STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SI-11 — Error Handling

CCI-001312

Definition

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.

Parent Control

SI-11Error HandlingSystem and Information Integrity

Linked STIG Checks (198)

V-237040CAT IIThe A10 Networks ADC, when used to load balance web applications, must strip HTTP response headers.A10 Networks ADC ALG Security Technical Implementation Guide V-237041CAT IIThe A10 Networks ADC, when used to load balance web applications, must replace response codes.A10 Networks ADC ALG Security Technical Implementation Guide V-279044CAT IIColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging.Adobe ColdFusion Security Technical Implementation Guide V-279050CAT IIColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.Adobe ColdFusion Security Technical Implementation Guide V-279071CAT IIColdFusion must have the Tomcat DefaultServlet debug parameter disabled.Adobe ColdFusion Security Technical Implementation Guide V-268118CAT IINixOS systemd-journald logs must have a mode of 0640 or less permissive.Anduril NixOS Security Technical Implementation Guide V-214256CAT IIWarning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-214257CAT IIDebugging and trace information used to diagnose the Apache web server must be disabled.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-214292CAT IIThe Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.Apache Server 2.4 UNIX Site Security Technical Implementation Guide V-214293CAT IIWarning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.Apache Server 2.4 UNIX Site Security Technical Implementation Guide V-214294CAT IIDebugging and trace information used to diagnose the Apache web server must be disabled.Apache Server 2.4 UNIX Site Security Technical Implementation Guide V-214339CAT IIWarning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.Apache Server 2.4 Windows Server Security Technical Implementation Guide V-214340CAT IIDebugging and trace information used to diagnose the Apache web server must be disabled.Apache Server 2.4 Windows Server Security Technical Implementation Guide V-214383CAT IIThe Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.Apache Server 2.4 Windows Site Security Technical Implementation Guide V-222975CAT IIErrorReportValve showServerInfo must be set to false.Apache Tomcat Application Server 9 Security Technical Implementation Guide V-259494CAT IIThe macOS system must disable sending diagnostic and usage data to Apple.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-259553CAT IIThe macOS system must configure Apple System Log files to be owned by root and group to wheel.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-259554CAT IIThe macOS system must configure Apple System Log files to mode 640 or less permissive.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-259556CAT IIThe macOS system must configure system log files to be owned by root and group to wheel.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-259557CAT IIThe macOS system must configure system log files to mode 640 or less permissive.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-268494CAT IIThe macOS system must disable sending diagnostic and usage data to Apple.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268550CAT IIThe macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268551CAT IIThe macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268552CAT IIThe macOS system must configure system log files owned by root and group to wheel.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268553CAT IIThe macOS system must configure system log files to mode 640 or less permissive.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277101CAT IIThe macOS system must disable sending diagnostic and usage data to Apple.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277158CAT IIThe macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277159CAT IIThe macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277161CAT IIThe macOS system must configure system log files owned by root and group to wheel.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277162CAT IIThe macOS system must configure system log files to mode 640 or less permissive.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-204969CAT IIThe ALG must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.Application Layer Gateway Security Requirements Guide V-274615CAT IIThe API must not disclose sensitive data in error messages.Application Programming Interface (API) Security Requirements Guide V-222610CAT IIThe application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Application Security and Development Security Technical Implementation Guide V-204773CAT IIThe application server must identify potentially security-relevant error conditions.Application Server Security Requirements Guide V-204774CAT IIThe application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.Application Server Security Requirements Guide V-237381CAT IIThe CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.CA API Gateway ALG Security Technical Implementation Guide V-251624CAT IIIDMS must suppress security-related messages so that no information is returned that can be exploited.CA IDMS Security Technical Implementation Guide V-251625CAT IICustom database code and associated application code must not contain information beyond what is needed for troubleshooting.CA IDMS Security Technical Implementation Guide V-251653CAT IIThe DBMS must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.CA IDMS Security Technical Implementation Guide V-219188CAT IIThe Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238337CAT IIThe Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260489CAT IIUbuntu 22.04 LTS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260490CAT IIUbuntu 22.04 LTS must generate system journal entries without revealing information that could be exploited by adversaries.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260512CAT IIUbuntu 22.04 LTS must be configured so that the "journalctl" command is not accessible by unauthorized users.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270756CAT IIUbuntu 24.04 LTS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270757CAT IIUbuntu 24.04 LTS must generate system journal entries without revealing information that could be exploited by adversaries.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270758CAT IIUbuntu 24.04 LTS must be configured so that the "journalctl" command is not accessible by unauthorized users.