
HAProxy must limit access to the statistics feature.


Overview

Finding ID: V-89153
Version: VRAU-HA-000130
Rule ID: SV-99803r1_rule
IA Controls: (none listed)
Severity: Medium
Description
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to be accessible on a production DoD system. HAProxy provides a statistics page, which will display server statistics to any web browser if HAProxy has not been configured to bind the statistics interface to a UNIX socket.
STIG: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide
Date: 2018-10-12

Details

Check Text ( C-88845r1_chk )
At the command prompt, execute the following command:

grep 'stats socket' /etc/haproxy/haproxy.cfg

If the command does not return the line below, this is a finding.

stats socket /var/run/haproxy.sock mode 600 level admin
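The following is an added example, not part of the STIG text or of HAProxy itself: a small POSIX shell function that applies this check to a given haproxy.cfg and returns pass or finding, plus two constructed sample configurations (one with the required stats socket line, one that instead exposes statistics over HTTP). The file paths and the make_samples helper are assumptions for demonstration only.

```shell
#!/bin/sh
# Added example: evaluate the VRAU-HA-000130 check against an HAProxy config file.
# The line the STIG expects (copied from the check text above).
EXPECTED='stats socket /var/run/haproxy.sock mode 600 level admin'

# check_stats_socket <config-file>
# Returns 0 (pass) if the file contains the expected 'stats socket' line,
# 1 (finding) if it does not, 2 if the file cannot be read.
# Leading indentation and repeated internal whitespace are normalised so an
# indented line inside the 'global' section still counts; commented-out lines
# ('# stats socket ...') do not match because the comparison is whole-line.
check_stats_socket() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    if grep 'stats socket' "$cfg" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]\{1,\}/ /g; s/[[:space:]]*$//' \
        | grep -qx "$EXPECTED"; then
        return 0
    fi
    return 1
}

# make_samples: writes two constructed (not real) configurations into a temp
# directory and prints that directory's path. Hypothetical helper for the demo.
make_samples() {
    dir=$(mktemp -d) || return 1
    # Compliant: statistics bound to the admin-level UNIX socket.
    cat > "$dir/compliant.cfg" <<'EOF'
global
    log /dev/log local0
    stats socket /var/run/haproxy.sock mode 600 level admin
defaults
    mode http
EOF
    # Finding: no UNIX socket; statistics page served over HTTP to any browser.
    cat > "$dir/finding.cfg" <<'EOF'
global
    log /dev/log local0
listen stats
    bind *:8404
    stats enable
    stats uri /stats
EOF
    echo "$dir"
}

# Demonstration when run directly: report the result for both samples.
if [ "${DEMO:-1}" = "1" ]; then
    d=$(make_samples)
    for f in "$d/compliant.cfg" "$d/finding.cfg"; do
        if check_stats_socket "$f"; then
            echo "PASS    $f"
        else
            echo "FINDING $f"
        fi
    done
fi
```

To run this against a real system, call check_stats_socket /etc/haproxy/haproxy.cfg and act on the exit status; the whitespace normalisation is the only way it differs from the literal grep in the check text, and it exists so that an indented but otherwise identical directive is not reported as a false finding.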
Fix Text (F-95895r1_fix)
Uninstall or deactivate features, services, and processes not needed by the web server for operation.