VMware vRealize Automation 7.x SLES Security Technical Implementation Guide


Overview

Date: 2021-06-24
Finding Count (208): CAT I (High): 8, CAT II (Med): 196, CAT III (Low): 4

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-240458 High The SLES for vRealize must prevent direct logon into the root account.
V-240519 High The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-240518 High The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
V-240517 High The SLES for vRealize must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the SLES for vRealize is implementing rate-limiting measures on impacted network interfaces.
V-240516 High The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-240397 High The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
V-240399 High The SLES for vRealize must store only encrypted representations of passwords.
V-240398 High The SLES for vRealize must store only encrypted representations of passwords.
V-240470 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-240471 Medium The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-240472 Medium The /var/log directory must be group-owned by root.
V-240473 Medium The /var/log directory must be owned by root.
V-240474 Medium The /var/log directory must have mode 0750 or less permissive.
V-240475 Medium The /var/log/messages file must be group-owned by root.
V-240476 Medium The /var/log/messages file must be owned by root.
V-240477 Medium The /var/log/messages file must have mode 0640 or less permissive.
V-240478 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-240479 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-240396 Medium The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
V-240379 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chmod.
V-240378 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group-ownership.
V-240373 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/faillog.
V-240372 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setscheduler.
V-240371 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setparam.
V-240370 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.
V-240377 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
V-240376 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
V-240375 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/tallylog.
V-240374 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/lastlog.
V-240405 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations - old passwords are being stored.
V-240404 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations.
V-240407 Medium The system must require root password authentication upon booting into single-user mode.
V-240406 Medium The SLES for vRealize must enforce a minimum 15-character password length.
V-240401 Medium Users must not be able to change passwords more than once every 24 hours.
V-240400 Medium SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
V-240403 Medium User passwords must be changed at least every 60 days.
V-240402 Medium SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
V-240409 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-240408 Medium Bootloader authentication must be enabled to prevent users without privilege from gaining access to restricted file system resources.
V-240416 Medium The rsh-server package must not be installed.
V-240463 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-240462 Medium The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-240461 Medium The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
V-240460 Medium The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
V-240467 Medium The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-240466 Medium The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
V-240465 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-240464 Medium All GIDs referenced in /etc/passwd must be defined in /etc/group.
V-240469 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-240428 Medium Xinetd logging/tracing must be enabled.
V-240348 Medium The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
V-240346 Medium In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy.
V-240347 Medium The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-240344 Medium The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
V-240345 Medium The SLES for vRealize must audit all account creations.
V-240388 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
V-240433 Medium The alias files must be owned by root.
V-240393 Medium The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
V-240456 Medium The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
V-240457 Medium Duplicate User IDs (UIDs) must not exist for users within the organization.
V-240454 Medium The SLES for vRealize must not have Teredo enabled.
V-240455 Medium The DHCP client must be disabled if not needed.
V-240452 Medium Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
V-240453 Medium The SLES for vRealize must not have 6to4 enabled.
V-240450 Medium The AppleTalk protocol must be disabled or not installed.
V-240451 Medium The DECnet protocol must be disabled or not installed.
V-240459 Medium The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
V-240351 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
V-240350 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
V-240353 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon.
V-240352 Medium The SLES for vRealize must monitor remote access methods - SSH Daemon.
V-240355 Medium The SLES for vRealize must produce audit records.
V-240354 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
V-240357 Medium The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
V-240356 Medium The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-240359 Medium The SLES for vRealize must protect audit information from unauthorized read access - group-ownership.
V-240358 Medium The SLES for vRealize must protect audit information from unauthorized read access - ownership.
V-240424 Medium The xinetd service must be disabled if no network services using it are enabled.
V-240508 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
V-240509 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-240504 Medium The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-240505 Medium The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-240506 Medium The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-240507 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-240500 Medium The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
V-240417 Medium The ypserv package must not be installed.
V-240384 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
V-240539 Medium The SLES for vRealize must generate audit records for all direct access to the information system.
V-240431 Medium NIS maps must be protected through hard-to-guess domain names.
V-240515 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-240514 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-240513 Medium The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
V-240512 Medium The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-240511 Medium The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
V-240510 Medium The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-240498 Medium The SLES for vRealize must control remote access methods.
V-240499 Medium The SLES for vRealize must audit all account enabling actions.
V-240438 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-240449 Medium The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
V-240448 Medium The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
V-240522 Medium The SLES for vRealize must verify correct operation of all security functions.
