UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 6.7 Photon OS Security Technical Implementation Guide


Overview

Date Finding Count (123)
2022-09-27 CAT I (High): 2 CAT II (Med): 121 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-239138 High The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
V-239081 High The Photon operating system must configure sshd to use approved encryption algorithms.
V-239100 Medium The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.
V-239101 Medium The Photon operating system must prohibit password reuse for a minimum of five generations.
V-239102 Medium The Photon operating system must ensure old passwords are being stored.
V-239103 Medium The Photon operating system must enforce a minimum eight-character password length.
V-239104 Medium The Photon operating system must only allow installation of packages signed by VMware.
V-239105 Medium The Photon operating system must disable the loading of unnecessary kernel modules.
V-239106 Medium The Photon operating system must not have Duplicate User IDs (UIDs).
V-239107 Medium The Photon operating system must configure sshd to disallow root logins.
V-239108 Medium The Photon operating system must disable new accounts immediately upon password expiration.
V-239109 Medium The Photon operating system must use TCP syncookies.
V-239188 Medium The Photon operating system must enforce password complexity on the root account.
V-239189 Medium The Photon operating system must protect all boot configuration files from unauthorized access.
V-239180 Medium The Photon operating system must log IPv4 packets with impossible addresses.
V-239181 Medium The Photon operating system must use a reverse-path filter for IPv4 network traffic.
V-239182 Medium The Photon operating system must not perform multicast packet forwarding.
V-239183 Medium The Photon operating system must not perform IPv4 packet forwarding.
V-239184 Medium The Photon operating system must send TCP timestamps.
V-239185 Medium The Photon OS must not have the xinetd service enabled.
V-239186 Medium The Photon operating system must be configured to protect the SSH public host key from unauthorized modification.
V-239187 Medium The Photon operating system must be configured to protect the SSH private host key from unauthorized access.
V-239175 Medium The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
V-239174 Medium The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
V-239177 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-239176 Medium The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-239078 Medium The Photon operating system must have the sshd SyslogFacility set to "authpriv".
V-239079 Medium The Photon operating system must have sshd authentication logging enabled.
V-239173 Medium The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
V-239172 Medium The Photon operating system must be configured so that the /etc/cron.allow file is protected from unauthorized modification.
V-239074 Medium The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
V-239075 Medium The Photon operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting SSH access.
V-239076 Medium The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-239077 Medium The Photon operating system must set a session inactivity timeout of 15 minutes or less.
V-239179 Medium The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
V-239178 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
V-239072 Medium The Photon operating system must be configured to offload audit logs to a syslog server.
V-239073 Medium The Photon operating system must audit all account creations.
V-239113 Medium The Photon operating system /var/log directory must be owned by root.
V-239112 Medium The Photon operating system must configure rsyslog to offload system logs to a central server.
V-239111 Medium The Photon operating system must configure sshd to disconnect idle SSH sessions.
V-239110 Medium The Photon operating system must configure sshd to disconnect idle SSH sessions.
V-239117 Medium The Photon operating system must audit all account disabling actions.
V-239116 Medium The Photon operating system must audit all account modifications.
V-239115 Medium The Photon operating system messages file must have mode 0640 or less permissive.
V-239114 Medium The Photon operating system messages file must be owned by root.
V-239119 Medium The Photon operating system must initiate auditing as part of the boot process.
V-239118 Medium The Photon operating system must audit all account removal actions.
V-239193 Medium The Photon operating system must set the UMASK parameter correctly.
V-239191 Medium The Photon operating system must protect all sysctl configuration files from unauthorized access.
V-239190 Medium The Photon operating system must protect sshd configuration from unauthorized access.
V-239195 Medium The Photon operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-239194 Medium The Photon operating system must configure sshd to disallow HostbasedAuthentication.
V-239171 Medium The Photon operating system must be configured so that all files have a valid owner and group owner.
V-239126 Medium The Photon operating system must configure sshd with a specific ListenAddress.
V-239127 Medium The Photon operating system must audit the execution of privileged functions.
V-239124 Medium The Photon operating system package files must not be modified.
