VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V2R1

Published: 2021-07-01

Updated At: 2021-08-02 18:13:08


    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-239441r661774_rule VROM-SL-000005 CCI-000015 MEDIUM The SLES for vRealize must provide automated mechanisms for supporting account management functions. Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps t
    SV-239442r661777_rule VROM-SL-000010 CCI-000016 MEDIUM The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. T
    SV-239443r661780_rule VROM-SL-000015 CCI-000018 MEDIUM The SLES for vRealize must audit all account creations. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitiga
    SV-239444r661783_rule VROM-SL-000020 CCI-000018 MEDIUM In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitiga
    SV-239445r661786_rule VROM-SL-000025 CCI-000044 MEDIUM The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
    SV-239446r661789_rule VROM-SL-000030 CCI-000048 MEDIUM The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH. Display of a standardized and approved use notification before granting access to the SLES for vRealize ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations
    SV-239447r661792_rule VROM-SL-000040 CCI-000054 LOW The SLES for vRealize must limit the number of concurrent sessions to ten for all accounts and/or account types. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This r
    SV-239448r661795_rule VROM-SL-000050 CCI-000057 MEDIUM The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t
    SV-239449r661798_rule VROM-SL-000055 CCI-000057 MEDIUM The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t
    SV-239450r661801_rule VROM-SL-000070 CCI-000067 MEDIUM The SLES for vRealize must monitor remote access methods - SSH Daemon. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-239451r661804_rule VROM-SL-000075 CCI-000068 MEDIUM The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-239452r766911_rule VROM-SL-000080 CCI-000068 MEDIUM The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-239453r661810_rule VROM-SL-000085 CCI-000130 MEDIUM The SLES for vRealize must produce audit records. Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example,
    SV-239454r661813_rule VROM-SL-000125 CCI-000139 MEDIUM The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system oper
    SV-239455r661816_rule VROM-SL-000130 CCI-000140 MEDIUM The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern). It is critical that when the SLES for vRealize is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and a
    SV-239456r661819_rule VROM-SL-000150 CCI-000162 MEDIUM The SLES for vRealize must protect audit information from unauthorized read access - ownership. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully
    SV-239457r661822_rule VROM-SL-000155 CCI-000162 MEDIUM The SLES for vRealize must protect audit information from unauthorized read access - group ownership. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully
    SV-239458r661825_rule VROM-SL-000160 CCI-000163 MEDIUM The SLES for vRealize must protect audit information from unauthorized modification. If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect au
    SV-239459r661828_rule VROM-SL-000165 CCI-000164 MEDIUM The SLES for vRealize must protect audit information from unauthorized deletion. If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect au
    SV-239460r661831_rule VROM-SL-000170 CCI-000164 MEDIUM The SLES for vRealize must protect audit information from unauthorized deletion - log directories. If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect au
    SV-239461r767694_rule VROM-SL-000175 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239462r767695_rule VROM-SL-000180 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239463r767696_rule VROM-SL-000185 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239464r767697_rule VROM-SL-000190 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239465r767698_rule VROM-SL-000195 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239466r767699_rule VROM-SL-000200 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239467r767700_rule VROM-SL-000205 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239468r767701_rule VROM-SL-000210 CCI-000169 MEDIUM The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239469r767702_rule VROM-SL-000215 CCI-000169 MEDIUM The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setparam. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239470r767703_rule VROM-SL-000220 CCI-000169 MEDIUM The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setscheduler. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239471r767704_rule VROM-SL-000225 CCI-000169 MEDIUM The SLES for vRealize must be configured to audit all attempts to alter /var/log/faillog. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239472r767705_rule VROM-SL-000230 CCI-000169 MEDIUM The SLES for vRealize must be configured to audit all attempts to alter /var/log/lastlog. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239473r767706_rule VROM-SL-000235 CCI-000169 MEDIUM The SLES for vRealize must be configured to audit all attempts to alter /var/log/tallylog. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the i
