VMware vSphere 6.7 Photon OS V1R4

b

The Photon operating system must be configured to offload audit logs to a syslog server.

AU-4 - Medium - CCI-001851 - V-239072 - SV-239072r840145_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

PHTN-67-000129

Vuln IDs

V-239072

Rule IDs

SV-239072r840145_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000447-GPOS-00201

Checks: C-42283r675022_chk

At the command prompt, execute the following command: # grep -v "^#" /etc/vmware-syslog/stig-services-auditd.conf Expected result: input(type="imfile" File="/var/log/audit/audit.log" Tag="auditd" Severity="info" Facility="local0") If the file does not exist, this is a finding. If the output of the command does not match the expected result above, this is a finding.

Fix: F-42242r840144_fix

Open /etc/vmware-syslog/stig-services-auditd.conf with a text editor. Create the file if it does not exist. Set the contents of the file as follows: input(type="imfile" File="/var/log/audit/audit.log" Tag="auditd" Severity="info" Facility="local0")

b

The Photon operating system must audit all account creations.

AC-2 - Medium - CCI-000018 - V-239073 - SV-239073r816595_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000018

Version

PHTN-67-000001

Vuln IDs

V-239073

Rule IDs

SV-239073r816595_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.

Checks: C-42284r816593_chk

At the command line, execute the following command: # auditctl -l | grep -E "(useradd|groupadd)" Expected result: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42243r816594_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.

AC-7 - Medium - CCI-000044 - V-239074 - SV-239074r675030_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

PHTN-67-000002

Vuln IDs

V-239074

Rule IDs

SV-239074r675030_rule

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Checks: C-42285r675028_chk

At the command line, execute the following command: # grep pam_tally2 /etc/pam.d/system-auth|grep --color=always "deny=." Expected result: auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 If the output does not match the expected result, this is a finding.

Fix: F-42244r675029_fix

Open /etc/pam.d/system-auth with a text editor. Add the following line after the last auth statement: auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

b

The Photon operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting SSH access.

AC-8 - Medium - CCI-000048 - V-239075 - SV-239075r675033_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

PHTN-67-000003

Vuln IDs

V-239075

Rule IDs

SV-239075r675033_rule

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088

Checks: C-42286r675031_chk

At the command line, execute the following command: # sshd -T|&grep -i Banner Expected result: banner /etc/issue If the output does not match the expected result, this is a finding. Open /etc/issue with a text editor. If the file does not contain the Standard Mandatory DoD Notice and Consent Banner, this is a finding.

Fix: F-42245r675032_fix

At the command line, execute the following commands: # cp /etc/issue.DoD /etc/issue Open /etc/ssh/sshd_config with a text editor and ensure that the "Banner" line is uncommented and set to the following: Banner /etc/issue Open /etc/issue with a text editor. Ensure that the file contains the Standard Mandatory DoD Notice and Consent Banner: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. At the command line, execute the following command: # service sshd reload

b

The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.

AC-10 - Medium - CCI-000054 - V-239076 - SV-239076r675036_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

PHTN-67-000004

Vuln IDs

V-239076

Rule IDs

SV-239076r675036_rule

Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service attacks.

Checks: C-42287r675034_chk

At the command line, execute the following command: # grep "^[^#].*maxlogins.*" /etc/security/limits.conf Expected result: * hard maxlogins 10 If the output does not match the expected result, this is a finding. Note: The expected result may be repeated multiple times.

Fix: F-42246r675035_fix

At the command line, execute the following command: # echo '* hard maxlogins 10' >> /etc/security/limits.conf

b

The Photon operating system must set a session inactivity timeout of 15 minutes or less.

AC-11 - Medium - CCI-000057 - V-239077 - SV-239077r675039_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

PHTN-67-000005

Vuln IDs

V-239077

Rule IDs

SV-239077r675039_rule

A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session prior to going idle, the Photon operating system must be able to identify when a session has idled and take action to terminate the session. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109

Checks: C-42288r675037_chk

At the command line, execute the following command: # cat /etc/profile.d/tmout.sh Expected result: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null If the file "tmout.sh" does not exist or the output does not look like the expected result, this is a finding.

Fix: F-42247r675038_fix

Open /etc/profile.d/tmout.sh with a text editor and set its content to the following: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b

The Photon operating system must have the sshd SyslogFacility set to "authpriv".

AC-17 - Medium - CCI-000067 - V-239078 - SV-239078r675042_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

PHTN-67-000006

Vuln IDs

V-239078

Rule IDs

SV-239078r675042_rule

Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.

Checks: C-42289r675040_chk

At the command line, execute the following command: # sshd -T|&grep -i SyslogFacility Expected result: syslogfacility AUTHPRIV If there is no output or if the output does not match expected result, this is a finding.

Fix: F-42248r675041_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "SyslogFacility" line is uncommented and set to the following: SyslogFacility AUTHPRIV At the command line, execute the following command: # service sshd reload

b

The Photon operating system must have sshd authentication logging enabled.

AC-17 - Medium - CCI-000067 - V-239079 - SV-239079r675045_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

PHTN-67-000007

Vuln IDs

V-239079

Rule IDs

SV-239079r675045_rule

Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. Shipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems.

Checks: C-42290r675043_chk

At the command line, execute the following command: # grep "^authpriv" /etc/rsyslog.conf Expected result: authpriv.* /var/log/audit/sshinfo.log If the command does not return any output, this is a finding.

Fix: F-42249r675044_fix

Open /etc/rsyslog.conf with a text editor and locate the following line: $IncludeConfig /etc/vmware-syslog/syslog.conf Ensure that the following entry is put beneath the stated line and before the "# vmware services" line. authpriv.* /var/log/audit/sshinfo.log If the following line is at the end of the file, it must be removed or commented out: auth.* /var/log/auth.log At the command line, execute the following command: # systemctl restart syslog # service sshd reload

b

The Photon operating system must have the sshd LogLevel set to "INFO".

AC-17 - Medium - CCI-000067 - V-239080 - SV-239080r675048_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

PHTN-67-000008

Vuln IDs

V-239080

Rule IDs

SV-239080r675048_rule

Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. The INFO LogLevel is required, at least, to ensure the capturing of failed login events.

Checks: C-42291r675046_chk

At the command line, execute the following command: # sshd -T|&grep -i LogLevel Expected result: LogLevel INFO If the output does not match the expected result, this is a finding.

Fix: F-42250r675047_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "LogLevel" line is uncommented and set to the following: LogLevel INFO At the command line, execute the following command: # service sshd reload

c

The Photon operating system must configure sshd to use approved encryption algorithms.

AC-17 - High - CCI-000068 - V-239081 - SV-239081r816597_rule

RMF Control

AC-17

Severity

H

CCI

CCI-000068

Version

PHTN-67-000009

Vuln IDs

V-239081

Rule IDs

SV-239081r816597_rule

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH on the Photon operating system is compiled with a FIPS-validated cryptographic module. The "FipsMode" setting controls whether this module is initialized and used in FIPS 140-2 mode. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187

Checks: C-42292r816596_chk

At the command line, execute the following command: # sshd -T|&grep -i FipsMode Expected result: fipsmode yes If the output does not match the expected result, this is a finding.

Fix: F-42251r675050_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "FipsMode" line is uncommented and set to the following: FipsMode yes At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure auditd to log to disk.

AU-3 - Medium - CCI-000130 - V-239082 - SV-239082r675054_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

PHTN-67-000010

Vuln IDs

V-239082

Rule IDs

SV-239082r675054_rule

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content must be shipped to a central location, but it must also be logged locally. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019

Checks: C-42293r675052_chk

At the command line, execute the following command: # grep "^write_logs" /etc/audit/auditd.conf Expected result: write_logs = yes If there is no output, this is not a finding. If the output does not match the expected result, this is a finding.

Fix: F-42252r675053_fix

Open /etc/audit/auditd.conf with a text editor. Ensure that the "write_logs" line is uncommented and set to the following: write_logs = yes At the command line, execute the following command: # service auditd reload

b

The Photon operating system must configure auditd to use the correct log format.

AU-3 - Medium - CCI-000131 - V-239083 - SV-239083r675057_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000131

Version

PHTN-67-000011

Vuln IDs

V-239083

Rule IDs

SV-239083r675057_rule

To compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know exact, unfiltered details of the event in question.

Checks: C-42294r675055_chk

At the command line, execute the following command: # grep "^log_format" /etc/audit/auditd.conf Expected result: log_format = RAW If there is no output, this is not a finding. If the output does not match the expected result, this is a finding.

Fix: F-42253r675056_fix

Open /etc/audit/auditd.conf with a text editor. Ensure that the "log_format" line is uncommented and set to the following: log_format = RAW At the command line, execute the following command: # service auditd reload

b

The Photon operating system must be configured to audit the execution of privileged functions.

AU-3 - Medium - CCI-000135 - V-239084 - SV-239084r821354_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000135

Version

PHTN-67-000012

Vuln IDs

V-239084

Rule IDs

SV-239084r821354_rule

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing all actions by superusers is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172

Checks: C-42295r821353_chk

At the command line, execute the following command: # auditctl -l | grep execve Expected result: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 execpriv If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42254r816599_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system audit log must log space limit problems to syslog.

AU-5 - Medium - CCI-000139 - V-239085 - SV-239085r675063_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

PHTN-67-000013

Vuln IDs

V-239085

Rule IDs

SV-239085r675063_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135

Checks: C-42296r675061_chk

At the command line, execute the following command: # grep "^space_left_action" /etc/audit/auditd.conf Expected result: space_left_action = SYSLOG If the output does not match the expected result, this is a finding.

