VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Photon operating system must terminate idle Secure Shell (SSH) sessions.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule Medium Severity -
The Photon operating system must create a home directory for all new local interactive user accounts.
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.Rule Medium Severity -
The Photon operating system must disable the debug-shell service.
The debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. Th...Rule Medium Severity -
The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.
X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.Rule Medium Severity -
The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.Rule Medium Severity -
The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.
SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which mus...Rule Medium Severity -
The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a ...Rule Medium Severity -
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...Rule Medium Severity -
The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.Rule Medium Severity -
The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.