Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Security Token Service must only run one web app.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239660 | VCST-67-000009 | SV-239660r816705_rule | Medium |
| Description |
|---|
| VMware ships the Security Token Service on the VCSA with one web app, in ROOT.war. Any other .war file is potentially malicious and must be removed. |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide | 2022-01-03 |
Details
| Check Text ( C-42893r816703_chk ) |
|---|
| Connect to the PSC, whether external or embedded. At the command prompt, execute the following command: # ls /usr/lib/vmware-sso/vmware-sts/webapps/*.war Expected result: /usr/lib/vmware-sso/vmware-sts/webapps/ROOT.war If the result of this command does not match the expected result, this is a finding. |
| Fix Text (F-42852r816704_fix) |
|---|
| Connect to the PSC, whether external or embedded. For each unexpected file returned in the check, run the following command: # rm /usr/lib/vmware-sso/vmware-sts/webapps/ Restart the service with the following command: # service-control --restart vmware-stsd |