Fix: F-42255r675062_fix

Open /etc/audit/auditd.conf with a text editor. Ensure that the "space_left_action" line is uncommented and set to the following: space_left_action = SYSLOG At the command line, execute the following command: # service auditd reload

b

The Photon operating system audit log must attempt to log audit failures to syslog.

AU-5 - Medium - CCI-000140 - V-239086 - SV-239086r675066_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

PHTN-67-000014

Vuln IDs

V-239086

Rule IDs

SV-239086r675066_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Checks: C-42297r675064_chk

At the command line, execute the following commands: # grep -E "^disk_full_action|^disk_error_action|^admin_space_left_action" /etc/audit/auditd.conf If any of the above parameters are not set to SYSLOG or are missing, this is a finding.

Fix: F-42256r675065_fix

Open /etc/audit/auditd.conf with a text editor. Ensure that the following lines are present, not duplicated, and not commented: disk_full_action = SYSLOG disk_error_action = SYSLOG admin_space_left_action = SYSLOG At the command line, execute the following command: # service auditd reload

b

The Photon operating system audit log must have correct permissions.

AU-9 - Medium - CCI-000162 - V-239087 - SV-239087r675069_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

PHTN-67-000015

Vuln IDs

V-239087

Rule IDs

SV-239087r675069_rule

Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Checks: C-42298r675067_chk

At the command line, execute the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n permissions are %a" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi) If the permissions on any audit log file is more permissive than 0600, this is a finding.

Fix: F-42257r675068_fix

At the command line, execute the following command: # chmod 0600 <audit log file> Replace <audit log file> with the log files more permissive than 0600.

b

The Photon operating system audit log must be owned by root.

AU-9 - Medium - CCI-000163 - V-239088 - SV-239088r675072_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

PHTN-67-000016

Vuln IDs

V-239088

Rule IDs

SV-239088r675072_rule

Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Checks: C-42299r675070_chk

At the command line, execute the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n is owned by %U" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by root, this is a finding.

Fix: F-42258r675071_fix

At the command line, execute the following command: # chown root:root <audit log file> Replace <audit log file> with the log files not owned by root.

b

The Photon operating system audit log must be group-owned by root.

AU-9 - Medium - CCI-000164 - V-239089 - SV-239089r675075_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000164

Version

PHTN-67-000017

Vuln IDs

V-239089

Rule IDs

SV-239089r675075_rule

Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Checks: C-42300r675073_chk

At the command line, execute the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n is group owned by %G" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group-owned by root, this is a finding.

Fix: F-42259r675074_fix

At the command line, execute the following command: # chown root:root <audit log file> Replace <audit log file> with the log files not group owned by root.

b

The Photon operating system must have the auditd service running.

AU-3 - Medium - CCI-000135 - V-239090 - SV-239090r675078_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000135

Version

PHTN-67-000018

Vuln IDs

V-239090

Rule IDs

SV-239090r675078_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000255-GPOS-00096, SRG-OS-000363-GPOS-00150, SRG-OS-000365-GPOS-00152, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000461-GPOS-00205, SRG-OS-000465-GPOS-00209, SRG-OS-000467-GPOS-00211, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220

Checks: C-42301r675076_chk

At the command line, execute the following command: # service auditd status | grep running If the service is not running, this is a finding.

Fix: F-42260r675077_fix

At the command line, execute the following command: # systemctl enable auditd.service # service auditd start

b

The Photon operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

AU-12 - Medium - CCI-000171 - V-239091 - SV-239091r675081_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

PHTN-67-000019

Vuln IDs

V-239091

Rule IDs

SV-239091r675081_rule

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-42302r675079_chk

At the command line, execute the following command: # find /etc/audit/* -type f -exec stat -c "%n permissions are %a" {} $1\; If the permissions of any files are more permissive than 640, this is a finding.

Fix: F-42261r675080_fix

At the command line, execute the following command: # chmod 640 <file> Replace <file> with any file with incorrect permissions.

b

The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.

AU-12 - Medium - CCI-000172 - V-239092 - SV-239092r816603_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000020

Vuln IDs

V-239092

Rule IDs

SV-239092r816603_rule

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206

Checks: C-42303r816601_chk

At the command line, execute the following command: # auditctl -l | grep chmod Expected result: -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42262r816602_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -k perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -k perm_mod At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.

IA-5 - Medium - CCI-000192 - V-239093 - SV-239093r816912_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

PHTN-67-000021

Vuln IDs

V-239093

Rule IDs

SV-239093r816912_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-42304r816911_chk

At the command line, execute the following command: # grep "^password requisite pam_cracklib.so" /etc/pam.d/system-password|grep --color=always "enforce_for_root" Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42263r816604_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.

IA-5 - Medium - CCI-000193 - V-239094 - SV-239094r816607_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

PHTN-67-000022

Vuln IDs

V-239094

Rule IDs

SV-239094r816607_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-42305r675088_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "lcredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42264r816606_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.

IA-5 - Medium - CCI-000194 - V-239095 - SV-239095r816609_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000194

Version

PHTN-67-000023

Vuln IDs

V-239095

Rule IDs

SV-239095r816609_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-42306r675091_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "dcredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42265r816608_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must require that new passwords are at least four characters different from the old password.

IA-5 - Medium - CCI-000195 - V-239096 - SV-239096r816611_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000195

Version

PHTN-67-000024

Vuln IDs

V-239096

Rule IDs

SV-239096r816611_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-42307r675094_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "difok=." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42266r816610_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must store only encrypted representations of passwords.

IA-5 - Medium - CCI-000196 - V-239097 - SV-239097r816613_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000196

Version

PHTN-67-000025

Vuln IDs

V-239097

Rule IDs

SV-239097r816613_rule

Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted with a weak cipher, those passwords are much more vulnerable to offline brute forcing attacks.

Checks: C-42308r675097_chk

At the command line, execute the following command: # grep password /etc/pam.d/system-password|grep --color=always "sha512" If the output does not include "sha512", this is a finding.

Fix: F-42267r816612_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Add the following argument (sha512) to the password line: password required pam_unix.so sha512 shadow try_first_pass Save and close.

b

The Photon operating system must store only encrypted representations of passwords.

IA-5 - Medium - CCI-000196 - V-239098 - SV-239098r675102_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000196

Version

PHTN-67-000026

Vuln IDs

V-239098

Rule IDs

SV-239098r675102_rule

Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted with a weak cipher, those passwords are much more vulnerable to offline brute forcing attacks.

Checks: C-42309r675100_chk

At the command line, execute the following command: # grep SHA512 /etc/login.defs|grep -v "#" Expected result: ENCRYPT_METHOD SHA512 If there is no output or if the output does match the expected result, this is a finding.

Fix: F-42268r675101_fix

Open /etc/login.defs with a text editor. Add or replace the ENCRYPT_METHOD line as follows: ENCRYPT_METHOD SHA512

b

The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.

IA-5 - Medium - CCI-000198 - V-239099 - SV-239099r675105_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

PHTN-67-000027

Vuln IDs

V-239099

Rule IDs

SV-239099r675105_rule

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-42310r675103_chk

At the command line, execute the following command: # grep "^PASS_MIN_DAYS" /etc/login.defs If PASS_MIN_DAYS is not set to 1, this is a finding.

Fix: F-42269r675104_fix

Open /etc/login.defs with a text editor. Modify the PASS_MIN_DAYS line to the following: PASS_MIN_DAYS 1

b

The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.

IA-5 - Medium - CCI-000199 - V-239100 - SV-239100r675108_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

PHTN-67-000028

Vuln IDs

V-239100

Rule IDs

SV-239100r675108_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Checks: C-42311r675106_chk

At the command line, execute the following command: # grep "^PASS_MAX_DAYS" /etc/login.defs If the value of PASS_MAX_DAYS is greater than 90, this is a finding.

Fix: F-42270r675107_fix

Open /etc/login.defs with a text editor. Modify the PASS_MAX_DAYS line to the following: PASS_MAX_DAYS 90

b

The Photon operating system must prohibit password reuse for a minimum of five generations.

IA-5 - Medium - CCI-000200 - V-239101 - SV-239101r816615_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

PHTN-67-000029

Vuln IDs

V-239101

Rule IDs

SV-239101r816615_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-42312r675109_chk

At the command line, execute the following command: # grep pam_pwhistory /etc/pam.d/system-password|grep --color=always "remember=." Expected result: password required pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3 If the output does not match the expected result, this is a finding.

Fix: F-42271r816614_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Add the following line after the last auth statement: password required pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3 Save and close.

b

The Photon operating system must ensure old passwords are being stored.

IA-5 - Medium - CCI-000200 - V-239102 - SV-239102r675114_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

PHTN-67-000030

Vuln IDs

V-239102

Rule IDs

SV-239102r675114_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-42313r675112_chk

At the command line, execute the following command: # ls -al /etc/security/opasswd If "/etc/security/opasswd" does not exist, this is a finding.

Fix: F-42272r675113_fix

At the command line, execute the following commands: # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd

b

The Photon operating system must enforce a minimum eight-character password length.

IA-5 - Medium - CCI-000205 - V-239103 - SV-239103r816617_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

PHTN-67-000031

Vuln IDs

V-239103

Rule IDs

SV-239103r816617_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-42314r675115_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "minlen=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42273r816616_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must only allow installation of packages signed by VMware.

CM-7 - Medium - CCI-000381 - V-239104 - SV-239104r675120_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000381

Version

PHTN-67-000032

Vuln IDs

V-239104

Rule IDs

SV-239104r675120_rule

Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by VMware.

Checks: C-42315r675118_chk

At the command line, execute the following command: # rpm -qa gpg-pubkey --qf "%{version}-%{release} %{summary}\n"|grep -v "66fd4949-4803fe57" If there is any output, an unsupported package has been installed and this is a finding.

Fix: F-42274r675119_fix

Confirm with VMware support that this package is not supported (for potential package additions after STIG publication). At the command line, execute the following command: # rpm -e <package-name-from-check>

b

The Photon operating system must disable the loading of unnecessary kernel modules.

CM-7 - Medium - CCI-000382 - V-239105 - SV-239105r840147_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

PHTN-67-000033

Vuln IDs

V-239105

Rule IDs

SV-239105r840147_rule

To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059

Checks: C-42316r840146_chk

At the command line, execute the following command: # modprobe --showconfig | grep "^install" | grep "/bin" Expected result: install sctp /bin/false install dccp /bin/false install dccp_ipv4 /bin/false install dccp_ipv6 /bin/false install ipx /bin/false install appletalk /bin/false install decnet /bin/false install rds /bin/false install tipc /bin/false install bluetooth /bin/false install usb_storage /bin/false install ieee1394 /bin/false install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false install hfs /bin/false install hfsplus /bin/false install squashfs /bin/false install udf /bin/false The output may include other statements outside of the expected result. This is acceptable. If the output does not include at least every statement in the expected result, this is a finding.

Fix: F-42275r675122_fix

Open /etc/modprobe.d/modprobe.conf with a text editor and set the contents as follows: install sctp /bin/false install dccp /bin/false install dccp_ipv4 /bin/false install dccp_ipv6 /bin/false install ipx /bin/false install appletalk /bin/false install decnet /bin/false install rds /bin/false install tipc /bin/false install bluetooth /bin/false install usb-storage /bin/false install ieee1394 /bin/false install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false install hfs /bin/false install hfsplus /bin/false install squashfs /bin/false install udf /bin/false

b

The Photon operating system must not have Duplicate User IDs (UIDs).

IA-2 - Medium - CCI-000764 - V-239106 - SV-239106r675126_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

PHTN-67-000034

Vuln IDs

V-239106

Rule IDs

SV-239106r675126_rule

To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for non-repudiation.

Checks: C-42317r675124_chk

At the command line, execute the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If any lines are returned, this is a finding.

Fix: F-42276r675125_fix

Open /etc/passwd with a text editor. Configure each user account that has a duplicate UID with a unique UID.

b

The Photon operating system must configure sshd to disallow root logins.

IA-2 - Medium - CCI-000770 - V-239107 - SV-239107r675129_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

PHTN-67-000035

Vuln IDs

V-239107

Rule IDs

SV-239107r675129_rule

Logging on with a user-specific account provides individual accountability for actions performed on the system. Users must log in with their individual accounts and elevate to root as necessary. Disallowing root SSH login also reduces the distribution of the root password to users who may not otherwise need that level of privilege.

Checks: C-42318r675127_chk

At the command line, execute the following command: # sshd -T|&grep -i PermitRootLogin Expected result: permitrootlogin no If the output does not match the expected result, this is a finding.

Fix: F-42277r675128_fix

Open /etc/ssh/sshd_config with a text editor and ensure that the "PermitRootLogin" line is uncommented and set to the following: PermitRootLogin no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must disable new accounts immediately upon password expiration.

IA-4 - Medium - CCI-000795 - V-239108 - SV-239108r675132_rule

RMF Control

IA-4

Severity

M

CCI

CCI-000795

Version

PHTN-67-000036

Vuln IDs

V-239108

Rule IDs

SV-239108r675132_rule

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Disabling inactive accounts ensures that accounts that may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Checks: C-42319r675130_chk

At the command line, execute the following command: # grep INACTIVE /etc/default/useradd Expected result: INACTIVE=0 If the output does not match the expected result, this is a finding.

Fix: F-42278r675131_fix

Open /etc/default/useradd with a text editor. Remove any existing "INACTIVE" line and add the following line: INACTIVE=0

b

The Photon operating system must use TCP syncookies.

SC-5 - Medium - CCI-001095 - V-239109 - SV-239109r816622_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

PHTN-67-000037

Vuln IDs

V-239109

Rule IDs

SV-239109r816622_rule

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected and enables the system to continue servicing valid connection requests. Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000420-GPOS-00186

Checks: C-42320r816620_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern tcp_syncookies Expected result: net.ipv4.tcp_syncookies = 1 If the output does not match the expected result, this is a finding.

Fix: F-42279r816621_fix

Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.tcp_syncookies=1 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must configure sshd to disconnect idle SSH sessions.

SC-10 - Medium - CCI-001133 - V-239110 - SV-239110r675138_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

PHTN-67-000038

Vuln IDs

V-239110

Rule IDs

SV-239110r675138_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

Checks: C-42321r675136_chk

At the command line, execute the following command: # sshd -T|&grep -i ClientAliveInterval Expected result: ClientAliveInterval 900 If the output does not match the expected result, this is a finding.

Fix: F-42280r675137_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "ClientAliveInterval" line is uncommented and set to the following: ClientAliveInterval 900 At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to disconnect idle SSH sessions.

SC-10 - Medium - CCI-001133 - V-239111 - SV-239111r675141_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

PHTN-67-000039

Vuln IDs

V-239111

Rule IDs

SV-239111r675141_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

Checks: C-42322r675139_chk

At the command line, execute the following command: # sshd -T|&grep -i ClientAliveCountMax Expected result: ClientAliveCountMax 0 If the output does not match the expected result, this is a finding.

Fix: F-42281r675140_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "ClientAliveCountMax" line is uncommented and set to the following: ClientAliveCountMax 0 At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure rsyslog to offload system logs to a central server.

SI-11 - Medium - CCI-001312 - V-239112 - SV-239112r816625_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001312

Version

PHTN-67-000040

Vuln IDs

V-239112

Rule IDs

SV-239112r816625_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs. Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224

Checks: C-42323r816623_chk

At the command line, execute the following command: # cat /etc/vmware-syslog/syslog.conf The output should be similar to the following (*.* or AO approved logging events): *.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format If no line is returned or if the line is commented or no valid syslog server is specified, this is a finding. OR Navigate to https://<hostname>:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration". If no site-specific syslog server is configured, this is a finding.

Fix: F-42282r816624_fix

Open /etc/vmware-syslog/syslog.conf with a text editor. Remove any existing content and create a new remote server configuration line. For UDP (*.* or AO approved logging events): *.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format For TCP (*.* or AO approved logging events): *.* @@<syslog server>:port;RSYSLOG_syslogProtocol23Format OR Navigate to https://<hostname>:5480 to access the VAMI. Authenticate and navigate to "Syslog Configuration". Click "Edit" in the top right. Configure a remote syslog server and click "OK".

b

The Photon operating system /var/log directory must be owned by root.

SI-11 - Medium - CCI-001314 - V-239113 - SV-239113r675147_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

PHTN-67-000041

Vuln IDs

V-239113

Rule IDs

SV-239113r675147_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.

Checks: C-42324r675145_chk

At the command line, execute the following command: # stat -c "%n is owned by %U and group owned by %G" /var/log If the /var/log is not owned by root, this is a finding.

Fix: F-42283r675146_fix

At the command line, execute the following command: # chown root:root /var/log

b

The Photon operating system messages file must be owned by root.

SI-11 - Medium - CCI-001314 - V-239114 - SV-239114r675150_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

PHTN-67-000042

Vuln IDs

V-239114

Rule IDs

SV-239114r675150_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.

Checks: C-42325r675148_chk

At the command line, execute the following command: # stat -c "%n is owned by %U and group owned by %G" /var/log/vmware/messages If /var/log/vmware/messages is not owned by root or not group owned by root, this is a finding.

Fix: F-42284r675149_fix

At the command line, execute the following command: # chown root:root /var/log/vmware/messages

b

The Photon operating system messages file must have mode 0640 or less permissive.

SI-11 - Medium - CCI-001314 - V-239115 - SV-239115r675153_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

PHTN-67-000043

Vuln IDs

V-239115

Rule IDs

SV-239115r675153_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.

Checks: C-42326r675151_chk

At the command line, execute the following command: # stat -c "%n permissions are %a" /var/log/vmware/messages If the permissions on the file are more permissive than 0640, this is a finding.

Fix: F-42285r675152_fix

At the command line, execute the following command: # chmod 0640 /var/log/vmware/messages

b

The Photon operating system must audit all account modifications.

AC-2 - Medium - CCI-001403 - V-239116 - SV-239116r816628_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001403

Version

PHTN-67-000045

Vuln IDs

V-239116

Rule IDs

SV-239116r816628_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. Satisfies: SRG-OS-000239-GPOS-00089, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121

Checks: C-42327r816626_chk

At the command line, execute the following command: # auditctl -l | grep -E "(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)" Expected result: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/gshadow -p wa -k gshadow If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42286r816627_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/gshadow -p wa -k gshadow At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must audit all account disabling actions.

AC-2 - Medium - CCI-001404 - V-239117 - SV-239117r816631_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001404

Version

PHTN-67-000046

Vuln IDs

V-239117

Rule IDs

SV-239117r816631_rule

When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or the operating system processes themselves. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions.

Checks: C-42328r816629_chk

At the command line, execute the following command: # auditctl -l | grep "^-w /usr/bin/passwd" Expected result: -w /usr/bin/passwd -p x -k passwd If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42287r816630_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/bin/passwd -p x -k passwd At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must audit all account removal actions.

AC-2 - Medium - CCI-001405 - V-239118 - SV-239118r816634_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001405

Version

PHTN-67-000047

Vuln IDs

V-239118

Rule IDs

SV-239118r816634_rule

When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or the operating system processes themselves. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions.

Checks: C-42329r816632_chk

At the command line, execute the following command: # auditctl -l | grep -E "(userdel|groupdel)" Expected result: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42288r816633_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must initiate auditing as part of the boot process.