V-240523 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-240520 Medium The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
V-240521 Medium The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
V-240526 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-240527 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-240524 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-240525 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-240441 Medium The SMTP service log files must be owned by root.
V-240440 Medium The system syslog service must log informational and more severe SMTP service messages.
V-240443 Medium The SMTP service HELP command must not be enabled.
V-240442 Medium The SMTP service log file must have mode 0644 or less permissive.
V-240445 Medium The SMTP service must not use .forward files.
V-240444 Medium The SMTP service SMTP greeting must not provide version information.
V-240447 Medium The SMTP service must not have the VRFY feature active.
V-240446 Medium The SMTP service must not have the EXPN feature active.
V-240540 Medium The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
V-240541 Medium The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-240542 Medium The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-240543 Medium The SLES for vRealize must, at a minimum, off-load audit information on interconnected systems in real time and off-load standalone systems weekly.
V-240544 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-240545 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-240546 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-240547 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-240548 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-240549 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-240528 Medium The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
V-240529 Medium The SLES for vRealize must generate audit records for privileged activities or other system-level access.
V-240535 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-240534 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-240537 Medium The SLES for vRealize audit system must be configured to audit file deletions.
V-240536 Medium The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
V-240531 Medium The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
V-240530 Medium The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-240533 Medium The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
V-240532 Medium The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
V-240434 Medium The alias files must be group-owned by root or a system group.
V-240435 Medium The alias files must have mode 0644 or less permissive.
V-240436 Medium Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-240437 Medium Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
V-240430 Medium The system must not use UDP for NIS/NIS+.
V-240538 Medium SLES for vRealize audit logs must be rotated daily.
V-240432 Medium Mail relaying must be restricted.
V-240439 Medium Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-240551 Medium The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-240550 Medium The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-240492 Medium The shared library files must have restrictive permissions.
V-240493 Medium Shared library files must have root ownership.
V-240490 Medium The SLES for vRealize must protect audit tools from unauthorized modification.
V-240491 Medium The SLES for vRealize must protect audit tools from unauthorized deletion.
V-240496 Medium The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
V-240497 Medium The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
V-240494 Medium System executables must have restrictive permissions.
V-240495 Medium System executables must have root ownership.
V-240412 Medium The Bluetooth protocol handler must be disabled or not installed.
V-240413 Medium The system must have USB Mass Storage disabled unless needed.
V-240410 Medium The system boot loader configuration files must be owned by root.
V-240382 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
V-240383 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
V-240380 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
V-240381 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
V-240386 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
V-240387 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
V-240429 Medium The ypbind service must not be running if no network services utilizing it are enabled.
V-240385 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
V-240427 Medium The xinetd.d directory must have mode 0755 or less permissive.
V-240426 Medium The inetd.conf file, xinetd.conf file, and xinetd.d directory must be group owned by root, bin, sys, or system.
V-240425 Medium The xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
V-240389 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
V-240423 Medium The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
V-240422 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-240421 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-240420 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-240468 Medium The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-240489 Medium The SLES for vRealize must protect audit tools from unauthorized access.
V-240488 Medium The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
V-240485 Medium The SLES for vRealize must audit all account removal actions.
V-240484 Medium The SLES for vRealize must audit all account disabling actions.
V-240487 Medium The SLES for vRealize must initiate session audits at system start-up.
V-240486 Medium The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
V-240481 Medium Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-240480 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-240483 Medium The SLES for vRealize must audit all account modifications.
V-240482 Medium The SLES for vRealize must audit all account modifications.
V-240368 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-240369 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.
V-240360 Medium The SLES for vRealize must protect audit information from unauthorized modification.
V-240361 Medium The SLES for vRealize must protect audit information from unauthorized deletion.
V-240362 Medium The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
V-240363 Medium The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions.
V-240364 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.
V-240365 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.
V-240366 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.
V-240367 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.
V-240395 Medium The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
V-240394 Medium Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.
V-240411 Medium The system boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-240391 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
V-240390 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
V-240414 Medium The system must have USB disabled unless needed.
V-240392 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
V-240415 Medium The telnet-server package must not be installed.
V-240418 Medium The yast2-tftp-server package must not be installed.
V-240419 Medium The tftp package must not be installed.
V-240349 Low The SLES for vRealize must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-240501 Low The SLES for vRealize must audit the execution of privileged functions.
V-240502 Low The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-240503 Low The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.