STIGQter: STIG Summary: VMware vSphere 6.7 Perfcharts Tomcat Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

Performance Charts must record user access in a format that enables monitoring of remote access.

DISA Rule

SV-239406r675021_rule

Vulnerability Number

V-239406

Group Title

SRG-APP-000016-WSR-000005

Rule Version

VCPF-67-000005

Severity

CAT II

CCI(s)

• CCI-000067 - The information system monitors remote access methods.
• CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
• CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
• CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
• CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
• CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
• CCI-001462 - The information system provides the capability for authorized users to capture/record and log content related to a user session.
• CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
• CCI-001889 - The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
• CCI-001890 - The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

Weight

10

Fix Recommendation

Navigate to and open /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml.

Add the following line at the very top of the <Host> node.

<Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1"/>

Inside the <Host> node, remove the existing "AccessLogValve" <Valve> node entirely and replace it with the following line:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${vim.logdir}" pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b &quot;%{User-Agent}i&quot;" resolveHosts="false" prefix="localhost_access_log" suffix=".txt"/>

Check Contents

At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'/@pattern -

Expected result:

pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b &quot;%{User-Agent}i&quot;" resolveHosts="false" prefix="localhost_access_log" suffix=".txt" />

If the output does not match the expected result, this is a finding.

Vulnerability Number

V-239406

Documentable

False

Rule Version

VCPF-67-000005

Severity Override Guidance

At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-perfcharts/tc-instance/conf/server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'/@pattern -

Expected result:

pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b &quot;%{User-Agent}i&quot;" resolveHosts="false" prefix="localhost_access_log" suffix=".txt" />

If the output does not match the expected result, this is a finding.

Check Content Reference

M

Target Key

5329

Comments