Skip to content
Log In

VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Photon operating system must prohibit password reuse for a minimum of five generations.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user...
    Rule Medium Severity
    Show

  • SRG-OS-000078-GPOS-00046

    Group
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • The Photon operating system must require authentication upon booting into single-user and maintenance modes.

    If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader ...
    Rule High Severity
    Show

  • SRG-OS-000096-GPOS-00050

    Group
    Show

  • The Photon operating system must disable the loading of unnecessary kernel modules.

    To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only tho...
    Rule Medium Severity
    Show

  • SRG-OS-000104-GPOS-00051

    Group
    Show

  • The Photon operating system must not have duplicate User IDs (UIDs).

    To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for nonrepudiation.
    Rule Medium Severity
    Show

  • SRG-OS-000118-GPOS-00060

    Group
    Show

  • The Photon operating system must disable new accounts immediately upon password expiration.

    Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts...
    Rule Medium Severity
    Show

  • SRG-OS-000142-GPOS-00071

    Group
    Show

  • The Photon operating system must use Transmission Control Protocol (TCP) syncookies.

    A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequen...
    Rule Medium Severity
    Show

  • SRG-OS-000163-GPOS-00072

    Group
    Show

  • SRG-OS-000163-GPOS-00072

    Group
    Show

  • The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on a console or console port that...
    Rule Medium Severity
    Show

  • SRG-OS-000206-GPOS-00084

    Group
    Show

  • The Photon operating system "/var/log" directory must be owned by root.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an...
    Rule Medium Severity
    Show

  • SRG-OS-000206-GPOS-00084

    Group
    Show

  • The Photon operating system messages file must have the correct ownership and file permissions.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an...
    Rule Medium Severity
    Show

  • SRG-OS-000239-GPOS-00089

    Group
    Show

  • The Photon operating system must audit all account modifications.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis...
    Rule Medium Severity
    Show

  • SRG-OS-000239-GPOS-00089

    Group
    Show

  • SRG-OS-000240-GPOS-00090

    Group
    Show

  • The Photon operating system must audit all account disabling actions.

    When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affect...
    Rule Medium Severity
    Show

  • SRG-OS-000241-GPOS-00091

    Group
    Show

  • SRG-OS-000254-GPOS-00095

    Group
    Show

  • The Photon operating system must initiate auditing as part of the boot process.

    Each process on the system carries an "auditable" flag, which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes that launch after it sta...
    Rule Medium Severity
    Show

  • SRG-OS-000256-GPOS-00097

    Group
    Show

  • The Photon operating system audit files and directories must have correct permissions.

    Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on...
    Rule Medium Severity
    Show

  • SRG-OS-000257-GPOS-00098

    Group
    Show

  • The Photon operating system must protect audit tools from unauthorized modification and deletion.

    Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on...
    Rule Medium Severity
    Show

  • SRG-OS-000266-GPOS-00101

    Group
    Show

  • The Photon operating system must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
    Show

  • SRG-OS-000278-GPOS-00108

    Group
    Show

  • The Photon operating system package files must not be modified.

    Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit recor...
    Rule Medium Severity
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The Photon operating system must configure auditd to keep five rotated log files.

    Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep, ...
    Rule Medium Severity
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The Photon operating system must configure auditd to keep logging in the event max log file size is reached.

    Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep, ...
    Rule Medium Severity
    Show

  • SRG-OS-000343-GPOS-00134

    Group
    Show

  • The Photon operating system must configure auditd to log space limit problems to syslog.

    If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
    Rule Medium Severity
    Show

  • SRG-OS-000366-GPOS-00153

    Group
    Show

  • The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

    Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Ensuring all p...
    Rule Medium Severity
    Show

  • SRG-OS-000366-GPOS-00153

    Group
    Show

  • The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

    Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Cryptographica...
    Rule Medium Severity
    Show

  • SRG-OS-000366-GPOS-00153

    Group
    Show

  • SRG-OS-000373-GPOS-00156

    Group
    Show

  • The Photon operating system must require users to reauthenticate for privilege escalation.

    Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, ...
    Rule Medium Severity
    Show

  • SRG-OS-000394-GPOS-00174

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules