VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide


Overview

Date: 2018-10-12
Finding Count (44): CAT I (High): 6, CAT II (Med): 38, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-90197 High The vAMI must restrict inbound connections from nonsecure zones.
V-90217 High The vAMI must not contain any unnecessary functions and only provide essential capabilities.
V-90225 High The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor.
V-90195 High The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions.
V-90223 High The vAMI must transmit only encrypted representations of passwords.
V-90227 High The vAMI must use approved versions of TLS.
V-90235 Medium The vAMI installation procedures must be part of a complete vRealize Automation deployment.
V-90237 Medium The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-90231 Medium The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator.
V-90219 Medium The vAMI must use the sfcb HTTPS port for communication with Lighttpd.
V-90215 Medium The vAMI installation procedures must be capable of being rolled back to a last known good configuration.
V-90211 Medium Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization.
V-90205 Medium The vAMI must protect log information from unauthorized modification.
V-90221 Medium The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
V-90213 Medium The vAMI executable files and library must not be world-writeable.
V-90233 Medium The vAMI must have the correct authentication set for HTTPS connections.
V-90245 Medium The vAMI must utilize syslog.
V-90209 Medium The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged.
V-90247 Medium The vAMI configuration file must be protected from unauthorized access.
V-90241 Medium The vAMI account credentials must be protected by site policies.
V-90243 Medium The vAMI sfcb config file must be group-owned by root.
V-90271 Medium The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor.
V-90281 Medium The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-90249 Medium The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-90201 Medium The vAMI must have sfcb logging enabled.
V-90203 Medium The vAMI must protect log information from unauthorized read access.
V-90273 Medium If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable.
V-90207 Medium The vAMI must protect log information from unauthorized deletion.
V-90263 Medium The vAMI must log all successful login events.
V-90199 Medium The vAMI configuration file must be owned by root.
V-90261 Medium The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
V-90267 Medium The vAMI must have PAM logging enabled.
V-90229 Medium The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator.
V-90239 Medium The vAMI error logs must be reviewed.
V-90265 Medium The vAMI must enable logging.
V-90277 Medium The vAMI must be configured to listen on a specific IPv4 address.
V-90279 Medium The vAMI must be configured to listen on a specific network interface.
V-90275 Medium The vAMI must utilize syslog.
V-90269 Medium The vAMI must log all login events.
V-90253 Medium The vAMI must have the keepaliveMaxRequest enabled.
V-90251 Medium The vAMI must have the keepaliveTimeout enabled.
V-90257 Medium The vAMI sfcb must have HTTPS enabled.
V-90255 Medium The vAMI must use approved versions of TLS.
V-90259 Medium The vAMI sfcb must have HTTP disabled.