Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-90211 | VRAU-VA-000170 | SV-100861r1_rule | Medium |
| Description |
|---|
| Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-89903r1_chk ) |
|---|
| Interview the ISSO and/or the SA. Determine if there is a local procedure to verify the digital signature of the vAMI files prior to being installed on a production system. If a procedure does not exist or is not being followed, this is a finding. |
| Fix Text (F-96953r1_fix) |
|---|
| Develop and implement a site procedure to verify the digital signature of the vAMI files prior to being installed on a production system. |