The vCenter UI service must limit privileges for creating or modifying hosted application shared files.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259109	VCUI-80-000034	SV-259109r935231_rule		Medium

Description
Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that nonprivileged users cannot modify any shared library code at all. Ensuring the Security Lifecycle Listener element is uncommented and sets a minimum Umask value will allow the server to perform a number of security checks when starting and prevent the service from starting if they fail.

Description

Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that nonprivileged users cannot modify any shared library code at all. Ensuring the Security Lifecycle Listener element is uncommented and sets a minimum Umask value will allow the server to perform a number of security checks when starting and prevent the service from starting if they fail.

STIG	Date
VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide	2023-10-29

Details

Check Text ( C-62849r935229_chk )
At the command prompt, run the following command: # xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-vsphere-ui/server/conf/server.xml Example result: If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding. If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and is not "0007", this is a finding.

Check Text ( C-62849r935229_chk )

At the command prompt, run the following command:

# xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Example result:

If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding.

If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and is not "0007", this is a finding.

Fix Text (F-62758r935230_fix)
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/server.xml Navigate to the node and add or update the "org.apache.catalina.security.SecurityListener" as follows: Restart the service with the following command: # vmon-cli --restart vsphere-ui