{"stig":{"title":"Nutanix AOS 5.20.x OS Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-254120","ruleId":"SV-254120r958398_rule","severity":"medium","ruleTitle":"Nutanix AOS must limit the number of concurrent sessions to ten for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system.","checkContent":"Verify Nutanix AOS limits the number of concurrent sessions to \"10\" or less for all accounts and/or account types by issuing the following command:\n\n$ sudo grep \"maxlogins\" /etc/security/limits.conf \n\nIf the line * hard maxlogins 10, is missing or set to a number more than 10, this is a finding.","fixText":"Modify the file /etc/security/limits.conf and add the line * hard maxlogins 10 or set the number to less than or equal to 10.","ccis":["CCI-000054"]},{"vulnId":"V-254121","ruleId":"SV-254121r958402_rule","severity":"medium","ruleTitle":"Nutanix AOS must disconnect a session after 15 minutes of idle time for all connection types.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. 
The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed.\n\nPublicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.\n\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012","checkContent":"Confirm Nutanix AOS is configured for autologout after 15 minutes of idle time.\n\n$ sudo grep -i tmout /etc/profile.d/*\n/etc/profile.d/os-security.sh:readonly TMOUT=900\n\nIf \"TMOUT\" is not set to \"900\" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.","fixText":"Configure Nutanix AOS for autologout of idle sessions by running the following commands.\n\n$ sudo salt-call state.sls security/CVM/shellCVM","ccis":["CCI-000057","CCI-000058","CCI-000060"]},{"vulnId":"V-254122","ruleId":"SV-254122r958636_rule","severity":"medium","ruleTitle":"Nutanix AOS must automatically terminate a user session after inactivity time-outs have expired or at shutdown.","description":"Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. 
Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.\n\nSatisfies: SRG-OS-000279-GPOS-00109, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072","checkContent":"Confirm Nutanix AOS is configured to auto disconnect remote session to prevent session hijacking.\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf ClientAliveInterval is not \"600\" and ClientAliveCountMax is not \"0\", this is a finding.","fixText":"Configure SSH to terminate remote sessions to prevent session hijacking by running the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n\nThe SSH service will need to be restarted for the changes to take effect:\n\n$ sudo systemctl restart sshd","ccis":["CCI-000879","CCI-001133","CCI-002361"]},{"vulnId":"V-254123","ruleId":"SV-254123r958406_rule","severity":"medium","ruleTitle":"Nutanix AOS must monitor remote access methods.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an 
external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Confirm Nutanix AOS monitors remote access methods.\n\n$ sudo grep -i loglevel /etc/ssh/sshd_config\n\nIf the LogLevel is not set to \"VERBOSE\", this is a finding.","fixText":"Configure SSH to verbosely log connection attempts and failed logon attempts to the operating system by running the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n\nThe SSH service will need to be restarted for the changes to take effect:\n\n$ sudo systemctl restart sshd","ccis":["CCI-000067"]},{"vulnId":"V-254124","ruleId":"SV-254124r958672_rule","severity":"medium","ruleTitle":"Nutanix AOS must control remote access methods.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nOperating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Confirm Nutanix AOS prohibits or restricts the use of remote access methods, using the iptables firewall service.\n\n$ sudo service iptables status\niptables.service - IPv4 firewall with iptables\n   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)\n   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago\n Main PID: 1250 (code=exited, status=0/SUCCESS)\n   CGroup: /system.slice/iptables.service\n\nIf IPv6 is in use:\n$ sudo service ip6tables status\nip6tables.service - IPv6 firewall with ip6tables\n   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)\n   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago\n Main PID: 1313 (code=exited, status=0/SUCCESS)\n   CGroup: /system.slice/ip6tables.service\n\nIf no iptables services are \"Loaded\" and \"Active\", this is a finding.","fixText":"Configure the system to restrict the use of remote access methods by running the following command.\n\n$ sudo salt-call state.sls security/CVM/iptables/init","ccis":["CCI-002314"]},{"vulnId":"V-254125","ruleId":"SV-254125r958408_rule","severity":"high","ruleTitle":"Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065, SRG-OS-000424-GPOS-00188","checkContent":"Inspect the \"Ciphers\" configuration with the following command:\n\n$ sudo grep -i ciphers /etc/ssh/sshd_config\nCiphers aes256-ctr\n\nIf any ciphers other than \"aes256-ctr\" are listed, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.","fixText":"Configure SSH to use only DoD approved ciphers by running the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n\nThe SSH service will need to be restarted for the changes to take effect:\n\n$ sudo systemctl restart sshd","ccis":["CCI-000068","CCI-000877","CCI-001453","CCI-002421","CCI-002890","CCI-003123"]},{"vulnId":"V-254126","ruleId":"SV-254126r958364_rule","severity":"low","ruleTitle":"Nutanix AOS must automatically remove or disable temporary user accounts after 72 hours.","description":"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. 
To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nIf temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064","checkContent":"Nutanix AOS does not natively support temporary user accounts, named or otherwise. However, if temporary accounts are created, they must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nVerify that temporary accounts have been provisioned with an expiration date of 72 hours.\n\nFor every existing temporary account, run the following command to obtain its account expiration information.\n\n$ sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date set within 72 hours.\n\nIf any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.","fixText":"Configure any temporary account(s) that have been created with an expiration date exceeding the DoD-defined time period of 72 hours by running the following command:\n\nsudo chage -E `date -d \"+3 days\" +%Y-%m-%d` system_account_name","ccis":["CCI-000016","CCI-001682"]},{"vulnId":"V-254127","ruleId":"SV-254127r958368_rule","severity":"medium","ruleTitle":"Nutanix AOS must audit all account actions.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. 
One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120","checkContent":"Verify Nutanix AOS is configured to audit all account creations.\n\nRun the following command to verify account creation and modification is audited.\n\n$ sudo auditctl -l | grep \"audit_account_changes\"\n\nIf the command does not return the following output, this is a finding.\n\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes","fixText":"Run the salt stack call to set the audit configuration to audit all account creation and modification.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000018","CCI-001403","CCI-001404","CCI-001405","CCI-002130"]},{"vulnId":"V-254128","ruleId":"SV-254128r958472_rule","severity":"low","ruleTitle":"Nutanix AOS must be configured with an encrypted boot password for root.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. 
Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.","checkContent":"Confirm Nutanix AOS is configured to enforce approved authorizations for logical access to information and system resources.\n\n$ sudo grep -i password /boot/grub/grub.conf\npassword [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password\", this is a finding.\n\n$ sudo grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n\nIf \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.","fixText":"Configure the system to encrypt the boot password for root. \n\n1. Use the following command as root to generate a grub sha512 password hash: python -c 'import crypt; print crypt.crypt(\"password\", crypt.mksalt(crypt.METHOD_SHA512))' Replacing \"password\" with the password string desired for grub. \n\n2. 
Edit the /boot/grub/grub.conf file as root and add the following line above the title line: 'password --encrypted [password-hash]', replacing [password-hash] with the hash result of the python command output.","ccis":["CCI-000213"]},{"vulnId":"V-254129","ruleId":"SV-254129r958702_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce discretionary access control on symlinks and hardlinks.","description":"Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nSatisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124","checkContent":"Confirm Nutanix AOS enforces discretionary access control on symlinks and hardlinks.\n\n$ sudo sysctl fs.protected_symlinks\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\" or is missing, this is a finding.\n\nCheck the status of the fs.protected_hardlinks kernel parameter.\n\n$ sudo sysctl fs.protected_hardlinks\nfs.protected_hardlinks = 1\n\nIf \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.","fixText":"Configure Nutanix AOS to allow operating system admins to pass information to other operating system admins or users by adding or modifying the following line(s) in a system configuration file under /etc/sysctl.d/\n\nfs.protected_symlinks = 1\nfs.protected_hardlinks = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system","ccis":["CCI-002165"]},{"vulnId":"V-254130","ruleId":"SV-254130r958732_rule","severity":"medium","ruleTitle":"Nutanix AOS must audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.","checkContent":"Confirm Nutanix AOS is configured to audit the misuse of privileged commands.\n\n$ sudo grep -iw execve /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.","fixText":"Configure Nutanix AOS to audit the misuse of privileged commands by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-002234"]},{"vulnId":"V-254131","ruleId":"SV-254131r958388_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. 
Limits are imposed by locking the account.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128","checkContent":"Confirm that Nutanix AOS locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\n$ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\nauth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=900 root_unlock_time=900 fail_interval=900\nauth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 root_unlock_time=900 fail_interval=900\n\nIf the \"deny\" parameter is set to \"0\" or a value greater than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\".\n\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nIf the \"deny\" parameter is set to \"0\" or a value greater than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" 
module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\".\n\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.","fixText":"Configure the pam.d modules to comply with the locking an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\n1. Enable high-strength passwords:\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true\n\n2. After enabling the high-strength passwords, the system will process the salt stack to enable the DoD versions of the pam.d files. Recheck the Check Text for compliance.  
\n\nTo run the salt command manually to enable the pam.d auth files, run the following command (high-strength passwords must be set to true):\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000044","CCI-002238"]},{"vulnId":"V-254132","ruleId":"SV-254132r958390_rule","severity":"low","ruleTitle":"Nutanix AOS must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007","checkContent":"Verify that the Standard Mandatory DoD Notice and Consent Banner is configured.\n\nVerify that SSH is configured to display the Standard Mandatory DoD Notice and Consent Banner:\n$ sudo grep -i banner /etc/ssh/sshd_config\nbanner /etc/issue\n\nIf \"banner\" is not set or is commented out, this is a finding.","fixText":"Configure the Standard Mandatory DoD Notice and Consent Banner.\n\n$ ncli cluster edit-cvm-security-params enable-banner=true","ccis":["CCI-000048","CCI-000050"]},{"vulnId":"V-254133","ruleId":"SV-254133r958586_rule","severity":"medium","ruleTitle":"Any publicly accessible connection to Nutanix AOS must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.","description":"Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Confirm Nutanix AOS is configured to use the Standard Mandatory DoD Notice and Consent Banner.\n\n$ sudo more /etc/issue\n\nThe command should return the following text:\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.","fixText":"Configure the Standard Mandatory DoD Notice and Consent Banner by running the following command.\n\n$ ncli cluster edit-cvm-security-params enable-banner=true","ccis":["CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-254134","ruleId":"SV-254134r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. 
This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as: Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).","checkContent":"Confirm Nutanix AOS is configured to generate audit records on all successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).\n\n$ sudo grep -w \"postdrop\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w \"postqueue\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w \"semanage\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -w \"setfiles\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n$ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\n$ sudo grep -w \"setsebool\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w faillock /etc/audit/audit.rules\n-w /var/run/faillock/ -p wa -k logins\n\n$ sudo grep -w lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins\n\nIf the command(s) 
does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254135","ruleId":"SV-254135r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system and account management actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as: Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.","checkContent":"Confirm Nutanix AOS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.\n\n$ sudo yum list installed audit\nInstalled 
Packages\naudit.x86_64 \n\n$ sudo grep -w chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep ssh-agent /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w /usr/bin/mount /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w /usr/bin/umount /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep ssh-keysign /etc/audit/audit.rules\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w crontab /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w chsh /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254136","ruleId":"SV-254136r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file attribute management actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating 
to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as: Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.","checkContent":"Confirm Nutanix AOS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.\n\n$ sudo grep -w lremovexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w removexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k 
audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w lsetxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fsetxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fremovexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w setxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F 
auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254137","ruleId":"SV-254137r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system module management actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as: Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.","checkContent":"Confirm Nutanix AOS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the 
information system.\n\n$ sudo grep -w \"init_module\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S init_module -k audit_network_modifications_modules\n-a always,exit -F arch=b32 -S init_module -k audit_network_modifications_modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\n$ sudo grep -w \"finit_module\" /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S finit_module -k module-change\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S delete_module -k audit_network_modifications_modules\n-a always,exit -F arch=b32 -S delete_module -k audit_network_modifications_modules\n-a always,exit -F arch=b64 -S delete_module -k modules\n-a always,exit -F arch=b32 -S delete_module -k modules\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254138","ruleId":"SV-254138r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for directory and permissions management actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. 
