VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000266-WSR-000160
Group -
vSphere UI must not enable support for TRACE requests.
"TRACE" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a ...Rule Medium Severity -
SRG-APP-000266-WSR-000160
Group -
SRG-APP-000357-WSR-000150
Group -
vSphere UI must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able to allocate log record storage capacity. vSpher...Rule Medium Severity -
SRG-APP-000358-WSR-000163
Group -
SRG-APP-000383-WSR-000175
Group -
vSphere UI must be configured with the appropriate ports.
Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The por...Rule Medium Severity -
SRG-APP-000435-WSR-000147
Group -
vSphere UI must disable the shutdown port.
An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the attacker made to the web server configuration. If...Rule Medium Severity -
SRG-APP-000439-WSR-000155
Group -
SRG-APP-000516-WSR-000174
Group -
The vSphere UI default servlet must be set to "readonly".
The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resour...Rule Medium Severity -
vSphere UI must limit the maximum size of a POST request.
The "maxPostSize" value is the maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack. ...Rule Medium Severity -
vSphere UI must protect cookies from cross-site scripting (XSS).
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server ...Rule Medium Severity -
vSphere UI log files must only be accessible by privileged users.
Log data is essential in the investigation of events. If log data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity w...Rule Medium Severity -
vSphere UI application files must be verified for their integrity.
Verifying the vSphere UI application code is unchanged from its shipping state is essential for file validation and nonrepudiation of the vSphere UI. There is no reason the MD5 hash of the RPM orig...Rule Medium Severity -
vSphere UI must not be configured with the "UserDatabaseRealm" enabled.
The vSphere UI performs user authentication at the application level and not through Tomcat. By default, there is no configuration for the "UserDatabaseRealm" Tomcat authentication mechanism. To el...Rule Medium Severity -
vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
MIME mappings tell the vSphere UI what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. By ensuring various shell s...Rule Medium Severity -
vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.
WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. WebDAV is not wide...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.