UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide


Overview

Date Finding Count (113)
2023-02-21 CAT I (High): 1 CAT II (Med): 110 CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-256508 High The Photon operating system must require authentication upon booting into single-user and maintenance modes.
V-256569 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-256568 Medium The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-256561 Medium The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
V-256560 Medium The Photon operating system must be configured so the "/root" path is protected from unauthorized access.
V-256563 Medium The Photon operating system must be configured so that all files have a valid owner and group owner.
V-256562 Medium The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
V-256565 Medium The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
V-256564 Medium The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
V-256567 Medium The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
V-256566 Medium The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
V-256518 Medium The Photon operating system must audit all account modifications.
V-256519 Medium The Photon operating system must audit all account disabling actions.
V-256514 Medium The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
V-256515 Medium The Photon operating system "/var/log" directory must be owned by root.
V-256516 Medium The Photon operating system messages file must have the correct ownership and file permissions.
V-256517 Medium The Photon operating system must audit all account modifications.
V-256510 Medium The Photon operating system must not have duplicate User IDs (UIDs).
V-256511 Medium The Photon operating system must disable new accounts immediately upon password expiration.
V-256512 Medium The Photon operating system must use Transmission Control Protocol (TCP) syncookies.
V-256513 Medium The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
V-256590 Medium The Photon operating system must disable systemd fallback Domain Name System (DNS).
V-256509 Medium The Photon operating system must disable the loading of unnecessary kernel modules.
V-256507 Medium The Photon operating system must enforce a minimum eight-character password length.
V-256506 Medium The Photon operating system must prohibit password reuse for a minimum of five generations.
V-256505 Medium The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.
V-256504 Medium The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.
V-256503 Medium The Photon operating system must use an OpenSSH server version that does not support protocol 1.
V-256502 Medium The Photon operating system must store only encrypted representations of passwords.
V-256501 Medium The Photon operating system must require that new passwords are at least four characters different from the old password.
V-256500 Medium The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
V-256587 Medium The Photon operating system must configure sshd to restrict AllowTcpForwarding.
V-256586 Medium The Photon operating system must ensure the old passwords are being stored.
V-256585 Medium The Photon operating system must store only encrypted representations of passwords.
V-256584 Medium The Photon operating system must configure sshd to disallow HostbasedAuthentication.
V-256583 Medium The Photon operating system must set the "umask" parameter correctly.
V-256582 Medium The Photon operating system must protect all "sysctl" configuration files from unauthorized access.
V-256581 Medium The Photon operating system must protect sshd configuration from unauthorized access.
V-256580 Medium The Photon operating system must protect all boot configuration files from unauthorized modification.
V-256589 Medium The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-256588 Medium The Photon operating system must configure sshd to restrict LoginGraceTime.
V-256532 Medium The  Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.
V-256533 Medium The Photon operating system must require users to reauthenticate for privilege escalation.
V-256530 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-256531 Medium The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-256536 Medium The Photon operating system must remove all software components after updated versions have been installed.
V-256537 Medium The Photon operating system must generate audit records when the sudo command is used.
V-256535 Medium The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
V-256538 Medium The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-256539 Medium The Photon operating system must audit the "insmod" module.
V-256525 Medium The Photon operating system package files must not be modified.
V-256524 Medium The Photon operating system must enforce password complexity by requiring that at least one special character be used.
V-256527 Medium The Photon operating system must configure auditd to keep five rotated log files.
V-256526 Medium The Photon operating system must audit the execution of privileged functions.
V-256521 Medium The Photon operating system must initiate auditing as part of the boot process.
V-256520 Medium The Photon operating system must audit all account removal actions.
V-256523 Medium The Photon operating system must protect audit tools from unauthorized modification and deletion.
V-256522 Medium The Photon operating system audit files and directories must have correct permissions.
V-256529 Medium The Photon operating system must configure auditd to log space limit problems to syslog.
V-256528 Medium The Photon operating system must configure auditd to keep logging in the event max log file size is reached.
V-256488 Medium The Photon operating system must configure auditd to use the correct log format.
V-256489 Medium The Photon operating system must be configured to audit the execution of privileged functions.
V-256487 Medium The Photon operating system must configure auditd to log to disk.
V-256484 Medium The Photon operating system must have sshd authentication logging enabled.
V-256485 Medium The Photon operating system must have the sshd LogLevel set to "INFO".
V-256482 Medium The Photon operating system must set a session inactivity timeout of 15 minutes or less.
V-256483 Medium The Photon operating system must have the sshd SyslogFacility set to "authpriv".
V-256480 Medium The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting Secure Shell (SSH) access.
V-256481 Medium The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-256550 Medium The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
V-256551 Medium The Photon operating system must configure sshd to disallow Kerberos authentication.
V-256552 Medium The Photon operating system must configure sshd to disallow authentication with an empty password.
V-256553 Medium The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
V-256554 Medium The Photon operating system must configure sshd to display the last login immediately after authentication.
V-256555 Medium The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
V-256556 Medium The Photon operating system must configure sshd to ignore user-specific "known_host" files.
V-256557 Medium The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
V-256558 Medium The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
V-256559 Medium The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification.
V-256491 Medium The Photon operating system audit log must log space limit problems to syslog.
V-256490 Medium The Photon operating system must have the auditd service running.
V-256493 Medium The Photon operating system audit log must have correct permissions.
V-256492 Medium The Photon operating system audit log must attempt to log audit failures to syslog.
V-256495 Medium The Photon operating system audit log must be group-owned by root.
V-256494 Medium The Photon operating system audit log must be owned by root.
V-256497 Medium The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-256496 Medium The Photon operating system must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-256499 Medium The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
V-256498 Medium The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
V-256543 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-256542 Medium The Photon operating system must set the "FAIL_DELAY" parameter.
V-256541 Medium The Photon operating system must use the "pam_cracklib" module.
V-256540 Medium The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
V-256547 Medium The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
V-256546 Medium The Photon operating system must disable the debug-shell service.
V-256545 Medium The Photon operating system must create a home directory for all new local interactive user accounts.
V-256544 Medium The Photon operating system must ensure audit events are flushed to disk at proper intervals.
V-256549 Medium The Photon operating system must configure sshd to disable X11 forwarding.
V-256548 Medium The Photon operating system must configure sshd to disable environment processing.
V-256479 Medium The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
V-256478 Medium The Photon operating system must audit all account creations.
V-256576 Medium The Photon operating system must send Transmission Control Protocol (TCP) timestamps.
V-256577 Medium The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
V-256574 Medium The Photon operating system must not perform multicast packet forwarding.
V-256575 Medium The Photon operating system must not perform IPv4 packet forwarding.
V-256572 Medium The Photon operating system must log IPv4 packets with impossible addresses.
V-256573 Medium The Photon operating system must use a reverse-path filter for IPv4 network traffic.
V-256570 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
V-256571 Medium The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
V-256578 Medium The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.
V-256579 Medium The Photon operating system must enforce password complexity on the root account.
V-256534 Low The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
V-256486 Low The Photon operating system must configure sshd to use approved encryption algorithms.