V-254222 | High | Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DoD data may be... |
V-254224 | High | Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher... |
V-254217 | High | Nutanix AOS must store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
V-264424 | High | Nutanix AOS must be running an operating system release that is currently supported by the vendor. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
V-254125 | High | Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information... |
V-254187 | High | Nutanix AOS must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit... |
V-254156 | Medium | Nutanix AOS must generate audit records for privileged security activities. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254157 | Medium | Nutanix AOS must generate audit records for privileged account activities. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254154 | Medium | Nutanix AOS must audit attempts to modify or delete security objects. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254155 | Medium | Nutanix AOS must generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254152 | Medium | Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify security objects occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254153 | Medium | Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify categories of information occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254150 | Medium | Nutanix AOS must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254151 | Medium | Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify privileges occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254220 | Medium | Nutanix AOS must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the... |
V-254221 | Medium | Nutanix AOS must prohibit the use of cached authenticators. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
V-254223 | Medium | Nutanix AOS must audit all activities performed during nonlocal maintenance and diagnostic sessions. | If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement... |
V-254225 | Medium | Nutanix AOS must be configured to run SELinux Policies. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or... |
V-254158 | Medium | Nutanix AOS must be configured to audit the loading and unloading of dynamic kernel modules. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254159 | Medium | Nutanix AOS must generate audit records when concurrent logons to the same account occur from different sources. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254233 | Medium | Nutanix AOS must reveal error messages only to authorized users. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or... |
V-254232 | Medium | Nutanix AOS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by... |
V-254231 | Medium | Nutanix AOS must maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
V-254230 | Medium | Nutanix AOS must maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during... |
V-254237 | Medium | Nutanix AOS must be configured to use SELinux Enforcing mode. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or... |
V-254236 | Medium | Nutanix AOS must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products... |
V-254235 | Medium | Nutanix AOS must implement address space layout randomization to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory... |
V-254234 | Medium | Nutanix AOS must implement nonexecutable data to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory... |
V-254226 | Medium | Nutanix AOS must be configured to restrict public directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of... |
V-254227 | Medium | Nutanix AOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This... |
V-254228 | Medium | Nutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing... |
V-254208 | Medium | Nutanix AOS must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-254209 | Medium | Nutanix AOS must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-254206 | Medium | Nutanix AOS must be configured to disable USB mass storage devices. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, devices such as flash drives,... |
V-254204 | Medium | Nutanix AOS must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability,... |
V-254205 | Medium | Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials... |
V-254202 | Medium | Nutanix AOS must not have the telnet-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often... |
V-254203 | Medium | Nutanix AOS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or... |
V-254200 | Medium | Nutanix AOS must not have the rsh-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often... |
V-254201 | Medium | Nutanix AOS must not have the ypserv package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often... |
V-254229 | Medium | Nutanix AOS must protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This... |
V-254149 | Medium | Nutanix AOS must generate audit records for file extended attribute actions. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254148 | Medium | Nutanix AOS must generate audit records for file permission actions. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254141 | Medium | Nutanix AOS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured... |
V-254140 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for all account creations, modifications, disabling, and terminations. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254143 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the creat privileged commands. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254142 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the chown privileged commands. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254145 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the truncate-related privileged commands. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254144 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the open-related privileged commands. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254147 | Medium | Nutanix AOS must generate audit records for file ownership actions. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254146 | Medium | Nutanix AOS must generate audit records for file access actions. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-254211 | Medium | Nutanix AOS must enforce a minimum 15 character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the... |
V-254210 | Medium | Nutanix AOS must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-254213 | Medium | Nutanix AOS must require the change of at least 50 percent of the total number of characters when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for... |
V-254212 | Medium | Nutanix AOS must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting... |
V-254215 | Medium | Nutanix AOS must require the maximum number of repeating characters be limited to three when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for... |
V-254214 | Medium | Nutanix AOS must require the change of at least four character classes when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for... |
V-254216 | Medium | Nutanix AOS must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for... |
V-254219 | Medium | Nutanix AOS must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force... |
V-254218 | Medium | Nutanix AOS must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and... |
V-254138 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for directory and permissions management actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254139 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file management actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254134 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels). | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254135 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system and account management actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254136 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file attribute management actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254137 | Medium | Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system module management actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit... |
