-258984r961395_rule
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, and access control or flow control rules invoked. Offloading is a common process in information systems with limited log storage capacity. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to offload log records onto a different system or media than the system being logged.
Checks: C-62724r934608_chk

By default, a vmware-services-sso-services.conf rsyslog configuration file includes the service logs when syslog is configured on vCenter, but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-sso-services.conf Expected result: #vmidentity logs input(type="imfile" File="/var/log/vmware/sso/activedirectoryservice.log" Tag="activedirectoryservice" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/lookupsvc-init.log" Tag="ssolookupsvc-init" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/openidconnect.log" Tag="openidconnect" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/ssoAdminServer.log" Tag="ssoadminserver" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/svcaccountmgmt.log" Tag="svcaccountmgmt" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/tokenservice.log" Tag="tokenservice" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") #sts health log input(type="imfile" File="/var/log/vmware/sso/sts-health-status.log" Tag="sts-health-status" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2} [[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2},[[:digit:]]{0,4}" Facility="local0") #sts runtime log stdout input(type="imfile" File="/var/log/vmware/sso/sts-runtime.log.stdout" Tag="sts-runtime-stdout" PersistStateInterval="200" Severity="info" Facility="local0") #sts runtime log stderr input(type="imfile" File="/var/log/vmware/sso/sts-runtime.log.stderr" Tag="sts-runtime-stderr" PersistStateInterval="200" Severity="info" Facility="local0") #gclogFile.0.current log input(type="imfile" File="/var/log/vmware/sso/gclogFile.*.current" Tag="gclog" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}+[[:digit:]]{0,4}" Facility="local0") #identity sts default input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts-default.log" Tag="sso-identity-sts-default" PersistStateInterval="200" Severity="info" Facility="local0") #identity sts input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts.log" Tag="sso-identity-sts" PersistStateInterval="200" Severity="info" Facility="local0") #identity perf input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts-perf.log" Tag="sso-identity-perf" PersistStateInterval="200" Severity="info" Facility="local0") #identity prestart input(type="imfile" File="/var/log/vmware/sso/sts-prestart.log" Tag="sso-identity-prestart" PersistStateInterval="200" Severity="info" Facility="local0") #rest idm input(type="imfile" File="/var/log/vmware/sso/vmware-rest-idm.log" Tag="sso-rest-idm" PersistStateInterval="200" Severity="info" Facility="local0") #rest vmdir input(type="imfile" File="/var/log/vmware/sso/vmware-rest-vmdir.log" Tag="sso-rest-vmdir" PersistStateInterval="200" Severity="info" Facility="local0") #rest afd input(type="imfile" File="/var/log/vmware/sso/vmware-rest-afd.log" Tag="sso-rest-afd" PersistStateInterval="200" Severity="info" Facility="local0") #websso input(type="imfile" File="/var/log/vmware/sso/websso.log" Tag="sso-websso" PersistStateInterval="200" Severity="info" Facility="local0") #tomcat catalina input(type="imfile" File="/var/log/vmware/sso/tomcat/catalina.*.log" Tag="sso-tomcat-catalina" PersistStateInterval="200" Severity="info" Facility="local0") #tomcat localhost input(type="imfile" File="/var/log/vmware/sso/tomcat/localhost.*.log" Tag="sso-tomcat-localhost" PersistStateInterval="200" Severity="info" Facility="local0") #tomcat localhost access input(type="imfile" File="/var/log/vmware/sso/tomcat/localhost_access.log" Tag="sso-tomcat-localhost-access" PersistStateInterval="200" Severity="info" Facility="local0") #vmdir log input(type="imfile" File="/var/log/vmware/vmdir/*.log" Tag="vmdir" PersistStateInterval="200" Severity="info" Facility="local0") #vmafd log input(type="imfile" File="/var/log/vmware/vmafd/*.log" Tag="vmafd" PersistStateInterval="200" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding.

Fix: F-62633r934609_fix

Navigate to and open: /etc/vmware-syslog/vmware-services-sso-services.conf Create the file if it does not exist. Set the contents of the file as follows: #vmidentity logs input(type="imfile" File="/var/log/vmware/sso/activedirectoryservice.log" Tag="activedirectoryservice" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/lookupsvc-init.log" Tag="ssolookupsvc-init" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/openidconnect.log" Tag="openidconnect" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/ssoAdminServer.log" Tag="ssoadminserver" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/svcaccountmgmt.log" Tag="svcaccountmgmt" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") input(type="imfile" File="/var/log/vmware/sso/tokenservice.log" Tag="tokenservice" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z" Facility="local0") #sts health log input(type="imfile" File="/var/log/vmware/sso/sts-health-status.log" Tag="sts-health-status" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2} [[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2},[[:digit:]]{0,4}" Facility="local0") #sts runtime log stdout input(type="imfile" File="/var/log/vmware/sso/sts-runtime.log.stdout" Tag="sts-runtime-stdout" PersistStateInterval="200" Severity="info" Facility="local0") #sts runtime log stderr input(type="imfile" File="/var/log/vmware/sso/sts-runtime.log.stderr" Tag="sts-runtime-stderr" PersistStateInterval="200" Severity="info" Facility="local0") #gclogFile.0.current log input(type="imfile" File="/var/log/vmware/sso/gclogFile.*.current" Tag="gclog" PersistStateInterval="200" Severity="info" startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}+[[:digit:]]{0,4}" Facility="local0") #identity sts default input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts-default.log" Tag="sso-identity-sts-default" PersistStateInterval="200" Severity="info" Facility="local0") #identity sts input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts.log" Tag="sso-identity-sts" PersistStateInterval="200" Severity="info" Facility="local0") #identity perf input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts-perf.log" Tag="sso-identity-perf" PersistStateInterval="200" Severity="info" Facility="local0") #identity prestart input(type="imfile" File="/var/log/vmware/sso/sts-prestart.log" Tag="sso-identity-prestart" PersistStateInterval="200" Severity="info" Facility="local0") #rest idm input(type="imfile" File="/var/log/vmware/sso/vmware-rest-idm.log" Tag="sso-rest-idm" PersistStateInterval="200" Severity="info" Facility="local0") #rest vmdir input(type="imfile" File="/var/log/vmware/sso/vmware-rest-vmdir.log" Tag="sso-rest-vmdir" PersistStateInterval="200" Severity="info" Facility="local0") #rest afd input(type="imfile" File="/var/log/vmware/sso/vmware-rest-afd.log" Tag="sso-rest-afd" PersistStateInterval="200" Severity="info" Facility="local0") #websso input(type="imfile" File="/var/log/vmware/sso/websso.log" Tag="sso-websso" PersistStateInterval="200" Severity="info" Facility="local0") #tomcat catalina input(type="imfile" File="/var/log/vmware/sso/tomcat/catalina.*.log" Tag="sso-tomcat-catalina" PersistStateInterval="200" Severity="info" Facility="local0") #tomcat localhost input(type="imfile" File="/var/log/vmware/sso/tomcat/localhost.*.log" Tag="sso-tomcat-localhost" PersistStateInterval="200" Severity="info" Facility="local0") #tomcat localhost access input(type="imfile" File="/var/log/vmware/sso/tomcat/localhost_access.log" Tag="sso-tomcat-localhost-access" PersistStateInterval="200" Severity="info" Facility="local0") #vmdir log input(type="imfile" File="/var/log/vmware/vmdir/*.log" Tag="vmdir" PersistStateInterval="200" Severity="info" Facility="local0") #vmafd log input(type="imfile" File="/var/log/vmware/vmafd/*.log" Tag="vmafd" PersistStateInterval="200" Severity="info" Facility="local0")

b
The vCenter STS service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
AC-10 - Medium - CCI-000054 - V-258985 - SV-258985r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCST-80-000125
Vuln IDs
  • V-258985
Rule IDs
  • SV-258985r960735_rule
Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. In Tomcat, the "connectionTimeout" attribute sets the number of milliseconds the server will wait after accepting a connection for the request Uniform Resource Identifier (URI) line to be presented. This timeout will also be used when reading the request body (if any). This prevents idle sockets that are not sending HTTP requests from consuming system resources and potentially denying new connections.
Checks: C-62725r934611_chk

The connection timeout should not be disabled by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@connectionTimeout = '-1']" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62634r934612_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Configure the <Connector> node with the value: connectionTimeout="60000" Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
AC-10 - Medium - CCI-000054 - V-258986 - SV-258986r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCST-80-000126
Vuln IDs
  • V-258986
Rule IDs
  • SV-258986r960735_rule
KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. Tomcat can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client.
Checks: C-62726r934614_chk

The connection timeout should not be unlimited by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.