This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as: Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.","checkContent":"Confirm Nutanix AOS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.\n\n$ sudo grep -w \"\\-S mount\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S mount -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S mount -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"rename\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S rename -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rename -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"renameat\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 
-S renameat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S renameat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"rmdir\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S rmdir -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rmdir -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"unlink\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S unlink -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlink -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"unlinkat\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S unlinkat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlinkat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w chown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid=0 -k 
audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w chmod /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w lchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchownat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchmodat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k 
audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchmod /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254139","ruleId":"SV-254139r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file management actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. 
This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as: Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.","checkContent":"Confirm Nutanix AOS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.\n\n$ sudo grep -iw truncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw openat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F 
auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw open /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw ftruncate 
/etc/audit/audit.rules\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw creat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254140","ruleId":"SV-254140r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for all account creations, modifications, disabling, and terminations.","description":"Without the capability to generate audit records, 
it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the operating system will provide an audit record generation capability as all account creations, modifications, disabling, and terminations.","checkContent":"Confirm Nutanix AOS auditing is configured to generate audit records for all account creations, modifications, disabling, and terminations.\n\n$ sudo grep /etc/shadow /etc/audit/audit.rules\n-w /etc/shadow -p wa -k audit_account_changes\n\n$ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n-w /etc/security/opasswd -p wa -k audit_account_changes\n\n$ sudo grep /etc/passwd /etc/audit/audit.rules\n-w /etc/passwd -p wa -k audit_account_changes\n\n$ sudo grep /etc/gshadow /etc/audit/audit.rules\n-w /etc/gshadow -p wa -k audit_account_changes\n\n$ sudo grep /etc/group /etc/audit/audit.rules\n-w /etc/group -p wa -k audit_account_changes\n\n$ sudo grep /etc/sudoers /etc/audit/audit.rules\n-w /etc/sudoers -p wa -k actions\n\n$ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n-w /etc/sudoers.d/ -p wa -k actions\n\n$ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w sudo /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w gpasswd /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w passwd /etc/audit/audit.rules\n-a 
always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\n$ sudo grep -w chage /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w newgrp /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169"]},{"vulnId":"V-254141","ruleId":"SV-254141r958444_rule","severity":"medium","ruleTitle":"Nutanix AOS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Confirm Nutanix AOS allows only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.\n\nNote: The Nutanix AOS audit facility is locked down so that only root has access to browse below the /etc/audit/ directory. 
\n\n$ sudo su -\n# ls -al /etc/audit/rules.d/*.rules\n-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules\n\n$ sudo su -\n# stat -c \"%a %n\" /etc/audit/auditd.conf\n640 /etc/audit/auditd.conf\n\nIf the files in the \"/etc/audit/rules.d/\" directory or the \"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this is a finding.","fixText":"Configure the files in directory \"/etc/audit/rules.d/\" and the \"/etc/audit/auditd.conf\" file to have a mode of \"0640\" with the following commands:\n\n$ sudo su -\n# chmod 0640 /etc/audit/rules.d/audit.rules\n# chmod 0640 /etc/audit/rules.d/[customrulesfile].rules\n# chmod 0640 /etc/audit/auditd.conf","ccis":["CCI-000171"]},{"vulnId":"V-254142","ruleId":"SV-254142r958446_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the chown privileged commands.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records for all successful and unsuccessful attempts to access privileges.\n\n$ sudo grep -iw chown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit 
rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw fchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a exit,never -F arch=b64 -S openat -S open -S fchown -F success=0 -F uid=1000 -F exit=-13\n-a exit,never -F arch=b64 -S fchown -F success=0 -F uid=0 -F exit=-13\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw lchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw fchownat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\nIf the output does not contain all of the above rules, 
this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254143","ruleId":"SV-254143r958446_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the creat privileged commands.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to access privileges occur.\n\n$ sudo grep -iw creat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the 
following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254144","ruleId":"SV-254144r958446_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the open-related privileged commands.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to access privileges occur.\n\n$ sudo grep -iw open /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw openat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat 
-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254145","ruleId":"SV-254145r958446_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records 
containing the full-text recording of successful and unsuccessful uses and variations of the truncate-related privileged commands.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to access privileges occur.\n\n$ sudo grep -iw truncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw ftruncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a 
always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254146","ruleId":"SV-254146r991570_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for file access actions.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to access categories of information occur.\n\n$ sudo grep -iw creat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k 
access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw open /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw openat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw open_by_handle_at 
/etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw truncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw ftruncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 
-S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254147","ruleId":"SV-254147r991570_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for file ownership actions.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to change file ownership occur.\n\n$ sudo grep -iw chown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep 
-iw fchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a exit,never -F arch=b64 -S openat -S open -S fchown -F success=0 -F uid=1000 -F exit=-13\n-a exit,never -F arch=b64 -S fchown -F success=0 -F uid=0 -F exit=-13\n\n$ sudo grep -iw lchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -iw fchownat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254148","ruleId":"SV-254148r991570_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for file permission 
