VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide


Overview

Date Finding Count (33)
2023-02-21 CAT I (High): 0 CAT II (Med): 33 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-256810 Medium The vSphere UI default servlet must be set to "readonly".
V-256785 Medium vSphere UI application files must be verified for their integrity.
V-256784 Medium vSphere UI log files must only be accessible by privileged users.
V-256787 Medium vSphere UI must not be configured with the "UserDatabaseRealm" enabled.
V-256786 Medium vSphere UI plugins must be authorized before use.
V-256781 Medium vSphere UI must protect cookies from cross-site scripting (XSS).
V-256780 Medium vSphere UI must limit the maximum size of a POST request.
V-256783 Medium vSphere UI must generate log records for system startup and shutdown.
V-256782 Medium vSphere UI must record user access in a format that enables monitoring of remote access.
V-256789 Medium vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
V-256788 Medium vSphere UI must be configured to limit access to internal packages.
V-256808 Medium vSphere UI must disable the shutdown port.
V-256809 Medium vSphere UI must set the secure flag for cookies.
V-256802 Medium vSphere UI must be configured to show error pages with minimal information.
V-256803 Medium vSphere UI must not enable support for TRACE requests.
V-256800 Medium The vSphere UI must not show directory listings.
V-256801 Medium vSphere UI must be configured to hide the server version.
V-256806 Medium vSphere UI log files must be moved to a permanent repository in accordance with site policy.
V-256807 Medium vSphere UI must be configured with the appropriate ports.
V-256804 Medium vSphere UI must have the debug option turned off.
V-256805 Medium vSphere UI must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
V-256792 Medium vSphere UI must be configured with memory leak protection.
V-256793 Medium vSphere UI must not have any symbolic links in the web content directory tree.
V-256790 Medium vSphere UI must have mappings set for Java servlet pages.
V-256791 Medium vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-256796 Medium vSphere UI must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-256797 Medium vSphere UI must limit the number of allowed connections.
V-256794 Medium The vSphere UI directory tree must have permissions in an out-of-the-box state.
V-256795 Medium vSphere UI must restrict its cookie path.
V-256798 Medium vSphere UI must set URIEncoding to UTF-8.
V-256799 Medium vSphere UI must set the welcome-file node to a default web page.
V-256778 Medium vSphere UI must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
V-256779 Medium vSphere UI must limit the number of concurrent connections permitted.