VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000366-GPOS-00153

    Group
  • The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.

    Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requireme...
    Rule High Severity
  • SRG-OS-000032-GPOS-00013

    Group
  • The Photon operating system must configure the Secure Shell (SSH) SyslogFacility.

    Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. Shipping ssh...
    Rule Medium Severity
  • SRG-OS-000032-GPOS-00013

    Group
  • SRG-OS-000163-GPOS-00072

    Group
  • SRG-OS-000239-GPOS-00089

    Group
  • The Photon operating system must audit all account modifications.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00226

    Group
  • The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

    Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00229

    Group
  • The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.

    Blank passwords are one of the first things an attacker checks for when probing a system. Even if the user somehow has a blank password on the OS, SSH must not allow that user to log in.
    Rule High Severity
  • SRG-OS-000480-GPOS-00229

    Group
  • The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.

    Enabling user environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must create a home directory for all new local interactive user accounts.

    If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must disable the debug-shell service.

    The debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. Th...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.

    GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SSH) exposes the system's GSSAPI to remote hosts,...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.

    X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.

    If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.

    If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.

    Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthorized account use.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.

    SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which mus...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.

    SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which mus...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.

    By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.

    While enabling TCP tunnels is a valuable function of sshd, this feature is not appropriate for use on single purpose appliances.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.

    When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

    Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must log IPv4 packets with impossible addresses.

    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these pac...
    Rule Medium Severity