
VMware vRealize Automation 7.x SLES Security Technical Implementation Guide

Version: V2R2
Benchmark ID: VMW_vRealize_Automation_7-x_SLES_STIG
Total Checks: 209
Tags: vmware
Severity breakdown: CAT I: 9, CAT II: 196, CAT III: 4

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (209)

  • V-240344 (MEDIUM): The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
  • V-240345 (MEDIUM): The SLES for vRealize must audit all account creations.
  • V-240346 (MEDIUM): In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications must be investigated for legitimacy.
  • V-240347 (MEDIUM): The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-240348 (MEDIUM): The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
  • V-240349 (LOW): The SLES for vRealize must limit the number of concurrent sessions to 10 for all accounts and/or account types.
  • V-240350 (MEDIUM): The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
  • V-240351 (MEDIUM): The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
  • V-240352 (MEDIUM): The SLES for vRealize must monitor remote access methods - SSH Daemon.
  • V-240353 (MEDIUM): The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon.
  • V-240354 (MEDIUM): The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
  • V-240355 (MEDIUM): The SLES for vRealize must produce audit records.
  • V-240356 (MEDIUM): The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-240357 (MEDIUM): The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
  • V-240358 (MEDIUM): The SLES for vRealize must protect audit information from unauthorized read access - ownership.
  • V-240359 (MEDIUM): The SLES for vRealize must protect audit information from unauthorized read access - group-ownership.
  • V-240360 (MEDIUM): The SLES for vRealize must protect audit information from unauthorized modification.
  • V-240361 (MEDIUM): The SLES for vRealize must protect audit information from unauthorized deletion.
  • V-240362 (MEDIUM): The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
  • V-240376 (MEDIUM): The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
  • V-240377 (MEDIUM): The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
  • V-240378 (MEDIUM): The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group-ownership.
  • V-240379 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chmod.
  • V-240380 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
  • V-240381 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
  • V-240382 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
  • V-240383 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
  • V-240384 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
  • V-240385 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
  • V-240386 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
  • V-240387 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
  • V-240388 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
  • V-240389 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
  • V-240390 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
  • V-240391 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
  • V-240392 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
  • V-240393 (MEDIUM): The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
  • V-240394 (MEDIUM): Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files.
  • V-240395 (MEDIUM): The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
  • V-240396 (MEDIUM): The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
  • V-240397 (HIGH): The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
  • V-240398 (HIGH): The SLES for vRealize must store only encrypted representations of passwords.
  • V-240399 (HIGH): The SLES for vRealize must store only encrypted representations of passwords.
  • V-240400 (MEDIUM): SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
  • V-240401 (MEDIUM): Users must not be able to change passwords more than once every 24 hours.
  • V-240402 (MEDIUM): SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
  • V-240403 (MEDIUM): User passwords must be changed at least every 60 days.
  • V-240404 (MEDIUM): The SLES for vRealize must prohibit password reuse for a minimum of five generations.
  • V-240405 (MEDIUM): The SLES for vRealize must prohibit password reuse for a minimum of five generations - old passwords are being stored.
  • V-240406 (MEDIUM): The SLES for vRealize must enforce a minimum 15-character password length.
  • V-240407 (MEDIUM): The system must require root password authentication upon booting into single-user mode.
  • V-240408 (MEDIUM): Bootloader authentication must be enabled to prevent users without privilege to gain access to restricted file system resources.
  • V-240409 (MEDIUM): The system boot loader configuration file(s) must have mode 0600 or less permissive.
  • V-240410 (MEDIUM): The system boot loader configuration files must be owned by root.
  • V-240411 (MEDIUM): The system boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
  • V-240412 (MEDIUM): The Bluetooth protocol handler must be disabled or not installed.
  • V-240413 (MEDIUM): The system must have USB Mass Storage disabled unless needed.
  • V-240414 (MEDIUM): The system must have USB disabled unless needed.
  • V-240415 (MEDIUM): The telnet-server package must not be installed.
  • V-240416 (MEDIUM): The rsh-server package must not be installed.
  • V-240417 (MEDIUM): The ypserv package must not be installed.
  • V-240418 (MEDIUM): The yast2-tftp-server package must not be installed.
  • V-240419 (MEDIUM): The tftp package must not be installed.
  • V-240420 (MEDIUM): The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
  • V-240421 (MEDIUM): The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
  • V-240422 (MEDIUM): The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
  • V-240423 (MEDIUM): The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
  • V-240424 (MEDIUM): The xinetd service must be disabled if no network services using it are enabled.
