
V-256737

CAT II (Medium)

Envoy must drop connections to disconnected clients.

Rule ID

SV-256737r889149_rule

STIG

VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000054

Discussion

Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.

Check Content

At the command prompt, run the following command:

# xmllint --xpath '/config/envoy/L4Filter/tcpKeepAliveTimeSec/text()' /etc/vmware-rhttpproxy/config.xml

Expected result:

180

or

XPath set is empty

If the output does not match the expected result, this is a finding.
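The check above can be scripted so the two passing outcomes (an explicit 180, or no element at all because the three-minute default applies) are handled consistently across many appliances. The following is an added example, not code from the STIG or from STIGhub: it reimplements the xmllint XPath query with Python's xml.etree and applies the rule's pass criteria, assuming <config> carries no XML namespace; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Passing results per V-256737: an explicit 180 seconds, or no setting at all
# (Envoy's hard-coded three-minute idle default then applies).
EXPECTED_SECONDS = "180"
EMPTY = "XPath set is empty"          # the text xmllint prints for no match
XPATH = "envoy/L4Filter/tcpKeepAliveTimeSec"   # relative to the <config> root


def observe_keepalive(xml_text: str) -> str:
    """Mirror the STIG's xmllint query: return the text of
    /config/envoy/L4Filter/tcpKeepAliveTimeSec, or EMPTY when the element
    (or its text node) is absent. Whitespace is stripped; more than one
    element is reported joined so it fails the comparison, as it should."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":          # absolute XPath starts at /config
        return EMPTY
    texts = [n.text.strip() for n in root.findall(XPATH)
             if n.text and n.text.strip()]
    return ",".join(texts) if texts else EMPTY


def is_compliant(observed: str) -> bool:
    """Apply the rule's expected results: 180 or an empty XPath set."""
    return observed in (EXPECTED_SECONDS, EMPTY)


def audit(xml_text: str) -> tuple[bool, str]:
    """Return (compliant, observed value) for one config document."""
    observed = observe_keepalive(xml_text)
    return is_compliant(observed), observed


def audit_file(path: str) -> tuple[bool, str]:
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


# Constructed sample documents (not copied from a real appliance).
CONFIG_DEFAULT = "<config><envoy><L4Filter/></envoy></config>"
CONFIG_EXPLICIT = ("<config><envoy><L4Filter><tcpKeepAliveTimeSec>180"
                   "</tcpKeepAliveTimeSec></L4Filter></envoy></config>")
CONFIG_FINDING = ("<config><envoy><L4Filter><tcpKeepAliveTimeSec>600"
                  "</tcpKeepAliveTimeSec></L4Filter></envoy></config>")

if __name__ == "__main__":
    for name, doc in (("default", CONFIG_DEFAULT), ("explicit", CONFIG_EXPLICIT),
                      ("finding", CONFIG_FINDING)):
        ok, seen = audit(doc)
        print(f"{name}: observed={seen!r} -> {'pass' if ok else 'FINDING'}")
```

On a live appliance call audit_file("/etc/vmware-rhttpproxy/config.xml") instead of the constructed samples.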

Fix Text

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<envoy>/<L4Filter> block and configure <tcpKeepAliveTimeSec> as follows:

<tcpKeepAliveTimeSec>180</tcpKeepAliveTimeSec>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy