Skip to content
Log In

VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000205-GPOS-00083

    Group
    Show

  • The Photon operating system /var/log directory must be restricted.

    Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by th...
    Rule Medium Severity
    Show

  • SRG-OS-000206-GPOS-00084

    Group
    Show

  • The Photon operating system must reveal error messages only to authorized users.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
    Rule Medium Severity
    Show

  • SRG-OS-000239-GPOS-00089

    Group
    Show

  • SRG-OS-000241-GPOS-00091

    Group
    Show

  • The Photon operating system must audit all account removal actions.

    When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In o...
    Rule Medium Severity
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule High Severity
    Show

  • SRG-OS-000254-GPOS-00095

    Group
    Show

  • The Photon operating system must initiate session audits at system startup.

    If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enable...
    Rule Medium Severity
    Show

  • SRG-OS-000256-GPOS-00097

    Group
    Show

  • SRG-OS-000266-GPOS-00101

    Group
    Show

  • SRG-OS-000278-GPOS-00108

    Group
    Show

  • The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.

    Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit recor...
    Rule High Severity
    Show

  • SRG-OS-000279-GPOS-00109

    Group
    Show

  • The operating system must automatically terminate a user session after inactivity time-outs have expired.

    Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....
    Rule Medium Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • The Photon operating system must enable symlink access control protection in the kernel.

    By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower mat...
    Rule High Severity
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000329-GPOS-00128

    Group
    Show

  • The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the a...
    Rule Medium Severity
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.

    Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This e...
    Rule Low Severity
    Show

  • SRG-OS-000343-GPOS-00134

    Group
    Show

  • The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

    If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
    Rule Low Severity
    Show

  • SRG-OS-000366-GPOS-00153

    Group
    Show

  • The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.

    Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requireme...
    Rule High Severity
    Show

  • SRG-OS-000373-GPOS-00156

    Group
    Show

  • The Photon operating system must require users to reauthenticate for privilege escalation.

    Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, ...
    Rule Medium Severity
    Show

  • SRG-OS-000433-GPOS-00193

    Group
    Show

  • SRG-OS-000437-GPOS-00194

    Group
    Show

  • The Photon operating system must remove all software components after updated versions have been installed.

    Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may...
    Rule Medium Severity
    Show

  • SRG-OS-000470-GPOS-00214

    Group
    Show

  • The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-OS-000471-GPOS-00216

    Group
    Show

  • The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-OS-000478-GPOS-00223

    Group
    Show

  • SRG-OS-000480-GPOS-00225

    Group
    Show

  • The Photon operating system must prevent the use of dictionary words for passwords.

    If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses an...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00226

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must ensure audit events are flushed to disk at proper intervals.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that en...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00228

    Group
    Show

  • The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00229

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.

    SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.
    Rule High Severity
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • The Photon operating system must be configured to use the pam_faillock.so module.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
    Rule Medium Severity
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules