VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2018-10-12

Updated At: 2018-11-03 10:31:48

| Rule | Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-100845r1_rule | VRAU-VA-000010 | CCI-000068 | HIGH | The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the s |
| SV-100847r1_rule | VRAU-VA-000015 | CCI-001453 | HIGH | The vAMI must restrict inbound connections from nonsecure zones. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote a |
| SV-100849r1_rule | VRAU-VA-000055 | CCI-000171 | MEDIUM | The vAMI configuration file must be owned by root. | Log records can be generated from various components within the application server, (e.g., httpd, beans, etc.) From an application perspective, certain specific application functionalities may be logged, as well. The list of logged events is the set of ev |
| SV-100851r1_rule | VRAU-VA-000105 | CCI-000135 | MEDIUM | The vAMI must have sfcb logging enabled. | Privileged commands are commands that change the configuration or data of the application server. Since this type of command changes the application server configuration and could possibly change the security posture of the application server, these comma |
| SV-100853r1_rule | VRAU-VA-000130 | CCI-000162 | MEDIUM | The vAMI must protect log information from unauthorized read access. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an atta |
| SV-100855r1_rule | VRAU-VA-000135 | CCI-000163 | MEDIUM | The vAMI must protect log information from unauthorized modification. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an atta |
| SV-100857r1_rule | VRAU-VA-000140 | CCI-000164 | MEDIUM | The vAMI must protect log information from unauthorized deletion. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. Application servers contain admin interfaces that allow reading |
| SV-100859r1_rule | VRAU-VA-000160 | CCI-001348 | MEDIUM | The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to a different system or onto separate media from the system that the vAMI is actually running on helps to assure that in the event of a catastro |
| SV-100861r1_rule | VRAU-VA-000170 | CCI-001749 | MEDIUM | Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the softwa |
| SV-100863r1_rule | VRAU-VA-000175 | CCI-001499 | MEDIUM | The vAMI executable files and library must not be world-writeable. | Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared |
| SV-100865r1_rule | VRAU-VA-000180 | CCI-001499 | MEDIUM | The vAMI installation procedures must be capable of being rolled back to a last known good configuration. | Any changes to the components of the application server can have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations and application server upgrades, the application server mu |
| SV-100867r1_rule | VRAU-VA-000185 | CCI-000381 | HIGH | The vAMI must not contain any unnecessary functions and only provide essential capabilities. | Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Application servers must provide the capability to disabl |
| SV-100869r1_rule | VRAU-VA-000190 | CCI-000382 | MEDIUM | The vAMI must use the sfcb HTTPS port for communication with Lighttpd. | Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features all |
| SV-100871r1_rule | VRAU-VA-000195 | CCI-000764 | MEDIUM | The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. |
| SV-100873r1_rule | VRAU-VA-000235 | CCI-000197 | HIGH | The vAMI must transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have t |
| SV-100875r1_rule | VRAU-VA-000250 | CCI-000186 | HIGH | The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the priva |
| SV-100877r1_rule | VRAU-VA-000265 | CCI-000803 | HIGH | The vAMI must use approved versions of TLS. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use |
| SV-100879r1_rule | VRAU-VA-000285 | CCI-001184 | MEDIUM | The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator. | This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session toke |
| SV-100881r1_rule | VRAU-VA-000295 | CCI-001664 | MEDIUM | The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator. | Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, i |
| SV-100883r1_rule | VRAU-VA-000300 | CCI-001664 | MEDIUM | The vAMI must have the correct authentication set for HTTPS connections. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other p |
| SV-100885r1_rule | VRAU-VA-000310 | CCI-001190 | MEDIUM | The vAMI installation procedures must be part of a complete vRealize Automation deployment. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an application is deployed to the vAMI, if the deployment process do |
