STIGQter: STIG Summary: VMware NSX Manager Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 27 Jun 2016

| Name | Title |
| --- | --- |
| SV-83765r1_rule | The NSX vCenter must be configured to use an authentication server to provide automated support for account management functions to centrally control the authentication process for the purpose of granting administrative access. |
| SV-83767r1_rule | The NSX vCenter must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. |
| SV-83769r1_rule | The NSX vCenter must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
| SV-83771r1_rule | The NSX Manager must not have any default manufacturer passwords when deployed. |
| SV-83775r1_rule | The NSX vCenter must protect audit information from any type of unauthorized read access. |
| SV-83777r1_rule | The NSX Manager must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
| SV-83779r1_rule | The NSX vCenter must enforce a minimum 15-character password length. |
| SV-83781r1_rule | The NSX vCenter must prohibit password reuse for a minimum of five generations. |
| SV-83783r1_rule | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one upper-case character be used. |
| SV-83785r1_rule | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one lower-case character be used. |
| SV-83787r1_rule | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one numeric character be used. |
| SV-83789r1_rule | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one special character be used. |
| SV-83791r1_rule | The NSX vCenter must enforce a 60-day maximum password lifetime restriction. |
| SV-83793r1_rule | The NSX vCenter must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. |
| SV-83795r1_rule | The NSX vCenter must reveal error messages only to authorized individuals (ISSO, ISSM, and SA). |
| SV-83797r1_rule | The NSX vCenter must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. |
| SV-83799r1_rule | If the NSX vCenter uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects. |
| SV-83801r1_rule | The NSX vCenter must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| SV-83803r1_rule | The NSX vCenter must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. |
| SV-83805r1_rule | The NSX vCenter must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time. |
| SV-83807r1_rule | The NSX Manager must compare internal information system clocks at least every 24 hours with an authoritative time server. |
| SV-83809r1_rule | The NSX Manager must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period. |
| SV-83811r1_rule | The NSX Manager must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. |
| SV-83813r1_rule | The NSX Manager must off-load audit records onto a different system or media than the system being audited. |
| SV-83815r1_rule | The NSX Manager must enforce access restrictions associated with changes to the system components. |
| SV-83817r1_rule | The NSX Manager must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. |
| SV-83819r1_rule | The NSX Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. |
| SV-83821r1_rule | The NSX Manager must employ automated mechanisms to assist in the tracking of security incidents. |
| SV-83823r1_rule | The NSX vCenter must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
| SV-83825r1_rule | The NSX vCenter must accept multifactor credentials. |