VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide
Overview
| Version | Date | Finding Count (8) |
|---|---|---|
| 1 | 2023-02-21 | CAT I (High): 0, CAT II (Medium): 8, CAT III (Low): 0 |
| STIG Description |
|---|
| This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. |
Findings - MAC I - Mission Critical Sensitive
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-256737 | CAT II (Medium) | Envoy must drop connections to disconnected clients. | Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It... |
| V-256738 | CAT II (Medium) | Envoy must set a limit on established connections. | Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, th... |
| V-256739 | CAT II (Medium) | Envoy must be configured to operate in FIPS mode. | Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cr... |
| V-256740 | CAT II (Medium) | Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections. | Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protoco... |
| V-256741 | CAT II (Medium) | The Envoy private key file must be protected from unauthorized access. | Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications ... |
| V-256742 | CAT II (Medium) | Envoy must exclusively use the HTTPS protocol for client connections. | Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communi... |
| V-256743 | CAT II (Medium) | Envoy (rhttpproxy) log files must be shipped via syslog to a central log server. | Envoy produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes, forensics p... |
| V-256744 | CAT II (Medium) | Envoy log files must be shipped via syslog to a central log server. | Envoy rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to "/etc/vmware-syslog/vmware-services-envoy.conf". Ensu... |