VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
- The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
  By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking... (Rule severity: Medium)
- The Photon operating system must have sshd authentication logging enabled.
  Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. Shipping ssh... (Rule severity: Medium)
- The Photon operating system must have the sshd LogLevel set to "INFO".
  Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. The INFO Log... (Rule severity: Medium)
- The Photon operating system must have the auditd service running.
  Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). They also provide a means... (Rule severity: Medium)
- The Photon operating system audit log must log space limit problems to syslog.
  It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ... (Rule severity: Medium)
- The Photon operating system must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured a... (Rule severity: Medium)
- The Photon operating system must store only encrypted representations of passwords.
  Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c... (Rule severity: Medium)
- The Photon operating system must enforce a minimum eight-character password length.
  The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene... (Rule severity: Medium)
- The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
  Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on a console or console port that... (Rule severity: Medium)
- The Photon operating system must audit all account modifications.
  Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis... (Rule severity: Medium)
- The Photon operating system must audit all account removal actions.
  When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affecti... (Rule severity: Medium)
- The Photon operating system must audit the execution of privileged functions.
  Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and... (Rule severity: Medium)
- The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
  Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as... (Rule severity: Low)
- The Photon operating system must generate audit records when the sudo command is used.
  Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in... (Rule severity: Medium)
- The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. (Rule severity: Medium)
- The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
  If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the system as another user. (Rule severity: Medium)
- The Photon operating system must configure sshd to disallow Kerberos authentication.
  If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subje... (Rule severity: Medium)
- The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
  By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks. (Rule severity: Medium)
- The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
  If cron files and folders are accessible to unauthorized users, malicious jobs may be created. (Rule severity: Medium)
- The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
  ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill... (Rule severity: Medium)
- The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
  If a public host key file is modified by an unauthorized user, the SSH service may be compromised. (Rule severity: Medium)
- The Photon operating system must enforce password complexity on the root account.
  Password complexity rules must apply to all accounts on the system, including root. Without specifying the "enforce_for_root" flag, "pam_cracklib" does not apply complexity rules to the root user. ... (Rule severity: Medium)
- The Photon operating system must set the "umask" parameter correctly.
  The "umask" value influences the permissions assigned to files when they are created. The "umask" setting in "login.defs" controls the permissions for a new user's home directory. By setting the pr... (Rule severity: Medium)
- The Photon operating system must configure sshd to disallow HostbasedAuthentication.
  Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. (Rule severity: Medium)
- The Photon operating system must disable systemd fallback Domain Name System (DNS).
  Systemd contains an ability to set fallback DNS servers. This is used for DNS lookups in the event no system-level DNS servers are configured or other DNS servers are specified in the systemd "reso... (Rule severity: Medium)
- The Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.
  Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Cryptographica... (Rule severity: Medium)