UCF STIG Viewer Logo

VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide


Date Finding Count (27)
2022-01-03 CAT I (High): 2 CAT II (Med): 25 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-239741 High VAMI must implement TLS1.2 exclusively.
V-239716 High VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-239740 Medium VAMI must be protected from being stopped by a non-privileged user.
V-239720 Medium VAMI must produce log records containing sufficient information to establish what type of events occurred.
V-239721 Medium VAMI log files must only be accessible by privileged users.
V-239722 Medium Rsyslog must be configured to monitor VAMI logs.
V-239723 Medium VAMI server binaries and libraries must be verified for their integrity.
V-239724 Medium VAMI must only load allowed server modules.
V-239725 Medium VAMI must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-239726 Medium VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mappings based on "Content-Type".
V-239727 Medium VAMI must remove all mappings to unused scripts.
V-239728 Medium VAMI must have resource mappings set to disable the serving of certain file types.
V-239729 Medium VAMI must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-239719 Medium VAMI must generate log records for system startup and shutdown.
V-239718 Medium VAMI must be configured to monitor remote access.
V-239715 Medium VAMI must limit the number of simultaneous requests.
V-239717 Medium VAMI must use cryptography to protect the integrity of remote sessions.
V-239733 Medium VAMI must restrict access to the web root.
V-239732 Medium VAMI must protect the keystore from unauthorized access.
V-239731 Medium VAMI must not have any symbolic links in the web content directory tree.
V-239730 Medium VAMI must prevent hosted applications from exhausting system resources.
V-239737 Medium VAMI must not be configured to use "mod_status".
V-239736 Medium VAMI must disable directory browsing.
V-239735 Medium VAMI must set the encoding for all text mime types to UTF-8.
V-239734 Medium VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks.
V-239739 Medium VAMI configuration files must be protected from unauthorized access.
V-239738 Medium VAMI must have debug logging disabled.