  • V-240425 (MEDIUM): The xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
  • V-240426 (MEDIUM): The inetd.conf file, xinetd.conf file, and xinetd.d directory must be group owned by root, bin, sys, or system.
  • V-240427 (MEDIUM): The xinetd.d directory must have mode 0755 or less permissive.
  • V-240428 (MEDIUM): Xinetd logging/tracing must be enabled.
  • V-240429 (MEDIUM): The ypbind service must not be running if no network services utilizing it are enabled.
  • V-240430 (MEDIUM): The system must not use UDP for NIS/NIS+.
  • V-240431 (MEDIUM): NIS maps must be protected through hard-to-guess domain names.
  • V-240432 (MEDIUM): Mail relaying must be restricted.
  • V-240433 (MEDIUM): The alias files must be owned by root.
  • V-240434 (MEDIUM): The alias files must be group-owned by root or a system group.
  • V-240435 (MEDIUM): The alias files must have mode 0644 or less permissive.
  • V-240436 (MEDIUM): Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
  • V-240437 (MEDIUM): Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
  • V-240438 (MEDIUM): Files executed through a mail aliases file must have mode 0755 or less permissive.
  • V-240439 (MEDIUM): Sendmail logging must not be set to less than nine in the sendmail.cf file.
  • V-240440 (MEDIUM): The system syslog service must log informational and more severe SMTP service messages.
  • V-240441 (MEDIUM): The SMTP service log files must be owned by root.
  • V-240442 (MEDIUM): The SMTP service log file must have mode 0644 or less permissive.
  • V-240443 (MEDIUM): The SMTP service HELP command must not be enabled.
  • V-240444 (MEDIUM): The SMTP service SMTP greeting must not provide version information.
  • V-240445 (MEDIUM): The SMTP service must not use .forward files.
  • V-240446 (MEDIUM): The SMTP service must not have the EXPN feature active.
  • V-240447 (MEDIUM): The SMTP service must not have the VRFY feature active.
  • V-240448 (MEDIUM): The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
  • V-240449 (MEDIUM): The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
  • V-240450 (MEDIUM): The AppleTalk protocol must be disabled or not installed.
  • V-240451 (MEDIUM): The DECnet protocol must be disabled or not installed.
  • V-240452 (MEDIUM): Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
  • V-240453 (MEDIUM): The SLES for vRealize must not have 6to4 enabled.
  • V-240454 (MEDIUM): The SLES for vRealize must not have Teredo enabled.
  • V-240455 (MEDIUM): The DHCP client must be disabled if not needed.
  • V-240456 (MEDIUM): The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
  • V-240457 (MEDIUM): Duplicate User IDs (UIDs) must not exist for users within the organization.
  • V-240458 (HIGH): The SLES for vRealize must prevent direct logon into the root account.
  • V-240459 (MEDIUM): The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
  • V-240460 (MEDIUM): The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
  • V-240461 (MEDIUM): The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
  • V-240462 (MEDIUM): The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
  • V-240463 (MEDIUM): The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-240464 (MEDIUM): All GIDs referenced in /etc/passwd must be defined in /etc/group.
  • V-240465 (MEDIUM): The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-240466 (MEDIUM): The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
  • V-240467 (MEDIUM): The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
  • V-240468 (MEDIUM): The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
  • V-240469 (MEDIUM): The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
  • V-240470 (MEDIUM): The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
  • V-240471 (MEDIUM): The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
  • V-240472 (MEDIUM): The /var/log directory must be group-owned by root.
  • V-240473 (MEDIUM): The /var/log directory must be owned by root.
  • V-240474 (MEDIUM): The /var/log directory must have mode 0750 or less permissive.
  • V-240475 (MEDIUM): The /var/log/messages file must be group-owned by root.
  • V-240476 (MEDIUM): The /var/log/messages file must be owned by root.
  • V-240477 (MEDIUM): The /var/log/messages file must have mode 0640 or less permissive.
  • V-240478 (MEDIUM): The SLES for vRealize must reveal error messages only to authorized users.
  • V-240479 (MEDIUM): The SLES for vRealize must reveal error messages only to authorized users.
  • V-240480 (MEDIUM): The SLES for vRealize must reveal error messages only to authorized users.
  • V-240482 (MEDIUM): The SLES for vRealize must audit all account modifications.
  • V-240483 (MEDIUM): The SLES for vRealize must audit all account modifications.
  • V-240484 (MEDIUM): The SLES for vRealize must audit all account disabling actions.
  • V-240485 (MEDIUM): The SLES for vRealize must audit all account removal actions.
