VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must log IPv4 packets with impossible addresses.

    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these pac...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must use a reverse-path filter for IPv4 network traffic.

    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are r...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must not perform IPv4 packet forwarding.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must send TCP timestamps.

    TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can h...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.

    If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must enforce password complexity on the root account.

    Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_pwquality does not apply complexity rules to the root user. Whi...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must disable systemd fallback DNS.

    Systemd contains an ability to set fallback DNS servers, which is used for DNS lookups in the event no system level DNS servers are configured or other DNS servers are specified in the Systemd reso...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must generate audit records for all access and modifications to the opasswd file.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    Rule Medium Severity
  • SRG-OS-000250-GPOS-00093

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must enable the rsyslog service.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    Rule Medium Severity
  • SRG-OS-000077-GPOS-00045

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The Photon operating system must enable hardlink access control protection in the kernel.

    By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecur...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000363-GPOS-00150

    Group
  • The Photon operating system must configure AIDE to detect changes to baseline configurations.

    Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configuratio...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00226

    Group
  • The Photon operating system must not allow empty passwords.

    Accounts with empty or no passwords allow anyone to log on as that account without specifying a password or other forms of authentication. Allowing accounts with empty passwords puts the system at ...
    Rule Medium Severity
  • The Photon operating system must audit all account creations.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...
    Rule Medium Severity
  • The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
    Rule Medium Severity
  • The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
    Rule Medium Severity
  • The Photon operating system must configure auditd to log to disk.

    Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content must be shipped...
    Rule Medium Severity
  • The Photon operating system must enable the auditd service.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that en...
    Rule Medium Severity
  • The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
  • The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.

    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identificat...
    Rule Medium Severity
  • The operating system must store only encrypted representations of passwords.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
  • The Photon operating system must require authentication upon booting into single-user and maintenance modes.

    If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader ...
    Rule Medium Severity
  • The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be ...
    Rule Medium Severity
  • The Photon operating system must audit all account modifications.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis...
    Rule Medium Severity
  • The Photon operating system must protect audit tools from unauthorized access.

    Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...
    Rule Medium Severity
  • The Photon operating system must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting ...
    Rule Medium Severity
  • The Photon operating system must audit the execution of privileged functions.

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
  • The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.

    Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory inclu...
    Rule Medium Severity
  • The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher stand...
    Rule High Severity
  • The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.

    Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    Rule Medium Severity
  • The Photon operating system must audit logon attempts for unknown users.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
    Rule Medium Severity
  • The Photon operating system must enable Secure Shell (SSH) authentication logging.

    Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. The INFO Log...
    Rule Medium Severity
