The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-259157 | SRG-APP-000516-WSR-000174 | VCLD-80-000099 | SV-259157r1003730_rule | 2024-07-11 | 2 |
| Description |
|---|
| HSTS instructs web browsers to only use secure connections for all future requests when communicating with a website. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection. |
| ℹ️ Check |
|---|
| At the command prompt, run the following command: # /opt/vmware/cap_lighttpd/sbin/lighttpd -p -f /var/lib/vmware/cap-lighttpd/lighttpd.conf 2>/dev/null|awk '/setenv\.add-response-header/,/\)/'|sed -e 's/^[ ]*//'|grep "Strict-Transport-Security" Example result: "Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload" If the response header "Strict-Transport-Security" is missing or not configured to "max-age=31536000; includeSubDomains; preload", this is a finding. Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details: https://kb.vmware.com/s/article/2100508 |
| ✔️ Fix |
|---|
| Navigate to and open: /opt/vmware/etc/lighttpd/applmgmt-lighttpd.conf If header "Strict-Transport-Security" is not present, add the following line to the end of the file: setenv.add-response-header += ("Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload") If header "Strict-Transport-Security" is present and not set to "Deny", update the value as shown below: "Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload", Note: The last line in the parameter does not need a trailing comma if part of a multi-line configuration. Restart the service with the following command: # systemctl restart cap-lighttpd |