| Finding ID | Severity | Title | Description |
| --- | --- | --- | --- |
| V-254099 | High | Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration.... |
| V-254112 | High | Nutanix AOS must utilize encryption when using LDAP for authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP... |
| V-254113 | High | Nutanix AOS must perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-254114 | High | Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing... |
| V-254115 | High | Nutanix AOS must protect the confidentiality and integrity of all information at rest. | When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and... |
| V-254097 | Medium | Nutanix AOS must automatically terminate a user session after 15 minutes of inactivity. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application... |
| V-254098 | Medium | Nutanix AOS must disable Remote Support Sessions. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy... |
| V-254105 | Medium | Nutanix AOS must be configured to send Cluster Check alerts to the SA and ISSO. | Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the... |
| V-254104 | Medium | Nutanix AOS must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75 percent of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include software/hardware errors, failures in the... |
| V-254107 | Medium | Nutanix AOS must protect log information from any type of unauthorized access. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-254101 | Medium | Nutanix AOS must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
| V-254100 | Medium | Nutanix AOS role mapping must be configured to the lowest privilege level needed for user access. | Strong access controls are critical to securing the application server. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access... |
| V-254103 | Medium | Nutanix AOS must offload log records onto a syslog server. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited... |
| V-254109 | Medium | Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users. | To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which... |
| V-254108 | Medium | Nutanix AOS must enforce access restrictions associated with changes to application server configuration. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant... |
| V-254110 | Medium | Nutanix AOS must use multifactor authentication for account access. | Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker... |
| V-254111 | Medium | Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. PIV credentials are only used in an unclassified environment. DoD has mandated the use of the... |
| V-254116 | Medium | Nutanix AOS must restrict error messages only to authorized users. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be... |
| V-254117 | Medium | Nutanix AOS must separate hosted application functionality from application server management functionality. | The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged... |
| V-254118 | Medium | Nutanix AOS must configure network traffic segmentation when using Disaster Recovery Services. | The application server consists of the management interface and hosted applications, as well as cluster management functions. Separating the management interface from hosted applications prevents... |
| V-254119 | Medium | Nutanix AOS must be running an operating system release that is currently supported by the vendor. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
| V-254106 | Low | Nutanix AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is... |
| V-254102 | Low | Nutanix AOS must display the standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Application servers are required to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices... |