The vCenter ESX Agent Manager service shutdown port must be disabled.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-259023 | SRG-APP-000141-AS-000095 | VCEM-80-000134 | SV-259023r960963_rule | 2024-12-16 | 2 |
| Description |
|---|
| Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" in $CATALINA_BASE/conf/server.xml instructs Tomcat to not listen for the shutdown command. |
| ℹ️ Check |
|---|
| At the command prompt, run the following commands: # xmllint --xpath "//Server/@port" /usr/lib/vmware-eam/web/conf/server.xml # grep 'base.shutdown.port' /etc/vmware-eam/catalina.properties Example results: port="${base.shutdown.port}" base.shutdown.port=-1 If "port" does not equal "${base.shutdown.port}", this is a finding. If "base.shutdown.port" does not equal "-1", this is a finding. |
| ✔️ Fix |
|---|
| Navigate to and open: /etc/vmware-eam/catalina.properties Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file. Navigate to and open: /usr/lib/vmware-eam/web/conf/server.xml Configure the <Server> node with the value: port="${base.shutdown.port}" Restart the service with the following command: # vmon-cli --restart eam |