VMW vRealize Automation 7.x vIDM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2018-10-12

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
vIDM must be configured to log activity to the horizon.log file.
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-000067
  • Version: VRAU-VI-000020
  • Vuln IDs: V-90283
  • Rule IDs: SV-100933r1_rule
Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. Application servers provide a web and command line-based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.
Checks: C-89975r1_chk

At the command prompt, execute the following command:

  grep log4j.appender.rollingFile.file /usr/local/horizon/conf/saas-log4j.properties

If "log4j.appender.rollingFile.file" is not set to "/opt/vmware/horizon/workspace/logs/horizon.log", or is commented out or missing, this is a finding.

Fix: F-97025r1_fix

Navigate to and open /usr/local/horizon/conf/saas-log4j.properties. Configure the vIDM policy log file with the following lines:

  log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender
  log4j.appender.rollingFile.MaxFileSize=50MB
  log4j.appender.rollingFile.MaxBackupIndex=7
  log4j.appender.rollingFile.Encoding=UTF-8
  log4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log
  log4j.appender.rollingFile.append=true
  log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout
  log4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n

vIDM must be configured correctly for the site enterprise user management system.
  • RMF Control: IA-2
  • Severity: Medium
  • CCI: CCI-000764
  • Version: VRAU-VI-000195
  • Vuln IDs: V-90285
  • Rule IDs: SV-100935r1_rule
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution.
Checks: C-89977r1_chk

Interview the ISSO. Obtain the correct configuration for the site's Directory services. In a browser, log in with Tenant admin privileges and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to review the configuration. If the Directory service is not configured correctly, this is a finding.

Fix: F-97027r1_fix

Interview the ISSO. Obtain the correct configuration for the site's Directory services. In a browser, log in with Tenant admin privileges, and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to edit the configuration in accordance with the instructions provided by the ISSO.

vIDM must utilize encryption when using LDAP for authentication.
  • RMF Control: IA-5
  • Severity: High
  • CCI: CCI-000197
  • Version: VRAU-VI-000240
  • Vuln IDs: V-90287
  • Rule IDs: SV-100937r1_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.
Checks: C-89979r1_chk

In a browser, log in with Tenant admin privileges, and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to review the configuration. If the SSL checkbox is not selected, this is a finding. Note: The checkbox is labeled "This Directory requires all connections to use SSL".

Fix: F-97029r1_fix

In a browser, log in with Tenant admin privileges, and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to edit the configuration. Select the checkbox labeled "This Directory requires all connections to use SSL". Click "Save".

vIDM must be configured to provide clustering.
  • RMF Control: SC-24
  • Severity: Medium
  • CCI: CCI-001190
  • Version: VRAU-VI-000315
  • Vuln IDs: V-90289
  • Rule IDs: SV-100939r1_rule
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple application servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy.
Checks: C-89981r1_chk

Interview the ISSO. Obtain the correct configuration for clustering used by the site. Review the vRealize Automation appliance's installation, environment, and configuration. Determine if vRA clustering has been correctly implemented. If vRA is not correctly implementing clustering, this is a finding.

Fix: F-97031r1_fix

Interview the ISSO. Obtain the correct configuration for clustering used by the site. Configure vRealize Automation to be in compliance with the clustering design provided by the ISSO.

vIDM must be configured to log activity to the horizon.log file.
  • RMF Control: SI-11
  • Severity: Medium
  • CCI: CCI-001312
  • Version: VRAU-VI-000340
  • Vuln IDs: V-90291
  • Rule IDs: SV-100941r1_rule
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. Application servers must have the capability to log at various levels, which can provide log entries for potential security-related error events. An example is the capability for the application server to assign a criticality level to a failed logon attempt error message, a security-related error message being of a higher criticality.
Checks: C-89983r1_chk

At the command prompt, execute the following command:

  grep log4j.appender.rollingFile.file /usr/local/horizon/conf/saas-log4j.properties

If "log4j.appender.rollingFile.file" is not set to "/opt/vmware/horizon/workspace/logs/horizon.log", or is commented out or missing, this is a finding.

Fix: F-97033r1_fix

Navigate to and open /usr/local/horizon/conf/saas-log4j.properties. Configure the vIDM policy log file with the following lines:

  log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender
  log4j.appender.rollingFile.MaxFileSize=50MB
  log4j.appender.rollingFile.MaxBackupIndex=7
  log4j.appender.rollingFile.Encoding=UTF-8
  log4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log
  log4j.appender.rollingFile.append=true
  log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout
  log4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n
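The check and fix above are shared by VRAU-VI-000020 and VRAU-VI-000340, and both reduce to inspecting one key in saas-log4j.properties. As an added example, not part of the STIG or of vIDM, the POSIX shell script below automates that check: it reports each of the three finding conditions the check names (wrong value, commented out, missing) and additionally compares the other appender settings from the fix text. STIG_PROPS and EXPECTED_LOG are the values the STIG gives; the function names are my own, and the sample .properties files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the STIG or of vIDM): an automated form of the
# VRAU-VI-000020 / VRAU-VI-000340 check. STIG_PROPS and EXPECTED_LOG are the
# values the STIG text gives; the sample .properties files further down are
# constructed here so the script runs offline.

STIG_PROPS="/usr/local/horizon/conf/saas-log4j.properties"
EXPECTED_LOG="/opt/vmware/horizon/workspace/logs/horizon.log"

# Escape the dots in a property key so it can be used in a sed/grep BRE.
key_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# property_value FILE KEY: print the last active (uncommented) value of KEY,
# or nothing if KEY is absent. log4j 1.x accepts '=' or ':' as separator and
# the last assignment wins, so the lookup mirrors that.
property_value() {
    k=$(key_regex "$2")
    sed -n "s/^[[:space:]]*${k}[[:space:]]*[=:][[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}
property_is_set()       { grep -q "^[[:space:]]*$(key_regex "$2")[[:space:]]*[=:]" "$1"; }
property_is_commented() { grep -q "^[[:space:]]*[#!][[:space:]]*$(key_regex "$2")[[:space:]]*[=:]" "$1"; }

# check_rolling_file FILE: the STIG check proper. Returns 0 when compliant,
# otherwise prints the reason and returns 1 (value differs, key commented
# out, or key missing).
check_rolling_file() {
    file="$1"; key="log4j.appender.rollingFile.file"
    if [ ! -r "$file" ]; then
        echo "FINDING: $file is missing or unreadable"; return 1
    fi
    if ! property_is_set "$file" "$key"; then
        if property_is_commented "$file" "$key"; then
            echo "FINDING: $key is commented out"
        else
            echo "FINDING: $key is missing"
        fi
        return 1
    fi
    value=$(property_value "$file" "$key")
    if [ "$value" != "$EXPECTED_LOG" ]; then
        echo "FINDING: $key is '$value', expected '$EXPECTED_LOG'"; return 1
    fi
    echo "PASS: $key=$value"
}

# check_fix_settings FILE: also verify the other appender settings the fix
# text prescribes. ConversionPattern is skipped: its value holds '%' and
# braces that would need escaping, and the STIG check only inspects '.file'.
check_fix_settings() {
    file="$1"; rc=0
    for kv in \
        "log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender" \
        "log4j.appender.rollingFile.MaxFileSize=50MB" \
        "log4j.appender.rollingFile.MaxBackupIndex=7" \
        "log4j.appender.rollingFile.Encoding=UTF-8" \
        "log4j.appender.rollingFile.append=true" \
        "log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout"
    do
        key=${kv%%=*}; want=${kv#*=}
        got=$(property_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key is '${got:-<unset>}', expected '$want'"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "PASS: appender settings match the fix"
    return "$rc"
}

# --- Constructed sample inputs (stand-ins for the real appliance file) ---
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
cat >"$SAMPLES/compliant.properties" <<'EOF'
log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender
log4j.appender.rollingFile.MaxFileSize=50MB
log4j.appender.rollingFile.MaxBackupIndex=7
log4j.appender.rollingFile.Encoding=UTF-8
log4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log
log4j.appender.rollingFile.append=true
log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout
log4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n
EOF
# Same file with the log path commented out: a finding.
sed 's/^log4j\.appender\.rollingFile\.file=/# &/' "$SAMPLES/compliant.properties" >"$SAMPLES/commented.properties"
# Log path and backup count changed (with spaces around '='): findings for both checks.
cat >"$SAMPLES/wrongpath.properties" <<'EOF'
log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender
log4j.appender.rollingFile.MaxBackupIndex = 3
log4j.appender.rollingFile.file = /var/log/horizon.log
EOF

# Run both checks over the samples; on a real appliance pass "$STIG_PROPS".
for f in compliant commented wrongpath; do
    echo "== $f.properties"
    check_rolling_file "$SAMPLES/$f.properties" || true
    check_fix_settings "$SAMPLES/$f.properties" || true
done
```

On an appliance, call check_rolling_file "$STIG_PROPS" in place of the samples. The script distinguishes "commented out" from "set" because the STIG's bare grep is a substring match and will also print a line such as "# log4j.appender.rollingFile.file=...", so an assessor reading grep output has to notice the leading comment marker; the script also tolerates whitespace around the separator, which the bare grep does not need to but a hand-edited file may contain.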

vIDM, when installed in a MAC I system, must be in a high-availability (HA) cluster.
  • RMF Control: SC-5
  • Severity: High
  • CCI: CCI-002385
  • Version: VRAU-VI-000550
  • Vuln IDs: V-90293
  • Rule IDs: SV-100943r1_rule
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. HA clustering the application server gives the hosted application and its data a platform that is load-balanced and highly available.
Checks: C-89985r1_chk

If vRA is not installed in a MAC I system, this is Not Applicable. Interview the ISSO. Obtain the correct configuration for clustering used by the site. Review the vRealize Automation appliance's installation, environment, and configuration. Determine if vRA clustering has been correctly implemented. If vRA is not correctly implementing clustering, this is a finding.

Fix: F-97035r1_fix

If vRA is not installed in a MAC I system, this is Not Applicable. Interview the ISSO. Obtain the correct configuration for clustering used by the site. Configure vRealize Automation to be in compliance with the clustering design provided by the ISSO.

The vRealize Automation appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • RMF Control: CM-6
  • Severity: Medium
  • CCI: CCI-000366
  • Version: VRAU-VI-000655
  • Vuln IDs: V-90295
  • Rule IDs: SV-100945r1_rule
Configuring the vRealize Automation application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. The vRA product is continually under refinement, and patches are regularly released to address vulnerabilities. As a result, the vRA STIG is also subject to a release cycle on a quarterly basis. Assessors should ensure that they are reviewing the vRealize Automation appliance with the most current STIG.
Checks: C-89987r1_chk

Obtain the current vRealize Automation STIGs from the ISSO. Verify that this STIG is the most current STIG available for vRealize Automation. Assess all of the organization's vRA installations to ensure that they are fully compliant with the most current STIG. If the most current version of the vRA STIG was not used, or if the vRA appliance configuration is not compliant with the most current STIG, this is a finding.

Fix: F-97037r1_fix

Obtain the most current vRealize Automation STIG. Verify that this vRA appliance is configured with all current requirements.