Checked | Name | Title |
---|---|---|
☐ | SV-100845r1_rule | The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions. |
☐ | SV-100847r1_rule | The vAMI must restrict inbound connections from nonsecure zones. |
☐ | SV-100849r1_rule | The vAMI configuration file must be owned by root. |
☐ | SV-100851r1_rule | The vAMI must have sfcb logging enabled. |
☐ | SV-100853r1_rule | The vAMI must protect log information from unauthorized read access. |
☐ | SV-100855r1_rule | The vAMI must protect log information from unauthorized modification. |
☐ | SV-100857r1_rule | The vAMI must protect log information from unauthorized deletion. |
☐ | SV-100859r1_rule | The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged. |
☐ | SV-100861r1_rule | Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization. |
☐ | SV-100863r1_rule | The vAMI executable files and library must not be world-writeable. |
☐ | SV-100865r1_rule | The vAMI installation procedures must be capable of being rolled back to a last known good configuration. |
☐ | SV-100867r1_rule | The vAMI must not contain any unnecessary functions and only provide essential capabilities. |
☐ | SV-100869r1_rule | The vAMI must use the sfcb HTTPS port for communication with Lighttpd. |
☐ | SV-100871r1_rule | The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). |
☐ | SV-100873r1_rule | The vAMI must transmit only encrypted representations of passwords. |
☐ | SV-100875r1_rule | The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor. |
☐ | SV-100877r1_rule | The vAMI must use approved versions of TLS. |
☐ | SV-100879r1_rule | The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator. |
☐ | SV-100881r1_rule | The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator. |
☐ | SV-100883r1_rule | The vAMI must have the correct authentication set for HTTPS connections. |
☐ | SV-100885r1_rule | The vAMI installation procedures must be part of a complete vRealize Automation deployment. |
☐ | SV-100887r1_rule | The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-100889r1_rule | The vAMI error logs must be reviewed. |
☐ | SV-100891r1_rule | The vAMI account credentials must be protected by site policies. |
☐ | SV-100893r1_rule | The vAMI sfcb config file must be group-owned by root. |
☐ | SV-100895r1_rule | The vAMI must utilize syslog. |
☐ | SV-100897r1_rule | The vAMI configuration file must be protected from unauthorized access. |
☐ | SV-100899r1_rule | The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
☐ | SV-100901r1_rule | The vAMI must have the keepaliveTimeout enabled. |
☐ | SV-100903r1_rule | The vAMI must have the keepaliveMaxRequest enabled. |
☐ | SV-100905r1_rule | The vAMI must use approved versions of TLS. |
☐ | SV-100907r1_rule | The vAMI sfcb must have HTTPS enabled. |
☐ | SV-100909r1_rule | The vAMI sfcb must have HTTP disabled. |
☐ | SV-100911r1_rule | The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). |
☐ | SV-100913r1_rule | The vAMI must log all successful login events. |
☐ | SV-100915r1_rule | The vAMI must enable logging. |
☐ | SV-100917r1_rule | The vAMI must have PAM logging enabled. |
☐ | SV-100919r1_rule | The vAMI must log all login events. |
☐ | SV-100921r1_rule | The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor. |
☐ | SV-100923r1_rule | If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable. |
☐ | SV-100925r1_rule | The vAMI must utilize syslog. |
☐ | SV-100927r1_rule | The vAMI must be configured to listen on a specific IPv4 address. |
☐ | SV-100929r1_rule | The vAMI must be configured to listen on a specific network interface. |
☐ | SV-100931r1_rule | The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |