STIGQter: STIG Summary: VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 28 Sep 2018

Lighttpd must restrict inbound connections from nonsecure zones.

DISA Rule

SV-100985r1_rule

Vulnerability Number

V-90335

Group Title

SRG-APP-000315-WSR-000004

Rule Version

VRAU-LI-000375

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Determine the IP addresses which will be allowed to access Lighttpd.

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following:

$HTTP["remoteip"] !~ "a.a.a.a" {
url.access-deny = ( "" )
}

Note: a.a.a.a is the IPv4 address provided by the ISSO. If additional IPv4 addresses are allowed, use the following configuration instead, with the addresses separated by "|" (3 addresses shown):

$HTTP["remoteip"] !~ "a.a.a.a|b.b.b.b|c.c.c.c" {
url.access-deny = ( "" )
}

Check Contents

At the command prompt, execute the following command:

grep -A 4 'remoteip' /opt/vmware/etc/lighttpd/lighttpd.conf

If the command does not return any output, this is a finding.

Note: The output should look like the following:

$HTTP["remoteip"] !~ "a.a.a.a" {
url.access-deny = ( "" )
}

Where a.a.a.a is an allowed IP address.
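
The grep check above only confirms that a remoteip block exists. As an added example (not part of the STIG or of VMware's tooling), the following Python script parses the block and reports which addresses its pattern admits, assuming lighttpd evaluates `!~` as an unanchored regular-expression search, approximated here with Python's `re.search`. The sample configuration, the addresses and all function names are constructed for illustration.

```python
import re

# Matches the STIG's block: $HTTP["remoteip"] !~ "<pattern>" { ... }
BLOCK_RE = re.compile(r'\$HTTP\["remoteip"\]\s*!~\s*"([^"]*)"\s*\{([^}]*)\}')
DENY_ALL_RE = re.compile(r'url\.access-deny\s*=\s*\(\s*""\s*\)')

def find_allowlists(conf_text):
    """Return the regex of every remoteip '!~' block that denies all URLs."""
    return [pat for pat, body in BLOCK_RE.findall(conf_text)
            if DENY_ALL_RE.search(body)]

def is_allowed(pattern, client_ip):
    """True if the client is NOT denied: '!~' denies only when the search fails."""
    return re.search(pattern, client_ip) is not None

def unintended_matches(pattern, approved, probes):
    """Probe addresses the pattern lets through although they are not approved."""
    return [ip for ip in probes if ip not in approved and is_allowed(pattern, ip)]

def strict_pattern(approved):
    """Anchored, dot-escaped alternation that matches only the approved addresses."""
    return "^(" + "|".join(re.escape(ip) for ip in approved) + ")$"

# Constructed sample config and addresses (RFC 5737 documentation ranges).
SAMPLE_CONF = '''
$HTTP["remoteip"] !~ "192.0.2.10|192.0.2.11" {
url.access-deny = ( "" )
}
'''
APPROVED = ["192.0.2.10", "192.0.2.11"]
PROBES = ["192.0.2.10", "192.0.2.11", "192.0.2.110", "192.0.2.101", "198.51.100.7"]

if __name__ == "__main__":
    patterns = find_allowlists(SAMPLE_CONF)
    if not patterns:
        print("FINDING: no remoteip deny block present")
    for pat in patterns:
        extra = unintended_matches(pat, APPROVED, PROBES)
        print(f"pattern {pat!r}: unintended matches {extra}")
        print(f"stricter form: {strict_pattern(APPROVED)}")
```

An empty result from `find_allowlists` corresponds to the finding condition in the check; a non-empty result from `unintended_matches` indicates the allow-list pattern is broader than the list of addresses supplied by the ISSO.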

Documentable

False

Check Content Reference

M

Target Key

3457
