VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide


Overview

Date: 2023-10-29
Finding Count: 104 (CAT I (High): 13, CAT II (Med): 88, CAT III (Low): 3)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-258806 High The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.
V-258819 High The Photon operating system must not have the telnet package installed.
V-258818 High The operating system must store only encrypted representations of passwords.
V-258839 High The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.
V-258835 High The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.
V-258846 High The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.
V-258841 High The Photon operating system must enable symlink access control protection in the kernel.
V-258857 High The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.
V-258852 High The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-258864 High The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.
V-258900 High The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.
V-258871 High The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.
V-258870 High The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.
V-258801 Medium The Photon operating system must audit all account creations.
V-258802 Medium The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-258803 Medium The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.
V-258805 Medium The Photon operating system must monitor remote access logins.
V-258807 Medium The Photon operating system must configure auditd to log to disk.
V-258808 Medium The Photon operating system must enable the auditd service.
V-258809 Medium The Photon operating system must be configured to audit the execution of privileged functions.
V-258888 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-258889 Medium The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
V-258880 Medium The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.
V-258881 Medium The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.
V-258882 Medium The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.
V-258883 Medium The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.
V-258884 Medium The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime.
V-258885 Medium The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
V-258886 Medium The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
V-258887 Medium The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-258813 Medium The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-258812 Medium The Photon operating system must allow only authorized users to configure the auditd service.
V-258811 Medium The Photon operating system must protect audit logs from unauthorized access.
V-258810 Medium The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.
V-258817 Medium The Photon operating system must require the change of at least eight characters when passwords are changed.
V-258816 Medium The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
V-258815 Medium The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
V-258814 Medium The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
V-258899 Medium The Photon operating system must generate audit records for all access and modifications to the opasswd file.
V-258898 Medium The Photon operating system must disable systemd fallback DNS.
V-258893 Medium The Photon operating system must not perform IPv4 packet forwarding.
V-258892 Medium The Photon operating system must use a reverse-path filter for IPv4 network traffic.
V-258891 Medium The Photon operating system must log IPv4 packets with impossible addresses.
V-258890 Medium The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
V-258897 Medium The Photon operating system must enforce password complexity on the root account.
V-258896 Medium The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.
V-258895 Medium The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
V-258894 Medium The Photon operating system must send TCP timestamps.
V-258826 Medium The Photon operating system must not have duplicate User IDs (UIDs).
V-258827 Medium The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-258824 Medium The Photon operating system must require authentication upon booting into single-user and maintenance modes.
V-258825 Medium The Photon operating system must disable unnecessary kernel modules.
V-258822 Medium The Photon operating system must prohibit password reuse for a minimum of five generations.
V-258823 Medium The Photon operating system must enforce a minimum 15-character password length.
V-258820 Medium The Photon operating system must enforce one day as the minimum password lifetime.
V-258821 Medium The Photon operating system must enforce a 90-day maximum password lifetime restriction.
V-258828 Medium The Photon operating system must restrict access to the kernel message buffer.
V-258829 Medium The Photon operating system must be configured to use TCP syncookies.
V-258838 Medium The Photon operating system must enforce password complexity by requiring that at least one special character be used.
V-258831 Medium The Photon operating system /var/log directory must be restricted.
V-258830 Medium The Photon operating system must terminate idle Secure Shell (SSH) sessions after 15 minutes.
V-258833 Medium The Photon operating system must audit all account modifications.
V-258832 Medium The Photon operating system must reveal error messages only to authorized users.
V-258834 Medium The Photon operating system must audit all account removal actions.
V-258837 Medium The Photon operating system must protect audit tools from unauthorized access.
V-258836 Medium The Photon operating system must initiate session audits at system startup.
V-258848 Medium The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
V-258849 Medium The Photon operating system must remove all software components after updated versions have been installed.
V-258847 Medium The Photon operating system must require users to reauthenticate for privilege escalation.
V-258840 Medium The operating system must automatically terminate a user session after inactivity time-outs have expired.
V-258842 Medium The Photon operating system must audit the execution of privileged functions.
V-258843 Medium The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-258868 Medium The Photon operating system must audit all account modifications.
V-258869 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-258859 Medium The Photon operating system must prevent leaking information of the existence of a user account.
V-258858 Medium The Photon operating system must be configured to use the pam_faillock.so module.
V-258856 Medium The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-258855 Medium The Photon operating system must ensure audit events are flushed to disk at proper intervals.
V-258854 Medium The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.
V-258853 Medium The Photon operating system must prevent the use of dictionary words for passwords.
V-258851 Medium The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.
V-258850 Medium The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-258862 Medium The Photon operating system must persist lockouts between system reboots.
V-258863 Medium The Photon operating system must be configured to use the pam_pwquality.so module.
V-258860 Medium The Photon operating system must audit logon attempts for unknown users.
V-258861 Medium The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-258866 Medium The Photon operating system must enable Secure Shell (SSH) authentication logging.
V-258867 Medium The Photon operating system must terminate idle Secure Shell (SSH) sessions.
V-258865 Medium The Photon operating system must configure the Secure Shell (SSH) SyslogFacility.
V-258901 Medium The Photon operating system must enable the rsyslog service.
V-258903 Medium The Photon operating system must enable hardlink access control protection in the kernel.
V-258902 Medium The Photon operating system must be configured to use the pam_pwhistory.so module.
V-258904 Medium The Photon operating system must restrict core dumps.
V-258875 Medium The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.
V-258874 Medium The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
V-258877 Medium The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.
V-258876 Medium The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.
V-258873 Medium The Photon operating system must disable the debug-shell service.
V-258872 Medium The Photon operating system must create a home directory for all new local interactive user accounts.
V-258879 Medium The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.
V-258878 Medium The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.
V-258804 Low The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-258844 Low The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.
V-258845 Low The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.