Lighttpd must prevent hosted applications from exhausting system resources.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-89271	VRAU-LI-000210	SV-99921r1_rule		Medium

Description
When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. Applications and application developers must take the steps needed to ensure users cannot use these applications to launch DoS attacks against other systems and networks. An example would be preventing Lighttpd from keeping idle connections open for too long.

Description

When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. Applications and application developers must take the steps needed to ensure users cannot use these applications to launch DoS attacks against other systems and networks. An example would be preventing Lighttpd from keeping idle connections open for too long.

STIG	Date
VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-88963r1_chk )
At the command prompt, execute the following command: grep '^server.max-keep-alive-idle' /opt/vmware/etc/lighttpd/lighttpd.conf If the "server.max-keep-alive-idle" is not set to "30", this is a finding.

Fix Text (F-96013r1_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the lighttpd.conf file with the following: server.max-keep-alive-idle = 30