VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Photon operating system must audit all account removal actions.
When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affecti...Rule Medium Severity -
The Photon operating system must audit the execution of privileged functions.
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...Rule Medium Severity -
The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as...Rule Low Severity -
The Photon operating system must generate audit records when the sudo command is used.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.Rule Medium Severity -
The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the system as another user.Rule Medium Severity -
The Photon operating system must configure sshd to disallow Kerberos authentication.
If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subje...Rule Medium Severity -
The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.Rule Medium Severity -
The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.Rule Medium Severity -
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.