UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

tc Server VCO must perform server-side session management.


Overview

Finding ID Version Rule ID IA Controls Severity
V-240735 VRAU-TC-000055 SV-240735r673949_rule Medium
Description
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation. By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.
STIG Date
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide 2021-06-23

Details

Check Text ( C-43968r673947_chk )
At the command prompt, execute the following command:

grep -E 'cookies=.false' /etc/vco/app-server/context.xml

If the command produces any output, this is a finding.
Fix Text (F-43927r673948_fix)
Navigate to and open /etc/vco/app-server/context.xml.

Navigate to and locate the node.

Remove the value 'cookies="false"' from the node.