The vCenter STS service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-258986 | VCST-80-000126 | SV-258986r934616_rule | Medium |
| Description |
|---|
| KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. Tomcat can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62726r934614_chk ) |
|---|
| The connection timeout should not be unlimited by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding. |
| Fix Text (F-62635r934615_fix) |
|---|
| Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Configure the maxKeepAliveRequests="100" Restart the service with the following command: # vmon-cli --restart sts |