Fix: F-62635r934615_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Configure the <Connector> node with the value: maxKeepAliveRequests="100" Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must configure the "setCharacterEncodingFilter" filter.
SI-10 - Medium - CCI-001310 - V-258987 - SV-258987r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCST-80-000127
Vuln IDs
  • V-258987
Rule IDs
  • SV-258987r961158_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. VMware uses the standard Tomcat "SetCharacterEncodingFilter" to provide a layer of defense against character encoding attacks. Filters are Java objects that perform filtering tasks on the request to a resource (a servlet or static content), on the response from a resource, or both.
Checks: C-62727r934617_chk

At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'setCharacterEncodingFilter')]/parent::*" /usr/lib/vmware-sso/vmware-sts/conf/web.xml Expected result: &lt;filter-mapping&gt; &lt;filter-name&gt;setCharacterEncodingFilter&lt;/filter-name&gt; &lt;url-pattern&gt;/*&lt;/url-pattern&gt; &lt;/filter-mapping&gt; &lt;filter&gt; &lt;filter-name&gt;setCharacterEncodingFilter&lt;/filter-name&gt; &lt;filter-class&gt;org.apache.catalina.filters.SetCharacterEncodingFilter&lt;/filter-class&gt; &lt;async-supported&gt;true&lt;/async-supported&gt; &lt;init-param&gt; &lt;param-name&gt;encoding&lt;/param-name&gt; &lt;param-value&gt;UTF-8&lt;/param-value&gt; &lt;/init-param&gt; &lt;init-param&gt; &lt;param-name&gt;ignore&lt;/param-name&gt; &lt;param-value&gt;true&lt;/param-value&gt; &lt;/init-param&gt; &lt;/filter&gt; If the output is does not match the expected result, this is a finding.

Fix: F-62636r934618_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Configure the <web-app> node with the child nodes listed below: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> </filter> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service cookies must have "http-only" flag set.
AC-3 - Medium - CCI-000213 - V-258988 - SV-258988r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCST-80-000129
Vuln IDs
  • V-258988
Rule IDs
  • SV-258988r960792_rule
Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. When a cookie is tagged with the "HttpOnly" flag, it tells the browser this particular cookie should only be accessed by the originating server. Any attempt to access the cookie from client script is strictly forbidden.
Checks: C-62728r934620_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/http-only' - Expected result: &lt;http-only&gt;true&lt;/http-only&gt; If the output does not match the expected result, this is a finding.

Fix: F-62637r934621_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the <session-config> node and configure the <http-only> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
AC-3 - Medium - CCI-000213 - V-258989 - SV-258989r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCST-80-000130
Vuln IDs
  • V-258989
Rule IDs
  • SV-258989r960792_rule
The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resources as well as directory listings. The DefaultServlet is configured by default with the "readonly" parameter set to "true" where HTTP commands such as "PUT" and "DELETE" are rejected. Changing this to "false" allows clients to delete or modify static resources on the server and to upload new resources. DefaultServlet "readonly" must be set to "true", either literally or by absence (default).
Checks: C-62729r934623_chk

At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'DefaultServlet')]/parent::*" /usr/lib/vmware-sso/vmware-sts/conf/web.xml Example output: &lt;servlet&gt; &lt;description&gt;File servlet&lt;/description&gt; &lt;servlet-name&gt;FileServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;org.apache.catalina.servlets.DefaultServlet&lt;/servlet-class&gt; &lt;/servlet&gt; If the "readOnly" param-value for the "DefaultServlet" servlet class is set to "false", this is a finding. If the "readOnly" param-value does not exist, this is not a finding.

