Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2023-09-12
  • Released: 2023-10-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions.
AC-17 - High - CCI-000068 - V-240926 - SV-240926r879519_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
VRAU-VA-000010
Vuln IDs
  • V-240926
  • V-90195
Rule IDs
  • SV-240926r879519_rule
  • SV-100845
Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Types of management interfaces utilized by an application server include web-based HTTPS interfaces as well as command line-based management interfaces.
Checks: C-44159r675943_chk

At the command prompt, execute the following command: grep '^ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.cipher-list" is not set to "FIPS: +3DES:!aNULL", or is missing or is commented out, this is a finding.

Fix: F-44118r675944_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following value: 'ssl.cipher-list = "FIPS: +3DES:!aNULL"'

c
The vAMI must restrict inbound connections from nonsecure zones.
AC-17 - High - CCI-001453 - V-240927 - SV-240927r879520_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
VRAU-VA-000015
Vuln IDs
  • V-240927
  • V-90197
Rule IDs
  • SV-240927r879520_rule
  • SV-100847
Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems.
Checks: C-44160r675946_chk

At the command prompt, execute the following command: grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.engine" is not set to "enable", or is missing or is commented out, this is a finding.

Fix: F-44119r675947_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following value: 'ssl.engine = "enable"'

b
The vAMI configuration file must be owned by root.
AU-12 - Medium - CCI-000171 - V-240928 - SV-240928r879560_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
VRAU-VA-000055
Vuln IDs
  • V-240928
  • V-90199
Rule IDs
  • SV-240928r879560_rule
  • SV-100849
Log records can be generated from various components within the application server, (e.g., httpd, beans, etc.) From an application perspective, certain specific application functionalities may be logged, as well. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., logable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component logable events. The application server must be configured to select which personnel are assigned the role of selecting which logable events are to be logged. The personnel or roles that can select logable events are only the ISSM (or individuals or roles appointed by the ISSM).
Checks: C-44161r675949_chk

At the command prompt, execute the following command: ls -lL /opt/vmware/etc/sfcb/sfcb.cfg If the sfcb.cfg file is not owned by root, this is a finding.

Fix: F-44120r675950_fix

At the command prompt, enter the following command: chown root:root /opt/vmware/etc/sfcb/sfcb.cfg

b
The vAMI must have sfcb logging enabled.
AU-3 - Medium - CCI-000135 - V-240929 - SV-240929r879569_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
VRAU-VA-000105
Vuln IDs
  • V-240929
  • V-90201
Rule IDs
  • SV-240929r879569_rule
  • SV-100851
Privileged commands are commands that change the configuration or data of the application server. Since this type of command changes the application server configuration and could possibly change the security posture of the application server, these commands need to be logged to show the full-text of the command executed. Without the full-text, reconstruction of harmful events or forensic analysis is not possible. Organizations can consider limiting the additional log information to only that information explicitly needed for specific log requirements. At a minimum, the organization must log either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain log trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Checks: C-44162r675952_chk

At the command prompt, execute the following command: grep traceLevel /opt/vmware/etc/sfcb/sfcb.cfg If the value of "traceLevel" is not set to "1", or is missing or is commented out, this is a finding.

Fix: F-44121r675953_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'traceLevel: 1'

b
The vAMI must protect log information from unauthorized read access.
AU-9 - Medium - CCI-000162 - V-240930 - SV-240930r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VRAU-VA-000130
Vuln IDs
  • V-240930
  • V-90203
Rule IDs
  • SV-240930r879576_rule
  • SV-100853
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files that are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access.
Checks: C-44163r675955_chk

At the command prompt, execute the following command: ls -lL /opt/vmware/var/log/vami /opt/vmware/var/log/sfcb If any log files are world-readable, this is a finding.

Fix: F-44122r675956_fix

At the command prompt, enter the following command: chmod 640 </path/to/file> Note: Replace </path/to/file> with the file(s) with world-read rights.

b
The vAMI must protect log information from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-240931 - SV-240931r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VRAU-VA-000135
Vuln IDs
  • V-240931
  • V-90205
Rule IDs
  • SV-240931r879577_rule
  • SV-100855
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files that are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.
Checks: C-44164r675958_chk

At the command prompt, execute the following command: ls -lL /opt/vmware/var/log/vami /opt/vmware/var/log/sfcb If any log files are world-writable, this is a finding.

