STIGQter: STIG Summary: VMware vRealize Automation 7.x SLES Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 28 Sep 2018

Name              Title
SV-100115r1_rule  The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
SV-100117r1_rule  The SLES for vRealize must audit all account creations.
SV-100119r1_rule  In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy.
SV-100121r1_rule  The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
SV-100123r1_rule  The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
SV-100125r1_rule  The SLES for vRealize must limit the number of concurrent sessions to 10 for all accounts and/or account types.
SV-100127r1_rule  The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
SV-100129r1_rule  The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
SV-100131r1_rule  The SLES for vRealize must monitor remote access methods - SSH Daemon.
SV-100133r1_rule  The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon.
SV-100135r1_rule  The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
SV-100137r1_rule  The SLES for vRealize must produce audit records.
SV-100139r1_rule  The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-100141r1_rule  The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
SV-100143r1_rule  The SLES for vRealize must protect audit information from unauthorized read access - ownership.
SV-100145r1_rule  The SLES for vRealize must protect audit information from unauthorized read access - group-ownership.
SV-100147r1_rule  The SLES for vRealize must protect audit information from unauthorized modification.
SV-100149r1_rule  The SLES for vRealize must protect audit information from unauthorized deletion.
SV-100151r1_rule  The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
SV-100153r1_rule  The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions.
SV-100155r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.
SV-100157r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.
SV-100159r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.
SV-100161r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.
SV-100163r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.
SV-100165r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.
SV-100167r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.
SV-100169r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setparam.
SV-100171r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setscheduler.
SV-100173r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/faillog.
SV-100175r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/lastlog.
SV-100177r1_rule  The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/tallylog.
SV-100179r1_rule  The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
SV-100181r1_rule  The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
SV-100183r1_rule  The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group-ownership.
SV-100185r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chmod.
SV-100187r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
SV-100189r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
SV-100191r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
SV-100193r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
SV-100195r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
SV-100197r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
SV-100199r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
SV-100201r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
SV-100203r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
SV-100205r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
SV-100207r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
SV-100209r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
SV-100211r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
SV-100213r1_rule  The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
SV-100215r1_rule  Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.
SV-100217r1_rule  The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
SV-100219r1_rule  The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
SV-100221r1_rule  The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
SV-100223r1_rule  The SLES for vRealize must store only encrypted representations of passwords.
SV-100225r1_rule  The SLES for vRealize must store only encrypted representations of passwords.
SV-100227r1_rule  SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
SV-100229r1_rule  Users must not be able to change passwords more than once every 24 hours.
SV-100231r1_rule  SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
SV-100233r1_rule  User passwords must be changed at least every 60 days.
SV-100235r1_rule  The SLES for vRealize must prohibit password reuse for a minimum of five generations.
SV-100237r1_rule  The SLES for vRealize must prohibit password reuse for a minimum of five generations - old passwords are being stored.
SV-100239r1_rule  The SLES for vRealize must enforce a minimum 15-character password length.
SV-100241r1_rule  The system must require root password authentication upon booting into single-user mode.
SV-100243r1_rule  Bootloader authentication must be enabled to prevent users without privilege to gain access to restricted file system resources.
SV-100245r1_rule  The system boot loader configuration file(s) must have mode 0600 or less permissive.
SV-100247r1_rule  The system boot loader configuration files must be owned by root.
SV-100249r1_rule  The system boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
SV-100251r1_rule  The Bluetooth protocol handler must be disabled or not installed.
SV-100253r1_rule  The system must have USB Mass Storage disabled unless needed.
SV-100255r1_rule  The system must have USB disabled unless needed.
SV-100257r1_rule  The telnet-server package must not be installed.
SV-100259r1_rule  The rsh-server package must not be installed.
SV-100261r1_rule  The ypserv package must not be installed.
SV-100263r1_rule  The yast2-tftp-server package must not be installed.
SV-100265r1_rule  The tftp package must not be installed.
SV-100267r1_rule  The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
SV-100269r1_rule  The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SV-100271r1_rule  The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-100273r1_rule  The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
SV-100275r1_rule  The xinetd service must be disabled if no network services using it are enabled.
SV-100277r1_rule  The xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
SV-100279r1_rule  The inetd.conf file, xinetd.conf file, and xinetd.d directory must be group owned by root, bin, sys, or system.
SV-100281r1_rule  The xinetd.d directory must have mode 0755 or less permissive.
SV-100283r1_rule  Xinetd logging/tracing must be enabled.
SV-100285r1_rule  The ypbind service must not be running if no network services utilizing it are enabled.
SV-100287r1_rule  The system must not use UDP for NIS/NIS+.
SV-100289r1_rule  NIS maps must be protected through hard-to-guess domain names.
SV-100291r1_rule  Mail relaying must be restricted.
SV-100293r1_rule  The alias files must be owned by root.
SV-100295r1_rule  The alias files must be group-owned by root or a system group.
SV-100297r1_rule  The alias files must have mode 0644 or less permissive.
SV-100299r1_rule  Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
SV-100301r1_rule  Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
SV-100303r1_rule  Files executed through a mail aliases file must have mode 0755 or less permissive.
SV-100305r1_rule  Sendmail logging must not be set to less than nine in the sendmail.cf file.
SV-100307r1_rule  The system syslog service must log informational and more severe SMTP service messages.
SV-100309r1_rule  The SMTP service log files must be owned by root.
SV-100311r1_rule  The SMTP service log file must have mode 0644 or less permissive.
SV-100313r1_rule  The SMTP service HELP command must not be enabled.
SV-100315r1_rule  The SMTP service SMTP greeting must not provide version information.
SV-100317r1_rule  The SMTP service must not use .forward files.
SV-100319r1_rule  The SMTP service must not have the EXPN feature active.