| SV-100887r1_rule | VRAU-VA-000320 | CCI-001190 | MEDIUM | The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Fail-secure is a condition achieved by the vAMI in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. Preserving information system state informa |
| SV-100889r1_rule | VRAU-VA-000340 | CCI-001312 | MEDIUM | The vAMI error logs must be reviewed. | The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and |
| SV-100891r1_rule | VRAU-VA-000385 | CCI-002314 | MEDIUM | The vAMI account credentials must be protected by site policies. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sess |
| SV-100893r1_rule | VRAU-VA-000405 | CCI-001914 | MEDIUM | The vAMI sfcb config file must be group-owned by root. | Log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system |
| SV-100895r1_rule | VRAU-VA-000415 | CCI-001844 | MEDIUM | The vAMI must utilize syslog. | A clustered application server is made up of several servers working together to provide the user a failover and increased computing capability. To facilitate uniform logging in the event of an incident and later forensic investigation, the record format |
| SV-100897r1_rule | VRAU-VA-000460 | CCI-001813 | MEDIUM | The vAMI configuration file must be protected from unauthorized access. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system. Access restrict |
| SV-100899r1_rule | VRAU-VA-000530 | CCI-002450 | MEDIUM | The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protec |
| SV-100901r1_rule | VRAU-VA-000555 | CCI-002385 | MEDIUM | The vAMI must have the keepaliveTimeout enabled. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server mu |
| SV-100903r1_rule | VRAU-VA-000560 | CCI-002385 | MEDIUM | The vAMI must have the keepaliveMaxRequest enabled. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server mu |
| SV-100905r1_rule | VRAU-VA-000565 | CCI-002418 | MEDIUM | The vAMI must use approved versions of TLS. | Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Tra |
| SV-100907r1_rule | VRAU-VA-000570 | CCI-002421 | MEDIUM | The vAMI sfcb must have HTTPS enabled. | Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through |
| SV-100909r1_rule | VRAU-VA-000580 | CCI-002422 | MEDIUM | The vAMI sfcb must have HTTP disabled. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c |
| SV-100911r1_rule | VRAU-VA-000595 | CCI-002605 | MEDIUM | The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to |
| SV-100913r1_rule | VRAU-VA-000610 | CCI-000172 | MEDIUM | The vAMI must log all successful login events. | Logging the access to the application server allows the system administrators to monitor user accounts. By logging successful/unsuccessful logons, the system administrator can determine if an account is compromised (e.g., frequent logons) or is in the pro |
| SV-100915r1_rule | VRAU-VA-000615 | CCI-000172 | MEDIUM | The vAMI must enable logging. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Privileged act |
| SV-100917r1_rule | VRAU-VA-000620 | CCI-000172 | MEDIUM | The vAMI must have PAM logging enabled. | Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Generating these events, especially if the management interface is accessed via a stateless protocol like HTTP, |
| SV-100919r1_rule | VRAU-VA-000625 | CCI-000172 | MEDIUM | The vAMI must log all login events. | Being able to work on a system through multiple views into the application allows a user to work more efficiently and more accurately. Before environments with windowing capabilities or multiple desktops, a user would log onto the application from differe |
| SV-100921r1_rule | VRAU-VA-000635 | CCI-002450 | MEDIUM | The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor. | An asymmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise, and the private portion of the key must be protected. The application server will provid |
| SV-100923r1_rule | VRAU-VA-000640 | CCI-002450 | MEDIUM | If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. | If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable. Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates |
| SV-100925r1_rule | VRAU-VA-000645 | CCI-001851 | MEDIUM | The vAMI must utilize syslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading shou |
| SV-100927r1_rule | VRAU-VA-000650 | CCI-000366 | MEDIUM | The vAMI must be configured to listen on a specific IPv4 address. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security p |
| SV-100929r1_rule | VRAU-VA-000655 | CCI-000366 | MEDIUM | The vAMI must be configured to listen on a specific network interface. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security p |
| SV-100931r1_rule | VRAU-VA-000660 | CCI-002418 | MEDIUM | The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server will reply with the cipher suite it will use for communica |