tc Server CaSa must set the welcome-file node to a default web page.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-89007	VROM-TC-000670	SV-99657r1_rule		Medium

Description
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an “index.jsp” (or equivalent) file is one common sense approach to mitigating the vulnerability.

Description

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. As a web server, tc Server can be vulnerable to enumeration techniques if steps are not taken to mitigate the vulnerability. Ensuring that every document directory has an “index.jsp” (or equivalent) file is one common sense approach to mitigating the vulnerability.

STIG	Date
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-88699r1_chk )
At the command prompt, execute the following command: grep -E -A 4 ' If a node is not set to a default web page, this is a finding.

Fix Text (F-95749r1_fix)
Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml. Inspect the file and ensure that it contains the below section: index.html index.htm index.jsp