V-239125 Medium The Photon operating system must set an inactivity timeout value for non-interactive sessions.
V-239122 Medium The Photon operating system must protect audit tools from unauthorized modification.
V-239123 Medium The Photon operating system must enforce password complexity by requiring that at least one special character be used.
V-239120 Medium The Photon operating system audit files and directories must have correct permissions.
V-239121 Medium The Photon operating system audit files and directories must have correct permissions.
V-239128 Medium The Photon operating system must configure auditd to keep five rotated log files.
V-239129 Medium The Photon operating system must configure auditd to keep five rotated log files.
V-239147 Medium The Photon operating system must set the FAIL_DELAY parameter.
V-239139 Medium The Photon operating system must use OpenSSH for remote maintenance sessions.
V-239131 Medium The Photon operating system must configure auditd to log space limit problems to syslog.
V-239130 Medium The Photon operating system must configure a cron job to rotate auditd logs daily.
V-239133 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239132 Medium The Photon operating system must be configured to synchronize with an approved DoD time source.
V-239135 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239134 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-239137 Medium The Photon operating system must prohibit the use of cached authenticators after one day.
V-239170 Medium The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
V-251878 Medium The Photon operating system must audit all account modifications.
V-239098 Medium The Photon operating system must store only encrypted representations of passwords.
V-239099 Medium The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.
V-239096 Medium The Photon operating system must require that new passwords are at least four characters different from the old password.
V-239097 Medium The Photon operating system must store only encrypted representations of passwords.
V-239094 Medium The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
V-239095 Medium The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
V-239092 Medium The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-239093 Medium The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
V-239090 Medium The Photon operating system must have the auditd service running.
V-239091 Medium The Photon operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-239148 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-239149 Medium The Photon operating system must ensure audit events are flushed to disk at proper intervals.
V-239144 Medium The Photon operating system must audit the insmod module.
V-239145 Medium The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
V-239146 Medium The Photon operating system must use the pam_cracklib module.
V-239136 Medium The Photon operating system must require users to reauthenticate for privilege escalation.
V-239140 Medium The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
V-239141 Medium The Photon operating system must remove all software components after updated versions have been installed.
V-239142 Medium The Photon operating system must generate audit records when the sudo command is used.
V-239143 Medium The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-239080 Medium The Photon operating system must have the sshd LogLevel set to "INFO".
V-239083 Medium The Photon operating system must configure auditd to use the correct log format.
V-239082 Medium The Photon operating system must configure auditd to log to disk.
V-239085 Medium The Photon operating system audit log must log space limit problems to syslog.
V-239084 Medium The Photon operating system must be configured to audit the execution of privileged functions.
V-239087 Medium The Photon operating system audit log must have correct permissions.
V-239086 Medium The Photon operating system audit log must attempt to log audit failures to syslog.
V-239089 Medium The Photon operating system audit log must be group-owned by root.
V-239088 Medium The Photon operating system audit log must be owned by root.
V-239159 Medium The Photon operating system must configure sshd to use privilege separation.
V-239158 Medium The Photon operating system must configure sshd to disallow Kerberos authentication.
V-239157 Medium The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
V-239156 Medium The Photon operating system must configure sshd to disable X11 forwarding.
V-239155 Medium The Photon operating system must configure sshd to disable environment processing.
V-239154 Medium The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
V-239152 Medium The Photon operating system must disable the debug-shell service.
V-239151 Medium The Photon operating system must create a home directory for all new local interactive user accounts.
V-239150 Medium The Photon operating system must ensure root $PATH entries are appropriate.
V-239162 Medium The Photon operating system must configure sshd to display the last login immediately after authentication.
V-239163 Medium The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
V-239160 Medium The Photon operating system must configure sshd to disallow authentication with an empty password.
V-239161 Medium The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
V-239166 Medium The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
V-239167 Medium The Photon operating system must be configured so that the /etc/skel default scripts are protected from unauthorized modification.
V-239164 Medium The Photon operating system must configure sshd to ignore user-specific known_host files.
V-239165 Medium The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
V-239168 Medium The Photon operating system must be configured so that the /root path is protected from unauthorized access.
V-239169 Medium The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.