Lighttpd must have resource mappings set to disable the serving of certain file types.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-240242	VRAU-LI-000195	SV-240242r879587_rule		Medium

Description
Resource mapping is the process of tying a particular file type to a process in Lighttpd that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. Lighttpd provides the url.access-deny parameter to specify a blacklist of file types which should be denied.

STIG	Date
VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide	2023-09-12

Details

Check Text ( C-43475r668015_chk )
Obtain supporting documentation from the ISSO. Determine the file types (blacklist) that are deemed for denial. Note: Lighttpd provides the url.access-deny parameter to specify the blacklist of files. Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the url.access-deny parameter. If url.access-deny parameter is not configured with the file types that are blacklisted, this is a finding. If url.access-deny parameter is not set properly, this is a finding.

Check Text ( C-43475r668015_chk )

Obtain supporting documentation from the ISSO.

Determine the file types (blacklist) that are deemed for denial.

Note: Lighttpd provides the url.access-deny parameter to specify the blacklist of files.

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file

Navigate to the url.access-deny parameter.

If url.access-deny parameter is not configured with the file types that are blacklisted, this is a finding.

If url.access-deny parameter is not set properly, this is a finding.

Fix Text (F-43434r667902_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Navigate to the url.access-deny parameter. Configure the url.access-deny parameter with the file types that are blacklisted.