VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide


Overview

Date: 2018-10-12
Finding Count: 175 (CAT I (High): 14, CAT II (Med): 161, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Sensitive)

Finding ID | Severity | Title
V-88909 | High | tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
V-89105 | High | tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-89107 | High | tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-89103 | High | tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
V-89029 | High | tc Server ALL must be configured to the correct user authentication source.
V-88933 | High | tc Server CaSa must not have any symbolic links in the web content directory tree.
V-88931 | High | tc Server UI must not have any symbolic links in the web content directory tree.
V-88935 | High | tc Server API must not have any symbolic links in the web content directory tree.
V-88961 | High | tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-88963 | High | tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-88965 | High | tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
V-88967 | High | tc Server UI web server application directories must not be accessible to anonymous users.
V-88969 | High | tc Server CaSa web server application directories must not be accessible to anonymous users.
V-88971 | High | tc Server API web server application directories must not be accessible to anonymous users.
V-88865 | Medium | tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-88867 | Medium | tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-88861 | Medium | tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-88863 | Medium | tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-88903 | Medium | tc Server CaSa must not use the tomcat-users XML database for user management.
V-88901 | Medium | tc Server UI must not use the tomcat-users XML database for user management.
V-88907 | Medium | tc Server ALL must only contain services and functions necessary for operation.
V-88869 | Medium | tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-88905 | Medium | tc Server API must not use the tomcat-users XML database for user management.
V-89075 | Medium | tc Server CaSa must disable the shutdown port.
V-89077 | Medium | tc Server API must disable the shutdown port.
V-89071 | Medium | tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-88795 | Medium | tc Server CaSa must perform server-side session management.
V-89073 | Medium | tc Server UI must disable the shutdown port.
V-89079 | Medium | tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-88851 | Medium | tc Server UI must produce log records containing sufficient information to establish the source of events.
V-88919 | Medium | tc Server CaSa must have mappings set for Java Servlet Pages.
V-88853 | Medium | tc Server CaSa must produce log records containing sufficient information to establish the source of events.
V-88855 | Medium | tc Server API must produce log records containing sufficient information to establish the source of events.
V-88857 | Medium | tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-88859 | Medium | tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-88911 | Medium | tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
V-88913 | Medium | tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-88915 | Medium | tc Server ALL must have all mappings to unused and vulnerable scripts removed.
V-88917 | Medium | tc Server UI must have mappings set for Java Servlet Pages.
V-89045 | Medium | tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-89041 | Medium | tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
V-88775 | Medium | tc Server UI must limit the number of maximum concurrent connections permitted.
V-89043 | Medium | tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-88777 | Medium | tc Server CaSa must limit the number of maximum concurrent connections permitted.
V-88987 | Medium | tc Server UI must be configured with a cross-site scripting (XSS) filter.
V-89047 | Medium | tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-88985 | Medium | tc Server API document directory must be in a separate partition from the web server's system files.
V-89049 | Medium | tc Server UI must record time stamps for log records to a minimum granularity of one second.
V-88989 | Medium | tc Server CaSa must be configured with a cross-site scripting (XSS) filter.
V-88779 | Medium | tc Server API must limit the number of maximum concurrent connections permitted.
V-88849 | Medium | tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred.
V-88847 | Medium | tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred.
V-88845 | Medium | tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred.
V-88843 | Medium | tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred.
V-88841 | Medium | tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred.
V-89119 | Medium | tc Server API must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-89117 | Medium | tc Server CaSa must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-89115 | Medium | tc Server UI must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
V-89113 | Medium | tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-89111 | Medium | tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-88991 | Medium | tc Server API must be configured with a cross-site scripting (XSS) filter.
V-88993 | Medium | tc Server UI must set URIEncoding to UTF-8.
V-88995 | Medium | tc Server CaSa must set URIEncoding to UTF-8.
V-89059 | Medium | tc Server API application, libraries, and configuration files must only be accessible to privileged users.