Fix: F-44123r675959_fix

At the command prompt, enter the following command: chmod 640 </path/to/file> Note: Replace </path/to/file> with the file(s) with world-write rights.

b
The vAMI must protect log information from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-240932 - SV-240932r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VRAU-VA-000140
Vuln IDs
  • V-240932
  • V-90207
Rule IDs
  • SV-240932r879578_rule
  • SV-100857
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write log data to log files that are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.
Checks: C-44165r675961_chk

At the command prompt, execute the following command: ls -lL /opt/vmware/var/log/vami /opt/vmware/var/log/sfcb If log files are not owned by root, this is a finding.

Fix: F-44124r675962_fix

At the command prompt, enter the following command: chown root:root </path/to/file> Note: Replace </path/to/file> with the file(s) that are not owned by root.

b
The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged.
AU-9 - Medium - CCI-001348 - V-240933 - SV-240933r879582_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
VRAU-VA-000160
Vuln IDs
  • V-240933
  • V-90209
Rule IDs
  • SV-240933r879582_rule
  • SV-100859
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to a different system or onto separate media from the system that the vAMI is actually running on helps to assure that in the event of a catastrophic system failure, the log records will be retained.
Checks: C-44166r675964_chk

Interview the ISSO and/or the SA. Determine if there is a local procedure to back up log records at least every seven days onto a different system. If a procedure does not exist or is not being followed, this is a finding.

Fix: F-44125r675965_fix

Develop and implement a site procedure to back up the log data and records to a different system or separate media at least every seven days.

b
Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization.
CM-5 - Medium - CCI-001749 - V-240934 - SV-240934r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VRAU-VA-000170
Vuln IDs
  • V-240934
  • V-90211
Rule IDs
  • SV-240934r879584_rule
  • SV-100861
Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
Checks: C-44167r675967_chk

Interview the ISSO and/or the SA. Determine if there is a local procedure to verify the digital signature of the vAMI files prior to being installed on a production system. If a procedure does not exist or is not being followed, this is a finding.

Fix: F-44126r675968_fix

Develop and implement a site procedure to verify the digital signature of the vAMI files prior to being installed on a production system.

b
The vAMI executable files and library must not be world-writeable.
CM-5 - Medium - CCI-001499 - V-240935 - SV-240935r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
VRAU-VA-000175
Vuln IDs
  • V-240935
  • V-90213
Rule IDs
  • SV-240935r879586_rule
  • SV-100863
Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.
Checks: C-44168r675970_chk

At the command prompt, execute the following command: find /opt/vmware/share/vami -perm -0002 -type f If any files are listed, this is a finding.

Fix: F-44127r675971_fix

At the command prompt, enter the following command: chmod a-w </path/to/file> Note: Replace </path/to/file> with the file(s) with world-write rights.

b
The vAMI installation procedures must be capable of being rolled back to a last known good configuration.
CM-5 - Medium - CCI-001499 - V-240936 - SV-240936r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
VRAU-VA-000180
Vuln IDs
  • V-240936
  • V-90215
Rule IDs
  • SV-240936r879586_rule
  • SV-100865
Any changes to the components of the application server can have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations and application server upgrades, the application server must provide an automated rollback capability that allows the system to be restored to a previous known good configuration state prior to the application installation or application server upgrade.
Checks: C-44169r675973_chk

Interview the ISSO and/or the SA. Determine if there is a local procedure to revert to the last known good configuration in the event of failed installations and upgrades. If a procedure does not exist or is not being followed, this is a finding.

Fix: F-44128r675974_fix

Develop and implement a site procedure to revert to the last known good configuration in the event of failed installations and upgrades.

c
The vAMI must not contain any unnecessary functions and only provide essential capabilities.
CM-7 - High - CCI-000381 - V-240937 - SV-240937r879587_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
VRAU-VA-000185
Vuln IDs
  • V-240937
  • V-90217
Rule IDs
  • SV-240937r879587_rule
  • SV-100867
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.
Checks: C-44170r675976_chk

Review the vAMI directories and files. Determine if there are any tutorials, examples, or sample code. If any tutorials, examples, or sample code is present, this is a finding.

