VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide


Overview

Date: 2023-10-29
Finding Count: 33 (CAT I (High): 0, CAT II (Med): 33, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID  Severity  Title
V-258970    Medium    The vCenter STS service must limit the number of maximum concurrent connections permitted.
V-258971    Medium    The vCenter STS service must be configured to use strong encryption ciphers.
V-258972    Medium    The vCenter STS service cookies must have secure flag set.
V-258973    Medium    The vCenter STS service must initiate session logging upon startup.
V-258974    Medium    The vCenter STS service must produce log records containing sufficient information regarding event details.
V-258975    Medium    The vCenter STS service logs folder permissions must be set correctly.
V-258976    Medium    The vCenter STS service must limit privileges for creating or modifying hosted application shared files.
V-258977    Medium    The vCenter STS service must disable stack tracing.
V-258978    Medium    The vCenter STS service must be configured to use a specified IP address and port.
V-258979    Medium    The vCenter STS service must be configured to limit data exposure between applications.
V-258980    Medium    The vCenter STS service must be configured to fail to a known safe state if system initialization fails.
V-258981    Medium    The vCenter STS service must set URIEncoding to UTF-8.
V-258982    Medium    The vCenter STS service "ErrorReportValve showServerInfo" must be set to "false".
V-258983    Medium    The vCenter STS service must set an inactive timeout for sessions.
V-258984    Medium    The vCenter STS service must offload log records onto a different system or media from the system being logged.
V-258985    Medium    The vCenter STS service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
V-258986    Medium    The vCenter STS service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
V-258987    Medium    The vCenter STS service must configure the "setCharacterEncodingFilter" filter.
V-258988    Medium    The vCenter STS service cookies must have "http-only" flag set.
V-258989    Medium    The vCenter STS service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
V-258990    Medium    The vCenter STS service shutdown port must be disabled.
V-258991    Medium    The vCenter STS service debug parameter must be disabled.
V-258992    Medium    The vCenter STS service directory listings parameter must be disabled.
V-258993    Medium    The vCenter STS service must have Autodeploy disabled.
V-258994    Medium    The vCenter STS service xpoweredBy attribute must be disabled.
V-258995    Medium    The vCenter STS service example applications must be removed.
V-258996    Medium    The vCenter STS service default ROOT web application must be removed.
V-258997    Medium    The vCenter STS service default documentation must be removed.
V-258998    Medium    The vCenter STS service files must have permissions in an out-of-the-box state.
V-258999    Medium    The vCenter STS service must disable "ALLOW_BACKSLASH".
V-259000    Medium    The vCenter STS service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
V-259001    Medium    The vCenter STS service manager webapp must be removed.
V-259002    Medium    The vCenter STS service host-manager webapp must be removed.
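Most of the findings above are settings in the STS service's Tomcat server.xml and web.xml. The script below, added here as an example and not part of the STIG or of VMware's tooling, audits constructed copies of those two files for the findings that map to a single Tomcat attribute or element (shutdown port, bind address, URIEncoding, xpoweredBy, connection limits, autoDeploy, ErrorReportValve, access logging, DefaultServlet debug/listings/readonly, session timeout, cookie flags, setCharacterEncodingFilter) and shows a weak server.xml beside a corrected one that passes. It does not assume where the files live on the appliance (read the real files and pass their contents), and its decision to reject unset values rather than accept Tomcat defaults is this script's own policy, not something the finding titles state. Findings about file permissions, removed webapps, ciphers and log offloading are out of scope for it.

```python
"""Offline audit of a Tomcat server.xml and web.xml against a subset of the vCenter STS STIG
findings listed above. Added example, not DISA or VMware code; the sample XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed server.xml carrying the weak settings the checks below flag.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
 <Service name="Catalina">
  <Connector port="8443" maxConnections="10000" connectionTimeout="-1"
             maxKeepAliveRequests="-1" xpoweredBy="true"/>
  <Engine name="Catalina" defaultHost="localhost">
   <Host name="localhost" appBase="webapps" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="true"/>
   </Host></Engine></Service></Server>"""

# The same file with each flagged setting corrected; the audit returns nothing for it.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
 <Service name="Catalina">
  <Connector port="8443" address="127.0.0.1" URIEncoding="UTF-8" maxConnections="2048"
             connectionTimeout="60000" maxKeepAliveRequests="50" xpoweredBy="false"/>
  <Engine name="Catalina" defaultHost="localhost">
   <Host name="localhost" appBase="webapps" autoDeploy="false">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="common"/>
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
   </Host></Engine></Service></Server>"""

# Constructed web.xml (namespaced, as Tomcat ships it) with weak DefaultServlet and session settings.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>debug</param-name><param-value>1</param-value></init-param>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
 </servlet>
 <session-config><session-timeout>0</session-timeout>
  <cookie-config><http-only>false</http-only></cookie-config>
 </session-config></web-app>"""

def _elems(node, name):
    """Elements under `node` (itself included) whose namespace-stripped tag is `name`."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(node, name):
    """Stripped text of the first element named `name` under `node`, or None if absent."""
    hits = _elems(node, name)
    return (hits[0].text or "").strip() if hits else None

def audit_server_xml(xml_text):
    """Return sorted (finding ID, detail) pairs for server.xml violations."""
    root, found = ET.fromstring(xml_text), []
    if root.get("port") != "-1":  # V-258990: the shutdown port is off only when port="-1"
        found.append(("V-258990", "shutdown port %r not disabled" % root.get("port")))
    for c in _elems(root, "Connector"):
        p = c.get("port")
        if not (p and c.get("address")):  # V-258978: explicit bind address and port
            found.append(("V-258978", "Connector %s lacks explicit address/port" % p))
        if c.get("URIEncoding") != "UTF-8":  # V-258981
            found.append(("V-258981", "Connector %s URIEncoding is not UTF-8" % p))
        if c.get("xpoweredBy", "false") != "false":  # V-258994
            found.append(("V-258994", "Connector %s advertises X-Powered-By" % p))
        # Tomcat treats -1 as unlimited; this policy also rejects unset (default) values.
        for attr, fid in (("maxConnections", "V-258970"), ("connectionTimeout", "V-258985"), ("maxKeepAliveRequests", "V-258986")):
            v = c.get(attr)
            if v is None or int(v) < 1:
                found.append((fid, "Connector %s %s=%r is not a positive limit" % (p, attr, v)))
    for h in _elems(root, "Host"):
        if h.get("autoDeploy", "true") != "false":  # V-258993: Tomcat's default is true
            found.append(("V-258993", "Host %s has autoDeploy enabled" % h.get("name")))
    valves = {v.get("className", "").rsplit(".", 1)[-1]: v for v in _elems(root, "Valve")}
    if "AccessLogValve" not in valves:  # V-258973: access logging must start with the service
        found.append(("V-258973", "no AccessLogValve configured"))
    # V-258982: a missing ErrorReportValve means Tomcat's implicit one, which shows server info
    if valves.get("ErrorReportValve", ET.Element("Valve")).get("showServerInfo", "true") != "false":
        found.append(("V-258982", "ErrorReportValve showServerInfo is not false"))
    return sorted(found)

def audit_web_xml(xml_text):
    """Return sorted (finding ID, detail) pairs for web.xml violations."""
    root, found = ET.fromstring(xml_text), []
    for s in _elems(root, "servlet"):
        if not (_text(s, "servlet-class") or "").endswith("DefaultServlet"):
            continue
        params = {_text(p, "param-name"): _text(p, "param-value") for p in _elems(s, "init-param")}
        if params.get("debug", "0") != "0":  # V-258991
            found.append(("V-258991", "DefaultServlet debug=%s" % params["debug"]))
        if params.get("listings", "false") != "false":  # V-258992
            found.append(("V-258992", "DefaultServlet directory listings enabled"))
        if params.get("readonly", "true") != "true":  # V-258989
            found.append(("V-258989", "DefaultServlet readonly=false permits PUT/DELETE"))
    timeout = _text(root, "session-timeout")
    if timeout is None or int(timeout) < 1:  # V-258983: 0 or negative never expires sessions
        found.append(("V-258983", "session-timeout %r sets no inactive timeout" % timeout))
    for flag, fid in (("http-only", "V-258988"), ("secure", "V-258972")):
        if _text(root, flag) != "true":  # cookie-config flags
            found.append((fid, "cookie-config %s is not true" % flag))
    if "setCharacterEncodingFilter" not in {_text(f, "filter-name") for f in _elems(root, "filter")}:
        found.append(("V-258987", "setCharacterEncodingFilter is not defined"))  # V-258987
    return sorted(found)

if __name__ == "__main__":
    for fid, detail in audit_server_xml(WEAK_SERVER_XML) + audit_web_xml(WEAK_WEB_XML):
        print(fid, detail)
```

Run as-is it prints nine server.xml findings and seven web.xml findings for the weak samples; auditing HARDENED_SERVER_XML returns an empty list. The checks compare against Tomcat's documented defaults where the attribute is absent (autoDeploy and showServerInfo default to true, readonly to true, listings to false), so a file that simply omits an attribute is judged the way Tomcat will actually behave.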