VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must be configured so that all files have a valid owner and group owner.
If files do not have valid user and group owners, unintended access to files could occur.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

SRG-OS-000480-GPOS-00227
Group

The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to re...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

SRG-OS-000480-GPOS-00227
Group

The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must log IPv4 packets with impossible addresses.
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these pac...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must use a reverse-path filter for IPv4 network traffic.
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are r...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must not perform multicast packet forwarding.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must not perform IPv4 packet forwarding.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must send Transmission Control Protocol (TCP) timestamps.
TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can h...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

SRG-OS-000480-GPOS-00227
Group

The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

SRG-OS-000480-GPOS-00227
Group

The Photon operating system must protect all boot configuration files from unauthorized modification.
Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or malicious configurations can negatively affect system security and availabi...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must protect sshd configuration from unauthorized access.
The "sshd_config" file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow unauthorized access to the system, insecure communication, limited foren...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must protect all "sysctl" configuration files from unauthorized access.
The "sysctl" configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuration of these parameters can have a negative effect on system security.
Rule: Medium Severity
SRG-OS-000480-GPOS-00228
Group

SRG-OS-000480-GPOS-00229
Group

SRG-OS-000073-GPOS-00041
Group

The Photon operating system must store only encrypted representations of passwords.
Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted wi...
Rule: Medium Severity
SRG-OS-000077-GPOS-00045
Group

The Photon operating system must ensure the old passwords are being stored.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must configure sshd to restrict AllowTcpForwarding.
While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on single-purpose appliances.
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group

The Photon operating system must configure sshd to restrict LoginGraceTime.
By default, sshd unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login would need such an amount of time to complete a...
Rule: Medium Severity
SRG-OS-000478-GPOS-00223
Group

The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards...
Rule: Medium Severity
SRG-OS-000480-GPOS-00227
Group