STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 28 Sep 2018

Name             Title
SV-99425r1_rule  tc Server UI must limit the number of maximum concurrent connections permitted.
SV-99427r1_rule  tc Server CaSa must limit the number of maximum concurrent connections permitted.
SV-99429r1_rule  tc Server API must limit the number of maximum concurrent connections permitted.
SV-99431r1_rule  tc Server UI must limit the amount of time that each TCP connection is kept alive.
SV-99433r1_rule  tc Server CaSa must limit the amount of time that each TCP connection is kept alive.
SV-99435r1_rule  tc Server API must limit the amount of time that each TCP connection is kept alive.
SV-99437r1_rule  tc Server UI must limit the number of times that each TCP connection is kept alive.
SV-99439r1_rule  tc Server CaSa must limit the number of times that each TCP connection is kept alive.
SV-99441r1_rule  tc Server API must limit the number of times that each TCP connection is kept alive.
SV-99443r1_rule  tc Server UI must perform server-side session management.
SV-99445r1_rule  tc Server CaSa must perform server-side session management.
SV-99447r1_rule  tc Server API must perform server-side session management.
SV-99449r1_rule  tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
SV-99451r1_rule  tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
SV-99453r1_rule  tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
SV-99455r1_rule  tc Server UI must use cryptography to protect the integrity of remote sessions.
SV-99457r1_rule  tc Server CaSa must use cryptography to protect the integrity of remote sessions.
SV-99459r1_rule  tc Server API must use cryptography to protect the integrity of remote sessions.
SV-99461r1_rule  tc Server UI must record user access in a format that enables monitoring of remote access.
SV-99463r1_rule  tc Server CaSa must record user access in a format that enables monitoring of remote access.
SV-99465r1_rule  tc Server API must record user access in a format that enables monitoring of remote access.
SV-99467r1_rule  tc Server ALL must generate log records for system startup and shutdown.
SV-99469r1_rule  tc Server UI must generate log records for user access and authentication events.
SV-99471r1_rule  tc Server CaSa must generate log records for user access and authentication events.
SV-99473r1_rule  tc Server API must generate log records for user access and authentication events.
SV-99475r1_rule  tc Server ALL must initiate logging during service start-up.
SV-99477r1_rule  tc Server UI must capture, record, and log all content related to a user session.
SV-99479r1_rule  tc Server CaSa must capture, record, and log all content related to a user session.
SV-99481r1_rule  tc Server API must capture, record, and log all content related to a user session.
SV-99483r1_rule  tc Server UI must produce log records containing sufficient information to establish what type of events occurred.
SV-99485r1_rule  tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred.
SV-99487r1_rule  tc Server API must produce log records containing sufficient information to establish what type of events occurred.
SV-99489r1_rule  tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-99491r1_rule  tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-99493r1_rule  tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred.
SV-99495r1_rule  tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-99497r1_rule  tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-99499r1_rule  tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred.
SV-99501r1_rule  tc Server UI must produce log records containing sufficient information to establish the source of events.
SV-99503r1_rule  tc Server CaSa must produce log records containing sufficient information to establish the source of events.
SV-99505r1_rule  tc Server API must produce log records containing sufficient information to establish the source of events.
SV-99507r1_rule  tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-99509r1_rule  tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-99511r1_rule  tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-99513r1_rule  tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-99515r1_rule  tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-99517r1_rule  tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-99519r1_rule  tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-99521r1_rule  tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-99523r1_rule  tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-99525r1_rule  tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
SV-99527r1_rule  tc Server UI log files must only be accessible by privileged users.
SV-99529r1_rule  tc Server CaSa log files must only be accessible by privileged users.
SV-99531r1_rule  tc Server API log files must only be accessible by privileged users.
SV-99533r1_rule  tc Server UI log files must be protected from unauthorized modification.
SV-99535r1_rule  tc Server CaSa log files must be protected from unauthorized modification.
SV-99537r1_rule  tc Server API log files must be protected from unauthorized modification.
