Skip to content
Log In

Nutanix AOS 5.20.x OS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Nutanix AOS audit tools must be owned by root.

    Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...
    Rule Medium Severity
    Show

  • SRG-OS-000258-GPOS-00099

    Group
    Show

  • SRG-OS-000278-GPOS-00108

    Group
    Show

  • SRG-OS-000363-GPOS-00150

    Group
    Show

  • Nutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.

    Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configuratio...
    Rule Medium Severity
    Show

  • SRG-OS-000364-GPOS-00151

    Group
    Show

  • Nutanix AOS must not be configured to allow GSSAPIAuthentication.

    Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrict...
    Rule Medium Severity
    Show

  • SRG-OS-000364-GPOS-00151

    Group
    Show

  • Nutanix AOS must not be configured to allow KerberosAuthentication.

    Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrict...
    Rule Medium Severity
    Show

  • SRG-OS-000366-GPOS-00153

    Group
    Show

  • Nutanix AOS must be configured so that all local interactive user home directories have mode "0750" or less permissive.

    Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00232

    Group
    Show

  • SRG-OS-000480-GPOS-00225

    Group
    Show

  • Nutanix AOS must prevent the use of dictionary words for passwords.

    If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses an...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00226

    Group
    Show

  • Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

    Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Nutanix AOS must be configured to run SCMA daily.

    The Nutanix platform leverages the use of the Security Configuration Management Automation (SCMA) framework to ensure secure configurations have not been altered from their desired state. If the SC...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00228

    Group
    Show

  • Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
    Rule Low Severity
    Show

  • SRG-OS-000480-GPOS-00229

    Group
    Show

  • Nutanix AOS must not allow an unattended or automatic logon to the system.

    Failure to restrict system access to authenticated users negatively impacts operating system security.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00230

    Group
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Nutanix AOS must not have the rsh-server package installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Nutanix AOS must not have the telnet-server package installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
    Show

  • SRG-OS-000096-GPOS-00050

    Group
    Show

  • SRG-OS-000373-GPOS-00156

    Group
    Show

  • Nutanix AOS must require users to reauthenticate for privilege escalation.

    Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, i...
    Rule Medium Severity
    Show

  • SRG-OS-000112-GPOS-00057

    Group
    Show

  • SRG-OS-000114-GPOS-00059

    Group
    Show

  • Nutanix AOS must be configured to disable USB mass storage devices.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, devices such as flash drives, ...
    Rule Medium Severity
    Show

  • SRG-OS-000118-GPOS-00060

    Group
    Show

  • Nutanix AOS must be configured to disable user accounts after the password expires.

    Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts...
    Rule Low Severity
    Show

  • SRG-OS-000069-GPOS-00037

    Group
    Show

  • SRG-OS-000070-GPOS-00038

    Group
    Show

  • SRG-OS-000071-GPOS-00039

    Group
    Show

  • Nutanix AOS must enforce password complexity by requiring that at least one numeric character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
    Show

  • SRG-OS-000078-GPOS-00046

    Group
    Show

  • SRG-OS-000266-GPOS-00101

    Group
    Show

  • Nutanix AOS must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting ...
    Rule Medium Severity
    Show

  • SRG-OS-000072-GPOS-00040

    Group
    Show

  • Nutanix AOS must enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force user...
    Rule Medium Severity
    Show

  • SRG-OS-000076-GPOS-00044

    Group
    Show

  • SRG-OS-000077-GPOS-00045

    Group
    Show

  • SRG-OS-000072-GPOS-00040

    Group
    Show

  • Nutanix AOS must require the change of at least four character classes when passwords are changed.

    If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempt...
    Rule Medium Severity
    Show

  • SRG-OS-000072-GPOS-00040

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules