Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256656 | VCLD-70-000012 | SV-256656r888490_rule | Medium |
Description |
---|
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled. |
STIG | Date |
---|---|
VMware vSphere 7.0 VAMI Security Technical Implementation Guide | 2023-02-22 |
Check Text ( C-60331r888488_chk ) |
---|
At the command prompt, run the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf 2>/dev/null|grep "mimetype.use-xattr"|sed 's: ::g' Expected result: mimetype.use-xattr="disable" If the output does not match the expected result, this is a finding. Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details: https://kb.vmware.com/s/article/2100508 |
Fix Text (F-60274r888489_fix) |
---|
Navigate to and open: /opt/vmware/etc/lighttpd/lighttpd.conf Add or reconfigure the following value: mimetype.use-xattr = "disable" Restart the service with the following command: # vmon-cli --restart applmgmt |