actions.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to change file permissions occur.\n\n$ sudo grep -w chmod /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchmod /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchmodat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed 
syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254149","ruleId":"SV-254149r991570_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for file extended attribute actions.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to change file extended attributes occur.\n\n$ sudo grep -w setxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fsetxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w lsetxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k 
audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w removexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fremovexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w lremovexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls 
security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254150","ruleId":"SV-254150r991571_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to access categories of information occur.\n\n$ sudo grep -iw creat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw open /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid=0 
-k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw openat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM 
-F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw truncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw ftruncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\nIf the output does not contain 
all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254151","ruleId":"SV-254151r991572_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify privileges occur.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm that Nutanix AOS generates audit records when successful/unsuccessful attempts to modify privileged objects occur.\n\n$ sudo grep /etc/sudoers /etc/audit/audit.rules\n-w /etc/sudoers -p wa -k actions\n\n$ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n-w /etc/sudoers.d/ -p wa -k actions\n\n$ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w sudo /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w newgrp /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -i /usr/bin/chsh /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf any of the commands listed above does not return the rule shown, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls 
security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254152","ruleId":"SV-254152r991573_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records for successful/unsuccessful attempts to modify security objects occur.\n\n$ sudo grep -i /usr/sbin/semanage /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/bin/chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the commands does not return any output, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254153","ruleId":"SV-254153r991574_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify categories of information occur.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate 
the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records for successful/unsuccessful attempts to modify categories of information.\n\n$ sudo grep -i /usr/sbin/semanage /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/bin/chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the commands does not return any output, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254154","ruleId":"SV-254154r991575_rule","severity":"medium","ruleTitle":"Nutanix AOS must audit attempts to modify or delete security objects.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212","checkContent":"Confirm Nutanix AOS generates audit records when successful/unsuccessful attempts to delete security objects occur.\n\n$ sudo grep -iw rename /etc/audit/audit.rules\n-a 
exit,never -F arch=b64 -S rename -F success=1 -F uid=1000 -F exit=0\n-a exit,never -F arch=b64 -S rename -F success=0 -F uid=1000 -F exit=-2\n-a always,exit -F arch=b64 -S rename -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rename -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -iw renameat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S renameat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S renameat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -iw rmdir /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S rmdir -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rmdir -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\ngrep -iw unlink /etc/audit/audit.rules\n-a exit,never -F arch=b64 -S unlink -F success=1 -F uid=1000 -F exit=0\n-a exit,never -F arch=b64 -S unlink -F success=0 -F uid=1000 -F exit=-2\n-a always,exit -F arch=b64 -S unlink -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlink -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\ngrep -iw 
unlinkat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S unlinkat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlinkat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the syscalls listed, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254155","ruleId":"SV-254155r991578_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records when concurrent logons to the same account occur.\n\n$ sudo  grep -i /var/run/faillock /etc/audit/audit.rules\n-w /var/run/faillock -p wa -k logins\n\n$ sudo grep -i /var/log/lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins \n\nIf the commands listed do not return any output, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254156","ruleId":"SV-254156r991579_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for privileged security activities.","description":"Without generating audit records that are specific to the 
security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records for privileged activities or other system-level access.\n\n$ sudo grep /etc/shadow /etc/audit/audit.rules\n-w /etc/shadow -p wa -k audit_account_changes\n\n$ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n-w /etc/security/opasswd -p wa -k audit_account_changes\n\n$ sudo grep /etc/passwd /etc/audit/audit.rules\n-w /etc/passwd -p wa -k audit_account_changes\n\n$ sudo grep /etc/gshadow /etc/audit/audit.rules\n-w /etc/gshadow -p wa -k audit_account_changes\n\n$ sudo grep /etc/group /etc/audit/audit.rules\n-w /etc/group -p wa -k audit_account_changes\n\n$ sudo grep /etc/sudoers /etc/audit/audit.rules\n-w /etc/sudoers -p wa -k actions\n\n$ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n-w /etc/sudoers.d/ -p wa -k actions\n\n$ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w sudo /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w gpasswd /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w passwd /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the privileged activities access listed do not return any output, this is a finding.","fixText":"Configure the audit rules by running the following command.\n\n$ sudo salt-call state.sls 
security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254157","ruleId":"SV-254157r991579_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for privileged account activities.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records for privileged activities or other system-level access.\n\n$ sudo grep -w chage /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w newgrp /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -i /usr/bin/chsh /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\n$ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w faillock /etc/audit/audit.rules\n-w /var/run/faillock/ -p wa -k logins\n\n$ sudo grep -w lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins\n\n$ sudo grep -iw \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf the privileged activities access listed do not return any output, this is a finding.","fixText":"Configure the audit rules by running the following 
command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254158","ruleId":"SV-254158r958442_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to audit the loading and unloading of dynamic kernel modules.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222","checkContent":"Confirm Nutanix AOS generates audit records for all kernel module load, unload, restart actions, and initiations.\n\n$ sudo grep -iw create_module /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S create_module -k module-change\n-a always,exit -F arch=b64 -S create_module -k module-change\n\n$ sudo grep -iw init_module /etc/audit/audit.rules \n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\n$ sudo grep -iw finit_module /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S finit_module -k module-change\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\n$ sudo grep -iw delete_module /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the module(s) listed syscall, this is a finding.\n\n$ sudo grep -iw kmod /etc/audit/audit.rules\n-w /usr/bin/kmod -p x -F auid!=unset -k module-change\n\nIf the command does not return any output, this is a finding.\n\n$ sudo cat /boot/grub/grub.conf | grep audit\n\tkernel 
