Skip to content
Log In

VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Photon operating system /var/log directory must be restricted.

    Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by th...
    Rule Medium Severity
    Show

  • SRG-OS-000206-GPOS-00084

    Group
    Show

  • The Photon operating system must reveal error messages only to authorized users.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
    Rule Medium Severity
    Show

  • SRG-OS-000239-GPOS-00089

    Group
    Show

  • SRG-OS-000241-GPOS-00091

    Group
    Show

  • The Photon operating system must audit all account removal actions.

    When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In o...
    Rule Medium Severity
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule High Severity
    Show

  • SRG-OS-000254-GPOS-00095

    Group
    Show

  • The Photon operating system must initiate session audits at system startup.

    If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enable...
    Rule Medium Severity
    Show

  • SRG-OS-000256-GPOS-00097

    Group
    Show

  • SRG-OS-000266-GPOS-00101

    Group
    Show

  • SRG-OS-000278-GPOS-00108

    Group
    Show

  • The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.

    Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit recor...
    Rule High Severity
    Show

  • SRG-OS-000279-GPOS-00109

    Group
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • The Photon operating system must enable symlink access control protection in the kernel.

    By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower mat...
    Rule High Severity
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000329-GPOS-00128

    Group
    Show

  • The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the a...
    Rule Medium Severity
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • SRG-OS-000343-GPOS-00134

    Group
    Show

  • The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

    If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
    Rule Low Severity
    Show

  • SRG-OS-000366-GPOS-00153

    Group
    Show

  • The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.

    Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requireme...
    Rule High Severity
    Show

  • SRG-OS-000373-GPOS-00156

    Group
    Show

  • SRG-OS-000433-GPOS-00193

    Group
    Show

  • SRG-OS-000437-GPOS-00194

    Group
    Show

  • The Photon operating system must remove all software components after updated versions have been installed.

    Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may...
    Rule Medium Severity
    Show

  • SRG-OS-000470-GPOS-00214

    Group
    Show

  • The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-OS-000471-GPOS-00216

    Group
    Show

  • The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-OS-000478-GPOS-00223

    Group
    Show

  • SRG-OS-000480-GPOS-00225

    Group
    Show

  • SRG-OS-000480-GPOS-00226

    Group
    Show

  • The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.

    Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00228

    Group
    Show

  • The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00229

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.

    SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.
    Rule High Severity
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • The Photon operating system must be configured to use the pam_faillock.so module.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
    Rule Medium Severity
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • The Photon operating system must persist lockouts between system reboots.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
    Rule Medium Severity
    Show

  • SRG-OS-000069-GPOS-00037

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules