acceptedVMware vRealize Operations Manager 6.x Application Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 28 Sep 20181I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000148-AS-000101<GroupDescription></GroupDescription>VROM-AP-000195The vRealize Operations server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).<VulnDiscussion>To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (LDAP) in nature.
To ensure support to the enterprise, the authentication must utilize an enterprise solution.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target vRealize Operations Manager 6.x ApplicationDISADPMS TargetvRealize Operations Manager 6.x Application3453CCI-000764Configure vROps to use an enterprise user management system and document this in the site configuration control policy.Obtain the site configuration control policy from the ISSO.
Review site procedures to determine if an enterprise management system is used to uniquely identify and authenticate users.
If an enterprise management solution is not used, this is a finding.SRG-APP-000220-AS-000148<GroupDescription></GroupDescription>VROM-AP-000295The vRealize Operations server session timeout must be configured.<VulnDiscussion>If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a logout event or after a certain period of inactivity is a method for mitigating the risk of this vulnerability. When a user management session becomes idle, or when a user logs out of the management interface, the application server must terminate the session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target vRealize Operations Manager 6.x ApplicationDISADPMS TargetvRealize Operations Manager 6.x Application3453CCI-001185To edit the session timeout, use the following steps:
1. Log on to the admin UI as the administrator.
2. Navigate to "Global Settings".
3. Select "Edit Global Settings".
4. Set the "Session Timeout:" setting to "15" minutes.
5. Select "OK".Verify that the session timeout is set to "15" minutes with the following steps:
1. Log on to the admin UI as the administrator.
2. Navigate to "Global Settings".
3. Review the session timeout value in mins.
If the "Session Timeout:" setting is not "15" minutes, this is a finding.SRG-APP-000225-AS-000153<GroupDescription></GroupDescription>VROM-AP-000315The vRealize Operations server must be configured to perform complete application deployments.<VulnDiscussion>Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.
When an application is deployed to the application server, if the deployment process does not complete properly and without errors, there is the potential that some application files may not be deployed or may be corrupted and an application error may occur during runtime.
The application server must be able to perform complete application deployments. A partial deployment can leave the server in an inconsistent state. Application servers may provide a transaction rollback function to address this issue.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target vRealize Operations Manager 6.x ApplicationDISADPMS TargetvRealize Operations Manager 6.x Application3453CCI-001190Develop a site configuration control policy to ensure deployments are completed before allowing users to use the production environment.Obtain the site configuration control policy from the ISSO.
Review site procedures to determine if a site policy exists to verify vROps installation after release into a production environment. The site policy should ensure that the installation was a complete application deployment before users are allowed to conduct business.
If a site policy does not exist or is not being followed, this is a finding.SRG-APP-000427-AS-000264<GroupDescription></GroupDescription>VROM-AP-000540The vRealize Operations server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI-established certificate authorities for verification.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target vRealize Operations Manager 6.x ApplicationDISADPMS TargetvRealize Operations Manager 6.x Application3453CCI-002470Configure vROps Single Sign-On (SSO) with the following steps:
1. Log on to vRealize Operations Manager as an administrator.
2. In the menu, click Administration, and then in the left pane click Access >> Authentication Sources.
3. Click "Add".
4. In the Add Source for User and Group Import dialog box, provide information for the single sign-on source.
5. Click "Test" to test the source connection.
6. Click "OK". The certificate details are displayed.
7. Select the "Accept this Certificate" check box.
8. Click "OK".
9. In the "Import User Groups" dialog box, import user accounts from an SSO server on another machine.
10. In the list of user groups displayed, select at least one user group.
11. Click "Next".
12. In the "Roles and Objects" pane, select a role from the "Select Role" drop-down menu.
13. Select the "Assign this role to the group" check box.
14. Select the "objects" users of the group can access when holding this role.
To assign permissions so that users can access all the objects in vRealize Operations Manager:
1. Select the "Allow access to all objects in the system" check box.
2. Click "OK".
Note: For complete details review vROps 6.x and vSphere SSO product documentation.Verify that the vROps Single Sign-On (SSO) is configured with the correct authentication source only (DoD PKI CAC enabled vSphere SSO instance) by using the following steps:
1. Log on to the admin UI as the administrator.
2. In the menu, click Administration, and then in the left pane click Access >> Authentication Sources.
3. Review the authentication sources and ensure that only the DoD PKI CAC enabled vSphere SSO instance is available as an authentication source.
If there is no authentication source, or multiple non-DoD PKI CAC enabled vSphere SSO instance authentication sources exist, this is a finding.SRG-APP-000516-AS-000237<GroupDescription></GroupDescription>VROM-AP-000655The vRealize Operations appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.<VulnDiscussion>Configuring the vRealize Operations appliance to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
The vROps product is continually under refinement, and patches are regularly released to address vulnerabilities. As a result, the vROps STIG is also subject to a release cycle on a quarterly basis.
Assessors should ensure that they are reviewing the vRealize Operations appliance with the most current STIG.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target vRealize Operations Manager 6.x ApplicationDISADPMS TargetvRealize Operations Manager 6.x Application3453CCI-000366Obtain the most current vRealize Operations STIG. Ensure that this vROps appliance is configured with all current requirements.Obtain the current vRealize Operations STIGs from the ISSO.
Verify that this Security Technical Implementation Guide (STIG) is the most current STIG available for vRealize Operations.
Assess all of the organization's vROps installations to ensure that they are fully compliant with the most current STIG.
If the most current version of the vROps STIG was not used, or if the vROps appliance configuration is not compliant with the most current STIG, this is a finding.