Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

V1R3 · · · Released 24 Jan 2024 · 113 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R2 · 26 Jul 2023 ✎ 3

Comparison against the immediately-prior release (V1R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 3

  • V-256534 Low checkfix The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
  • V-256558 Medium check The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
  • V-256578 Medium check The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.
Sort by
b
The Photon operating system must audit all account creations.
AC-2 - Medium - CCI-000018 - V-256478 - SV-256478r887108_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
PHTN-30-000001
Vuln IDs
  • V-256478
Rule IDs
  • SV-256478r887108_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.
Checks: C-60153r887106_chk

At the command line, run the following command: # auditctl -l | grep -E "(useradd|groupadd)" Expected result: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-30-000013.

Fix: F-60096r887107_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add or update the following lines: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
AC-7 - Medium - CCI-000044 - V-256479 - SV-256479r887111_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
PHTN-30-000002
Vuln IDs
  • V-256479
Rule IDs
  • SV-256479r887111_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Checks: C-60154r887109_chk

At the command line, run the following commands: # grep pam_tally2 /etc/pam.d/system-auth Expected result: auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300 # grep pam_tally2 /etc/pam.d/system-account Expected result: account required pam_tally2.so onerr=fail audit If the output does not list the "pam_tally2" options as configured in the expected results, this is a finding.

Fix: F-60097r887110_fix

Navigate to and open: /etc/pam.d/system-auth Remove any existing "pam_tally2.so" line and add the following line after the "pam_unix.so" statement: auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300 Navigate to and open: /etc/pam.d/system-account Remove any existing "pam_tally2.so" line and add the following line after the "pam_unix.so" statement: account required pam_tally2.so onerr=fail audit Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting Secure Shell (SSH) access.
AC-8 - Medium - CCI-000048 - V-256480 - SV-256480r887114_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
PHTN-30-000003
Vuln IDs
  • V-256480
Rule IDs
  • SV-256480r887114_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
Checks: C-60155r887112_chk

At the command line, run the following command: # sshd -T|&grep -i Banner Expected result: banner /etc/issue If the output does not match the expected result, this is a finding. Open "/etc/issue" with a text editor. If the file does not contain the Standard Mandatory DOD Notice and Consent Banner, this is a finding. Standard Mandatory DOD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-60098r887113_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "Banner" line is uncommented and set to the following: Banner /etc/issue Navigate to and open: /etc/issue Ensure the file contains the Standard Mandatory DOD Notice and Consent Banner. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-256481 - SV-256481r887117_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
PHTN-30-000004
Vuln IDs
  • V-256481
Rule IDs
  • SV-256481r887117_rule
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service attacks.
Checks: C-60156r887115_chk

At the command line, run the following command: # grep "^[^#].*maxlogins.*" /etc/security/limits.conf Expected result: * hard maxlogins 10 If the output does not match the expected result, this is a finding. Note: The expected result may be repeated multiple times.

Fix: F-60099r887116_fix

At the command line, run the following command: # echo '* hard maxlogins 10' >> /etc/security/limits.conf

b
The Photon operating system must set a session inactivity timeout of 15 minutes or less.
AC-11 - Medium - CCI-000057 - V-256482 - SV-256482r887120_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
PHTN-30-000005
Vuln IDs
  • V-256482
Rule IDs
  • SV-256482r887120_rule
A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session prior to going idle, the Photon operating system must be able to identify when a session has idled and take action to terminate the session. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000279-GPOS-00109, SRG-OS-000126-GPOS-00066
Checks: C-60157r887118_chk

At the command line, run the following command: # cat /etc/profile.d/tmout.sh Expected result: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null If the file "tmout.sh" does not exist or the output does not look like the expected result, this is a finding.

Fix: F-60100r887119_fix

Navigate to and open: /etc/profile.d/tmout.sh Set its content to the following: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b
The Photon operating system must have the sshd SyslogFacility set to "authpriv".
AC-17 - Medium - CCI-000067 - V-256483 - SV-256483r887123_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
PHTN-30-000006
Vuln IDs
  • V-256483
Rule IDs
  • SV-256483r887123_rule
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.
Checks: C-60158r887121_chk

At the command line, run the following command: # sshd -T|&grep -i SyslogFacility Expected result: syslogfacility AUTHPRIV If there is no output or if the output does not match the expected result, this is a finding.

Fix: F-60101r887122_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "SyslogFacility" line is uncommented and set to the following: SyslogFacility AUTHPRIV At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must have sshd authentication logging enabled.
AC-17 - Medium - CCI-000067 - V-256484 - SV-256484r887126_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
PHTN-30-000007
Vuln IDs
  • V-256484
Rule IDs
  • SV-256484r887126_rule
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. Shipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems.
Checks: C-60159r887124_chk

At the command line, run the following command: # grep "^authpriv" /etc/rsyslog.conf Expected result should be similar to the following: authpriv.* /var/log/auth.log If "authpriv" is not configured to be logged, this is a finding.

Fix: F-60102r887125_fix

Navigate to and open: /etc/rsyslog.conf Add the following line: authpriv.* /var/log/auth.log Note: The path can be substituted for another suitable log destination. At the command line, run the following command: # systemctl restart rsyslog.service

b
The Photon operating system must have the sshd LogLevel set to "INFO".
AC-17 - Medium - CCI-000067 - V-256485 - SV-256485r887129_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
PHTN-30-000008
Vuln IDs
  • V-256485
Rule IDs
  • SV-256485r887129_rule
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. The INFO LogLevel is required, at least, to ensure the capturing of failed login events.
Checks: C-60160r887127_chk

At the command line, run the following command: # sshd -T|&grep -i LogLevel Expected result: LogLevel INFO If the output does not match the expected result, this is a finding.

Fix: F-60103r887128_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "LogLevel" line is uncommented and set to the following: LogLevel INFO At the command line, run the following command: # systemctl restart sshd.service

a
The Photon operating system must configure sshd to use approved encryption algorithms.
AC-17 - Low - CCI-000068 - V-256486 - SV-256486r887132_rule
RMF Control
AC-17
Severity
L
CCI
CCI-000068
Version
PHTN-30-000009
Vuln IDs
  • V-256486
Rule IDs
  • SV-256486r887132_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH on the Photon operating system is compiled with a FIPS-validated cryptographic module. The "FipsMode" setting controls whether this module is initialized and used in FIPS 140-2 mode. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000393-GPOS-00173, SRG-OS-000396-GPOS-00176, SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187
Checks: C-60161r887130_chk

At the command line, run the following command: # sshd -T|&grep -i FipsMode Expected result: FipsMode yes If the output does not match the expected result, this is a finding.

Fix: F-60104r887131_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "FipsMode" line is uncommented and set to the following: FipsMode yes At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure auditd to log to disk.
AU-3 - Medium - CCI-000130 - V-256487 - SV-256487r887135_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
PHTN-30-000010
Vuln IDs
  • V-256487
Rule IDs
  • SV-256487r887135_rule
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content must be shipped to a central location, but it must also be logged locally. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019
Checks: C-60162r887133_chk

At the command line, run the following command: # grep "^write_logs" /etc/audit/auditd.conf Expected result: write_logs = yes If there is no output, this is not a finding. If the output does not match the expected result, this is a finding.

Fix: F-60105r887134_fix

Navigate to and open: /etc/audit/auditd.conf Ensure the "write_logs" line is uncommented and set to the following: write_logs = yes At the command line, run the following command: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system must configure auditd to use the correct log format.
AU-3 - Medium - CCI-000131 - V-256488 - SV-256488r887138_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
PHTN-30-000011
Vuln IDs
  • V-256488
Rule IDs
  • SV-256488r887138_rule
To compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know exact, unfiltered details of the event in question.
Checks: C-60163r887136_chk

At the command line, run the following command: # grep "^log_format" /etc/audit/auditd.conf Expected result: log_format = RAW If there is no output, this is not a finding. If the output does not match the expected result, this is a finding.

Fix: F-60106r887137_fix

Navigate to and open: /etc/audit/auditd.conf Ensure the "log_format" line is uncommented and set to the following: log_format = RAW At the command line, run the following command: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system must be configured to audit the execution of privileged functions.
AU-3 - Medium - CCI-000135 - V-256489 - SV-256489r887141_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000135
Version
PHTN-30-000012
Vuln IDs
  • V-256489
Rule IDs
  • SV-256489r887141_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing all actions by superusers is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Checks: C-60164r887139_chk

At the command line, run the following command: # auditctl -l | grep execve Expected result: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done in control PHTN-30-000013.

