VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000433-GPOS-00193
Group -
The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. ASLR also makes it more d...Rule Medium Severity -
SRG-OS-000437-GPOS-00194
Group -
The Photon operating system must remove all software components after updated versions have been installed.
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may...Rule Medium Severity -
SRG-OS-000458-GPOS-00203
Group -
SRG-OS-000470-GPOS-00214
Group -
The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000471-GPOS-00216
Group -
The Photon operating system must audit the "insmod" module.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000476-GPOS-00221
Group -
The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000480-GPOS-00225
Group -
The Photon operating system must use the "pam_cracklib" module.
If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and bru...Rule Medium Severity -
SRG-OS-000480-GPOS-00226
Group -
The Photon operating system must set the "FAIL_DELAY" parameter.
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.Rule Medium Severity -
SRG-OS-000480-GPOS-00226
Group -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must ensure audit events are flushed to disk at proper intervals.
Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system may suffer or the risk of missing audit entries may be too high.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must create a home directory for all new local interactive user accounts.
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must disable the debug-shell service.
The debug-shell service is intended to diagnose systemd-related boot issues with various "systemctl" commands. Once enabled and following a system reboot, the root shell will be available on tty9. ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SSH) exposes the system's GSSAPI to remote hosts,...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to disable environment processing.
Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to disable X11 forwarding.
X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to disallow authentication with an empty password.
Blank passwords are one of the first things an attacker checks for when probing a system. Even is the user somehow has a blank password on the operating system, sshd must not allow that user to log...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated co...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to display the last login immediately after authentication.
Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporting of unauthorized account use.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote mach...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must configure sshd to ignore user-specific "known_host" files.
Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote mach...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification.
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must be configured so the "/root" path is protected from unauthorized access.
If the "/root" path is accessible to users other than root, unauthorized users could change the root partitions files.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon login.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.