Nutanix AOS 5.20.x Application Security Technical Implementation Guide


Date        Finding Count (23)
2022-08-24  CAT I (High): 5   CAT II (Med): 16   CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID  Severity  Title
V-254099    High      Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.
V-254112    High      Nutanix AOS must utilize encryption when using LDAP for authentication.
V-254113    High      Nutanix AOS must perform RFC 5280-compliant certification path validation.
V-254114    High      Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-254115    High      Nutanix AOS must protect the confidentiality and integrity of all information at rest.
V-254097    Medium    Nutanix AOS must automatically terminate a user session after 15 minutes of inactivity.
V-254098    Medium    Nutanix AOS must disable Remote Support Sessions.
V-254105    Medium    Nutanix AOS must be configured to send Cluster Check alerts to the SA and ISSO.
V-254104    Medium    Nutanix AOS must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75 percent of maximum log record storage capacity.
V-254107    Medium    Nutanix AOS must protect log information from any type of unauthorized access.
V-254101    Medium    Nutanix AOS must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-254100    Medium    Nutanix AOS role mapping must be configured to the lowest privilege level needed for user access.
V-254103    Medium    Nutanix AOS must offload log records onto a syslog server.
V-254109    Medium    Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users.
V-254108    Medium    Nutanix AOS must enforce access restrictions associated with changes to application server configuration.
V-254110    Medium    Nutanix AOS must use multifactor authentication for account access.
V-254111    Medium    Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface.
V-254116    Medium    Nutanix AOS must restrict error messages only to authorized users.
V-254117    Medium    Nutanix AOS must separate hosted application functionality from application server management functionality.
V-254118    Medium    Nutanix AOS must configure network traffic segmentation when using Disaster Recovery Services.
V-254119    Medium    Nutanix AOS must be running an operating system release that is currently supported by the vendor.
V-254106    Low       Nutanix AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
V-254102    Low       Nutanix AOS must display the standard Mandatory DoD Notice and Consent Banner before granting access to the system.