SV-99539r1_rule  tc Server UI log files must be protected from unauthorized deletion.
SV-99541r1_rule  tc Server CaSa log files must be protected from unauthorized deletion.
SV-99543r1_rule  tc Server API log files must be protected from unauthorized deletion.
SV-99545r1_rule  tc Server ALL log data and records must be backed up onto a different system or media.
SV-99547r1_rule  tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
SV-99549r1_rule  tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
SV-99551r1_rule  tc Server UI must not use the tomcat-users XML database for user management.
SV-99553r1_rule  tc Server CaSa must not use the tomcat-users XML database for user management.
SV-99555r1_rule  tc Server API must not use the tomcat-users XML database for user management.
SV-99557r1_rule  tc Server ALL must only contain services and functions necessary for operation.
SV-99559r1_rule  tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
SV-99561r1_rule  tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
SV-99563r1_rule  tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
SV-99565r1_rule  tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
SV-99567r1_rule  tc Server UI must have mappings set for Java Servlet Pages.
SV-99569r1_rule  tc Server CaSa must have mappings set for Java Servlet Pages.
SV-99571r1_rule  tc Server API must have mappings set for Java Servlet Pages.
SV-99573r1_rule  tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
SV-99575r1_rule  tc Server UI must be configured with memory leak protection.
SV-99577r1_rule  tc Server CaSa must be configured with memory leak protection.
SV-99579r1_rule  tc Server API must be configured with memory leak protection.
SV-99581r1_rule  tc Server UI must not have any symbolic links in the web content directory tree.
SV-99583r1_rule  tc Server CaSa must not have any symbolic links in the web content directory tree.
SV-99585r1_rule  tc Server API must not have any symbolic links in the web content directory tree.
SV-99587r1_rule  tc Server UI must be configured to use a specified IP address and port.
SV-99589r1_rule  tc Server CaSa must be configured to use a specified IP address and port.
SV-99591r1_rule  tc Server API must be configured to use a specified IP address and port.
SV-99593r1_rule  tc Server UI must encrypt passwords during transmission.
SV-99595r1_rule  tc Server CaSa must encrypt passwords during transmission.
SV-99597r1_rule  tc Server API must encrypt passwords during transmission.
SV-99599r1_rule  tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable.
SV-99601r1_rule  tc Server ALL must only allow authenticated system administrators to have access to the keystore.
SV-99603r1_rule  tc Server ALL must only allow authenticated system administrators to have access to the truststore.
SV-99605r1_rule  tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
SV-99607r1_rule  tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
SV-99609r1_rule  tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
SV-99611r1_rule  tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SV-99613r1_rule  tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SV-99615r1_rule  tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
SV-99617r1_rule  tc Server UI web server application directories must not be accessible to anonymous user.
SV-99619r1_rule  tc Server CaSa web server application directories must not be accessible to anonymous user.
SV-99621r1_rule  tc Server API web server application directories must not be accessible to anonymous user.
SV-99623r1_rule  tc Server ALL baseline must be documented and maintained.
SV-99625r1_rule  tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-99627r1_rule  tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-99629r1_rule  tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-99631r1_rule  tc Server UI document directory must be in a separate partition from the web servers system files.
SV-99633r1_rule  tc Server CaSa document directory must be in a separate partition from the web servers system files.
SV-99635r1_rule  tc Server API document directory must be in a separate partition from the web servers system files.
SV-99637r1_rule  tc Server UI must be configured with a cross-site scripting (XSS) filter.
SV-99639r1_rule  tc Server CaSa must be configured with a cross-site scripting (XSS) filter.
SV-99641r1_rule  tc Server API must be configured with a cross-site scripting (XSS) filter.
SV-99643r1_rule  tc Server UI must set URIEncoding to UTF-8.
SV-99645r1_rule  tc Server CaSa must set URIEncoding to UTF-8.
SV-99647r1_rule  tc Server API must set URIEncoding to UTF-8.
SV-99649r1_rule  tc Server UI must use the setCharacterEncodingFilter filter.
