Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Security Token Service default servlet must be set to "readonly".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256774 | VCST-70-000031 | SV-256774r889292_rule | Medium |
| Description |
|---|
| The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resources as well as directory listings. The DefaultServlet is configured by default with the "readonly" parameter set to "true" where HTTP commands such as PUT and DELETE are rejected. Changing this to "false" allows clients to delete or modify static resources on the server and to upload new resources. DefaultServlet readonly must be set to "true", either literally or by absence (default). |
| STIG | Date |
|---|---|
| VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide | 2023-06-15 |
Details
| Check Text ( C-60449r889290_chk ) |
|---|
| At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet/servlet-name[text()="default"]/../init-param/param-name[text()="readonly"]/../param-value[text()="false"]' - Expected result: XPath set is empty If the output of the command does not match the expected result, this is a finding. |
| Fix Text (F-60392r889291_fix) |
|---|
| Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the / Restart the service with the following command: # vmon-cli --restart sts |