I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000343-GPOS-00134
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure auditd to log space limit problems to syslog.
<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to pla...Rule Medium Severity -
SRG-OS-000366-GPOS-00153
<GroupDescription></GroupDescription>Group -
The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
<VulnDiscussion>Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significa...Rule Medium Severity -
SRG-OS-000366-GPOS-00153
<GroupDescription></GroupDescription>Group -
The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
<VulnDiscussion>Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significa...Rule Medium Severity -
SRG-OS-000366-GPOS-00153
<GroupDescription></GroupDescription>Group -
The Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.
<VulnDiscussion>Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significa...Rule Medium Severity -
SRG-OS-000373-GPOS-00156
<GroupDescription></GroupDescription>Group -
The Photon operating system must require users to reauthenticate for privilege escalation.
<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operat...Rule Medium Severity -
SRG-OS-000394-GPOS-00174
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
<VulnDiscussion>Privileged access contains control and configuration information and is particularly sensitive, so additional protections are...Rule Low Severity -
SRG-OS-000433-GPOS-00193
<GroupDescription></GroupDescription>Group -
The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
<VulnDiscussion>ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's add...Rule Medium Severity -
SRG-OS-000437-GPOS-00194
<GroupDescription></GroupDescription>Group -
The Photon operating system must remove all software components after updated versions have been installed.
<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed m...Rule Medium Severity -
SRG-OS-000458-GPOS-00203
<GroupDescription></GroupDescription>Group -
The Photon operating system must generate audit records when the sudo command is used.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-OS-000470-GPOS-00214
<GroupDescription></GroupDescription>Group -
The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-OS-000471-GPOS-00216
<GroupDescription></GroupDescription>Group -
The Photon operating system must audit the "insmod" module.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-OS-000476-GPOS-00221
<GroupDescription></GroupDescription>Group -
The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-OS-000480-GPOS-00225
<GroupDescription></GroupDescription>Group -
The Photon operating system must use the "pam_cracklib" module.
<VulnDiscussion>If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password...Rule Medium Severity -
SRG-OS-000480-GPOS-00226
<GroupDescription></GroupDescription>Group -
The Photon operating system must set the "FAIL_DELAY" parameter.
<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain acc...Rule Medium Severity -
SRG-OS-000480-GPOS-00226
<GroupDescription></GroupDescription>Group -
The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain acc...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must ensure audit events are flushed to disk at proper intervals.
<VulnDiscussion>Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system ma...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must create a home directory for all new local interactive user accounts.
<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must disable the debug-shell service.
<VulnDiscussion>The debug-shell service is intended to diagnose systemd-related boot issues with various "systemctl" commands. Once enabled a...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disable environment processing.
<VulnDiscussion>Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be d...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disable X11 forwarding.
<VulnDiscussion>X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best pra...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
<VulnDiscussion>If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disallow Kerberos authentication.
<VulnDiscussion>If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. V...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disallow authentication with an empty password.
<VulnDiscussion>Blank passwords are one of the first things an attacker checks for when probing a system. Even is the user somehow has a blan...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
<VulnDiscussion>If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression soft...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.