
Lighttpd files must be verified for their integrity before being added to a production web server.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-89253 | VRAU-LI-000145 | SV-99903r1_rule | | Medium
Description
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. The Lighttpd web server files on vRA must be part of a documented build process. Checksums of the production files must be available to verify their integrity.
STIG | Date
VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide | 2018-10-12

Details

Check Text (C-88945r1_chk)
Obtain supporting documentation from the ISSO.

Determine whether web server files are verified/validated before being implemented into the production environment.

If the web server files are not verified or validated before being implemented into the production environment, this is a finding.
Fix Text (F-95995r1_fix)
Verify or validate the web server files for integrity before they are implemented into the production environment.