View STIG - Nutanix AOS 5.20.x Application Security Technical Implementation Guide V1R1

b

Nutanix AOS must automatically terminate a user session after 15 minutes of inactivity.

IA-11 - Medium - CCI-002038 - V-254097 - SV-254097r846379_rule

RMF Control

IA-11

Severity

Medium

CCI

CCI-002038

Version

NUTX-AP-000010

Vuln IDs

V-254097

Rule IDs

SV-254097r846379_rule

An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user's logical session except those processes specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253, SRG-APP-000390-AS-000254

Checks: C-57582r846377_chk

Confirm Nutanix AOS Session Timeout settings are set to 15 minutes. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to "UI Settings" in the left navigation pane. For each user type, verify that the Session Timeout is set correctly. If not, this is a finding.

Fix: F-57533r846378_fix

Configure Nutanix AOS Session Timeout settings to 15 minutes. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to "UI Settings" in the left navigation pane. 4. Set the Session Timeout settings to 15 minutes per user type.

b

Nutanix AOS must disable Remote Support Sessions.

AC-17 - Medium - CCI-002314 - V-254098 - SV-254098r846382_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-002314

Version

NUTX-AP-000020

Vuln IDs

V-254098

Rule IDs

SV-254098r846382_rule

Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by logging connection activities of remote users. Examples of policy requirements include, but are not limited to, authorizing remote access to the information system, limiting access based on authentication credentials, and monitoring for unauthorized access.

Checks: C-57583r846380_chk

Confirm Nutanix AOS Prism Elements is configured to manage remote access. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Remote Support section to verify the ability to disable remote sessions, and that it is checked. If Disable Remote Sessions is not available, or is not checked, this is a finding.

Fix: F-57534r846381_fix

Configure Nutanix AOS Prism Elements to disable Remote Sessions. If the ability to disable Remote Sessions is not available there is corruption within the CVM. A rebuild is necessary to clear out the corruption and get the CVM back to a positive state. Rebuild the CVM by booting from ISO.

c

Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.

AC-17 - High - CCI-000068 - V-254099 - SV-254099r858120_rule

RMF Control

AC-17

Severity

High

CCI

CCI-000068

Version

NUTX-AP-000040

Vuln IDs

V-254099

Rule IDs

SV-254099r858120_rule

Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000015-AS-000010

Checks: C-57584r846383_chk

Validate that the Signing Algorithm of the current SSL certificate. In the Prism UI, click the gear icon, and then select Settings >> SSL Certificate. If there is no SSL Certificate loaded, this is a finding.

Fix: F-57535r858120_fix

Import a DoD PKI issued SSL Certificate by Following the "Install an SSL Certificate" instructions in the "AOS Security Guide" located on the Nutanix Portal or by completing the following steps. 1. Click the gear icon in the main menu, and then select SSL Certificate in the Settings page. The SSL Certificate dialog box appears. 2. To replace (or install) a certificate, click "Replace Certificate". 3. To apply a custom certificate that the user provides: a. Click the Import Key and Certificate option, and then click "Next". b. Complete the fields as follows, and then click the "Import Files". Note: All three imported files for the custom certificate must be PEM encoded. i. Private Key Type: Select the appropriate type for the signed certificate from the pull-down list (RSA 4096 bit, RSA 2048 bit, EC DSA 256 bit, EC DSA 384 bit, or EC DSA 521). ii. Private Key: Click "Browse", and then select the private key associated with the certificate to be imported. iii. Public Certificate: Click "Browse", and then select the signed public portion of the server certificate corresponding to the private key. iv. CA Certificate/Chain: Click "Browse", and then select the certificate or chain of the signing authority for the public certificate. Use the "cat" command to concatenate a list of CA certificates into a chain file. $ cat signer.crt inter.crt root.crt > server.cert

b

Nutanix AOS role mapping must be configured to the lowest privilege level needed for user access.

