Details

The Security Token Service performs user authentication at the application level and not through Tomcat. To eliminate unnecessary features and ensure that the Security Token Service remains in its shipping state, the lack of a ‘UserDatabaseRealm’ configuration must be confirmed.

Solution

Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml.

Remove the node returned in the check.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-7a.
• CAT|II
• CCI|CCI-000381
• Rule-ID|SV-239661r679055_rule
• STIG-ID|VCST-67-000010
• Vuln-ID|V-239661

Source

• Tenable.com/audits