
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

Version: V2R3

Benchmark ID: VMW_vRealize_Automation_7-x_tcServer_STIG

Total Checks: 156

Tags: vmware

CAT I: 11, CAT II: 145, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (156)

  • V-240725 (MEDIUM): tc Server HORIZON must limit the number of maximum concurrent connections permitted.
  • V-240726 (MEDIUM): tc Server VCO must limit the number of maximum concurrent connections permitted.
  • V-240727 (MEDIUM): tc Server VCAC must limit the number of maximum concurrent connections permitted.
  • V-240728 (MEDIUM): tc Server HORIZON must limit the amount of time that each TCP connection is kept alive.
  • V-240729 (MEDIUM): tc Server VCO must limit the amount of time that each TCP connection is kept alive.
  • V-240730 (MEDIUM): tc Server VCAC must limit the amount of time that each TCP connection is kept alive.
  • V-240731 (MEDIUM): tc Server HORIZON must limit the number of times that each TCP connection is kept alive.
  • V-240732 (MEDIUM): tc Server VCO must limit the number of times that each TCP connection is kept alive.
  • V-240733 (MEDIUM): tc Server VCAC must limit the number of times that each TCP connection is kept alive.
  • V-240734 (MEDIUM): tc Server HORIZON must perform server-side session management.
  • V-240735 (MEDIUM): tc Server VCO must perform server-side session management.
  • V-240736 (MEDIUM): tc Server VCAC must perform server-side session management.
  • V-240737 (MEDIUM): tc Server HORIZON must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
  • V-240738 (MEDIUM): tc Server VCAC must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
  • V-240739 (MEDIUM): tc Server HORIZON must use cryptography to protect the integrity of remote sessions.
  • V-240740 (MEDIUM): tc Server VCAC must use cryptography to protect the integrity of remote sessions.
  • V-240741 (MEDIUM): tc Server HORIZON must record user access in a format that enables monitoring of remote access.
  • V-240742 (MEDIUM): tc Server VCO must record user access in a format that enables monitoring of remote access.
  • V-240743 (MEDIUM): tc Server VCAC must record user access in a format that enables monitoring of remote access.
  • V-240744 (MEDIUM): tc Server ALL must generate log records for system startup and shutdown.
  • V-240745 (MEDIUM): tc Server HORIZON must generate log records for user access and authentication events.
  • V-240746 (MEDIUM): tc Server VCO must generate log records for user access and authentication events.
  • V-240747 (MEDIUM): tc Server VCAC must generate log records for user access and authentication events.
  • V-240748 (MEDIUM): tc Server ALL must initiate logging during service start-up.
  • V-240749 (MEDIUM): tc Server HORIZON must produce log records containing sufficient information to establish what type of events occurred.
  • V-240750 (MEDIUM): tc Server VCO must produce log records containing sufficient information to establish what type of events occurred.
  • V-240751 (MEDIUM): tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred.
  • V-240752 (MEDIUM): tc Server HORIZON must produce log records containing sufficient information to establish when (date and time) events occurred.
  • V-240753 (MEDIUM): tc Server VCO must produce log records containing sufficient information to establish when (date and time) events occurred.
  • V-240754 (MEDIUM): tc Server VCAC must produce log records containing sufficient information to establish when (date and time) events occurred.
  • V-240755 (MEDIUM): tc Server HORIZON must produce log records containing sufficient information to establish where within the web server the events occurred.
  • V-240756 (MEDIUM): tc Server VCO must produce log records containing sufficient information to establish where within the web server the events occurred.
  • V-240757 (MEDIUM): tc Server VCAC must produce log records containing sufficient information to establish where within the web server the events occurred.
  • V-240758 (MEDIUM): tc Server HORIZON must produce log records containing sufficient information to establish the source of events.
  • V-240759 (MEDIUM): tc Server VCO must produce log records containing sufficient information to establish the source of events.
  • V-240760 (MEDIUM): tc Server VCAC must produce log records containing sufficient information to establish the source of events.
  • V-240761 (MEDIUM): tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-240762 (MEDIUM): tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-240763 (MEDIUM): tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-240764 (MEDIUM): tc Server HORIZON must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-240765 (MEDIUM): tc Server VCO must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-240766 (MEDIUM): tc Server VCAC must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-240767 (MEDIUM): tc Server HORIZON must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-240768 (MEDIUM): tc Server VCO must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-240769 (MEDIUM): tc Server VCAC must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-240770 (MEDIUM): tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
  • V-240771 (MEDIUM): tc Server HORIZON log files must only be accessible by privileged users.
  • V-240772 (MEDIUM): tc Server VCO log files must only be accessible by privileged users.
  • V-240773 (MEDIUM): tc Server VCAC log files must only be accessible by privileged users.
  • V-240774 (MEDIUM): tc Server HORIZON log files must be protected from unauthorized modification.
  • V-240775 (MEDIUM): tc Server VCO log files must be protected from unauthorized modification.
  • V-240776 (MEDIUM): tc Server VCAC log files must be protected from unauthorized modification.
  • V-240777 (MEDIUM): tc Server HORIZON log files must be protected from unauthorized deletion.
  • V-240778 (MEDIUM): tc Server VCO log files must be protected from unauthorized deletion.
  • V-240779 (MEDIUM): tc Server VCAC log files must be protected from unauthorized deletion.
  • V-240780 (MEDIUM): tc Server ALL log data and records must be backed up onto a different system or media.
  • V-240781 (MEDIUM): tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
  • V-240782 (MEDIUM): tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
  • V-240783 (MEDIUM): tc Server HORIZON must not use the tomcat-users XML database for user management.
  • V-240784 (MEDIUM): tc Server VCO must not use the tomcat-users XML database for user management.
  • V-240785 (MEDIUM): tc Server VCAC must not use the tomcat-users XML database for user management.
  • V-240786 (MEDIUM): tc Server ALL must only contain services and functions necessary for operation.
  • V-240787 (HIGH): tc Server ALL must exclude documentation, sample code, example applications, and tutorials.
  • V-240788 (MEDIUM): tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.
  • V-240789 (MEDIUM): tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
  • V-240790 (MEDIUM): tc Server ALL must have all mappings to unused and vulnerable scripts to be removed.
  • V-240791 (MEDIUM): tc Server HORIZON must have mappings set for Java Servlet Pages.
  • V-240792 (MEDIUM): tc Server VCO must have mappings set for Java Servlet Pages.
  • V-240793 (MEDIUM): tc Server VCAC must have mappings set for Java Servlet Pages.
  • V-240794 (MEDIUM): tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed.
  • V-240795 (MEDIUM): tc Server HORIZON must be configured with memory leak protection.
  • V-240796 (MEDIUM): tc Server VCO must be configured with memory leak protection.
  • V-240797 (MEDIUM): tc Server VCAC must be configured with memory leak protection.
  • V-240798 (MEDIUM): tc Server VCO must not have any symbolic links in the web content directory tree.
  • V-240799 (MEDIUM): tc Server HORIZON must be configured to use a specified IP address and port.
  • V-240800 (MEDIUM): tc Server VCO must be configured to use a specified IP address and port.
  • V-240801 (MEDIUM): tc Server VCAC must be configured to use a specified IP address and port.
  • V-240802 (MEDIUM): tc Server HORIZON must encrypt passwords during transmission.
  • V-240803 (MEDIUM): tc Server VCAC must encrypt passwords during transmission.
  • V-240804 (MEDIUM): tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid.
  • V-240805 (MEDIUM): tc Server ALL must only allow authenticated system administrators to have access to the keystore.
  • V-240806 (MEDIUM): tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
  • V-240807 (MEDIUM): tc Server VCAC must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.
  • V-240808 (HIGH): tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
  • V-240809 (HIGH): tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
  • V-240810 (HIGH): tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts.
  • V-240811 (HIGH): tc Server HORIZON web server application directories must not be accessible to anonymous user.
  • V-240812 (HIGH): tc Server VCO web server application directories must not be accessible to anonymous user.
  • V-240813 (HIGH): tc Server VCAC web server application directories must not be accessible to anonymous user.
  • V-240814 (MEDIUM): tc Server ALL baseline must be documented and maintained.
  • V-240815 (MEDIUM): tc Server HORIZON must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
  • V-240816 (MEDIUM): tc Server VCO must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
  • V-240817 (MEDIUM): tc Server VCAC must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
  • V-240818 (MEDIUM): tc Server HORIZON document directory must be in a separate partition from the web servers system files.
  • V-240819 (MEDIUM): tc Server VCO document directory must be in a separate partition from the web servers system files.
  • V-240820 (MEDIUM): tc Server VCAC document directory must be in a separate partition from the web servers system files.
  • V-240824 (MEDIUM): tc Server HORIZON must set URIEncoding to UTF-8.
  • V-240825 (MEDIUM): tc Server VCO must set URIEncoding to UTF-8.
  • V-240826 (MEDIUM): tc Server HORIZON must use the setCharacterEncodingFilter filter.
