Rule ID
SV-259004r960792_rule
STIG
VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation GuideVersion
V2R2
CCIs
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: <secure>true</secure> If the output of the command does not match the expected result, this is a finding.
Navigate to and open:
/usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml
Navigate to the <session-config> node and configure the <secure> setting as follows:
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
Restart the service with the following command:
# vmon-cli --restart eam