Envoy must drop connections to disconnected clients.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-256737	SRG-APP-000001-WSR-000001	VCRP-70-000001	SV-256737r889149_rule	2023-02-21	1

Description
Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.

Description

Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.

ℹ️ Check
At the command prompt, run the following command: # xmllint --xpath '/config/envoy/L4Filter/tcpKeepAliveTimeSec/text()' /etc/vmware-rhttpproxy/config.xml Expected result: 180 or XPath set is empty If the output does not match the expected result, this is a finding.

✔️ Fix
Navigate to and open: /etc/vmware-rhttpproxy/config.xml Locate the <config>/<envoy>/<L4Filter> block and configure <tcpKeepAliveTimeSec> as follows: <tcpKeepAliveTimeSec>180</tcpKeepAliveTimeSec> Restart the service for changes to take effect. # vmon-cli --restart rhttpproxy