| V-89273 | High | Lighttpd must not use symbolic links in the Lighttpd web content directory tree. | A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and... |
| V-89259 | High | Lighttpd must only contain components that are operationally necessary. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production... |
| V-89297 | High | Lighttpd must be configured to utilize the Common Information Model Object Manager. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-89317 | High | Lighttpd must use an approved TLS version for encryption. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
| V-89285 | High | Lighttpd must have the latest version installed. | Allowing malicious users the capability to traverse server directory tree can create significant vulnerabilities. Such information and the contents of files listed should not be normally readable... |
| V-89283 | High | Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the... |
| V-89231 | Medium | Lighttpd must produce log records containing sufficient information to establish what type of events occurred. | Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events... |
| V-89253 | Medium | Lighttpd files must be verified for their integrity before being added to a production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the... |
| V-89263 | Medium | Lighttpd must only enable mappings to necessary and approved scripts. | Lighttpd will only allow or deny script execution based on file extension. The ability to control script execution is controlled with the cgi.assign variable in lighttpd.conf. For script mappings,... |
| V-89255 | Medium | Lighttpd expansion modules must be verified for their integrity before being added to a production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the... |
| V-89233 | Medium | Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred. | Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly... |
| V-89271 | Medium | Lighttpd must prevent hosted applications from exhausting system resources. | When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to... |
| V-89277 | Medium | Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
| V-89275 | Medium | Lighttpd must be configured to use port 5480. | Lighttpd is used as the web server for vRealize Automation's Virtual Appliance Management Interface (vAMI). To segregate appliance management from appliance operation, Lighttpd can be configured... |
| V-89295 | Medium | Lighttpd must have debug logging disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
| V-89279 | Medium | Lighttpd must have private key access restricted. | Lighttpd's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients.
Only... |
| V-89291 | Medium | Lighttpd must disable directory browsing. | If not disabled, the directory listing feature can be used to facilitate a directory traversal exploit. Directory listing must be disabled.
Lighttpd provides a configuration setting,... |
| V-89293 | Medium | Lighttpd must not be configured to use mod_status. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and... |
| V-89311 | Medium | Lighttpd must be protected from being stopped by a non-privileged user. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration.
To prohibit... |
| V-89313 | Medium | Lighttpd must be configured to use the SSL engine. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-89315 | Medium | Lighttpd must be configured to use the SSL engine. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-89239 | Medium | Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events. | Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By... |
| V-89319 | Medium | Lighttpd must remove all export ciphers to transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The Lighttpd will reply with... |
| V-89237 | Medium | Lighttpd must produce log records containing sufficient information to establish the source of events. | Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the... |
| V-89235 | Medium | Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred. | Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will... |
| V-89219 | Medium | Lighttpd must limit the number of simultaneous requests. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include... |
| V-89257 | Medium | Lighttpd must prohibit unnecessary services, functions or processes. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application... |
| V-90327 | Medium | Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-90325 | Medium | Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-90329 | Medium | Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89305 | Medium | Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files. | As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the... |
| V-90339 | Medium | Lighttpd must be configured to use syslog. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic... |
| V-89223 | Medium | Lighttpd must be configured to use the SSL engine. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-89265 | Medium | Lighttpd must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in Lighttpd that can serve that type of file to a requesting client and to identify which file types are not to be... |
| V-89267 | Medium | Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to... |
| V-89261 | Medium | Lighttpd must have MIME types for csh or sh shell programs disabled. | Users must not be allowed to access the shell programs. Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web... |
| V-89289 | Medium | Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks. | In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe or network connection. File descriptors index... |
| V-89287 | Medium | The Lighttpd baseline must be maintained. | Without maintenance of a baseline of current Lighttpd software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to Lighttpd could be... |
| V-89281 | Medium | Lighttpd must be configured to use only FIPS 140-2 approved ciphers. | Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken... |
| V-89221 | Medium | Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required.
Without the use of TLS, the... |
| V-89325 | Medium | Lighttpd must disable IP forwarding. | IP forwarding permits Lighttpd to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.... |
| V-89249 | Medium | Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89225 | Medium | Lighttpd must be configured to use mod_accesslog. | Lighttpd is the administration panel for vRealize Automation. Because it is intended to provide remote access to the appliance, vRA must provide remote access information to external monitoring... |
| V-89321 | Medium | Lighttpd must be configured to use SSL. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-89227 | Medium | Lighttpd must generate log records for system startup and shutdown. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-89323 | Medium | Lighttpd must have the latest approved security-relevant software updates installed. | All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being... |
| V-89229 | Medium | Lighttpd must capture, record, and log the IP address associated with a user session. | A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user.
Lighttpd logs... |
| V-89307 | Medium | Lighttpd must not be configured to listen to unnecessary ports. | Web servers must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM... |
| V-89241 | Medium | Lighttpd must have the correct ownership on the log files to ensure they are only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89309 | Medium | Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required.
Without the use of TLS, the... |
| V-89247 | Medium | Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89303 | Medium | Lighttpd must record time stamps for log records to a minimum granularity of time. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records.
Time stamps generated by the web server include date and time and... |
| V-89245 | Medium | Lighttpd must have the correct permissions on the log files to ensure they are only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-89301 | Medium | Lighttpd audit records must be mapped to a time stamp. | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records.
Time stamps generated by... |
| V-90335 | Medium | Lighttpd must restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-89243 | Medium | Lighttpd must have the correct group-ownership on the log files to ensure they are only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-90337 | Medium | Lighttpd must be configured to use syslog. | Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency... |
| V-90331 | Medium | Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-90333 | Medium | Lighttpd proxy settings must be configured. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy... |
| V-89251 | Medium | Lighttpd log data and records must be backed up onto a different system or media. | Protection of Lighttpd log data includes assuring log data is not accidentally lost or deleted. Backing up Lighttpd log records to an unrelated system or onto separate media than the system the... |
| V-89269 | Medium | Lighttpd must not have the webdav configuration file included. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to... |
| V-89299 | Medium | The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the... |
