Envoy must drop connections to disconnected clients.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256737	VCRP-70-000001	SV-256737r889149_rule		Medium

Description
Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.

Description

Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.

STIG	Date
VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide	2023-02-21

Details

Check Text ( C-60412r889147_chk )
At the command prompt, run the following command: # xmllint --xpath '/config/envoy/L4Filter/tcpKeepAliveTimeSec/text()' /etc/vmware-rhttpproxy/config.xml Expected result: 180 or XPath set is empty If the output does not match the expected result, this is a finding.

Fix Text (F-60355r889148_fix)
Navigate to and open: /etc/vmware-rhttpproxy/config.xml Locate the // block and configure as follows: 180 Restart the service for changes to take effect. # vmon-cli --restart rhttpproxy