VAMI server binaries and libraries must be verified for their integrity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239723	VCLD-67-000015	SV-239723r816795_rule		Medium

Description
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches regularly. When VAMI is updated, the signed packages will also be updated. These packages can be used to verify that VAMI has not been inappropriately modified since it was installed.

Description

Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. VMware delivers product updates and patches regularly. When VAMI is updated, the signed packages will also be updated. These packages can be used to verify that VAMI has not been inappropriately modified since it was installed.

STIG	Date
VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide	2022-01-03

Details

Check Text ( C-42956r816794_chk )
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # rpm -qa\|grep lighttpd\|xargs rpm -V\|grep -vE "lighttpd.conf\|vami-lighttp.*\.service" If the command returns any output, this is a finding.

Fix Text (F-42915r679278_fix)
If the VAMI binaries have been modified from the default state when deployed as part of the VCSA, the system must be wiped and redeployed or restored from backup. VMware does not recommend or support recovering from such a state by reinstalling RPMs or similar efforts.