STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide

Version

V1R2

Benchmark ID

VMW_vRealize_Automation_7-x_VAMI_STIG

Total Checks

44

Tags

vmware
CAT I: 7, CAT II: 37, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (44)

  • V-240926 [HIGH] The vAMI must use FIPS 140-2 approved ciphers when transmitting management data during remote access management sessions.
  • V-240927 [HIGH] The vAMI must restrict inbound connections from nonsecure zones.
  • V-240928 [MEDIUM] The vAMI configuration file must be owned by root.
  • V-240929 [MEDIUM] The vAMI must have sfcb logging enabled.
  • V-240930 [MEDIUM] The vAMI must protect log information from unauthorized read access.
  • V-240931 [MEDIUM] The vAMI must protect log information from unauthorized modification.
  • V-240932 [MEDIUM] The vAMI must protect log information from unauthorized deletion.
  • V-240933 [MEDIUM] The vAMI log records must be backed up at least every seven days onto a different system or system component than the system or component being logged.
  • V-240934 [MEDIUM] Patches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization.
  • V-240935 [MEDIUM] The vAMI executable files and library must not be world-writeable.
  • V-240936 [MEDIUM] The vAMI installation procedures must be capable of being rolled back to a last known good configuration.
  • V-240937 [HIGH] The vAMI must not contain any unnecessary functions and only provide essential capabilities.
  • V-240938 [MEDIUM] The vAMI must use the sfcb HTTPS port for communication with Lighttpd.
  • V-240939 [MEDIUM] The vAMI must use a site-defined, user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
  • V-240940 [HIGH] The vAMI must transmit only encrypted representations of passwords.
  • V-240941 [HIGH] The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor.
  • V-240942 [HIGH] The vAMI must use approved versions of TLS.
  • V-240943 [MEDIUM] The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator.
  • V-240944 [MEDIUM] The vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator.
  • V-240945 [MEDIUM] The vAMI must have the correct authentication set for HTTPS connections.
  • V-240946 [MEDIUM] The vAMI installation procedures must be part of a complete vRealize Automation deployment.
  • V-240947 [MEDIUM] The vAMI must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
  • V-240948 [MEDIUM] The vAMI error logs must be reviewed.
  • V-240949 [MEDIUM] The vAMI account credentials must protected by site policies.
  • V-240950 [MEDIUM] The vAMI must utilize syslog.
  • V-240951 [MEDIUM] The vAMI configuration file must be protected from unauthorized access.
  • V-240952 [MEDIUM] The vAMI must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-240953 [MEDIUM] The vAMI must have the keepaliveTimeout enabled.
  • V-240954 [MEDIUM] The vAMI must have the keepaliveMaxRequest enabled.
  • V-240955 [MEDIUM] The vAMI must use approved versions of TLS.
  • V-240956 [MEDIUM] The vAMI sfcb must have HTTPS enabled.
  • V-240957 [MEDIUM] The vAMI sfcb must have HTTP disabled.
  • V-240958 [MEDIUM] The vAMI must have security-relevant software updates installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
  • V-240959 [MEDIUM] The vAMI must log all successful login events.
  • V-240960 [MEDIUM] The vAMI must enable logging.
  • V-240961 [MEDIUM] The vAMI must have PAM logging enabled.
  • V-240962 [MEDIUM] The vAMI must log all login events.
  • V-240963 [MEDIUM] The vAMI sfcb server certificate must only be accessible to authenticated system administrators or the designated PKI Sponsor.
  • V-240964 [MEDIUM] If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable.
  • V-240965 [MEDIUM] The vAMI must utilize syslog.
  • V-240966 [MEDIUM] The vAMI must be configured to listen on a specific IPv4 address.
  • V-240967 [MEDIUM] The vAMI must be configured to listen on a specific network interface.
  • V-240968 [MEDIUM] The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
  • V-258455 [HIGH] The version of vRealize Automation 7.x vAMI running on the system must be a supported version.