Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector[@port="${http.port}"]/@maxThreads' /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: maxThreads="800" If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the <Connector> node and configure with the value "maxThreads="800"". Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: <secure>true</secure> If the output of the command does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Navigate to the <session-config> node and configure the <secure> setting as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json Expected output: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/vsphere-ui/logs/vsphere-ui-runtime.log", If no log file is specified for the "StreamRedirectFile" setting, this is a finding.
Navigate to and open: /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json Below the last line of the "PreStartCommandArg" block, add the following line: "StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/vsphere-ui/logs/vsphere-ui-runtime.log", Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-vsphere-ui/server/conf/server.xml Example result: pattern="%h %{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b %{#hashedClientId#}s %{#hashedRequestId#}r %I %D" Required elements: %h %{X-Forwarded-For}i %l %t %u &quot;%r&quot; %s %b If the log pattern does not contain the required elements in any order, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows: pattern="%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedClientId#}s %{#hashedRequestId#}r %I %D" Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # find /var/log/vmware/vsphere-ui/ -xdev -type f -a '(' -perm -o+w -o -not -user vsphere-ui -o -not -group users -a -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.
At the command prompt, run the following commands: # chmod o-w <file> # chown vsphere-ui:users <file> Note: Substitute <file> with the listed file.
At the command prompt, run the following command: # xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-vsphere-ui/server/conf/server.xml Example result: <Listener className="org.apache.catalina.security.SecurityListener"/> If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding. If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and is not "0007", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the <Server> node and add or update the "org.apache.catalina.security.SecurityListener" as follows: <Listener className="org.apache.catalina.security.SecurityListener"/> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//Connector[@allowTrace = 'true']" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting. Note: If "allowTrace" is not present, it defaults to false. Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//Connector[(@port = '0') or not(@address)]" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the <Connector> node and configure the port and address as follows. port="${http.port}" address="localhost" Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command line, run the following command: # grep RECYCLE_FACADES /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.connector.RECYCLE_FACADES=true If "org.apache.catalina.connector.RECYCLE_FACADES" is not set to "true", this is a finding. If the "org.apache.catalina.connector.RECYCLE_FACADES" setting does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.RECYCLE_FACADES=true Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command line, run the following command: # grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true If there are no results, or if the "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" is not set to "true", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Add or change the following line: org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//Connector[@URIEncoding != 'UTF-8'] | //Connector[not[@URIEncoding]]" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Configure the <Connector> node with the value: URIEncoding="UTF-8" Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]' /usr/lib/vmware-vsphere-ui/server/conf/server.xml Example result: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> If the "ErrorReportValve" element is not defined or "showServerInfo" is not set to "false", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Locate the following Host block: <Host ...> ... </Host> Inside this block, add or update the following on a new line: <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' - Example result: <session-timeout>30</session-timeout> If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Navigate to the <session-config> node and configure the <session-timeout> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart vsphere-ui
By default, a vmware-services-vsphere-ui.conf rsyslog configuration file that includes the service logs when syslog is configured on vCenter, but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-vsphere-ui.conf Expected result: #vsphere-ui main log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log" Tag="ui-main" Severity="info" Facility="local0") #vsphere-ui change log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/changelog.log" Tag="ui-changelog" Severity="info" Facility="local0") #vsphere-ui dataservice log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/dataservice.log" Tag="ui-dataservice" Severity="info" Facility="local0") #vsphere-ui apigw log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/apigw.log" Tag="ui-apigw" Severity="info" Facility="local0") #vsphere-ui equinox log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/equinox.log" Tag="ui-equinox" Severity="info" Facility="local0") #vsphere-ui event log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/eventlog.log" Tag="ui-eventlog" Severity="info" Facility="local0") #vsphere-ui op id log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/opId.log" Tag="ui-opid" Severity="info" Facility="local0") #vsphere-ui performance audit log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/performanceAudit.log" Tag="ui-performanceAudit" Severity="info" Facility="local0") #vsphere-ui plugin-medic log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/plugin-medic.log" Tag="ui-plugin-medic" Severity="info" Facility="local0") #vsphere-ui threadmonitor log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadmonitor.log" Tag="ui-threadmonitor" Severity="info" Facility="local0") #vsphere-ui threadpools log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadpools.log" Tag="ui-threadpools" Severity="info" Facility="local0") #vsphere-ui vspheremessaging log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vspheremessaging.log" Tag="ui-vspheremessaging" Severity="info" Facility="local0") #vsphere-ui rpm log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-rpm.log" Tag="ui-rpm" Severity="info" Facility="local0") #vsphere-ui runtime log stdout input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stdout" Severity="info" Facility="local0") #vsphere-ui runtime log stderr input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stderr" Severity="info" Facility="local0") #vsphere-ui access log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt" Tag="ui-access" Severity="info" Facility="local0") #vsphere-ui gc log input(type="imfile" File="/var/log/vmware/vsphere-ui/vsphere-ui-gc*" Tag="ui-gc" Severity="info" Facility="local0") #vsphere-ui firstboot log input(type="imfile" File="/var/log/firstboot/vsphere_ui_firstboot*" Tag="ui-firstboot" Severity="info" Facility="local0") #vsphere-ui catalina input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/catalina.*.log" Tag="ui-runtime-catalina" Severity="info" Facility="local0") #vsphere-ui endpoint input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/endpoint.log" Tag="ui-runtime-endpoint" Severity="info" Facility="local0") #vsphere-ui localhost input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/localhost.*.log" Tag="ui-runtime-localhost" Severity="info" Facility="local0") #vsphere-ui vsan input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsan-plugin.log" Tag="ui-runtime-vsan" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding.
Navigate to and open: vmware-services-vsphere-ui.conf Create the file if it does not exist. Set the contents of the file as follows: #vsphere-ui main log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log" Tag="ui-main" Severity="info" Facility="local0") #vsphere-ui change log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/changelog.log" Tag="ui-changelog" Severity="info" Facility="local0") #vsphere-ui dataservice log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/dataservice.log" Tag="ui-dataservice" Severity="info" Facility="local0") #vsphere-ui apigw log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/apigw.log" Tag="ui-apigw" Severity="info" Facility="local0") #vsphere-ui equinox log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/equinox.log" Tag="ui-equinox" Severity="info" Facility="local0") #vsphere-ui event log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/eventlog.log" Tag="ui-eventlog" Severity="info" Facility="local0") #vsphere-ui op id log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/opId.log" Tag="ui-opid" Severity="info" Facility="local0") #vsphere-ui performance audit log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/performanceAudit.log" Tag="ui-performanceAudit" Severity="info" Facility="local0") #vsphere-ui plugin-medic log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/plugin-medic.log" Tag="ui-plugin-medic" Severity="info" Facility="local0") #vsphere-ui threadmonitor log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadmonitor.log" Tag="ui-threadmonitor" Severity="info" Facility="local0") #vsphere-ui threadpools log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadpools.log" Tag="ui-threadpools" Severity="info" Facility="local0") #vsphere-ui vspheremessaging log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vspheremessaging.log" Tag="ui-vspheremessaging" Severity="info" Facility="local0") #vsphere-ui rpm log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-rpm.log" Tag="ui-rpm" Severity="info" Facility="local0") #vsphere-ui runtime log stdout input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stdout" Severity="info" Facility="local0") #vsphere-ui runtime log stderr input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stderr" Severity="info" Facility="local0") #vsphere-ui access log input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt" Tag="ui-access" Severity="info" Facility="local0") #vsphere-ui gc log input(type="imfile" File="/var/log/vmware/vsphere-ui/vsphere-ui-gc*" Tag="ui-gc" Severity="info" Facility="local0") #vsphere-ui firstboot log input(type="imfile" File="/var/log/firstboot/vsphere_ui_firstboot*" Tag="ui-firstboot" Severity="info" Facility="local0") #vsphere-ui catalina input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/catalina.*.log" Tag="ui-runtime-catalina" Severity="info" Facility="local0") #vsphere-ui endpoint input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/endpoint.log" Tag="ui-runtime-endpoint" Severity="info" Facility="local0") #vsphere-ui localhost input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/localhost.*.log" Tag="ui-runtime-localhost" Severity="info" Facility="local0") #vsphere-ui vsan input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsan-plugin.log" Tag="ui-runtime-vsan" Severity="info" Facility="local0")
At the command line, run the following command: # grep STRICT_SERVLET_COMPLIANCE /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true If there are no results, or if the "org.apache.catalina.STRICT_SERVLET_COMPLIANCE" is not set to "true", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Add or change the following line: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true Restart the service with the following command: # vmon-cli --restart vsphere-ui
The connection timeout should not be disabled by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@connectionTimeout = '-1']" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Configure the <Connector> node with the value: connectionTimeout="300000" Restart the service with the following command: # vmon-cli --restart vsphere-ui
The connection timeout should not be unlimited by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Configure the <Connector> node with the value: maxKeepAliveRequests="100" Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'setCharacterEncodingFilter')]/parent::*" /usr/lib/vmware-vsphere-ui/server/conf/web.xml Expected result: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> </filter> If the output is does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Configure the <web-app> node with the child nodes listed below: <filter-mapping> <filter-name>setCharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>setCharacterEncodingFilter</filter-name> <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param> </filter> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/http-only' - Expected result: <http-only>true</http-only> If the output does not match the expected result, this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Navigate to the <session-config> node and configure the <http-only> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//*[contains(text(), 'DefaultServlet')]/parent::*" /usr/lib/vmware-vsphere-ui/server/conf/web.xml Example output: <servlet> <description>File servlet</description> <servlet-name>FileServlet</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> </servlet> If the "readOnly" param-value for the "DefaultServlet" servlet class is set to "false", this is a finding. If the "readOnly" param-value does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Navigate to the /<web-apps>/<servlet>/<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>/ node and remove the following node: <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following commands: # xmllint --xpath "//Server/@port" /usr/lib/vmware-vsphere-ui/server/conf/server.xml # grep shutdown.port /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json Example results: port="${shutdown.port}" "-Dshutdown.port=-1", If "port" does not equal "${shutdown.port}", this is a finding. If "shutdown.port" does not equal "-1", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Add or modify the setting "shutdown.port=-1" in the "catalina.properties" file. Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Configure the <Server> node with the value: port="${shutdown.port}" Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' - Example result: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> If the "debug" parameter is specified and is not "0", this is a finding. If the "debug" parameter does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the following: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' - Example result: XPath set is empty If the "listings" parameter is specified and is not "false", this is a finding. If the "listings" parameter does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/web.xml Find and remove the entire block returned in the check. Example: <init-param> <param-name>listings</param-name> <param-value>true</param-value> </init-param> Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//Host/@deployXML" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: deployXML="false" If "deployXML" does not equal "false", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the <Host> node and configure with the value "deployXML="false"". Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//Host/@autoDeploy" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Expected result: autoDeploy="false" If "autoDeploy" does not equal "false", this is a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the <Host> node and configure with the value "autoDeploy="false"". Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # xmllint --xpath "//Connector/@xpoweredBy" /usr/lib/vmware-vsphere-ui/server/conf/server.xml Example result: XPath set is empty If the "xpoweredBy" parameter is specified and is not "false", this is a finding. If the "xpoweredBy" parameter does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the <Connector> node and remove the "xpoweredBy" attribute. Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # ls -l /usr/lib/vmware-vsphere-ui/server/webapps/examples If the examples folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/examples
At the command prompt, run the following command: # ls -l /usr/lib/vmware-vsphere-ui/server/webapps/ROOT If the ROOT web application contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/ROOT/*
At the command prompt, run the following command: # ls -l /usr/lib/vmware-vsphere-ui/server/webapps/docs If the "docs" folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/docs
At the command line, run the following command: # grep ALLOW_BACKSLASH /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.connector.ALLOW_BACKSLASH=false If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding. If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.ALLOW_BACKSLASH=false Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command line, run the following command: # grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding. If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true Restart the service with the following command: # vmon-cli --restart vsphere-ui
At the command prompt, run the following command: # ls -l /usr/lib/vmware-vsphere-ui/server/webapps/manager If the manager folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/manager
At the command prompt, run the following command: # ls -l /usr/lib/vmware-vsphere-ui/server/webapps/host-manager If the host-manager folder exists or contains any content, this is a finding.
At the command prompt, run the following command: # rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/host-manager