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-233133CAT IIThe container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Container Platform Security Requirements Guide V-233516CAT IIPostgreSQL must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Crunchy Data PostgreSQL Security Technical Implementation Guide V-261908CAT IIPostgreSQL must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Crunchy Data Postgres 16 Security Technical Implementation Guide V-206578CAT IIThe DBMS must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Database Security Requirements Guide V-224185CAT IIThe EDB Postgres Advanced Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-213611CAT IIThe EDB Postgres Advanced Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide V-260019CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-259266CAT IIThe EDB Postgres Advanced Server must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-278395CAT IINGINX must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.F5 NGINX Security Technical Implementation Guide V-233328CAT IIForescout must reveal error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and System Administrator (SA). This is required for compliance with C2C Step 1.Forescout Network Access Control Security Technical Implementation Guide V-203663CAT IIThe operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.General Purpose Operating System Security Requirements Guide V-221599CAT IIIChrome development tools must be disabled.Google Chrome Current Windows Security Technical Implementation Guide V-255242CAT IISSMC must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.HPE 3PAR SSMC Operating System Security Technical Implementation Guide V-213713CAT IIDB2 must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.IBM DB2 V10.5 LUW Security Technical Implementation Guide V-65241CAT IIThe DataPower Gateway must have ICMP responses disabled on all interfaces facing untrusted networks.IBM DataPower ALG Security Technical Implementation Guide V-255783CAT IIThe MQ Appliance messaging server must identify potentially security-relevant error conditions.IBM MQ Appliance V9.0 AS Security Technical Implementation Guide V-250325CAT IIThe WebSphere Liberty Server must log remote session and security activity.IBM WebSphere Liberty Server Security Technical Implementation Guide V-255820CAT IIThe WebSphere Application Server security auditing must be enabled.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-34788CAT IIThe IDPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide V-55355CAT IIThe IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules.Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide V-206893CAT IIThe IPS must block outbound Internet Control Message Protocol (ICMP) Destination Unreachable, Redirect, and Address Mask reply messages.Intrusion Detection and Prevention Systems Security Requirements Guide V-206894CAT IIThe IPS must block malicious Internet Control Message Protocol (ICMP) packets by properly configuring ICMP signatures and rules.Intrusion Detection and Prevention Systems Security Requirements Guide V-214536CAT IIThe Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.Juniper SRX Services Gateway ALG Security Technical Implementation Guide V-213777CAT IIThe DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MS SQL Server 2014 Database Security Technical Implementation Guide V-213917CAT IISQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MS SQL Server 2016 Database Security Technical Implementation Guide V-205524CAT IIThe Mainframe Product must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Mainframe Product Security Requirements Guide V-220374CAT IIMarkLogic Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MarkLogic Server v9 Security Technical Implementation Guide V-218810CAT IIWarning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 web server, patches, loaded modules, and directory paths.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-241789CAT IIIASP.NET version must be removed from the HTTP Response Header information.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-218760CAT IIWarning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.Microsoft IIS 10.0 Site Security Technical Implementation Guide V-218761CAT IIDebugging and trace information used to diagnose the IIS 10.0 website must be disabled.Microsoft IIS 10.0 Site Security Technical Implementation Guide V-278953CAT IIHTTPAPI Server version must be removed from the HTTP Response Header information.Microsoft IIS 10.0 Site Security Technical Implementation Guide V-223056CAT IIIInternet Explorer Development Tools Must Be Disabled.Microsoft Internet Explorer 11 Security Technical Implementation Guide V-271179CAT IISQL Server must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Microsoft SQL Server 2022 Database Security Technical Implementation Guide V-253393CAT IIWindows Telemetry must not be configured to Full.Microsoft Windows 11 Security Technical Implementation Guide V-215640CAT IIThe DNS Name Server software must be configured to refuse queries for its version information.Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide V-215641CAT IIThe HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide V-254240CAT IWindows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.Microsoft Windows Server 2022 Security Technical Implementation Guide V-277987CAT IWindows Server 2025 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.Microsoft Windows Server 2025 Security Technical Implementation Guide V-221183CAT IIMongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide V-252168CAT IIMongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide V-265931CAT IIMongoDB must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide V-279367CAT IIMongoDB must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-251559CAT IIIFirefox development tools must be disabled.Mozilla Firefox Security Technical Implementation Guide V-254232CAT IINutanix AOS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279667CAT IINutanix AHV must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Nutanix Acropolis GPOS Security Technical Implementation Guide V-219785CAT IIThe DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.Oracle Database 11.2g Security Technical Implementation Guide V-220301CAT IIThe DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.Oracle Database 12c Security Technical Implementation Guide V-270583CAT IIOracle Database must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.Oracle Database 19c Security Technical Implementation Guide V-221546CAT IIIOHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221547CAT IIOHS must have the ServerSignature directive disabled.