VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256646 | VCLD-70-000002 | SV-256646r888460_rule | CCI-000068 | high |
| Description | ||||
| Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, the server's communications could be compromised. The U.S. Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), identifies 11 areas for a cryptographic module used inside a security system that protects information. FIPS 140-2 approved ciphers provide the maximum level of encryption possible for a private web server. VAMI is compiled to use VMware's FIPS-validated OpenSSL module and cannot be configured otherwise. Ciphers may still be specified in order of preference, but no non-FIPS approved ciphers will be implemented. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188 | ||||
| STIG | Date | |||
| VMware vSphere 7.0 VAMI Security Technical Implementation Guide | 2023-06-15 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-17(2)
1.00
- DISA · V1R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.13
1.00
- DISA · V1R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000068
1.00
- DISA · V1R2 · disa_xccdf · related
Details
Check Text (C-256646r888460_chk)
At the command prompt, run the following command:
# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf 2>/dev/null|grep "ssl.cipher-list"|sed -e 's/^[ ]*//'
Expected result:
ssl.cipher-list = "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES"
If the output does not match the expected result, this is a finding.
Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details:
https://kb.vmware.com/s/article/2100508
Fix Text (F-60264r888459_fix)
Navigate to and open:
/etc/applmgmt/appliance/lighttpd.conf
Add or reconfigure the following value:
ssl.cipher-list = "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES"
Restart the service with the following command:
# vmon-cli --restart applmgmt