  • V-240827 (MEDIUM): tc Server VCO must use the setCharacterEncodingFilter filter.
  • V-240828 (MEDIUM): tc Server VCAC must set URIEncoding to UTF-8.
  • V-240829 (MEDIUM): tc Server VCAC must use the setCharacterEncodingFilter filter.
  • V-240830 (MEDIUM): tc Server HORIZON must set the welcome-file node to a default web page.
  • V-240831 (MEDIUM): tc Server VCO must set the welcome-file node to a default web page.
  • V-240832 (MEDIUM): tc Server VCAC must set the welcome-file node to a default web page.
  • V-240833 (MEDIUM): tc Server HORIZON must have the allowTrace parameter set to false.
  • V-240834 (MEDIUM): tc Server VCO must have the allowTrace parameter set to false.
  • V-240835 (MEDIUM): tc Server VCAC must have the allowTrace parameter set to false.
  • V-240836 (MEDIUM): tc Server HORIZON must have the debug option turned off.
  • V-240837 (MEDIUM): tc Server VCO must have the debug option turned off.
  • V-240838 (MEDIUM): tc Server VCAC must have the debug option turned off.
  • V-240839 (MEDIUM): tc Server HORIZON must set an inactive timeout for sessions.
  • V-240840 (MEDIUM): tc Server VCO must set an inactive timeout for sessions.
  • V-240841 (MEDIUM): tc Server VCAC must set an inactive timeout for sessions.
  • V-240842 (HIGH): tc Server ALL must be configured to the correct user authentication source.
  • V-240843 (MEDIUM): tc Server HORIZON must be configured to use the https scheme.
  • V-240844 (MEDIUM): tc Server VCAC must be configured to use the https scheme.
  • V-240845 (MEDIUM): tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
  • V-240846 (MEDIUM): tc Server ALL log files must be moved to a permanent repository in accordance with site policy.
  • V-240847 (MEDIUM): tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity.
  • V-240848 (MEDIUM): tc Server HORIZON must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-240849 (MEDIUM): tc Server VCO must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-240850 (MEDIUM): tc Server VCAC must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-240851 (MEDIUM): tc Server HORIZON must record time stamps for log records to a minimum granularity of one second.
  • V-240852 (MEDIUM): tc Server VCO must record time stamps for log records to a minimum granularity of one second.
  • V-240853 (MEDIUM): tc Server VCAC must record time stamps for log records to a minimum granularity of one second.
  • V-240854 (MEDIUM): tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users.
  • V-240855 (MEDIUM): tc Server VCO application, libraries, and configuration files must only be accessible to privileged users.
  • V-240856 (MEDIUM): tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users.
  • V-240857 (MEDIUM): tc Server HORIZON must be configured with the appropriate ports.
  • V-240858 (MEDIUM): tc Server VCO must be configured with the appropriate ports.
  • V-240859 (MEDIUM): tc Server VCAC must be configured with the appropriate ports.
  • V-240860 (MEDIUM): tc Server HORIZON must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
  • V-240861 (MEDIUM): tc Server VCAC must use NSA Suite A cryptography when encrypting data that must be compartmentalized.
  • V-240862 (MEDIUM): tc Server HORIZON must disable the shutdown port.
  • V-240863 (MEDIUM): tc Server VCO must disable the shutdown port.
  • V-240864 (MEDIUM): tc Server VCAC must disable the shutdown port.
  • V-240865 (MEDIUM): tc Server HORIZON must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
  • V-240866 (MEDIUM): tc Server VCAC must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission.
  • V-240867 (MEDIUM): tc Server HORIZON session IDs must be sent to the client using SSL/TLS.
  • V-240868 (MEDIUM): tc Server VCAC session IDs must be sent to the client using SSL/TLS.
  • V-240869 (MEDIUM): tc Server HORIZON must set the useHttpOnly parameter.
  • V-240870 (MEDIUM): tc Server VCO must set the useHttpOnly parameter.
  • V-240871 (MEDIUM): tc Server VCAC must set the useHttpOnly parameter.
  • V-240872 (MEDIUM): tc Server HORIZON must set the secure flag for cookies.
  • V-240873 (MEDIUM): tc Server VCO must set the secure flag for cookies.
  • V-240874 (MEDIUM): tc Server VCAC must set the secure flag for cookies.
  • V-240875 (HIGH): tc Server HORIZON must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
  • V-240876 (HIGH): tc Server VCAC must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
  • V-240877 (MEDIUM): tc Server HORIZON must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
  • V-240878 (MEDIUM): tc Server VCAC must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
  • V-240879 (MEDIUM): tc Server HORIZON must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
  • V-240880 (MEDIUM): tc Server VCAC must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception.
  • V-240881 (MEDIUM): tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source.
  • V-240882 (MEDIUM): tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-258454 (HIGH): The version of vRealize Automation 7.x tc Server running on the system must be a supported version.