| V-240937 | High | The vAMI must not contain any unnecessary functions and only provide essential capabilities. | Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
| V-240927 | High | The vAMI must restrict inbound connections from nonsecure zones. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration.... |
| V-258455 | High | The version of vRealize Automation 7.x vAMI running on the system must be a supported version. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
| V-240940 | High | The vAMI must transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e.,... |
| V-240941 | High | The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and... |
| V-240942 | High | The vAMI must use approved versions of TLS. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
| V-240926 | High | The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the... |
| V-240954 | Medium | The vAMI must have the keepaliveMaxRequest enabled. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
| V-240935 | Medium | The vAMI executable files and library must not be world-writeable. | Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one... |
| V-240934 | Medium | Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is... |
| V-240936 | Medium | The vAMI installation procedures must be capable of being rolled back to a last known good configuration. | Any changes to the components of the application server can have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations... |
| V-240939 | Medium | The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which... |
| V-240938 | Medium | The vAMI must use the sfcb HTTPS port for communication with Lighttpd. | Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management... |
| V-240959 | Medium | The vAMI must log all successful login events. | Logging the access to the application server allows the system administrators to monitor user accounts. By logging successful/unsuccessful logons, the system administrator can determine if an... |
| V-240958 | Medium | The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
| V-240931 | Medium | The vAMI must protect log information from unauthorized modification. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-240930 | Medium | The vAMI must protect log information from unauthorized read access. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-240933 | Medium | The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to a different system or onto separate media from the system that the vAMI is actually... |
| V-240932 | Medium | The vAMI must protect log information from unauthorized deletion. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.... |
| V-240953 | Medium | The vAMI must have the keepaliveTimeout enabled. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
| V-240952 | Medium | The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| V-240951 | Medium | The vAMI configuration file must be protected from unauthorized access. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant... |
| V-240950 | Medium | The vAMI must utilize syslog. | A clustered application server is made up of several servers working together to provide the user a failover and increased computing capability. To facilitate uniform logging in the event of an... |
| V-240949 | Medium | The vAMI account credentials must protected by site policies. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy... |
| V-240948 | Medium | The vAMI error logs must be reviewed. | The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in... |
| V-240967 | Medium | The vAMI must be configured to listen on a specific network interface. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security... |
| V-240962 | Medium | The vAMI must log all login events. | Being able to work on a system through multiple views into the application allows a user to work more efficiently and more accurately. Before environments with windowing capabilities or multiple... |
| V-240963 | Medium | The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor. | An asymmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise, and the private portion of... |
| V-240960 | Medium | The vAMI must enable logging. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-240961 | Medium | The vAMI must have PAM logging enabled. | Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Generating these events, especially if the... |
| V-240966 | Medium | The vAMI must be configured to listen on a specific IPv4 address. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security... |
| V-240964 | Medium | If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved.
If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing... |
| V-240965 | Medium | The vAMI must utilize syslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can... |
| V-240944 | Medium | The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator. | Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session... |
| V-240945 | Medium | The vAMI must have the correct authentication set for HTTPS connections. | This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a... |
| V-240968 | Medium | The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server... |
| V-240947 | Medium | The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Fail-secure is a condition achieved by the vAMI in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties... |
| V-240943 | Medium | The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator. | This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an... |
| V-240957 | Medium | The vAMI sfcb must have HTTP disabled. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-240956 | Medium | The vAMI sfcb must have HTTPS enabled. | Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during... |
| V-240929 | Medium | The vAMI must have sfcb logging enabled. | Privileged commands are commands that change the configuration or data of the application server. Since this type of command changes the application server configuration and could possibly change... |
| V-240946 | Medium | The vAMI installation procedures must be part of a complete vRealize Automation deployment. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an... |
| V-240928 | Medium | The vAMI configuration file must be owned by root. | Log records can be generated from various components within the application server, (e.g., httpd, beans, etc.) From an application perspective, certain specific application functionalities may be... |
| V-240955 | Medium | The vAMI must use approved versions of TLS. | Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