  • V-240486 (MEDIUM): The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
  • V-240487 (MEDIUM): The SLES for vRealize must initiate session audits at system start-up.
  • V-240488 (MEDIUM): The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
  • V-240489 (MEDIUM): The SLES for vRealize must protect audit tools from unauthorized access.
  • V-240490 (MEDIUM): The SLES for vRealize must protect audit tools from unauthorized modification.
  • V-240491 (MEDIUM): The SLES for vRealize must protect audit tools from unauthorized deletion.
  • V-240492 (MEDIUM): The shared library files must have restrictive permissions.
  • V-240493 (MEDIUM): Shared library files must have root ownership.
  • V-240494 (MEDIUM): System executables must have restrictive permissions.
  • V-240495 (MEDIUM): System executables must have root ownership.
  • V-240496 (MEDIUM): The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
  • V-240497 (MEDIUM): The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
  • V-240498 (MEDIUM): The SLES for vRealize must control remote access methods.
  • V-240499 (MEDIUM): The SLES for vRealize must audit all account enabling actions.
  • V-240500 (MEDIUM): The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
  • V-240501 (LOW): The SLES for vRealize must audit the execution of privileged functions.
  • V-240502 (LOW): The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
  • V-240503 (LOW): The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.
  • V-240504 (MEDIUM): The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
  • V-240505 (MEDIUM): The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
  • V-240506 (MEDIUM): The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
  • V-240507 (MEDIUM): The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
  • V-240508 (MEDIUM): The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
  • V-240509 (MEDIUM): The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
  • V-240510 (MEDIUM): The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • V-240511 (MEDIUM): The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
  • V-240512 (MEDIUM): The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
  • V-240513 (MEDIUM): The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
  • V-240514 (MEDIUM): The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
  • V-240515 (MEDIUM): The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
  • V-240516 (HIGH): The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-240517 (HIGH): The SLES for vRealize must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the SLES for vRealize is implementing rate-limiting measures on impacted network interfaces.
  • V-240518 (HIGH): The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
  • V-240519 (HIGH): The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
  • V-240520 (MEDIUM): The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
  • V-240521 (MEDIUM): The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
  • V-240522 (MEDIUM): The SLES for vRealize must verify correct operation of all security functions.
  • V-240523 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
  • V-240524 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
  • V-240525 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
  • V-240526 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
  • V-240527 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
  • V-240528 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
  • V-240529 (MEDIUM): The SLES for vRealize must generate audit records for privileged activities or other system-level access.
  • V-240530 (MEDIUM): The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
  • V-240531 (MEDIUM): The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
  • V-240532 (MEDIUM): The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
  • V-240533 (MEDIUM): The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
  • V-240534 (MEDIUM): The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
  • V-240535 (MEDIUM): The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
  • V-240536 (MEDIUM): The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
  • V-240537 (MEDIUM): The SLES for vRealize audit system must be configured to audit file deletions.
  • V-240538 (MEDIUM): SLES for vRealize audit logs must be rotated daily.
  • V-240539 (MEDIUM): The SLES for vRealize must generate audit records for all direct access to the information system.
  • V-240540 (MEDIUM): The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
  • V-240541 (MEDIUM): The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
  • V-240542 (MEDIUM): The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-240543 (MEDIUM): The SLES for vRealize must, at a minimum, off-load audit information on interconnected systems in real time and off-load standalone systems weekly.
  • V-240544 (MEDIUM): The SLES for vRealize must prevent the use of dictionary words for passwords.
  • V-240545 (MEDIUM): The SLES for vRealize must prevent the use of dictionary words for passwords.
  • V-240546 (MEDIUM): The SLES for vRealize must prevent the use of dictionary words for passwords.
  • V-240547 (MEDIUM): The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
  • V-240548 (MEDIUM): The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
  • V-240549 (MEDIUM): The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
  • V-240550 (MEDIUM): The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-240551 (MEDIUM): The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-258447 (HIGH): The version of vRealize Automation 7.x SLES running on the system must be a supported version.
  • V-258526 (MEDIUM): Any publically accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
  • V-258527 (MEDIUM): The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions.
  • V-258528 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.
  • V-258529 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.
  • V-258530 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.
  • V-258531 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.
  • V-258532 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.
  • V-258533 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.
  • V-258534 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.
  • V-258535 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setparam.
  • V-258536 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sched_setscheduler.
  • V-258537 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/faillog.
  • V-258538 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/lastlog.
  • V-258539 (MEDIUM): The SLES for vRealize audit system must be configured to audit all attempts to alter /var/log/tallylog.