
VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide


Overview

Date: 2023-09-12
Finding Count: 62 (CAT I (High): 7, CAT II (Med): 55, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-240239 High Lighttpd must only contain components that are operationally necessary.
V-258452 High The version of vRealize Automation 7.x Lighttpd running on the system must be a supported version.
V-240246 High Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
V-240271 High Lighttpd must use an approved TLS version for encryption.
V-240258 High Lighttpd must be configured to utilize the Common Information Model Object Manager.
V-240251 High Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
V-240252 High Lighttpd must have the latest version installed.
V-240236 Medium Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
V-240237 Medium Lighttpd must prohibit unnecessary services, functions or processes.
V-240234 Medium Lighttpd log data and records must be backed up onto a different system or media.
V-240235 Medium Lighttpd files must be verified for their integrity before being added to a production web server.
V-240232 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
V-240215 Medium Lighttpd must limit the number of simultaneous requests.
V-240230 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
V-240217 Medium Lighttpd must be configured to use the SSL engine.
V-240218 Medium Lighttpd must be configured to use mod_accesslog.
V-240219 Medium Lighttpd must generate log records for system startup and shutdown.
V-240238 Medium Lighttpd proxy settings must be configured.
V-240233 Medium Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
V-240265 Medium Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
V-240216 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
V-240228 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
V-240231 Medium Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
V-240243 Medium Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
V-240229 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
V-240264 Medium Lighttpd must record time stamps for log records to a minimum granularity of time.
V-240267 Medium Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
V-240266 Medium Lighttpd must not be configured to listen to unnecessary ports.
V-240261 Medium Lighttpd must be configured to use syslog.
V-240260 Medium Lighttpd must be configured to use syslog.
V-240249 Medium Lighttpd must have private key access restricted.
V-240248 Medium Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
V-240221 Medium Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
V-240220 Medium Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
V-240223 Medium Lighttpd must produce log records containing sufficient information to establish the source of events.
V-240222 Medium Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
V-240225 Medium Lighttpd must have the correct ownership on the log files to ensure they are only accessible by privileged users.
V-240224 Medium Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
V-240227 Medium Lighttpd must have the correct permissions on the log files to ensure they are only accessible by privileged users.
V-240226 Medium Lighttpd must have the correct group-ownership on the log files to ensure they are only accessible by privileged users.
V-240263 Medium Lighttpd audit records must be mapped to a time stamp.
V-240262 Medium The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
V-240247 Medium Lighttpd must be configured to use port 5480.
V-240253 Medium The Lighttpd baseline must be maintained.
V-240273 Medium Lighttpd must be configured to use SSL.
V-240245 Medium Lighttpd must prevent hosted applications from exhausting system resources.
V-240244 Medium Lighttpd must not have the webdav configuration file included.
V-240269 Medium Lighttpd must be configured to use the SSL engine.
V-240241 Medium Lighttpd must only enable mappings to necessary and approved scripts.
V-240242 Medium Lighttpd must have resource mappings set to disable the serving of certain file types.
V-240272 Medium Lighttpd must remove all export ciphers to transmitted information.
V-240268 Medium Lighttpd must be protected from being stopped by a non-privileged user.
V-240270 Medium Lighttpd must be configured to use the SSL engine.
V-240259 Medium Lighttpd must restrict inbound connections from nonsecure zones.
V-240274 Medium Lighttpd must have the latest approved security-relevant software updates installed.
V-240275 Medium Lighttpd must disable IP forwarding.
V-240254 Medium Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
V-240255 Medium Lighttpd must disable directory browsing.
V-240256 Medium Lighttpd must not be configured to use mod_status.
V-240257 Medium Lighttpd must have debug logging disabled.
V-240250 Medium Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
V-240240 Medium Lighttpd must have MIME types for csh or sh shell programs disabled.