UCF STIG Viewer Logo

The Security Token Service must only run one web app.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239660 VCST-67-000009 SV-239660r816705_rule Medium
Description
VMware ships the Security Token Service on the VCSA with one web app, in ROOT.war. Any other .war file is potentially malicious and must be removed.
STIG Date
VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide 2022-01-03

Details

Check Text ( C-42893r816703_chk )
Connect to the PSC, whether external or embedded.

At the command prompt, execute the following command:

# ls /usr/lib/vmware-sso/vmware-sts/webapps/*.war

Expected result:

/usr/lib/vmware-sso/vmware-sts/webapps/ROOT.war

If the result of this command does not match the expected result, this is a finding.
Fix Text (F-42852r816704_fix)
Connect to the PSC, whether external or embedded.

For each unexpected file returned in the check, run the following command:

# rm /usr/lib/vmware-sso/vmware-sts/webapps/.war

Restart the service with the following command:

# service-control --restart vmware-stsd