    SV-239474r661873_rule VROM-SL-000240 CCI-000171 MEDIUM The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming th
    SV-239475r661876_rule VROM-SL-000245 CCI-000171 MEDIUM The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming th
    SV-239476r661879_rule VROM-SL-000250 CCI-000171 MEDIUM The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group ownership. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming th
    SV-239477r661882_rule VROM-SL-000255 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The operating system must generate audit records for all discretionary access control permission modifications using chmod. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239478r661885_rule VROM-SL-000260 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239479r661888_rule VROM-SL-000265 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239480r661891_rule VROM-SL-000270 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239481r661894_rule VROM-SL-000275 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239482r661897_rule VROM-SL-000280 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239483r661900_rule VROM-SL-000285 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239484r661903_rule VROM-SL-000290 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239485r661906_rule VROM-SL-000295 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239486r661909_rule VROM-SL-000300 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239487r661912_rule VROM-SL-000305 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239488r661915_rule VROM-SL-000310 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239489r661918_rule VROM-SL-000315 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239490r661921_rule VROM-SL-000320 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239491r661924_rule VROM-SL-000340 CCI-000192 MEDIUM The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-239492r661927_rule VROM-SL-000345 CCI-000192 MEDIUM Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files. PAM global requirements are generally defined in the common-account, common-auth, common-password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied the file(s) containing them must be included direc
    SV-239493r661930_rule VROM-SL-000350 CCI-000193 MEDIUM The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-239494r661933_rule VROM-SL-000355 CCI-000194 MEDIUM The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-239495r661936_rule VROM-SL-000360 CCI-000195 MEDIUM The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed. If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of cha
    SV-239496r661939_rule VROM-SL-000365 CCI-000196 HIGH The SLES for vRealize must store only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
    SV-239497r661942_rule VROM-SL-000375 CCI-000198 MEDIUM SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeate
    SV-239498r661945_rule VROM-SL-000380 CCI-000198 MEDIUM Users must not be able to change passwords more than once every 24 hours. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeate
    SV-239499r661948_rule VROM-SL-000385 CCI-000199 MEDIUM SLES for vRealize must enforce a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for
    SV-239500r661951_rule VROM-SL-000390 CCI-000199 MEDIUM User passwords must be changed at least every 60 days. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for
    SV-239501r661954_rule VROM-SL-000395 CCI-000200 MEDIUM The SLES for vRealize must prohibit password reuse for a minimum of five generations. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password
    SV-239502r661957_rule VROM-SL-000400 CCI-000200 MEDIUM The SLES for vRealize must prohibit password reuse for a minimum of five generations. Ensure the old passwords are being stored. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password
    SV-239503r661960_rule VROM-SL-000405 CCI-000205 MEDIUM The SLES for vRealize must enforce a minimum 15-character password length. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru
    SV-239504r661963_rule VROM-SL-000415 CCI-000213 MEDIUM The SLES for vRealize must require root password authentication upon booting into single-user mode. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-239505r661966_rule VROM-SL-000420 CCI-000213 MEDIUM Bootloader authentication must be enabled to prevent unprivileged users from gaining access to restricted file system resources. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-239506r661969_rule VROM-SL-000425 CCI-000213 MEDIUM The SLES for vRealize boot loader configuration file(s) must have mode 0600 or less permissive. File permissions more permissive than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions.
    SV-239507r661972_rule VROM-SL-000430 CCI-000213 MEDIUM The SLES for vRealize boot loader configuration files must be owned by root. The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modification of these files resulting from improper ownership could compromise the system's boot loader configuration
    SV-239508r661975_rule VROM-SL-000435 CCI-000213 MEDIUM The SLES for vRealize boot loader configuration file(s) must be group-owned by root, bin, sys, or system. The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modifications resulting from improper group ownership may compromise the boot loader configuration.
