VAMI must only load allowed server modules.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239724 | VCLD-67-000016 | SV-239724r816797_rule | Medium |
| Description |
|---|
| A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. VAMI can be configured to load any number of external modules, but only a specific few are provided and supported by VMware. Additional, unexpected modules must be removed. |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide | 2022-01-03 |
Details
| Check Text ( C-42957r816796_chk ) |
|---|
| Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf|awk '/server\.modules/,/\)/' Expected result: server.modules = ( "mod_access", "mod_accesslog", "mod_proxy", "mod_cgi", "mod_rewrite", "mod_magnet", "mod_setenv", # 7 ) If the output does not match the expected result, this is a finding. |
| Fix Text (F-42916r679281_fix) |
|---|
| Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the "server.modules" section to the following: server.modules = ( "mod_access", "mod_accesslog", "mod_proxy", "mod_cgi", "mod_rewrite", ) server.modules += ( "mod_magnet" ) |