Skip to content
Log In

III - Administrative Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.

    If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.

    If Kerberos is enabled through SSH, sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitat...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.

    If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.

    Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthorized account use.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.

    SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which mus...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.

    SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which mus...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.

    By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.

    While enabling TCP tunnels is a valuable function of sshd, this feature is not appropriate for use on single purpose appliances.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime.

    By default, SSH unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login would need such an amount of time to complete a ...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.

    When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a ...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must not forward IPv4 or IPv6 source-routed packets.

    Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to re...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

    Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must log IPv4 packets with impossible addresses.

    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these pac...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must use a reverse-path filter for IPv4 network traffic.

    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are r...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must not perform IPv4 packet forwarding.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must send TCP timestamps.

    TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can h...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.

    If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.

    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must enforce password complexity on the root account.

    Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_pwquality does not apply complexity rules to the root user. Whi...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must disable systemd fallback DNS.

    Systemd contains an ability to set fallback DNS servers, which is used for DNS lookups in the event no system level DNS servers are configured or other DNS servers are specified in the Systemd reso...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Photon operating system must generate audit records for all access and modifications to the opasswd file.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    Rule Medium Severity
    Show

  • SRG-OS-000250-GPOS-00093

    Group
    Show

  • The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.

    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules