VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000074-GPOS-00042
<GroupDescription></GroupDescription>Group -
The Photon operating system must not have the telnet package installed.
<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are...Rule High Severity -
The Photon operating system must enforce one day as the minimum password lifetime.
<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enfo...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
<GroupDescription></GroupDescription>Group -
The Photon operating systems must enforce a 90-day maximum password lifetime restriction.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
SRG-OS-000077-GPOS-00045
<GroupDescription></GroupDescription>Group -
The Photon operating system must prohibit password reuse for a minimum of five generations.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-OS-000078-GPOS-00046
<GroupDescription></GroupDescription>Group -
The Photon operating system must enforce a minimum 15-character password length.
<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is comprom...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
The Photon operating system must require authentication upon booting into single-user and maintenance modes.
<VulnDiscussion>If the system does not require authentication before it boots into single-user mode, anyone with console access to the system...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The Photon operating system must disable unnecessary kernel modules.
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...Rule Medium Severity -
The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be r...Rule Medium Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
The Photon operating system must restrict access to the kernel message buffer.
<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional s...Rule Medium Severity -
SRG-OS-000142-GPOS-00071
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured to use TCP syncookies.
<VulnDiscussion>A TCP SYN flood attack can cause a Denial of Service (DOS) by filling a system's TCP connection table with connections in the...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
The Photon operating system must terminate idle Secure Shell (SSH) sessions after 15 minutes.
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take c...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The Photon operating system /var/log directory must be restricted.
<VulnDiscussion>Any operating system providing too much information in error messages risks compromising the data and security of the structu...Rule Medium Severity -
SRG-OS-000206-GPOS-00084
<GroupDescription></GroupDescription>Group -
The Photon operating system must reveal error messages only to authorized users.
<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an orga...Rule Medium Severity -
SRG-OS-000239-GPOS-00089
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit all account modifications.
<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing ...Rule Medium Severity -
SRG-OS-000241-GPOS-00091
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit all account removal actions.
<VulnDiscussion>When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual ...Rule Medium Severity -
SRG-OS-000250-GPOS-00093
<GroupDescription></GroupDescription>Group -
The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote acce...Rule High Severity -
SRG-OS-000254-GPOS-00095
<GroupDescription></GroupDescription>Group -
The Photon operating system must initiate session audits at system startup.
<VulnDiscussion>If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit syst...Rule Medium Severity -
SRG-OS-000256-GPOS-00097
<GroupDescription></GroupDescription>Group -
The Photon operating system must require users to reauthenticate for privilege escalation.
<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operat...Rule Medium Severity -
SRG-OS-000433-GPOS-00193
<GroupDescription></GroupDescription>Group -
The Photon operating system must protect audit tools from unauthorized access.
<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefo...Rule Medium Severity -
SRG-OS-000266-GPOS-00101
<GroupDescription></GroupDescription>Group -
The Photon operating system must enforce password complexity by requiring that at least one special character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity o...Rule Medium Severity -
SRG-OS-000278-GPOS-00108
<GroupDescription></GroupDescription>Group -
The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.
<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit in...Rule High Severity -
SRG-OS-000279-GPOS-00109
<GroupDescription></GroupDescription>Group -
The operating system must automatically terminate a user session after inactivity time-outs have expired.
<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of ...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
The Photon operating system must enable symlink access control protection in the kernel.
<VulnDiscussion>By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a stick...Rule High Severity -
SRG-OS-000327-GPOS-00127
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit the execution of privileged functions.
<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...Rule Medium Severity -
SRG-OS-000329-GPOS-00128
<GroupDescription></GroupDescription>Group -
The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-OS-000341-GPOS-00132
<GroupDescription></GroupDescription>Group -
The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.
<VulnDiscussion>Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an au...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.