VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide

VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide

Overview

Version	Date	Finding Count (8)			Downloads
1	2023-02-21	CAT I (High): 0	CAT II (Med): 8	CAT III (Low): 0	Excel	JSON	XML

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-256741	Medium	The Envoy private key file must be protected from unauthorized access.	Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By...
V-256740	Medium	Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.	Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protocol> block in the rhttpproxy configuration is...
V-256743	Medium	Envoy (rhttpproxy) log files must be shipped via syslog to a central log server.	Envoy produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to...
V-256742	Medium	Envoy must exclusively use the HTTPS protocol for client connections.	Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an...
V-256744	Medium	Envoy log files must be shipped via syslog to a central log server.	Envoy rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to "/etc/vmware-syslog/vmware-services-envoy.conf". Ensuring the package hashes are as expected also...
V-256737	Medium	Envoy must drop connections to disconnected clients.	Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections...
V-256738	Medium	Envoy must set a limit on established connections.	Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial...
V-256739	Medium	Envoy must be configured to operate in FIPS mode.	Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cryptographic operations performed by Envoy,...