{"stig":{"title":"VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-256737","ruleId":"SV-256737r889149_rule","severity":"medium","ruleTitle":"Envoy must drop connections to disconnected clients.","description":"Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. \n \nEnvoy is hard coded to drop connections after three minutes of idle time. The absence of any \"tcpKeepAliveTimeSec\" settings means this default is in effect. This configuration must be verified and maintained.","checkContent":"At the command prompt, run the following command: \n \n# xmllint --xpath '/config/envoy/L4Filter/tcpKeepAliveTimeSec/text()' /etc/vmware-rhttpproxy/config.xml \n \nExpected result: \n \n180 \n \nor \n \nXPath set is empty \n \nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-rhttpproxy/config.xml \n \nLocate the // block and configure as follows: \n \n180 \n \nRestart the service for changes to take effect. \n \n# vmon-cli --restart rhttpproxy","ccis":["CCI-000054"]},{"vulnId":"V-256738","ruleId":"SV-256738r889152_rule","severity":"medium","ruleTitle":"Envoy must set a limit on established connections.","description":"Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack where connections are created en masse and vCenter resources are entirely consumed. \n \nEnvoy comes hard coded with a tested and supported value for \"maxHttpsConnections\" that must be verified and maintained.","checkContent":"At the command prompt, run the following command: \n \n# xmllint --xpath '/config/envoy/L4Filter/maxHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml \n \nExpected result: \n \n2048 \n \nor \n \nXPath set is empty \n \nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-rhttpproxy/config.xml \n \nLocate the // block and configure as follows: \n \n2048 \n \nRestart the service for changes to take effect. \n \n# vmon-cli --restart rhttpproxy","ccis":["CCI-000054"]},{"vulnId":"V-256739","ruleId":"SV-256739r889155_rule","severity":"medium","ruleTitle":"Envoy must be configured to operate in FIPS mode.","description":"Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cryptographic operations performed by Envoy, including protection of data-in-transit over the client Transport Layer Security (TLS) connection.\n\nSatisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000111, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188, SRG-APP-000179-WSR-000110","checkContent":"At the command prompt, run the following command: \n \n# xmllint --xpath '/config/vmacore/ssl/fips' /etc/vmware-rhttpproxy/config.xml \n \nExpected result: \n \ntrue \n \nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-rhttpproxy/config.xml \n \nLocate the // block and configure as follows: \n \ntrue \n \nRestart the service for changes to take effect. \n \n# vmon-cli --restart rhttpproxy","ccis":["CCI-000068","CCI-000803","CCI-002418","CCI-002450"]},{"vulnId":"V-256740","ruleId":"SV-256740r889158_rule","severity":"medium","ruleTitle":"Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.","description":"Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The block in the rhttpproxy configuration is commented out by default, and this configuration forces TLS 1.2. \n \nThe block may also be set to \"tls1.2\" in certain upgrade scenarios, but the effect is the same. Uncommenting the block and enabling older protocols is possible; therefore, TLS 1.2 restriction must be verified and maintained.\n\nSatisfies: SRG-APP-000015-WSR-000014, SRG-APP-000172-WSR-000104, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182","checkContent":"At the command prompt, run the following command: \n \n# xmllint --xpath '/config/vmacore/ssl/protocols' /etc/vmware-rhttpproxy/config.xml \n \nExpected result: \n \nXPath set is empty \n \nor \n \ntls1.2 \n \nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-rhttpproxy/config.xml \n \nLocate the // block and configure as follows: \n \ntls1.2 \n \nRestart the service for changes to take effect. \n \n# vmon-cli --restart rhttpproxy","ccis":["CCI-000197","CCI-001453","CCI-002418","CCI-002420","CCI-002422"]},{"vulnId":"V-256741","ruleId":"SV-256741r889161_rule","severity":"medium","ruleTitle":"The Envoy private key file must be protected from unauthorized access.","description":"Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. \n \nBy gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the Transport Layer Security (TLS) traffic between a client and the web server.","checkContent":"At  the command prompt, run the following command: \n \n# stat -c \"%n permissions are %a, is owned by %U and group owned by %G\" /etc/vmware-rhttpproxy/ssl/rui.key \n \nExpected result: \n \n/etc/vmware-rhttpproxy/ssl/rui.key permissions are 600, is owned by root and group owned by root \n \nIf the output does not match the expected result, this is a finding.","fixText":"At the command prompt, run the following commands: \n \n# chmod 600 /etc/vmware-rhttpproxy/ssl/rui.key \n# chown root:root /etc/vmware-rhttpproxy/ssl/rui.key","ccis":["CCI-000186"]},{"vulnId":"V-256742","ruleId":"SV-256742r889164_rule","severity":"medium","ruleTitle":"Envoy must exclusively use the HTTPS protocol for client connections.","description":"Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an encrypted session of HTTPS rather than plain-text HTTP. The Secure Sockets Layer (SSL) configuration block inside the rhttpproxy configuration must be present and correctly configured to safely enable Transport Layer Security (TLS).","checkContent":"At the command prompt, run the following command: \n \n# xmllint --xpath '/config/ssl' /etc/vmware-rhttpproxy/config.xml \n \nExpected result: \n \n \n \n /etc/vmware-rhttpproxy/ssl/rui.key \n \n /etc/vmware-rhttpproxy/ssl/rui.crt \n \n localhost \n \n \nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-rhttpproxy/config.xml \n \nLocate the first block and set its content to the following: \n \n \n \n /etc/vmware-rhttpproxy/ssl/rui.key \n \n /etc/vmware-rhttpproxy/ssl/rui.crt \n \n localhost \n \n \nRestart the service for changes to take effect. \n \n# vmon-cli --restart rhttpproxy","ccis":["CCI-002314"]},{"vulnId":"V-256743","ruleId":"SV-256743r889167_rule","severity":"medium","ruleTitle":"Envoy (rhttpproxy) log files must be shipped via syslog to a central log server.","description":"Envoy produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. \n \nEnvoy (rhttpproxy) rsyslog configuration is included in the \"VMware-visl-integration\" package and unpacked to \"/etc/vmware-syslog/vmware-services-rhttpproxy.conf\". Ensuring the package hashes are as expected also ensures the shipped rsyslog configuration is present and unmodified.","checkContent":"At the command prompt, run the following command: \n \n# rpm -V VMware-visl-integration|grep vmware-services-rhttpproxy.conf|grep \"^..5......\" \n \nIf the command returns any output, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-syslog/vmware-services-rhttpproxy.conf \n \nCreate the file if it does not exist. \n \nSet the contents of the file as follows: \n \n#rhttpproxy log \ninput(type=\"imfile\" \n File=\"/var/log/vmware/rhttpproxy/rhttpproxy.log\" \n Tag=\"rhttpproxy-main\" \n Severity=\"info\" \n Facility=\"local0\")","ccis":["CCI-001851"]},{"vulnId":"V-256744","ruleId":"SV-256744r889170_rule","severity":"medium","ruleTitle":"Envoy log files must be shipped via syslog to a central log server.","description":"Envoy rsyslog configuration is included in the \"VMware-visl-integration\" package and unpacked to \"/etc/vmware-syslog/vmware-services-envoy.conf\". Ensuring the package hashes are as expected also ensures the shipped rsyslog configuration is present and unmodified.","checkContent":"At the command prompt, run the following command: \n \n# rpm -V VMware-visl-integration|grep vmware-services-envoy.conf|grep \"^..5......\" \n \nIf the command returns any output, this is a finding.","fixText":"Navigate to and open: \n \n/etc/vmware-syslog/vmware-services-envoy.conf \n \nCreate the file if it does not exist. \n \nSet the contents of the file as follows: \n \n#envoy service log \ninput(type=\"imfile\" \n File=\"/var/log/vmware/envoy/envoy.log\" \n Tag=\"envoy-main\" \n Severity=\"info\" \n Facility=\"local0\") \n#envoy access log \ninput(type=\"imfile\" \n File=\"/var/log/vmware/envoy/envoy-access.log\" \n Tag=\"envoy-access\" \n Severity=\"info\" \n Facility=\"local0\")","ccis":["CCI-001851"]}]}