Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The vCenter STS service must be configured to use a specified IP address and port.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-258978 | VCST-80-000037 | SV-258978r934592_rule | Medium |
| Description |
|---|
| The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for server to use, the server will listen on all IP addresses available. Accessing the hosted application through an IP address normally used for nonapplication functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62718r934590_chk ) |
|---|
| At the command prompt, run the following command: # xmllint --xpath '//Connector[not(@port = "${bio-ssl-clientauth.https.port}") and (@port = "0" or not(@address))]' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding. |
| Fix Text (F-62627r934591_fix) |
|---|
| Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml The STS service has 2 connectors with the below pairs of ports and addresses. Navigate to the target port="${bio-custom.http.port}" address="localhost" port="${bio-ssl-localhost.https.port}" address="localhost" Restart the service with the following command: # vmon-cli --restart sts Note: The connector with port="${bio-ssl-clientauth.https.port}" should not have address set. |