I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to display the last login immediately after authentication.
<VulnDiscussion>Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporti...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
<VulnDiscussion>Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to ignore user-specific "known_host" files.
<VulnDiscussion>Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
<VulnDiscussion>By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
<VulnDiscussion>When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification.
<VulnDiscussion>If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so the "/root" path is protected from unauthorized access.
<VulnDiscussion>If the "/root" path is accessible to users other than root, unauthorized users could change the root partitions files.</Vu...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these fil...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
<VulnDiscussion>If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.</VulnD...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that all files have a valid owner and group owner.
<VulnDiscussion>If files do not have valid user and group owners, unintended access to files could occur.</VulnDiscussion><FalsePosi...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
<VulnDiscussion>If cron files and folders are accessible to unauthorized users, malicious jobs may be created.</VulnDiscussion><Fals...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
<VulnDiscussion>If cron files and folders are accessible to unauthorized users, malicious jobs may be created.</VulnDiscussion><Fals...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
<VulnDiscussion>If cron files and folders are accessible to unauthorized users, malicious jobs may be created.</VulnDiscussion><Fals...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
<VulnDiscussion>Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tel...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDi...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must log IPv4 packets with impossible addresses.
<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and re...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must use a reverse-path filter for IPv4 network traffic.
<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the inte...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must not perform multicast packet forwarding.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must not perform IPv4 packet forwarding.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must send Transmission Control Protocol (TCP) timestamps.
<VulnDiscussion>TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (an...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.
<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><Fals...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.