Skip to content

II - Mission Support Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480-GPOS-00229

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.

    &lt;VulnDiscussion&gt;Enabling user environment processing may enable users to bypass access restrictions in some configurations and must therefore...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must create a home directory for all new local interactive user accounts.

    &lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must disable the debug-shell service.

    &lt;VulnDiscussion&gt;The debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.

    &lt;VulnDiscussion&gt;GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.

    &lt;VulnDiscussion&gt;X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best pra...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.

    &lt;VulnDiscussion&gt;If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as anoth...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.

    &lt;VulnDiscussion&gt;If Kerberos is enabled through SSH, sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.

    &lt;VulnDiscussion&gt;If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could res...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.

    &lt;VulnDiscussion&gt;Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthori...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.

    &lt;VulnDiscussion&gt;SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Indi...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules