{"stig":{"title":"VMware vSphere 8.0 vCenter Appliance Envoy Security Technical Implementation Guide","version":"2","release":"1"},"checks":[{"vulnId":"V-259161","ruleId":"SV-259161r960930_rule","severity":"medium","ruleTitle":"The vCenter Envoy and Rhttpproxy service log files permissions must be set correctly.","description":"Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, usernames, etc.\n\nThe web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. 
In either case, the logs must be protected from access by nonprivileged users.\n\nSatisfies: SRG-APP-000118-WSR-000068, SRG-APP-000119-WSR-000069, SRG-APP-000120-WSR-000070","checkContent":"At the command prompt, run the following commands:\n\n# find /var/log/vmware/rhttpproxy/ -xdev -type f -a '(' -perm -o+w -o -not -user rhttpproxy -o -not -group rhttpproxy ')' -exec ls -ld {} \\;\n# find /var/log/vmware/envoy/ -xdev -type f -a '(' -perm -o+w -o -not -user envoy -o -not -group envoy ')' -exec ls -ld {} \\;\n\nIf any files are returned, this is a finding.","fixText":"At the command prompt, run the following commands for rhttpproxy log files:\n\n# chmod o-w <file>\n# chown rhttpproxy:rhttpproxy <file>\n\nor\n\nAt the command prompt, run the following commands for envoy log files:\n\n# chmod o-w <file>\n# chown envoy:envoy <file>","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-259162","ruleId":"SV-259162r961041_rule","severity":"medium","ruleTitle":"The vCenter Envoy service private key file must be protected from unauthorized access.","description":"Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients.\n \nBy gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the Transport Layer Security (TLS) traffic between a client and the web server.","checkContent":"At the command prompt, run the following command:\n\n# stat -c \"%n permissions are %a, is owned by %U and group owned by %G\" /etc/vmware-rhttpproxy/ssl/rui.key\n\nExpected result:\n\n/etc/vmware-rhttpproxy/ssl/rui.key permissions are 600, is owned by rhttpproxy and group owned by rhttpproxy\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command prompt, run the following commands:\n\n# chmod 600 /etc/vmware-rhttpproxy/ssl/rui.key\n# chown rhttpproxy:rhttpproxy 
/etc/vmware-rhttpproxy/ssl/rui.key","ccis":["CCI-000186"]},{"vulnId":"V-259163","ruleId":"SV-259163r961395_rule","severity":"medium","ruleTitle":"The vCenter Rhttpproxy service log files must be sent to a central log server.","description":"Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers.\n\nSatisfies: SRG-APP-000358-WSR-000063, SRG-APP-000125-WSR-000071","checkContent":"By default, there is a vmware-services-rhttpproxy.conf rsyslog configuration file that includes the service logs when syslog is configured on vCenter, but it must be verified.\n\nAt the command prompt, run the following command:\n\n# cat /etc/vmware-syslog/vmware-services-rhttpproxy.conf\n\nExpected result:\n\n#rhttpproxy log\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/rhttpproxy/rhttpproxy.log\"\n      Tag=\"rhttpproxy-main\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#rhttpproxy init stdout\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/rhttpproxy/rproxy_init.log.stdout\"\n      Tag=\"rhttpproxy-stdout\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#rhttpproxy init stderr\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/rhttpproxy/rproxy_init.log.stderr\"\n      Tag=\"rhttpproxy-stderr\"\n      Severity=\"info\"\n      Facility=\"local0\")\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/vmware-syslog/vmware-services-rhttpproxy.conf\n\nCreate the file if it does not exist.\n\nSet the contents of the file as follows:\n\n#rhttpproxy log\ninput(type=\"imfile\"\n      
File=\"/var/log/vmware/rhttpproxy/rhttpproxy.log\"\n      Tag=\"rhttpproxy-main\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#rhttpproxy init stdout\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/rhttpproxy/rproxy_init.log.stdout\"\n      Tag=\"rhttpproxy-stdout\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#rhttpproxy init stderr\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/rhttpproxy/rproxy_init.log.stderr\"\n      Tag=\"rhttpproxy-stderr\"\n      Severity=\"info\"\n      Facility=\"local0\")","ccis":["CCI-001348","CCI-001851"]},{"vulnId":"V-259164","ruleId":"SV-259164r961395_rule","severity":"medium","ruleTitle":"The vCenter Envoy service log files must be sent to a central log server.","description":"Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. 
The web server and related components are required to be capable of writing logs to centralized audit log servers.","checkContent":"By default, there is a vmware-services-envoy.conf rsyslog configuration file that includes the service logs when syslog is configured on vCenter, but it must be verified.\n\nAt the command prompt, run the following command:\n\n# cat /etc/vmware-syslog/vmware-services-envoy.conf\n\nExpected result:\n\n#envoy service log\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy.log\"\n      Tag=\"envoy-main\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#envoy access log\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy-access.log\"\n      Tag=\"envoy-access\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#envoy init stdout\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy_init.log.stdout\"\n      Tag=\"envoy-stdout\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#envoy init stderr\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy_init.log.stderr\"\n      Tag=\"envoy-stderr\"\n      Severity=\"info\"\n      Facility=\"local0\")\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/vmware-syslog/vmware-services-envoy.conf\n\nCreate the file if it does not exist.\n\nSet the contents of the file as follows:\n\n#envoy service log\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy.log\"\n      Tag=\"envoy-main\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#envoy access log\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy-access.log\"\n      Tag=\"envoy-access\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#envoy init stdout\ninput(type=\"imfile\"\n      File=\"/var/log/vmware/envoy/envoy_init.log.stdout\"\n      Tag=\"envoy-stdout\"\n      Severity=\"info\"\n      Facility=\"local0\")\n#envoy init stderr\ninput(type=\"imfile\"\n      
File=\"/var/log/vmware/envoy/envoy_init.log.stderr\"\n      Tag=\"envoy-stderr\"\n      Severity=\"info\"\n      Facility=\"local0\")","ccis":["CCI-001851"]},{"vulnId":"V-259165","ruleId":"SV-259165r960735_rule","severity":"medium","ruleTitle":"The vCenter Envoy service must set a limit on remote connections.","description":"Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack where connections are created en masse and vCenter resources are entirely consumed.\n\nEnvoy comes hard-coded with a tested and supported value for \"maxRemoteHttpsConnections\" and \"maxRemoteHttpConnections\" that must be verified and maintained.","checkContent":"At the command prompt, run the following commands:\n\n# xmllint --xpath '/config/envoy/L4Filter/maxRemoteHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml\n# xmllint --xpath '/config/envoy/L4Filter/maxRemoteHttpConnections/text()' /etc/vmware-rhttpproxy/config.xml\n\nExample result:\n\n2048\n\nor\n\nXPath set is empty\n\nIf the output is not \"2048\" or \"XPath set is empty\", this is a finding.\n\nNote: If \"XPath set is empty\" is returned, the default value of 2048 is in effect.","fixText":"Navigate to and open:\n\n/etc/vmware-rhttpproxy/config.xml\n\nLocate the <config>/<envoy>/<L4Filter> block and configure it as follows:\n\n<maxRemoteHttpsConnections>2048</maxRemoteHttpsConnections>\n<maxRemoteHttpConnections>2048</maxRemoteHttpConnections>\n\nRestart the service for changes to take effect.\n\n# vmon-cli --restart rhttpproxy","ccis":["CCI-000054"]}]}
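The five checks above are four distinct check types: a `find` predicate over the log directories (V-259161), a mode/ownership check on the private key (V-259162), verification that rsyslog `imfile` inputs exist for each service log (V-259163, V-259164), and an XPath lookup whose empty result means the compiled-in default applies (V-259165). The following is an added example, not DISA or VMware code, that reproduces those check types as an offline audit script. File paths, the `rhttpproxy`/`envoy` account names and the 2048 default are taken from the STIG text; the sample directory tree it builds is constructed here for demonstration, and because a test host has no `rhttpproxy` or `envoy` accounts, the sample run uses the current account as the expected owner (on a real appliance, pass the real names and paths instead).

```python
"""Added example, not DISA or VMware code: applies the four check types from the Envoy STIG
above to a directory tree.  Paths, the rhttpproxy/envoy account names and the 2048 default
come from the STIG text; the tree built by build_sample_appliance() is constructed here."""
import grp, os, pwd, re, stat, tempfile
import xml.etree.ElementTree as ET

DEFAULT_MAX_CONNECTIONS = "2048"  # V-259165: an absent element means this default is in effect
RHTTPPROXY_LOGS = [f"/var/log/vmware/rhttpproxy/{f}" for f in ("rhttpproxy.log", "rproxy_init.log.stdout", "rproxy_init.log.stderr")]
ENVOY_LOGS = [f"/var/log/vmware/envoy/{f}" for f in ("envoy.log", "envoy-access.log", "envoy_init.log.stdout", "envoy_init.log.stderr")]

def _owner_names(st):  # (user, group) names for a stat result; numeric ids if no passwd/group entry exists
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)

def audit_log_dir(log_dir, owner, group):
    """V-259161: the STIG's find predicate, -xdev -type f -a ( -perm -o+w -o -not -user -o -not -group )."""
    findings, top_dev = [], os.lstat(log_dir).st_dev
    for root, dirs, files in os.walk(log_dir):
        dirs[:] = [d for d in dirs if os.lstat(os.path.join(root, d)).st_dev == top_dev]  # -xdev
        for name in files:
            path, st = os.path.join(root, name), os.lstat(os.path.join(root, name))
            if not stat.S_ISREG(st.st_mode):  # -type f: symlinks and sockets are not checked
                continue
            who = _owner_names(st)
            if st.st_mode & stat.S_IWOTH or who != (owner, group):
                findings.append(f"{path} mode={stat.S_IMODE(st.st_mode):o} owner={who[0]}:{who[1]}")
    return findings

def audit_private_key(key_path, owner, group):
    """V-259162: rui.key must be mode 600 and owned by owner:group; returns the deviations."""
    st, problems = os.stat(key_path), []
    who = _owner_names(st)
    if stat.S_IMODE(st.st_mode) != 0o600:
        problems.append(f"permissions are {stat.S_IMODE(st.st_mode):o}, expected 600")
    if who != (owner, group):
        problems.append(f"owned by {who[0]}:{who[1]}, expected {owner}:{group}")
    return problems

def audit_syslog_inputs(conf_path, expected_files):
    """V-259163/V-259164: returns expected logs with no imfile input() block in the rsyslog conf."""
    try:
        text = open(conf_path, encoding="utf-8").read()
    except FileNotFoundError:  # no conf at all: nothing is forwarded
        return list(expected_files)
    shipped = set()
    for block in re.findall(r"input\(([^)]*)\)", text):
        if re.search(r'type\s*=\s*"imfile"', block):
            shipped.update(re.findall(r'File\s*=\s*"([^"]+)"', block))
    return [f for f in expected_files if f not in shipped]

def audit_connection_limits(config_xml):
    """V-259165: both limits must read 2048; a missing/empty element ('XPath set is empty') means the default applies."""
    root, findings = ET.parse(config_xml).getroot(), []  # root is <config>, so the path is relative to it
    for name in ("maxRemoteHttpsConnections", "maxRemoteHttpConnections"):
        node = root.find(f"./envoy/L4Filter/{name}")
        value = (node.text or "").strip() if node is not None else ""
        if value and value != DEFAULT_MAX_CONNECTIONS:
            findings.append(f"{name}={value!r}")
    return findings

def _imfile(path, tag):  # one rsyslog imfile input in the layout the STIG expects
    return f'input(type="imfile"\n      File="{path}"\n      Tag="{tag}"\n      Severity="info"\n      Facility="local0")\n'

def build_sample_appliance(base):
    """Constructed tree under base: compliant except for one deliberate deviation per check type."""
    def put(rel, text, mode=0o640):
        path = os.path.join(base, rel.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    for log in RHTTPPROXY_LOGS + ENVOY_LOGS: put(log, "sample log line\n")
    put(ENVOY_LOGS[1], "sample log line\n", mode=0o646)  # envoy-access.log left other-writable
    put("etc/vmware-rhttpproxy/ssl/rui.key", "not-a-real-key\n", mode=0o640)  # should be 600
    put("etc/vmware-syslog/vmware-services-rhttpproxy.conf", "".join(_imfile(p, t) for p, t in
        zip(RHTTPPROXY_LOGS, ("rhttpproxy-main", "rhttpproxy-stdout", "rhttpproxy-stderr"))))
    put("etc/vmware-syslog/vmware-services-envoy.conf", "".join(_imfile(ENVOY_LOGS[i], t) for i, t in
        zip((0, 2, 3), ("envoy-main", "envoy-stdout", "envoy-stderr"))))  # access-log input omitted
    put("etc/vmware-rhttpproxy/config.xml", "<config><envoy><L4Filter>"
        "<maxRemoteHttpsConnections>2048</maxRemoteHttpsConnections>"
        "<maxRemoteHttpConnections>4096</maxRemoteHttpConnections></L4Filter></envoy></config>\n")  # should be 2048

def audit_sample_appliance():
    """Build the sample tree in a temp dir and audit it; the current account stands in for rhttpproxy/envoy."""
    base = tempfile.mkdtemp(prefix="envoy-stig-")
    build_sample_appliance(base)
    me, my_group = _owner_names(os.stat(base))
    p = lambda rel: os.path.join(base, rel)
    return {
        "V-259161": audit_log_dir(p("var/log/vmware/rhttpproxy"), me, my_group)
        + audit_log_dir(p("var/log/vmware/envoy"), me, my_group),
        "V-259162": audit_private_key(p("etc/vmware-rhttpproxy/ssl/rui.key"), me, my_group),
        "V-259163": audit_syslog_inputs(p("etc/vmware-syslog/vmware-services-rhttpproxy.conf"), RHTTPPROXY_LOGS),
        "V-259164": audit_syslog_inputs(p("etc/vmware-syslog/vmware-services-envoy.conf"), ENVOY_LOGS),
        "V-259165": audit_connection_limits(p("etc/vmware-rhttpproxy/config.xml")),
    }
```

Calling `audit_sample_appliance()` returns an empty list for V-259163 (the compliant rhttpproxy conf) and one finding each for the other four rules. Two details mirror the STIG's own commands rather than a looser reading: `audit_log_dir` only examines regular files on the same filesystem, as `find -xdev -type f` does, so a symlink dropped into the log directory is not itself reported; and `audit_connection_limits` treats a missing or empty element the way `xmllint` does ("XPath set is empty"), which the STIG accepts as the default being in effect, while any present value other than 2048 is a finding.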