    SV-239509r661978_rule VROM-SL-000440 CCI-000381 MEDIUM The Bluetooth protocol handler must be disabled or not installed. Bluetooth is a personal area network (PAN) technology. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a so
    SV-239510r661981_rule VROM-SL-000445 CCI-000381 MEDIUM The SLES for vRealize must have USB Mass Storage disabled unless needed. USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
    SV-239511r661984_rule VROM-SL-000450 CCI-000381 MEDIUM The SLES for vRealize must have USB disabled unless needed. USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
    SV-239512r661987_rule VROM-SL-000455 CCI-000381 MEDIUM The telnet-server package must not be installed. Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.
    SV-239513r661990_rule VROM-SL-000460 CCI-000381 MEDIUM The rsh-server package must not be installed. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
    SV-239514r661993_rule VROM-SL-000465 CCI-000381 MEDIUM The ypserv package must not be installed. Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
    SV-239515r661996_rule VROM-SL-000470 CCI-000381 MEDIUM The yast2-tftp-server package must not be installed. Removing the "yast2-tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
    SV-239516r661999_rule VROM-SL-000485 CCI-000382 MEDIUM The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. The Datagram Congestion Control Protocol (DCCP) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to
    SV-239517r662002_rule VROM-SL-000490 CCI-000382 MEDIUM The Stream Control Transmission Protocol (SCTP) must be disabled unless required. The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may b
    SV-239518r662005_rule VROM-SL-000495 CCI-000382 MEDIUM The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local process
    SV-239519r662008_rule VROM-SL-000500 CCI-000382 MEDIUM The Transparent Inter-Process Communication (TIPC) must be disabled or not installed. The Transparent Inter-Process Communication (TIPC) protocol is a relatively new cluster communications protocol developed by Ericsson. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be
    SV-239520r662011_rule VROM-SL-000505 CCI-000382 MEDIUM The xinetd service must be disabled if no network services utilizing it are enabled. The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself
    SV-239521r662014_rule VROM-SL-000510 CCI-000382 MEDIUM The ypbind service must not be running if no network services utilizing it are enabled. Disabling the "ypbind" service ensures the SLES for vRealize is not acting as a client in a NIS or NIS+ domain when not required.
    SV-239522r662017_rule VROM-SL-000515 CCI-000382 MEDIUM NIS/NIS+/yp files must be owned by root, sys, or bin. NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized
    SV-239523r662020_rule VROM-SL-000520 CCI-000382 MEDIUM The NIS/NIS+/yp command files must have mode 0755 or less permissive. NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and SLES for vRealize.
    SV-239524r662023_rule VROM-SL-000525 CCI-000382 MEDIUM The SLES for vRealize must not use UDP for NIS/NIS+. Implementing NIS or NIS+ under UDP may make SLES for vRealize more susceptible to a denial of service attack and does not provide the same quality of service as TCP.
    SV-239525r662026_rule VROM-SL-000530 CCI-000382 MEDIUM NIS maps must be protected through hard-to-guess domain names. The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information.
    SV-239526r662029_rule VROM-SL-000535 CCI-000382 MEDIUM Mail relaying must be restricted. If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending SPAM or other unauthorized activity.
    SV-239527r662032_rule VROM-SL-000540 CCI-000382 MEDIUM The alias files must be owned by root. If the alias and aliases.db files are not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.
    SV-239528r662035_rule VROM-SL-000545 CCI-000382 MEDIUM The alias files must be group-owned by root, or a system group. If the aliases and aliases.db files are not group-owned by root or a system group, an unauthorized user may modify one or both of the files to add aliases to run malicious code or redirect email.
    SV-239529r662038_rule VROM-SL-000550 CCI-000382 MEDIUM The alias files must have mode 0644 or less permissive. Excessive permissions on the alias files may permit unauthorized modification. If an alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email.
    SV-239530r662041_rule VROM-SL-000555 CCI-000382 MEDIUM Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root. If a file executed through a mail aliases file is not owned and writable only by root, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges.
