VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256662 | SRG-APP-000246-WSR-000149 | VCLD-70-000018 | SV-256662r888508_rule | 2023-06-15 | 1 |
| Description |
|---|
| In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe or network connection. File descriptors index into a per-process file descriptor table maintained by the kernel, which in turn indexes into a systemwide table of files opened by all processes, called the file table. As a single-threaded server, Lighttpd must be limited in the number of file descriptors that can be allocated. This will prevent Lighttpd from being used in a form of DoS attack against the operating system. |
| ℹ️ Check |
|---|
| At the command prompt, run the following command: # /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf 2>/dev/null|grep "server.max-fds"|sed 's: ::g' Expected result: server.max-fds=2048 If the output does not match the expected result, this is a finding. Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details: https://kb.vmware.com/s/article/2100508 |
| ✔️ Fix |
|---|
| Navigate to and open: /opt/vmware/etc/lighttpd/lighttpd.conf Add or reconfigure the following value: server.max-fds = 2048 Restart the service with the following command: # vmon-cli --restart applmgmt |