You can configure vRealize Log Insight to ensure STIG (Security Technical Implementation Guide) compliance for better security. This configuration includes the DoD (Department of Defense) consent agreement and additional password policy restrictions.
- A new user is created or an Active Directory or VMware Identity Manager user logs in for the first time.
- The allocated log record storage volume reaches 75 percent of the maximum log record storage capacity of the repository. This notification is sent per node.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
- Expand the main menu and navigate to Configuration > General.
- In the Security Technical Implementation Guide pane, perform the relevant actions:
- Click the DoD Consent Agreement toggle button to display the mandatory DoD consent agreement when a user logs in to vRealize Log Insight. Select a login message type - a simple message on the login page, a login page with a check box to accept the consent before logging in, or a consent dialog box with a button to accept the DoD consent agreement. Add a consent title and description.
When the DoD consent agreement is activated, users can see the selected login message type when they log in.
- Click the Password Policy Restriction toggle button to activate further password restrictions for user accounts and additional rules to lock the accounts.
If the password policy restriction is activated, the following additional rules are applied to passwords:
- A password must contain at least 15 characters.
- A user can change their password only once in 24 hours.
- When a user changes their password, they cannot use the last five passwords.
- When a user changes their password, at least eight characters of the new password must be different from the old password.
If the password policy restriction is activated, a user account is locked if:- The user has not logged in to vRealize Log Insight for 35 days.
- The user has not changed their password for 60 days.
Note: Super Admin user accounts are never locked.
- Click the DoD Consent Agreement toggle button to display the mandatory DoD consent agreement when a user logs in to vRealize Log Insight. Select a login message type - a simple message on the login page, a login page with a check box to accept the consent before logging in, or a consent dialog box with a button to accept the DoD consent agreement. Add a consent title and description.
- Click Save.