AU-14 - Medium - CCI-001464 - V-239119 - SV-239119r675165_rule

RMF Control

AU-14

Severity

M

CCI

CCI-001464

Version

PHTN-67-000048

Vuln IDs

V-239119

Rule IDs

SV-239119r675165_rule

Each process on the system carries an "auditable" flag, which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes that launch after it starts, adding the kernel argument ensures the flag is set at boot for every process on the system. This includes processes created before auditd starts.

Checks: C-42330r675163_chk

At the command line, execute the following command: # grep "audit=1" /proc/cmdline If no results are returned, this is a finding.

Fix: F-42289r675164_fix

Open /boot/grub2/grub.cfg with a text editor and locate the boot command line arguments. An example follows: linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 Add "audit=1" to the end of the line so it reads as follows: linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 audit=1 Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append "audit=1" to it. Reboot the system for the change to take effect.

b

The Photon operating system audit files and directories must have correct permissions.

AU-9 - Medium - CCI-001493 - V-239120 - SV-239120r675168_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

PHTN-67-000049

Vuln IDs

V-239120

Rule IDs

SV-239120r675168_rule

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Checks: C-42331r675166_chk

At the command line, execute the following command: # stat -c "%n is owned by %U and group owned by %G" /etc/audit/auditd.conf If auditd.conf is not owned by root and group owned by root, this is a finding.

Fix: F-42290r675167_fix

At the command line, execute the following command: # chown root:root /etc/audit/auditd.conf

b

The Photon operating system audit files and directories must have correct permissions.

AU-9 - Medium - CCI-001493 - V-239121 - SV-239121r675171_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

PHTN-67-000050

Vuln IDs

V-239121

Rule IDs

SV-239121r675171_rule

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Checks: C-42332r675169_chk

At the command line, execute the following command: # stat -c "%n is owned by %U and group owned by %G" /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace If any file is not owned by root and group owned by root, this is a finding.

Fix: F-42291r675170_fix

At the command line, execute the following command for each file returned: # chown root:root <file>

b

The Photon operating system must protect audit tools from unauthorized modification.

AU-9 - Medium - CCI-001494 - V-239122 - SV-239122r675174_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001494

Version

PHTN-67-000051

Vuln IDs

V-239122

Rule IDs

SV-239122r675174_rule

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099

Checks: C-42333r675172_chk

At the command line, execute the following command: # stat -c "%n permissions are %a" /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace If any file is more permissive than 750, this is a finding.

Fix: F-42292r675173_fix

At the command line, execute the following command for each file returned: # chmod 750 <file>

b

The Photon operating system must enforce password complexity by requiring that at least one special character be used.

IA-5 - Medium - CCI-001619 - V-239123 - SV-239123r816636_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

PHTN-67-000052

Vuln IDs

V-239123

Rule IDs

SV-239123r816636_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-42334r675175_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "ocredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42293r816635_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system package files must not be modified.

AU-9 - Medium - CCI-001496 - V-239124 - SV-239124r675180_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001496

Version

PHTN-67-000053

Vuln IDs

V-239124

Rule IDs

SV-239124r675180_rule

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Without confidence in the integrity of the auditing system and tools, the information it provides cannot be trusted.

Checks: C-42335r675178_chk

Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package. At the command line, execute the following command: # rpm -V audit | grep "^..5" | grep -v "^...........c" If there is output, this is a finding.

Fix: F-42294r675179_fix

If the audit system binaries have been altered, the system must be taken offline and the ISSM must be notified immediately. Reinstalling the audit tools is not supported. The appliance should be restored from a backup or a snapshot or redeployed once the root cause is remediated.

b

The Photon operating system must set an inactivity timeout value for non-interactive sessions.

AC-12 - Medium - CCI-002361 - V-239125 - SV-239125r675183_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

PHTN-67-000054

Vuln IDs

V-239125

Rule IDs

SV-239125r675183_rule

A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session prior to going idle, the Photon operating system must be able to identify when a session has idled and take action to terminate the session.

Checks: C-42336r675181_chk

At the command line, execute the following command: # grep TMOUT /etc/bash.bashrc Expected result: TMOUT=900 readonly TMOUT export TMOUT If the file does not exist or the output does not match the expected result, this is a finding.

Fix: F-42295r675182_fix

Open /etc/bash.bashrc with a text editor and add the following to the end: TMOUT=900 readonly TMOUT export TMOUT

b

The Photon operating system must configure sshd with a specific ListenAddress.

AC-17 - Medium - CCI-002314 - V-239126 - SV-239126r675186_rule

RMF Control

AC-17

Severity

M

CCI

CCI-002314

Version

PHTN-67-000055

Vuln IDs

V-239126

Rule IDs

SV-239126r675186_rule

Without specifying a ListenAddress, sshd will listen on all interfaces. In situations with multiple interfaces, this may not be intended behavior and could lead to offering remote access on an unapproved network.

Checks: C-42337r675184_chk

At the command line, execute the following command: # sshd -T|&grep -i ListenAddress If the ListenAddress is not configured to the VCSA management IP, this is a finding.

Fix: F-42296r675185_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "ListenAddress" line is uncommented and set to a valid local IP: Example: ListenAddress 169.254.1.2 Replace "169.254.1.2" with the management address of the VCSA. At the command line, execute the following command: # service sshd reload

b

The Photon operating system must audit the execution of privileged functions.

AU-12 - Medium - CCI-000172 - V-239127 - SV-239127r816639_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000056

Vuln IDs

V-239127

Rule IDs

SV-239127r816639_rule

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215

Checks: C-42338r816637_chk

At the command line, execute the following command to obtain a list of setuid files: # find / -xdev -perm -4000 -type f -o -perm -2000 -type f Execute the following command for each setuid file found in the first command: # grep <setuid_path> /etc/audit/audit.rules Replace <setuid_path> with each path found in the first command. If each <setuid_path> does not have a corresponding line in the audit rules, this is a finding. A typical corresponding line will look like the following: -a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=-1 -k privileged Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42297r816638_fix

At the command line, execute the following command to obtain a list of setuid files: # find / -xdev -perm -4000 -type f -o -perm -2000 -type f Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line: Replace <setuid_path> with each path found in the first command. -a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must configure auditd to keep five rotated log files.

AU-4 - Medium - CCI-001849 - V-239128 - SV-239128r675192_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

PHTN-67-000057

Vuln IDs

V-239128

Rule IDs

SV-239128r675192_rule

Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.

Checks: C-42339r675190_chk

At the command line, execute the following command: # grep "^num_logs" /etc/audit/auditd.conf Expected result: num_logs = 5 If the output of the command does not match the expected result, this is a finding.

Fix: F-42298r675191_fix

Open /etc/audit/auditd.conf with a text editor. Add or change the "num_logs" line as follows: num_logs = 5 At the command line, execute the following command: # service auditd reload

b

The Photon operating system must configure auditd to keep five rotated log files.

AU-4 - Medium - CCI-001849 - V-239129 - SV-239129r675195_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

PHTN-67-000058

Vuln IDs

V-239129

Rule IDs

SV-239129r675195_rule

Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.

Checks: C-42340r675193_chk

At the command line, execute the following command: # grep "^max_log_file_action" /etc/audit/auditd.conf Expected result: max_log_file_action = IGNORE If the output of the command does not match the expected result, this is a finding.

Fix: F-42299r675194_fix

Open /etc/audit/auditd.conf with a text editor. Add or change the "max_log_file_action" line as follows: max_log_file_action = IGNORE At the command line, execute the following command: # service auditd reload

b

The Photon operating system must configure a cron job to rotate auditd logs daily.

AU-4 - Medium - CCI-001849 - V-239130 - SV-239130r675198_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

PHTN-67-000059

Vuln IDs

V-239130

Rule IDs

SV-239130r675198_rule

Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.

Checks: C-42341r675196_chk

At the command line, execute the following command: # cat /etc/cron.daily/audit-rotate Expected result: #!/bin/bash service auditd rotate If the output of the command does not match the expected result, this is a finding.

Fix: F-42300r675197_fix

If /etc/cron.daily/audit-rotate does not exist, run the following commands: # touch /etc/cron.daily/audit-rotate # chown root:root /etc/cron.daily/audit-rotate # chmod 0700 /etc/cron.daily/audit-rotate Open /etc/cron.daily/audit-rotate with a text editor. Set its contents as follows: #!/bin/bash service auditd rotate

b

The Photon operating system must configure auditd to log space limit problems to syslog.

AU-5 - Medium - CCI-001855 - V-239131 - SV-239131r675201_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

PHTN-67-000060

Vuln IDs

V-239131

Rule IDs

SV-239131r675201_rule

If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

Checks: C-42342r675199_chk

At the command line, execute the following command: # grep "^space_left " /etc/audit/auditd.conf Expected result: space_left = 75 If the output does not match the expected result, this is a finding.

Fix: F-42301r675200_fix

Open /etc/audit/auditd.conf with a text editor. Ensure that the "space_left" line is uncommented and set to the following: space_left = 75 At the command line, execute the following command: # service auditd reload

b

The Photon operating system must be configured to synchronize with an approved DoD time source.

AU-8 - Medium - CCI-001891 - V-239132 - SV-239132r675204_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001891

Version

PHTN-67-000061

Vuln IDs

V-239132

Rule IDs

SV-239132r675204_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144

Checks: C-42343r675202_chk

At the command line, execute the following command: # grep -E '^\s*(server|peer|multicastclient)' /etc/ntp.conf Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If no lines are returned or a non-local/non-authoritative time server is used, this is a finding. OR Navigate to https://<hostname>:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Time". If no appropriate time server is specified, this is a finding.

