VAMI must have resource mappings set to disable the serving of certain file types.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239728	VCLD-67-000020	SV-239728r816805_rule		Medium

Description
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, VAMI could potentially deliver sensitive files.

STIG	Date
VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide	2022-01-03

Details

Check Text ( C-42961r816804_chk )
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf\|grep "url.access-deny" Expected result: url.access-deny = ("~", ".inc") If the output does not match the expected result, this is a finding.

Check Text ( C-42961r816804_chk )

Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash".

At the command prompt, execute the following command:

# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "url.access-deny"

Expected result:

url.access-deny = ("~", ".inc")

If the output does not match the expected result, this is a finding.

Fix Text (F-42920r679293_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Add or reconfigure the following value: url.access-deny = ( "~", ".inc" )