    SV-239531r662044_rule VROM-SL-000560 CCI-000382 MEDIUM Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system. If a file executed through a mail aliases file is not group-owned by root or a system group, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges
    SV-239532r662047_rule VROM-SL-000565 CCI-000382 MEDIUM Files executed through a mail aliases file must have mode 0755 or less permissive. If a file executed through a mail alias file has permissions greater than 0755, it can be modified by an unauthorized user and may contain malicious code or instructions that could compromise the system.
    SV-239533r662050_rule VROM-SL-000570 CCI-000382 MEDIUM Sendmail logging must not be set to less than nine in the sendmail.cf file. If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service.
    SV-239534r662053_rule VROM-SL-000575 CCI-000382 MEDIUM The system syslog service must log informational and more severe SMTP service messages. If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed.
    SV-239535r662056_rule VROM-SL-000580 CCI-000382 MEDIUM The SMTP service log files must be owned by root. If the SMTP service log file is not owned by root, then unauthorized personnel may modify or delete the file to hide a system compromise.
    SV-239536r662059_rule VROM-SL-000585 CCI-000382 MEDIUM The SMTP service log file must have mode 0644 or less permissive. If the SMTP service log file is more permissive than 0644, unauthorized users may be allowed to change the log file.
    SV-239537r662062_rule VROM-SL-000590 CCI-000382 MEDIUM The SMTP service HELP command must not be enabled. The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions.
    SV-239538r662065_rule VROM-SL-000595 CCI-000382 MEDIUM The SMTP service's SMTP greeting must not provide version information. The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.
    SV-239539r662068_rule VROM-SL-000600 CCI-000382 MEDIUM The SMTP service must not use .forward files. The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops that could degrade system performance.
    SV-239540r662071_rule VROM-SL-000605 CCI-000382 MEDIUM The SMTP service must not have the EXPN feature active. The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the fu
    SV-239541r662074_rule VROM-SL-000610 CCI-000382 MEDIUM The SMTP service must not have the VRFY feature active. The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full name
    SV-239542r662077_rule VROM-SL-000615 CCI-000382 MEDIUM The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required. The Lightweight User Datagram Protocol (UDP-Lite) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able t
    SV-239543r662080_rule VROM-SL-000620 CCI-000382 MEDIUM The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed. The Internetwork Packet Exchange (IPX) protocol is a network-layer protocol that is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vR
    SV-239544r662083_rule VROM-SL-000625 CCI-000382 MEDIUM The AppleTalk protocol must be disabled or not installed. The AppleTalk suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by
    SV-239545r662086_rule VROM-SL-000630 CCI-000382 MEDIUM The DECnet protocol must be disabled or not installed. The DECnet suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by op
    SV-239546r662089_rule VROM-SL-000635 CCI-000382 MEDIUM Proxy Neighbor Discovery Protocol (NDP) must not be enabled on SLES for vRealize. Proxy Neighbor Discovery Protocol (NDP) allows a system to respond to NDP requests on one interface on behalf of hosts connected to another interface. If this function is enabled when not required, addressing information may be leaked between the attached
    SV-239547r662092_rule VROM-SL-000640 CCI-000382 MEDIUM The SLES for vRealize must not have 6to4 enabled. 6to4 is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets on an ad hoc basis. This is not a preferred transition strategy and increases the attack surface of SLES for vRealize.
    SV-239548r662095_rule VROM-SL-000645 CCI-000382 MEDIUM The SLES for vRealize must not have Teredo enabled. Teredo is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets. Unauthorized tunneling may circumvent network security.
    SV-239549r662098_rule VROM-SL-000650 CCI-000382 MEDIUM The DHCP client must be disabled if not needed. DHCP allows for the unauthenticated configuration of network parameters on SLES for vRealize by exchanging information with a DHCP server.
    SV-239550r662101_rule VROM-SL-000655 CCI-000382 MEDIUM The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed. Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
    SV-239551r662104_rule VROM-SL-000660 CCI-000764 MEDIUM Duplicate User IDs (UIDs) must not exist for users within the organization. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of SLES for vRealize. Organizational users include organizational employees or individuals t
    SV-239552r662107_rule VROM-SL-000685 CCI-000770 HIGH The SLES for vRealize must prevent direct logon into the root account. To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does
    SV-239553r662110_rule VROM-SL-000690 CCI-001941 MEDIUM The SLES for vRealize must enforce SSHv2 for network access to privileged accounts. A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication proc
    SV-239554r662113_rule VROM-SL-000695 CCI-001942 MEDIUM The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts. A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication proc
    SV-239555r662116_rule VROM-SL-000705 CCI-000795 MEDIUM The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration. Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
    SV-239556r662119_rule VROM-SL-000710 CCI-000803 MEDIUM The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. SLES for vRealize utilizing encryption are
    SV-239557r662122_rule VROM-SL-000715 CCI-000804 MEDIUM The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information syst
    SV-239558r662125_rule VROM-SL-000720 CCI-000804 MEDIUM The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information syst
    SV-239559r662128_rule VROM-SL-000730 CCI-001682 MEDIUM The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled. Emergency administrator accounts are privileged accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization proces
    SV-239560r662131_rule VROM-SL-000735 CCI-000877 MEDIUM The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system
    SV-239561r662134_rule VROM-SL-000740 CCI-000879 MEDIUM The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating sys
    SV-239562r662137_rule VROM-SL-000760 CCI-001095 MEDIUM The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is availabl
    SV-239563r662140_rule VROM-SL-000765 CCI-001095 MEDIUM The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is availabl
    SV-239564r662405_rule VROM-SL-000770 CCI-001133 MEDIUM The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-239565r662146_rule VROM-SL-000795 CCI-001314 MEDIUM The /var/log directory must be group-owned by root. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239566r662149_rule VROM-SL-000800 CCI-001314 MEDIUM The /var/log directory must be owned by root. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239567r662152_rule VROM-SL-000805 CCI-001314 MEDIUM The /var/log directory must have mode 0750 or less permissive. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239568r662155_rule VROM-SL-000810 CCI-001314 MEDIUM The /var/log/messages file must be group-owned by root. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239569r662158_rule VROM-SL-000815 CCI-001314 MEDIUM The /var/log/messages file must be owned by root. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239570r662161_rule VROM-SL-000820 CCI-001314 MEDIUM The /var/log/messages file must have mode 0640 or less permissive. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239571r662164_rule VROM-SL-000825 CCI-001314 MEDIUM The SLES for vRealize must reveal error messages only to authorized users. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239572r662167_rule VROM-SL-000830 CCI-001314 MEDIUM The SLES for vRealize must reveal error messages only to authorized users. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239573r662170_rule VROM-SL-000835 CCI-001314 MEDIUM The SLES for vRealize must reveal error messages only to authorized users. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Infor
    SV-239574r767707_rule VROM-SL-000840 CCI-001384 MEDIUM Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Display of a standardized and approved use notification before granting access to the publicly accessible SLES for vRealize ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives,
    SV-239575r662176_rule VROM-SL-000845 CCI-001403 MEDIUM The SLES for vRealize must audit all account modifications. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modificat
    SV-239576r662179_rule VROM-SL-000850 CCI-001403 MEDIUM The SLES for vRealize must audit all account modifications. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modificat
    SV-239577r662182_rule VROM-SL-000855 CCI-001404 MEDIUM The SLES for vRealize must audit all account-disabling actions. When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user acc
    SV-239578r662185_rule VROM-SL-000860 CCI-001405 MEDIUM The SLES for vRealize must audit all account removal actions. When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user acc
    SV-239579r662188_rule VROM-SL-000865 CCI-001453 MEDIUM The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating throu