Fix: F-44129r675977_fix

Remove all tutorials, examples, and sample code.

b
The vAMI must use the sfcb HTTPS port for communication with Lighttpd.
CM-7 - Medium - CCI-000382 - V-240938 - SV-240938r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VRAU-VA-000190
Vuln IDs
  • V-240938
  • V-90219
Rule IDs
  • SV-240938r879588_rule
  • SV-100869
Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features all run on TCPIP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html.
Checks: C-44171r676072_chk

At the command prompt, execute the following command to determine the sfcb HTTPS port: grep httpsPort /opt/vmware/etc/sfcb/sfcb.cfg | cut -d ':' -f 2 | tr -d ' ' If the httpsPort configuration is missing or commented out, this is a finding. At the command prompt, type the following command to determine the port that Lighttpd is using to communicate with sfcb: grep cimom -A 7 /opt/vmware/etc/lighttpd/lighttpd.conf | grep port | cut -d '=' -f 2 | tr -d '&gt;' | tr -d ' ' | tr -d '"' If Lighttpd is not using the sfcb HTTPS port for communication with the vAMI, this is a finding.

Fix: F-44130r676074_fix

At the command prompt, type the following command to determine the sfcb httpsPort: grep httpsPort /opt/vmware/etc/sfcb/sfcb.cfg | cut -d ':' -f 2 | tr -d ' ' Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Navigate to the '$HTTP["url"] =~ "^/cimom"' block. Configure the lighttpd.conf file with the following block: $HTTP["url"] =~ "^/cimom" { proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "<port>" )) ) } Note: Substitute <port> in lighttpd.conf with the httpsPort number found in sfcb.cfg.

b
The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-240939 - SV-240939r879589_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
VRAU-VA-000195
Vuln IDs
  • V-240939
  • V-90221
Rule IDs
  • SV-240939r879589_rule
  • SV-100871
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution.
Checks: C-44172r675982_chk

Interview the ISSO and/or the SA. Determine the enterprise user management system being used to uniquely identify and authenticate users. If the vAMI is not configured to use the enterprise user management system, this is a finding.

Fix: F-44131r675983_fix

Consult the appropriate VMware technical guide to implement the site-specific enterprise user management system.

c
The vAMI must transmit only encrypted representations of passwords.
IA-5 - High - CCI-000197 - V-240940 - SV-240940r879609_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
VRAU-VA-000235
Vuln IDs
  • V-240940
  • V-90223
Rule IDs
  • SV-240940r879609_rule
  • SV-100873
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.
Checks: C-44173r675985_chk

At the command prompt, execute the following command: grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.engine" is not set to "enable", or is missing or is commented out, this is a finding.

Fix: F-44132r675986_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following value: 'ssl.engine = "enable"'

c
The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor.
IA-5 - High - CCI-000186 - V-240941 - SV-240941r879613_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000186
Version
VRAU-VA-000250
Vuln IDs
  • V-240941
  • V-90225
Rule IDs
  • SV-240941r879613_rule
  • SV-100875
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java-based application servers utilize the Java keystore, which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.
Checks: C-44174r675988_chk

At the command prompt, execute the following command: ls -l /opt/vmware/etc/sfcb/file.pem If permissions on the key file are not -r--r----- (440), this is a finding.

Fix: F-44133r675989_fix

At the command prompt, enter the following command: chmod 440 /opt/vmware/etc/sfcb/file.pem

c
The vAMI must use approved versions of TLS.
IA-7 - High - CCI-000803 - V-240942 - SV-240942r879616_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
VRAU-VA-000265
Vuln IDs
  • V-240942
  • V-90227
Rule IDs
  • SV-240942r879616_rule
  • SV-100877
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems.
Checks: C-44175r675991_chk

At the command prompt, execute the following command: grep ssl.use-sslv /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.use-sslv2" and "ssl.use-sslv3" are not "disable", this is a finding.

