Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-240256 | VRAU-LI-000350 | SV-240256r879655_rule | | Medium |
Description |
---|
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered by the organization and development team. Lighttpd must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The mod_status module generates the status overview of the webserver. The information covers: uptime, average throughput, current throughput, and active connections and their state. While this information is useful on a development system, production systems must not have mod_status enabled. |
STIG | Date |
---|---|
VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide | 2023-09-12 |
Check Text (C-43489r667943_chk) |
---|
At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/' If the "mod_status" module is listed, this is a finding. |
Fix Text (F-43448r667944_fix) |
---|
Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file. Navigate to the "server.modules" section. In the "server.modules" section, delete the "mod_status" entry. |
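
The check command above prints every line of the "server.modules" block, including commented-out entries, so the output still has to be read by eye. The following is an added example, not part of the STIG, that lists only the active module entries and reports whether mod_status is among them. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether mod_status is actually enabled in a
# lighttpd config, ignoring commented-out entries.

# Print one enabled module name per line from the config file given as $1.
# Handles both "server.modules = ( ... )" and "server.modules += ( ... )".
enabled_modules() {
    awk '
        /^[ \t]*server\.modules/ { in_block = 1 }   # list starts here
        in_block {
            line = $0
            sub(/#.*/, "", line)                   # drop trailing/full-line comments
            while (match(line, /"[^"]+"/)) {       # each quoted module name
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (line ~ /\)/) in_block = 0          # closing parenthesis ends the list
        }
    ' "$1"
}

# Exit status 0 means mod_status is enabled (a finding), 1 means it is not.
mod_status_enabled() {
    enabled_modules "$1" | grep -qx 'mod_status'
}

# Constructed sample config (not taken from a real appliance): mod_status
# is present only as a commented-out entry, so this is not a finding.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server.modules = (
    "mod_access",
#   "mod_status",
    "mod_fastcgi"
)
EOF

if mod_status_enabled "$sample"; then
    echo "finding: mod_status is enabled"
else
    echo "not a finding: mod_status is not enabled"
fi
rm -f "$sample"
```

On the appliance, the function would be pointed at /opt/vmware/etc/lighttpd/lighttpd.conf instead of the sample file.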