UCF STIG Viewer Logo

HYCU for Nutanix Security Technical Implementation Guide


Overview

Date Finding Count (41)
2021-08-03 CAT I (High): 7 CAT II (Med): 34 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-246822 High The HYCU 4.1 Application must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
V-246845 High The HYCU appliance must be running a release that is currently supported by the vendor.
V-246848 High The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
V-246830 High The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.
V-246856 High The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.
V-246857 High The HYCU server and Web UI must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 15 minutes of inactivity except to fulfill documented and validated mission requirements.
V-246859 High The HYCU Web UI must be configured to send log data to a central log server for forwarding alerts to the administrators and the ISSO.
V-246825 Medium The HYCU server and Web UI must audit the execution of privileged functions.
V-246824 Medium The HYCU virtual machine must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
V-246827 Medium The HYCU VM console must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-246826 Medium The HYCU VM console must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any logon attempt for 15 minutes.
V-246821 Medium The HYCU server must terminate shared/group account credentials when members leave the group.
V-246820 Medium The HYCU 4.1 application and server must initiate a session lock after a 15-minute period of inactivity.
V-246823 Medium If the HYCU Server or Web UI uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-246829 Medium The HYCU VM/server must be configured to disable SSH.
V-246828 Medium The HYCU VM console must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-246843 Medium The HYCU server must protect audit information from unauthorized deletion.
V-246842 Medium The HYCU server must be configured to synchronize internal information system clocks using redundant authoritative time sources.
V-246841 Medium The HYCU Web UI must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-246840 Medium The HYCU server must be configured to conduct backups of system-level information when changes occur and to offload audit records onto a different system or media.
V-246847 Medium The HYCU server must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-246846 Medium The HYCU server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-246844 Medium The HYCU server must protect audit tools from unauthorized access, modification, and deletion.
V-246849 Medium The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-246832 Medium The HYCU server must generate audit records when successful/unsuccessful attempts to modify or delete administrator privileges occur.
V-246833 Medium The HYCU server must generate audit records when successful/unsuccessful logon attempts occur.
V-246831 Medium The HYCU server must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-246836 Medium The HYCU server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-246837 Medium The HYCU Server must generate audit records containing the full-text recording of privileged commands.
V-246834 Medium The HYCU server must generate audit records for privileged activities or other system-level access.
V-246835 Medium The HYCU server must produce audit records containing information to establish when events occurred, where events occurred, the source of the event, the outcome of the event, and identity of any individual or process associated with the event.
V-246838 Medium The HYCU server must initiate session auditing upon startup and produce audit log records containing sufficient information to establish what type of event occurred.
V-246839 Medium The HYCU server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-246850 Medium The HYCU server must authenticate Network Time Protocol sources using authentication that is cryptographically based.
V-246851 Medium The HYCU server must enforce password complexity by requiring that at least one uppercase character be used.
V-246852 Medium The network device must enforce a minimum 15-character password length.
V-246853 Medium The HYCU server must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-246854 Medium The HYCU VM console must not have any default manufacturer passwords when deployed.
V-246855 Medium The HYCU server must prohibit the use of cached authenticators after an organization-defined time period.
V-246858 Medium The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-246819 Medium The HYCU 4.1 application and server must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.