VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide


Overview

Date: 2021-07-01
Finding Count (211): CAT I (High): 5, CAT II (Med): 198, CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-239611 High The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-239612 High The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
V-239613 High The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-239552 High The SLES for vRealize must prevent direct logon into the root account.
V-239496 High The SLES for vRealize must store only encrypted representations of passwords.
V-239517 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-239516 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-239515 Medium The yast2-tftp-server package must not be installed.
V-239514 Medium The ypserv package must not be installed.
V-239513 Medium The rsh-server package must not be installed.
V-239512 Medium The telnet-server package must not be installed.
V-239458 Medium The SLES for vRealize must protect audit information from unauthorized modification.
V-239459 Medium The SLES for vRealize must protect audit information from unauthorized deletion.
V-239456 Medium The SLES for vRealize must protect audit information from unauthorized read access - ownership.
V-239457 Medium The SLES for vRealize must protect audit information from unauthorized read access - group ownership.
V-239454 Medium The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-239455 Medium The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
V-239452 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
V-239453 Medium The SLES for vRealize must produce audit records.
V-239450 Medium The SLES for vRealize must monitor remote access methods - SSH Daemon.
V-239451 Medium The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon.
V-239558 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-239511 Medium The SLES for vRealize must have USB disabled unless needed.
V-239584 Medium The SLES for vRealize must protect audit tools from unauthorized deletion.
V-239585 Medium The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
V-239510 Medium The SLES for vRealize must have USB Mass Storage disabled unless needed.
V-239580 Medium The SLES for vRealize must initiate session audits at system start-up.
V-239581 Medium The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
V-239582 Medium The SLES for vRealize must protect audit tools from unauthorized access.
V-239583 Medium The SLES for vRealize must protect audit tools from unauthorized modification.
V-239441 Medium The SLES for vRealize must provide automated mechanisms for supporting account management functions.
V-239443 Medium The SLES for vRealize must audit all account creations.
V-239442 Medium The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
V-239445 Medium The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-239444 Medium In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications, any unexpected users, groups, or modifications must be investigated for legitimacy.
V-239446 Medium The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
V-239449 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
V-239448 Medium The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
V-239519 Medium The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
V-239518 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-239618 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
V-239619 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-239599 Medium The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-239598 Medium The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-239617 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-239610 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-239614 Medium The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
V-239615 Medium The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
V-239616 Medium The SLES for vRealize must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-239594 Medium The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
V-239593 Medium The SLES for vRealize must audit all account enabling actions.
V-239469 Medium The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setparam.
V-239592 Medium The SLES for vRealize must control remote access methods.
V-239468 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.
V-239591 Medium The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
V-239590 Medium The SLES for vRealize must use cryptographic mechanisms to protect the integrity of audit tools.
V-239466 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-239609 Medium The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-239608 Medium The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
V-239607 Medium The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239606 Medium The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
V-239605 Medium The SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-239604 Medium The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-239603 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-239602 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
V-239601 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-239600 Medium The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-239528 Medium The alias files must be group-owned by root, or a system group.
V-239529 Medium The alias files must have mode 0644 or less permissive.
V-239522 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-239523 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-239520 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-239521 Medium The ypbind service must not be running if no network services utilizing it are enabled.
V-239526 Medium Mail relaying must be restricted.
V-239527 Medium The alias files must be owned by root.
V-239524 Medium The SLES for vRealize must not use UDP for NIS/NIS+.
V-239525 Medium NIS maps must be protected through hard-to-guess domain names.
V-239548 Medium The SLES for vRealize must not have Teredo enabled.
V-239549 Medium The DHCP client must be disabled if not needed.
V-239540 Medium The SMTP service must not have the EXPN feature active.
V-239541 Medium The SMTP service must not have the VRFY feature active.
V-239542 Medium The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
V-239543 Medium The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
V-239544 Medium The AppleTalk protocol must be disabled or not installed.
V-239545 Medium The DECnet protocol must be disabled or not installed.
V-239546 Medium Proxy Neighbor Discovery Protocol (NDP) must not be enabled on SLES for vRealize.
V-239547 Medium The SLES for vRealize must not have 6to4 enabled.
V-239632 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-239633 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-239630 Medium The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
V-239631 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-239636 Medium The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
V-239637 Medium The SLES for vRealize audit system must be configured to audit file deletions.
V-239634 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-239635 Medium The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
V-239638 Medium Audit logs must be rotated daily.
V-239639 Medium The SLES for vRealize must generate audit records for all direct access to the information system.
V-239539 Medium The SMTP service must not use .forward files.
V-239538 Medium The SMTP services SMTP greeting must not provide version information.
