Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239716 | VCLD-67-000002 | SV-239716r816781_rule | High |
Description |
---|
Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, the server's communications can potentially be compromised. The U.S. Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), identifies 11 areas for a cryptographic module used inside a security system that protects information. FIPS 140-2 approved ciphers provide the maximum level of encryption possible for a private web server. VAMI is compiled to use VMware's FIPS-validated OpenSSL module and cannot be configured otherwise. Ciphers may still be specified in order of preference, but no non-FIPS-approved ciphers will be implemented. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000111, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188 |
STIG | Date |
---|---|
VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide | 2022-01-03 |
Check Text ( C-42949r816780_chk ) |
---|
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "ssl.cipher-list" Expected result: ssl.cipher-list = "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES" If the output does not match the expected result, this is a finding. |
Fix Text (F-42908r679257_fix) |
---|
Navigate to and open /etc/applmgmt/appliance/lighttpd.conf. Add or reconfigure the following value: ssl.cipher-list = "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES" |