AC-3 - Medium - CCI-000213 - V-254100 - SV-254100r846388_rule

RMF Control

AC-3

Severity

Medium

CCI

CCI-000213

Version

NUTX-AP-000060

Vuln IDs

V-254100

Rule IDs

SV-254100r846388_rule

Strong access controls are critical to securing the application server. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by the application server to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, application domains) in the application server. Without stringent logical access and authorization controls, an adversary may have the ability, with very little effort, to compromise the application server and associated supporting infrastructure.

Checks: C-57585r846386_chk

Nutanix AOS supports user and group role mapping. Ensure all users or groups match that of the documented mapping policies defined by the ISSO. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to "role mapping". For each user or group listed, ensure the role granted is according to access control policies. If not, this is a finding.

Fix: F-57536r846387_fix

Configure the user and group mappings to be compliant with the documented mapping policies defined by the ISSO. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to "role mapping". 4. Add users and groups to role mappings per policy.

b

Nutanix AOS must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

AC-6 - Medium - CCI-002235 - V-254101 - SV-254101r846391_rule

RMF Control

AC-6

Severity

Medium

CCI

CCI-002235

Version

NUTX-AP-000070

Vuln IDs

V-254101

Rule IDs

SV-254101r846391_rule

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Restricting nonprivileged users also prevents an attacker, who has gained access to a nonprivileged account, from elevating privileges, creating accounts, and performing system checks and maintenance.

Checks: C-57586r846389_chk

Display a list of configured users and their roles on the Prism UI: 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to "Local User Management". Validate that only authorized accounts have been assigned the "Cluster Admin" role by comparing the above list against the approved user list provided by the ISSM. If there are any users assigned the "Cluster Admin" role that have not been authorized by the ISSM, this is a finding.

Fix: F-57537r846390_fix

Assign the privileged users identified by the ISSM to the Cluster Admin role.

a

Nutanix AOS must display the standard Mandatory DoD Notice and Consent Banner before granting access to the system.

AC-8 - Low - CCI-000048 - V-254102 - SV-254102r846394_rule

RMF Control

AC-8

Severity

Low

CCI

CCI-000048

Version

NUTX-AP-000080

Vuln IDs

V-254102

Rule IDs

SV-254102r846394_rule

Application servers are required to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance that states that: (i) Users are accessing a U.S. Government information system; (ii) System usage may be monitored, recorded, and subject to audit; (iii) Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) The use of the system indicates consent to monitoring and recording. System use notification messages can be implemented in the form of warning banners displayed when individuals log on to the information system. System use notification is intended only for information system access including an interactive logon interface with a human user, and is not required when an interactive interface does not exist. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Satisfies: SRG-APP-000068-AS-000035, SRG-APP-000069-AS-000036

Checks: C-57587r846392_chk

Validate that the Prism WebUI "Welcome Banner" is enabled. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the "Welcome Banner". 4. Verify the "Enable Banner" box is selected. If the "Enable Banner" box is not checked, this is a finding. Confirm Nutanix AOS Prism WebUI is set to display the Standard Mandatory DoD Notice and Consent Banner. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the "Welcome Banner". If the Welcome Banner is not configured with the Standard Mandatory DoD Notice and Consent Banner, this is a finding.

Fix: F-57538r846393_fix

Configure Nutanix AOS Prism Elements WebUI to display the Standard Mandatory DoD Notice and Consent Banner. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the "Welcome Banner". 4. Set the Welcome Banner to be configured with the Standardized DoD Use Notification. 5. Check "Enable Banner". 6. Click "Save".

b

Nutanix AOS must offload log records onto a syslog server.

AU-10 - Medium - CCI-000166 - V-254103 - SV-254103r846397_rule

RMF Control

AU-10

Severity

Medium

CCI

CCI-000166

Version

NUTX-AP-000110

Vuln IDs

V-254103

Rule IDs

SV-254103r846397_rule

Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Offloading is a common process in information systems with limited log storage capacity. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to offload log records onto a different system or media than the system being logged. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000358-AS-000064, SRG-APP-000515-AS-000203

Checks: C-57588r846395_chk

Confirm Nutanix AOS is configured to offload log records onto a different system. $ ncli rsyslog-config ls-servers If no remote syslog servers are defined, this is a finding.

