VAMI must have resource mappings set to disable the serving of certain file types.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239728 | VCLD-67-000020 | SV-239728r679294_rule | Medium |
| Description |
|---|
| Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, VAMI could potentially deliver sensitive files. |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide | 2021-04-15 |
Details
| Check Text ( C-42961r679292_chk ) |
|---|
| At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|grep "url.access-deny" Expected result: url.access-deny = ("~", ".inc") If the output does not match the expected result, this is a finding. |
| Fix Text (F-42920r679293_fix) |
|---|
| Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Add or reconfigure the following value: url.access-deny = ( "~", ".inc" ) |