
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide


Overview

Date: 2023-09-12
Finding Count (173): CAT I (High): 15, CAT II (Med): 158, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-258459 High The version of vRealize Operations Manager 6.x tc Server running on the system must be a supported version.
V-241663 High tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-241666 High tc Server UI web server application directories must not be accessible to anonymous user.
V-241667 High tc Server CaSa web server application directories must not be accessible to anonymous user.
V-241664 High tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-241665 High tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-241668 High tc Server API web server application directories must not be accessible to anonymous user.
V-241697 High tc Server ALL must be configured to the correct user authentication source.
V-241734 High tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-241735 High tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-241736 High tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-241637 High tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
V-241648 High tc Server UI must not have any symbolic links in the web content directory tree.
V-241649 High tc Server CaSa must not have any symbolic links in the web content directory tree.
V-241650 High tc Server API must not have any symbolic links in the web content directory tree.
V-241662 Medium tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-241578 Medium tc Server API must limit the amount of time that each TCP connection is kept alive.
V-241579 Medium tc Server UI must limit the number of times that each TCP connection is kept alive.
V-241701 Medium tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
V-241573 Medium tc Server UI must limit the number of maximum concurrent connections permitted.
V-241669 Medium tc Server ALL baseline must be documented and maintained.
V-241576 Medium tc Server UI must limit the amount of time that each TCP connection is kept alive.
V-241577 Medium tc Server CaSa must limit the amount of time that each TCP connection is kept alive.
V-241574 Medium tc Server CaSa must limit the number of maximum concurrent connections permitted.
V-241575 Medium tc Server API must limit the number of maximum concurrent connections permitted.
V-241600 Medium tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred.
V-241601 Medium tc Server API must produce log records containing sufficient information to establish what type of events occurred.
V-241602 Medium tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred.
V-241603 Medium tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred.
V-241604 Medium tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred.
V-241605 Medium tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred.
V-241606 Medium tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred.
V-241607 Medium tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred.
V-241608 Medium tc Server UI must produce log records containing sufficient information to establish the source of events.
V-241609 Medium tc Server CaSa must produce log records containing sufficient information to establish the source of events.
V-241688 Medium tc Server UI must have the allowTrace parameter set to false.
V-241689 Medium tc Server CaSa must have the allowTrace parameter set to false.
V-241680 Medium tc Server CaSa must set URIEncoding to UTF-8.
V-241681 Medium tc Server API must set URIEncoding to UTF-8.
V-241682 Medium tc Server UI must use the setCharacterEncodingFilter filter.
V-241683 Medium tc Server CaSa must use the setCharacterEncodingFilter filter.
V-241684 Medium tc Server API must use the setCharacterEncodingFilter filter.
V-241685 Medium tc Server UI must set the welcome-file node to a default web page.
V-241686 Medium tc Server CaSa must set the welcome-file node to a default web page.
V-241687 Medium tc Server API must set the welcome-file node to a default web page.
V-241675 Medium tc Server API document directory must be in a separate partition from the web servers system files.
V-241674 Medium tc Server CaSa document directory must be in a separate partition from the web servers system files.
V-241677 Medium tc Server CaSa must be configured with a cross-site scripting (XSS) filter.
V-241676 Medium tc Server UI must be configured with a cross-site scripting (XSS) filter.
V-241671 Medium tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-241670 Medium tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-241673 Medium tc Server UI document directory must be in a separate partition from the web servers system files.
V-241672 Medium tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-241679 Medium tc Server UI must set URIEncoding to UTF-8.
V-241678 Medium tc Server API must be configured with a cross-site scripting (XSS) filter.
V-241613 Medium tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-241612 Medium tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-241611 Medium tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-241610 Medium tc Server API must produce log records containing sufficient information to establish the source of events.
V-241617 Medium tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-241616 Medium tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-241615 Medium tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-241614 Medium tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-241619 Medium tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-241618 Medium tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-241699 Medium tc Server CaSa must be configured to use the https scheme.
V-241698 Medium tc Server UI must be configured to use the https scheme.
V-241693 Medium tc Server API must have the debug option turned off.
V-241692 Medium tc Server CaSa must have the debug option turned off.
V-241691 Medium tc Server UI must have the debug option turned off.
V-241690 Medium tc Server API must have the allowTrace parameter set to false.
V-241696 Medium tc Server API must set an inactive timeout for sessions.
V-241695 Medium tc Server CaSa must set an inactive timeout for sessions.
V-241694 Medium tc Server UI must set an inactive timeout for sessions.
V-241590 Medium tc Server API must use cryptography to protect the integrity of remote sessions.
V-241591 Medium tc Server UI must record user access in a format that enables monitoring of remote access.
V-241592 Medium tc Server CaSa must record user access in a format that enables monitoring of remote access.
V-241593 Medium tc Server API must record user access in a format that enables monitoring of remote access.
V-241594 Medium tc Server ALL must generate log records for system startup and shutdown.
V-241595 Medium tc Server UI must generate log records for user access and authentication events.
V-241596 Medium tc Server CaSa must generate log records for user access and authentication events.
V-241597 Medium tc Server API must generate log records for user access and authentication events.
V-241598 Medium tc Server ALL must initiate logging during service start-up.
