HAProxy must be run in a chroot jail.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-89157 | VRAU-HA-000175 | SV-99807r1_rule | Medium |
| Description |
|---|
| Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88849r1_chk ) |
|---|
| At the command prompt, execute the following command: grep 'chroot' /etc/haproxy/haproxy.cfg If the value "/var/lib/haproxy" is not listed, this is a finding. |
| Fix Text (F-95899r2_fix) |
|---|
| Navigate to and open /etc/haproxy/haproxy.cfg Navigate to and configure the globals section with the following value: 'chroot /var/lib/haproxy' |