UCF STIG Viewer Logo

VMware vSphere 6.7 Photon OS Security Technical Implementation Guide


Overview

Date Finding Count (124)
2022-06-17 CAT I (High): 2 CAT II (Med): 122 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-239138 High The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
V-239081 High The Photon operating system must configure sshd to use approved encryption algorithms.
V-239100 Medium The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.
V-239101 Medium The Photon operating system must prohibit password reuse for a minimum of five generations.
V-239102 Medium The Photon operating system must ensure old passwords are being stored.
V-239103 Medium The Photon operating system must enforce a minimum eight-character password length.
V-239104 Medium The Photon operating system must only allow installation of packages signed by VMware.
V-239105 Medium The Photon operating system must disable the loading of unnecessary kernel modules.
V-239106 Medium The Photon operating system must not have Duplicate User IDs (UIDs).
V-239107 Medium The Photon operating system must configure sshd to disallow root logins.
V-239108 Medium The Photon operating system must disable new accounts immediately upon password expiration.
V-239109 Medium The Photon operating system must use TCP syncookies.
V-239188 Medium The Photon operating system must enforce password complexity on the root account.
V-239189 Medium The Photon operating system must protect all boot configuration files from unauthorized access.
V-239180 Medium The Photon operating system must log IPv4 packets with impossible addresses.
V-239181 Medium The Photon operating system must use a reverse-path filter for IPv4 network traffic.
V-239182 Medium The Photon operating system must not perform multicast packet forwarding.
V-239183 Medium The Photon operating system must not perform IPv4 packet forwarding.
V-239184 Medium The Photon operating system must send TCP timestamps.
V-239185 Medium The Photon OS must not have the xinetd service enabled.
V-239186 Medium The Photon operating system must be configured to protect the SSH public host key from unauthorized modification.
V-239187 Medium The Photon operating system must be configured to protect the SSH private host key from unauthorized access.
V-239175 Medium The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
V-239174 Medium The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
V-239177 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-239176 Medium The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-239078 Medium The Photon operating system must have the sshd SyslogFacility set to "authpriv".
V-239079 Medium The Photon operating system must have sshd authentication logging enabled.
V-239173 Medium The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
V-239172 Medium The Photon operating system must be configured so that the /etc/cron.allow file is protected from unauthorized modification.
V-239074 Medium The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
V-239075 Medium The Photon operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting SSH access.
V-239076 Medium The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-239077 Medium The Photon operating system must set a session inactivity timeout of 15 minutes or less.
V-239179 Medium The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
V-239178 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
V-239072 Medium The Photon operating system must be configured to offload audit logs to a syslog server.
V-239073 Medium The Photon operating system must audit all account creations.
V-239113 Medium The Photon operating system /var/log directory must be owned by root.
V-239112 Medium The Photon operating system must configure rsyslog to offload system logs to a central server.
V-239111 Medium The Photon operating system must configure sshd to disconnect idle SSH sessions.
V-239110 Medium The Photon operating system must configure sshd to disconnect idle SSH sessions.
V-239117 Medium The Photon operating system must audit all account disabling actions.
V-239116 Medium The Photon operating system must audit all account modifications.
V-239115 Medium The Photon operating system messages file must have mode 0640 or less permissive.
V-239114 Medium The Photon operating system messages file must be owned by root.
V-239119 Medium The Photon operating system must initiate auditing as part of the boot process.
V-239118 Medium The Photon operating system must audit all account removal actions.
V-239193 Medium The Photon operating system must set the UMASK parameter correctly.
V-239191 Medium The Photon operating system must protect all sysctl configuration files from unauthorized access.
V-239190 Medium The Photon operating system must protect sshd configuration from unauthorized access.
V-239195 Medium The Photon operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-239194 Medium The Photon operating system must configure sshd to disallow HostbasedAuthentication.
V-239171 Medium The Photon operating system must be configured so that all files have a valid owner and group owner.
V-239126 Medium The Photon operating system must configure sshd with a specific ListenAddress.
V-239127 Medium The Photon operating system must audit the execution of privileged functions.
V-239124 Medium The Photon operating system package files must not be modified.
V-239125 Medium The Photon operating system must set an inactivity timeout value for non-interactive sessions.
V-239122 Medium The Photon operating system must protect audit tools from unauthorized modification.
V-239123 Medium The Photon operating system must enforce password complexity by requiring that at least one special character be used.
