UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide


Overview

Date Finding Count (161)
2018-10-12 CAT I (High): 10 CAT II (Med): 151 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-90181 High tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-90115 High tc Server ALL must be configured to the correct user authentication source.
V-90179 High tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-90009 High tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
V-90049 High tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-90047 High tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-90051 High tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-90055 High tc Server VCO web server application directories must not be accessible to anonymous user.
V-90057 High tc Server VCAC web server application directories must not be accessible to anonymous user.
V-90053 High tc Server HORIZON web server application directories must not be accessible to anonymous user.
V-89917 Medium tc Server ALL must generate log records for system startup and shutdown.
V-90069 Medium tc Server VCO document directory must be in a separate partition from the web servers system files.
V-89915 Medium tc Server VCAC must record user access in a format that enables monitoring of remote access.
V-89913 Medium tc Server VCO must record user access in a format that enables monitoring of remote access.
V-90187 Medium tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-89911 Medium tc Server HORIZON must record user access in a format that enables monitoring of remote access.
V-90183 Medium tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-90061 Medium tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-90063 Medium tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-90189 Medium tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-90065 Medium tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-89887 Medium tc Server HORIZON must limit the amount of time that each TCP connection is kept alive.
V-89919 Medium tc Server HORIZON must generate log records for user access and authentication events.
V-90185 Medium tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-89963 Medium tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-89961 Medium tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-90119 Medium tc Server VCAC must be configured to use the https scheme.
V-89967 Medium tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-89965 Medium tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-90117 Medium tc Server HORIZON must be configured to use the https scheme.
V-89969 Medium tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-90111 Medium tc Server VCO must set an inactive timeout for sessions.
V-90113 Medium tc Server VCAC must set an inactive timeout for sessions.
V-89989 Medium tc Server HORIZON log files must be protected from unauthorized deletion.
V-89905 Medium tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-89907 Medium tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-89901 Medium tc Server VCO must perform server-side session management.
V-89903 Medium tc Server VCAC must perform server-side session management.
V-90177 Medium tc Server VCAC must set the secure flag for cookies.
V-89957 Medium tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-90175 Medium tc Server VCO must set the secure flag for cookies.
V-90173 Medium tc Server HORIZON must set the secure flag for cookies.
V-89909 Medium tc Server HORIZON must use cryptography to protect the integrity of remote sessions.
V-90171 Medium tc Server VCAC must set the useHttpOnly parameter.
V-90067 Medium tc Server HORIZON document directory must be in a separate partition from the web servers system files.
V-90109 Medium tc Server HORIZON must set an inactive timeout for sessions.
V-89999 Medium tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
V-89997 Medium tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
V-90103 Medium tc Server HORIZON must have the debug option turned off.
V-89995 Medium tc Server ALL log data and records must be backed up onto a different system or media.
V-90079 Medium tc Server HORIZON must set URIEncoding to UTF-8.
V-89993 Medium tc Server VCAC log files must be protected from unauthorized deletion.
V-90107 Medium tc Server VCAC must have the debug option turned off.
V-89991 Medium tc Server VCO log files must be protected from unauthorized deletion.
V-90105 Medium tc Server VCO must have the debug option turned off.
V-89931 Medium tc Server VCAC must capture, record, and log all content related to a user session.
V-89933 Medium tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred.
V-89935 Medium tc Server VCO must produce log records containing sufficient information to establish what type of events occurred.
V-90169 Medium tc Server VCO must set the useHttpOnly parameter.
V-89937 Medium tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred.
V-89939 Medium tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred.
V-90165 Medium tc Server VCAC session IDs must be sent to the client using SSL/TLS.
V-90167 Medium tc Server HORIZON must set the useHttpOnly parameter.
V-90161 Medium tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-90163 Medium tc Server HORIZON session IDs must be sent to the client using SSL/TLS.
V-90089 Medium tc Server VCAC must use the setCharacterEncodingFilter filter.
V-90083 Medium tc Server HORIZON must use the setCharacterEncodingFilter filter.
V-90081 Medium tc Server VCO must set URIEncoding to UTF-8.
V-90087 Medium tc Server VCAC must set URIEncoding to UTF-8.
V-90085 Medium tc Server VCO must use the setCharacterEncodingFilter filter.
V-90059 Medium tc Server ALL baseline must be documented and maintained.
V-90077 Medium tc Server VCAC must be configured with a cross-site scripting (XSS) filter.
V-90075 Medium tc Server VCO must be configured with a cross-site scripting (XSS) filter.
V-90073 Medium tc Server HORIZON must be configured with a cross-site scripting (XSS) filter.
V-90071 Medium tc Server VCAC document directory must be in a separate partition from the web servers system files.
V-89985 Medium tc Server VCO log files must be protected from unauthorized modification.
V-89987 Medium tc Server VCAC log files must be protected from unauthorized modification.
V-89981 Medium tc Server VCAC log files must only be accessible by privileged users.
V-89983 Medium tc Server HORIZON log files must be protected from unauthorized modification.
V-90159 Medium tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-89929 Medium tc Server VCO must capture, record, and log all content related to a user session.
V-90151 Medium tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-89927 Medium tc Server HORIZON must capture, record, and log all content related to a user session.
V-90153 Medium tc Server HORIZON must disable the shutdown port.
V-89925 Medium tc Server ALL must initiate logging during service start-up.
V-90155 Medium tc Server VCO must disable the shutdown port.
V-89923 Medium tc Server VCAC must generate log records for user access and authentication events.
V-90157 Medium tc Server VCAC must disable the shutdown port.
V-89921 Medium tc Server VCO must generate log records for user access and authentication events.
V-90099 Medium tc Server VCO must have the allowTrace parameter set to false.
V-90091 Medium tc Server HORIZON must set the welcome-file node to a default web page.
V-90093 Medium tc Server VCO must set the welcome-file node to a default web page.
V-90095 Medium tc Server VCAC must set the welcome-file node to a default web page.
V-90097 Medium tc Server HORIZON must have the allowTrace parameter set to false.
V-90101 Medium tc Server VCAC must have the allowTrace parameter set to false.
V-90003 Medium tc Server VCO must not use the tomcat-users XML database for user management.
V-90001 Medium tc Server HORIZON must not use the tomcat-users XML database for user management.
V-90007 Medium tc Server ALL must only contain services and functions necessary for operation.
V-90005 Medium tc Server VCAC must not use the tomcat-users XML database for user management.
V-89885 Medium tc Server VCAC must limit the number of maximum concurrent connections permitted.
V-89959 Medium tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-89883 Medium tc Server VCO must limit the number of maximum concurrent connections permitted.
V-89953 Medium tc Server VCO must produce log records containing sufficient information to establish the source of events.
V-89951 Medium tc Server HORIZON must produce log records containing sufficient information to establish the source of events.
V-89889 Medium tc Server VCO must limit the amount of time that each TCP connection is kept alive.
V-89955 Medium tc Server VCAC must produce log records containing sufficient information to establish the source of events.
V-90011 Medium tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-90013 Medium tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
V-90015 Medium tc Server HORIZON must have mappings set for Java Servlet Pages.
V-90017 Medium tc Server VCO must have mappings set for Java Servlet Pages.
V-90019 Medium tc Server VCAC must have mappings set for Java Servlet Pages.
V-89893 Medium tc Server HORIZON must limit the number of times that each TCP connection is kept alive.
V-89891 Medium tc Server VCAC must limit the amount of time that each TCP connection is kept alive.
V-89897 Medium tc Server VCAC must limit the number of times that each TCP connection is kept alive.
V-89895 Medium tc Server VCO must limit the number of times that each TCP connection is kept alive.
V-89941 Medium tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred.
V-89943 Medium tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred.
V-89945 Medium tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred.
V-89947 Medium tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred.
V-90147 Medium tc Server VCAC must be configured with the appropriate ports.
V-90145 Medium tc Server VCO must be configured with the appropriate ports.
V-90029 Medium tc Server VCO must not have any symbolic links in the web content directory tree.
V-90143 Medium tc Server HORIZON must be configured with the appropriate ports.
V-90141 Medium tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users.
V-90025 Medium tc Server VCO must be configured with memory leak protection.
V-90027 Medium tc Server VCAC must be configured with memory leak protection.
V-90021 Medium tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-90023 Medium tc Server HORIZON must be configured with memory leak protection.
V-90149 Medium tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-89949 Medium tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred.
V-90045 Medium tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-90043 Medium tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-90041 Medium tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid.
V-90133 Medium tc Server VCO must record time stamps for log records to a minimum granularity of one second.
V-90131 Medium tc Server HORIZON must record time stamps for log records to a minimum granularity of one second.
V-90039 Medium tc Server VCAC must encrypt passwords during transmission.
V-90137 Medium tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users.
V-90135 Medium tc Server VCAC must record time stamps for log records to a minimum granularity of one second.
V-90033 Medium tc Server VCO must be configured to use a specified IP address and port.
V-90139 Medium tc Server VCO application, libraries, and configuration files must only be accessible to privileged users.
V-90031 Medium tc Server HORIZON must be configured to use a specified IP address and port.
V-90037 Medium tc Server HORIZON must encrypt passwords during transmission.
V-90035 Medium tc Server VCAC must be configured to use a specified IP address and port.
V-90345 Medium tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
V-90347 Medium tc Server ALL must only allow authenticated system administrators to have access to the keystore.
V-90191 Medium tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
V-90341 Medium tc Server HORIZON must limit the number of maximum concurrent connections permitted.
V-90193 Medium tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-90343 Medium tc Server VCAC must use cryptography to protect the integrity of remote sessions.
V-90349 Medium tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
V-89899 Medium tc Server HORIZON must perform server-side session management.
V-89975 Medium tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
V-90121 Medium tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
V-89977 Medium tc Server HORIZON log files must only be accessible by privileged users.
V-90123 Medium tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
V-89971 Medium tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-90125 Medium tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-89973 Medium tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-90127 Medium tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-90129 Medium tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-89979 Medium tc Server VCO log files must only be accessible by privileged users.