UCF STIG Viewer Logo

VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide


Overview

Date Finding Count (155)
2021-06-23 CAT I (High): 10 CAT II (Med): 145 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-240875 High tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-240876 High tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-240842 High tc Server ALL must be configured to the correct user authentication source.
V-240787 High tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
V-240812 High tc Server VCO web server application directories must not be accessible to anonymous user.
V-240813 High tc Server VCAC web server application directories must not be accessible to anonymous user.
V-240810 High tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-240811 High tc Server HORIZON web server application directories must not be accessible to anonymous user.
V-240809 High tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-240808 High tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-240878 Medium tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-240879 Medium tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-240874 Medium tc Server VCAC must set the secure flag for cookies.
V-240877 Medium tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-240870 Medium tc Server VCO must set the useHttpOnly parameter.
V-240871 Medium tc Server VCAC must set the useHttpOnly parameter.
V-240872 Medium tc Server HORIZON must set the secure flag for cookies.
V-240873 Medium tc Server VCO must set the secure flag for cookies.
V-240869 Medium tc Server HORIZON must set the useHttpOnly parameter.
V-240868 Medium tc Server VCAC session IDs must be sent to the client using SSL/TLS.
V-240867 Medium tc Server HORIZON session IDs must be sent to the client using SSL/TLS.
V-240866 Medium tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-240865 Medium tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-240864 Medium tc Server VCAC must disable the shutdown port.
V-240863 Medium tc Server VCO must disable the shutdown port.
V-240862 Medium tc Server HORIZON must disable the shutdown port.
V-240861 Medium tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-240860 Medium tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-240748 Medium tc Server ALL must initiate logging during service start-up.
V-240749 Medium tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred.
V-240742 Medium tc Server VCO must record user access in a format that enables monitoring of remote access.
V-240743 Medium tc Server VCAC must record user access in a format that enables monitoring of remote access.
V-240740 Medium tc Server VCAC must use cryptography to protect the integrity of remote sessions.
V-240741 Medium tc Server HORIZON must record user access in a format that enables monitoring of remote access.
V-240746 Medium tc Server VCO must generate log records for user access and authentication events.
V-240747 Medium tc Server VCAC must generate log records for user access and authentication events.
V-240744 Medium tc Server ALL must generate log records for system startup and shutdown.
V-240745 Medium tc Server HORIZON must generate log records for user access and authentication events.
V-240728 Medium tc Server HORIZON must limit the amount of time that each TCP connection is kept alive.
V-240729 Medium tc Server VCO must limit the amount of time that each TCP connection is kept alive.
V-240782 Medium tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
V-240725 Medium tc Server HORIZON must limit the number of maximum concurrent connections permitted.
V-240726 Medium tc Server VCO must limit the number of maximum concurrent connections permitted.
V-240727 Medium tc Server VCAC must limit the number of maximum concurrent connections permitted.
V-240852 Medium tc Server VCO must record time stamps for log records to a minimum granularity of one second.
V-240853 Medium tc Server VCAC must record time stamps for log records to a minimum granularity of one second.
V-240850 Medium tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-240851 Medium tc Server HORIZON must record time stamps for log records to a minimum granularity of one second.
V-240856 Medium tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users.
V-240857 Medium tc Server HORIZON must be configured with the appropriate ports.
V-240854 Medium tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users.
V-240855 Medium tc Server VCO application, libraries, and configuration files must only be accessible to privileged users.
V-240858 Medium tc Server VCO must be configured with the appropriate ports.
V-240859 Medium tc Server VCAC must be configured with the appropriate ports.
V-240785 Medium tc Server VCAC must not use the tomcat-users XML database for user management.
V-240759 Medium tc Server VCO must produce log records containing sufficient information to establish the source of events.
V-240758 Medium tc Server HORIZON must produce log records containing sufficient information to establish the source of events.
V-240755 Medium tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred.
V-240754 Medium tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred.
V-240757 Medium tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred.
V-240756 Medium tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred.
V-240751 Medium tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred.
V-240750 Medium tc Server VCO must produce log records containing sufficient information to establish what type of events occurred.
V-240753 Medium tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred.
V-240752 Medium tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred.
V-240739 Medium tc Server HORIZON must use cryptography to protect the integrity of remote sessions.
V-240738 Medium tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-240780 Medium tc Server ALL log data and records must be backed up onto a different system or media.
V-240733 Medium tc Server VCAC must limit the number of times that each TCP connection is kept alive.
V-240732 Medium tc Server VCO must limit the number of times that each TCP connection is kept alive.
V-240731 Medium tc Server HORIZON must limit the number of times that each TCP connection is kept alive.
V-240730 Medium tc Server VCAC must limit the amount of time that each TCP connection is kept alive.
V-240737 Medium tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-240736 Medium tc Server VCAC must perform server-side session management.
V-240735 Medium tc Server VCO must perform server-side session management.
V-240734 Medium tc Server HORIZON must perform server-side session management.
V-240845 Medium tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
V-240844 Medium tc Server VCAC must be configured to use the https scheme.
V-240847 Medium tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
V-240846 Medium tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
V-240841 Medium tc Server VCAC must set an inactive timeout for sessions.
V-240840 Medium tc Server VCO must set an inactive timeout for sessions.
V-240843 Medium tc Server HORIZON must be configured to use the https scheme.
V-240849 Medium tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-240848 Medium tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-240764 Medium tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-240765 Medium tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-240767 Medium tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-240783 Medium tc Server HORIZON must not use the tomcat-users XML database for user management.
V-240830 Medium tc Server HORIZON must set the welcome-file node to a default web page.
V-240831 Medium tc Server VCO must set the welcome-file node to a default web page.
V-240832 Medium tc Server VCAC must set the welcome-file node to a default web page.
V-240833 Medium tc Server HORIZON must have the allowTrace parameter set to false.
V-240834 Medium tc Server VCO must have the allowTrace parameter set to false.
V-240835 Medium tc Server VCAC must have the allowTrace parameter set to false.
V-240836 Medium tc Server HORIZON must have the debug option turned off.
V-240837 Medium tc Server VCO must have the debug option turned off.
V-240838 Medium tc Server VCAC must have the debug option turned off.
V-240839 Medium tc Server HORIZON must set an inactive timeout for sessions.
V-240786 Medium tc Server ALL must only contain services and functions necessary for operation.
V-240784 Medium tc Server VCO must not use the tomcat-users XML database for user management.
V-240820 Medium tc Server VCAC document directory must be in a separate partition from the web servers system files.
V-240827 Medium tc Server VCO must use the setCharacterEncodingFilter filter.
V-240826 Medium tc Server HORIZON must use the setCharacterEncodingFilter filter.
V-240825 Medium tc Server VCO must set URIEncoding to UTF-8.
V-240824 Medium tc Server HORIZON must set URIEncoding to UTF-8.
V-240829 Medium tc Server VCAC must use the setCharacterEncodingFilter filter.
V-240828 Medium tc Server VCAC must set URIEncoding to UTF-8.
V-240788 Medium tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
V-240789 Medium tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-240881 Medium tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
V-240880 Medium tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-240766 Medium tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-240882 Medium tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-240760 Medium tc Server VCAC must produce log records containing sufficient information to establish the source of events.
V-240761 Medium tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-240762 Medium tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-240763 Medium tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-240768 Medium tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-240769 Medium tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-240799 Medium tc Server HORIZON must be configured to use a specified IP address and port.
V-240798 Medium tc Server VCO must not have any symbolic links in the web content directory tree.
V-240791 Medium tc Server HORIZON must have mappings set for Java Servlet Pages.
V-240790 Medium tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
V-240793 Medium tc Server VCAC must have mappings set for Java Servlet Pages.
V-240792 Medium tc Server VCO must have mappings set for Java Servlet Pages.
V-240795 Medium tc Server HORIZON must be configured with memory leak protection.
V-240794 Medium tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-240797 Medium tc Server VCAC must be configured with memory leak protection.
V-240796 Medium tc Server VCO must be configured with memory leak protection.
V-240816 Medium tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-240817 Medium tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-240814 Medium tc Server ALL baseline must be documented and maintained.
V-240815 Medium tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-240818 Medium tc Server HORIZON document directory must be in a separate partition from the web servers system files.
V-240819 Medium tc Server VCO document directory must be in a separate partition from the web servers system files.
V-240777 Medium tc Server HORIZON log files must be protected from unauthorized deletion.
V-240776 Medium tc Server VCAC log files must be protected from unauthorized modification.
V-240775 Medium tc Server VCO log files must be protected from unauthorized modification.
V-240774 Medium tc Server HORIZON log files must be protected from unauthorized modification.
V-240773 Medium tc Server VCAC log files must only be accessible by privileged users.
V-240772 Medium tc Server VCO log files must only be accessible by privileged users.
V-240771 Medium tc Server HORIZON log files must only be accessible by privileged users.
V-240770 Medium tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
V-240779 Medium tc Server VCAC log files must be protected from unauthorized deletion.
V-240778 Medium tc Server VCO log files must be protected from unauthorized deletion.
V-240781 Medium tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
V-240801 Medium tc Server VCAC must be configured to use a specified IP address and port.
V-240800 Medium tc Server VCO must be configured to use a specified IP address and port.
V-240803 Medium tc Server VCAC must encrypt passwords during transmission.
V-240802 Medium tc Server HORIZON must encrypt passwords during transmission.
V-240805 Medium tc Server ALL must only allow authenticated system administrators to have access to the keystore.
V-240804 Medium tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid.
V-240807 Medium tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-240806 Medium tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.