SV-100321r1_rule  The SMTP service must not have the VRFY feature active.
SV-100323r1_rule  The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
SV-100325r1_rule  The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
SV-100327r1_rule  The AppleTalk protocol must be disabled or not installed.
SV-100329r1_rule  The DECnet protocol must be disabled or not installed.
SV-100331r1_rule  Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
SV-100333r1_rule  The SLES for vRealize must not have 6to4 enabled.
SV-100335r1_rule  The SLES for vRealize must not have Teredo enabled.
SV-100337r1_rule  The DHCP client must be disabled if not needed.
SV-100339r1_rule  The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
SV-100341r1_rule  Duplicate User IDs (UIDs) must not exist for users within the organization.
SV-100343r1_rule  The SLES for vRealize must prevent direct logon into the root account.
SV-100345r1_rule  The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
SV-100347r1_rule  The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
SV-100349r1_rule  The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
SV-100351r1_rule  The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SV-100353r1_rule  The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-100355r1_rule  All GIDs referenced in /etc/passwd must be defined in /etc/group.
SV-100357r1_rule  The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-100359r1_rule  The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
SV-100361r1_rule  The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
SV-100363r1_rule  The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
SV-100365r1_rule  The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SV-100367r1_rule  The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SV-100369r1_rule  The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
SV-100371r1_rule  The /var/log directory must be group-owned by root.
SV-100373r1_rule  The /var/log directory must be owned by root.
SV-100375r1_rule  The /var/log directory must have mode 0750 or less permissive.
SV-100377r1_rule  The /var/log/messages file must be group-owned by root.
SV-100379r1_rule  The /var/log/messages file must be owned by root.
SV-100381r1_rule  The /var/log/messages file must have mode 0640 or less permissive.
SV-100383r1_rule  The SLES for vRealize must reveal error messages only to authorized users.
SV-100385r1_rule  The SLES for vRealize must reveal error messages only to authorized users.
SV-100387r1_rule  The SLES for vRealize must reveal error messages only to authorized users.
SV-100389r1_rule  Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-100391r1_rule  The SLES for vRealize must audit all account modifications.
SV-100393r1_rule  The SLES for vRealize must audit all account modifications.
SV-100395r1_rule  The SLES for vRealize must audit all account disabling actions.
SV-100397r1_rule  The SLES for vRealize must audit all account removal actions.
SV-100399r1_rule  The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
SV-100401r1_rule  The SLES for vRealize must initiate session audits at system start-up.
SV-100403r1_rule  The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
SV-100405r1_rule  The SLES for vRealize must protect audit tools from unauthorized access.
SV-100407r1_rule  The SLES for vRealize must protect audit tools from unauthorized modification.
SV-100409r1_rule  The SLES for vRealize must protect audit tools from unauthorized deletion.
SV-100411r1_rule  The shared library files must have restrictive permissions.
SV-100413r1_rule  Shared library files must have root ownership.
SV-100415r1_rule  System executables must have restrictive permissions.
SV-100417r1_rule  System executables must have root ownership.
SV-100419r1_rule  The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
SV-100421r1_rule  The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
SV-100423r1_rule  The SLES for vRealize must control remote access methods.
SV-100425r1_rule  The SLES for vRealize must audit all account enabling actions.
SV-100427r1_rule  The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
SV-100429r1_rule  The SLES for vRealize must audit the execution of privileged functions.
SV-100431r1_rule  The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
SV-100433r1_rule  The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.
SV-100435r1_rule  The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
SV-100437r1_rule  The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
SV-100439r1_rule  The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
SV-100441r1_rule  The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
SV-100443r1_rule  The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
SV-100445r1_rule  The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
SV-100447r1_rule  The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
SV-100449r1_rule  The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
SV-100451r1_rule  The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
SV-100453r1_rule  The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
SV-100455r1_rule  The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
SV-100457r1_rule  The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
SV-100459r1_rule  The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-100461r1_rule  The SLES for vRealize must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the SLES for vRealize is implementing rate-limiting measures on impacted network interfaces.
SV-100463r1_rule  The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
SV-100465r1_rule  The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
SV-100467r1_rule  The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
SV-100469r1_rule  The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
SV-100471r1_rule  The SLES for vRealize must verify correct operation of all security functions.
SV-100473r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
SV-100475r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
SV-100477r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
SV-100479r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
SV-100481r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
SV-100483r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
SV-100485r1_rule  The SLES for vRealize must generate audit records for privileged activities or other system-level access.
SV-100487r1_rule  The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-100489r1_rule  The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
SV-100491r1_rule  The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
SV-100493r1_rule  The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
SV-100495r1_rule  The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
SV-100497r1_rule  The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
SV-100499r1_rule  The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
SV-100501r1_rule  The SLES for vRealize audit system must be configured to audit file deletions.
SV-100503r1_rule  SLES for vRealize audit logs must be rotated daily.
SV-100505r1_rule  The SLES for vRealize must generate audit records for all direct access to the information system.
SV-100507r1_rule  The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
SV-100509r1_rule  The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
SV-100511r1_rule  The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-100513r1_rule  The SLES for vRealize must, at a minimum, off-load audit information on interconnected systems in real time and off-load standalone systems weekly.
SV-100515r1_rule  The SLES for vRealize must prevent the use of dictionary words for passwords.
SV-100517r1_rule  The SLES for vRealize must prevent the use of dictionary words for passwords.
SV-100519r1_rule  The SLES for vRealize must prevent the use of dictionary words for passwords.
SV-100521r1_rule  The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
SV-100523r1_rule  The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
SV-100525r1_rule  The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
SV-100527r1_rule  The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-100529r1_rule  The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
SV-100531r1_rule  The SLES for vRealize must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.