{
"stig": {
"date": "2018-10-11",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-88205": {
"checkid": "C-87897r1_chk",
"checktext": "Obtain the site configuration control policy from the ISSO.\n\nReview site procedures to determine if an enterprise management system is used to uniquely identify and authenticate users.\n\nIf an enterprise management solution is not used, this is a finding.",
"description": "To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (LDAP) in nature.\n\nTo ensure support to the enterprise, the authentication must utilize an enterprise solution.",
"fixid": "F-94947r1_fix",
"fixtext": "Configure vROps to use an enterprise user management system and document this in the site configuration control policy.",
"iacontrols": null,
"id": "V-88205",
"ruleID": "SV-98855r1_rule",
"severity": "medium",
"title": "The vRealize Operations server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).",
"version": "VROM-AP-000195"
},
"V-88207": {
"checkid": "C-87899r1_chk",
"checktext": "Verify that the session timeout is set to \"15\" minutes with the following steps:\n\n1. Log on to the admin UI as the administrator.\n2. Navigate to \"Global Settings\".\n3. Review the session timeout value in mins.\n\nIf the \"Session Timeout:\" setting is not \"15\" minutes, this is a finding.",
"description": "If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a logout event or after a certain period of inactivity is a method for mitigating the risk of this vulnerability. When a user management session becomes idle, or when a user logs out of the management interface, the application server must terminate the session.",
"fixid": "F-94949r1_fix",
"fixtext": "To edit the session timeout, use the following steps:\n\n1. Log on to the admin UI as the administrator.\n2. Navigate to \"Global Settings\".\n3. Select \"Edit Global Settings\".\n4. Set the \"Session Timeout:\" setting to \"15\" minutes.\n5. Select \"OK\".",
"iacontrols": null,
"id": "V-88207",
"ruleID": "SV-98857r1_rule",
"severity": "medium",
"title": "The vRealize Operations server session timeout must be configured.",
"version": "VROM-AP-000295"
},
"V-88209": {
"checkid": "C-87901r1_chk",
"checktext": "Obtain the site configuration control policy from the ISSO.\n\nReview site procedures to determine if a site policy exists to verify vROps installation after release into a production environment. The site policy should ensure that the installation was a complete application deployment before users are allowed to conduct business.\n\nIf a site policy does not exist or is not being followed, this is a finding.",
"description": "Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.\n\nWhen an application is deployed to the application server, if the deployment process does not complete properly and without errors, there is the potential that some application files may not be deployed or may be corrupted and an application error may occur during runtime.\n\nThe application server must be able to perform complete application deployments. A partial deployment can leave the server in an inconsistent state. Application servers may provide a transaction rollback function to address this issue.",
"fixid": "F-94951r1_fix",
"fixtext": "Develop a site configuration control policy to ensure deployments are completed before allowing users to use the production environment.",
"iacontrols": null,
"id": "V-88209",
"ruleID": "SV-98859r1_rule",
"severity": "medium",
"title": "The vRealize Operations server must be configured to perform complete application deployments.",
"version": "VROM-AP-000315"
},
"V-88211": {
"checkid": "C-87903r1_chk",
"checktext": "Verify that the vROps Single Sign-On (SSO) is configured with the correct authentication source only (DoD PKI CAC enabled vSphere SSO instance) by using the following steps:\n\n1. Log on to the admin UI as the administrator.\n2. In the menu, click Administration, and then in the left pane click Access >> Authentication Sources.\n3. Review the authentication sources and ensure that only the DoD PKI CAC enabled vSphere SSO instance is available as an authentication source.\n\nIf there is no authentication source, or multiple non-DoD PKI CAC enabled vSphere SSO instance authentication sources exist, this is a finding.",
"description": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI-established certificate authorities for verification.",
"fixid": "F-94953r1_fix",
"fixtext": "Configure vROps Single Sign-On (SSO) with the following steps:\n\n1. Log on to vRealize Operations Manager as an administrator.\n2. In the menu, click Administration, and then in the left pane click Access >> Authentication Sources.\n3. Click \"Add\".\n4. In the Add Source for User and Group Import dialog box, provide information for the single sign-on source.\n5. Click \"Test\" to test the source connection.\n6. Click \"OK\". The certificate details are displayed.\n7. Select the \"Accept this Certificate\" check box.\n8. Click \"OK\".\n9. In the \"Import User Groups\" dialog box, import user accounts from an SSO server on another machine.\n10. In the list of user groups displayed, select at least one user group.\n11. Click \"Next\".\n12. In the \"Roles and Objects\" pane, select a role from the \"Select Role\" drop-down menu.\n13. Select the \"Assign this role to the group\" check box.\n14. Select the \"objects\" users of the group can access when holding this role.\n\nTo assign permissions so that users can access all the objects in vRealize Operations Manager:\n\n1. Select the \"Allow access to all objects in the system\" check box.\n2. Click \"OK\".\n\nNote: For complete details review vROps 6.x and vSphere SSO product documentation.",
"iacontrols": null,
"id": "V-88211",
"ruleID": "SV-98861r1_rule",
"severity": "medium",
"title": "The vRealize Operations server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.",
"version": "VROM-AP-000540"
},
"V-88213": {
"checkid": "C-87905r1_chk",
"checktext": "Obtain the current vRealize Operations STIGs from the ISSO.\n\nVerify that this Security Technical Implementation Guide (STIG) is the most current STIG available for vRealize Operations.\n\nAssess all of the organization's vROps installations to ensure that they are fully compliant with the most current STIG.\n\nIf the most current version of the vROps STIG was not used, or if the vROps appliance configuration is not compliant with the most current STIG, this is a finding.",
"description": "Configuring the vRealize Operations appliance to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nThe vROps product is continually under refinement, and patches are regularly released to address vulnerabilities. As a result, the vROps STIG is also subject to a release cycle on a quarterly basis.\n\nAssessors should ensure that they are reviewing the vRealize Operations appliance with the most current STIG.",
"fixid": "F-94955r1_fix",
"fixtext": "Obtain the most current vRealize Operations STIG. Ensure that this vROps appliance is configured with all current requirements.",
"iacontrols": null,
"id": "V-88213",
"ruleID": "SV-98863r1_rule",
"severity": "medium",
"title": "The vRealize Operations appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
"version": "VROM-AP-000655"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-88205": "true",
"V-88207": "true",
"V-88209": "true",
"V-88211": "true",
"V-88213": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "vmware_vrealize_operations_manager_6.x_application",
"title": "VMware vRealize Operations Manager 6.x Application Security Technical Implementation Guide",
"version": "1"
}
}