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221548CAT IIIOHS must have the ServerTokens directive set to limit the response header.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221549CAT IIOHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221550CAT IIOHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221551CAT IIIOHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221552CAT IIIOHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221553CAT IIDebugging and trace information used to diagnose OHS must be disabled.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-235993CAT IIIOracle WebLogic must identify potentially security-relevant error conditions.Oracle WebLogic Server 12c Security Technical Implementation Guide V-235994CAT IIOracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.Oracle WebLogic Server 12c Security Technical Implementation Guide V-207698CAT IIThe Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.Palo Alto Networks IDPS Security Technical Implementation Guide V-207699CAT IIThe Palo Alto Networks security platform must block malicious ICMP packets.Palo Alto Networks IDPS Security Technical Implementation Guide V-253541CAT IIPrisma Cloud Compute must not write sensitive data to event logs.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-214053CAT IIPostgreSQL must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.PostgreSQL 9.x Security Technical Implementation Guide V-275583CAT IIUbuntu OS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Riverbed NetIM OS Security Technical Implementation Guide V-275584CAT IIUbuntu OS must generate system journal entries without revealing information that could be exploited by adversaries.Riverbed NetIM OS Security Technical Implementation Guide V-275606CAT IIUbuntu OS must be configured so that the "journalctl" command is not accessible by unauthorized users.Riverbed NetIM OS Security Technical Implementation Guide V-206740CAT IIThe SDN controller must be configured to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.SDN Controller Security Requirements Guide V-261309CAT IISLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-279194CAT IIThe Edge SWG must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.Symantec Edge SWG ALG Security Technical Implementation Guide V-94331CAT IISymantec ProxySG must tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.Symantec ProxySG ALG Security Technical Implementation Guide V-253788CAT IIThe Tanium application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Tanium 7.x Security Technical Implementation Guide V-242194CAT IIThe TPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.Trend Micro TippingPoint IDPS Security Technical Implementation Guide V-242195CAT IIThe TPS must block malicious ICMP packets by properly configuring ICMP signatures and rules.Trend Micro TippingPoint IDPS Security Technical Implementation Guide V-282580CAT IITOSS 5 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-234424CAT IIThe UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Unified Endpoint Management Server Security Requirements Guide V-240070CAT IIHAProxy must provide default error files.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240071CAT IIHAProxy must not be started with the debug switch.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240255CAT IILighttpd must disable directory browsing.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240256CAT IILighttpd must not be configured to use mod_status.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240257CAT IILighttpd must have debug logging disabled.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240830CAT IItc Server HORIZON must set the welcome-file node to a default web page.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240831CAT IItc Server VCO must set the welcome-file node to a default web page.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240832CAT IItc Server VCAC must set the welcome-file node to a default web page.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240833CAT IItc Server HORIZON must have the allowTrace parameter set to false.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240834CAT IItc Server VCO must have the allowTrace parameter set to false.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240835CAT IItc Server VCAC must have the allowTrace parameter set to false.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240836CAT IItc Server HORIZON must have the debug option turned off.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240837CAT IItc Server VCO must have the debug option turned off.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240838CAT IItc Server VCAC must have the debug option turned off.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240948CAT IIThe vAMI error logs must be reviewed.VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide V-240973CAT IIvIDM must be configured to log activity to the horizon.log file.VMware vRealize Automation 7.x vIDM Security Technical Implementation Guide V-241685CAT IItc Server UI must set the welcome-file node to a default web page.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241686CAT IItc Server CaSa must set the welcome-file node to a default web page.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241687CAT IItc Server API must set the welcome-file node to a default web page.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241688CAT IItc Server UI must have the allowTrace parameter set to false.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241689CAT IItc Server CaSa must have the allowTrace parameter set to false.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241690CAT IItc Server API must have the allowTrace parameter set to false.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241691CAT IItc Server UI must have the debug option turned off.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241692CAT IItc Server CaSa must have the debug option turned off.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241693CAT IItc Server API must have the debug option turned off.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-256664CAT IIVAMI must disable directory browsing.VMware vSphere 7.0 VAMI Security Technical Implementation Guide V-256665CAT IIVAMI must not be configured to use "mod_status".VMware vSphere 7.0 VAMI Security Technical Implementation Guide V-256666CAT IIVAMI must have debug logging disabled.VMware vSphere 7.0 VAMI Security Technical Implementation Guide V-256671CAT IIVAMI must be configured to hide the server type and version in client responses.VMware vSphere 7.0 VAMI Security Technical Implementation Guide V-256694CAT IIESX Agent Manager must set the welcome-file node to a default web page.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256695CAT IIESX Agent Manager must not show directory listings.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256696CAT IIESX Agent Manager must be configured to show error pages with minimal information.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256697CAT IIESX Agent Manager must be configured to not show error reports.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256698CAT IIESX Agent Manager must hide the server version.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256699CAT IIESX Agent Manager must not enable support for TRACE requests.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256700CAT IIESX Agent Manager must have the debug option disabled.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256726CAT IILookup Service must set the welcome-file node to a default web page.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256727CAT IIThe Lookup Service must not show directory listings.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256728CAT IILookup Service must be configured to hide the server version.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256729CAT IILookup Service must be configured to show error pages with minimal information.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256730CAT IILookup Service must not enable support for TRACE requests.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256731CAT IILookup Service must have the debug option turned off.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256632CAT IIPerformance Charts must set the welcome-file node to a default web page.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256633CAT IIPerformance Charts must not show directory listings.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256634CAT IIPerformance Charts must be configured to show error pages with minimal information.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256635CAT IIPerformance Charts must be configured to not show error reports.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256636CAT IIPerformance Charts must hide the server version.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256637CAT IIPerformance Charts must not enable support for TRACE requests.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256638CAT IIPerformance Charts must have the debug option turned off.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256606CAT IIVMware Postgres must provide nonprivileged users with minimal error information.VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-256766CAT IIThe Security Token Service must set the welcome-file node to a default web page.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256767CAT IIThe Security Token Service must not show directory listings.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256768CAT IIThe Security Token Service must be configured to not show error reports.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256769CAT IIThe Security Token Service must not enable support for TRACE requests.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256770CAT IIThe Security Token Service must have the debug option disabled.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256799CAT IIvSphere UI must set the welcome-file node to a default web page.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-256800CAT IIThe vSphere UI must not show directory listings.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-256801CAT IIvSphere UI must be configured to hide the server version.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-256802CAT IIvSphere UI must be configured to show error pages with minimal information.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-256803CAT IIvSphere UI must not enable support for TRACE requests.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-256804CAT IIvSphere UI must have the debug option turned off.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-259014CAT IIThe vCenter ESX Agent Manager service "ErrorReportValve showServerInfo" must be set to "false".VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide V-259048CAT IIThe vCenter Lookup service "ErrorReportValve showServerInfo" must be set to "false".VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-259151CAT IIThe vCenter VAMI service must disable directory listing.VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide V-259152CAT IIThe vCenter VAMI service must not be configured to use the "mod_status" module.VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide V-259153CAT IIThe vCenter VAMI service must have debug logging disabled.VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide V-259082CAT IIThe vCenter Perfcharts service "ErrorReportValve showServerInfo" must be set to "false".VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-258831CAT IIThe Photon operating system /var/log directory must be restricted.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-259180CAT IIThe vCenter PostgreSQL service must provide nonprivileged users with minimal error information.VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-258982CAT IIThe vCenter STS service "ErrorReportValve showServerInfo" must be set to "false".VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide V-259115CAT IIThe vCenter UI service "ErrorReportValve showServerInfo" must be set to "false".VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide V-207410CAT IIThe VMM must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.Virtual Machine Manager Security Requirements Guide V-206411CAT IIThe web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.Web Server Security Requirements Guide V-206412CAT IIWarning and error messages displayed to clients must be modified to minimize the identity of the web server, patches, loaded modules, and directory paths.Web Server Security Requirements Guide V-206413CAT IIDebugging and trace information used to diagnose the web server must be disabled.Web Server Security Requirements Guide V-269580CAT IIThe Xylok Security Suite configuration for DEBUG must be False.Xylok Security Suite 20.x Security Technical Implementation Guide