The vCenter VAMI service must not be configured to use the "mod

The vCenter VAMI service must not be configured to use the "mod_status" module.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259152	VCLD-80-000063	SV-259152r935360_rule		Medium

Description
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. VAMI must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The "mod_status" module generates the status overview of the webserver. The information covers the following: - Uptime. - Average throughput. - Current throughput. - Active connections and their state. While this information is useful on a development system, production systems must not have "mod_status" enabled.

Description

Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. VAMI must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The "mod_status" module generates the status overview of the webserver. The information covers the following: - Uptime. - Average throughput. - Current throughput. - Active connections and their state. While this information is useful on a development system, production systems must not have "mod_status" enabled.

STIG	Date
VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide	2023-10-29

Details

Check Text ( C-62892r935358_chk )
At the command prompt, run the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf 2>/dev/null\|awk '/server\.modules/,/\)/'\|grep mod_status If any value is returned, this is a finding. Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details: https://kb.vmware.com/s/article/2100508

Check Text ( C-62892r935358_chk )

At the command prompt, run the following command:

# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf 2>/dev/null|awk '/server\.modules/,/\)/'|grep mod_status

If any value is returned, this is a finding.

Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details:

https://kb.vmware.com/s/article/2100508

Fix Text (F-62801r935359_fix)
Navigate to and open: /opt/vmware/etc/lighttpd/lighttpd.conf. Remove the line containing "mod_status". Note: The line may be in an included config and not in the parent config. Restart the service with the following command: # vmon-cli --restart applmgmt