UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide


Overview

Date Finding Count (104)
2023-10-29 CAT I (High): 13 CAT II (Med): 88 CAT III (Low): 3
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-258806 High The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.
V-258819 High The Photon operating system must not have the telnet package installed.
V-258818 High The operating system must store only encrypted representations of passwords.
V-258839 High The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.
V-258835 High The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.
V-258846 High The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.
V-258841 High The Photon operating system must enable symlink access control protection in the kernel.
V-258857 High The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.
V-258852 High The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-258864 High The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.
V-258900 High The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.
V-258871 High The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.
V-258870 High The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.
V-258801 Medium The Photon operating system must audit all account creations.
V-258802 Medium The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-258803 Medium The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.
V-258805 Medium The Photon operating system must monitor remote access logins.
V-258807 Medium The Photon operating system must configure auditd to log to disk.
V-258808 Medium The Photon operating system must enable the auditd service.
V-258809 Medium The Photon operating system must be configured to audit the execution of privileged functions.
V-258888 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-258889 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
V-258880 Medium The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.
V-258881 Medium The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.
V-258882 Medium The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.
V-258883 Medium The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.
V-258884 Medium The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime.
V-258885 Medium The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
V-258886 Medium The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
V-258887 Medium The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-258813 Medium The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-258812 Medium The Photon operating system must allow only authorized users to configure the auditd service.
V-258811 Medium The Photon operating system must protect audit logs from unauthorized access.
V-258810 Medium The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.
V-258817 Medium The Photon operating system must require the change of at least eight characters when passwords are changed.
V-258816 Medium The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
V-258815 Medium The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
V-258814 Medium The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
V-258899 Medium The Photon operating system must generate audit records for all access and modifications to the opasswd file.
V-258898 Medium The Photon operating system must disable systemd fallback DNS.
V-258893 Medium The Photon operating system must not perform IPv4 packet forwarding.
V-258892 Medium The Photon operating system must use a reverse-path filter for IPv4 network traffic.
V-258891 Medium The Photon operating system must log IPv4 packets with impossible addresses.
V-258890 Medium The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
V-258897 Medium The Photon operating system must enforce password complexity on the root account.
V-258896 Medium The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
V-258895 Medium The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
V-258894 Medium The Photon operating system must send TCP timestamps.
V-258826 Medium The Photon operating system must not have duplicate User IDs (UIDs).
V-258827 Medium The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-258824 Medium The Photon operating system must require authentication upon booting into single-user and maintenance modes.
V-258825 Medium The Photon operating system must disable unnecessary kernel modules.
V-258822 Medium The Photon operating system must prohibit password reuse for a minimum of five generations.
V-258823 Medium The Photon operating system must enforce a minimum 15-character password length.
V-258820 Medium The Photon operating system must enforce one day as the minimum password lifetime.
V-258821 Medium The Photon operating systems must enforce a 90-day maximum password lifetime restriction.
V-258828 Medium The Photon operating system must restrict access to the kernel message buffer.
V-258829 Medium The Photon operating system must be configured to use TCP syncookies.
V-258838 Medium The Photon operating system must enforce password complexity by requiring that at least one special character be used.
V-258831 Medium The Photon operating system /var/log directory must be restricted.
V-258830 Medium The Photon operating system must terminate idle Secure Shell (SSH) sessions after 15 minutes.
V-258833 Medium The Photon operating system must audit all account modifications.
V-258832 Medium The Photon operating system must reveal error messages only to authorized users.
V-258834 Medium The Photon operating system must audit all account removal actions.
V-258837 Medium The Photon operating system must protect audit tools from unauthorized access.
V-258836 Medium The Photon operating system must initiate session audits at system startup.
V-258848 Medium The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
V-258849 Medium The Photon operating system must remove all software components after updated versions have been installed.
V-258847 Medium The Photon operating system must require users to reauthenticate for privilege escalation.
V-258840 Medium The operating system must automatically terminate a user session after inactivity time-outs have expired.
V-258842 Medium The Photon operating system must audit the execution of privileged functions.
V-258843 Medium The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-258868 Medium The Photon operating system must audit all account modifications.
V-258869 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-258859 Medium The Photon operating system must prevent leaking information of the existence of a user account.
V-258858 Medium The Photon operating system must be configured to use the pam_faillock.so module.
V-258856 Medium The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-258855 Medium The Photon operating system must ensure audit events are flushed to disk at proper intervals.
V-258854 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.
V-258853 Medium The Photon operating system must prevent the use of dictionary words for passwords.
V-258851 Medium The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.
V-258850 Medium The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-258862 Medium The Photon operating system must persist lockouts between system reboots.
V-258863 Medium The Photon operating system must be configured to use the pam_pwquality.so module.
V-258860 Medium The Photon operating system must audit logon attempts for unknown users.
V-258861 Medium The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-258866 Medium The Photon operating system must enable Secure Shell (SSH) authentication logging.
V-258867 Medium The Photon operating system must terminate idle Secure Shell (SSH) sessions.
V-258865 Medium The Photon operating system must configure the Secure Shell (SSH) SyslogFacility.
V-258901 Medium The Photon operating system must enable the rsyslog service.
V-258903 Medium The Photon operating system must enable hardlink access control protection in the kernel.
V-258902 Medium The Photon operating system must be configured to use the pam_pwhistory.so module.
V-258904 Medium The Photon operating system must restrict core dumps.
V-258875 Medium The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.
V-258874 Medium The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
V-258877 Medium The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.
V-258876 Medium The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.
V-258873 Medium The Photon operating system must disable the debug-shell service.
V-258872 Medium The Photon operating system must create a home directory for all new local interactive user accounts.
V-258879 Medium The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.
V-258878 Medium The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.
V-258804 Low The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-258844 Low The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.
V-258845 Low The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.