Fix: F-42302r675203_fix

Open /etc/ntp.conf with a text editor and set its contents to the following: tinker panic 0 restrict default kod nomodify notrap nopeer restrict 127.0.0.1 restrict -6 ::1 driftfile /var/lib/ntp/drift/ntp.drift server <site-specific-time-source-IP> At the command line, execute the following commands: # chkconfig ntpd on # systemctl start ntp OR Navigate to https://<hostname>:5480 to access the VAMI. Authenticate and navigate to "Time". Click "Edit" in the top right and configure at least one appropriate NTP server. Click "OK".

b

The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

CM-5 - Medium - CCI-001749 - V-239133 - SV-239133r675207_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

PHTN-67-000062

Vuln IDs

V-239133

Rule IDs

SV-239133r675207_rule

Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Checks: C-42344r675205_chk

At the command line, execute the following command: # grep -s nosignature /usr/lib/rpm/rpmrc /etc/rpmrc ~root/.rpmrc If the command returns any output, this is a finding.

Fix: F-42303r675206_fix

Open the file containing "nosignature" with a text editor and remove the option.

b

The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

CM-5 - Medium - CCI-001749 - V-239134 - SV-239134r675210_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

PHTN-67-000063

Vuln IDs

V-239134

Rule IDs

SV-239134r675210_rule

Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.

Checks: C-42345r675208_chk

At the command line, execute the following command: # grep "^gpgcheck" /etc/tdnf/tdnf.conf If "gpgcheck" is not set to "1", this is a finding.

Fix: F-42304r675209_fix

Open /etc/tdnf/tdnf.conf with a text editor. Remove any existing gpgcheck setting and add the following line: gpgcheck=1

b

The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

CM-5 - Medium - CCI-001749 - V-239135 - SV-239135r675213_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

PHTN-67-000064

Vuln IDs

V-239135

Rule IDs

SV-239135r675213_rule

Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.

Checks: C-42346r675211_chk

At the command line, execute the following command: # grep gpgcheck /etc/yum.repos.d/* If "gpgcheck" is not set to "1" in any returned file, this is a finding.

Fix: F-42305r675212_fix

Open the file where gpgcheck is not set to "1" with a text editor. Remove any existing gpgcheck setting and add the following line at the end of the file: gpgcheck=1

b

The Photon operating system must require users to reauthenticate for privilege escalation.

IA-11 - Medium - CCI-002038 - V-239136 - SV-239136r675216_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002038

Version

PHTN-67-000065

Vuln IDs

V-239136

Rule IDs

SV-239136r675216_rule

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Checks: C-42347r675214_chk

At the command line, execute the following commands: # grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -v "^#"|grep -v "^%"|awk '{print $1}' # awk -F: '($2 != "x" && $2 != "!") {print $1}' /etc/shadow If any account listed in the first output is also listed in the second output, this is a finding.

Fix: F-42306r675215_fix

Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: # visudo OR # visudo -f /etc/sudoers.d/<file name> Remove any occurrences of "NOPASSWD" tags associated with user accounts with a password hash.

b

The Photon operating system must prohibit the use of cached authenticators after one day.

IA-5 - Medium - CCI-002007 - V-239137 - SV-239137r675219_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

PHTN-67-000066

Vuln IDs

V-239137

Rule IDs

SV-239137r675219_rule

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Checks: C-42348r675217_chk

At the command line, execute the following command: # /opt/likewise/bin/lwregshell list_values "HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory"|grep "CacheEntryExpiry" If the value returned is not 14400 or less, this is a finding.

Fix: F-42307r675218_fix

At the command line, execute the following command: # /opt/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]" CacheEntryExpiry 14400

c

The Photon operating system must configure sshd to use FIPS 140-2 ciphers.

SC-8 - High - CCI-002421 - V-239138 - SV-239138r816640_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002421

Version

PHTN-67-000067

Vuln IDs

V-239138

Rule IDs

SV-239138r816640_rule

Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The operating system can meet this requirement through leveraging a cryptographic module. Satisfies: SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223

Checks: C-42349r675220_chk

At the command line, execute the following command: # sshd -T|&grep -i Ciphers Expected result: ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr If the output does not match the expected result, this is a finding.

Fix: F-42308r675221_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "Ciphers" line is uncommented and set to the following: Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr At the command line, execute the following command: # service sshd reload

b

The Photon operating system must use OpenSSH for remote maintenance sessions.

IA-5 - Medium - CCI-000197 - V-239139 - SV-239139r675225_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000197

Version

PHTN-67-000068

Vuln IDs

V-239139

Rule IDs

SV-239139r675225_rule

If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when nonlocal maintenance sessions have been terminated and are no longer available for use. Satisfies: SRG-OS-000395-GPOS-00175, SRG-OS-000074-GPOS-00042, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190

Checks: C-42350r675223_chk

At the command line, execute the following command: # rpm -qa|grep openssh If there is no output, this is a finding.

Fix: F-42309r675224_fix

Installing openssh manually is not supported by VMware. Revert to a previous backup or redeploy the VCSA.

b

The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-239140 - SV-239140r675228_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

PHTN-67-000069

Vuln IDs

V-239140

Rule IDs

SV-239140r675228_rule

ASLR makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming techniques.

Checks: C-42351r675226_chk

At the command line, execute the following command: # cat /proc/sys/kernel/randomize_va_space If the value of "randomize_va_space" is not "2", this is a finding.

Fix: F-42310r675227_fix

Open /etc/sysctl.d/50-security-hardening.conf with a text editor. Ensure that the "randomize_va_space" is uncommented and set to the following: kernel.randomize_va_space=2 At the command line, execute the following command: # sysctl --system

b

The Photon operating system must remove all software components after updated versions have been installed.

SI-2 - Medium - CCI-002617 - V-239141 - SV-239141r675231_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

PHTN-67-000070

Vuln IDs

V-239141

Rule IDs

SV-239141r675231_rule

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.

Checks: C-42352r675229_chk

At the command line, execute the following command: # grep -i "^clean_requirements_on_remove" /etc/tdnf/tdnf.conf Expected result: clean_requirements_on_remove=true If the output does not match the expected result, this is a finding.

Fix: F-42311r675230_fix

Open /etc/tdnf/tdnf.conf with a text editor. Remove any existing "clean_requirements_on_remove" line and ensure the following line is present: clean_requirements_on_remove=true

b

The Photon operating system must generate audit records when the sudo command is used.

AU-12 - Medium - CCI-000172 - V-239142 - SV-239142r821356_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000071

Vuln IDs

V-239142

Rule IDs

SV-239142r821356_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212

Checks: C-42353r821355_chk

At the command line, execute the following command: # auditctl -l | grep sudo Expected result: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=1 -k privileged OR -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42312r816642_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.

AU-12 - Medium - CCI-000172 - V-239143 - SV-239143r816646_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000072

Vuln IDs

V-239143

Rule IDs

SV-239143r816646_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218

Checks: C-42354r816644_chk

At the command line, execute the following command: # auditctl -l | grep -E "faillog|lastlog|tallylog" Expected result: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42313r816645_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must audit the insmod module.

AU-12 - Medium - CCI-000172 - V-239144 - SV-239144r816649_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000073

Vuln IDs

V-239144

Rule IDs

SV-239144r816649_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222

Checks: C-42355r816647_chk

At the command line, execute the following command: # auditctl -l | grep "/sbin/insmod" Expected result: -w /sbin/insmod -p x If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42314r816648_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /sbin/insmod -p x At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.

AU-12 - Medium - CCI-000172 - V-239145 - SV-239145r816652_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000074

Vuln IDs

V-239145

Rule IDs

SV-239145r816652_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42356r816650_chk

At the command line, execute the following command: # auditctl -l | grep -E /etc/security/opasswd If any of these are not listed with a permissions filter of at least "w", this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-42315r816651_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /etc/security/opasswd -p wa -k opasswd At the command line, execute the following command: # /sbin/augenrules --load

b

The Photon operating system must use the pam_cracklib module.

CM-6 - Medium - CCI-000366 - V-239146 - SV-239146r816654_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000075

Vuln IDs

V-239146

Rule IDs

SV-239146r816654_rule

If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-42357r675244_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password If the output does not return at least "password requisite pam_cracklib.so", this is a finding.

Fix: F-42316r816653_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must set the FAIL_DELAY parameter.

CM-6 - Medium - CCI-000366 - V-239147 - SV-239147r675249_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000076

Vuln IDs

V-239147

Rule IDs

SV-239147r675249_rule

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-42358r675247_chk

At the command line, execute the following command: # grep FAIL_DELAY /etc/login.defs Expected result: FAIL_DELAY 4 If the output does not match the expected result, this is a finding.

Fix: F-42317r675248_fix

Open /etc/login.defs with a text editor. Add the following line after the last auth statement: FAIL_DELAY 4

b

The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

CM-6 - Medium - CCI-000366 - V-239148 - SV-239148r675252_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000077

Vuln IDs

V-239148

Rule IDs

SV-239148r675252_rule

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-42359r675250_chk

At the command line, execute the following command: # grep pam_faildelay /etc/pam.d/system-auth|grep --color=always "delay=" Expected result: auth optional pam_faildelay.so delay=4000000 If the output does not match the expected result, this is a finding.

Fix: F-42318r675251_fix

Open /etc/pam.d/system-auth with a text editor. Remove any existing "pam_faildelay" line and add the following line at the end of the file: auth optional pam_faildelay.so delay=4000000

b

The Photon operating system must ensure audit events are flushed to disk at proper intervals.

CM-6 - Medium - CCI-000366 - V-239149 - SV-239149r675255_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000078

Vuln IDs

V-239149

Rule IDs

SV-239149r675255_rule

Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system may suffer or the risk of missing audit entries may be too high.

