The vCenter VAMI service must not be configured to use the "mod_status" module.

An XCCDF Rule

Description

<VulnDiscussion>Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. VAMI must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The "mod_status" module generates the status overview of the webserver. The information covers the following: - Uptime. - Average throughput. - Current throughput. - Active connections and their state. While this information is useful on a development system, production systems must not have "mod_status" enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259152r935360_rule
Severity: Medium
References: CCI-001312
Updated: 8 months ago

Navigate to and open:

/opt/vmware/etc/lighttpd/lighttpd.conf.

Remove the line containing "mod_status".
Note: The line may be in an included config and not in the parent config.

Restart the service with the following command:

# vmon-cli --restart applmgmt

The vCenter VAMI service must not be configured to use the "mod_status" module.

Description

Remediation - Manual Procedure