Information
Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, the server's communications could be compromised.
The U.S. Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), identifies 11 areas for a cryptographic module used inside a security system that protects information. FIPS 140-2 approved ciphers provide the maximum level of encryption possible for a private web server.
VAMI is compiled against VMware's FIPS-validated OpenSSL module and cannot be configured otherwise. Ciphers may still be specified in order of preference, but no non-FIPS-approved cipher will be negotiated.
Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188
Solution
Navigate to and open:
/etc/applmgmt/appliance/lighttpd.conf
Add or reconfigure the following value:
ssl.cipher-list = '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES'
Restart the service with the following command:
# vmon-cli --restart applmgmt
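The fix above is a single directive, so the practical question for an auditor is whether the file actually carries that exact value (not commented out, not a looser list left behind from an earlier build). The following POSIX sh check is an added example, not part of the STIG text or any VMware tooling. It reads the last uncommented ssl.cipher-list assignment from a lighttpd.conf and compares it to the required string; the path defaults to the one named in the finding, and the sample configuration files it builds under a temporary directory are constructed here purely to exercise the check offline.

```shell
#!/bin/sh
# Added compliance check for VCLD-70-000002 (example, not VMware's own tooling).
# Verifies that lighttpd.conf sets ssl.cipher-list to the required value.

# Required value, exactly as given in the STIG fix text.
EXPECTED_CIPHERS='!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES'
# Path from the finding; override with LIGHTTPD_CONF=... to check another file.
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/applmgmt/appliance/lighttpd.conf}"

# Print the effective ssl.cipher-list value from a config file.
# Only uncommented assignments count, the last one wins (lighttpd semantics
# for a repeated scalar), and surrounding single or double quotes are stripped.
get_cipher_list() {
    grep -E '^[[:space:]]*ssl\.cipher-list[[:space:]]*=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
              -e "s/^['\"]//" \
              -e "s/['\"][[:space:]]*\$//"
}

# Return 0 when the file's cipher list equals the required value, 1 otherwise.
check_cipher_list() {
    actual=$(get_cipher_list "$1")
    [ "$actual" = "$EXPECTED_CIPHERS" ]
}

# Build constructed sample configs (not real appliance files) in a temp dir
# so the check can be demonstrated without touching /etc. Prints the dir.
make_samples() {
    dir=$(mktemp -d)
    # Compliant: exactly the STIG value.
    printf '%s\n' 'server.port = 5480' \
        "ssl.cipher-list = '$EXPECTED_CIPHERS'" > "$dir/good.conf"
    # Non-compliant: a permissive list (constructed for the example).
    printf '%s\n' 'server.port = 5480' \
        "ssl.cipher-list = 'HIGH:MEDIUM:!aNULL'" > "$dir/weak.conf"
    # Non-compliant: the directive exists only as a comment.
    printf '%s\n' "# ssl.cipher-list = '$EXPECTED_CIPHERS'" > "$dir/missing.conf"
    echo "$dir"
}

# Live check against the appliance path, reporting PASS/FAIL and the value found.
main() {
    if check_cipher_list "$LIGHTTPD_CONF"; then
        echo "PASS: $LIGHTTPD_CONF sets the required ssl.cipher-list"
    else
        echo "FAIL: $LIGHTTPD_CONF does not set the required ssl.cipher-list"
        echo "      found: '$(get_cipher_list "$LIGHTTPD_CONF")'"
    fi
}

# Only run the live check when the configuration file is actually present.
if [ -f "$LIGHTTPD_CONF" ]; then
    main
fi
```

Run it on the appliance as-is to audit the real file, or point LIGHTTPD_CONF at a copy pulled for offline review. The check is deliberately strict (string equality rather than a "contains" test) because the finding requires a specific ordered list, and a trailing weaker suite appended to an otherwise matching list would still be a finding.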
Item Details
Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-17(2), 800-53|SC-8, 800-53|SC-13, CAT|I, CCI|CCI-000068, CCI|CCI-002418, CCI|CCI-002450, Rule-ID|SV-256646r888460_rule, STIG-ID|VCLD-70-000002, Vuln-ID|V-256646
Control ID: fa35537b62b8a4000780df53ba851f4f0a81001ea85c91642f52b8d5d765730e