Fix: F-44134r675992_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following two values: 'ssl.use-sslv2 = "disable"' 'ssl.use-sslv3 = "disable"' Note: Both values must be present.

b
The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator.
SC-23 - Medium - CCI-001184 - V-240943 - SV-240943r879636_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
VRAU-VA-000285
Vuln IDs
  • V-240943
  • V-90229
Rule IDs
  • SV-240943r879636_rule
  • SV-100879
This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. Application servers must provide the capability to perform mutual authentication. Mutual authentication is when both the client and the server authenticate each other.
Checks: C-44176r675994_chk

At the command prompt, execute the following command: grep basicAuthLib /opt/vmware/etc/sfcb/sfcb.cfg If the value of "basicAuthLib" is missing, commented out, or not "sfcBasicPAMAuthentication", this is a finding.

Fix: F-44135r675995_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'basicAuthLib: sfcBasicPAMAuthentication'

b
The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator.
SC-23 - Medium - CCI-001664 - V-240944 - SV-240944r879638_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
VRAU-VA-000295
Vuln IDs
  • V-240944
  • V-90231
Rule IDs
  • SV-240944r879638_rule
  • SV-100881
Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. Application servers must generate a unique session identifier for each application session to prevent session hijacking.
Checks: C-44177r675997_chk

At the command prompt, execute the following command: grep basicAuthEntry /opt/vmware/etc/sfcb/sfcb.cfg If the value of "basicAuthEntry" is missing, commented out, or not "_sfcBasicAuthenticate", this is a finding.

Fix: F-44136r675998_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'basicAuthEntry: _sfcBasicAuthenticate'

b
The vAMI must have the correct authentication set for HTTPS connections.
SC-23 - Medium - CCI-001664 - V-240945 - SV-240945r879638_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
VRAU-VA-000300
Vuln IDs
  • V-240945
  • V-90233
Rule IDs
  • SV-240945r879638_rule
  • SV-100883
This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.
Checks: C-44178r676000_chk

At the command prompt, execute the following command: grep doBasicAuth /opt/vmware/etc/sfcb/sfcb.cfg If the value of "doBasicAuth" is missing, commented out, or not "true", this is a finding.

Fix: F-44137r676001_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'doBasicAuth: true'

b
The vAMI installation procedures must be part of a complete vRealize Automation deployment.
SC-24 - Medium - CCI-001190 - V-240946 - SV-240946r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-VA-000310
Vuln IDs
  • V-240946
  • V-90235
Rule IDs
  • SV-240946r879640_rule
  • SV-100885
Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an application is deployed to the vAMI, if the deployment process does not complete properly and without errors, there is the potential that some application files may not be deployed or may be corrupted and an application error may occur during runtime. The vAMI must be able to perform complete application deployments. A partial deployment can leave the server in an inconsistent state. Application servers may provide a transaction rollback function to address this issue.
Checks: C-44179r676003_chk

Interview the ISSO and/or the SA. Determine if the vAMI was installed separately from a full installation of vRealize Automation. If the vAMI was installed independently of a full vRA installation, this is a finding.

Fix: F-44138r676004_fix

Reinstall the vRealize Automation instance as a complete package.

b
The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SC-24 - Medium - CCI-001190 - V-240947 - SV-240947r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-VA-000320
Vuln IDs
  • V-240947
  • V-90237
Rule IDs
  • SV-240947r879640_rule
  • SV-100887
Fail-secure is a condition achieved by the vAMI in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes.
Checks: C-44180r676076_chk

Interview the ISSO and/or the SA. Determine if the vAMI has ever not failed to a secure state during a system initialization failure, shutdown failure, or system abort. If the vAMI has ever not failed to a secure state under these conditions, this is a finding.

Fix: F-44139r676007_fix

Reinstall the vRealize Automation instance as a complete package.

b
The vAMI error logs must be reviewed.
SI-11 - Medium - CCI-001312 - V-240948 - SV-240948r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-VA-000340
Vuln IDs
  • V-240948
  • V-90239
Rule IDs
  • SV-240948r879655_rule
  • SV-100889
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. The structure and content of error messages needs to be carefully considered by the organization and development team. Application servers must have the capability to log at various levels, which can provide log entries for potential security-related error events. An example is the capability for the application server to assign a criticality level to a failed logon attempt error message, a security-related error message being of a higher criticality.
Checks: C-44181r676009_chk

Interview the ISSO and/or the SA and review vRA product documentation. Determine a local procedure exists for monitoring error conditions reported by the vAMI. If a procedure does not exist or is not being followed, this is a finding.

