Skip to content
Log In

VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000001-WSR-000001

    Group
    Show

  • Envoy must drop connections to disconnected clients.

    Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections th...
    Rule Medium Severity
    Show

  • SRG-APP-000001-WSR-000001

    Group
    Show

  • SRG-APP-000014-WSR-000006

    Group
    Show

  • Envoy must be configured to operate in FIPS mode.

    Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cryptographic operations performed by Envoy, incl...
    Rule Medium Severity
    Show

  • SRG-APP-000015-WSR-000014

    Group
    Show

  • SRG-APP-000176-WSR-000096

    Group
    Show

  • The Envoy private key file must be protected from unauthorized access.

    Envoy's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaini...
    Rule Medium Severity
    Show

  • SRG-APP-000315-WSR-000003

    Group
    Show

  • Envoy must exclusively use the HTTPS protocol for client connections.

    Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an enc...
    Rule Medium Severity
    Show

  • SRG-APP-000358-WSR-000063

    Group
    Show

  • Envoy (rhttpproxy) log files must be shipped via syslog to a central log server.

    Envoy produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring...
    Rule Medium Severity
    Show

  • SRG-APP-000358-WSR-000063

    Group
    Show

  • Envoy must set a limit on established connections.

    Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denia...
    Rule Medium Severity
    Show

  • Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.

    Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protocol> block in the rhttpproxy configuration is com...
    Rule Medium Severity
    Show

  • Envoy log files must be shipped via syslog to a central log server.

    Envoy rsyslog configuration is included in the "VMware-visl-integration" package and unpacked to "/etc/vmware-syslog/vmware-services-envoy.conf". Ensuring the package hashes are as expected also en...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules