VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide


Overview

Date: 2018-10-12
Finding Count (62): CAT I (High): 6, CAT II (Med): 56, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-89273 High Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
V-89259 High Lighttpd must only contain components that are operationally necessary.
V-89297 High Lighttpd must be configured to utilize the Common Information Model Object Manager.
V-89317 High Lighttpd must use an approved TLS version for encryption.
V-89285 High Lighttpd must have the latest version installed.
V-89283 High Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
V-89231 Medium Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
V-89253 Medium Lighttpd files must be verified for their integrity before being added to a production web server.
V-89263 Medium Lighttpd must only enable mappings to necessary and approved scripts.
V-89255 Medium Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
V-89233 Medium Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
V-89271 Medium Lighttpd must prevent hosted applications from exhausting system resources.
V-89277 Medium Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
V-89275 Medium Lighttpd must be configured to use port 5480.
V-89295 Medium Lighttpd must have debug logging disabled.
V-89279 Medium Lighttpd must have private key access restricted.
V-89291 Medium Lighttpd must disable directory browsing.
V-89293 Medium Lighttpd must not be configured to use mod_status.
V-89311 Medium Lighttpd must be protected from being stopped by a non-privileged user.
V-89313 Medium Lighttpd must be configured to use the SSL engine.
V-89315 Medium Lighttpd must be configured to use the SSL engine.
V-89239 Medium Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
V-89319 Medium Lighttpd must remove all export ciphers to transmitted information.
V-89237 Medium Lighttpd must produce log records containing sufficient information to establish the source of events.
V-89235 Medium Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
V-89219 Medium Lighttpd must limit the number of simultaneous requests.
V-89257 Medium Lighttpd must prohibit unnecessary services, functions or processes.
V-90327 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
V-90325 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
V-90329 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
V-89305 Medium Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
V-90339 Medium Lighttpd must be configured to use syslog.
V-89223 Medium Lighttpd must be configured to use the SSL engine.
V-89265 Medium Lighttpd must have resource mappings set to disable the serving of certain file types.
V-89267 Medium Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
V-89261 Medium Lighttpd must have MIME types for csh or sh shell programs disabled.
V-89289 Medium Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
V-89287 Medium The Lighttpd baseline must be maintained.
V-89281 Medium Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
V-89221 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
V-89325 Medium Lighttpd must disable IP forwarding.
V-89249 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
V-89225 Medium Lighttpd must be configured to use mod_accesslog.
V-89321 Medium Lighttpd must be configured to use SSL.
V-89227 Medium Lighttpd must generate log records for system startup and shutdown.
V-89323 Medium Lighttpd must have the latest approved security-relevant software updates installed.
V-89229 Medium Lighttpd must capture, record, and log the IP address associated with a user session.
V-89307 Medium Lighttpd must not be configured to listen to unnecessary ports.
V-89241 Medium Lighttpd must have the correct ownership on the log files to ensure they are only accessible by privileged users.
V-89309 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
V-89247 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
V-89303 Medium Lighttpd must record time stamps for log records to a minimum granularity of time.
V-89245 Medium Lighttpd must have the correct permissions on the log files to ensure they are only accessible by privileged users.
V-89301 Medium Lighttpd audit records must be mapped to a time stamp.
V-90335 Medium Lighttpd must restrict inbound connections from nonsecure zones.
V-89243 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are only accessible by privileged users.
V-90337 Medium Lighttpd must be configured to use syslog.
V-90331 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
V-90333 Medium Lighttpd proxy settings must be configured.
V-89251 Medium Lighttpd log data and records must be backed up onto a different system or media.
V-89269 Medium Lighttpd must not have the webdav configuration file included.
V-89299 Medium The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.