Fix: F-57539r846396_fix

Configure Nutanix AOS to offload log records onto a different system by running the following command. $ ncli rsyslog-config add-server name=<remote_server_name> relp-enabled=<true | false> ip-address=<remote_ip_address> port=<port_num> network-protocol=<tcp | udp>

b

Nutanix AOS must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75 percent of maximum log record storage capacity.

AU-5 - Medium - CCI-001855 - V-254104 - SV-254104r846400_rule

RMF Control

AU-5

Severity

Medium

CCI

CCI-001855

Version

NUTX-AP-000130

Vuln IDs

V-254104

Rule IDs

SV-254104r846400_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. Notification of the storage condition will allow administrators to take actions so that logs are not lost. This requirement can be met by configuring the application server to utilize a dedicated logging tool that meets this requirement. Satisfies: SRG-APP-000359-AS-000065, SRG-APP-000360-AS-000066

Checks: C-57589r846398_chk

Confirm Nutanix Cluster Check (NCC) "CVM DISK | System Audit Volume Usage" is enabled and the threshold values are set correctly. 1. Log in to Prism Element. 2. Select "Health dashboard" from navigation dropdown. 3. Select Actions >> Manage Checks. 4. Scroll down to CVM | Disk section, and then select "System Audit Volume Usage". If the selected check is Disabled, this is a finding. Validate the Alert Policy settings for Warning and Critical are set to 75 percent. If the Warning or Critical values are not set to 75 percent, this is a finding.

Fix: F-57540r846399_fix

Configure Nutanix Cluster Check (NCC) "CVM DISK | System Audit Volume Usage" is enabled and the threshold values are set to organization-defined values. 1. Log in to Prism Element. 2. Select "Health dashboard" from navigation dropdown. 3. Select Actions >> Manage Checks. 4. Scroll down to CVM | Disk section, select "System Audit Volume Usage". 5. If check is disabled, click to enable the check. 6. Select "Alert Policy", set the values for "Warning" and "Critical" thresholds to 75 percent and click "Save".

b

Nutanix AOS must be configured to send Cluster Check alerts to the SA and ISSO.

AU-5 - Medium - CCI-000139 - V-254105 - SV-254105r846403_rule

RMF Control

AU-5

Severity

Medium

CCI

CCI-000139

Version

NUTX-AP-000150

Vuln IDs

V-254105

Rule IDs

SV-254105r846403_rule

Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure can be lost. To minimize the timeframe of the log failure, an alert needs to be sent to the SA and ISSO at a minimum. Log processing failures include, but are not limited to, failures in the application server log capturing mechanisms or log storage capacity being reached or exceeded. In some instances, it is preferred to send alarms to individuals rather than to an entire group. Application servers must be able to trigger an alarm and send an alert to, at a minimum, the SA and ISSO in the event there is an application server log processing failure.

Checks: C-57590r846401_chk

Confirm Nutanix AOS is set to send SMTP alerts to the organization identified email address(es). 1. Log in to Nutanix Prism Elements. 2. Select "Health" dashboard. 3. On the Actions tab, select "Set NCC Frequency". If the Frequency setting and email address(es) are not set to organization-identified frequency and recipient, this is a finding.

Fix: F-57541r846402_fix

Configure Nutanix Cluster Check (NCC) within Prism Elements to meet the Organization identified frequency and recipient. 1. Log in to Nutanix Prism Elements. 2. Select "Health" dashboard. 3. On the Actions tab, select "Set NCC Frequency". 4. Enter frequency timeframe. 5. Enter recipient email address(es).

a

Nutanix AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources.

AU-8 - Low - CCI-000159 - V-254106 - SV-254106r846406_rule

RMF Control

AU-8

Severity

Low

CCI

CCI-000159

Version

NUTX-AP-000160

Vuln IDs

V-254106

Rule IDs

SV-254106r846406_rule

Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet this requirement, the organization will define an authoritative time source and have each system compare its internal clock at least every 24 hours. Satisfies: SRG-APP-000371-AS-000077, SRG-APP-000372-AS-000212, SRG-APP-000116-AS-000076

Checks: C-57591r846404_chk

Confirm Nutanix AOS Prism Elements is configured to use redundant NTP sources. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the NTP Servers section. 4. Ensure external NTP servers have been configured. If external NTP sources are not configured, this is a finding.

Fix: F-57542r846405_fix

Configure Nutanix AOS Prism Elements to use redundant authoritative NTP time sources. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the NTP Servers section. 4. Configure two authoritative NTP servers.

b

Nutanix AOS must protect log information from any type of unauthorized access.

AU-9 - Medium - CCI-000162 - V-254107 - SV-254107r846409_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-000162

Version

NUTX-AP-000190

Vuln IDs

V-254107

Rule IDs

SV-254107r846409_rule

If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access. Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080

Checks: C-57592r846407_chk

Confirm Nutanix AOS application server log files are protected from unauthorized read access. The Nutanix AOS application server log files are owned by the Nutanix user and have a file permission of "640". Step 1. Identify actual file name by looking at alert_manager.INFO, which is a symlink for the actual rotating file name. $ sudo ls -al /home/nutanix/data/logs/alert_manager.INFO lrwxrwxrwx. 1 nutanix nutanix 75 Nov 1 17:50 /home/nutanix/data/logs/alert_manager.INFO -> alert_manager.ntnx-<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER> Step 2. Execute a stat command on the actual application server log file name. $ sudo stat -c "%a %n" /home/nutanix/data/logs/alert_manager.ntnx-<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER> 640 /home/nutanix/data/logs/alert_manager.ntnx<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER> If the output of the actual log file name is not "640", this is a finding.

Fix: F-57543r846408_fix

To configure Nutanix AOS Prism Elements application server log file permissions, run the following command: $ sudo salt-call state.sls security/CVM/interactivenutanixCVM

b

Nutanix AOS must enforce access restrictions associated with changes to application server configuration.

CM-5 - Medium - CCI-001813 - V-254108 - SV-254108r858121_rule

RMF Control

CM-5

Severity

Medium

CCI

CCI-001813

Version

NUTX-AP-000220

Vuln IDs

V-254108

Rule IDs

SV-254108r858121_rule

When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant effects on the overall security of the system. Access restrictions for changes also include application software libraries. If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.

Checks: C-57593r858121_chk

Confirm Nutanix Prism Elements is setup with Role Based Access Controls. 1. Log in into Nutanix Prism Elements. 2. Select the gear icon on top right corner. 3. Select "Authentication" from left navigation pane. If no Organizational approved Directory (AD/LDAP) is listed, this is a finding. 4. Select "Role Mapping". If no Role mappings are listed, this is a finding.

Fix: F-57544r846411_fix

Configure Nutanix AOS Prism Elements to use Role Base Access Control with an Organization approved Directory (AD, LDAP). 1. Log in into Nutanix Prism Elements. 2. Select the gear icon on top right corner. 3. Select "Authentication" from left navigation pane. 4. Add an authenticated Organization approved Directory. 5. Setup Role Mappings for Users and or Groups.

b

Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users.

IA-2 - Medium - CCI-000764 - V-254109 - SV-254109r858122_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-000764

Version

NUTX-AP-000270

Vuln IDs

V-254109

Rule IDs

SV-254109r858122_rule

To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution.

Checks: C-57594r858122_chk

Verify that Nutanix AOS is set to use enterprise user management systems. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the "Authentication" settings. If an Active Directory or OpenLDAP server is not configured, this is a finding. Verify that only one local user account exists as the account of last resort. Navigate to Local User Management. If more than one local user account exists, this is a finding.