Fix: F-62638r934624_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the /<web-apps>/<servlet>/<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>/ node and remove the following node: <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service shutdown port must be disabled.
CM-7 - Medium - CCI-000381 - V-258990 - SV-258990r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000134
Vuln IDs
  • V-258990
Rule IDs
  • SV-258990r960963_rule
Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" in $CATALINA_BASE/conf/server.xml instructs Tomcat to not listen for the shutdown command.
Checks: C-62730r934626_chk

At the command prompt, run the following commands: # xmllint --xpath "//Server/@port" /usr/lib/vmware-sso/vmware-sts/conf/server.xml # grep 'base.shutdown.port' /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Example results: port="${base.shutdown.port}" base.shutdown.port=-1 If "port" does not equal "${base.shutdown.port}", this is a finding. If "base.shutdown.port" does not equal "-1", this is a finding.

Fix: F-62639r934627_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file. Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Configure the <Server> node with the value: port="${base.shutdown.port}" Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service debug parameter must be disabled.
CM-7 - Medium - CCI-000381 - V-258991 - SV-258991r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000136
Vuln IDs
  • V-258991
Rule IDs
  • SV-258991r960963_rule
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Because this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.
Checks: C-62731r934629_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' - Example result: &lt;init-param&gt; &lt;param-name&gt;debug&lt;/param-name&gt; &lt;param-value&gt;0&lt;/param-value&gt; &lt;/init-param&gt; If the "debug" parameter is specified and is not "0", this is a finding. If the "debug" parameter does not exist, this is not a finding.

Fix: F-62640r934630_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the following: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service directory listings parameter must be disabled.
CM-7 - Medium - CCI-000381 - V-258992 - SV-258992r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000137
Vuln IDs
  • V-258992
Rule IDs
  • SV-258992r960963_rule
Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. Ensuring that directory listing is disabled is one approach to mitigating the vulnerability. In Tomcat, directory listing is disabled by default but can be enabled via the "listings" parameter. Ensure this node is not present to have the default effect.
Checks: C-62732r934632_chk

At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' - Example result: XPath set is empty If the "listings" parameter is specified and is not "false", this is a finding. If the "listings" parameter does not exist, this is not a finding.

Fix: F-62641r934633_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Find and remove the entire block returned in the check. Example: <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must have Autodeploy disabled.
CM-7 - Medium - CCI-000381 - V-258993 - SV-258993r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000139
Vuln IDs
  • V-258993
Rule IDs
  • SV-258993r960963_rule
Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production.
Checks: C-62733r934635_chk

At the command prompt, run the following command: # xmllint --xpath "//Host/@autoDeploy" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: autoDeploy="false" If "autoDeploy" does not equal "false", this is a finding.

Fix: F-62642r934636_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to the <Host> node and configure with the value "autoDeploy="false"". Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service xpoweredBy attribute must be disabled.
CM-7 - Medium - CCI-000381 - V-258994 - SV-258994r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000140
Vuln IDs
  • V-258994
Rule IDs
  • SV-258994r960963_rule
Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass server information to clients. The default value for xpoweredBy is "false".
Checks: C-62734r934638_chk

At the command prompt, run the following command: # xmllint --xpath "//Connector/@xpoweredBy" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Example result: XPath set is empty If the "xpoweredBy" parameter is specified and is not "false", this is a finding. If the "xpoweredBy" parameter does not exist, this is not a finding.

Fix: F-62643r934639_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to the <Connector> node and remove the "xpoweredBy" attribute. Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service example applications must be removed.
CM-7 - Medium - CCI-000381 - V-258995 - SV-258995r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000141
Vuln IDs
  • V-258995
Rule IDs
  • SV-258995r960963_rule
Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files must be deleted.
Checks: C-62735r934641_chk

At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/examples If the examples folder exists or contains any content, this is a finding.

Fix: F-62644r934642_fix

At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/examples

b
The vCenter STS service default ROOT web application must be removed.
CM-7 - Medium - CCI-000381 - V-258996 - SV-258996r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000142
Vuln IDs
  • V-258996
Rule IDs
  • SV-258996r960963_rule
The default ROOT web application includes the version of Tomcat being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The default ROOT web application must be removed from a publicly accessible instance and a more appropriate default page shown to users.
Checks: C-62736r934644_chk

At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/ROOT If the ROOT web application contains any content, this is a finding.