Fix: F-60107r887140_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must have the auditd service running.
AU-3 - Medium - CCI-000135 - V-256490 - SV-256490r887144_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000135
Version
PHTN-30-000013
Vuln IDs
  • V-256490
Rule IDs
  • SV-256490r887144_rule
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). They also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Satisfies: SRG-OS-000042-GPOS-00021, SRG-OS-000062-GPOS-00031, SRG-OS-000255-GPOS-00096, SRG-OS-000363-GPOS-00150, SRG-OS-000365-GPOS-00152, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000461-GPOS-00205, SRG-OS-000467-GPOS-00211, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Checks: C-60165r887142_chk

At the command line, run the following command: # systemctl status auditd If the service is not running, this is a finding.

Fix: F-60108r887143_fix

At the command line, run the following commands: # systemctl enable auditd # systemctl start auditd

b
The Photon operating system audit log must log space limit problems to syslog.
AU-5 - Medium - CCI-000139 - V-256491 - SV-256491r887147_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000139
Version
PHTN-30-000014
Vuln IDs
  • V-256491
Rule IDs
  • SV-256491r887147_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135
Checks: C-60166r887145_chk

At the command line, run the following command: # grep "^space_left_action" /etc/audit/auditd.conf Expected result: space_left_action = SYSLOG If the output does not match the expected result, this is a finding.

Fix: F-60109r887146_fix

Navigate to and open: /etc/audit/auditd.conf Ensure the "space_left_action" line is uncommented and set to the following: space_left_action = SYSLOG At the command line, run the following commands: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system audit log must attempt to log audit failures to syslog.
AU-5 - Medium - CCI-000140 - V-256492 - SV-256492r887150_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
PHTN-30-000015
Vuln IDs
  • V-256492
Rule IDs
  • SV-256492r887150_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
Checks: C-60167r887148_chk

At the command line, run the following command: # grep -E "^disk_full_action|^disk_error_action|^admin_space_left_action" /etc/audit/auditd.conf If any of the above parameters are not set to "SYSLOG" or are missing, this is a finding.

Fix: F-60110r887149_fix

Navigate to and open: /etc/audit/auditd.conf Ensure the following lines are present, not duplicated, and not commented: disk_full_action = SYSLOG disk_error_action = SYSLOG admin_space_left_action = SYSLOG At the command line, run the following commands: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system audit log must have correct permissions.
AU-9 - Medium - CCI-000162 - V-256493 - SV-256493r887153_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
PHTN-30-000016
Vuln IDs
  • V-256493
Rule IDs
  • SV-256493r887153_rule
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Checks: C-60168r887151_chk

At the command line, run the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n permissions are %a" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi) If the permissions on any audit log file are more permissive than "0600", this is a finding.

Fix: F-60111r887152_fix

At the command line, run the following command: # chmod 0600 <audit log file> Replace <audit log file> with the log files more permissive than 0600.

b
The Photon operating system audit log must be owned by root.
AU-9 - Medium - CCI-000163 - V-256494 - SV-256494r887156_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
PHTN-30-000017
Vuln IDs
  • V-256494
Rule IDs
  • SV-256494r887156_rule
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Checks: C-60169r887154_chk

At the command line, run the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) &amp;&amp; if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n is owned by %U" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by root, this is a finding.

Fix: F-60112r887155_fix

At the command line, run the following command: # chown root:root <audit log file> Replace <audit log file> with the log files not owned by root.

b
The Photon operating system audit log must be group-owned by root.
AU-9 - Medium - CCI-000164 - V-256495 - SV-256495r887159_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
PHTN-30-000018
Vuln IDs
  • V-256495
Rule IDs
  • SV-256495r887159_rule
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Checks: C-60170r887157_chk

At the command line, run the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) &amp;&amp; if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n is group owned by %G" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group owned by root, this is a finding.

Fix: F-60113r887158_fix

At the command line, run the following command: # chown root:root <audit log file> Replace <audit log file> with the log files not group owned by root.

b
The Photon operating system must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-256496 - SV-256496r887162_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000171
Version
PHTN-30-000019
Vuln IDs
  • V-256496
Rule IDs
  • SV-256496r887162_rule
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-60171r887160_chk

At the command line, run the following command: # find /etc/audit/* -type f -exec stat -c "%n permissions are %a" {} $1\; If the permissions of any files are more permissive than "640", this is a finding.

Fix: F-60114r887161_fix

At the command line, run the following command: # chmod 640 <file> Replace <file> with any file with incorrect permissions.

b
The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
AU-12 - Medium - CCI-000172 - V-256497 - SV-256497r887165_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
PHTN-30-000020
Vuln IDs
  • V-256497
Rule IDs
  • SV-256497r887165_rule
Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212
Checks: C-60172r887163_chk

At the command line, run the following command: # auditctl -l | grep chmod Expected result: -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid&gt;=1000 -F auid!=4294967295 -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid&gt;=1000 -F auid!=4294967295 -F key=perm_mod -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod If the output does not match the expected result, this is a finding. Note: The auid!= parameter may display as 4294967295 or -1, which are equivalent. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60115r887164_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
IA-5 - Medium - CCI-000192 - V-256498 - SV-256498r887168_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000192
Version
PHTN-30-000021
Vuln IDs
  • V-256498
Rule IDs
  • SV-256498r887168_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-60173r887166_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "ucredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include ucredit= &lt;= -1, this is a finding.

Fix: F-60116r887167_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
IA-5 - Medium - CCI-000193 - V-256499 - SV-256499r887171_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000193
Version
PHTN-30-000022
Vuln IDs
  • V-256499
Rule IDs
  • SV-256499r887171_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-60174r887169_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "lcredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include lcredit= &lt;= -1, this is a finding.

Fix: F-60117r887170_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-256500 - SV-256500r887174_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000194
Version
PHTN-30-000023
Vuln IDs
  • V-256500
Rule IDs
  • SV-256500r887174_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-60175r887172_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "dcredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include dcredit= &lt;= -1, this is a finding.

Fix: F-60118r887173_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must require that new passwords are at least four characters different from the old password.
IA-5 - Medium - CCI-000195 - V-256501 - SV-256501r887177_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000195
Version
PHTN-30-000024
Vuln IDs
  • V-256501
Rule IDs
  • SV-256501r887177_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-60176r887175_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "difok=." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include difok &gt;= 4, this is a finding.

Fix: F-60119r887176_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must store only encrypted representations of passwords.
IA-5 - Medium - CCI-000196 - V-256502 - SV-256502r887180_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
PHTN-30-000025
Vuln IDs
  • V-256502
Rule IDs
  • SV-256502r887180_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Checks: C-60177r887178_chk

At the command line, run the following command: # grep SHA512 /etc/login.defs|grep -v "#" Expected result: ENCRYPT_METHOD SHA512 If there is no output or if the output does match the expected result, this is a finding.

Fix: F-60120r887179_fix

Navigate to and open: /etc/login.defs Add or replace the ENCRYPT_METHOD line as follows: ENCRYPT_METHOD SHA512

b
The Photon operating system must use an OpenSSH server version that does not support protocol 1.
IA-5 - Medium - CCI-000197 - V-256503 - SV-256503r887183_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
PHTN-30-000026
Vuln IDs
  • V-256503
Rule IDs
  • SV-256503r887183_rule
A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000395-GPOS-00175, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Checks: C-60178r887181_chk

At the command line, run the following command: # rpm -qa|grep openssh If there is no output or openssh is not &gt;= version 7.4, this is a finding.

Fix: F-60121r887182_fix

Installing openssh manually is not supported by VMware for appliances. Revert to a previous backup or redeploy the appliance.

b
The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.
IA-5 - Medium - CCI-000198 - V-256504 - SV-256504r887186_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000198
Version
PHTN-30-000027
Vuln IDs
  • V-256504
Rule IDs
  • SV-256504r887186_rule
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Checks: C-60179r887184_chk

At the command line, run the following command: # grep "^PASS_MIN_DAYS" /etc/login.defs If "PASS_MIN_DAYS" is not set to "1", this is a finding.

Fix: F-60122r887185_fix

Navigate to and open: /etc/login.defs Modify the "PASS_MIN_DAYS" line to the following: PASS_MIN_DAYS 1

b
The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.
IA-5 - Medium - CCI-000199 - V-256505 - SV-256505r887189_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
PHTN-30-000028
Vuln IDs
  • V-256505
Rule IDs
  • SV-256505r887189_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Checks: C-60180r887187_chk

At the command line, run the following command: # grep "^PASS_MAX_DAYS" /etc/login.defs If the value of "PASS_MAX_DAYS" is greater than "90", this is a finding.

Fix: F-60123r887188_fix

Navigate to and open: /etc/login.def Modify the "PASS_MAX_DAYS" line to the following: PASS_MAX_DAYS 90

b
The Photon operating system must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-256506 - SV-256506r887192_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
PHTN-30-000029
Vuln IDs
  • V-256506
Rule IDs
  • SV-256506r887192_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed per policy requirements.
Checks: C-60181r887190_chk

At the command line, run the following command: # grep pam_pwhistory /etc/pam.d/system-password|grep --color=always "remember=." Expected result: password requisite pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3 If the output does not include the "remember=5" setting as shown in the expected result, this is a finding.

Fix: F-60124r887191_fix

Navigate to and open: /etc/pam.d/system-password Add the following line after the "password requisite pam_cracklib.so" statement: password requisite pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3 Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must enforce a minimum eight-character password length.
IA-5 - Medium - CCI-000205 - V-256507 - SV-256507r887195_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
PHTN-30-000030
Vuln IDs
  • V-256507
Rule IDs
  • SV-256507r887195_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-60182r887193_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "minlen=.." Example result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include minlen &gt;= 8, this is a finding.

Fix: F-60125r887194_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

c
The Photon operating system must require authentication upon booting into single-user and maintenance modes.
AC-3 - High - CCI-000213 - V-256508 - SV-256508r887198_rule
RMF Control
AC-3
Severity
H
CCI
CCI-000213
Version
PHTN-30-000031
Vuln IDs
  • V-256508
Rule IDs
  • SV-256508r887198_rule
If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and can be configured to require a password to boot into single-user mode or make modifications to the boot menu. Note: Photon does not support building grub changes via grub2-mkconfig.
Checks: C-60183r887196_chk

At the command line, run the following command: # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg If there is not output, this is a finding. If the output does not begin with "password_pbkdf2 root", this is a finding.

Fix: F-60126r887197_fix

At the command line, run the following command: # grub2-mkpasswd-pbkdf2 Enter a secure password and ensure this password is stored for break-glass situations. The vCenter root account cannot be recovered without knowing this separate password. Copy the resulting encrypted string. An example string is below: grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86 Navigate to and open: /boot/grub2/grub.cfg Find the line that begins with "set rootpartition". Below this line, paste the following on its own line: set superusers="root" Below this, paste the following, substituting the encrypted string from the steps above: password_pbkdf2 root <YOUR-LONG-STRING-FROM-ABOVE> Photon ships with one menuentry block by default. Copy that entire block and paste it right below itself. Example: menuentry "Photon" { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } menuentry "Photon" { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } Modify the first menuentry block to add the "--unrestricted" option as follows: menuentry "Photon" --unrestricted { Modify the second menuentry block to add the allowed user as follows: menuentry "Recover Photon" --users root { This concludes the fix. To verify, here is an example grub.cfg snippet: ... set rootpartition=PARTUUID=326e5b0f-42fb-471a-8209-18964c4a2ed3 set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86 menuentry "Photon" --unrestricted { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } menuentry "Recover Photon" --users root { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi }

b
The Photon operating system must disable the loading of unnecessary kernel modules.
CM-7 - Medium - CCI-000382 - V-256509 - SV-256509r887201_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
PHTN-30-000032
Vuln IDs
  • V-256509
Rule IDs
  • SV-256509r887201_rule
To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059
Checks: C-60184r887199_chk

At the command line, run the following command: # modprobe --showconfig | grep "^install" | grep "/bin" Expected result: install sctp /bin/false install dccp /bin/false install dccp_ipv4 /bin/false install dccp_ipv6 /bin/false install ipx /bin/false install appletalk /bin/false install decnet /bin/false install rds /bin/false install tipc /bin/false install bluetooth /bin/false install usb_storage /bin/false install ieee1394 /bin/false install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false install hfs /bin/false install hfsplus /bin/false install squashfs /bin/false install udf /bin/false The output may include other statements outside of the expected result. If the output does not include at least every statement in the expected result, this is a finding.

Fix: F-60127r887200_fix

Navigate to and open: /etc/modprobe.d/modprobe.conf Set the contents as follows: install sctp /bin/false install dccp /bin/false install dccp_ipv4 /bin/false install dccp_ipv6 /bin/false install ipx /bin/false install appletalk /bin/false install decnet /bin/false install rds /bin/false install tipc /bin/false install bluetooth /bin/false install usb_storage /bin/false install ieee1394 /bin/false install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false install hfs /bin/false install hfsplus /bin/false install squashfs /bin/false install udf /bin/false

b
The Photon operating system must not have duplicate User IDs (UIDs).
IA-2 - Medium - CCI-000764 - V-256510 - SV-256510r887204_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000764
Version
PHTN-30-000033
Vuln IDs
  • V-256510
Rule IDs
  • SV-256510r887204_rule
To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for nonrepudiation.
Checks: C-60185r887202_chk

At the command line, run the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If any lines are returned, this is a finding.

Fix: F-60128r887203_fix

Navigate to and open: /etc/passwd Configure each user account that has a duplicate UID with a unique UID.

b
The Photon operating system must disable new accounts immediately upon password expiration.
IA-4 - Medium - CCI-000795 - V-256511 - SV-256511r887207_rule
RMF Control
IA-4
Severity
M
CCI
CCI-000795
Version
PHTN-30-000035
Vuln IDs
  • V-256511
Rule IDs
  • SV-256511r887207_rule
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Disabling inactive accounts ensures accounts that may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Checks: C-60186r887205_chk

At the command line, run the following command: # grep INACTIVE /etc/default/useradd Expected result: INACTIVE=0 If the output does not match the expected result, this is a finding.

Fix: F-60129r887206_fix

Navigate to and open: /etc/default/useradd Remove an existing "INACTIVE" line and add the following line: INACTIVE=0

b
The Photon operating system must use Transmission Control Protocol (TCP) syncookies.
SC-5 - Medium - CCI-001095 - V-256512 - SV-256512r887210_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
PHTN-30-000036
Vuln IDs
  • V-256512
Rule IDs
  • SV-256512r887210_rule
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected and enables the system to continue servicing valid connection requests. Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000420-GPOS-00186
Checks: C-60187r887208_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern tcp_syncookies Expected result: net.ipv4.tcp_syncookies = 1 If the output does not match the expected result, this is a finding.

Fix: F-60130r887209_fix

At the command line, run the following commands: # sed -i -e "/^net.ipv4.tcp_syncookies/d" /etc/sysctl.conf # echo net.ipv4.tcp_syncookies=1>>/etc/sysctl.conf # /sbin/sysctl --load

b
The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
SC-10 - Medium - CCI-001133 - V-256513 - SV-256513r887213_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
PHTN-30-000037
Vuln IDs
  • V-256513
Rule IDs
  • SV-256513r887213_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on a console or console port that has been left unattended.
Checks: C-60188r887211_chk

At the command line, run the following command: # sshd -T|&amp;grep -i ClientAliveInterval Expected result: ClientAliveInterval 900 If the output does not match the expected result, this is a finding.

Fix: F-60131r887212_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "ClientAliveInterval" line is uncommented and set to the following: ClientAliveInterval 900 At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.
SC-10 - Medium - CCI-001133 - V-256514 - SV-256514r887216_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
PHTN-30-000038
Vuln IDs
  • V-256514
Rule IDs
  • SV-256514r887216_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on a console or console port that has been left unattended.
Checks: C-60189r887214_chk

At the command line, run the following command: # sshd -T|&amp;grep -i ClientAliveCountMax Expected result: ClientAliveCountMax 0 If the output does not match the expected result, this is a finding.

Fix: F-60132r887215_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "ClientAliveCountMax" line is uncommented and set to the following: ClientAliveCountMax 0 At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system "/var/log" directory must be owned by root.
SI-11 - Medium - CCI-001314 - V-256515 - SV-256515r887219_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
PHTN-30-000040
Vuln IDs
  • V-256515
Rule IDs
  • SV-256515r887219_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.
Checks: C-60190r887217_chk

At the command line, run the following command: # stat -c "%n is owned by %U and group owned by %G" /var/log If the "/var/log directory" is not owned by root, this is a finding.

Fix: F-60133r887218_fix

At the command line, run the following command: # chown root:root /var/log

b
The Photon operating system messages file must have the correct ownership and file permissions.
SI-11 - Medium - CCI-001314 - V-256516 - SV-256516r887222_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
PHTN-30-000041
Vuln IDs
  • V-256516
Rule IDs
  • SV-256516r887222_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.
Checks: C-60191r887220_chk

At the command line, run the following command: # stat -c "%n is owned by %U and group owned by %G with %a permissions" /var/log/messages If the "/var/log/messages" directory is not owned by root or not group owned by root, or the file permissions are more permission than "640", this is a finding.

Fix: F-60134r887221_fix

At the command line, run the following commands: # chown root:root /var/log/messages # chmod 0640 /var/log/messages

b
The Photon operating system must audit all account modifications.
AC-2 - Medium - CCI-001403 - V-256517 - SV-256517r887225_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001403
Version
PHTN-30-000042
Vuln IDs
  • V-256517
Rule IDs
  • SV-256517r887225_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.
Checks: C-60192r887223_chk

At the command line, run the following command: # auditctl -l | grep -E "(usermod|groupmod)" Expected result: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60135r887224_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must audit all account modifications.
AC-2 - Medium - CCI-001403 - V-256518 - SV-256518r887228_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001403
Version
PHTN-30-000043
Vuln IDs
  • V-256518
Rule IDs
  • SV-256518r887228_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. Satisfies: SRG-OS-000239-GPOS-00089, SRG-OS-000303-GPOS-00120
Checks: C-60193r887226_chk

At the command line, run the following command: # auditctl -l | grep -E "(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)" Expected result: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/gshadow -p wa -k gshadow If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60136r887227_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/gshadow -p wa -k gshadow At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must audit all account disabling actions.
AC-2 - Medium - CCI-001404 - V-256519 - SV-256519r887231_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001404
Version
PHTN-30-000044
Vuln IDs
  • V-256519
Rule IDs
  • SV-256519r887231_rule
When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions.
Checks: C-60194r887229_chk

At the command line, run the following command: # auditctl -l | grep "w /usr/bin/passwd" Expected result: -w /usr/bin/passwd -p x -k passwd If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60137r887230_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -w /usr/bin/passwd -p x -k passwd At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must audit all account removal actions.
AC-2 - Medium - CCI-001405 - V-256520 - SV-256520r887234_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001405
Version
PHTN-30-000045
Vuln IDs
  • V-256520
Rule IDs
  • SV-256520r887234_rule
When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions.
Checks: C-60195r887232_chk

At the command line, run the following command: # auditctl -l | grep -E "(userdel|groupdel)" Expected result: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done in control PHTN-30-000013.

Fix: F-60138r887233_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must initiate auditing as part of the boot process.
AU-14 - Medium - CCI-001464 - V-256521 - SV-256521r887237_rule
RMF Control
AU-14
Severity
M
CCI
CCI-001464
Version
PHTN-30-000046
Vuln IDs
  • V-256521
Rule IDs
  • SV-256521r887237_rule
Each process on the system carries an "auditable" flag, which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes that launch after it starts, adding the kernel argument ensures the flag is set at boot for every process on the system. This includes processes created before auditd starts.
Checks: C-60196r887235_chk

At the command line, run the following command: # grep "audit=1" /proc/cmdline If no results are returned, this is a finding.

Fix: F-60139r887236_fix

Navigate to and open: /boot/grub2/grub.cfg Locate the boot command line arguments. An example follows: linux /$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline Add "audit=1" to the end of the line so it reads as follows: linux /$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1 Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append "audit=1" to it. Reboot the system for the change to take effect.

b
The Photon operating system audit files and directories must have correct permissions.
AU-9 - Medium - CCI-001493 - V-256522 - SV-256522r887240_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
PHTN-30-000047
Vuln IDs
  • V-256522
Rule IDs
  • SV-256522r887240_rule
Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
Checks: C-60197r887238_chk

At the command line, run the following command: # stat -c "%n is owned by %U and group owned by %G" /etc/audit/auditd.conf If "auditd.conf" is not owned by root and group owned by root, this is a finding.

Fix: F-60140r887239_fix

At the command line, run the following command: # chown root:root /etc/audit/auditd.conf

b
The Photon operating system must protect audit tools from unauthorized modification and deletion.
AU-9 - Medium - CCI-001494 - V-256523 - SV-256523r887243_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001494
Version
PHTN-30-000048
Vuln IDs
  • V-256523
Rule IDs
  • SV-256523r887243_rule
Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Checks: C-60198r887241_chk

At the command line, run the following command: # stat -c "%n is owned by %U and group owned by %G and permissions are %a" /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace If any file is not owned by root or group-owned by root or permissions are more permissive than "750", this is a finding.

Fix: F-60141r887242_fix

At the command line, run the following command for each file returned for user and group ownership: # chown root:root <file> At the command line, run the following command for each file returned for file permissions: # chmod 750 <file>

b
The Photon operating system must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-256524 - SV-256524r887246_rule
RMF Control
IA-5
Severity
M
CCI
CCI-001619
Version
PHTN-30-000050
Vuln IDs
  • V-256524
Rule IDs
  • SV-256524r887246_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-60199r887244_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "ocredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include ocredit= &lt;= -1, this is a finding.

Fix: F-60142r887245_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system package files must not be modified.
AU-9 - Medium - CCI-001496 - V-256525 - SV-256525r887249_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
PHTN-30-000051
Vuln IDs
  • V-256525
Rule IDs
  • SV-256525r887249_rule
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Without confidence in the integrity of the auditing system and tools, the information it provides cannot be trusted.
Checks: C-60200r887247_chk

Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package. At the command line, run the following command: # rpm -V audit | grep "^..5" | grep -v "^...........c" If there is any output, this is a finding.

Fix: F-60143r887248_fix

If the audit system binaries have been altered, the system must be taken offline and the information system security manager (ISSM) notified immediately. Reinstalling the audit tools is not supported. The appliance should be restored from a backup or redeployed once the root cause is remediated.

b
The Photon operating system must audit the execution of privileged functions.
AU-12 - Medium - CCI-000172 - V-256526 - SV-256526r918960_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
PHTN-30-000054
Vuln IDs
  • V-256526
Rule IDs
  • SV-256526r918960_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215
Checks: C-60201r918959_chk

At the command line, run the following command to obtain a list of setuid files: # find / -xdev -path /var/lib/containerd -prune -o \( -perm -4000 -type f -o -perm -2000 \) -type f -print | sort Run the following command for each setuid file found in the first command: # auditctl -l | grep &lt;setuid_path&gt; Replace &lt;setuid_path&gt; with each path found in the first command. If each &lt;setuid_path&gt; does not have a corresponding line in the audit rules, this is a finding. A typical corresponding line will look like the following: -a always,exit -S all -F path=&lt;setuid_path&gt; -F perm=x -F auid&gt;=1000 -F auid!=-1 -F key=privileged Note: The auid!= parameter may display as 4294967295 or -1, which are equivalent. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60144r887251_fix

At the command line, run the following command to obtain a list of setuid files: # find / -xdev -perm -4000 -type f -o -perm -2000 -type f | sort Execute the following for each setuid file found in the first command that does not have a corresponding line in the audit rules: Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following line: -a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged Execute the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must configure auditd to keep five rotated log files.
AU-4 - Medium - CCI-001849 - V-256527 - SV-256527r887255_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001849
Version
PHTN-30-000055
Vuln IDs
  • V-256527
Rule IDs
  • SV-256527r887255_rule
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep, and configuring auditd to not rotate the logs on its own. This ensures audit logs are accessible to the information system security officer (ISSO) in the event of a central log processing failure.
Checks: C-60202r887253_chk

At the command line, run the following command: # grep "^num_logs" /etc/audit/auditd.conf Expected result: num_logs = 5 If the output of the command does not match the expected result, this is a finding.

Fix: F-60145r887254_fix

Navigate to and open: /etc/audit/auditd.conf Add or change the "num_logs" line as follows: num_logs = 5 At the command line, run the following commands: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system must configure auditd to keep logging in the event max log file size is reached.
AU-4 - Medium - CCI-001849 - V-256528 - SV-256528r887258_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001849
Version
PHTN-30-000056
Vuln IDs
  • V-256528
Rule IDs
  • SV-256528r887258_rule
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep, and configuring auditd to not rotate the logs on its own. This ensures audit logs are accessible to the information system security officer (ISSO) in the event of a central log processing failure. If another solution is not used to rotate auditd logs, auditd can be configured to rotate logs.
Checks: C-60203r887256_chk

At the command line, run the following command: # grep "^max_log_file_action" /etc/audit/auditd.conf Example result: max_log_file_action = IGNORE If logs are rotated outside of auditd with a tool such as logrotated, and this setting is not set to "IGNORE", this is a finding. If logs are NOT rotated outside of auditd, and this setting is not set to "ROTATE", this is a finding.

Fix: F-60146r887257_fix

Navigate to and open: /etc/audit/auditd.conf Add or change the "max_log_file_action" line as follows: max_log_file_action = IGNORE Note: This can also be set to "ROTATE" if another tool is not used to rotate auditd logs. At the command line, run the following commands: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system must configure auditd to log space limit problems to syslog.
AU-5 - Medium - CCI-001855 - V-256529 - SV-256529r887261_rule
RMF Control
AU-5
Severity
M
CCI
CCI-001855
Version
PHTN-30-000057
Vuln IDs
  • V-256529
Rule IDs
  • SV-256529r887261_rule
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Checks: C-60204r887259_chk

At the command line, run the following command: # grep "^space_left " /etc/audit/auditd.conf Expected result: space_left = 75 If the output does not match the expected result, this is a finding.

Fix: F-60147r887260_fix

Navigate to and open: /etc/audit/auditd.conf Ensure the "space_left" line is uncommented and set to the following: space_left = 75 At the command line, run the following commands: # killproc auditd -TERM # systemctl start auditd

b
The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
CM-5 - Medium - CCI-001749 - V-256530 - SV-256530r887264_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
PHTN-30-000059
Vuln IDs
  • V-256530
Rule IDs
  • SV-256530r887264_rule
Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Checks: C-60205r887262_chk

At the command line, run the following command: # grep -s nosignature /usr/lib/rpm/rpmrc /etc/rpmrc ~root/.rpmrc If the command returns any output, this is a finding.

Fix: F-60148r887263_fix

Open the file containing "nosignature" with a text editor and remove the option.

b
The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
CM-5 - Medium - CCI-001749 - V-256531 - SV-256531r887267_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
PHTN-30-000060
Vuln IDs
  • V-256531
Rule IDs
  • SV-256531r887267_rule
Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Cryptographically verifying the authenticity of all software packages during installation ensures the software has not been tampered with and has been provided by a trusted vendor.
Checks: C-60206r887265_chk

At the command line, run the following command: # grep "^gpgcheck" /etc/tdnf/tdnf.conf If "gpgcheck" is not set to "1", this is a finding.

Fix: F-60149r887266_fix

Navigate to and open: /etc/tdnf/tdnf.conf Remove any existing "gpgcheck" setting and add the following line: gpgcheck=1

b
The  Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.
CM-5 - Medium - CCI-001749 - V-256532 - SV-256532r887270_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001749
Version
PHTN-30-000061
Vuln IDs
  • V-256532
Rule IDs
  • SV-256532r887270_rule
Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Cryptographically verifying the authenticity of all software packages during installation ensures the software has not been tampered with and has been provided by a trusted vendor.
Checks: C-60207r887268_chk

At the command line, run the following command: # grep gpgcheck /etc/yum.repos.d/* If "gpgcheck" is not set to "1" in any returned file, this is a finding.

Fix: F-60150r887269_fix

Open the file where "gpgcheck" is not set to "1" with a text editor. Remove any existing "gpgcheck" setting and add the following line at the end of the file: gpgcheck=1

b
The Photon operating system must require users to reauthenticate for privilege escalation.
IA-11 - Medium - CCI-002038 - V-256533 - SV-256533r887273_rule
RMF Control
IA-11
Severity
M
CCI
CCI-002038
Version
PHTN-30-000062
Vuln IDs
  • V-256533
Rule IDs
  • SV-256533r887273_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Checks: C-60208r887271_chk

At the command line, run the following commands: # grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -v "^#"|grep -v "^%"|awk '{print $1}' # awk -F: '($2 != "x" &amp;&amp; $2 != "!") {print $1}' /etc/shadow If any account listed in the first output is also listed in the second output and is not documented, this is a finding.

Fix: F-60151r887272_fix

Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: # visudo OR # visudo -f /etc/sudoers.d/<file name> Remove any occurrences of "NOPASSWD" tags associated with user accounts with a password hash.

a
The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
SC-8 - Low - CCI-002421 - V-256534 - SV-256534r942493_rule
RMF Control
SC-8
Severity
L
CCI
CCI-002421
Version
PHTN-30-000064
Vuln IDs
  • V-256534
Rule IDs
  • SV-256534r942493_rule
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through an external network (e.g., the internet) or internal network. Local maintenance and diagnostic activities are carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. It does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The operating system can meet this requirement by leveraging a cryptographic module. Satisfies: SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188
Checks: C-60209r942491_chk

At the command line, run the following command: # sshd -T|&amp;grep -i Ciphers Expected result: ciphers aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-gcm@openssh.com,aes256-ctr If the output matches the ciphers in the expected result or a subset thereof, this is not a finding. If the ciphers in the output contain any ciphers not listed in the expected result, this is a finding.

Fix: F-60152r942492_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "Ciphers" line is uncommented and set to the following: Ciphers aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-gcm@openssh.com,aes256-ctr At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-256535 - SV-256535r887279_rule
RMF Control
SI-16
Severity
M
CCI
CCI-002824
Version
PHTN-30-000065
Vuln IDs
  • V-256535
Rule IDs
  • SV-256535r887279_rule
ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. ASLR also makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming (ROP) techniques.
Checks: C-60210r887277_chk

At the command line, run the following command: # cat /proc/sys/kernel/randomize_va_space If the value of "randomize_va_space" is not "2", this is a finding.

Fix: F-60153r887278_fix

Navigate to and open: /etc/sysctl.d/50-security-hardening.conf Ensure the "randomize_va_space" is uncommented and set to the following: kernel.randomize_va_space=2 At the command line, run the following command: # sysctl --system

b
The Photon operating system must remove all software components after updated versions have been installed.
SI-2 - Medium - CCI-002617 - V-256536 - SV-256536r887282_rule
RMF Control
SI-2
Severity
M
CCI
CCI-002617
Version
PHTN-30-000066
Vuln IDs
  • V-256536
Rule IDs
  • SV-256536r887282_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Checks: C-60211r887280_chk

At the command line, run the following command: # grep -i "^clean_requirements_on_remove" /etc/tdnf/tdnf.conf Expected result: clean_requirements_on_remove=true If the output does not match the expected result, this is a finding.

Fix: F-60154r887281_fix

Navigate to and open: /etc/tdnf/tdnf.conf Remove any existing "clean_requirements_on_remove" line and ensure the following line is present: clean_requirements_on_remove=true

b
The Photon operating system must generate audit records when the sudo command is used.
AU-12 - Medium - CCI-000172 - V-256537 - SV-256537r918962_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
PHTN-30-000067
Vuln IDs
  • V-256537
Rule IDs
  • SV-256537r918962_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207
Checks: C-60212r918961_chk

At the command line, run the following command: # auditctl -l | grep sudo Expected result: -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid&gt;=1000 -F auid!=-1 -F key=privileged If the output does not match the expected result, this is a finding. Note: The auid!= parameter may display as 4294967295 or -1, which are equivalent. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60155r887284_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged Execute the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
AU-12 - Medium - CCI-000172 - V-256538 - SV-256538r887288_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
PHTN-30-000068
Vuln IDs
  • V-256538
Rule IDs
  • SV-256538r887288_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218
Checks: C-60213r887286_chk

At the command line, run the following command: # auditctl -l | grep -E "faillog|lastlog|tallylog" Expected result: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60156r887287_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa Execute the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must audit the "insmod" module.
AU-12 - Medium - CCI-000172 - V-256539 - SV-256539r887291_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
PHTN-30-000069
Vuln IDs
  • V-256539
Rule IDs
  • SV-256539r887291_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Checks: C-60214r887289_chk

At the command line, run the following command: # auditctl -l | grep "/sbin/insmod" Expected result: -w /sbin/insmod -p x If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60157r887290_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following lines: -w /sbin/insmod -p x Execute the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - V-256540 - SV-256540r887294_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
PHTN-30-000070
Vuln IDs
  • V-256540
Rule IDs
  • SV-256540r887294_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-60215r887292_chk

At the command line, run the following command: # auditctl -l | grep -E /etc/security/opasswd If any of these are not listed with a permissions filter of at least "w", this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.

Fix: F-60158r887293_fix

Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add the following line: -w /etc/security/opasswd -p wa -k opasswd Execute the following command to load the new audit rules: # /sbin/augenrules --load Note: A new "audit.STIG.rules" file is provided for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist if the file exists and references older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

b
The Photon operating system must use the "pam_cracklib" module.
CM-6 - Medium - CCI-000366 - V-256541 - SV-256541r887297_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000071
Vuln IDs
  • V-256541
Rule IDs
  • SV-256541r887297_rule
If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Checks: C-60216r887295_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password If the output does not return at least "password requisite pam_cracklib.so", this is a finding.

Fix: F-60159r887296_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must set the "FAIL_DELAY" parameter.
CM-6 - Medium - CCI-000366 - V-256542 - SV-256542r887300_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000072
Vuln IDs
  • V-256542
Rule IDs
  • SV-256542r887300_rule
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Checks: C-60217r887298_chk

At the command line, run the following command: # grep FAIL_DELAY /etc/login.defs Expected result: FAIL_DELAY 4 If the output does not match the expected result, this is a finding.

Fix: F-60160r887299_fix

Navigate to and open: /etc/login.defs Add the following line after the last auth statement: FAIL_DELAY 4

b
The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
CM-6 - Medium - CCI-000366 - V-256543 - SV-256543r887303_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000073
Vuln IDs
  • V-256543
Rule IDs
  • SV-256543r887303_rule
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Checks: C-60218r887301_chk

At the command line, run the following command: # grep pam_faildelay /etc/pam.d/system-auth|grep --color=always "delay=" Expected result: auth optional pam_faildelay.so delay=4000000 If the output does not match the expected result, this is a finding.

Fix: F-60161r887302_fix

Navigate to and open: /etc/pam.d/system-auth Remove any existing "pam_faildelay" line and add the following line at the end of the file: auth optional pam_faildelay.so delay=4000000 Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must ensure audit events are flushed to disk at proper intervals.
CM-6 - Medium - CCI-000366 - V-256544 - SV-256544r887306_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000074
Vuln IDs
  • V-256544
Rule IDs
  • SV-256544r887306_rule
Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system may suffer or the risk of missing audit entries may be too high.
Checks: C-60219r887304_chk

At the command line, run the following command: # grep -E "freq|flush" /etc/audit/auditd.conf Expected result: flush = INCREMENTAL_ASYNC freq = 50 If the output does not match the expected result, this is a finding.

Fix: F-60162r887305_fix

Navigate to and open: /etc/audit/auditd.conf Ensure the following line is present and any existing "flush" and "freq" settings are removed: flush = INCREMENTAL_ASYNC freq = 50

b
The Photon operating system must create a home directory for all new local interactive user accounts.
CM-6 - Medium - CCI-000366 - V-256545 - SV-256545r887309_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000075
Vuln IDs
  • V-256545
Rule IDs
  • SV-256545r887309_rule
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Checks: C-60220r887307_chk

At the command line, run the following command: # grep -i "^create_home" /etc/login.defs If there is no output or the output does not equal "CREATE_HOME yes", this is a finding.

Fix: F-60163r887308_fix

Navigate to and open: /etc/login.defs Ensure the following is present and any existing "CREATE_HOME" line is removed: CREATE_HOME yes

b
The Photon operating system must disable the debug-shell service.
CM-6 - Medium - CCI-000366 - V-256546 - SV-256546r887312_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000076
Vuln IDs
  • V-256546
Rule IDs
  • SV-256546r887312_rule
The debug-shell service is intended to diagnose systemd-related boot issues with various "systemctl" commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.
Checks: C-60221r887310_chk

At the command line, run the following command: # systemctl status debug-shell.service|grep -E --color=always disabled If the debug-shell service is not disabled, this is a finding.

Fix: F-60164r887311_fix

At the command line, run the following commands: # systemctl stop debug-shell.service # systemctl disable debug-shell.service Reboot for changes to take effect.

b
The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
CM-6 - Medium - CCI-000366 - V-256547 - SV-256547r887315_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000078
Vuln IDs
  • V-256547
Rule IDs
  • SV-256547r887315_rule
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SSH) exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
Checks: C-60222r887313_chk

At the command line, run the following command: # sshd -T|&amp;grep -i GSSAPIAuthentication Expected result: GSSAPIAuthentication no If the output does not match the expected result, this is a finding.

Fix: F-60165r887314_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "GSSAPIAuthentication" line is uncommented and set to the following: GSSAPIAuthentication no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to disable environment processing.
CM-6 - Medium - CCI-000366 - V-256548 - SV-256548r887318_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000079
Vuln IDs
  • V-256548
Rule IDs
  • SV-256548r887318_rule
Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.
Checks: C-60223r887316_chk

At the command line, run the following command: sshd -T|&amp;grep -i PermitUserEnvironment Expected result: PermitUserEnvironment no If the output does not match the expected result, this is a finding.

Fix: F-60166r887317_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "PermitUserEnvironment" line is uncommented and set to the following: PermitUserEnvironment no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to disable X11 forwarding.
CM-6 - Medium - CCI-000366 - V-256549 - SV-256549r887321_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000080
Vuln IDs
  • V-256549
Rule IDs
  • SV-256549r887321_rule
X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.
Checks: C-60224r887319_chk

At the command line, run the following command: # sshd -T|&amp;grep -i X11Forwarding Expected result: X11Forwarding no If the output does not match the expected result, this is a finding.

Fix: F-60167r887320_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "X11Forwarding" line is uncommented and set to the following: X11Forwarding no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
CM-6 - Medium - CCI-000366 - V-256550 - SV-256550r887324_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000081
Vuln IDs
  • V-256550
Rule IDs
  • SV-256550r887324_rule
If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the system as another user.
Checks: C-60225r887322_chk

At the command line, run the following command: # sshd -T|&amp;grep -i StrictModes Expected result: StrictModes yes If the output does not match the expected result, this is a finding.

Fix: F-60168r887323_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "StrictModes" line is uncommented and set to the following: StrictModes yes At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to disallow Kerberos authentication.
CM-6 - Medium - CCI-000366 - V-256551 - SV-256551r887327_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000082
Vuln IDs
  • V-256551
Rule IDs
  • SV-256551r887327_rule
If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled.
Checks: C-60226r887325_chk

At the command line, run the following command: # sshd -T|&amp;grep -i KerberosAuthentication Expected result: KerberosAuthentication no If the output does not match the expected result, this is a finding.

Fix: F-60169r887326_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "KerberosAuthentication" line is uncommented and set to the following: KerberosAuthentication no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to disallow authentication with an empty password.
CM-6 - Medium - CCI-000366 - V-256552 - SV-256552r887330_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000083
Vuln IDs
  • V-256552
Rule IDs
  • SV-256552r887330_rule
Blank passwords are one of the first things an attacker checks for when probing a system. Even is the user somehow has a blank password on the operating system, sshd must not allow that user to log in.
Checks: C-60227r887328_chk

At the command line, run the following command: # sshd -T|&amp;grep -i PermitEmptyPasswords Expected result: PermitEmptyPasswords no If the output does not match the expected result, this is a finding.

Fix: F-60170r887329_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "PermitEmptyPasswords" line is uncommented and set to the following: PermitEmptyPasswords no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
CM-6 - Medium - CCI-000366 - V-256553 - SV-256553r887333_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000084
Vuln IDs
  • V-256553
Rule IDs
  • SV-256553r887333_rule
If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.
Checks: C-60228r887331_chk

At the command line, run the following command: # sshd -T|&amp;grep -i Compression Expected result: Compression no If the output does not match the expected result, this is a finding.

Fix: F-60171r887332_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "Compression" line is uncommented and set to the following: Compression no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to display the last login immediately after authentication.
CM-6 - Medium - CCI-000366 - V-256554 - SV-256554r887336_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000085
Vuln IDs
  • V-256554
Rule IDs
  • SV-256554r887336_rule
Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporting of unauthorized account use.
Checks: C-60229r887334_chk

At the command line, run the following command: # sshd -T|&amp;grep -i PrintLastLog Expected result: PrintLastLog yes If the output does not match the expected result, this is a finding.

Fix: F-60172r887335_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "PrintLastLog" line is uncommented and set to the following: PrintLastLog yes At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
CM-6 - Medium - CCI-000366 - V-256555 - SV-256555r887339_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000086
Vuln IDs
  • V-256555
Rule IDs
  • SV-256555r887339_rule
Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.
Checks: C-60230r887337_chk

At the command line, run the following command: # sshd -T|&amp;grep -i IgnoreRhosts Expected result: IgnoreRhosts yes If the output does not match the expected result, this is a finding.

Fix: F-60173r887338_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "IgnoreRhosts" line is uncommented and set to the following: IgnoreRhosts yes At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to ignore user-specific "known_host" files.
CM-6 - Medium - CCI-000366 - V-256556 - SV-256556r887342_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000087
Vuln IDs
  • V-256556
Rule IDs
  • SV-256556r887342_rule
Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines that must also be ignored while disabling host-based authentication generally.
Checks: C-60231r887340_chk

At the command line, run the following command: # sshd -T|&amp;grep -i IgnoreUserKnownHosts Expected result: IgnoreUserKnownHosts yes If the output does not match the expected result, this is a finding.

Fix: F-60174r887341_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "IgnoreUserKnownHosts" line is uncommented and set to the following: IgnoreUserKnownHosts yes At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
CM-6 - Medium - CCI-000366 - V-256557 - SV-256557r887345_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000088
Vuln IDs
  • V-256557
Rule IDs
  • SV-256557r887345_rule
By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.
Checks: C-60232r887343_chk

At the command line, run the following command: # sshd -T|&amp;grep -i MaxAuthTries Expected result: MaxAuthTries 6 If the output does not match the expected result, this is a finding.

Fix: F-60175r887344_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "MaxAuthTries" line is uncommented and set to the following: MaxAuthTries 6 At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
CM-6 - Medium - CCI-000366 - V-256558 - SV-256558r942495_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000089
Vuln IDs
  • V-256558
Rule IDs
  • SV-256558r942495_rule
When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed operating system environment, this can create the risk of short-term loss of systems availability due to unintentional reboot.
Checks: C-60233r942494_chk

At the command line, run the following command: # systemctl status ctrl-alt-del.target Expected result: ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) If the "ctrl-alt-del.target" is not "inactive" and "masked", this is a finding.

Fix: F-60176r887347_fix

At the command line, run the following command: # systemctl mask ctrl-alt-del.target

b
The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256559 - SV-256559r887351_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000090
Vuln IDs
  • V-256559
Rule IDs
  • SV-256559r887351_rule
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
Checks: C-60234r887349_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/skel/.[^.]* Expected result: /etc/skel/.bash_logout permissions are 750 and owned by root:root /etc/skel/.bash_profile permissions are 644 and owned by root:root /etc/skel/.bashrc permissions are 750 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-60177r887350_fix

At the command line, run the following commands: # chmod 750 /etc/skel/.bash_logout # chmod 644 /etc/skel/.bash_profile # chmod 750 /etc/skel/.bashrc # chown root:root /etc/skel/.bash_logout # chown root:root /etc/skel/.bash_profile # chown root:root /etc/skel/.bashrc

b
The Photon operating system must be configured so the "/root" path is protected from unauthorized access.
CM-6 - Medium - CCI-000366 - V-256560 - SV-256560r887354_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000091
Vuln IDs
  • V-256560
Rule IDs
  • SV-256560r887354_rule
If the "/root" path is accessible to users other than root, unauthorized users could change the root partitions files.
Checks: C-60235r887352_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /root Expected result: /root permissions are 700 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-60178r887353_fix

At the command line, run the following commands: # chmod 700 /root # chown root:root /root

b
The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256561 - SV-256561r887357_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000092
Vuln IDs
  • V-256561
Rule IDs
  • SV-256561r887357_rule
Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon login.
Checks: C-60236r887355_chk

At the command line, run the following command: # find /etc/bash.bashrc /etc/profile /etc/profile.d/ -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-60179r887356_fix

At the command line, run the following commands for each returned file: # chmod o-w <file> # chown root:root <file>

b
The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256562 - SV-256562r887360_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000093
Vuln IDs
  • V-256562
Rule IDs
  • SV-256562r887360_rule
If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.
Checks: C-60237r887358_chk

At the command line, run the following command: # find /etc/rc.d/* -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-60180r887359_fix

At the command line, run the following commands for each returned file: # chmod o-w <file> # chown root:root <file>

b
The Photon operating system must be configured so that all files have a valid owner and group owner.
CM-6 - Medium - CCI-000366 - V-256563 - SV-256563r887363_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000094
Vuln IDs
  • V-256563
Rule IDs
  • SV-256563r887363_rule
If files do not have valid user and group owners, unintended access to files could occur.
Checks: C-60238r887361_chk

At the command line, run the following command: # find / -fstype ext4 -nouser -o -nogroup -exec ls -ld {} \; 2&gt;/dev/null If any files are returned, this is a finding.

Fix: F-60181r887362_fix

At the command line, run the following command for each returned file: # chown root:root <file>

b
The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256564 - SV-256564r887366_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000095
Vuln IDs
  • V-256564
Rule IDs
  • SV-256564r887366_rule
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Checks: C-60239r887364_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/cron.allow Expected result: /etc/cron.allow permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-60182r887365_fix

At the command line, run the following commands: # chmod 600 /etc/cron.allow # chown root:root /etc/cron.allow

b
The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256565 - SV-256565r887369_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000096
Vuln IDs
  • V-256565
Rule IDs
  • SV-256565r887369_rule
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Checks: C-60240r887367_chk

At the command line, run the following command: # find /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.monthly/ /etc/cron.weekly/ -xdev -type f -a '(' -perm -022 -o -not -user root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-60183r887368_fix

At the command line, run the following commands for each returned file: # chmod 644 <file> # chown root <file>

b
The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256566 - SV-256566r887372_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000097
Vuln IDs
  • V-256566
Rule IDs
  • SV-256566r887372_rule
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Checks: C-60241r887370_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly Expected result: /etc/cron.d permissions are 755 and owned by root:root /etc/cron.daily permissions are 755 and owned by root:root /etc/cron.hourly permissions are 755 and owned by root:root /etc/cron.monthly permissions are 755 and owned by root:root /etc/cron.weekly permissions are 755 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-60184r887371_fix

At the command line, run the following commands for each returned file: # chmod 755 <path> # chown root:root <path>

b
The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
CM-6 - Medium - CCI-000366 - V-256567 - SV-256567r887375_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000098
Vuln IDs
  • V-256567
Rule IDs
  • SV-256567r887375_rule
Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to record the hops as the route is traversed. The list of hops taken, the "route record", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes and should therefore be disabled.
Checks: C-60242r887373_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default|eth.*).accept_source_route" Expected result: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.eth0.accept_source_route = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-60185r887374_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv[4|6].conf.(all|default|eth.*).accept_source_route"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
CM-6 - Medium - CCI-000366 - V-256568 - SV-256568r887378_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000099
Vuln IDs
  • V-256568
Rule IDs
  • SV-256568r887378_rule
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Checks: C-60243r887376_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern ignore_broadcasts Expected result: net.ipv4.icmp_echo_ignore_broadcasts = 1 If the output does not match the expected result, this is a finding.

Fix: F-60186r887377_fix

At the command line, run the following commands: # sed -i -e "/^net.ipv4.icmp_echo_ignore_broadcasts/d" /etc/sysctl.conf # echo net.ipv4.icmp_echo_ignore_broadcasts=1>>/etc/sysctl.conf # /sbin/sysctl --load

b
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
CM-6 - Medium - CCI-000366 - V-256569 - SV-256569r887381_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000100
Vuln IDs
  • V-256569
Rule IDs
  • SV-256569r887381_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Checks: C-60244r887379_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).accept_redirects" Expected result: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-60187r887380_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv4.conf.(all|default|eth.*).accept_redirects"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
CM-6 - Medium - CCI-000366 - V-256570 - SV-256570r887384_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000101
Vuln IDs
  • V-256570
Rule IDs
  • SV-256570r887384_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Checks: C-60245r887382_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects" Expected result: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.eth0.secure_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-60188r887383_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
CM-6 - Medium - CCI-000366 - V-256571 - SV-256571r887387_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000102
Vuln IDs
  • V-256571
Rule IDs
  • SV-256571r887387_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Checks: C-60246r887385_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).send_redirects" Expected result: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.eth0.send_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-60189r887386_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv4.conf.(all|default|eth.*).send_redirects"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must log IPv4 packets with impossible addresses.
CM-6 - Medium - CCI-000366 - V-256572 - SV-256572r887390_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000103
Vuln IDs
  • V-256572
Rule IDs
  • SV-256572r887390_rule
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Checks: C-60247r887388_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).log_martians" Expected result: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.eth0.log_martians = 1 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "1".

Fix: F-60190r887389_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv4.conf.(all|default|eth.*).log_martians"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=1>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must use a reverse-path filter for IPv4 network traffic.
CM-6 - Medium - CCI-000366 - V-256573 - SV-256573r887393_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000104
Vuln IDs
  • V-256573
Rule IDs
  • SV-256573r887393_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.
Checks: C-60248r887391_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*)\.rp_filter" Expected result: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "1".

Fix: F-60191r887392_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv4.conf.(all|default|eth.*)\.rp_filter"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=1>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must not perform multicast packet forwarding.
CM-6 - Medium - CCI-000366 - V-256574 - SV-256574r887396_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000105
Vuln IDs
  • V-256574
Rule IDs
  • SV-256574r887396_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Checks: C-60249r887394_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default|eth.*).mc_forwarding" Expected result: net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.eth0.mc_forwarding = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix: F-60192r887395_fix

At the command line, run the following command: # for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv[4|6].conf.(all|default|eth.*).mc_forwarding"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done # /sbin/sysctl --load

b
The Photon operating system must not perform IPv4 packet forwarding.
CM-6 - Medium - CCI-000366 - V-256575 - SV-256575r887399_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000106
Vuln IDs
  • V-256575
Rule IDs
  • SV-256575r887399_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Checks: C-60250r887397_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.ip_forward$" Expected result: net.ipv4.ip_forward = 0 If the output does not match the expected result, this is a finding.

Fix: F-60193r887398_fix

At the command line, run the following commands: # sed -i -e "/^net.ipv4.ip_forward/d" /etc/sysctl.conf # echo net.ipv4.ip_forward=0>>/etc/sysctl.conf # /sbin/sysctl --load

b
The Photon operating system must send Transmission Control Protocol (TCP) timestamps.
CM-6 - Medium - CCI-000366 - V-256576 - SV-256576r887402_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000107
Vuln IDs
  • V-256576
Rule IDs
  • SV-256576r887402_rule
TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can help a bad actor in determining likely patch levels for vulnerabilities.
Checks: C-60251r887400_chk

At the command line, run the following command: # /sbin/sysctl -a --pattern "net.ipv4.tcp_timestamps$" Expected result: net.ipv4.tcp_timestamps = 1 If the output does not match the expected result, this is a finding.

Fix: F-60194r887401_fix

At the command line, run the following commands: # sed -i -e "/^net.ipv4.tcp_timestamps/d" /etc/sysctl.conf # echo net.ipv4.tcp_timestamps=1>>/etc/sysctl.conf # /sbin/sysctl --load

b
The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256577 - SV-256577r918964_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000108
Vuln IDs
  • V-256577
Rule IDs
  • SV-256577r918964_rule
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Checks: C-60252r918963_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key.pub Expected result: /etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-60195r887404_fix

At the command line, run the following commands for each returned file: # chmod 644 <file> # chown root:root <file>

b
The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.
CM-6 - Medium - CCI-000366 - V-256578 - SV-256578r942497_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000109
Vuln IDs
  • V-256578
Rule IDs
  • SV-256578r942497_rule
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Checks: C-60253r942496_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key Expected result: /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root If any key file listed is not owned by root or not group owned by root or does not have permissions of "0600", this is a finding.

Fix: F-60196r887407_fix

At the command line, run the following commands for each returned file: # chmod 600 <file> # chown root:root <file>

b
The Photon operating system must enforce password complexity on the root account.
CM-6 - Medium - CCI-000366 - V-256579 - SV-256579r887411_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000110
Vuln IDs
  • V-256579
Rule IDs
  • SV-256579r887411_rule
Password complexity rules must apply to all accounts on the system, including root. Without specifying the "enforce_for_root flag", "pam_cracklib" does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.
Checks: C-60254r887409_chk

At the command line, run the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "enforce_for_root" Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not include "enforce_for_root", this is a finding.

Fix: F-60197r887410_fix

Navigate to and open: /etc/pam.d/system-password Add the following, replacing any existing "pam_cracklib.so" line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must protect all boot configuration files from unauthorized modification.
CM-6 - Medium - CCI-000366 - V-256580 - SV-256580r887414_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000111
Vuln IDs
  • V-256580
Rule IDs
  • SV-256580r887414_rule
Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or malicious configurations can negatively affect system security and availability.
Checks: C-60255r887412_chk

At the command line, run the following command: # find /boot/*.cfg -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-60198r887413_fix

At the command line, run the following commands for each returned file: # chmod 644 <file> # chown root:root <file>

b
The Photon operating system must protect sshd configuration from unauthorized access.
CM-6 - Medium - CCI-000366 - V-256581 - SV-256581r887417_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000112
Vuln IDs
  • V-256581
Rule IDs
  • SV-256581r887417_rule
The "sshd_config" file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow unauthorized access to the system, insecure communication, limited forensic trail, etc.
Checks: C-60256r887415_chk

At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/sshd_config Expected result: /etc/ssh/sshd_config permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.

Fix: F-60199r887416_fix

At the command line, run the following commands: # chmod 600 /etc/ssh/sshd_config # chown root:root /etc/ssh/sshd_config

b
The Photon operating system must protect all "sysctl" configuration files from unauthorized access.
CM-6 - Medium - CCI-000366 - V-256582 - SV-256582r887420_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000113
Vuln IDs
  • V-256582
Rule IDs
  • SV-256582r887420_rule
The "sysctl" configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuration of these parameters can have a negative effect on system security.
Checks: C-60257r887418_chk

At the command line, run the following command: # find /etc/sysctl.conf /etc/sysctl.d/* -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.

Fix: F-60200r887419_fix

At the command line, run the following commands for each returned file: # chmod 600 <file> # chown root:root <file>

b
The Photon operating system must set the "umask" parameter correctly.
CM-6 - Medium - CCI-000366 - V-256583 - SV-256583r918968_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000114
Vuln IDs
  • V-256583
Rule IDs
  • SV-256583r918968_rule
The "umask" value influences the permissions assigned to files when they are created. The "umask" setting in "login.defs" controls the permissions for a new user's home directory. By setting the proper "umask", home directories will only allow the new user to read and write files there.
Checks: C-60258r918967_chk

At the command line, run the following command: # grep ^UMASK /etc/login.defs Example result: UMASK 077 If "UMASK" is not configured to "077", this a finding. Note: "UMASK" should only be specified once in login.defs.

Fix: F-60201r887422_fix

Navigate to and open: /etc/login.defs Ensure the "UMASK" line is uncommented and set to the following: UMASK 077

b
The Photon operating system must configure sshd to disallow HostbasedAuthentication.
CM-6 - Medium - CCI-000366 - V-256584 - SV-256584r887426_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000115
Vuln IDs
  • V-256584
Rule IDs
  • SV-256584r887426_rule
Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.
Checks: C-60259r887424_chk

At the command line, run the following command: # sshd -T|&amp;grep -i HostbasedAuthentication Expected result: hostbasedauthentication no If the output does not match the expected result, this is a finding.

Fix: F-60202r887425_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "HostbasedAuthentication" line is uncommented and set to the following: HostbasedAuthentication no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must store only encrypted representations of passwords.
IA-5 - Medium - CCI-000196 - V-256585 - SV-256585r887429_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
PHTN-30-000117
Vuln IDs
  • V-256585
Rule IDs
  • SV-256585r887429_rule
Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted with a weak cipher, those passwords are much more vulnerable to offline brute-force attacks.
Checks: C-60260r887427_chk

At the command line, run the following command: # grep password /etc/pam.d/system-password|grep --color=always "sha512" If the output does not include "sha512", this is a finding.

Fix: F-60203r887428_fix

Navigate to and open: /etc/pam.d/system-password Add the argument "sha512" to the "password" line: password required pam_unix.so sha512 shadow try_first_pass Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

b
The Photon operating system must ensure the old passwords are being stored.
IA-5 - Medium - CCI-000200 - V-256586 - SV-256586r887432_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
PHTN-30-000118
Vuln IDs
  • V-256586
Rule IDs
  • SV-256586r887432_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed per policy requirements.
Checks: C-60261r887430_chk

At the command line, run the following command: # ls -al /etc/security/opasswd If "/etc/security/opasswd" does not exist, this is a finding.

Fix: F-60204r887431_fix

At the command line, run the following commands: # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd

b
The Photon operating system must configure sshd to restrict AllowTcpForwarding.
CM-6 - Medium - CCI-000366 - V-256587 - SV-256587r887435_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000119
Vuln IDs
  • V-256587
Rule IDs
  • SV-256587r887435_rule
While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on single-purpose appliances.
Checks: C-60262r887433_chk

At the command line, run the following command: # sshd -T|&amp;grep -i AllowTcpForwarding Expected result: allowtcpforwarding no If the output does not match the expected result, this is a finding.

Fix: F-60205r887434_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "AllowTcpForwarding" line is uncommented and set to the following: AllowTcpForwarding no At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must configure sshd to restrict LoginGraceTime.
CM-6 - Medium - CCI-000366 - V-256588 - SV-256588r887438_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000120
Vuln IDs
  • V-256588
Rule IDs
  • SV-256588r887438_rule
By default, sshd unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login would need such an amount of time to complete a login. Quickly terminating idle or incomplete login attempts will free resources and reduce the exposure any partial logon attempts may create.
Checks: C-60263r887436_chk

At the command line, run the following command: # sshd -T|&amp;grep -i LoginGraceTime Expected result: logingracetime 30 If the output does not match the expected result, this is a finding.

Fix: F-60206r887437_fix

Navigate to and open: /etc/ssh/sshd_config Ensure the "LoginGraceTime" line is uncommented and set to the following: LoginGraceTime 30 At the command line, run the following command: # systemctl restart sshd.service

b
The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13 - Medium - CCI-002450 - V-256589 - SV-256589r887441_rule
RMF Control
SC-13
Severity
M
CCI
CCI-002450
Version
PHTN-30-000240
Vuln IDs
  • V-256589
Rule IDs
  • SV-256589r887441_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government because this provides assurance they have been tested and validated.
Checks: C-60264r887439_chk

At the command line, run the following command: # cat /proc/sys/crypto/fips_enabled If a value of "1" is not returned, this is a finding.

Fix: F-60207r887440_fix

Navigate to and open: /boot/grub2/grub.cfg Locate the kernel command line, which will start with "linux", and add "fips=1" to the end. For example: linux /$photon_linux audit=1 root=$rootpartition $photon_cmdline coredump_filter=0x37 consoleblank=0 $systemd_cmdline fips=1 Reboot the system for the change to take effect. Note: The "fipsify" package must be installed for FIPS mode to work properly.

b
The Photon operating system must disable systemd fallback Domain Name System (DNS).
CM-6 - Medium - CCI-000366 - V-256590 - SV-256590r887444_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
PHTN-30-000245
Vuln IDs
  • V-256590
Rule IDs
  • SV-256590r887444_rule
Systemd contains an ability to set fallback DNS servers. This is used for DNS lookups in the event no system-level DNS servers are configured or other DNS servers are specified in the systemd "resolved.conf" file. If uncommented, this configuration contains Google DNS servers by default and could result in DNS leaking information unknowingly in the event DNS is absent or misconfigured at the system level.
Checks: C-60265r887442_chk

At the command line, run the following command: # resolvectl status | grep 'Fallback DNS' If the output indicates that fallback DNS servers are configured, this is a finding.

Fix: F-60208r887443_fix

Navigate to and open: /etc/systemd/resolved.conf Add or update the "FallbackDNS" entry to the following: FallbackDNS= Restart the systemd resolved service by running the following command: # systemctl restart systemd-resolved Note: If this option is not given, a compiled-in list of DNS servers is used instead, which is undesirable.