Fix: F-57545r846414_fix

Configure Nutanix AOS to use an enterprise user management system to authenticate individual users. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. 4. Add an Active Directory or OpenLDAP server to the Directory List. Configure one local admin user as the account of last resort. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to "Local User Management". 4. Select "+ New Users".

b

Nutanix AOS must use multifactor authentication for account access.

IA-2 - Medium - CCI-000765 - V-254110 - SV-254110r858401_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-000765

Version

NUTX-AP-000280

Vuln IDs

V-254110

Rule IDs

SV-254110r858401_rule

Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition. A privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface. When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled. Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103

Checks: C-57595r858123_chk

Confirm Nutanix AOS is set to use multifactor authentication. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. If CAC authentication is not enabled, this is a finding.

Fix: F-57546r858401_fix

Configure Nutanix AOS Prism Elements to use CAC authentication. 1. Log in to Prism Elements. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. 4. Select the "Configure Service Account" check box, and then complete the following in the indicated fields: a. Select the authentication directory that contains the CAC users that to be authenticated. This list includes the directories configured on the Directory List tab. b. Service Username: Enter the username in the user name@domain.com format the web console will use to log in to the Active Directory. c. Service Password: Enter the password for the service user name. d. Click "Enable CAC".

b

Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface.

IA-5 - Medium - CCI-000187 - V-254111 - SV-254111r858402_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000187

Version

NUTX-AP-000290

Vuln IDs

V-254111

Rule IDs

SV-254111r858402_rule

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. PIV credentials are only used in an unclassified environment. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as its use as a primary component of layered protection for national security systems. The application server must support the use of PIV credentials to access the management interface and perform management functions. Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000177-AS-000126, SRG-APP-000401-AS-000243, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248

Checks: C-57596r858124_chk

Confirm Nutanix AOS is set to use multifactor authentication. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. If CAC authentication is not enabled, this is a finding.

Fix: F-57547r858402_fix

Configure Nutanix AOS Prism Elements to use CAC authentication. 1. Log in to Prism Elements. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. 4. Select the "Configure Service Account" check box, and then complete the following in the indicated fields: a. Select the authentication directory that contains the CAC users to be authenticated. This list includes the directories configured on the Directory List tab. b. Service Username: Enter the username in the user name@domain.com format that the web console will use to log in to the Active Directory. c. Service Password: Enter the password for the service user name. d. Click "Enable CAC".

c

Nutanix AOS must utilize encryption when using LDAP for authentication.

IA-5 - High - CCI-000197 - V-254112 - SV-254112r858125_rule

RMF Control

IA-5

Severity

High

CCI

CCI-000197

Version

NUTX-AP-000340

Vuln IDs

V-254112

Rule IDs

SV-254112r858125_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.

Checks: C-57597r858125_chk

Confirm Nutanix AOS is set to use encryption when using LDAP. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. 4. Add an Active Directory or OpenLDAP server to the Directory List. If an Active Directory or OpenLDAP server is not using port 636, this is a finding.

Fix: F-57548r846423_fix

Configure Nutanix AOS to utilize an Active Directory server to authenticate individual users. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Authentication settings. 4. Add an Active Directory or OpenLDAP server to the Directory List utilizing SSL encrypted port 636.

c

Nutanix AOS must perform RFC 5280-compliant certification path validation.

IA-5 - High - CCI-000185 - V-254113 - SV-254113r846427_rule

RMF Control

IA-5

Severity

High

CCI

CCI-000185

Version

NUTX-AP-000360

Vuln IDs

V-254113

Rule IDs

SV-254113r846427_rule

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

Checks: C-57598r846425_chk

Confirm Nutanix AOS is that OCSP checking is enabled. $ ncli authconfig get-client-authentication-config 'Auth Config Status : true' If "Auth config status" is not set to "true", this is a finding.

Fix: F-57549r846426_fix

Configure Nutanix AOS to use OCSP for certificate revocation. Set the OCSP responder URL. $ ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url><ocsp url>

c

Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.

