UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide


Overview

Date Finding Count (24)
2023-10-29 CAT I (High): 1 CAT II (Med): 23 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-259148 High The vCenter VAMI service must enable FIPS mode.
V-259137 Medium The vCenter VAMI service must limit the number of allowed simultaneous session requests.
V-259149 Medium The vCenter VAMI service must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-259160 Medium The vCenter VAMI service must enable Content Security Policy.
V-259147 Medium The vCenter VAMI service must restrict access to the web server's private key.
V-259144 Medium The vCenter VAMI service must have resource mappings set to disable the serving of certain file types.
V-259145 Medium The vCenter VAMI service must have Web Distributed Authoring (WebDAV) disabled.
V-259142 Medium The vCenter VAMI service must off-load log records onto a different system or media from the system being logged.
V-259143 Medium The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".
V-259140 Medium The vCenter VAMI service must produce log records containing sufficient information to establish what type of events occurred.
V-259141 Medium The vCenter VAMI service log files must only be accessible by privileged users.
V-259146 Medium The vCenter VAMI service must protect system resources and privileged operations from hosted applications.
V-259151 Medium The vCenter VAMI service must disable directory listing.
V-259150 Medium The vCenter VAMI service must set the encoding for all text mime types to UTF-8.
V-259153 Medium The vCenter VAMI service must have debug logging disabled.
V-259152 Medium The vCenter VAMI service must not be configured to use the "mod_status" module.
V-259155 Medium The vCenter VAMI service must disable client initiated TLS renegotiation.
V-259154 Medium The vCenter VAMI service must enable honoring the SSL cipher order.
V-259157 Medium The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).
V-259156 Medium The vCenter VAMI service must be configured to hide the server type and version in client responses.
V-259159 Medium The vCenter VAMI service must protect against MIME sniffing.
V-259158 Medium The vCenter VAMI service must implement prevent rendering inside a frame or iframe on another site.
V-259139 Medium The vCenter VAMI service must generate information to monitor remote access.
V-259138 Medium The vCenter VAMI service must use cryptography to protect the integrity of remote sessions.