STIGQter: STIG Summary:

VMware vSphere 6.7 UI Tomcat Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 09 Mar 2021

SV-239682r679152_rule: vSphere UI must limit the amount of time that each TCP connection is kept alive.
SV-239683r679155_rule: vSphere UI must limit the number of concurrent connections permitted.
SV-239684r679158_rule: vSphere UI must limit the maximum size of a POST request.
SV-239685r679161_rule: vSphere UI must protect cookies from XSS.
SV-239686r679252_rule: vSphere UI must record user access in a format that enables monitoring of remote access.
SV-239687r679167_rule: vSphere UI must generate log records for system startup and shutdown.
SV-239688r679170_rule: vSphere UI log files must only be accessible by privileged users.
SV-239689r679173_rule: vSphere UI application files must be verified for their integrity.
SV-239690r679176_rule: vSphere UI plugins must be authorized before use.
SV-239691r679179_rule: vSphere UI must be configured to limit access to internal packages.
SV-239692r679182_rule: vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
SV-239693r679185_rule: vSphere UI must have mappings set for Java servlet pages.
SV-239694r679188_rule: vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.
SV-239695r679191_rule: vSphere UI must be configured with memory leak protection.
SV-239696r679194_rule: vSphere UI must not have any symbolic links in the web content directory tree.
SV-239697r679197_rule: vSphere UI directory tree must have permissions in an "out-of-the-box" state.
SV-239698r679200_rule: vSphere UI must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-239699r679203_rule: vSphere UI must limit the number of allowed connections.
SV-239700r679206_rule: vSphere UI must set URIEncoding to UTF-8.
SV-239701r679209_rule: vSphere UI must set the welcome-file node to a default web page.
SV-239702r679212_rule: The vSphere UI must not show directory listings.
SV-239703r679215_rule: vSphere UI must be configured to hide the server version.
SV-239704r679218_rule: vSphere UI must be configured to show error pages with minimal information.
SV-239705r679221_rule: vSphere UI must not enable support for TRACE requests.
SV-239706r679224_rule: vSphere UI must have the debug option turned off.
SV-239707r679227_rule: vSphere UI must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
SV-239708r679230_rule: vSphere UI log files must be moved to a permanent repository in accordance with site policy.
SV-239709r679233_rule: vSphere UI must be configured with the appropriate ports.
SV-239710r679236_rule: vSphere UI must disable the shutdown port.
SV-239711r679239_rule: vSphere UI must set the secure flag for cookies.
SV-239712r679242_rule: vSphere UI must not be configured with the "UserDatabaseRealm" enabled.
SV-239713r679245_rule: vSphere UI must restrict its cookie path.