The Security Token Service default servlet must be set to "readonly".

An XCCDF Rule

Description

<VulnDiscussion>The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resources as well as directory listings. The DefaultServlet is configured by default with the "readonly" parameter set to "true" where HTTP commands such as PUT and DELETE are rejected. Changing this to "false" allows clients to delete or modify static resources on the server and to upload new resources. DefaultServlet readonly must be set to "true", either literally or by absence (default).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256774r889292_rule
Severity: Medium
References: CCI-000366
Updated: 9 months ago

Navigate to and open: 
 
/usr/lib/vmware-sso/vmware-sts/conf/web.xml 
 
Navigate to the /<web-apps>/<servlet>/<servlet-name>default</servlet-name>/ node and remove the following node: 
 <init-param> 
      <param-name>readonly</param-name> 
      <param-value>false</param-value> 
</init-param> 
 
Restart the service with the following command: 
 
# vmon-cli --restart sts

The Security Token Service default servlet must be set to "readonly".

Description

Remediation - Manual Procedure