/boot/vmlinuz-3.10.0-1160.24.1.el7.nutanix.20210425.cvm.x86_64 ro root=UUID=71a1fe8c-812f-4403-80ed-894f554b061c rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us audit=1 audit_backlog_limit=8192 nousb fips=1 nomodeset biosdevname=0 net.ifnames=0 scsi_mod.use_blk_mq=y panic=30 console=ttyS0,115200n8 console=tty0 clocksource=tsc kvm_nopvspin=1 xen_nopvspin=1 hv_netvsc.ring_size=512 mds=off mitigations=off\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000169","CCI-000172"]},{"vulnId":"V-254159","ruleId":"SV-254159r991582_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records when concurrent logons to the same account occur from different sources.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records when concurrent logons to the same account occur.\n\n$ sudo  grep -i /var/run/faillock /etc/audit/audit.rules\n-w /var/run/faillock -p wa -k logins\n\n$ sudo grep -i /var/log/lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins \n\nIf the commands listed do not return any output, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254160","ruleId":"SV-254160r991583_rule","severity":"medium","ruleTitle":"Nutanix AOS must 
generate audit records when successful/unsuccessful accesses to objects occur.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records on all successful/unsuccessful attempts to access privileges occur.\n\n$ sudo grep -iw chown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S chown -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw fchown /etc/audit/audit.rules\n -a always,exit -F arch=b64 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\n -a exit,never -F arch=b64 -S openat -S open -S fchown -F success=0 -F uid=1000 -F exit=-13.\n -a exit,never -F arch=b64 -S fchown -F success=0 -F uid=0 -F exit=-13.\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ 
sudo grep -iw lchown /etc/audit/audit.rules\n -a always,exit -F arch=b64 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.\n\n$ sudo grep -iw fchownat /etc/audit/audit.rules\n -a always,exit -F arch=b64 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete.\n -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete.\nIf the output does not contain all of the above rules, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules are not defined for the listed syscall(s), this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254161","ruleId":"SV-254161r991581_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for all direct access to the information system.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000472-GPOS-00217, 
SRG-OS-000475-GPOS-00220","checkContent":"Confirm Nutanix AOS is configured with the ausearch tool. The ausearch tool is a feature of the audit rpm. \n\n$ sudo yum list installed audit\nInstalled Packages\naudit.x86_64\n\nIf Installed Packages does not list the audit.x86_64 or No matching Packages to list is returned, this is a finding.","fixText":"Configure the system to generate audit records for all direct access to the information system by installing the audit package.\n\n$ sudo yum install audit","ccis":["CCI-000172"]},{"vulnId":"V-254162","ruleId":"SV-254162r991585_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate audit records for all account creations, modifications, disabling, and termination events.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Confirm Nutanix AOS generates audit records for all account creation, modification, disabling, and termination.\n\n$ sudo grep /etc/passwd /etc/audit/audit.rules\n-w /etc/passwd -p wa -k audit_account_changes\n\nIf the command does not return a line, or the line is commented out, this is a finding.","fixText":"Configure Nutanix AOS to generate audit records for all account creations, modifications, disabling, and terminations by running the following command.\n\n$ sudo \tsalt-call state.sls security/CVM/auditCVM","ccis":["CCI-000172"]},{"vulnId":"V-254163","ruleId":"SV-254163r991555_rule","severity":"medium","ruleTitle":"Nutanix AOS must initiate session audits at system start-up.","description":"If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created.","checkContent":"Determine if auditing is active by issuing the following command:\n\n$ sudo systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Configure the audit service to be active and start automatically with the system at startup. The Audit service is protected and restricted to allow access or modifications only from the root account.\n$ sudo su -\n# systemctl start auditd.service","ccis":["CCI-001464"]},{"vulnId":"V-254164","ruleId":"SV-254164r958412_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing information to establish what type of events occurred.","description":"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo auditctl -l | grep -iw /usr/bin/su /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ 
sudo auditctl -l | grep -iw /usr/bin/sudo /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ sudo grep -i \"/etc/sudoers\" /etc/audit/audit.rules\nIf the output is not -w /etc/sudoers -p wa -k actions, this is a finding.\n\n$ sudo grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\nIf the output is not -w /etc/sudoers.d/ -p wa -k actions, this is a finding.\n\n$ sudo grep -i /usr/bin/newgrp /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ sudo grep -i /usr/bin/chsh /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000130"]},{"vulnId":"V-254165","ruleId":"SV-254165r958414_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing information to establish when events occurred.","description":"Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time).\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.","checkContent":"Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nDetermine if auditing is active by issuing the following command:\n\n$ sudo systemctl 
is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Enable the auditd service to run automatically.\n\n$ sudo systemctl enable auditd","ccis":["CCI-000131"]},{"vulnId":"V-254166","ruleId":"SV-254166r958416_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing information to establish where events occurred.","description":"Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality.\n\nAssociating information about where the event occurred within the operating system provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.","checkContent":"Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nDetermine if auditing is active by issuing the following command:\n\n$ sudo systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Enable the auditd service to run automatically.\n\n$ sudo systemctl enable auditd","ccis":["CCI-000132"]},{"vulnId":"V-254167","ruleId":"SV-254167r958418_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing information to establish the source of events.","description":"Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn addition to logging where events occur within the operating system, the operating system must also generate audit records that identify 
sources of events. Sources of operating system events include, but are not limited to, processes, and services.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event.","checkContent":"Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nDetermine if auditing is active by issuing the following command:\n\n$ sudo systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Enable the auditd service to run automatically.\n\n$ sudo systemctl enable auditd","ccis":["CCI-000133"]},{"vulnId":"V-254168","ruleId":"SV-254168r958420_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing information to establish the outcome of events.","description":"Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). 
As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.","checkContent":"Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nDetermine if auditing is active by issuing the following command:\n\n$ sudo systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Enable the auditd service to run automatically.\n\n$ sudo systemctl enable auditd","ccis":["CCI-000134"]},{"vulnId":"V-254169","ruleId":"SV-254169r991556_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing information to establish the identity of any individual or process associated with the event.","description":"Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.","checkContent":"Confirm Nutanix AOS produces audit records containing information to establish when (date and time) the events occurred.\n\nDetermine if auditing is active by issuing the following command:\n\n$ sudo systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Configure the audit service to be active and start automatically with the system at startup. 
The Audit service is protected and restricted to allow access or modifications only from the root account.\n\n$ sudo su -\n# systemctl start auditd.service","ccis":["CCI-001487"]},{"vulnId":"V-254170","ruleId":"SV-254170r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the passwd/gpasswd/unix-chkpwd privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -i /usr/bin/passwd /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ sudo grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ sudo grep -i /usr/bin/gpasswd /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254171","ruleId":"SV-254171r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful 
and unsuccessful attempts to execute the chage privileged command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -i /usr/bin/chage /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254172","ruleId":"SV-254172r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the userhelper privileged command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -i /usr/sbin/userhelper /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254173","ruleId":"SV-254173r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the mount and umount privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -iw \"mount\" /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ sudo grep -iw \"/usr/bin/umount\" /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254174","ruleId":"SV-254174r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the post-related privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -iw /usr/sbin/postdrop /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.\n\n$ sudo grep -iw /usr/sbin/postqueue /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254175","ruleId":"SV-254175r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the openssh-related privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254176","ruleId":"SV-254176r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the crontab-related privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify Nutanix AOS generates audit records when successful/unsuccessful attempts to use the following commands occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\":\n\n$ sudo grep -iw /usr/bin/crontab /etc/audit/audit.rules\nIf the output is not -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged, this is a finding.","fixText":"Configure the audit rules by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000135"]},{"vulnId":"V-254177","ruleId":"SV-254177r958422_rule","severity":"medium","ruleTitle":"Nutanix AOS must produce audit records containing the individual identities of group account users.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the individual identities of group users. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the actual account involved in the activity.","checkContent":"Verify Nutanix AOS produces audit records containing information to establish when (date and time) the events occurred.\n\nDetermine if auditing is active by issuing the following command:\n\n$ sudo systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.","fixText":"Enable the auditd service to run automatically.\n\n$ sudo systemctl enable auditd","ccis":["CCI-000135"]},{"vulnId":"V-254178","ruleId":"SV-254178r958752_rule","severity":"medium","ruleTitle":"Nutanix AOS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.","description":"To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the operating system.","checkContent":"Confirm Nutanix AOS preconfigures storage for one week's worth of audit records, when audit records are not immediately sent to a central audit record facility.\n\n$ sudo cat /boot/grub/grub.conf | grep audit_backlog_limit\naudit_backlog_limit=8192\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\", is missing, or the line is commented out, this is a finding.","fixText":"As root, modify the /boot/grub/grub.conf file to include the following line:\n\naudit_backlog_limit=8192","ccis":["CCI-001849"]},{"vulnId":"V-254179","ruleId":"SV-254179r958754_rule","severity":"medium","ruleTitle":"Nutanix AOS must offload audit records to a syslog server.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
Offloading is a common process in information systems with limited audit storage capacity.\n\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224","checkContent":"Confirm Nutanix AOS is configured to offload the audit records to a site-specific syslog server.\n\n$ sudo grep @ /etc/rsyslog.d/rsyslog-nutanix.conf\nlocal0.*; @remote-log-host:514\n\nIf there are no lines in the \"/etc/rsyslog.d/rsyslog-nutanix.conf\" files that contain the \"@\" or \"@@\" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\" output, ask the System Administrator to indicate how the audit logs are offloaded to a different system or media.\n\nIf the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.","fixText":"Configure AOS to offload audit records to site specific syslog server by running the following command.\n\nncli rsyslog-config add-server name=[alias_of_central_host] ip-address=[IP_of_central_host] port=[port_of_central_host] network-protocol=tcp|udp|relp relp-enabled=yes|no; ncli rsyslog-config add-module module-name=syslog_module level=info server-name=[alias_of_central_host]","ccis":["CCI-001851"]},{"vulnId":"V-254180","ruleId":"SV-254180r958426_rule","severity":"medium","ruleTitle":"Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern).","description":"It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.","checkContent":"Confirm the audit configuration regarding how auditing processing failures are handled in Nutanix AOS.\n\n$ sudo auditctl -s | grep -i \"fail\"\nIf the output is not failure 1, this is a finding.","fixText":"Configure the audit alert setting by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000140"]},{"vulnId":"V-254181","ruleId":"SV-254181r958428_rule","severity":"medium","ruleTitle":"Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system.","description":"Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. 
If the operating system does not provide the ability to centrally review the operating system logs, forensic analysis is negatively impacted.\n\nSegregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems.\n\nTo support the centralized capability, the operating system must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement.\n\nSatisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142","checkContent":"Confirm Nutanix AOS is configured with the ausearch tool. The ausearch tool is a feature of the audit rpm. 
\n\n$ sudo yum list installed audit\nInstalled Packages\naudit.x86_64\n\nIf Installed Packages does not list the audit.x86_64 or No matching Packages to list is returned, this is a finding.","fixText":"Configure the system to provide on-demand (i.e., ad hoc) audit report generation by installing the correct audit.x86_64 rpm.\n\n$ sudo yum install audit","ccis":["CCI-000154","CCI-000158","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882"]},{"vulnId":"V-254182","ruleId":"SV-254182r982208_rule","severity":"low","ruleTitle":"Nutanix AOS must compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations must consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\nSatisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144","checkContent":"Confirm Nutanix AOS is running the NTP service.\n\n# sudo ps -ef | grep ntp\nntp       7447     1  0 Aug17 ?        
00:00:05 /usr/sbin/ntpd -u ntp:ntp -g\n\nIf the NTP service is not running, this is a finding.\n\nNext, check the ntp.conf file for the \"maxpoll\" option setting.\n\n$ sudo grep maxpoll /etc/ntp.conf\nserver #.#.#.# maxpoll 10\n\nIf the option is set to \"17\" or is not set, this is a finding.","fixText":"Log in to the Nutanix CVM.\n\nRun the following command to add a list of DoD-approved NTP servers:\n\n$ ncli cluster add-to-ntp-servers servers=IP_1,IP_2,IP_3","ccis":["CCI-001891","CCI-002046"]},{"vulnId":"V-254183","ruleId":"SV-254183r958434_rule","severity":"medium","ruleTitle":"Nutanix AOS must protect audit information from unauthorized access.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Verify Nutanix AOS audit log permissions are \"0600\" or less permissive.\n\n$ sudo stat -c \"%a %n\" /home/log/audit/audit.log\n600 /home/log/audit/audit.log\n\nIf the audit.log file(s) are more permissive than \"0600\", this is a finding.","fixText":"Run the salt stack call to set the audit log file permissions to \"600\".\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-254184","ruleId":"SV-254184r991557_rule","severity":"medium","ruleTitle":"Nutanix AOS audit tools must be configured to 0755 or less permissive.","description":"Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.","checkContent":"Verify the audit tools are protected from unauthorized access, deletion, or 
modification by checking the permissive mode.\n\nCheck the octal permission of each audit tool by running the following command:\n$ sudo stat -c \"%a %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n750 /sbin/auditctl\n750 /sbin/aureport\n750 /sbin/ausearch\n750 /sbin/autrace\n750 /sbin/auditd\n755 /sbin/rsyslogd\n755 /sbin/augenrules\n\nIf any of the audit tools has a mode more permissive than \"0755\", this is a finding.","fixText":"Configure the audit tools to be protected from unauthorized access by setting the correct permissive mode using the following command:\n\n$ sudo chmod 0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the correct permissive mode.","ccis":["CCI-001493"]},{"vulnId":"V-254185","ruleId":"SV-254185r991558_rule","severity":"medium","ruleTitle":"Nutanix AOS audit tools must be owned by root.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has to make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.","checkContent":"Verify the audit tools are owned by \"root\" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n$ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n[sudo] password for admin: \nroot /sbin/auditctl\nroot /sbin/aureport\nroot /sbin/ausearch\nroot /sbin/autrace\nroot /sbin/auditd\nroot /sbin/rsyslogd\nroot /sbin/augenrules\n\nIf any of the audit tools are not owned by \"root\", this is a finding.","fixText":"Configure the audit tools to be owned by \"root\", by running the following command:\n\n$ sudo chown root [audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by \"root\".","ccis":["CCI-001494"]},{"vulnId":"V-254186","ruleId":"SV-254186r991559_rule","severity":"medium","ruleTitle":"Nutanix AOS audit tools must be group-owned by root.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.","checkContent":"Verify the audit tools are group-owned by \"root\" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following commands:\n$ sudo stat -c \"%G %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n[sudo] password for admin: \nroot /sbin/auditctl\nroot /sbin/aureport\nroot /sbin/ausearch\nroot /sbin/autrace\nroot /sbin/auditd\nroot /sbin/rsyslogd\nroot /sbin/augenrules\n\nIf any of the audit tools are not group-owned by \"root\", this is a finding.","fixText":"Configure the audit tools to be group-owned by \"root\", by running the following command:\n\n$ sudo chgrp root [audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by \"root\".","ccis":["CCI-001495"]},{"vulnId":"V-254187","ruleId":"SV-254187r991567_rule","severity":"high","ruleTitle":"Nutanix AOS must use cryptographic mechanisms to protect the integrity of audit tools.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. 
An example is a checksum hash of the file or files.","checkContent":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nVerify the location of the seven auditing tools that require cryptographic protection with the following command:\n(auditctl, auditd, ausearch, aureport, autrace, augenrules, rsyslogd)\n\n$ sudo ls -al /usr/sbin/ | egrep '(audit|au|rsys)'\n\nIf the seven identified audit tools are not listed, this is a finding.\n\nCheck the aide.conf file for the configured rule set.\n\n$ sudo grep -i \"FIPSR =\" /etc/aide.conf\nFIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512\n\nIf the FIPSR rule set is commented out or does not display, this is a finding.\n\nCheck to ensure that the root directory of the seven audit tools is configured to be monitored and that the proper rule set is applied to that directory (/usr/).\n\n$ sudo grep -i /usr /etc/aide.conf\n/usr    FIPSR\n\nIf the /usr directory is not listed, has a preceding '=' or '!' sign, or the rule set is not set to FIPSR, this is a finding.","fixText":"Configure AIDE on Nutanix AOS by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-aide=true","ccis":["CCI-001496"]},{"vulnId":"V-254188","ruleId":"SV-254188r958794_rule","severity":"medium","ruleTitle":"Nutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.","description":"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. 
Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.","checkContent":"Confirm that Nutanix AOS has been set to have the Advanced Intrusion Detection Environment (AIDE) installed and enabled.\n\n$ sudo yum list installed aide\nInstalled Packages\naide.x86_64\n\nIf the aide.x86_64 package is not installed, this is a finding.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n$ sudo ls -al /etc/cron.* | grep aide\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.","fixText":"Configure AIDE on Nutanix AOS by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-aide=true","ccis":["CCI-001744"]},{"vulnId":"V-254189","ruleId":"SV-254189r958796_rule","severity":"medium","ruleTitle":"Nutanix AOS must not be configured to allow GSSAPIAuthentication.","description":"Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall 
security of the system.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"Confirm Nutanix AOS enforces access restrictions.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n$ sudo grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.","fixText":"Configure Nutanix AOS to enforce access restrictions by running the following command:\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-001813"]},{"vulnId":"V-254190","ruleId":"SV-254190r958796_rule","severity":"medium","ruleTitle":"Nutanix AOS must not be configured to allow KerberosAuthentication.","description":"Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical 
access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"Confirm Nutanix AOS enforces access restrictions.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n$ sudo grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.","fixText":"Configure Nutanix AOS to enforce access restrictions by running the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-001813"]},{"vulnId":"V-254191","ruleId":"SV-254191r982212_rule","severity":"medium","ruleTitle":"Nutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.","description":"Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.","checkContent":"Confirm that Nutanix AOS is configured to require gpgcheck and localpkg_gpgcheck for all installation packages provided by the vendor.\n\n$ sudo grep gpgcheck /etc/yum.conf\ngpgcheck=1\n\n$ sudo grep localpkg_gpgcheck /etc/yum.conf\nlocalpkg_gpgcheck=1\n\n$ sudo grep repo_gpgcheck /etc/yum.conf\nrepo_gpgcheck=1\n\nIf any of the three gpg checks output is not set to \"1\", this is a finding.","fixText":"Configure Nutanix AOS to require gpgcheck validation checks on all required yum repo configurations by running the following command:\n\n$ sudo salt-call state.sls security/CVM/yumCVM","ccis":["CCI-001749"]},{"vulnId":"V-254192","ruleId":"SV-254192r991587_rule","severity":"medium","ruleTitle":"Nutanix AOS must prevent the use of dictionary words for passwords.","description":"If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"Confirm Nutanix AOS prevents the use of dictionary words for passwords. 