SC-13 - High - CCI-002450 - V-254114 - SV-254114r846430_rule

RMF Control

SC-13

Severity

High

CCI

CCI-002450

Version

NUTX-AP-000430

Vuln IDs

V-254114

Rule IDs

SV-254114r846430_rule

Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions. Satisfies: SRG-APP-000514-AS-000137, SRG-APP-000427-AS-000264

Checks: C-57599r846428_chk

Confirm Nutanix AOS is configured with a trusted DoD root CA signed certificate. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the SSL Certificate section. 4. Ensure the approved CA signed certificate is installed. If the certificate used is not from an approved DoD-approved CA, this is a finding.

Fix: F-57550r846429_fix

Configure Nutanix AOS to use a trusted DoD root CA signed certificate. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the SSL Certificate section. 4. Click "Relace Certificate". 5. Select "Import Key and Certificate". 6. Select the Private Key Type and upload the Private key; Public Certificate, and the CA Certificate or chain. 7. Select "Import Files".

c

Nutanix AOS must protect the confidentiality and integrity of all information at rest.

SC-28 - High - CCI-001199 - V-254115 - SV-254115r846433_rule

RMF Control

SC-28

Severity

High

CCI

CCI-001199

Version

NUTX-AP-000450

Vuln IDs

V-254115

Rule IDs

SV-254115r846433_rule

When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, data owners and DoD consider routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information. The strength of mechanisms is commensurate with the classification and sensitivity of the information. The application server must directly provide, or provide access to, cryptographic libraries and functionality that allow applications to encrypt data when it is stored. Satisfies: SRG-APP-000231-AS-000133, SRG-APP-000231-AS-000156, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157

Checks: C-57600r846431_chk

Confirm Nutanix AOS is set to use data at rest encryption. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Data-at-Rest Encryption section. 4. Ensure "Software Encryption" is enabled. If Software Encryption is not configured, this is a finding.

Fix: F-57551r846432_fix

Configure Nutanix AOS to use data at rest encryption 1. Log in to Prism Element. 2. Click on the gear icon in the upper right. 3. Navigate to the Data-at-Rest Encryption section. 4. Select "edit configuration". 5. Select either the Cluster local KMS or an External KMS. 6. Click "Protect" and then type "ENCRYPT" to confirm.

b

Nutanix AOS must restrict error messages only to authorized users.

SI-11 - Medium - CCI-001314 - V-254116 - SV-254116r846436_rule

RMF Control

SI-11

Severity

Medium

CCI

CCI-001314

Version

NUTX-AP-000490

Vuln IDs

V-254116

Rule IDs

SV-254116r846436_rule

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages created by the application server. All application server user accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Checks: C-57601r846434_chk

The Nutanix AOS application server log files are owned by the Nutanix user and have a file permission of "640". Step 1. Identify actual file name by looking at alert_manager.INFO, which is a symlink, the actual rotating file name. $ sudo ls -al /home/nutanix/data/logs/alert_manager.INFO lrwxrwxrwx. 1 nutanix nutanix 75 Nov 1 17:50 /home/nutanix/data/logs/alert_manager.INFO -> alert_manager.ntnx-<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER> Step 2. Execute a stat command on the actual application server log file name. $ sudo stat -c "%a %n" /home/nutanix/data/logs/alert_manager.ntnx-<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER> 640 /home/nutanix/data/logs/alert_manager.ntnx<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER> If the output of the actual log file name is not "640", this is a finding.

Fix: F-57552r846435_fix

Configure Nutanix AOS Prism Elements application server log file permissions, run the following command: $ sudo salt-call state.sls security/CVM/interactivenutanixCVM

b

Nutanix AOS must separate hosted application functionality from application server management functionality.

SC-2 - Medium - CCI-001082 - V-254117 - SV-254117r846439_rule

RMF Control

SC-2

Severity

Medium

CCI

CCI-001082

Version

NUTX-AP-000890

Vuln IDs

V-254117

Rule IDs

SV-254117r846439_rule

The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents nonprivileged users from having visibility to functions not available to the user. By limiting visibility, a compromised nonprivileged account does not offer information to the attacker to functionality and information needed to further the attack on the application server. Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. The hosted application and hosted application functionality consists of the assets needed for the application to function, such as the business logic, databases, user authentication, etc. The separation of application server administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.

