Skip to content

I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to disable X11 forwarding.

    &lt;VulnDiscussion&gt;X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best pra...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.

    &lt;VulnDiscussion&gt;If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to disallow Kerberos authentication.

    &lt;VulnDiscussion&gt;If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. V...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to disallow authentication with an empty password.

    &lt;VulnDiscussion&gt;Blank passwords are one of the first things an attacker checks for when probing a system. Even is the user somehow has a blan...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to disallow compression of the encrypted session stream.

    &lt;VulnDiscussion&gt;If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression soft...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to display the last login immediately after authentication.

    &lt;VulnDiscussion&gt;Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporti...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.

    &lt;VulnDiscussion&gt;Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to ignore user-specific "known_host" files.

    &lt;VulnDiscussion&gt;Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.

    &lt;VulnDiscussion&gt;By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.

    &lt;VulnDiscussion&gt;When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboo...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules