VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-AS-000237
Group -
The vCenter Perfcharts service must disable "ALLOW_BACKSLASH".
When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restr...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The vCenter Perfcharts service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-885...Rule Medium Severity -
SRG-APP-000141-AS-000095
Group -
The vCenter Perfcharts service manager webapp must be removed.
Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager webapp files must be deleted, and administration mu...Rule Medium Severity -
SRG-APP-000141-AS-000095
Group -
The vCenter Perfcharts service host-manager webapp must be removed.
Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The host-manager webapp files must be deleted, and ad...Rule Medium Severity -
The vCenter Perfcharts service must limit the number of maximum concurrent connections permitted.
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web...Rule Medium Severity -
The vCenter Perfcharts service cookies must have secure flag set.
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being...Rule Medium Severity -
The vCenter Perfcharts service must produce log records containing sufficient information regarding event details.
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of su...Rule Medium Severity -
The vCenter Perfcharts service must disable stack tracing.
Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information ...Rule Medium Severity -
The vCenter Perfcharts service must set an inactive timeout for sessions.
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By cl...Rule Medium Severity -
The vCenter Perfcharts service must offload log records onto a different system or media from the system being logged.
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to...Rule Medium Severity -
The vCenter Perfcharts service must configure the "setCharacterEncodingFilter" filter.
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unantici...Rule Medium Severity -
The vCenter Perfcharts service default documentation must be removed.
Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.