Checks: C-57602r846437_chk

Management information flow can be isolated to a separate vLAN from the guest VMs. 1. Log in to Prism Element. 2. Click on the gear icon in the upper right corner. 3. Under the "Settings" menu click "Network Configuration", and then select the "Internal Interfaces" tab. 4. Click on the "Management LAN" option. If VLAN ID is "0" or blank, this is a finding.

Fix: F-57553r846438_fix

1. Log in to Prism Element. 2. Click on the gear icon in the upper right corner. 3. Under the "Settings" menu click "Network Configuration", and then select the "Internal Interfaces" tab. 4. Click the "Management LAN" option. 5. Set the VLAN to the VLAN used for management functions. SSH into each CVM host as user nutanix and issue the following command: change_cvm_vlan vlan_id. SSH into each AHV host as root and issue the following command: ovs-vsctl set port br0 tag=vlan_id Note: Network switches connected to all Nutanix nodes must be appropriately configured with the same vlan_id.

b

Nutanix AOS must configure network traffic segmentation when using Disaster Recovery Services.

SC-2 - Medium - CCI-001082 - V-254118 - SV-254118r858375_rule

RMF Control

SC-2

Severity

Medium

CCI

CCI-001082

Version

NUTX-AP-000895

Vuln IDs

V-254118

Rule IDs

SV-254118r858375_rule

The application server consists of the management interface and hosted applications, as well as cluster management functions. Separating the management interface from hosted applications prevents nonprivileged users from having visibility to functions not available to the user. Isolating cluster management functions ensures that cluster housekeeping tasks such as disaster recovery, replication, etc. function on their own network segment away from production traffic. Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. The hosted application and hosted application functionality consists of the assets needed for the application to function, such as the business logic, databases, user authentication, etc. The separation of application server administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.

Checks: C-57603r846440_chk

DR network traffic segmentation is required when using Disaster Recovery Services. Disaster recovery can be used with Asynchronous, NearSync, and Metro Availability replications only if both the primary site and the recovery site are configured with Network Segmentation. Validate that Disaster Recovery Services is configured to use Specific Network Traffic Segmentation. If Disaster Recovery services are not in use this check is NA. 1. Log in to the Prism Elements web console and click the gear icon at the top-right corner of the page. 2. In the left pane, click "Network Configuration". 3. In the details pane, on the Internal Interfaces tab, review the existing interfaces to ensure there is an identified interface for DR traffic. If no identified network interface is defined for DR traffic, this is a finding.