V-239535 Medium The SMTP service log files must be owned by root.
V-239534 Medium The system syslog service must log informational and more severe SMTP service messages.
V-239537 Medium The SMTP service HELP command must not be enabled.
V-239536 Medium The SMTP service log file must have mode 0644 or less permissive.
V-239531 Medium Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
V-239530 Medium Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-239533 Medium Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-239532 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-239478 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
V-239559 Medium The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
V-239479 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
V-239553 Medium The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
V-239551 Medium Duplicate User IDs (UIDs) must not exist for users within the organization.
V-239550 Medium The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
V-239557 Medium The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-239556 Medium The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-239555 Medium The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
V-239554 Medium The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
V-239467 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.
V-239625 Medium The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
V-239624 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-239627 Medium The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-239626 Medium The SLES for vRealize must generate audit records for privileged activities or other system-level access.
V-239621 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-239620 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-239623 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security levels occur.
V-239622 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-239629 Medium The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
V-239628 Medium The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
V-239470 Medium The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setscheduler.
V-239471 Medium The SLES for vRealize must be configured to audit all attempts to alter /var/log/faillog.
V-239568 Medium The /var/log/messages file must be group-owned by root.
V-239569 Medium The /var/log/messages file must be owned by root.
V-239566 Medium The /var/log directory must be owned by root.
V-239567 Medium The /var/log directory must have mode 0750 or less permissive.
V-239564 Medium The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-239565 Medium The /var/log directory must be group-owned by root.
V-239562 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-239563 Medium The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-239560 Medium The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-239561 Medium The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-239492 Medium Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.
V-239493 Medium The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
V-239490 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
V-239491 Medium The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
V-239497 Medium SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
V-239494 Medium The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
V-239495 Medium The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
V-239498 Medium Users must not be able to change passwords more than once every 24 hours.
V-239499 Medium SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
V-239650 Medium The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-239651 Medium The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-239571 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-239570 Medium The /var/log/messages file must have mode 0640 or less permissive.
V-239573 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-239572 Medium The SLES for vRealize must reveal error messages only to authorized users.
V-239575 Medium The SLES for vRealize must audit all account modifications.
V-239574 Medium Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-239577 Medium The SLES for vRealize must audit all account-disabling actions.
V-239576 Medium The SLES for vRealize must audit all account modifications.
V-239579 Medium The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
V-239578 Medium The SLES for vRealize must audit all account removal actions.
V-239472 Medium The SLES for vRealize must be configured to audit all attempts to alter /var/log/lastlog.
V-239473 Medium The SLES for vRealize must be configured to audit all attempts to alter /var/log/tallylog.
V-239474 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
V-239475 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
V-239476 Medium The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group ownership.
V-239477 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The operating system must generate audit records for all discretionary access control permission modifications using chmod.
V-239485 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
V-239484 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
V-239487 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
V-239486 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
V-239481 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
V-239480 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
V-239483 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
V-239482 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
V-239489 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
V-239488 Medium The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
V-239643 Medium The SLES for vRealize must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.
V-239642 Medium The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-239641 Medium The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-239640 Medium The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
V-239647 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-239646 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-239645 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-239644 Medium The SLES for vRealize must prevent the use of dictionary words for passwords.
V-239649 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-239648 Medium The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-239504 Medium The SLES for vRealize must require root password authentication upon booting into single-user mode.
V-239505 Medium Bootloader authentication must be enabled to prevent users without privilege to gain access restricted file system resources.
V-239506 Medium The SLES for the vRealize boot loader configuration file(s) must have mode 0600 or less permissive.
V-239507 Medium The SLES for the vRealize boot loader configuration files must be owned by root.
V-239500 Medium User passwords must be changed at least every 60 days.
V-239501 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations.
V-239502 Medium The SLES for vRealize must prohibit password reuse for a minimum of five generations. Ensure the old passwords are being stored.
V-239503 Medium The SLES for vRealize must enforce a minimum 15-character password length.
V-239463 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.
V-239462 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.
V-239461 Medium The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions.
V-239460 Medium The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
V-239508 Medium The SLES for the vRealize boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-239509 Medium The Bluetooth protocol handler must be disabled or not installed.
V-239465 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.
V-239464 Medium The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.
V-239588 Low The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are disabled.
V-239586 Low The SLES for vRealize must notify System Administrators and Information Systems Security Officer when accounts are created.
V-239447 Low The SLES for vRealize must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-239597 Low The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.
V-239596 Low The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-239595 Low The SLES for vRealize must audit the execution of privileged functions.
V-239589 Low The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are removed.
V-239587 Low The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are modified.