Fix: F-44140r676010_fix

Develop and implement a site procedure to monitor error conditions reported by the vAMI.

b
The vAMI account credentials must protected by site policies.
AC-17 - Medium - CCI-002314 - V-240949 - SV-240949r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
VRAU-VA-000385
Vuln IDs
  • V-240949
  • V-90241
Rule IDs
  • SV-240949r879692_rule
  • SV-100891
Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by logging connection activities of remote users. Examples of policy requirements include, but are not limited to, authorizing remote access to the information system, limiting access based on authentication credentials, and monitoring for unauthorized access.
Checks: C-44182r676012_chk

Interview the ISSO and/or the SA. Determine if access credentials for the vAMI are controlled by a site policy. If a site policy does not exist, or is not being followed, this is a finding.

Fix: F-44141r676013_fix

Develop and implement a site procedure to control access credentials for the vAMI.

b
The vAMI must utilize syslog.
AU-3 - Medium - CCI-001844 - V-240950 - SV-240950r879729_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001844
Version
VRAU-VA-000415
Vuln IDs
  • V-240950
  • V-90245
Rule IDs
  • SV-240950r879729_rule
  • SV-100895
A clustered application server is made up of several servers working together to provide the user a failover and increased computing capability. To facilitate uniform logging in the event of an incident and later forensic investigation, the record format and logable events need to be uniform. This can be managed best from a centralized server. Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.
Checks: C-44183r676015_chk

At the command prompt, execute the following command: grep traceFile /opt/vmware/etc/sfcb/sfcb.cfg If the value of "traceFile" is not "syslog', this is a finding.

Fix: F-44142r676016_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'traceFile: syslog'

b
The vAMI configuration file must be protected from unauthorized access.
CM-5 - Medium - CCI-001813 - V-240951 - SV-240951r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
VRAU-VA-000460
Vuln IDs
  • V-240951
  • V-90247
Rule IDs
  • SV-240951r879753_rule
  • SV-100897
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system. Access restrictions for changes also include application software libraries. If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.
Checks: C-44184r676018_chk

At the command prompt, execute the following command: ls -lL /opt/vmware/etc/sfcb/sfcb.cfg If the permissions on the sfcb.cfg file are greater than 640, this is a finding.

Fix: F-44143r676019_fix

At the command prompt, enter the following command: chmod 640 /opt/vmware/etc/sfcb/sfcb.cfg

b
The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13 - Medium - CCI-002450 - V-240952 - SV-240952r879944_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VRAU-VA-000530
Vuln IDs
  • V-240952
  • V-90249
Rule IDs
  • SV-240952r879944_rule
  • SV-100899
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: 'Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms.' NSA-approved cryptography is required to be used for classified information system processing. The application server must utilize NSA-approved encryption modules when protecting classified data. This means using AES and other approved encryption modules.
Checks: C-44185r676021_chk

At the command prompt, execute the following command: grep 'ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.cipher-list" is not "FIPS: +3DES:!aNULL", this is a finding.

Fix: F-44144r676022_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following value: 'ssl.cipher-list = "FIPS: +3DES:!aNULL"'

b
The vAMI must have the keepaliveTimeout enabled.
SC-5 - Medium - CCI-002385 - V-240953 - SV-240953r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VRAU-VA-000555
Vuln IDs
  • V-240953
  • V-90251
Rule IDs
  • SV-240953r879806_rule
  • SV-100901
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. There are many examples of technologies that exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy or clustering, may reduce the susceptibility to some DoS attacks.
Checks: C-44186r676024_chk

At the command prompt, execute the following command: grep keepaliveTimeout /opt/vmware/etc/sfcb/sfcb.cfg | grep -vE '^#' If the value of "keepaliveTimeout" is missing, commented out, or less than "15", this is a finding.

Fix: F-44145r676025_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'keepaliveTimeout: 15'

b
The vAMI must have the keepaliveMaxRequest enabled.
SC-5 - Medium - CCI-002385 - V-240954 - SV-240954r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VRAU-VA-000560
Vuln IDs
  • V-240954
  • V-90253
Rule IDs
  • SV-240954r879806_rule
  • SV-100903
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. There are many examples of technologies that exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy or clustering, may reduce the susceptibility to some DoS attacks.
Checks: C-44187r676027_chk

At the command prompt, execute the following command: grep keepaliveMaxRequest /opt/vmware/etc/sfcb/sfcb.cfg | grep -vE '^#' If the value of "keepaliveMaxRequest" is missing, commented out, less than "100", this is a finding.

Fix: F-44146r676028_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'keepaliveMaxRequest: 100'

b
The vAMI must use approved versions of TLS.
SC-8 - Medium - CCI-002418 - V-240955 - SV-240955r918127_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-VA-000565
Vuln IDs
  • V-240955
  • V-90255
Rule IDs
  • SV-240955r918127_rule
  • SV-100905
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems.
Checks: C-44188r676030_chk

At the command prompt, execute the following command: grep ssl.use-sslv /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.use-sslv2" and "ssl.use-sslv3" are not "disable", this is a finding.

Fix: F-44147r676031_fix

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following two values: 'ssl.use-sslv2 = "disable"' 'ssl.use-sslv3 = "disable"' Note: Both values must be present.

b
The vAMI sfcb must have HTTPS enabled.
SC-8 - Medium - CCI-002421 - V-240956 - SV-240956r879811_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
VRAU-VA-000570
Vuln IDs
  • V-240956
  • V-90257
Rule IDs
  • SV-240956r879811_rule
  • SV-100907
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems.
Checks: C-44189r676033_chk

At the command prompt, execute the following command: grep 'enableHttps:' /opt/vmware/etc/sfcb/sfcb.cfg | grep -v '^#' If the value of "enableHttps" is missing or is not set to "true", this is a finding.

Fix: F-44148r676034_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'enableHttps: true'

b
The vAMI sfcb must have HTTP disabled.
SC-8 - Medium - CCI-002422 - V-240957 - SV-240957r879813_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
VRAU-VA-000580
Vuln IDs
  • V-240957
  • V-90259
Rule IDs
  • SV-240957r879813_rule
  • SV-100909
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The application server must utilize approved encryption when receiving transmitted data.
Checks: C-44190r676036_chk

At the command prompt, execute the following command: grep 'enableHttp:' /opt/vmware/etc/sfcb/sfcb.cfg | grep -v '^#' If the value of "enableHttp" is set to "true", this is a finding.

Fix: F-44149r676037_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'enableHttp: false'

b
The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
SI-2 - Medium - CCI-002605 - V-240958 - SV-240958r879827_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
VRAU-VA-000595
Vuln IDs
  • V-240958
  • V-90261
Rule IDs
  • SV-240958r879827_rule
  • SV-100911
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes) to production systems after thorough testing of the patches within a lab environment. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
Checks: C-44191r676039_chk

Interview the ISSO and/or the SA. Determine if a local procedure exists to install security-relevant software updates in a satisfactory timeframe. If a procedure does not exist or is not being followed, this is a finding.

Fix: F-44150r676040_fix

Develop and implement a site procedure to install security-relevant software updates in a satisfactory timeframe.

b
The vAMI must log all successful login events.
AU-12 - Medium - CCI-000172 - V-240959 - SV-240959r879874_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VRAU-VA-000610
Vuln IDs
  • V-240959
  • V-90263
Rule IDs
  • SV-240959r879874_rule
  • SV-100913
Logging the access to the application server allows the system administrators to monitor user accounts. By logging successful/unsuccessful logons, the system administrator can determine if an account is compromised (e.g., frequent logons) or is in the process of being compromised (e.g., frequent failed logons) and can take actions to thwart the attack. Logging successful logons can also be used to determine accounts that are no longer in use.
Checks: C-44192r676042_chk

At the command prompt, execute the following command: grep quiet_success /etc/pam.d/vami-sfcb If the command returns any output, this is a finding.

