{
  "stig": {
    "title": "VMware vRealize Automation 7.x vIDM Security Technical Implementation Guide",
    "version": "1",
    "release": "2"
  },
  "checks": [
    {
      "vulnId": "V-240969",
      "ruleId": "SV-240969r879521_rule",
      "severity": "medium",
      "ruleTitle": "vIDM must be configured to log activity to the horizon.log file.",
      "description": "Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. Application servers provide a web and command line-based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.",
      "checkContent": "At the command prompt, execute the following command:\n\ngrep log4j.appender.rollingFile.file /usr/local/horizon/conf/saas-log4j.properties\n\nIf the \"log4j.appender.rollingFile.file\" is not set to \"/opt/vmware/horizon/workspace/logs/horizon.log\" or is commented out or is missing, this is a finding.",
      "fixText": "Navigate to and open /usr/local/horizon/conf/saas-log4j.properties.\n\nConfigure the vIDM policy log file with the following lines:\n\nlog4j.appender.rollingFile=org.apache.log4j.RollingFileAppender\nlog4j.appender.rollingFile.MaxFileSize=50MB\nlog4j.appender.rollingFile.MaxBackupIndex=7\nlog4j.appender.rollingFile.Encoding=UTF-8\nlog4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log\nlog4j.appender.rollingFile.append=true\nlog4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout\nlog4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n",
      "ccis": ["CCI-000067"]
    },
    {
      "vulnId": "V-240970",
      "ruleId": "SV-240970r879589_rule",
      "severity": "medium",
      "ruleTitle": "vIDM must be configured correctly for the site enterprise user management system.",
      "description": "To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution.",
      "checkContent": "Interview the ISSO. Obtain the correct configuration for the site's Directory services.\n\nIn a browser, log in with Tenant admin privileges and navigate to the Administration page.\n\nSelect Directories Management >> Directories.\n\nClick on the configured Directory to review the configuration. \n\nIf the Directory service is not configured correctly, this is a finding.",
      "fixText": "Interview the ISSO. Obtain the correct configuration for the site's Directory services.\n\nIn a browser, log in with Tenant admin privileges, and navigate to the Administration page.\n\nSelect Directories Management >> Directories.\n\nClick on the configured Directory to edit the configuration in accordance with the instructions provided by the ISSO.",
      "ccis": ["CCI-000764"]
    },
    {
      "vulnId": "V-240971",
      "ruleId": "SV-240971r879609_rule",
      "severity": "high",
      "ruleTitle": "vIDM must utilize encryption when using LDAP for authentication.",
      "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.",
      "checkContent": "In a browser, log in with Tenant admin privileges, and navigate to the Administration page.\n\nSelect Directories Management >> Directories.\n\nClick on the configured Directory to review the configuration. \n\nIf the SSL checkbox is not selected, this is a finding.\n\nNote: The checkbox is labeled, \"This Directory requires all connections to use SSL\".",
      "fixText": "In a browser, log in with Tenant admin privileges, and navigate to the Administration page.\n\nSelect Directories Management >> Directories.\n\nClick on the configured Directory to review the configuration. \n\nCheck the checkbox that is labeled, \"This Directory requires all connections to use SSL\". \n\nClick \"Save\".",
      "ccis": ["CCI-000197"]
    },
    {
      "vulnId": "V-240972",
      "ruleId": "SV-240972r879640_rule",
      "severity": "medium",
      "ruleTitle": "vIDM must be configured to provide clustering.",
      "description": "This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple application servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy.",
      "checkContent": "Interview the ISSO. Obtain the correct configuration for clustering used by the site.\n\nReview the vRealize Automation appliance's installation, environment, and configuration. Determine if vRA clustering has been correctly implemented.\n\nIf vRA is not correctly implementing clustering, this is a finding.",
      "fixText": "Interview the ISSO. Obtain the correct configuration for clustering used by the site.\n\nConfigure vRealize Automation to be in compliance with the clustering design provided by the ISSO.",
      "ccis": ["CCI-001190"]
    },
    {
      "vulnId": "V-240973",
