VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.
<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enfo...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
SRG-OS-000077-GPOS-00045
<GroupDescription></GroupDescription>Group -
The Photon operating system must prohibit password reuse for a minimum of five generations.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-OS-000078-GPOS-00046
<GroupDescription></GroupDescription>Group -
The Photon operating system must enforce a minimum eight-character password length.
<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is comprom...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
The Photon operating system must require authentication upon booting into single-user and maintenance modes.
<VulnDiscussion>If the system does not require authentication before it boots into single-user mode, anyone with console access to the system...Rule High Severity -
SRG-OS-000096-GPOS-00050
<GroupDescription></GroupDescription>Group -
The Photon operating system must disable the loading of unnecessary kernel modules.
<VulnDiscussion>To support the requirements and principles of least functionality, the operating system must provide only essential capabilit...Rule Medium Severity -
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
The Photon operating system must not have duplicate User IDs (UIDs).
<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticat...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
<GroupDescription></GroupDescription>Group -
The Photon operating system must disable new accounts immediately upon password expiration.
<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...Rule Medium Severity -
SRG-OS-000142-GPOS-00071
<GroupDescription></GroupDescription>Group -
The Photon operating system must use Transmission Control Protocol (TCP) syncookies.
<VulnDiscussion>A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_R...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take c...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take c...Rule Medium Severity -
SRG-OS-000206-GPOS-00084
<GroupDescription></GroupDescription>Group -
The Photon operating system "/var/log" directory must be owned by root.
<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an orga...Rule Medium Severity -
SRG-OS-000206-GPOS-00084
<GroupDescription></GroupDescription>Group -
The Photon operating system messages file must have the correct ownership and file permissions.
<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an orga...Rule Medium Severity -
SRG-OS-000239-GPOS-00089
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit all account modifications.
<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing ...Rule Medium Severity -
SRG-OS-000239-GPOS-00089
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit all account modifications.
<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing ...Rule Medium Severity -
SRG-OS-000240-GPOS-00090
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit all account disabling actions.
<VulnDiscussion>When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual use...Rule Medium Severity -
SRG-OS-000241-GPOS-00091
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit all account removal actions.
<VulnDiscussion>When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual user...Rule Medium Severity -
SRG-OS-000254-GPOS-00095
<GroupDescription></GroupDescription>Group -
The Photon operating system must initiate auditing as part of the boot process.
<VulnDiscussion>Each process on the system carries an "auditable" flag, which indicates whether its activities can be audited. Although audit...Rule Medium Severity -
SRG-OS-000256-GPOS-00097
<GroupDescription></GroupDescription>Group -
The Photon operating system audit files and directories must have correct permissions.
<VulnDiscussion>Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, p...Rule Medium Severity -
SRG-OS-000257-GPOS-00098
<GroupDescription></GroupDescription>Group -
The Photon operating system must protect audit tools from unauthorized modification and deletion.
<VulnDiscussion>Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, p...Rule Medium Severity -
SRG-OS-000266-GPOS-00101
<GroupDescription></GroupDescription>Group -
The Photon operating system must enforce password complexity by requiring that at least one special character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-OS-000278-GPOS-00108
<GroupDescription></GroupDescription>Group -
The Photon operating system package files must not be modified.
<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit in...Rule Medium Severity -
SRG-OS-000327-GPOS-00127
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit the execution of privileged functions.
<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...Rule Medium Severity -
SRG-OS-000341-GPOS-00132
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure auditd to keep five rotated log files.
<VulnDiscussion>Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an au...Rule Medium Severity -
SRG-OS-000341-GPOS-00132
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure auditd to keep logging in the event max log file size is reached.
<VulnDiscussion>Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an au...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.