VMware vRealize Automation 7.x vIDM Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2023-09-12
  • Released: 2023-10-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
vIDM must be configured to log activity to the horizon.log file.
AC-17 - Medium - CCI-000067 - V-240969 - SV-240969r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VRAU-VI-000020
Vuln IDs
  • V-240969
  • V-90283
Rule IDs
  • SV-240969r879521_rule
  • SV-100933
Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. Application servers provide a web and command line-based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.
Checks: C-44202r676166_chk

At the command prompt, execute the following command: grep log4j.appender.rollingFile.file /usr/local/horizon/conf/saas-log4j.properties If the "log4j.appender.rollingFile.file" is not set to "/opt/vmware/horizon/workspace/logs/horizon.log" or is commented out or is missing, this is a finding.

Fix: F-44161r676167_fix

Navigate to and open /usr/local/horizon/conf/saas-log4j.properties. Configure the vIDM policy log file with the following lines: log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender log4j.appender.rollingFile.MaxFileSize=50MB log4j.appender.rollingFile.MaxBackupIndex=7 log4j.appender.rollingFile.Encoding=UTF-8 log4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log log4j.appender.rollingFile.append=true log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout log4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n

b
vIDM must be configured correctly for the site enterprise user management system.
IA-2 - Medium - CCI-000764 - V-240970 - SV-240970r879589_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
VRAU-VI-000195
Vuln IDs
  • V-240970
  • V-90285
Rule IDs
  • SV-240970r879589_rule
  • SV-100935
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution.
Checks: C-44203r676169_chk

Interview the ISSO. Obtain the correct configuration for the site's Directory services. In a browser, log in with Tenant admin privileges and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to review the configuration. If the Directory service is not configured correctly, this is a finding.

Fix: F-44162r676170_fix

Interview the ISSO. Obtain the correct configuration for the site's Directory services. In a browser, log in with Tenant admin privileges, and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to edit the configuration in accordance with the instructions provided by the ISSO.

c
vIDM must utilize encryption when using LDAP for authentication.
IA-5 - High - CCI-000197 - V-240971 - SV-240971r879609_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
VRAU-VI-000240
Vuln IDs
  • V-240971
  • V-90287
Rule IDs
  • SV-240971r879609_rule
  • SV-100937
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.
Checks: C-44204r676172_chk

In a browser, log in with Tenant admin privileges, and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to review the configuration. If the SSL checkbox is not selected, this is a finding. Note: The checkbox is labeled, "This Directory requires all connections to use SSL".

Fix: F-44163r676173_fix

In a browser, log in with Tenant admin privileges, and navigate to the Administration page. Select Directories Management >> Directories. Click on the configured Directory to review the configuration. Check the checkbox that is labeled, "This Directory requires all connections to use SSL". Click "Save".

b
vIDM must be configured to provide clustering.
SC-24 - Medium - CCI-001190 - V-240972 - SV-240972r879640_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VRAU-VI-000315
Vuln IDs
  • V-240972
  • V-90289
Rule IDs
  • SV-240972r879640_rule
  • SV-100939
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple application servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy.
Checks: C-44205r676175_chk

Interview the ISSO. Obtain the correct configuration for clustering used by the site. Review the vRealize Automation appliance's installation, environment, and configuration. Determine if vRA clustering has been correctly implemented. If vRA is not correctly implementing clustering, this is a finding.

Fix: F-44164r676176_fix

Interview the ISSO. Obtain the correct configuration for clustering used by the site. Configure vRealize Automation to be in compliance with the clustering design provided by the ISSO.

b
vIDM must be configured to log activity to the horizon.log file.
SI-11 - Medium - CCI-001312 - V-240973 - SV-240973r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VRAU-VI-000340
Vuln IDs
  • V-240973
  • V-90291
Rule IDs
  • SV-240973r879655_rule
  • SV-100941
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. The structure and content of error messages needs to be carefully considered by the organization and development team. Application servers must have the capability to log at various levels, which can provide log entries for potential security-related error events. An example is the capability for the application server to assign a criticality level to a failed logon attempt error message, a security-related error message being of a higher criticality.
Checks: C-44206r676178_chk

At the command prompt, execute the following command: grep log4j.appender.rollingFile.file /usr/local/horizon/conf/saas-log4j.properties If the "log4j.appender.rollingFile.file" is not set to "/opt/vmware/horizon/workspace/logs/horizon.log" or is commented out or is missing, this is a finding.

Fix: F-44165r676179_fix

Navigate to and open /usr/local/horizon/conf/saas-log4j.properties. Configure the vIDM policy log file with the following lines: log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender log4j.appender.rollingFile.MaxFileSize=50MB log4j.appender.rollingFile.MaxBackupIndex=7 log4j.appender.rollingFile.Encoding=UTF-8 log4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log log4j.appender.rollingFile.append=true log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout log4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n

c
vIDM, when installed in a MAC I system, must be in a high-availability (HA) cluster.
SC-5 - High - CCI-002385 - V-240974 - SV-240974r879806_rule
RMF Control
SC-5
Severity
High
CCI
CCI-002385
Version
VRAU-VI-000550
Vuln IDs
  • V-240974
  • V-90293
Rule IDs
  • SV-240974r879806_rule
  • SV-100943
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provided high-availability.
Checks: C-44207r676181_chk

If vRA is not installed in a MAC I system, this is Not Applicable. Interview the ISSO. Obtain the correct configuration for clustering used by the site. Review the vRealize Automation appliance's installation, environment, and configuration. Determine if vRA clustering has been correctly implemented. If vRA is not correctly implementing clustering, this is a finding.

Fix: F-44166r676182_fix

If vRA is not installed in a MAC I system, this is Not Applicable. Interview the ISSO. Obtain the correct configuration for clustering used by the site. Configure vRealize Automation to be in compliance with the clustering design provided by the ISSO.

b
The vRealize Automation appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
CM-6 - Medium - CCI-000366 - V-240975 - SV-240975r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VRAU-VI-000655
Vuln IDs
  • V-240975
  • V-90295
Rule IDs
  • SV-240975r879887_rule
  • SV-100945
Configuring the vRealize Automation application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. The vRA product is continually under refinement, and patches are regularly released to address vulnerabilities. As a result, the vRA STIG is also subject to a release cycle on a quarterly basis. Assessors should ensure that they are reviewing the vRealize Automation appliance with the most current STIG.
Checks: C-44208r676184_chk

Obtain the current vRealize Automation STIGs from the ISSO. Verify that this STIG is the most current STIG available for vRealize Automation. Assess all of the organization's vRA installations to ensure that they are fully compliant with the most current STIG. If the most current version of the vRA STIG was not used, or if the vRA appliance configuration is not compliant with the most current STIG, this is a finding.

Fix: F-44167r676185_fix

Obtain the most current vRealize Automation STIG. Verify that this vRA appliance is configured with all current requirements.

c
The version of vRealize Automation 7.x vIDM running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-258456 - SV-258456r928891_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
VRAU-VI-009999
Vuln IDs
  • V-258456
Rule IDs
  • SV-258456r928891_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-62196r928890_chk

vRealize Automation 7.x vIDM is no longer supported by the vendor. If the system is running vRealize Automation 7.x vIDM, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.