UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vRealize Automation 7.x SLES Security Technical Implementation Guide


Overview

Date Finding Count (209)
2018-10-12 CAT I (High): 8 CAT II (Med): 197 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-89693 High The SLES for vRealize must prevent direct logon into the root account.
V-89571 High The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
V-89809 High The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-89813 High The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
V-89811 High The SLES for vRealize must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the SLES for vRealize is implementing rate-limiting measures on impacted network interfaces.
V-89815 High The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-89573 High The SLES for vRealize must store only encrypted representations of passwords.
V-89575 High The SLES for vRealize must store only encrypted representations of passwords.
V-89849 Medium The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
V-89677 Medium The AppleTalk protocol must be disabled or not installed.
V-89675 Medium The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
V-89551 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
V-89671 Medium The SMTP service must not have the VRFY feature active.
V-89841 Medium The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
V-89843 Medium The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
V-89845 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-89847 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-89679 Medium The DECnet protocol must be disabled or not installed.
V-89521 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setscheduler.
V-89569 Medium The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
V-89777 Medium The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
V-89567 Medium The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
V-89775 Medium The SLES for vRealize must audit all account enabling actions.
V-89565 Medium Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files.
V-89773 Medium The SLES for vRealize must control remote access methods.
V-89563 Medium The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
V-89771 Medium The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
V-89561 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
V-89715 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-89701 Medium The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-89495 Medium The SLES for vRealize must protect audit information from unauthorized read access - group-ownership.
V-89559 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
V-89707 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-89483 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions- SSH Daemon.
V-89493 Medium The SLES for vRealize must protect audit information from unauthorized read access - ownership.
V-89603 Medium The system must have USB Mass Storage disabled unless needed.
V-89601 Medium The Bluetooth protocol handler must be disabled or not installed.
V-89529 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
V-89607 Medium The telnet-server package must not be installed.
V-89605 Medium The system must have USB disabled unless needed.
V-89609 Medium The rsh-server package must not be installed.
V-89711 Medium The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-89519 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setparam.
V-89769 Medium The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
V-89513 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-89765 Medium System executables must have restrictive permissions.
V-89511 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.
V-89767 Medium System executables must have root ownership.
V-89517 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.
V-89761 Medium The shared library files must have restrictive permissions.
V-89515 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.
V-89763 Medium Shared library files must have root ownership.
V-89689 Medium The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
V-89683 Medium The SLES for vRealize must not have 6to4 enabled.
V-89681 Medium Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
V-89687 Medium The DHCP client must be disabled if not needed.
V-89685 Medium The SLES for vRealize must not have Teredo enabled.
V-89499 Medium The SLES for vRealize must protect audit information from unauthorized deletion.
V-89611 Medium The ypserv package must not be installed.
V-89613 Medium The yast2-tftp-server package must not be installed.
V-89615 Medium The tftp package must not be installed.
V-89617 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-89619 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-89759 Medium The SLES for vRealize must protect audit tools from unauthorized deletion.
V-89509 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.
V-89751 Medium The SLES for vRealize must initiate session audits at system start-up.
V-89501 Medium The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
V-89753 Medium The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
V-89503 Medium The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions.
V-89755 Medium The SLES for vRealize must protect audit tools from unauthorized access.
V-89505 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.
V-89757 Medium The SLES for vRealize must protect audit tools from unauthorized modification.
V-89507 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.
V-89699 Medium The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
V-89737 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-89691 Medium Duplicate User IDs (UIDs) must not exist for users within the organization.
V-89695 Medium The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
V-89697 Medium The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
V-89593 Medium Bootloader authentication must be enabled to prevent users without privilege to gain access to restricted file system resources.
V-89857 Medium The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
V-89591 Medium The system must require root password authentication upon booting into single-user mode.
V-89855 Medium The SLES for vRealize must generate audit records for all direct access to the information system.
V-89597 Medium The system boot loader configuration files must be owned by root.
V-89853 Medium SLES for vRealize audit logs must be rotated daily.
V-89595 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-89851 Medium The SLES for vRealize audit system must be configured to audit file deletions.
V-89599 Medium The system boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-89859 Medium The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-89535 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chmod.
V-89747 Medium The SLES for vRealize must audit all account removal actions.
V-89537 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
V-89745 Medium The SLES for vRealize must audit all account disabling actions.
V-89629 Medium The inetd.conf file, xinetd.conf file, and xinetd.d directory must be group owned by root, bin, sys, or system.