Fix: F-62645r934645_fix

At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/ROOT/*

b
The vCenter STS service default documentation must be removed.
CM-7 - Medium - CCI-000381 - V-258997 - SV-258997r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000143
Vuln IDs
  • V-258997
Rule IDs
  • SV-258997r960963_rule
Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.
Checks: C-62737r934647_chk

At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/docs If the "docs" folder exists or contains any content, this is a finding.

Fix: F-62646r934648_fix

At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/docs

b
The vCenter STS service files must have permissions in an out-of-the-box state.
CM-5 - Medium - CCI-001813 - V-258998 - SV-258998r961461_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VCST-80-000144
Vuln IDs
  • V-258998
Rule IDs
  • SV-258998r961461_rule
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled.
Checks: C-62738r934650_chk

At the command prompt, run the following command: # find /usr/lib/vmware-sso/ -xdev -type f -a '(' -perm -o+w -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-62647r934651_fix

At the command prompt, run the following commands: # chmod o-w <file> # chown root:root <file> Note: Substitute <file> with the listed file.

b
The vCenter STS service must disable "ALLOW_BACKSLASH".
CM-6 - Medium - CCI-000366 - V-258999 - SV-258999r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCST-80-000151
Vuln IDs
  • V-258999
Rule IDs
  • SV-258999r961863_rule
When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients.
Checks: C-62739r934653_chk

At the command line, run the following command: # grep ALLOW_BACKSLASH /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Example result: org.apache.catalina.connector.ALLOW_BACKSLASH=false If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding. If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.

Fix: F-62648r934654_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.ALLOW_BACKSLASH=false Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
CM-6 - Medium - CCI-000366 - V-259000 - SV-259000r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCST-80-000152
Vuln IDs
  • V-259000
Rule IDs
  • SV-259000r961863_rule
Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.
Checks: C-62740r934656_chk

At the command line, run the following command: # grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Example result: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding. If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.

Fix: F-62649r934657_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true Restart the service with the following command: # vmon-cli --restart sts

b
The vCenter STS service manager webapp must be removed.
CM-7 - Medium - CCI-000381 - V-259001 - SV-259001r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000154
Vuln IDs
  • V-259001
Rule IDs
  • SV-259001r960963_rule
Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.
Checks: C-62741r934659_chk

At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/manager If the manager folder exists or contains any content, this is a finding.

Fix: F-62650r934660_fix

At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/manager

b
The vCenter STS service host-manager webapp must be removed.
CM-7 - Medium - CCI-000381 - V-259002 - SV-259002r1003674_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000155
Vuln IDs
  • V-259002
Rule IDs
  • SV-259002r1003674_rule
Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The host-manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.
Checks: C-62742r1003668_chk

At the command prompt, run the following command: # ls -l /var/opt/apache-tomcat/webapps/host-manager If the host-manager folder exists or contains any content, this is a finding.

Fix: F-62651r934663_fix

At the command prompt, run the following command: # rm -rf /var/opt/apache-tomcat/webapps/host-manager

b
The vCenter STS service deployXML attribute must be disabled.
CM-7 - Medium - CCI-000381 - V-266136 - SV-266136r1003677_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCST-80-000138
Vuln IDs
  • V-266136
Rule IDs
  • SV-266136r1003677_rule
The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a malicious application. Automatic deployment is controlled by the autoDeploy and deployOnStartup attributes. If both are false, only Contexts defined in server.xml will be deployed, and any changes will require a Tomcat restart. In a hosted environment where web applications may not be trusted, set the deployXML attribute to "false" to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled, the deployXML attribute will default to false.
Checks: C-70060r1003675_chk

At the command prompt, run the following command: # xmllint --xpath "//Host/@deployXML" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: deployXML="false" If "deployXML" does not equal "false", this is a finding.

Fix: F-69963r1003676_fix

Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to the <Host> node and configure with the value "deployXML="false"". Restart the service with the following command: # vmon-cli --restart sts