
VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide


Overview

Date: 2018-10-11
Finding Count (211): CAT I (High): 5, CAT II (Med): 198, CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-88575 High The SLES for vRealize must prevent direct logon into the root account.
V-88463 High The SLES for vRealize must store only encrypted representations of passwords.
V-88697 High The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-88695 High The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
V-88693 High The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-88487 Medium The SLES for the vRealize boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-88485 Medium The SLES for the vRealize boot loader configuration files must be owned by root.
V-88483 Medium The SLES for the vRealize boot loader configuration file(s) must have mode 0600 or less permissive.
V-88481 Medium Bootloader authentication must be enabled to prevent users without privilege from gaining access to restricted file system resources.
V-88489 Medium The Bluetooth protocol handler must be disabled or not installed.
V-88565 Medium The SLES for vRealize must not have 6to4 enabled.
V-88379 Medium The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-88567 Medium The SLES for vRealize must not have Teredo enabled.
V-88561 Medium The DECnet protocol must be disabled or not installed.
V-88563 Medium Proxy Neighbor Discovery Protocol (NDP) must not be enabled on SLES for vRealize.
V-88371 Medium The SLES for vRealize must monitor remote access methods - SSH Daemon.
V-88373 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon.
V-88569 Medium The DHCP client must be disabled if not needed.
V-88375 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
V-88377 Medium The SLES for vRealize must produce audit records.
V-88767 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-88765 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-88763 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-88761 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-88409 Medium The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setparam.
V-88407 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.
V-88405 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.
V-88403 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-88769 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-88401 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.
V-88679 Medium The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-88675 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
V-88677 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-88671 Medium The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-88673 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-88533 Medium Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
V-88573 Medium Duplicate User IDs (UIDs) must not exist for users within the organization.
V-88571 Medium The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
V-88577 Medium The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
V-88579 Medium The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
V-88493 Medium The SLES for vRealize must have USB disabled unless needed.
V-88479 Medium The SLES for vRealize must require root password authentication upon booting into single-user mode.
V-88771 Medium The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-88773 Medium The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-88473 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations.
V-88471 Medium User passwords must be changed at least every 60 days.
V-88491 Medium The SLES for vRealize must have USB Mass Storage disabled unless needed.
V-88477 Medium The SLES for vRealize must enforce a minimum 15-character password length.
V-88475 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations. Ensure the old passwords are being stored.
V-88537 Medium Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-88447 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
V-88353 Medium The SLES for vRealize must provide automated mechanisms for supporting account management functions.
V-88669 Medium The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-88357 Medium The SLES for vRealize must audit all account creations.
V-88355 Medium The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
V-88359 Medium In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications; any unexpected users, groups, or modifications must be investigated for legitimacy.
V-88667 Medium The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-88641 Medium The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
V-88589 Medium The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
V-88587 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-88585 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-88531 Medium Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-88583 Medium The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-88581 Medium The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
V-88507 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-88469 Medium SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
V-88505 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-88449 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
V-88503 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-88501 Medium The yast2-tftp-server package must not be installed.
V-88749 Medium The SLES for vRealize must generate audit records for all direct access to the information system.
V-88461 Medium The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
V-88465 Medium SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
V-88509 Medium The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
V-88467 Medium Users must not be able to change passwords more than once every 24 hours.
V-88495 Medium The telnet-server package must not be installed.
V-88523 Medium Mail relaying must be restricted.
V-88455 Medium Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.
V-88457 Medium The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
V-88451 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
V-88599 Medium The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-88453 Medium The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
V-88617 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-88595 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-88615 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-88597 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-88459 Medium The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
V-88591 Medium The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-88611 Medium The /var/log/messages file must have mode 0640 or less permissive.
V-88593 Medium The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-88515 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-88517 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-88511 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-88691 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-88759 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-88757 Medium The SLES for vRealize must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.
V-88755 Medium The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-88753 Medium The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-88699 Medium The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
V-88751 Medium The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
V-88529 Medium The alias files must have mode 0644 or less permissive.
V-88619 Medium Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-88443 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
V-88441 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
V-88609 Medium The /var/log/messages file must be owned by root.
V-88445 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
V-88605 Medium The /var/log directory must have mode 0750 or less permissive.
V-88607 Medium The /var/log/messages file must be group-owned by root.
V-88601 Medium The /var/log directory must be group-owned by root.
V-88603 Medium The /var/log directory must be owned by root.
V-88521 Medium NIS maps must be protected through hard-to-guess domain names.
V-88685 Medium The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-88729 Medium The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
V-88687 Medium The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
V-88525 Medium The alias files must be owned by root.
V-88681 Medium The SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-88527 Medium The alias files must be group-owned by root, or a system group.
V-88683 Medium The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
V-88723 Medium The SLES for vRealize must generate audit records for privileged activities or other system-level access.
V-88613 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-88721 Medium The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
V-88727 Medium The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
V-88689 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-88725 Medium The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-88497 Medium The rsh-server package must not be installed.
V-88389 Medium The SLES for vRealize must protect audit information from unauthorized deletion.
V-88383 Medium The SLES for vRealize must protect audit information from unauthorized read access - ownership.
V-88385 Medium The SLES for vRealize must protect audit information from unauthorized read access - group ownership.
V-88387 Medium The SLES for vRealize must protect audit information from unauthorized modification.
V-88639 Medium The SLES for vRealize must protect audit tools from unauthorized deletion.
V-88631 Medium The SLES for vRealize must initiate session audits at system start-up.
V-88633 Medium The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
V-88629 Medium The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
V-88635 Medium The SLES for vRealize must protect audit tools from unauthorized access.
V-88637 Medium The SLES for vRealize must protect audit tools from unauthorized modification.
V-88437 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
V-88739 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-88435 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
V-88433 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
V-88431 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
V-88539 Medium The system syslog service must log informational and more severe SMTP service messages.
V-88731 Medium The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
V-88513 Medium The ypbind service must not be running if no network services utilizing it are enabled.
V-88735 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-88439 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
V-88737 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-88535 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-88627 Medium The SLES for vRealize must audit all account removal actions.
V-88625 Medium The SLES for vRealize must audit all account-disabling actions.
V-88623 Medium The SLES for vRealize must audit all account modifications.
V-88621 Medium The SLES for vRealize must audit all account modifications.
V-88519 Medium The SLES for vRealize must not use UDP for NIS/NIS+.
V-88705 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-88707 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
V-88701 Medium The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
V-88703 Medium The SLES for vRealize must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-88709 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-88425 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The operating system must generate audit records for all discretionary access control permission modifications using chmod.
V-88549 Medium The SMTP service must not use .forward files.
V-88427 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
V-88421 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
V-88423 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group ownership.
V-88543 Medium The SMTP service log file must have mode 0644 or less permissive.
V-88541 Medium The SMTP service log files must be owned by root.
V-88547 Medium The SMTP service's SMTP greeting must not provide version information.
V-88429 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
V-88545 Medium The SMTP service HELP command must not be enabled.
V-88381 Medium The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
V-88733 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-88653 Medium The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
V-88741 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-88651 Medium The SLES for vRealize must use cryptographic mechanisms to protect the integrity of audit tools.
V-88657 Medium The SLES for vRealize must audit all account enabling actions.
V-88655 Medium The SLES for vRealize must control remote access methods.
V-88659 Medium The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
V-88743 Medium The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
V-88499 Medium The ypserv package must not be installed.
V-88713 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-88369 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
V-88711 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-88717 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security levels occur.
V-88715 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-88363 Medium The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
V-88745 Medium The SLES for vRealize audit system must be configured to audit file deletions.
V-88361 Medium The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-88719 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-88367 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
V-88411 Medium The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setscheduler.
V-88559 Medium The AppleTalk protocol must be disabled or not installed.
V-88413 Medium The SLES for vRealize must be configured to audit all attempts to alter /var/log/faillog.
V-88415 Medium The SLES for vRealize must be configured to audit all attempts to alter /var/log/lastlog.
V-88747 Medium Audit logs must be rotated daily.
V-88417 Medium The SLES for vRealize must be configured to audit all attempts to alter /var/log/tallylog.
V-88419 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
V-88551 Medium The SMTP service must not have the EXPN feature active.
V-88553 Medium The SMTP service must not have the VRFY feature active.
V-88555 Medium The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
V-88557 Medium The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
V-88397 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.
V-88395 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.
V-88393 Medium The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions.
V-88391 Medium The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
V-88399 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.
V-88649 Low The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are removed.
V-88643 Low The SLES for vRealize must notify System Administrators and Information Systems Security Officer when accounts are created.
V-88663 Low The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-88665 Low The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.
V-88645 Low The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are modified.
V-88661 Low The SLES for vRealize must audit the execution of privileged functions.
V-88647 Low The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are disabled.
V-88365 Low The SLES for vRealize must limit the number of concurrent sessions to ten for all accounts and/or account types.