The vCenter Perfcharts service shutdown port must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259091	VCPF-80-000134	SV-259091r934931_rule	CCI-000381	medium
Description
Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" in $CATALINA_BASE/conf/server.xml instructs Tomcat to not listen for the shutdown command.
STIG			Date
VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide			2023-10-29

Related Frameworks

3 paths across 3 frameworks

NIST 800-531 mapping

CM-7

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1711 mapping

3.4.6

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000381

1.00

DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-259091r934931_chk)

At the command prompt, run the following commands: # xmllint --xpath "//Server/@port" /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml # grep 'base.shutdown.port' /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Example results: port="${base.shutdown.port}" base.shutdown.port=-1 If "port" does not equal "${base.shutdown.port}", this is a finding. If "base.shutdown.port" does not equal "-1", this is a finding.

Fix Text (F-62740r934930_fix)

Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file. Navigate to and open: /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml Configure the <Server> node with the value: port="${base.shutdown.port}" Restart the service with the following command: # vmon-cli --restart perfcharts