Checks: C-42360r675253_chk

At the command line, execute the following command: # grep -E "freq|flush" /etc/audit/auditd.conf Expected result: flush = INCREMENTAL_ASYNC freq = 50 If the output does not match the expected result, this is a finding.

Fix: F-42319r675254_fix

Open /etc/audit/auditd.conf with a text editor. Ensure that the line below is present and any existing "flush" and "freq" settings are removed. flush = INCREMENTAL_ASYNC freq = 50

b

The Photon operating system must ensure root $PATH entries are appropriate.

CM-6 - Medium - CCI-000366 - V-239150 - SV-239150r675258_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000079

Vuln IDs

V-239150

Rule IDs

SV-239150r675258_rule

The $PATH variable contains a semicolon-delimited set of directories that allows root to not specify the full path for a limited set of binaries. Having unexpected directories in $PATH can lead to root running a binary other than the one intended.

Checks: C-42361r675256_chk

At the command line, execute the following command: # echo $PATH Expected result: /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/java/jre-vmware/bin:/opt/vmware/bin If the output does not match the expected result, this is a finding.

Fix: F-42320r675257_fix

At the command line, execute the following command: # export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/java/jre-vmware/bin:/opt/vmware/bin

b

The Photon operating system must create a home directory for all new local interactive user accounts.

CM-6 - Medium - CCI-000366 - V-239151 - SV-239151r675261_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000080

Vuln IDs

V-239151

Rule IDs

SV-239151r675261_rule

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Checks: C-42362r675259_chk

At the command line, execute the following command: # grep -i "^create_home" /etc/login.defs If there is no output or the output does not equal "CREATE_HOME yes", this is a finding.

Fix: F-42321r675260_fix

Open /etc/login.defs with a text editor. Ensure that the following is present and any existing CREATE_HOME line is removed: CREATE_HOME yes

b

The Photon operating system must disable the debug-shell service.

CM-6 - Medium - CCI-000366 - V-239152 - SV-239152r675264_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000081

Vuln IDs

V-239152

Rule IDs

SV-239152r675264_rule

The debug-shell service is intended to diagnose system-related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.

Checks: C-42363r675262_chk

At the command line, execute the following command: # systemctl status debug-shell.service|grep -E --color=always disabled If the debug-shell service is not disabled, this is a finding.

Fix: F-42322r675263_fix

At the command line, execute the following commands: # systemctl stop debug-shell.service # systemctl disable debug-shell.service Reboot for changes to take effect.

b

The Photon operating system must configure a secure umask for all shells.

CM-6 - Medium - CCI-000366 - V-239153 - SV-239153r675267_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000082

Vuln IDs

V-239153

Rule IDs

SV-239153r675267_rule

A user's umask influences the permissions assigned to files that a user creates. Setting an appropriate umask is important to make sure that information is not exposed to unprivileged users.

Checks: C-42364r675265_chk

At the command line, execute the following command: # cat /etc/profile.d/umask.sh Expected result: # By default, the umask should be set. if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then umask 002 else umask 027 fi If the output does not match the expected result, this is a finding.

Fix: F-42323r675266_fix

Open /etc/profile.d/umask.sh with a text editor. Set the contents as follows: # By default, the umask should be set. if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then umask 002 else umask 027 fi

b

The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.

CM-6 - Medium - CCI-000366 - V-239154 - SV-239154r675270_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000083

Vuln IDs

V-239154

Rule IDs

SV-239154r675270_rule

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system.

Checks: C-42365r675268_chk

At the command line, execute the following command: # sshd -T|&grep -i GSSAPIAuthentication Expected result: GSSAPIAuthentication no If the output does not match the expected result, this is a finding.

Fix: F-42324r675269_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "GSSAPIAuthentication" line is uncommented and set to the following: GSSAPIAuthentication no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to disable environment processing.

CM-6 - Medium - CCI-000366 - V-239155 - SV-239155r675273_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000084

Vuln IDs

V-239155

Rule IDs

SV-239155r675273_rule

Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.

Checks: C-42366r675271_chk

At the command line, execute the following command: sshd -T|&grep -i PermitUserEnvironment Expected result: PermitUserEnvironment no If the output does not match the expected result, this is a finding.

Fix: F-42325r675272_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "PermitUserEnvironment" line is uncommented and set to the following: PermitUserEnvironment no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to disable X11 forwarding.

CM-6 - Medium - CCI-000366 - V-239156 - SV-239156r675276_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000085

Vuln IDs

V-239156

Rule IDs

SV-239156r675276_rule

X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.

Checks: C-42367r675274_chk

At the command line, execute the following command: # sshd -T|&grep -i X11Forwarding Expected result: X11Forwarding no If the output does not match the expected result, this is a finding.

Fix: F-42326r675275_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "X11Forwarding" line is uncommented and set to the following: X11Forwarding no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.

CM-6 - Medium - CCI-000366 - V-239157 - SV-239157r675279_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000086

Vuln IDs

V-239157

Rule IDs

SV-239157r675279_rule

If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.

Checks: C-42368r675277_chk

At the command line, execute the following command: # sshd -T|&grep -i StrictModes Expected result: StrictModes yes If the output does not match the expected result, this is a finding.

Fix: F-42327r675278_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "StrictModes" line is uncommented and set to the following: StrictModes yes At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to disallow Kerberos authentication.

CM-6 - Medium - CCI-000366 - V-239158 - SV-239158r675282_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000087

Vuln IDs

V-239158

Rule IDs

SV-239158r675282_rule

If Kerberos is enabled through SSH, sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled.

Checks: C-42369r675280_chk

At the command line, execute the following command: # sshd -T|&grep -i KerberosAuthentication Expected result: KerberosAuthentication no If the output does not match the expected result, this is a finding.

Fix: F-42328r675281_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "KerberosAuthentication" line is uncommented and set to the following: KerberosAuthentication no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to use privilege separation.

CM-6 - Medium - CCI-000366 - V-239159 - SV-239159r675285_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000088

Vuln IDs

V-239159

Rule IDs

SV-239159r675285_rule

Privilege separation in sshd causes the process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Checks: C-42370r675283_chk

At the command line, execute the following command: # sshd -T|&grep -i UsePrivilegeSeparation Expected result: UsePrivilegeSeparation yes If the output does not match the expected result, this is a finding.

Fix: F-42329r675284_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "UsePrivilegeSeparation" line is uncommented and set to the following: UsePrivilegeSeparation yes At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to disallow authentication with an empty password.

CM-6 - Medium - CCI-000366 - V-239160 - SV-239160r675288_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000089

Vuln IDs

V-239160

Rule IDs

SV-239160r675288_rule

Blank passwords are one of the first things an attacker checks for when probing a system. Even is the user somehow has a blank password on the OS, sshd must not allow that user to log in.

Checks: C-42371r675286_chk

At the command line, execute the following command: # sshd -T|&grep -i PermitEmptyPasswords Expected result: PermitEmptyPasswords no If the output does not match the expected result, this is a finding.

Fix: F-42330r675287_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "PermitEmptyPasswords" line is uncommented and set to the following: PermitEmptyPasswords no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to disallow compression of the encrypted session stream.

CM-6 - Medium - CCI-000366 - V-239161 - SV-239161r675291_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000090

Vuln IDs

V-239161

Rule IDs

SV-239161r675291_rule

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.

Checks: C-42372r675289_chk

At the command line, execute the following command: # sshd -T|&grep -i Compression Expected result: Compression no If the output does not match the expected result, this is a finding.

Fix: F-42331r675290_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "Compression" line is uncommented and set to the following: Compression no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to display the last login immediately after authentication.

CM-6 - Medium - CCI-000366 - V-239162 - SV-239162r675294_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000091

Vuln IDs

V-239162

Rule IDs

SV-239162r675294_rule

Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthorized account use.

Checks: C-42373r675292_chk

At the command line, execute the following command: # sshd -T|&grep -i PrintLastLog Expected result: PrintLastLog yes If the output does not match the expected result, this is a finding.

Fix: F-42332r675293_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "PrintLastLog" line is uncommented and set to the following: PrintLastLog yes At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.

CM-6 - Medium - CCI-000366 - V-239163 - SV-239163r675297_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000092

Vuln IDs

V-239163

Rule IDs

SV-239163r675297_rule

SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.

Checks: C-42374r675295_chk

At the command line, execute the following command: # sshd -T|&grep -i IgnoreRhosts Expected result: IgnoreRhosts yes If the output does not match the expected result, this is a finding.

Fix: F-42333r675296_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "IgnoreRhosts" line is uncommented and set to the following: IgnoreRhosts yes At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to ignore user-specific known_host files.

CM-6 - Medium - CCI-000366 - V-239164 - SV-239164r675300_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000093

Vuln IDs

V-239164

Rule IDs

SV-239164r675300_rule

SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines which must also be ignored while disabling host-based authentication generally.

Checks: C-42375r675298_chk

At the command line, execute the following command: # sshd -T|&grep -i IgnoreUserKnownHosts Expected result: IgnoreUserKnownHosts yes If the output does not match the expected result, this is a finding.

Fix: F-42334r675299_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "IgnoreUserKnownHosts" line is uncommented and set to the following: IgnoreUserKnownHosts yes At the command line, execute the following command: # service sshd reload

b

The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.

CM-6 - Medium - CCI-000366 - V-239165 - SV-239165r675303_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000094

Vuln IDs

V-239165

Rule IDs

SV-239165r675303_rule

By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.

Checks: C-42376r675301_chk

At the command line, execute the following command: # sshd -T|&grep -i MaxAuthTries Expected result: MaxAuthTries 2 If the output does not match the expected result, this is a finding.