Fix: F-44151r676043_fix

Navigate to and open /etc/pam.d/vami-sfcb. Comment out the line which contains quiet_success

b
The vAMI must enable logging.
AU-12 - Medium - CCI-000172 - V-240960 - SV-240960r879875_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VRAU-VA-000615
Vuln IDs
  • V-240960
  • V-90265
Rule IDs
  • SV-240960r879875_rule
  • SV-100915
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Privileged activities would occur through the management interface. This interface can be web-based or can be command line utilities. Whichever method is used by the application server, these activities must be logged.
Checks: C-44193r676045_chk

At the command prompt, execute the following command: grep traceLevel /opt/vmware/etc/sfcb/sfcb.cfg If the value of "traceLevel" is not "1", this is a finding.

Fix: F-44152r676046_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg. Configure the sfcb.cfg file with the following value: 'traceLevel: 1'

b
The vAMI must have PAM logging enabled.
AU-12 - Medium - CCI-000172 - V-240961 - SV-240961r879876_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VRAU-VA-000620
Vuln IDs
  • V-240961
  • V-90267
Rule IDs
  • SV-240961r879876_rule
  • SV-100917
Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Generating these events, especially if the management interface is accessed via a stateless protocol like HTTP, the log events will be generated when the user performs a logon (start) and when the user performs a logoff (end). Without these events, the user and later investigators cannot determine the sequence of events and therefore cannot determine what may have happened and by whom it may have been done. The generation of start and end times within log events allow the user to perform their due diligence in the event of a security breach.
Checks: C-44194r676048_chk

At the command prompt, execute the following command: ls /etc/pam_debug If the /etc/pam_debug file does not exist, this is a finding.

Fix: F-44153r676049_fix

At the command prompt, enter the following command: touch /etc/pam_debug

b
The vAMI must log all login events.
AU-12 - Medium - CCI-000172 - V-240962 - SV-240962r879877_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VRAU-VA-000625
Vuln IDs
  • V-240962
  • V-90269
Rule IDs
  • SV-240962r879877_rule
  • SV-100919
Being able to work on a system through multiple views into the application allows a user to work more efficiently and more accurately. Before environments with windowing capabilities or multiple desktops, a user would log onto the application from different workstations or terminals. With today's workstations, this is no longer necessary and may signal a compromised session or user account. When concurrent logons are made from different workstations to the management interface, a log record needs to be generated. This allows the system administrator to investigate the incident and to be aware of the incident.
Checks: C-44195r676051_chk

At the command prompt, execute the following command: grep -E 'auth.*unix' /etc/pam.d/vami-sfcb If no line is returned or the returned line does contain the option "debug", this is a finding.

Fix: F-44154r676052_fix

Navigate to and open /etc/pam.d/vami-sfcb. Configure the vami-sfcb file with the following value: "auth required /lib64/security/pam_unix.so debug"

b
The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor.
SC-13 - Medium - CCI-002450 - V-240963 - SV-240963r879885_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VRAU-VA-000635
Vuln IDs
  • V-240963
  • V-90271
Rule IDs
  • SV-240963r879885_rule
  • SV-100921
An asymmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise, and the private portion of the key must be protected. The application server will provide software libraries that applications can programmatically utilize to encrypt and decrypt information. These application server libraries must use NIST-approved or NSA-approved key management technology and processes when producing, controlling, or distributing symmetric and asymmetric keys.
Checks: C-44196r676054_chk

At the command prompt, execute the following command: ls -l /opt/vmware/etc/sfcb/server.pem If permissions on the certificate file is not -r--r----- (440), this is a finding.

Fix: F-44155r676055_fix

At the command prompt, enter the following command: chmod 440 /opt/vmware/etc/sfcb/server.pem

b
If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable.
SC-13 - Medium - CCI-002450 - V-240964 - SV-240964r879885_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VRAU-VA-000640
Vuln IDs
  • V-240964
  • V-90273
Rule IDs
  • SV-240964r879885_rule
  • SV-100923
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The vAMI must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.
Checks: C-44197r676057_chk

Interview the ISSO and/or the SA. Determine if the vAMI is using PKI Class 3 or Class 4 certificates. If the vAMI is using PKI Class 3 or Class 4 certificates, and the certificates are not DoD- or CNSS-approved, this is a finding.

