STIGQter: STIG Summary: VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 28 Sep 2018

Name              Title
SV-99869r1_rule   Lighttpd must limit the number of simultaneous requests.
SV-99871r1_rule   Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
SV-99873r1_rule   Lighttpd must be configured to use the SSL engine.
SV-99875r1_rule   Lighttpd must be configured to use mod_accesslog.
SV-99877r1_rule   Lighttpd must generate log records for system startup and shutdown.
SV-99879r1_rule   Lighttpd must capture, record, and log the IP address associated with a user session.
SV-99881r1_rule   Lighttpd must produce log records containing sufficient information to establish what type of events occurred.
SV-99883r1_rule   Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-99885r1_rule   Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-99887r1_rule   Lighttpd must produce log records containing sufficient information to establish the source of events.
SV-99889r1_rule   Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events.
SV-99891r1_rule   Lighttpd must have the correct ownership on the log files to ensure they are only be accessible by privileged users.
SV-99893r1_rule   Lighttpd must have the correct group-ownership on the log files to ensure they are only be accessible by privileged users.
SV-99895r1_rule   Lighttpd must have the correct permissions on the log files to ensure they are only be accessible by privileged users.
SV-99897r1_rule   Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification.
SV-99899r1_rule   Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion.
SV-99901r1_rule   Lighttpd log data and records must be backed up onto a different system or media.
SV-99903r1_rule   Lighttpd files must be verified for their integrity before being added to a production web server.
SV-99905r1_rule   Lighttpd expansion modules must be verified for their integrity before being added to a production web server.
SV-99907r1_rule   Lighttpd must prohibit unnecessary services, functions or processes.
SV-99909r1_rule   Lighttpd must only contain components that are operationally necessary.
SV-99911r1_rule   Lighttpd must have MIME types for csh or sh shell programs disabled.
SV-99913r1_rule   Lighttpd must only enable mappings to necessary and approved scripts.
SV-99915r1_rule   Lighttpd must have resource mappings set to disable the serving of certain file types.
SV-99917r1_rule   Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed.
SV-99919r1_rule   Lighttpd must not have the webdav configuration file included.
SV-99921r1_rule   Lighttpd must prevent hosted applications from exhausting system resources.
SV-99923r1_rule   Lighttpd must not use symbolic links in the Lighttpd web content directory tree.
SV-99925r1_rule   Lighttpd must be configured to use port 5480.
SV-99927r1_rule   Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client.
SV-99929r1_rule   Lighttpd must have private key access restricted.
SV-99931r1_rule   Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
SV-99933r1_rule   Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities.
SV-99935r1_rule   Lighttpd must have the latest version installed.
SV-99937r1_rule   The Lighttpd baseline must be maintained.
SV-99939r1_rule   Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
SV-99941r1_rule   Lighttpd must disable directory browsing.
SV-99943r1_rule   Lighttpd must not be configured to use mod_status.
SV-99945r1_rule   Lighttpd must have debug logging disabled.
SV-99947r1_rule   Lighttpd must be configured to utilize the Common Information Model Object Manager.
SV-99949r1_rule   The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
SV-99951r1_rule   Lighttpd audit records must be mapped to a time stamp.
SV-99953r1_rule   Lighttpd must record time stamps for log records to a minimum granularity of time.
SV-99955r1_rule   Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files.
SV-99957r1_rule   Lighttpd must not be configured to listen to unnecessary ports.
SV-99959r1_rule   Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections.
SV-99961r1_rule   Lighttpd must be protected from being stopped by a non-privileged user.
SV-99963r1_rule   Lighttpd must be configured to use the SSL engine.
SV-99965r1_rule   Lighttpd must be configured to use the SSL engine.
SV-99967r1_rule   Lighttpd must use an approved TLS version for encryption.
SV-99969r1_rule   Lighttpd must remove all export ciphers to transmitted information.
SV-99971r1_rule   Lighttpd must be configured to use SSL.
SV-99973r1_rule   Lighttpd must have the latest approved security-relevant software updates installed.
SV-99975r1_rule   Lighttpd must disable IP forwarding.
SV-100975r1_rule  Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification.
SV-100977r1_rule  Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification.
SV-100979r1_rule  Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion.
SV-100981r1_rule  Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion.
SV-100983r1_rule  Lighttpd proxy settings must be configured.
SV-100985r1_rule  Lighttpd must restrict inbound connections from nonsecure zones.
SV-100987r1_rule  Lighttpd must be configured to use syslog.
SV-100989r1_rule  Lighttpd must be configured to use syslog.