V-88999 | Medium | tc Server UI must use the setCharacterEncodingFilter filter.
V-89055 | Medium | tc Server UI application, libraries, and configuration files must only be accessible to privileged users.
V-89053 | Medium | tc Server API must record time stamps for log records to a minimum granularity of one second.
V-89051 | Medium | tc Server CaSa must record time stamps for log records to a minimum granularity of one second.
V-88793 | Medium | tc Server UI must perform server-side session management.
V-88839 | Medium | tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred.
V-88791 | Medium | tc Server API must limit the number of times that each TCP connection is kept alive.
V-88833 | Medium | tc Server UI must produce log records containing sufficient information to establish what type of events occurred.
V-88831 | Medium | tc Server API must capture, record, and log all content related to a user session.
V-88837 | Medium | tc Server API must produce log records containing sufficient information to establish what type of events occurred.
V-88835 | Medium | tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred.
V-88797 | Medium | tc Server API must perform server-side session management.
V-88983 | Medium | tc Server CaSa document directory must be in a separate partition from the web server's system files.
V-89109 | Medium | tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-89101 | Medium | tc Server API must set the secure flag for cookies.
V-89023 | Medium | tc Server UI must set an inactive timeout for sessions.
V-89021 | Medium | tc Server API must have the debug option turned off.
V-89027 | Medium | tc Server API must set an inactive timeout for sessions.
V-89025 | Medium | tc Server CaSa must set an inactive timeout for sessions.
V-88925 | Medium | tc Server UI must be configured with memory leak protection.
V-88927 | Medium | tc Server CaSa must be configured with memory leak protection.
V-88921 | Medium | tc Server API must have mappings set for Java Servlet Pages.
V-88923 | Medium | tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-88929 | Medium | tc Server API must be configured with memory leak protection.
V-88881 | Medium | tc Server API log files must only be accessible by privileged users.
V-88947 | Medium | tc Server API must encrypt passwords during transmission.
V-88829 | Medium | tc Server CaSa must capture, record, and log all content related to a user session.
V-88945 | Medium | tc Server CaSa must encrypt passwords during transmission.
V-88943 | Medium | tc Server UI must encrypt passwords during transmission.
V-88941 | Medium | tc Server API must be configured to use a specified IP address and port.
V-88821 | Medium | tc Server CaSa must generate log records for user access and authentication events.
V-88823 | Medium | tc Server API must generate log records for user access and authentication events.
V-88825 | Medium | tc Server ALL must initiate logging during service start-up.
V-88949 | Medium | tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable.
V-88827 | Medium | tc Server UI must capture, record, and log all content related to a user session.
V-88789 | Medium | tc Server CaSa must limit the number of times that each TCP connection is kept alive.
V-88875 | Medium | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
V-89039 | Medium | tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
V-89031 | Medium | tc Server UI must be configured to use the https scheme.
V-89033 | Medium | tc Server CaSa must be configured to use the https scheme.
V-89035 | Medium | tc Server API must be configured to use the https scheme.
V-88981 | Medium | tc Server UI document directory must be in a separate partition from the web server's system files.
V-89037 | Medium | tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
V-88937 | Medium | tc Server UI must be configured to use a specified IP address and port.
V-88939 | Medium | tc Server CaSa must be configured to use a specified IP address and port.
V-88955 | Medium | tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-88957 | Medium | tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-89089 | Medium | tc Server API session IDs must be sent to the client using SSL/TLS.
V-88951 | Medium | tc Server ALL must only allow authenticated system administrators to have access to the keystore.
V-88953 | Medium | tc Server ALL must only allow authenticated system administrators to have access to the truststore.
V-89085 | Medium | tc Server UI session IDs must be sent to the client using SSL/TLS.
V-89087 | Medium | tc Server CaSa session IDs must be sent to the client using SSL/TLS.