Fix: F-57554r858375_fix

For the most current setup instructions, refer to the version-specific AOC Security Guide on the Nutanix Portal: https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v5_20:Nutanix-Security-Guide-v5_20 An excerpt from the AOS Security Guide is provided. Isolating the traffic associated with a specific service (DR) is a two-step process. To isolate a service to a separate virtual network, complete the following: 1. Log in to the Prism web console and click the gear icon at the top-right corner of the page. 2. In the left pane, click "Network Configuration". 3. In the details pane, on the Internal Interfaces tab, click "Create New Interface". 4. On the Interface Details tab, complete the following: a. Specify a descriptive name for the network segment. b. (On AHV) Optionally, in VLAN ID, specify a VLAN ID. Note: Ensure that the VLAN ID is configured on the physical switch. c. In Bridge (on AHV) or CVM Port Group (on ESXi), select the bridge or port group created for the network segment. d. To specify an IP address pool for the network segment, click "Create New IP Pool", and then, in the IP Pool dialog box, do the following: i. In Name, specify a name for the pool. ii. In Netmask, specify the network mask for the pool. iii. Click "Add an IP Range", specify the start and end IP addresses in the IP Range dialog box that is displayed. iv. Use Add an IP Range to add as many IP address ranges as needed. Note: Add at least n+1 IP addresses in an IP range considering n is the number of nodes in the cluster. v. Click "Save". vi. Use Add an IP Pool to add more IP address pools. Use only one IP address pool at any given time. vii. Select the IP address pool to be used, and then click "Next". Note: An existing unused IP address pool can also be used. 5. On the Feature Selection tab, do the following: Note: Network segmentation cannot be enabled for multiple services at the same time. Complete the configuration for one service before enabling network segmentation for another service. a. Select the service whose traffic is to be isolated. b. Configure the settings for the selected service. Note: The settings on this page depend on the services selected. For information about service-specific settings, refer to Service-Specific Settings and Configurations. c. Click "Save". 6. In the "Create Interface" dialog box, click "Save". Note: The CVMs are rebooted multiple times, one after another. This procedure might trigger more tasks on the cluster. For example, if configuring network segmentation for disaster recovery, the firewall rules are added on the CVM to allow traffic on the specified ports through the new CVM interface and updated when a new recovery cluster is added or an existing cluster is modified. What to do next: Refer to Service-Specific Settings and Configurations for any additional tasks that are required after the network for a service is segmented. Disaster Recovery with Protection Domains: The settings for configuring network segmentation for disaster recovery apply to all Asynchronous, NearSync, and Metro Availability replication schedules. Disaster recovery can be used with Asynchronous, NearSync, and Metro Availability replications only if both the primary site and the recovery site are configured with Network Segmentation. Before enabling or disabling the network segmentation on a host, disable all the disaster recovery replication schedules running on that host. Note: Network segmentation does not support disaster recovery with Leap. Remote Site Configuration: After configuring network segmentation for disaster recovery, configure remote sites at both locations. Reconfigure remote sites if network segmentation is disabled. For information about configuring remote sites, refer to Site Configuration in the Data Protection and Recovery with Prism Element Guide. Segmenting a Stretched Layer 2 Network for Disaster Recovery: A stretched Layer 2 network configuration allows the source and remote metro clusters to be in the same broadcast domain and communicate without a gateway. About this task: Network segmentation can be enabled for disaster recovery on a stretched Layer 2 network that does not have a gateway. A stretched Layer 2 network is usually configured across the physically remote clusters such as a metro availability cluster deployment. A stretched Layer 2 network allows the source and remote clusters to be configured in the same broadcast domain without the usual gateway. Refer to AOS Release Notes for minimum AOS version required to configure a stretched Layer 2 network. To configure a network segment as a stretched L2 network, do the following. Procedure: Run the following command: nutanix@cvm$ network_segmentation --service_network --service_name=kDR --ip_pool=DR-ip-pool-name --service_vlan=DR-vlan-id --desc_name=Description --host_physical_network=portgroup/bridge --stretched_metro Replace the following: (Refer to Isolating Service-Specific Traffic for the information) * DR-ip-pool-name with the name of the IP Pool created for the DR service or any existing unused IP address pool. * DR-vlan-id with the VLAN ID being used for the DR service. * Description with a suitable description of this stretched L2 network segment. * portgroup/bridge with the details of Bridge or CVM Port Group used for the DR service.

b

Nutanix AOS must be running an operating system release that is currently supported by the vendor.

SI-2 - Medium - CCI-002605 - V-254119 - SV-254119r846445_rule

RMF Control

SI-2

Severity

Medium

CCI

CCI-002605

Version

NUTX-AP-001080

Vuln IDs

V-254119

Rule IDs

SV-254119r846445_rule

Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes) to production systems after thorough testing of the patches within a lab environment. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.

Checks: C-57604r846443_chk

1. Log in to the Prism Element web interface. 2. Click on the person's name that just logged in. 3. In the drop down menu, click "About Nutanix". 4. Compare the Nutanix AOS version against the supported versions in the Nutanix support portal. https://www.nutanix.com/support-services/product-support If the AOS version is not supported as indicated in the Nutanix support portal, this is a finding.

Fix: F-57555r846444_fix

Use Nutanix LCM and upgrade to a supported version.