V-239120 Medium The Photon operating system audit files and directories must have correct permissions.
V-239121 Medium The Photon operating system audit files and directories must have correct permissions.
V-239128 Medium The Photon operating system must configure auditd to keep five rotated log files.
V-239129 Medium The Photon operating system must configure auditd to keep five rotated log files.
V-239147 Medium The Photon operating system must set the FAIL_DELAY parameter.
V-239139 Medium The Photon operating system must use OpenSSH for remote maintenance sessions.
V-239131 Medium The Photon operating system must configure auditd to log space limit problems to syslog.
V-239130 Medium The Photon operating system must configure a cron job to rotate auditd logs daily.
V-239133 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239132 Medium The Photon operating system must be configured to synchronize with an approved DoD time source.
V-239135 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239134 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239137 Medium The Photon operating system must prohibit the use of cached authenticators after one day.
V-239170 Medium The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
V-251878 Medium The Photon operating system must audit all account modifications.
V-239098 Medium The Photon operating system must store only encrypted representations of passwords.
V-239099 Medium The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.
V-239096 Medium The Photon operating system must require that new passwords are at least four characters different from the old password.
V-239097 Medium The Photon operating system must store only encrypted representations of passwords.
V-239094 Medium The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
V-239095 Medium The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
V-239092 Medium The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-239093 Medium The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
V-239090 Medium The Photon operating system must have the auditd service running.
V-239091 Medium The Photon operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-239148 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-239149 Medium The Photon operating system must ensure audit events are flushed to disk at proper intervals.
V-239144 Medium The Photon operating system must audit the insmod module.
V-239145 Medium The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
V-239146 Medium The Photon operating system must use the pam_cracklib module.
V-239136 Medium The Photon operating system must require users to reauthenticate for privilege escalation.
V-239140 Medium The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
V-239141 Medium The Photon operating system must remove all software components after updated versions have been installed.
V-239142 Medium The Photon operating system must generate audit records when the sudo command is used.
V-239143 Medium The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-239080 Medium The Photon operating system must have the sshd LogLevel set to "INFO".
V-239083 Medium The Photon operating system must configure auditd to use the correct log format.
V-239082 Medium The Photon operating system must configure auditd to log to disk.
V-239085 Medium The Photon operating system audit log must log space limit problems to syslog.
V-239084 Medium The Photon operating system must be configured to audit the execution of privileged functions.
V-239087 Medium The Photon operating system audit log must have correct permissions.
V-239086 Medium The Photon operating system audit log must attempt to log audit failures to syslog.
V-239089 Medium The Photon operating system audit log must be group-owned by root.
V-239088 Medium The Photon operating system audit log must be owned by root.
V-239159 Medium The Photon operating system must configure sshd to use privilege separation.
V-239158 Medium The Photon operating system must configure sshd to disallow Kerberos authentication.
V-239157 Medium The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
V-239156 Medium The Photon operating system must configure sshd to disable X11 forwarding.
V-239155 Medium The Photon operating system must configure sshd to disable environment processing.
V-239154 Medium The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
V-239153 Medium The Photon operating system must configure a secure umask for all shells.
V-239152 Medium The Photon operating system must disable the debug-shell service.
V-239151 Medium The Photon operating system must create a home directory for all new local interactive user accounts.
V-239150 Medium The Photon operating system must ensure root $PATH entries are appropriate.
V-239162 Medium The Photon operating system must configure sshd to display the last login immediately after authentication.
V-239163 Medium The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
V-239160 Medium The Photon operating system must configure sshd to disallow authentication with an empty password.
V-239161 Medium The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
V-239166 Medium The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
V-239167 Medium The Photon operating system must be configured so that the /etc/skel default scripts are protected from unauthorized modification.
V-239164 Medium The Photon operating system must configure sshd to ignore user-specific known_host files.
V-239165 Medium The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
V-239168 Medium The Photon operating system must be configured so that the /root path is protected from unauthorized access.
V-239169 Medium The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.