Fix: F-42335r675302_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "MaxAuthTries" line is uncommented and set to the following: MaxAuthTries 2 At the command line, execute the following command: # service sshd reload

b

The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.

CM-6 - Medium - CCI-000366 - V-239166 - SV-239166r675306_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000095

Vuln IDs

V-239166

Rule IDs

SV-239166r675306_rule

When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of systems availability due to unintentional reboot.

Checks: C-42377r675304_chk

At the command line, execute the following command: # systemctl status ctrl-alt-del.target Expected result: ctrl-alt-del.target Loaded: masked (/dev/null; bad) Active: inactive (dead) If the output does not match the expected result, this is a finding.

Fix: F-42336r675305_fix

At the command line, execute the following command: # systemctl mask ctrl-alt-del.target

b

The Photon operating system must be configured so that the /etc/skel default scripts are protected from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239167 - SV-239167r675309_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000096

Vuln IDs

V-239167

Rule IDs

SV-239167r675309_rule

If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.

Checks: C-42378r675307_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/skel/.[^.]* Expected result: /etc/skel/.bash_logout permissions are 750 and owned by root:root /etc/skel/.bash_profile permissions are 644 and owned by root:root /etc/skel/.bashrc permissions are 750 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42337r675308_fix

At the command line, execute the following commands: # chmod 750 /etc/skel/.bash_logout # chmod 644 /etc/skel/.bash_profile # chmod 750 /etc/skel/.bashrc # chown root:root /etc/skel/.bash_logout # chown root:root /etc/skel/.bash_profile # chown root:root /etc/skel/.bashrc

b

The Photon operating system must be configured so that the /root path is protected from unauthorized access.

CM-6 - Medium - CCI-000366 - V-239168 - SV-239168r675312_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000097

Vuln IDs

V-239168

Rule IDs

SV-239168r675312_rule

If the /root path is accessible from users other than root, unauthorized users could change the root partitions files.

Checks: C-42379r675310_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /root Expected result: /root permissions are 700 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42338r675311_fix

At the command line, execute the following commands: # chmod 700 /root # chown root:root /root

b

The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239169 - SV-239169r675315_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000098

Vuln IDs

V-239169

Rule IDs

SV-239169r675315_rule

Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon login.

Checks: C-42380r675313_chk

At the command line, execute the following command: # find /etc/bash.bashrc /etc/profile /etc/profile.d/ -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-42339r675314_fix

At the command line, execute the following commands for each returned file: # chmod o-w <file> # chown root:root <file>

b

The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239170 - SV-239170r675318_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000099

Vuln IDs

V-239170

Rule IDs

SV-239170r675318_rule

If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.

Checks: C-42381r675316_chk

At the command line, execute the following command: # find /etc/rc.d/* -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-42340r675317_fix

At the command line, execute the following commands for each returned file: # chmod o-w <file> # chown root:root <file>

b

The Photon operating system must be configured so that all files have a valid owner and group owner.

CM-6 - Medium - CCI-000366 - V-239171 - SV-239171r675321_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000100

Vuln IDs

V-239171

Rule IDs

SV-239171r675321_rule

If files do not have valid user and group owners, unintended access to files could occur.

Checks: C-42382r675319_chk

At the command line, execute the following command: # find / -fstype ext4 -nouser -o -nogroup -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-42341r675320_fix

At the command line, execute the following command for each returned file: # chown root:root <file>

b

The Photon operating system must be configured so that the /etc/cron.allow file is protected from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239172 - SV-239172r675324_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000101

Vuln IDs

V-239172

Rule IDs

SV-239172r675324_rule

If cron files and folders are accessible to unauthorized users, malicious jobs may be created.

Checks: C-42383r675322_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/cron.allow Expected result: /etc/cron.allow permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42342r675323_fix

At the command line, execute the following commands: # chmod 600 /etc/cron.allow # chown root:root /etc/cron.allow

b

The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239173 - SV-239173r675327_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000102

Vuln IDs

V-239173

Rule IDs

SV-239173r675327_rule

If cron files and folders are accessible to unauthorized users, malicious jobs may be created.

Checks: C-42384r675325_chk

At the command line, execute the following command: # find /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.monthly/ /etc/cron.weekly/ -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-42343r675326_fix

At the command line, execute the following commands for each returned file: # chmod o-w <file> # chown root:root <file>

b

The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239174 - SV-239174r675330_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000103

Vuln IDs

V-239174

Rule IDs

SV-239174r675330_rule

If cron files and folders are accessible to unauthorized users, malicious jobs may be created.

Checks: C-42385r675328_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly Expected result: /etc/cron.d permissions are 755 and owned by root:root /etc/cron.daily permissions are 755 and owned by root:root /etc/cron.hourly permissions are 755 and owned by root:root /etc/cron.monthly permissions are 755 and owned by root:root /etc/cron.weekly permissions are 755 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42344r675329_fix

At the command line, execute the following commands for each returned file: # chmod 755 <path> # chown root:root <path>

b

The Photon operating system must not forward IPv4 or IPv6 source-routed packets.

CM-6 - Medium - CCI-000366 - V-239175 - SV-239175r816656_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000104

Vuln IDs

V-239175

Rule IDs

SV-239175r816656_rule

Source routing is an Internet Protocol (IP) mechanism that allows an IP packet to carry information, a list of addresses, which tells a router the path the packet must take. There is also an option to record the hops as the route is traversed. The list of hops taken, the "route record", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes and should therefore be disabled.

Checks: C-42386r675331_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default|eth.*).accept_source_route" Expected result: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.eth0.accept_source_route = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-42345r816655_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.eth0.accept_source_route = 0 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

CM-6 - Medium - CCI-000366 - V-239176 - SV-239176r816658_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000105

Vuln IDs

V-239176

Rule IDs

SV-239176r816658_rule

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.

Checks: C-42387r675334_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern ignore_broadcasts Expected result: net.ipv4.icmp_echo_ignore_broadcasts = 1 If the output does not match the expected result, this is a finding.

Fix: F-42346r816657_fix

Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.icmp_echo_ignore_broadcasts=1 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

CM-6 - Medium - CCI-000366 - V-239177 - SV-239177r816660_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000106

Vuln IDs

V-239177

Rule IDs

SV-239177r816660_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-42388r675337_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).accept_redirects" Expected result: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-42347r816659_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.

CM-6 - Medium - CCI-000366 - V-239178 - SV-239178r816662_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000107

Vuln IDs

V-239178

Rule IDs

SV-239178r816662_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-42389r675340_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects" Expected result: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.eth0.secure_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-42348r816661_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.eth0.secure_redirects = 0 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.

CM-6 - Medium - CCI-000366 - V-239179 - SV-239179r816664_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000108

Vuln IDs

V-239179

Rule IDs

SV-239179r816664_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

Checks: C-42390r675343_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).send_redirects" Expected result: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.eth0.send_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-42349r816663_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.eth0.send_redirects = 0 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must log IPv4 packets with impossible addresses.

CM-6 - Medium - CCI-000366 - V-239180 - SV-239180r816666_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000109

Vuln IDs

V-239180

Rule IDs

SV-239180r816666_rule

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Checks: C-42391r675346_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).log_martians" Expected result: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.eth0.log_martians = 1 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "1".

Fix: F-42350r816665_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.eth0.log_martians = 1 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must use a reverse-path filter for IPv4 network traffic.

CM-6 - Medium - CCI-000366 - V-239181 - SV-239181r816668_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000110

Vuln IDs

V-239181

Rule IDs

SV-239181r816668_rule

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.

Checks: C-42392r675349_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*)\.rp_filter" Expected result: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "1".

Fix: F-42351r816667_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must not perform multicast packet forwarding.

CM-6 - Medium - CCI-000366 - V-239182 - SV-239182r816670_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000111

Vuln IDs

V-239182

Rule IDs

SV-239182r816670_rule

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Checks: C-42393r675352_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default|eth.*).mc_forwarding" Expected result: net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.eth0.mc_forwarding = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-42352r816669_fix

Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.eth0.mc_forwarding = 0 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must not perform IPv4 packet forwarding.

CM-6 - Medium - CCI-000366 - V-239183 - SV-239183r816672_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000112

Vuln IDs

V-239183

Rule IDs

SV-239183r816672_rule

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Checks: C-42394r675355_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.ip_forward$" Expected result: net.ipv4.ip_forward = 0 If the system is intended to operate as a router, this is N/A. If the output does not match the expected result, this is a finding.

Fix: F-42353r816671_fix

Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.ip_forward = 0 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon operating system must send TCP timestamps.

CM-6 - Medium - CCI-000366 - V-239184 - SV-239184r816674_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000113

Vuln IDs

V-239184

Rule IDs

SV-239184r816674_rule

TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can help a bad actor in determining likely patch levels for vulnerabilities.

Checks: C-42395r675358_chk

At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.tcp_timestamps$" Expected result: net.ipv4.tcp_timestamps = 1 If the output does not match the expected result, this is a finding.

Fix: F-42354r816673_fix

Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.tcp_timestamps = 1 Run the following command to load the new setting: # /sbin/sysctl --load

b

The Photon OS must not have the xinetd service enabled.

CM-6 - Medium - CCI-000366 - V-239185 - SV-239185r675363_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000114

Vuln IDs

V-239185

Rule IDs

SV-239185r675363_rule

The xinetd service is not required for normal appliance operation and must be disabled.

Checks: C-42396r675361_chk

At the command line, execute the following command: # systemctl is-enabled xinetd.service Expected result: disabled If the output does not match the expected result, this is a finding.

Fix: F-42355r675362_fix

At the command line, execute the following commands: # service xinetd stop # systemctl disable xinetd.service

b

The Photon operating system must be configured to protect the SSH public host key from unauthorized modification.

