VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule: The Photon operating system must enforce password complexity on the root account.
Severity: Medium
Discussion: Password complexity rules must apply to all accounts on the system, including root. Without specifying the "enforce_for_root ...

Group: SRG-OS-000480-GPOS-00227
Rule: The Photon operating system must protect all boot configuration files from unauthorized modification.
Severity: Medium
Discussion: Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or mal...

Group: SRG-OS-000480-GPOS-00227
Rule: The Photon operating system must protect sshd configuration from unauthorized access.
Severity: Medium
Discussion: The "sshd_config" file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow ...

Group: SRG-OS-000480-GPOS-00227
Rule: The Photon operating system must protect all "sysctl" configuration files from unauthorized access.
Severity: Medium
Discussion: The "sysctl" configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuratio...

Group: SRG-OS-000480-GPOS-00228
Rule: The Photon operating system must set the "umask" parameter correctly.
Severity: Medium
Discussion: The "umask" value influences the permissions assigned to files when they are created. The "umask" setting in "login.defs" con...

Group: SRG-OS-000480-GPOS-00229
Rule: The Photon operating system must configure sshd to disallow HostbasedAuthentication.
Severity: Medium
Discussion: Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly...

Group: SRG-OS-000073-GPOS-00041
Rule: The Photon operating system must store only encrypted representations of passwords.
Severity: Medium
Discussion: Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly ...

Group: SRG-OS-000077-GPOS-00045
Rule: The Photon operating system must ensure the old passwords are being stored.
Severity: Medium
Discussion: Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...

Group: SRG-OS-000480-GPOS-00227
Rule: The Photon operating system must configure sshd to restrict AllowTcpForwarding.
Severity: Medium
Discussion: While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate fo...

Group: SRG-OS-000480-GPOS-00227
Rule: The Photon operating system must configure sshd to restrict LoginGraceTime.
Severity: Medium
Discussion: By default, sshd unauthenticated connections are left open for two minutes before being closed. This setting is too permissiv...

Group: SRG-OS-000478-GPOS-00223
Rule: The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Severity: Medium
Discussion: Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating syst...

Group: SRG-OS-000480-GPOS-00227
Rule: The Photon operating system must disable systemd fallback Domain Name System (DNS).
Severity: Medium
Discussion: Systemd contains an ability to set fallback DNS servers. This is used for DNS lookups in the event no system-level DNS server...

Rule: The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
Severity: Medium
Discussion: Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significa...