← Back to VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

V-241637

CAT I (High)

tc Server ALL must exclude documentation, sample code, example applications, and tutorials.

Rule ID

SV-241637r879587_rule

STIG

VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000381

Discussion

Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. Because tc Server is installed as part of the entire vROps application, and not installed separately, VMware has ensured that all documentation, sample code, example applications, and tutorials have been removed from tc Server as part of the build process.

Check Content

Obtain supporting documentation from the ISSO.

Review the web server documentation and deployed configuration to determine if documentation, sample code, example applications, and tutorials have been removed.

If documentation, sample code, example applications, and tutorials have not been removed, this is a finding.

Fix Text

Document the removal of all documentation, sample code, example applications, and tutorials and ensure the web server configuration does not contain any documentation, sample code, example applications, and tutorials.