Lighttpd must not be configured to listen to unnecessary ports.

From VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide

Associated with: CCI-001762

SV-99957r1_rule Lighttpd must not be configured to listen to unnecessary ports.

Vulnerability discussion

Web servers must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.Lighttpd will listen on ports that are specified with the server.port configuration parameter. Lighttpd listens to port 5480 to provide remote access to the Virtual Appliance Management Interface (vAMI). Lighttpd must not be configured to listen to any other port.

Check content

At the command prompt, execute the following command: cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '$0 ~ /server\.port/ { print }' If any value returned other than "server.port=5480", this is a finding.

Fix text

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf Note: Do not delete the entry for "server.port=5480" Delete all other server.port entries.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.