Fix: F-44156r676058_fix

If the vAMI is using PKI Class 3 or Class 4 certificates, install certificates that are DoD or CNSS approved.

b
The vAMI must utilize syslog.
AU-4 - Medium - CCI-001851 - V-240965 - SV-240965r879886_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VRAU-VA-000645
Vuln IDs
  • V-240965
  • V-90275
Rule IDs
  • SV-240965r879886_rule
  • SV-100925
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading should be set up as a scheduled task but can be configured to be run manually, if other processes during the off-loading are manual. Off-loading is a common process in information systems with limited log storage capacity.
Checks: C-44198r676060_chk

At the command prompt, execute the following command: grep traceFile /opt/vmware/etc/sfcb/sfcb.cfg If the value of "traceFile" is not "syslog', this is a finding.

Fix: F-44157r676061_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg, Configure the sfcb.cfg file with the following value: 'traceFile: syslog'

b
The vAMI must be configured to listen on a specific IPv4 address.
CM-6 - Medium - CCI-000366 - V-240966 - SV-240966r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VRAU-VA-000650
Vuln IDs
  • V-240966
  • V-90277
Rule IDs
  • SV-240966r879887_rule
  • SV-100927
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Checks: C-44199r676063_chk

At the command prompt, execute the following command: grep ip4AddrList /opt/vmware/etc/sfcb/sfcb.cfg If the value of "ip4AddrList" is missing, commented out, or not set, this is a finding.

Fix: F-44158r676064_fix

Navigate to and open /opt/vmware/etc/sfcb/sfcb.cfg, Configure the sfcb.cfg file with the following value: 'ip4AddrList: <ip v4 address>' Note: Replace <ip v4 address> with the appropriate site-specific IPv4 address.

b
The vAMI must be configured to listen on a specific network interface.
CM-6 - Medium - CCI-000366 - V-240967 - SV-240967r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VRAU-VA-000655
Vuln IDs
  • V-240967
  • V-90279
Rule IDs
  • SV-240967r879887_rule
  • SV-100929
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Checks: C-44200r676078_chk

Obtain the current vRealize Operations STIGs from the ISSO. Verify that this STIG is the most current STIG available for vRealize Operations. Assess all of the organization's vROps installations to ensure that they are fully compliant with the most current STIG. If the most current version of the vROps STIG was not used, or if the vROps appliance configuration is not compliant with the most current STIG, this is a finding.

Fix: F-44159r676067_fix

Obtain the most current vRealize Operations STIG. Verify that this vROps appliance is configured with all current requirements.

b
The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-240968 - SV-240968r918128_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VRAU-VA-000660
Vuln IDs
  • V-240968
  • V-90281
Rule IDs
  • SV-240968r918128_rule
  • SV-100931
During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the application server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.
Checks: C-44201r878101_chk

Check that FIPS mode is enabled in the vRealize Automation virtual appliance management interface with the following steps: 1. Log into the vRealize Automation virtual appliance management interface (vAMI). https:// vrealize-automation-appliance-FQDN:5480 2. Select vRA Settings &gt;&gt; Host Settings. 3. Review the button under the Actions heading on the upper right to confirm that "enable FIPS" is selected. If "enable FIPS" is not selected, this is a finding. Alternately, check that FIPS mode is enabled in the command line using the following steps: 1. Log into the console as root. 2. Run the command: vcac-vami fips status. If FIPS is not enabled, this is a finding.

Fix: F-44160r878102_fix

Enable FIPS mode in the vRealize Automation virtual appliance management interface with the following steps: 1. Log into the vRealize Automation virtual appliance management interface (vAMI). https:// vrealize-automation-appliance-FQDN:5480 2. Select vRA Settings >> Host Settings. 3. Click the button under the Actions heading on the upper right to enable or disable FIPS. 4. Click "Yes" to restart the vRealize Automation appliance. Alternately, enable FIPS mode in the command line using the following steps: 1. Log into the console as root. 2. Run the command: vcac-vami fips enable

c
The version of vRealize Automation 7.x vAMI running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-258455 - SV-258455r928889_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
VRAU-VA-009999
Vuln IDs
  • V-258455
Rule IDs
  • SV-258455r928889_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-62195r928888_chk

vRealize Automation 7.x vAMI is no longer supported by the vendor. If the system is running vRealize Automation 7.x vAMI, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.