VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must use a reverse-path filter for IPv4 network traffic.
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are r...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must not perform IPv4 packet forwarding.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must send TCP timestamps.
TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can h...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must disable systemd fallback DNS.
Systemd contains an ability to set fallback DNS servers, which is used for DNS lookups in the event no system level DNS servers are configured or other DNS servers are specified in the Systemd reso...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must generate audit records for all access and modifications to the opasswd file.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Group: SRG-OS-000250-GPOS-00093
Rule (High Severity): The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must enable the rsyslog service.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Group: SRG-OS-000077-GPOS-00045
Rule (Medium Severity): The Photon operating system must be configured to use the pam_pwhistory.so module.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user...
Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must enable hardlink access control protection in the kernel.
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecur...
Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): The Photon operating system must audit all account creations.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...

Rule (Medium Severity): The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...

Rule (High Severity): The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH on the Photon operating system when configured...

Rule (Medium Severity): The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...

Rule (Medium Severity): The Photon operating system must allow only authorized users to configure the auditd service.
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audi...

Rule (Medium Severity): The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...

Rule (Medium Severity): The Photon operating system must require the change of at least eight characters when passwords are changed.
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attemp...

Rule (Medium Severity): The Photon operating system must enforce a minimum 15-character password length.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...

Rule (Medium Severity): The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be ...

Rule (Medium Severity): The Photon operating system must restrict access to the kernel message buffer.
Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.

Rule (Medium Severity): The Photon operating system must be configured to use TCP syncookies.
A TCP SYN flood attack can cause a Denial of Service (DOS) by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a sub...

Rule (Medium Severity): The Photon operating system must audit all account modifications.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis...

Rule (Medium Severity): The Photon operating system must protect audit tools from unauthorized access.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...

Rule (Medium Severity): The Photon operating system must enforce password complexity by requiring that at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting ...

Rule (Medium Severity): The operating system must automatically terminate a user session after inactivity time-outs have expired.
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....

Rule (Medium Severity): The Photon operating system must audit the execution of privileged functions.
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...

Rule (Low Severity): The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This e...

Rule (Medium Severity): The Photon operating system must require users to reauthenticate for privilege escalation.
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, ...

Rule (Medium Severity): The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory inclu...

Rule (High Severity): The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher stand...

Rule (Medium Severity): The Photon operating system must prevent the use of dictionary words for passwords.
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses an...

Rule (Medium Severity): The Photon operating system must ensure audit events are flushed to disk at proper intervals.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that en...

Rule (Medium Severity): The Photon operating system must prevent leaking information of the existence of a user account.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...

Rule (Medium Severity): The Photon operating system must audit logon attempts for unknown users.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...

Rule (Medium Severity): The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...

Rule (Medium Severity): The Photon operating system must be configured to use the pam_pwquality.so module.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...