DISA STIG VMware vSphere 7.0 STS Tomcat v1r2

Audit Details

Name: DISA STIG VMware vSphere 7.0 STS Tomcat v1r2

Updated: 6/17/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 33

File Details

Filename: DISA_STIG_VMware_vSphere_7.0_vCA_STS_v1r2.audit

Size: 75.5 kB

MD5: 7c354a266093bc9c51946d175a0e92c1
SHA256: e486fe15937ad662579d634f1a5cb817e20c148b21b7646db550acc09cac7235

Audit Items

DescriptionCategories
DISA_STIG_VMware_vSphere_7.0_vCA_STS_v1r2.audit from DISA VMware vSphere 7.0 vCenter Appliance STS v1r2 STIG
VCST-70-000001 - The Security Token Service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.

ACCESS CONTROL

VCST-70-000002 - The Security Token Service must limit the number of concurrent connections permitted.

ACCESS CONTROL

VCST-70-000003 - The Security Token Service must limit the maximum size of a POST request.

ACCESS CONTROL

VCST-70-000004 - The Security Token Service must protect cookies from cross-site scripting (XSS).

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

VCST-70-000005 - The Security Token Service must record user access in a format that enables monitoring of remote access.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

VCST-70-000006 - The Security Token Service must generate log records during Java startup and shutdown. - bufferSize

AUDIT AND ACCOUNTABILITY

VCST-70-000007 - Security Token Service log files must only be modifiable by privileged users.

AUDIT AND ACCOUNTABILITY

VCST-70-000008 - The Security Token Service application files must be verified for their integrity.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

VCST-70-000009 - The Security Token Service must only run one webapp.

CONFIGURATION MANAGEMENT

VCST-70-000010 - The Security Token Service must not be configured with unused realms.

CONFIGURATION MANAGEMENT

VCST-70-000011 - The Security Token Service must be configured to limit access to internal packages.

CONFIGURATION MANAGEMENT

VCST-70-000012 - The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

CONFIGURATION MANAGEMENT

VCST-70-000013 - The Security Token Service must have mappings set for Java servlet pages.

CONFIGURATION MANAGEMENT

VCST-70-000014 - The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.

CONFIGURATION MANAGEMENT

VCST-70-000015 - The Security Token Service must be configured with memory leak protection.

CONFIGURATION MANAGEMENT

VCST-70-000016 - The Security Token Service must not have any symbolic links in the web content directory tree.

CONFIGURATION MANAGEMENT

VCST-70-000017 - The Security Token Service directory tree must have permissions in an out-of-the-box state.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

VCST-70-000018 - The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.

SYSTEM AND COMMUNICATIONS PROTECTION

VCST-70-000019 - The Security Token Service must limit the number of allowed connections.

SYSTEM AND COMMUNICATIONS PROTECTION

VCST-70-000020 - The Security Token Service must set 'URIEncoding' to UTF-8.

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000021 - The Security Token Service must use the 'setCharacterEncodingFilter' filter. - filter

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000021 - The Security Token Service must use the 'setCharacterEncodingFilter' filter. - filter-mapping

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000022 - The Security Token Service must set the welcome-file node to a default web page.

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000023 - The Security Token Service must not show directory listings.

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000024 - The Security Token Service must be configured to not show error reports.

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000025 - The Security Token Service must not enable support for TRACE requests.

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000026 - The Security Token Service must have the debug option disabled.

SYSTEM AND INFORMATION INTEGRITY

VCST-70-000028 - The Security Token Service must be configured with the appropriate ports. - ssl-clientauth.https

CONFIGURATION MANAGEMENT

VCST-70-000029 - The Security Token Service must disable the shutdown port.

SYSTEM AND COMMUNICATIONS PROTECTION

VCST-70-000030 - The Security Token Service must set the secure flag for cookies.

SYSTEM AND COMMUNICATIONS PROTECTION

VCST-70-000031 - The Security Token Service default servlet must be set to 'readonly'.

CONFIGURATION MANAGEMENT

VCST-70-000050 - Security Token Service log data and records must be backed up onto a different system or media.

AUDIT AND ACCOUNTABILITY