V-241599 Medium tc Server UI must produce log records containing sufficient information to establish what type of events occurred.
V-241626 Medium tc Server API log files must be protected from unauthorized modification.
V-241627 Medium tc Server UI log files must be protected from unauthorized deletion.
V-241624 Medium tc Server UI log files must be protected from unauthorized modification.
V-241625 Medium tc Server CaSa log files must be protected from unauthorized modification.
V-241622 Medium tc Server CaSa log files must only be accessible by privileged users.
V-241623 Medium tc Server API log files must only be accessible by privileged users.
V-241620 Medium tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
V-241621 Medium tc Server UI log files must only be accessible by privileged users.
V-241628 Medium tc Server CaSa log files must be protected from unauthorized deletion.
V-241629 Medium tc Server API log files must be protected from unauthorized deletion.
V-241583 Medium tc Server CaSa must perform server-side session management.
V-241582 Medium tc Server UI must perform server-side session management.
V-241581 Medium tc Server API must limit the number of times that each TCP connection is kept alive.
V-241580 Medium tc Server CaSa must limit the number of times that each TCP connection is kept alive.
V-241587 Medium tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-241586 Medium tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-241585 Medium tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-241584 Medium tc Server API must perform server-side session management.
V-241589 Medium tc Server CaSa must use cryptography to protect the integrity of remote sessions.
V-241588 Medium tc Server UI must use cryptography to protect the integrity of remote sessions.
V-241730 Medium tc Server API must set the useHttpOnly parameter.
V-241731 Medium tc Server UI must set the secure flag for cookies.
V-241732 Medium tc Server CaSa must set the secure flag for cookies.
V-241733 Medium tc Server API must set the secure flag for cookies.
V-241737 Medium tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-241738 Medium tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-241739 Medium tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-241709 Medium tc Server API must record time stamps for log records to a minimum granularity of one second.
V-241708 Medium tc Server CaSa must record time stamps for log records to a minimum granularity of one second.
V-241660 Medium tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-241744 Medium tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-241661 Medium tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-241741 Medium tc Server CaSa must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-241740 Medium tc Server UI must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-241743 Medium tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
V-241742 Medium tc Server API must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-241723 Medium tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-241722 Medium tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-241721 Medium tc Server API must disable the shutdown port.
V-241720 Medium tc Server CaSa must disable the shutdown port.
V-241727 Medium tc Server API session IDs must be sent to the client using SSL/TLS.
V-241726 Medium tc Server CaSa session IDs must be sent to the client using SSL/TLS.
V-241725 Medium tc Server UI session IDs must be sent to the client using SSL/TLS.
V-241724 Medium tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-241729 Medium tc Server CaSa must set the useHttpOnly parameter.
V-241728 Medium tc Server UI must set the useHttpOnly parameter.
V-241700 Medium tc Server API must be configured to use the https scheme.
V-241703 Medium tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
V-241702 Medium tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
V-241705 Medium tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-241704 Medium tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-241639 Medium tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-241638 Medium tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
V-241707 Medium tc Server UI must record time stamps for log records to a minimum granularity of one second.
V-241631 Medium tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
V-241630 Medium tc Server ALL log data and records must be backed up onto a different system or media.
V-241633 Medium tc Server UI must not use the tomcat-users XML database for user management.
V-241632 Medium tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
V-241635 Medium tc Server API must not use the tomcat-users XML database for user management.
V-241634 Medium tc Server CaSa must not use the tomcat-users XML database for user management.
V-241636 Medium tc Server ALL must only contain services and functions necessary for operation.
V-241716 Medium tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-241717 Medium tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-241714 Medium tc Server CaSa must be configured with the appropriate ports.
V-241715 Medium tc Server API must be configured with the appropriate ports.
V-241712 Medium tc Server API application, libraries, and configuration files must only be accessible to privileged users.
V-241713 Medium tc Server UI must be configured with the appropriate ports.
V-241710 Medium tc Server UI application, libraries, and configuration files must only be accessible to privileged users.
V-241711 Medium tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users.
V-241718 Medium tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-241719 Medium tc Server UI must disable the shutdown port.
V-241644 Medium tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-241645 Medium tc Server UI must be configured with memory leak protection.
V-241646 Medium tc Server CaSa must be configured with memory leak protection.
V-241647 Medium tc Server API must be configured with memory leak protection.
V-241640 Medium tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
V-241641 Medium tc Server UI must have mappings set for Java Servlet Pages.
V-241642 Medium tc Server CaSa must have mappings set for Java Servlet Pages.
V-241643 Medium tc Server API must have mappings set for Java Servlet Pages.
V-241706 Medium tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-241659 Medium tc Server ALL must only allow authenticated system administrators to have access to the truststore.
V-241658 Medium tc Server ALL must only allow authenticated system administrators to have access to the keystore.
V-241657 Medium tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable.
V-241656 Medium tc Server API must encrypt passwords during transmission.
V-241655 Medium tc Server CaSa must encrypt passwords during transmission.
V-241654 Medium tc Server UI must encrypt passwords during transmission.
V-241653 Medium tc Server API must be configured to use a specified IP address and port.
V-241652 Medium tc Server CaSa must be configured to use a specified IP address and port.
V-241651 Medium tc Server UI must be configured to use a specified IP address and port.