The vCenter ESX Agent Manager service must limit privileges for creating or modifying hosted application shared files.

An XCCDF Rule

Description

<VulnDiscussion>Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that nonprivileged users cannot modify any shared library code at all. Ensuring the Security Lifecycle Listener element is uncommented and sets a minimum Umask value will allow the server to perform a number of security checks when starting and prevent the service from starting if they fail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259008r934682_rule
Severity: Medium
References: CCI-001499
Updated: 8 months ago

Navigate to and open:

/usr/lib/vmware-eam/web/conf/server.xml

Navigate to the <Server> node and add or update the "org.apache.catalina.security.SecurityListener" as follows:
<Listener className="org.apache.catalina.security.SecurityListener"/>

Restart the service with the following command:

# vmon-cli --restart eam

The vCenter ESX Agent Manager service must limit privileges for creating or modifying hosted application shared files.

Description

Remediation - Manual Procedure