SV-99651r1_rule  tc Server CaSa must use the setCharacterEncodingFilter filter.
SV-99653r1_rule  tc Server API must use the setCharacterEncodingFilter filter.
SV-99655r1_rule  tc Server UI must set the welcome-file node to a default web page.
SV-99657r1_rule  tc Server CaSa must set the welcome-file node to a default web page.
SV-99659r1_rule  tc Server API must set the welcome-file node to a default web page.
SV-99661r1_rule  tc Server UI must have the allowTrace parameter set to false.
SV-99663r1_rule  tc Server CaSa must have the allowTrace parameter set to false.
SV-99665r1_rule  tc Server API must have the allowTrace parameter set to false.
SV-99667r1_rule  tc Server UI must have the debug option turned off.
SV-99669r1_rule  tc Server CaSa must have the debug option turned off.
SV-99671r1_rule  tc Server API must have the debug option turned off.
SV-99673r1_rule  tc Server UI must set an inactive timeout for sessions.
SV-99675r1_rule  tc Server CaSa must set an inactive timeout for sessions.
SV-99677r1_rule  tc Server API must set an inactive timeout for sessions.
SV-99679r1_rule  tc Server ALL must be configured to the correct user authentication source.
SV-99681r1_rule  tc Server UI must be configured to use the https scheme.
SV-99683r1_rule  tc Server CaSa must be configured to use the https scheme.
SV-99685r1_rule  tc Server API must be configured to use the https scheme.
SV-99687r1_rule  tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
SV-99689r1_rule  tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
SV-99691r1_rule  tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
SV-99693r1_rule  tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-99695r1_rule  tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-99697r1_rule  tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-99699r1_rule  tc Server UI must record time stamps for log records to a minimum granularity of one second.
SV-99701r1_rule  tc Server CaSa must record time stamps for log records to a minimum granularity of one second.
SV-99703r1_rule  tc Server API must record time stamps for log records to a minimum granularity of one second.
SV-99705r1_rule  tc Server UI application, libraries, and configuration files must only be accessible to privileged users.
SV-99707r1_rule  tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users.
SV-99709r1_rule  tc Server API application, libraries, and configuration files must only be accessible to privileged users.
SV-99711r1_rule  tc Server UI must be configured with the appropriate ports.
SV-99713r1_rule  tc Server CaSa must be configured with the appropriate ports.
SV-99715r1_rule  tc Server API must be configured with the appropriate ports.
SV-99717r1_rule  tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SV-99719r1_rule  tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SV-99721r1_rule  tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
SV-99723r1_rule  tc Server UI must disable the shutdown port.
SV-99725r1_rule  tc Server CaSa must disable the shutdown port.
SV-99727r1_rule  tc Server API must disable the shutdown port.
SV-99729r1_rule  tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SV-99731r1_rule  tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SV-99733r1_rule  tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
SV-99735r1_rule  tc Server UI session IDs must be sent to the client using SSL/TLS.
SV-99737r1_rule  tc Server CaSa session IDs must be sent to the client using SSL/TLS.
SV-99739r1_rule  tc Server API session IDs must be sent to the client using SSL/TLS.
SV-99741r1_rule  tc Server UI must set the useHttpOnly parameter.
SV-99743r1_rule  tc Server CaSa must set the useHttpOnly parameter.
SV-99745r1_rule  tc Server API must set the useHttpOnly parameter.
SV-99747r1_rule  tc Server UI must set the secure flag for cookies.
SV-99749r1_rule  tc Server CaSa must set the secure flag for cookies.
SV-99751r1_rule  tc Server API must set the secure flag for cookies.
SV-99753r1_rule  tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SV-99755r1_rule  tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SV-99757r1_rule  tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
SV-99759r1_rule  tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SV-99761r1_rule  tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SV-99763r1_rule  tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SV-99765r1_rule  tc Server UI must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SV-99767r1_rule  tc Server CaSa must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SV-99769r1_rule  tc Server API must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
SV-99771r1_rule  tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
SV-99773r1_rule  tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.