    SV-239580r662191_rule VROM-SL-000870 CCI-001464 MEDIUM The SLES for vRealize must initiate session audits at system start-up. If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
    SV-239581r662194_rule VROM-SL-000875 CCI-001487 MEDIUM The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
    SV-239582r662197_rule VROM-SL-000880 CCI-001493 MEDIUM The SLES for vRealize must protect audit tools from unauthorized access. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providi
    SV-239583r662200_rule VROM-SL-000885 CCI-001494 MEDIUM The SLES for vRealize must protect audit tools from unauthorized modification. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providi
    SV-239584r662203_rule VROM-SL-000890 CCI-001495 MEDIUM The SLES for vRealize must protect audit tools from unauthorized deletion. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providi
    SV-239585r662206_rule VROM-SL-000900 CCI-001619 MEDIUM The SLES for vRealize must enforce password complexity by requiring that at least one special character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password co
    SV-239586r662209_rule VROM-SL-000910 CCI-001683 LOW The SLES for vRealize must notify System Administrators and Information Systems Security Officer when accounts are created. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is
    SV-239587r662212_rule VROM-SL-000915 CCI-001684 LOW The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are modified. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modif
    SV-239588r662215_rule VROM-SL-000920 CCI-001685 LOW The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are disabled. When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events
    SV-239589r662218_rule VROM-SL-000925 CCI-001686 LOW The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are removed. When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events
    SV-239590r662221_rule VROM-SL-000930 CCI-001496 MEDIUM The SLES for vRealize must use cryptographic mechanisms to protect the integrity of audit tools. Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfu
    SV-239591r662224_rule VROM-SL-000935 CCI-002361 MEDIUM The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, net
    SV-239592r662227_rule VROM-SL-000950 CCI-002314 MEDIUM The SLES for vRealize must control remote access methods. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD no
    SV-239593r662230_rule VROM-SL-000970 CCI-002130 MEDIUM The SLES for vRealize must audit all account enabling actions. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account
    SV-239594r662233_rule VROM-SL-000975 CCI-002132 MEDIUM The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account
    SV-239595r662236_rule VROM-SL-001005 CCI-002234 LOW The SLES for vRealize must audit the execution of privileged functions. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts
    SV-239596r662239_rule VROM-SL-001010 CCI-002238 LOW The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
    SV-239597r662242_rule VROM-SL-001035 CCI-001851 LOW The SLES for vRealize must off-load audit records onto a different system or media from the system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-239598r662245_rule VROM-SL-001040 CCI-001855 MEDIUM The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
    SV-239599r662248_rule VROM-SL-001045 CCI-001858 MEDIUM The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation
    SV-239600r662406_rule VROM-SL-001085 CCI-001891 MEDIUM The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S
    SV-239601r662254_rule VROM-SL-001090 CCI-001891 MEDIUM The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of th
    SV-239602r662257_rule VROM-SL-001095 CCI-001891 MEDIUM The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of th
    SV-239603r662260_rule VROM-SL-001100 CCI-001891 MEDIUM The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of th
    SV-239604r662263_rule VROM-SL-001105 CCI-002046 MEDIUM The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-239605r662266_rule VROM-SL-001130 CCI-001744 MEDIUM The SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be
    SV-239606r662269_rule VROM-SL-001140 CCI-001814 MEDIUM The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system. Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. E
    SV-239607r662272_rule VROM-SL-001145 CCI-001749 MEDIUM The RPM package management tool must cryptographically verify the authenticity of all software packages during installation. Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, ser
    SV-239608r662275_rule VROM-SL-001220 CCI-002884 MEDIUM The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions. If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance to
    SV-239609r662278_rule VROM-SL-001225 CCI-002890 MEDIUM The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integri
    SV-239610r662281_rule VROM-SL-001230 CCI-003123 MEDIUM The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintena
    SV-239611r662284_rule VROM-SL-001240 CCI-002450 HIGH The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provid
    SV-239612r662287_rule VROM-SL-001285 CCI-002418 HIGH The SLES for vRealize must protect the confidentiality and integrity of transmitted information. Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all
