STIGQter: STIG Summary: VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 28 Sep 2018

Name              Title
SV-100533r1_rule  tc Server VCO must limit the number of maximum concurrent connections permitted.
SV-100535r1_rule  tc Server VCAC must limit the number of maximum concurrent connections permitted.
SV-100537r1_rule  tc Server HORIZON must limit the amount of time that each TCP connection is kept alive.
SV-100539r1_rule  tc Server VCO must limit the amount of time that each TCP connection is kept alive.
SV-100541r1_rule  tc Server VCAC must limit the amount of time that each TCP connection is kept alive.
SV-100543r1_rule  tc Server HORIZON must limit the number of times that each TCP connection is kept alive.
SV-100545r1_rule  tc Server VCO must limit the number of times that each TCP connection is kept alive.
SV-100547r1_rule  tc Server VCAC must limit the number of times that each TCP connection is kept alive.
SV-100549r1_rule  tc Server HORIZON must perform server-side session management.
SV-100551r1_rule  tc Server VCO must perform server-side session management.
SV-100553r1_rule  tc Server VCAC must perform server-side session management.
SV-100555r1_rule  tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
SV-100557r1_rule  tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
SV-100559r1_rule  tc Server HORIZON must use cryptography to protect the integrity of remote sessions.
SV-100561r1_rule  tc Server HORIZON must record user access in a format that enables monitoring of remote access.
SV-100563r1_rule  tc Server VCO must record user access in a format that enables monitoring of remote access.
SV-100565r1_rule  tc Server VCAC must record user access in a format that enables monitoring of remote access.
SV-100567r1_rule  tc Server ALL must generate log records for system startup and shutdown.
SV-100569r1_rule  tc Server HORIZON must generate log records for user access and authentication events.
SV-100571r1_rule  tc Server VCO must generate log records for user access and authentication events.
SV-100573r1_rule  tc Server VCAC must generate log records for user access and authentication events.
SV-100575r1_rule  tc Server ALL must initiate logging during service start-up.
SV-100577r1_rule  tc Server HORIZON must capture, record, and log all content related to a user session.
SV-100579r1_rule  tc Server VCO must capture, record, and log all content related to a user session.
SV-100581r1_rule  tc Server VCAC must capture, record, and log all content related to a user session.
SV-100583r1_rule  tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred.
SV-100585r1_rule  tc Server VCO must produce log records containing sufficient information to establish what type of events occurred.
SV-100587r1_rule  tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred.
SV-100589r1_rule  tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-100591r1_rule  tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-100593r1_rule  tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-100595r1_rule  tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-100597r1_rule  tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-100599r1_rule  tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-100601r1_rule  tc Server HORIZON must produce log records containing sufficient information to establish the source of events.
SV-100603r1_rule  tc Server VCO must produce log records containing sufficient information to establish the source of events.
SV-100605r1_rule  tc Server VCAC must produce log records containing sufficient information to establish the source of events.
SV-100607r1_rule  tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-100609r1_rule  tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-100611r1_rule  tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-100613r1_rule  tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-100615r1_rule  tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-100617r1_rule  tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-100619r1_rule  tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-100621r1_rule  tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-100623r1_rule  tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-100625r1_rule  tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
SV-100627r1_rule  tc Server HORIZON log files must only be accessible by privileged users.
SV-100629r1_rule  tc Server VCO log files must only be accessible by privileged users.
SV-100631r1_rule  tc Server VCAC log files must only be accessible by privileged users.
SV-100633r1_rule  tc Server HORIZON log files must be protected from unauthorized modification.
SV-100635r1_rule  tc Server VCO log files must be protected from unauthorized modification.
SV-100637r1_rule  tc Server VCAC log files must be protected from unauthorized modification.
SV-100639r1_rule  tc Server HORIZON log files must be protected from unauthorized deletion.
SV-100641r1_rule  tc Server VCO log files must be protected from unauthorized deletion.
SV-100643r1_rule  tc Server VCAC log files must be protected from unauthorized deletion.
SV-100645r1_rule  tc Server ALL log data and records must be backed up onto a different system or media.
SV-100647r1_rule  tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
SV-100649r1_rule  tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
SV-100651r1_rule  tc Server HORIZON must not use the tomcat-users XML database for user management.
SV-100653r1_rule  tc Server VCO must not use the tomcat-users XML database for user management.
SV-100655r1_rule  tc Server VCAC must not use the tomcat-users XML database for user management.
SV-100657r1_rule  tc Server ALL must only contain services and functions necessary for operation.
SV-100659r1_rule  tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
SV-100661r1_rule  tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
SV-100663r1_rule  tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
SV-100665r1_rule  tc Server HORIZON must have mappings set for Java Servlet Pages.
SV-100667r1_rule  tc Server VCO must have mappings set for Java Servlet Pages.
SV-100669r1_rule  tc Server VCAC must have mappings set for Java Servlet Pages.
SV-100671r1_rule  tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
SV-100673r1_rule  tc Server HORIZON must be configured with memory leak protection.
SV-100675r1_rule  tc Server VCO must be configured with memory leak protection.
SV-100677r1_rule  tc Server VCAC must be configured with memory leak protection.
SV-100679r1_rule  tc Server VCO must not have any symbolic links in the web content directory tree.
SV-100681r1_rule  tc Server HORIZON must be configured to use a specified IP address and port.
SV-100683r1_rule  tc Server VCO must be configured to use a specified IP address and port.
SV-100685r1_rule  tc Server VCAC must be configured to use a specified IP address and port.
SV-100687r1_rule  tc Server HORIZON must encrypt passwords during transmission.
SV-100689r1_rule  tc Server VCAC must encrypt passwords during transmission.
SV-100691r1_rule  tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid.
SV-100693r1_rule  tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
SV-100695r1_rule  tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
SV-100697r1_rule  tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SV-100699r1_rule  tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SV-100701r1_rule  tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SV-100703r1_rule  tc Server HORIZON web server application directories must not be accessible to anonymous user.
SV-100705r1_rule  tc Server VCO web server application directories must not be accessible to anonymous user.
SV-100707r1_rule  tc Server VCAC web server application directories must not be accessible to anonymous user.
SV-100709r1_rule  tc Server ALL baseline must be documented and maintained.
SV-100711r1_rule  tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-100713r1_rule  tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-100715r1_rule  tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-100717r1_rule  tc Server HORIZON document directory must be in a separate partition from the web servers system files.
SV-100719r1_rule  tc Server VCO document directory must be in a separate partition from the web servers system files.
SV-100721r1_rule  tc Server VCAC document directory must be in a separate partition from the web servers system files.
SV-100723r1_rule  tc Server HORIZON must be configured with a cross-site scripting (XSS) filter.
SV-100725r1_rule  tc Server VCO must be configured with a cross-site scripting (XSS) filter.
SV-100727r1_rule  tc Server VCAC must be configured with a cross-site scripting (XSS) filter.
SV-100729r1_rule  tc Server HORIZON must set URIEncoding to UTF-8.
SV-100731r1_rule  tc Server VCO must set URIEncoding to UTF-8.
SV-100733r1_rule  tc Server HORIZON must use the setCharacterEncodingFilter filter.
SV-100735r1_rule  tc Server VCO must use the setCharacterEncodingFilter filter.
SV-100737r1_rule  tc Server VCAC must set URIEncoding to UTF-8.
SV-100739r1_rule  tc Server VCAC must use the setCharacterEncodingFilter filter.
SV-100741r1_rule  tc Server HORIZON must set the welcome-file node to a default web page.
SV-100743r1_rule  tc Server VCO must set the welcome-file node to a default web page.
SV-100745r1_rule  tc Server VCAC must set the welcome-file node to a default web page.
SV-100747r1_rule  tc Server HORIZON must have the allowTrace parameter set to false.
SV-100749r1_rule  tc Server VCO must have the allowTrace parameter set to false.
SV-100751r1_rule  tc Server VCAC must have the allowTrace parameter set to false.
SV-100753r1_rule  tc Server HORIZON must have the debug option turned off.
SV-100755r1_rule  tc Server VCO must have the debug option turned off.
SV-100757r1_rule  tc Server VCAC must have the debug option turned off.
SV-100759r1_rule  tc Server HORIZON must set an inactive timeout for sessions.
SV-100761r1_rule  tc Server VCO must set an inactive timeout for sessions.
SV-100763r1_rule  tc Server VCAC must set an inactive timeout for sessions.
SV-100765r1_rule  tc Server ALL must be configured to the correct user authentication source.
SV-100767r1_rule  tc Server HORIZON must be configured to use the https scheme.
SV-100769r1_rule  tc Server VCAC must be configured to use the https scheme.
SV-100771r1_rule  tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
SV-100773r1_rule  tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
SV-100775r1_rule  tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-100777r1_rule  tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-100779r1_rule  tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-100781r1_rule  tc Server HORIZON must record time stamps for log records to a minimum granularity of one second.
SV-100783r1_rule  tc Server VCO must record time stamps for log records to a minimum granularity of one second.
SV-100785r1_rule  tc Server VCAC must record time stamps for log records to a minimum granularity of one second.
SV-100787r1_rule  tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users.
SV-100789r1_rule  tc Server VCO application, libraries, and configuration files must only be accessible to privileged users.
SV-100791r1_rule  tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users.
SV-100793r1_rule  tc Server HORIZON must be configured with the appropriate ports.
SV-100795r1_rule  tc Server VCO must be configured with the appropriate ports.
SV-100797r1_rule  tc Server VCAC must be configured with the appropriate ports.
SV-100799r1_rule  tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SV-100801r1_rule  tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SV-100803r1_rule  tc Server HORIZON must disable the shutdown port.
SV-100805r1_rule  tc Server VCO must disable the shutdown port.
SV-100807r1_rule  tc Server VCAC must disable the shutdown port.
SV-100809r1_rule  tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SV-100811r1_rule  tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SV-100813r1_rule  tc Server HORIZON session IDs must be sent to the client using SSL/TLS.
SV-100815r1_rule  tc Server VCAC session IDs must be sent to the client using SSL/TLS.
SV-100817r1_rule  tc Server HORIZON must set the useHttpOnly parameter.
SV-100819r1_rule  tc Server VCO must set the useHttpOnly parameter.
SV-100821r1_rule  tc Server VCAC must set the useHttpOnly parameter.
SV-100823r1_rule  tc Server HORIZON must set the secure flag for cookies.
SV-100825r1_rule  tc Server VCO must set the secure flag for cookies.
SV-100827r1_rule  tc Server VCAC must set the secure flag for cookies.
SV-100829r1_rule  tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SV-100831r1_rule  tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SV-100833r1_rule  tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SV-100835r1_rule  tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SV-100837r1_rule  tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SV-100839r1_rule  tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SV-100841r1_rule  tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
SV-100843r1_rule  tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-100991r1_rule  tc Server HORIZON must limit the number of maximum concurrent connections permitted.
SV-100993r1_rule  tc Server VCAC must use cryptography to protect the integrity of remote sessions.
SV-100995r1_rule  tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
SV-100997r1_rule  tc Server ALL must only allow authenticated system administrators to have access to the keystore.
SV-100999r1_rule  tc Server ALL log files must be moved to a permanent repository in accordance with site policy.