VAMI must disable directory browsing.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239736	VCLD-67-000029	SV-239736r816821_rule		Medium

Description
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an "index.html" file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

Description

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an "index.html" file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

STIG	Date
VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide	2022-01-03

Details

Check Text ( C-42969r816820_chk )
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf\|grep "dir-listing.activate" Expected result: dir-listing.activate = "disable" If the output does not match the expected result, this is a finding.

Check Text ( C-42969r816820_chk )

Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash".

At the command prompt, execute the following command:

# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "dir-listing.activate"

Expected result:

dir-listing.activate = "disable"

If the output does not match the expected result, this is a finding.

Fix Text (F-42928r679317_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Add or reconfigure the following value: dir-listing.activate = "disable"