V-89743 Medium The SLES for vRealize must audit all account modifications.
V-89533 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group-ownership.
V-89741 Medium The SLES for vRealize must audit all account modifications.
V-89625 Medium The xinetd service must be disabled if no network services using it are enabled.
V-89621 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-89627 Medium The xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
V-89539 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
V-89623 Medium The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
V-89749 Medium The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
V-89705 Medium All GIDs referenced in /etc/passwd must be defined in /etc/group.
V-89479 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
V-89823 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-89581 Medium SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
V-89821 Medium The SLES for vRealize must verify correct operation of all security functions.
V-89583 Medium User passwords must be changed at least every 60 days.
V-89827 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-89585 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations.
V-89825 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-89587 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations - old passwords are being stored.
V-89589 Medium The SLES for vRealize must enforce a minimum 15-character password length.
V-89829 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-89787 Medium The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-89733 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-89523 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/faillog.
V-89731 Medium The /var/log/messages file must have mode 0640 or less permissive.
V-89639 Medium NIS maps must be protected through hard-to-guess domain names.
V-89881 Medium The SLES for vRealize must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-89527 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/tallylog.
V-89735 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-89525 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/lastlog.
V-89481 Medium The SLES for vRealize must monitor remote access methods - SSH Daemon.
V-89633 Medium Xinetd logging/tracing must be enabled.
V-89739 Medium Any publically accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-89631 Medium The xinetd.d directory must have mode 0755 or less permissive.
V-89485 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
V-89637 Medium The system must not use UDP for NIS/NIS+.
V-89487 Medium The SLES for vRealize must produce audit records.
V-89635 Medium The ypbind service must not be running if no network services utilizing it are enabled.
V-89579 Medium Users must not be able to change passwords more than once every 24 hours.
V-89473 Medium The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
V-89831 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-89833 Medium The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
V-89835 Medium The SLES for vRealize must generate audit records for privileged activities or other system-level access.
V-89837 Medium The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-89839 Medium The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
V-89717 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-89721 Medium The /var/log directory must be group-owned by root.
V-89723 Medium The /var/log directory must be owned by root.
V-89725 Medium The /var/log directory must have mode 0750 or less permissive.
V-89727 Medium The /var/log/messages file must be group-owned by root.
V-89729 Medium The /var/log/messages file must be owned by root.
V-89557 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
V-89555 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
V-89553 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
V-89713 Medium The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-89649 Medium Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-89647 Medium The alias files must have mode 0644 or less permissive.
V-89645 Medium The alias files must be group-owned by root or a system group.
V-89643 Medium The alias files must be owned by root.
V-89641 Medium Mail relaying must be restricted.
V-89469 Medium In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy.
V-89805 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-89807 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-89801 Medium The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-89803 Medium The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
V-89541 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
V-89719 Medium The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-89869 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-89867 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-89865 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-89863 Medium The SLES for vRealize must, at a minimum, off-load audit information on interconnected systems in real time and off-load standalone systems weekly.
V-89861 Medium The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-89795 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-89545 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
V-89797 Medium The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-89547 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
V-89791 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-89659 Medium The SMTP service log files must be owned by root.
V-89793 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
V-89543 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
V-89655 Medium Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-89657 Medium The system syslog service must log informational and more severe SMTP service messages.
V-89467 Medium The SLES for vRealize must audit all account creations.
V-89549 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
V-89489 Medium The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-89653 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-89799 Medium The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
V-89651 Medium Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
V-89497 Medium The SLES for vRealize must protect audit information from unauthorized modification.
V-89819 Medium The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
V-89465 Medium The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
V-89491 Medium The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
V-89817 Medium The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
V-89709 Medium The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
V-89879 Medium The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-89703 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-89877 Medium The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-89871 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-89873 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-89669 Medium The SMTP service must not have the EXPN feature active.
V-89531 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
V-89577 Medium SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
V-89785 Medium The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-89661 Medium The SMTP service log file must have mode 0644 or less permissive.
V-89471 Medium The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-89663 Medium The SMTP service HELP command must not be enabled.
V-89789 Medium The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-89665 Medium The SMTP service SMTP greeting must not provide version information.
V-89667 Medium The SMTP service must not use .forward files.
V-89477 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
V-89875 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-89673 Medium The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
V-89779 Low The SLES for vRealize must audit the execution of privileged functions.
V-89783 Low The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.
V-89781 Low The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-89475 Low The SLES for vRealize must limit the number of concurrent sessions to 10 for all accounts and/or account types.