STIGQter: STIG Summary: VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 28 Sep 2018

| Checked | Name | Title |
| --- | --- | --- |
| | SV-100845r1_rule | The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions. |
| | SV-100847r1_rule | The vAMI must restrict inbound connections from nonsecure zones. |
| | SV-100849r1_rule | The vAMI configuration file must be owned by root. |
| | SV-100851r1_rule | The vAMI must have sfcb logging enabled. |
| | SV-100853r1_rule | The vAMI must protect log information from unauthorized read access. |
| | SV-100855r1_rule | The vAMI must protect log information from unauthorized modification. |
| | SV-100857r1_rule | The vAMI must protect log information from unauthorized deletion. |
| | SV-100859r1_rule | The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged. |
| | SV-100861r1_rule | Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization. |
| | SV-100863r1_rule | The vAMI executable files and library must not be world-writeable. |
| | SV-100865r1_rule | The vAMI installation procedures must be capable of being rolled back to a last known good configuration. |
| | SV-100867r1_rule | The vAMI must not contain any unnecessary functions and only provide essential capabilities. |
| | SV-100869r1_rule | The vAMI must use the sfcb HTTPS port for communication with Lighttpd. |
| | SV-100871r1_rule | The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). |
| | SV-100873r1_rule | The vAMI must transmit only encrypted representations of passwords. |
| | SV-100875r1_rule | The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor. |
| | SV-100877r1_rule | The vAMI must use approved versions of TLS. |
| | SV-100879r1_rule | The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator. |
| | SV-100881r1_rule | The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator. |
| | SV-100883r1_rule | The vAMI must have the correct authentication set for HTTPS connections. |
| | SV-100885r1_rule | The vAMI installation procedures must be part of a complete vRealize Automation deployment. |
| | SV-100887r1_rule | The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
| | SV-100889r1_rule | The vAMI error logs must be reviewed. |
| | SV-100891r1_rule | The vAMI account credentials must be protected by site policies. |
| | SV-100893r1_rule | The vAMI sfcb config file must be group-owned by root. |
| | SV-100895r1_rule | The vAMI must utilize syslog. |
| | SV-100897r1_rule | The vAMI configuration file must be protected from unauthorized access. |
| | SV-100899r1_rule | The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| | SV-100901r1_rule | The vAMI must have the keepaliveTimeout enabled. |
| | SV-100903r1_rule | The vAMI must have the keepaliveMaxRequest enabled. |
| | SV-100905r1_rule | The vAMI must use approved versions of TLS. |
| | SV-100907r1_rule | The vAMI sfcb must have HTTPS enabled. |
| | SV-100909r1_rule | The vAMI sfcb must have HTTP disabled. |
| | SV-100911r1_rule | The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). |
| | SV-100913r1_rule | The vAMI must log all successful login events. |
| | SV-100915r1_rule | The vAMI must enable logging. |
| | SV-100917r1_rule | The vAMI must have PAM logging enabled. |
| | SV-100919r1_rule | The vAMI must log all login events. |
| | SV-100921r1_rule | The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor. |
| | SV-100923r1_rule | If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable. |
| | SV-100925r1_rule | The vAMI must utilize syslog. |
| | SV-100927r1_rule | The vAMI must be configured to listen on a specific IPv4 address. |
| | SV-100929r1_rule | The vAMI must be configured to listen on a specific network interface. |
| | SV-100931r1_rule | The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |