VMware vRealize Operations Manager 6.x Application Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]


Version / Release: V1R1

Published: 2018-10-11

Updated At: 2018-11-03 10:31:52




Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-98855r1_rule VROM-AP-000195 CCI-000764 MEDIUM The vRealize Operations server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (LDAP) in nature.
    SV-98857r1_rule VROM-AP-000295 CCI-001185 MEDIUM The vRealize Operations server session timeout must be configured. If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a l
    SV-98859r1_rule VROM-AP-000315 CCI-001190 MEDIUM The vRealize Operations server must be configured to perform complete application deployments. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an application is deployed to the application server, if the deploy
    SV-98861r1_rule VROM-AP-000540 CCI-002470 MEDIUM The vRealize Operations server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
    SV-98863r1_rule VROM-AP-000655 CCI-000366 MEDIUM The vRealize Operations appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Configuring the vRealize Operations appliance to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most rest