VMW vRealize Automation 7.x vIDM Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]


Version / Release: V1R1

Published: 2018-10-12

Updated At: 2018-11-03 10:31:52





Vuln: SV-100933r1_rule
Rule Version: VRAU-VI-000020
CCI: CCI-000067
Severity: MEDIUM
Title: vIDM must be configured to log activity to the horizon.log file.
Description: Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. App

Vuln: SV-100935r1_rule
Rule Version: VRAU-VI-000195
CCI: CCI-000764
Severity: MEDIUM
Title: vIDM must be configured correctly for the site enterprise user management system.
Description: To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature.

Vuln: SV-100937r1_rule
Rule Version: VRAU-VI-000240
CCI: CCI-000197
Severity: HIGH
Title: vIDM must utilize encryption when using LDAP for authentication.
Description: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected

Vuln: SV-100939r1_rule
Rule Version: VRAU-VI-000315
CCI: CCI-001190
Severity: MEDIUM
Title: vIDM must be configured to provide clustering.
Description: This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integr

Vuln: SV-100941r1_rule
Rule Version: VRAU-VI-000340
CCI: CCI-001312
Severity: MEDIUM
Title: vIDM must be configured to log activity to the horizon.log file.
Description: The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and

Vuln: SV-100943r1_rule
Rule Version: VRAU-VI-000550
CCI: CCI-002385
Severity: HIGH
Title: vIDM, when installed in a MAC I system, must be in a high-availability (HA) cluster.
Description: A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the applicati

Vuln: SV-100945r1_rule
Rule Version: VRAU-VI-000655
CCI: CCI-000366
Severity: MEDIUM
Title: The vRealize Automation appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Description: Configuring the vRealize Automation application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most re