| Finding ID |
Severity |
Title |
Description |
|
V-256744
|
Medium |
Envoy log files must be shipped via syslog to a central log server. |
Envoy rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to "/etc/vmware-syslog/vmware-services-envoy.conf". Ensuring the package hashes are as expected also ensures the shipped rsyslog configuration is present and unmodified. |
|
V-256743
|
Medium |
Envoy (rhttpproxy) log files must be shipped via syslog to a central log server. |
Envoy produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application.
Envoy (rhttpproxy) rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to... |
|
V-256742
|
Medium |
Envoy must exclusively use the HTTPS protocol for client connections. |
Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an encrypted session of HTTPS rather than plain-text HTTP. The Secure Sockets Layer (SSL) configuration block inside the rhttpproxy configuration must be present... |
|
V-256741
|
Medium |
The Envoy private key file must be protected from unauthorized access. |
Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients.
By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the... |
|
V-256740
|
Medium |
Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections. |
|
|
V-256739
|
Medium |
Envoy must be configured to operate in FIPS mode. |
Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cryptographic operations performed by Envoy, including protection of data-in-transit over the client Transport Layer Security (TLS) connection.
Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000111, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188, SRG-APP-000179-WSR-000110 |
|
V-256738
|
Medium |
Envoy must set a limit on established connections. |
Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack where connections are created en masse and vCenter resources are entirely consumed.
Envoy comes hard coded with a tested and... |
|
V-256737
|
Medium |
Envoy must drop connections to disconnected clients. |
Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client.
Envoy is hard coded to drop connections after three minutes of idle... |
