Rule ID
SV-258986r934616_rule
Version
V1R1
CCIs
KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. Tomcat can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps provide a balance between the advantages of KeepAlive, while not allowing any one connection being held too long by any one client.
The connection timeout should not be unlimited by setting it to "-1". At the command prompt, run the following command: # xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If any connectors are returned, this is a finding.
Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Configure the <Connector> node with the value: maxKeepAliveRequests="100" Restart the service with the following command: # vmon-cli --restart sts