V-89081 | Medium | tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-88959 | Medium | tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
V-89083 | Medium | tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
V-89005 | Medium | tc Server UI must set the welcome-file node to a default web page.
V-89007 | Medium | tc Server CaSa must set the welcome-file node to a default web page.
V-89001 | Medium | tc Server CaSa must use the setCharacterEncodingFilter filter.
V-89003 | Medium | tc Server API must use the setCharacterEncodingFilter filter.
V-89009 | Medium | tc Server API must set the welcome-file node to a default web page.
V-89099 | Medium | tc Server CaSa must set the secure flag for cookies.
V-88785 | Medium | tc Server API must limit the amount of time that each TCP connection is kept alive.
V-89093 | Medium | tc Server CaSa must set the useHttpOnly parameter.
V-88787 | Medium | tc Server UI must limit the number of times that each TCP connection is kept alive.
V-89091 | Medium | tc Server UI must set the useHttpOnly parameter.
V-88781 | Medium | tc Server UI must limit the amount of time that each TCP connection is kept alive.
V-89097 | Medium | tc Server UI must set the secure flag for cookies.
V-88783 | Medium | tc Server CaSa must limit the amount of time that each TCP connection is kept alive.
V-89095 | Medium | tc Server API must set the useHttpOnly parameter.
V-89013 | Medium | tc Server CaSa must have the allowTrace parameter set to false.
V-89011 | Medium | tc Server UI must have the allowTrace parameter set to false.
V-89017 | Medium | tc Server UI must have the debug option turned off.
V-89015 | Medium | tc Server API must have the allowTrace parameter set to false.
V-89019 | Medium | tc Server CaSa must have the debug option turned off.
V-89123 | Medium | tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-88899 | Medium | tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
V-88895 | Medium | tc Server ALL log data and records must be backed up onto a different system or media.
V-88897 | Medium | tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
V-89121 | Medium | tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
V-88891 | Medium | tc Server CaSa log files must be protected from unauthorized deletion.
V-88893 | Medium | tc Server API log files must be protected from unauthorized deletion.
V-88815 | Medium | tc Server API must record user access in a format that enables monitoring of remote access.
V-88817 | Medium | tc Server ALL must generate log records for system startup and shutdown.
V-88811 | Medium | tc Server UI must record user access in a format that enables monitoring of remote access.
V-88813 | Medium | tc Server CaSa must record user access in a format that enables monitoring of remote access.
V-88819 | Medium | tc Server UI must generate log records for user access and authentication events.
V-88877 | Medium | tc Server UI log files must only be accessible by privileged users.
V-88799 | Medium | tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-88873 | Medium | tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-88871 | Medium | tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-88979 | Medium | tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-88977 | Medium | tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-88975 | Medium | tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-88973 | Medium | tc Server ALL baseline must be documented and maintained.
V-88879 | Medium | tc Server CaSa log files must only be accessible by privileged users.
V-88805 | Medium | tc Server UI must use cryptography to protect the integrity of remote sessions.
V-89067 | Medium | tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-89065 | Medium | tc Server API must be configured with the appropriate ports.
V-88889 | Medium | tc Server UI log files must be protected from unauthorized deletion.
V-89063 | Medium | tc Server CaSa must be configured with the appropriate ports.
V-89061 | Medium | tc Server UI must be configured with the appropriate ports.
V-88883 | Medium | tc Server UI log files must be protected from unauthorized modification.
V-88997 | Medium | tc Server API must set URIEncoding to UTF-8.
V-88887 | Medium | tc Server API log files must be protected from unauthorized modification.
V-89069 | Medium | tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
V-88885 | Medium | tc Server CaSa log files must be protected from unauthorized modification.
V-88803 | Medium | tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-88801 | Medium | tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
V-88807 | Medium | tc Server CaSa must use cryptography to protect the integrity of remote sessions.
V-89057 | Medium | tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users.
V-88809 | Medium | tc Server API must use cryptography to protect the integrity of remote sessions.