HAProxy must limit access to the statistics feature.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-240058 | VRAU-HA-000130 | SV-240058r879587_rule | Medium |
| Description |
|---|
| A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to be accessible on a production DoD system. HAProxy provide a statistics page, which will display web browser statistics from any web browser if HAProxy has not been configured to connect the server statistics to a UNIX socket. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide | 2023-09-12 |
Details
| Check Text ( C-43291r665341_chk ) |
|---|
| At the command prompt, execute the following command: grep 'stats socket' /etc/haproxy/haproxy.cfg If the command does not return the line below, this is a finding. stats socket /var/run/haproxy.sock mode 600 level admin |
| Fix Text (F-43250r665342_fix) |
|---|
| Uninstall or deactivate features, services, and processes not needed by the web server for operation. |