      "ruleId": "SV-240973r879655_rule",
      "severity": "medium",
      "ruleTitle": "vIDM must be configured to log activity to the horizon.log file.",
      "description": "The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. The structure and content of error messages needs to be carefully considered by the organization and development team. Application servers must have the capability to log at various levels, which can provide log entries for potential security-related error events. An example is the capability for the application server to assign a criticality level to a failed logon attempt error message, a security-related error message being of a higher criticality.",
      "checkContent": "At the command prompt, execute the following command:\n\ngrep log4j.appender.rollingFile.file /usr/local/horizon/conf/saas-log4j.properties\n\nIf the \"log4j.appender.rollingFile.file\" is not set to \"/opt/vmware/horizon/workspace/logs/horizon.log\" or is commented out or is missing, this is a finding.",
      "fixText": "Navigate to and open /usr/local/horizon/conf/saas-log4j.properties.\n\nConfigure the vIDM policy log file with the following lines:\n\nlog4j.appender.rollingFile=org.apache.log4j.RollingFileAppender\nlog4j.appender.rollingFile.MaxFileSize=50MB\nlog4j.appender.rollingFile.MaxBackupIndex=7\nlog4j.appender.rollingFile.Encoding=UTF-8\nlog4j.appender.rollingFile.file=/opt/vmware/horizon/workspace/logs/horizon.log\nlog4j.appender.rollingFile.append=true\nlog4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout\nlog4j.appender.rollingFile.layout.ConversionPattern=%d{ISO8601} %-5p (%t) [%X{orgId};%X{userId};%X{ip}] %c - %m%n",
      "ccis": ["CCI-001312"]
    },
    {
      "vulnId": "V-240974",
      "ruleId": "SV-240974r879806_rule",
      "severity": "high",
      "ruleTitle": "vIDM, when installed in a MAC I system, must be in a high-availability (HA) cluster.",
      "description": "A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provided high-availability.",
      "checkContent": "If vRA is not installed in a MAC I system, this is Not Applicable.\n\nInterview the ISSO. Obtain the correct configuration for clustering used by the site.\n\nReview the vRealize Automation appliance's installation, environment, and configuration. Determine if vRA clustering has been correctly implemented.\n\nIf vRA is not correctly implementing clustering, this is a finding.",
      "fixText": "If vRA is not installed in a MAC I system, this is Not Applicable.\n\nInterview the ISSO. Obtain the correct configuration for clustering used by the site.\n\nConfigure vRealize Automation to be in compliance with the clustering design provided by the ISSO.",
      "ccis": ["CCI-002385"]
    },
    {
      "vulnId": "V-240975",
      "ruleId": "SV-240975r879887_rule",
      "severity": "medium",
      "ruleTitle": "The vRealize Automation appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
      "description": "Configuring the vRealize Automation application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nThe vRA product is continually under refinement, and patches are regularly released to address vulnerabilities. As a result, the vRA STIG is also subject to a release cycle on a quarterly basis.\n\nAssessors should ensure that they are reviewing the vRealize Automation appliance with the most current STIG.",
      "checkContent": "Obtain the current vRealize Automation STIGs from the ISSO.\n\nVerify that this STIG is the most current STIG available for vRealize Automation. Assess all of the organization's vRA installations to ensure that they are fully compliant with the most current STIG.\n\nIf the most current version of the vRA STIG was not used, or if the vRA appliance configuration is not compliant with the most current STIG, this is a finding.",
      "fixText": "Obtain the most current vRealize Automation STIG. Verify that this vRA appliance is configured with all current requirements.",
      "ccis": ["CCI-000366"]
    },
    {
      "vulnId": "V-258456",
      "ruleId": "SV-258456r928891_rule",
      "severity": "high",
      "ruleTitle": "The version of vRealize Automation 7.x vIDM running on the system must be a supported version.",
      "description": "Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).",
      "checkContent": "vRealize Automation 7.x vIDM is no longer supported by the vendor. If the system is running vRealize Automation 7.x vIDM, this is a finding.",
      "fixText": "Upgrade to a supported version.",
      "ccis": ["CCI-002605"]
    }
  ]
}