CM-6 - Medium - CCI-000366 - V-239186 - SV-239186r675366_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000115

Vuln IDs

V-239186

Rule IDs

SV-239186r675366_rule

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Checks: C-42397r675364_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key.pub Expected result: /etc/ssh/ssh_host_dsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42356r675365_fix

At the command line, execute the following commands for each returned file: # chmod 644 <file> # chown root:root <file>

b

The Photon operating system must be configured to protect the SSH private host key from unauthorized access.

CM-6 - Medium - CCI-000366 - V-239187 - SV-239187r675369_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000116

Vuln IDs

V-239187

Rule IDs

SV-239187r675369_rule

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Checks: C-42398r675367_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key Expected result: /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42357r675368_fix

At the command line, execute the following commands for each returned file: # chmod 600 <file> # chown root:root <file>

b

The Photon operating system must enforce password complexity on the root account.

CM-6 - Medium - CCI-000366 - V-239188 - SV-239188r816676_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000117

Vuln IDs

V-239188

Rule IDs

SV-239188r816676_rule

Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_cracklib does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.

Checks: C-42399r675370_chk

At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "enforce_for_root" Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.

Fix: F-42358r816675_fix

Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.

b

The Photon operating system must protect all boot configuration files from unauthorized access.

CM-6 - Medium - CCI-000366 - V-239189 - SV-239189r675375_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000118

Vuln IDs

V-239189

Rule IDs

SV-239189r675375_rule

Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or malicious configurations can negatively affect system security and availability.

Checks: C-42400r675373_chk

At the command line, execute the following command: # find /boot/*.cfg -xdev -type f -a '(' -not -perm 600 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-42359r675374_fix

At the command line, execute the following commands for each returned file: # chmod 600 <file> # chown root:root <file>

b

The Photon operating system must protect sshd configuration from unauthorized access.

CM-6 - Medium - CCI-000366 - V-239190 - SV-239190r675378_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000119

Vuln IDs

V-239190

Rule IDs

SV-239190r675378_rule

The sshd_config file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow unauthorized access to the system, insecure communication, limited forensic trail, etc.

Checks: C-42401r675376_chk

At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/sshd_config Expected result: /etc/ssh/sshd_config permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-42360r675377_fix

At the command line, execute the following commands: # chmod 600 /etc/ssh/sshd_config # chown root:root /etc/ssh/sshd_config

b

The Photon operating system must protect all sysctl configuration files from unauthorized access.

CM-6 - Medium - CCI-000366 - V-239191 - SV-239191r675381_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000120

Vuln IDs

V-239191

Rule IDs

SV-239191r675381_rule

The sysctl configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuration of these parameters can have a negative effect on system security.

Checks: C-42402r675379_chk

At the command line, execute the following command: # find /etc/sysctl.conf /etc/sysctl.d/* -xdev -type f -a '(' -not -perm 600 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-42361r675380_fix

At the command line, execute the following commands for each returned file: # chmod 600 <file> # chown root:root <file>

b

The Photon operating system must set the UMASK parameter correctly.

CM-6 - Medium - CCI-000366 - V-239193 - SV-239193r675387_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000122

Vuln IDs

V-239193

Rule IDs

SV-239193r675387_rule

The umask value influences the permissions assigned to files when they are created. The umask setting in login.defs controls the permissions for a new user's home directory. By setting the proper umask, home directories will only allow the new user to read and write files there. Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230

Checks: C-42404r675385_chk

At the command line, execute the following command: # grep UMASK /etc/login.defs Expected result: UMASK 077 If the output does not match the expected result, this a finding.

Fix: F-42363r675386_fix

Open /etc/login.defs with a text editor. Ensure that the "UMASK" line is uncommented and set to the following: UMASK 077

b

The Photon operating system must configure sshd to disallow HostbasedAuthentication.

CM-6 - Medium - CCI-000366 - V-239194 - SV-239194r675390_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

PHTN-67-000123

Vuln IDs

V-239194

Rule IDs

SV-239194r675390_rule

SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.

Checks: C-42405r675388_chk

At the command line, execute the following command: # sshd -T|&grep -i HostbasedAuthentication Expected result: hostbasedauthentication no If the output does not match the expected result, this is a finding.

Fix: F-42364r675389_fix

Open /etc/ssh/sshd_config with a text editor. Ensure that the "HostbasedAuthentication" line is uncommented and set to the following: HostbasedAuthentication no At the command line, execute the following command: # service sshd reload

b

The Photon operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-3 - Medium - CCI-000213 - V-239195 - SV-239195r675393_rule

RMF Control

AC-3

Severity

M

CCI

CCI-000213

Version

PHTN-67-000124

Vuln IDs

V-239195

Rule IDs

SV-239195r675393_rule

If the system does not require authentication before it boots into single-user mode, anyone with vCenter console rights to the VCSA can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and can be configured to require a password to boot into single-user mode or make modifications to the boot menu. Note: The VCSA does not support building grub changes via grub2-mkconfig.

Checks: C-42406r675391_chk

At the command line, execute the following command: # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg If there is no output, this is a finding. If the output does not begin with "password_pbkdf2 root", this is a finding.

Fix: F-42365r675392_fix

At the command line, execute the following command: # grub2-mkpasswd-pbkdf2 Enter a secure password and ensure this password is stored for break-glass situations. The vCenter root account cannot be recovered without knowing this separate password. Copy the resulting encrypted string. An example string follows: grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86 Open /boot/grub2/grub.cfg with a text editor. Find the line that begins with "set rootpartition". Below this line, paste the following on its own line: set superusers="root" Below this, paste the following, substituting your own encrypted string from the steps above: password_pbkdf2 root <YOUR-LONG-STRING-FROM-ABOVE> The VCSA ships with one "menuentry" block by default. Copy that entire block and paste it right below that block. Example: menuentry "Photon" { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } menuentry "Photon" { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } Modify the first menuentry block to add the "--unrestricted" option as follows: menuentry "Photon" --unrestricted { Modify the second menuentry block to add the allowed user as follows: menuentry "Recover Photon" --users root { This concludes the fix. To verify, following is an example grub.cfg snippet: ... set rootpartition=PARTUUID=326e5b0f-42fb-471a-8209-18964c4a2ed3 set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86 menuentry "Photon" --unrestricted { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } menuentry "Recover Photon" --users root { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi }

b

The Photon operating system must audit all account modifications.

AU-12 - Medium - CCI-000172 - V-251878 - SV-251878r816564_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000172

Version

PHTN-67-000044

Vuln IDs

V-251878

Rule IDs

SV-251878r816564_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.

Checks: C-55336r816562_chk

At the command line, execute the following command: # auditctl -l | grep -E "(usermod|groupmod)" Expected result: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.

Fix: F-55288r816563_fix

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod At the command line, execute the following command: # /sbin/augenrules --load

Content changes 5

Checks: C-42283r675022_chk

Fix: F-42242r840144_fix

Generate Mitigation Statement:

Checks: C-42284r816593_chk

Fix: F-42243r816594_fix

Generate Mitigation Statement:

Checks: C-42285r675028_chk

Fix: F-42244r675029_fix

Generate Mitigation Statement:

Checks: C-42286r675031_chk

Fix: F-42245r675032_fix

Generate Mitigation Statement:

Checks: C-42287r675034_chk

Fix: F-42246r675035_fix

Generate Mitigation Statement:

Checks: C-42288r675037_chk

Fix: F-42247r675038_fix

Generate Mitigation Statement:

Checks: C-42289r675040_chk

Fix: F-42248r675041_fix

Generate Mitigation Statement:

Checks: C-42290r675043_chk

Fix: F-42249r675044_fix

Generate Mitigation Statement:

Checks: C-42291r675046_chk

Fix: F-42250r675047_fix

Generate Mitigation Statement:

Checks: C-42292r816596_chk

Fix: F-42251r675050_fix

Generate Mitigation Statement:

Checks: C-42293r675052_chk

Fix: F-42252r675053_fix

Generate Mitigation Statement:

Checks: C-42294r675055_chk

Fix: F-42253r675056_fix

Generate Mitigation Statement:

Checks: C-42295r821353_chk

Fix: F-42254r816599_fix

Generate Mitigation Statement:

Checks: C-42296r675061_chk

Fix: F-42255r675062_fix

Generate Mitigation Statement:

Checks: C-42297r675064_chk

Fix: F-42256r675065_fix

Generate Mitigation Statement:

Checks: C-42298r675067_chk

Fix: F-42257r675068_fix

Generate Mitigation Statement:

Checks: C-42299r675070_chk

Fix: F-42258r675071_fix

Generate Mitigation Statement:

Checks: C-42300r675073_chk

Fix: F-42259r675074_fix

Generate Mitigation Statement:

Checks: C-42301r675076_chk

Fix: F-42260r675077_fix

Generate Mitigation Statement:

Checks: C-42302r675079_chk

Fix: F-42261r675080_fix

Generate Mitigation Statement:

Checks: C-42303r816601_chk

Fix: F-42262r816602_fix

Generate Mitigation Statement:

Checks: C-42304r816911_chk

Fix: F-42263r816604_fix

Generate Mitigation Statement:

Checks: C-42305r675088_chk

Fix: F-42264r816606_fix

Generate Mitigation Statement:

Checks: C-42306r675091_chk

Fix: F-42265r816608_fix

Generate Mitigation Statement:

Checks: C-42307r675094_chk

Fix: F-42266r816610_fix

Generate Mitigation Statement:

Checks: C-42308r675097_chk

Fix: F-42267r816612_fix

Generate Mitigation Statement:

Checks: C-42309r675100_chk