The Security Token Service must not be configured with unused realms.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256754 | VCST-70-000010 | SV-256754r889232_rule | CCI-000381 | medium |
| Description | ||||
| The Security Token Service performs user authentication at the application level and not through Tomcat. To eliminate unnecessary features and ensure the Security Token Service remains in its shipping state, the lack of a "UserDatabaseRealm" configuration must be confirmed. | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide | 2023-06-15 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-7
1.00
- DISA · V1R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.6
1.00
- DISA · V1R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000381
1.00
- DISA · V1R2 · disa_xccdf · related
Details
Check Text (C-256754r889232_chk)
At the command prompt, run the following command:
# grep UserDatabaseRealm /usr/lib/vmware-sso/vmware-sts/conf/server.xml
If the command produces any output, this is a finding.
Fix Text (F-60372r889231_fix)
Navigate to and open:
/usr/lib/vmware-sso/vmware-sts/conf/server.xml
Remove the <Realm> node returned in the check.
Restart the service with the following command:
# vmon-cli --restart sts