V-254130 | Medium | Nutanix AOS must audit the execution of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious... |
V-254131 | Medium | Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by... |
V-254133 | Medium | Any publicly accessible connection to Nutanix AOS must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent... |
V-254198 | Medium | Nutanix AOS must enable an application firewall, if available. | Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. |
V-254199 | Medium | Nutanix AOS must be configured with nodev, nosuid, and noexec options for /dev/shm. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users... |
V-254192 | Medium | Nutanix AOS must prevent the use of dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses... |
V-254193 | Medium | Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. |
V-254190 | Medium | Nutanix AOS must not be configured to allow KerberosAuthentication. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access... |
V-254191 | Medium | Nutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has... |
V-254196 | Medium | Nutanix AOS must not allow an unattended or automatic logon to the system. | Failure to restrict system access to authenticated users negatively impacts operating system security. |
V-254197 | Medium | Nutanix AOS must be configured so that all local interactive user home directories have mode "0750" or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. |
V-254194 | Medium | Nutanix AOS must be configured to run SCMA daily. | The Nutanix platform leverages the use of the Security Configuration Management Automation (SCMA) framework to ensure secure configurations have not been altered from their desired state. If the... |
V-254129 | Medium | Nutanix AOS must enforce discretionary access control on symlinks and hardlinks. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
V-254127 | Medium | Nutanix AOS must audit all account actions. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an... |
V-254124 | Medium | Nutanix AOS must control remote access methods. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access... |
V-254123 | Medium | Nutanix AOS must monitor remote access methods. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access... |
V-254122 | Medium | Nutanix AOS must automatically terminate a user session after inactivity time-outs have expired or at shutdown. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e.,... |
V-254121 | Medium | Nutanix AOS must disconnect a session after 15 minutes of idle time for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature... |
V-254120 | Medium | Nutanix AOS must limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is... |
V-254189 | Medium | Nutanix AOS must not be configured to allow GSSAPIAuthentication. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access... |
V-254188 | Medium | Nutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system... |
V-254185 | Medium | Nutanix AOS audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized... |
V-254184 | Medium | Nutanix AOS audit tools must be configured to 0755 or less permissive. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine... |
V-254186 | Medium | Nutanix AOS audit tools must be group-owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized... |
V-254181 | Medium | Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system. | Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient... |
V-254180 | Medium | Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern). | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware... |
V-254183 | Medium | Nutanix AOS must protect audit information from unauthorized access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit... |
V-254170 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the passwd/gpasswd/unix-chkpwd privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254171 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the chage privileged command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254172 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the userhelper privileged command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254173 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the mount and umount privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254174 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the post-related privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254175 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the openssh-related privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254176 | Medium | Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the crontab-related privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of... |
V-254177 | Medium | Nutanix AOS must produce audit records containing the individual identities of group account users. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the individual identities of... |
V-254178 | Medium | Nutanix AOS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit record storage capacity.
The task of allocating... |
V-254179 | Medium | Nutanix AOS must offload audit records to a syslog server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage... |
V-254163 | Medium | Nutanix AOS must initiate session audits at system start-up. | If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is... |
V-254162 | Medium | Nutanix AOS must generate audit records for all account creations, modifications, disabling, and termination events. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254161 | Medium | Nutanix AOS must generate audit records for all direct access to the information system. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254160 | Medium | Nutanix AOS must generate audit records when successful/unsuccessful accesses to objects occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
V-254167 | Medium | Nutanix AOS must produce audit records containing information to establish the source of events. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
In addition to logging where events occur... |
V-254166 | Medium | Nutanix AOS must produce audit records containing information to establish where events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
To compile an accurate risk assessment and... |
V-254165 | Medium | Nutanix AOS must produce audit records containing information to establish when events occurred. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
To compile an accurate risk assessment and... |
V-254164 | Medium | Nutanix AOS must produce audit records containing information to establish what type of events occurred. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be... |
V-254169 | Medium | Nutanix AOS must produce audit records containing information to establish the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine... |
V-254168 | Medium | Nutanix AOS must produce audit records containing information to establish the outcome of events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the... |
V-254207 | Low | Nutanix AOS must be configured to disable user accounts after the password expires. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive... |
V-254132 | Low | Nutanix AOS must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal... |
V-254195 | Low | Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. |
V-254128 | Low | Nutanix AOS must be configured with an encrypted boot password for root. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must... |
V-254126 | Low | Nutanix AOS must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of... |
V-254182 | Low | Nutanix AOS must compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when... |