Information
HSTS instructs web browsers to only use secure connections for all future requests when communicating with a website. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.
Solution
Navigate to and open:
/opt/vmware/etc/lighttpd/applmgmt-lighttpd.conf
If the "Strict-Transport-Security" header is not present, add the following line to the end of the file:
setenv.add-response-header += ("Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload")
If the "Strict-Transport-Security" header is present and not set to "Deny", update the value as shown below:
"Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",
Note: In a multi-line configuration, the last entry in the parameter does not need a trailing comma.
Restart the service with the following command:
# systemctl restart cap-lighttpd
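
The file check from the steps above can be scripted. The following is an added example, not part of the original guidance: check_hsts is a hypothetical helper name, and the default path and expected value are the ones given on this page.

```shell
#!/bin/sh
# Added example: audit a lighttpd config file for the HSTS response header.
# check_hsts is a hypothetical helper name, not a VMware or lighttpd tool.

# Value required by the guidance above.
EXPECTED='max-age=31536000; includeSubDomains; preload'

# Prints one of: compliant | missing | mismatch | unreadable
# Returns 0 only when every active HSTS entry carries the expected value.
check_hsts() {
    conf="${1:-/opt/vmware/etc/lighttpd/applmgmt-lighttpd.conf}"
    [ -r "$conf" ] || { echo unreadable; return 2; }

    # Ignore commented-out lines, then extract the value of each
    # "Strict-Transport-Security" => "..." pair (single- or multi-line form).
    values=$(grep -v '^[[:space:]]*#' "$conf" |
        sed -n 's/.*"Strict-Transport-Security"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p')

    if [ -z "$values" ]; then
        echo missing
        return 1
    fi

    # Any extracted value that is not an exact match is a finding.
    if printf '%s\n' "$values" | grep -qvFx -- "$EXPECTED"; then
        echo mismatch
        return 1
    fi

    echo compliant
    return 0
}

# Usage (after sourcing this file): check_hsts [path-to-config]
```

A corrected file still requires the service restart shown above before the header is served.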