    SV-239613r662407_rule VROM-SL-001290 CCI-002421 HIGH The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common applicati
    SV-239614r662293_rule VROM-SL-001310 CCI-002824 MEDIUM The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution. Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address sp
    SV-239615r662296_rule VROM-SL-001315 CCI-002824 MEDIUM The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution. Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address sp
    SV-239616r662299_rule VROM-SL-001335 CCI-002702 MEDIUM The SLES for vRealize must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the
    SV-239617r662302_rule VROM-SL-001340 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239618r662305_rule VROM-SL-001345 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239619r662308_rule VROM-SL-001350 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239620r662311_rule VROM-SL-001355 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239621r662314_rule VROM-SL-001360 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239622r662317_rule VROM-SL-001365 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239623r662320_rule VROM-SL-001370 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security levels occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239624r662323_rule VROM-SL-001375 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239625r662326_rule VROM-SL-001380 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239626r662329_rule VROM-SL-001385 CCI-000172 MEDIUM The SLES for vRealize must generate audit records for privileged activities or other system-level access. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239627r662332_rule VROM-SL-001390 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit reco
    SV-239628r662335_rule VROM-SL-001395 CCI-000172 MEDIUM The SLES for vRealize must generate audit records showing starting and ending time for user access to the system. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239629r662338_rule VROM-SL-001400 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239630r662341_rule VROM-SL-001405 CCI-000172 MEDIUM The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239631r662344_rule VROM-SL-001410 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    SV-239632r662347_rule VROM-SL-001415 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    SV-239633r662350_rule VROM-SL-001420 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    SV-239634r662353_rule VROM-SL-001425 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    SV-239635r662356_rule VROM-SL-001430 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    SV-239636r662359_rule VROM-SL-001435 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit user deletions of files and programs. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
    SV-239637r662362_rule VROM-SL-001440 CCI-000172 MEDIUM The SLES for vRealize audit system must be configured to audit file deletions. If the SLES for vRealize system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
    SV-239638r662365_rule VROM-SL-001445 CCI-000172 MEDIUM Audit logs must be rotated daily. Rotate audit logs daily to preserve audit file system space and to conform to the DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.
    SV-239639r662368_rule VROM-SL-001450 CCI-000172 MEDIUM The SLES for vRealize must generate audit records for all direct access to the information system. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239640r662371_rule VROM-SL-001455 CCI-000172 MEDIUM The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239641r662374_rule VROM-SL-001460 CCI-000172 MEDIUM The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-239642r662408_rule VROM-SL-001465 CCI-002450 MEDIUM The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provid
    SV-239643r662380_rule VROM-SL-001470 CCI-001851 MEDIUM The SLES for vRealize must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-239644r662383_rule VROM-SL-001475 CCI-000366 MEDIUM The SLES for vRealize must prevent the use of dictionary words for passwords. If the SLES for vRealize system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
    SV-239645r662386_rule VROM-SL-001480 CCI-000366 MEDIUM The SLES for vRealize must prevent the use of dictionary words for passwords. If SLES for vRealize allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
    SV-239646r662389_rule VROM-SL-001485 CCI-000366 MEDIUM The SLES for vRealize must prevent the use of dictionary words for passwords. If SLES for vRealize allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
    SV-239647r662392_rule VROM-SL-001490 CCI-000366 MEDIUM The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    SV-239648r662395_rule VROM-SL-001495 CCI-000366 MEDIUM The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    SV-239649r662398_rule VROM-SL-001500 CCI-000366 MEDIUM The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    SV-239650r662401_rule VROM-SL-001505 CCI-000366 MEDIUM The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-239651r662404_rule VROM-SL-001510 CCI-000366 MEDIUM The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.