\n\nCheck the /etc/pam.d/password-auth file for pam_pwquality.so\n\n$ sudo grep pwquality.so /etc/pam.d/password-auth\npassword    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 authtok_type=\n \nIf the output does not contain \"pam_pwquality.so\" with the option of \"required\" or \"requisite\", this is a finding.","fixText":"Configure Nutanix AOS to enforce the use of pam_pwquality.so by running the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000366"]},{"vulnId":"V-254193","ruleId":"SV-254193r991588_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"Confirm Nutanix AOS enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.\n\n$ sudo grep -i fail_delay /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.","fixText":"Configure Nutanix AOS to enforce a delay between logon prompts following a failed logon attempt by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000366"]},{"vulnId":"V-254194","ruleId":"SV-254194r991589_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to run SCMA daily.","description":"The Nutanix platform leverages the use of the Security Configuration Management Automation (SCMA) framework to ensure secure configurations have not been altered from their desired state. 
If the SCMA framework is not run on a daily basis, changes to the secure baseline could be made, compromising multiple security functions and features on the operating system.","checkContent":"Verify that the SCMA framework is set to run daily:\n\n$ ncli cluster get-cvm-security-config | egrep 'Schedule'\nSchedule : DAILY\n\nIf \"Schedule\" is not set to \"DAILY\", this is a finding.","fixText":"Set the SCMA framework to check the baseline daily:\n$ sudo ncli cluster edit-cvm-security-params schedule=daily","ccis":["CCI-000366"]},{"vulnId":"V-254195","ruleId":"SV-254195r991590_rule","severity":"low","ruleTitle":"Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.","description":"Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.","checkContent":"Confirm Nutanix AOS defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\n$ sudo grep -i umask /etc/login.defs\nUMASK 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.","fixText":"Configure Nutanix AOS default permissions UMASK to 077 by running the following command.\n\nsalt-call state.sls security/CVM/shellCVM","ccis":["CCI-000366"]},{"vulnId":"V-254196","ruleId":"SV-254196r991591_rule","severity":"medium","ruleTitle":"Nutanix AOS must not allow an unattended or automatic logon to the system.","description":"Failure to restrict system access to authenticated users negatively impacts operating system security.","checkContent":"Confirm Nutanix AOS does not allow users to override environment variables to the SSH daemon.\n\nCheck for the value of the \"PermitUserEnvironment\" keyword with the following command:\n\n$ sudo grep -i permituserenvironment /etc/ssh/sshd_config\nPermitUserEnvironment 
no\n\nIf the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.\n\n$ sudo grep -i hostbasedauthentication /etc/ssh/sshd_config\nHostbasedAuthentication no\n\nIf the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.","fixText":"Configure Nutanix AOS to not allow users to override environment variables to the SSH daemon by running the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-000366"]},{"vulnId":"V-254197","ruleId":"SV-254197r991592_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured so that all local interactive user home directories have mode \"0750\" or less permissive.","description":"Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.","checkContent":"Confirm that the home directory of each local interactive user on Nutanix AOS has a mode of \"0750\" or less permissive.\n\nStep 1. Determine interactive users\n$ sudo cat $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\ncat: /home/nutanix: Is a directory\ncat: /home/admin: Is a directory\n\nStep 2. 
Determine permissions on interactive users' home directories.\n$ sudo stat -c \"%a %n\" /home/admin\n750 /home/admin\n\n$ sudo stat -c \"%a %n\" /home/nutanix\n750 /home/nutanix\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.","fixText":"Configure any interactive user's home directory to have a mode of \"0750\" or less by running the command:\n\n$ sudo chmod 0750 [path to interactive user's home directory]","ccis":["CCI-000366"]},{"vulnId":"V-254198","ruleId":"SV-254198r991593_rule","severity":"medium","ruleTitle":"Nutanix AOS must enable an application firewall, if available.","description":"Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.","checkContent":"Confirm Nutanix AOS prohibits or restricts the use of remote access methods, using the iptables firewall service.\n\n$ sudo service iptables status\niptables.service - IPv4 firewall with iptables\n   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)\n   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago\n Main PID: 1250 (code=exited, status=0/SUCCESS)\n   CGroup: /system.slice/iptables.service\n\nIf IPv6 is in use:\n$ sudo service ip6tables status\nip6tables.service - IPv6 firewall with ip6tables\n   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)\n   Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago\n Main PID: 1313 (code=exited, status=0/SUCCESS)\n   CGroup: /system.slice/ip6tables.service\n\nIf no iptables services are \"Loaded\" and \"Active\", this is a finding.","fixText":"Configure the system to restrict the use of remote access methods by running the following command.\n\n$ sudo salt-call state.sls 
security/CVM/iptables/init","ccis":["CCI-000366"]},{"vulnId":"V-254199","ruleId":"SV-254199r958804_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured with nodev, nosuid, and noexec options for /dev/shm.","description":"Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"Confirm that on Nutanix AOS the \"nodev\", \"nosuid\", and \"noexec\" options are configured for /dev/shm:\n\n$ cat /etc/fstab | grep /dev/shm\ntmpfs\t\t/dev/shm\ttmpfs\tdefaults,size=512m,noexec,rw,seclabel,nosuid,nodev\t0 0\n\nIf /dev/shm is mounted without the secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.","fixText":"Configure Nutanix AOS so that /dev/shm is mounted with the \"nodev\", \"nosuid\", and \"noexec\" options by adding or modifying the following line in /etc/fstab:\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0","ccis":["CCI-001764"]},{"vulnId":"V-254200","ruleId":"SV-254200r958478_rule","severity":"medium","ruleTitle":"Nutanix AOS must not have the rsh-server package installed.","description":"It is 
detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nSatisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042","checkContent":"Confirm Nutanix AOS is configured to disable nonessential capabilities.\n\n$ sudo yum list installed rsh-server\n\nIf the rsh-server package is installed, this is a finding.","fixText":"Remove any finding identified by running the correlating command:\n\n$ sudo yum remove rsh-server","ccis":["CCI-000197","CCI-000381"]},{"vulnId":"V-254201","ruleId":"SV-254201r958478_rule","severity":"medium","ruleTitle":"Nutanix AOS must not have the ypserv package installed.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"Confirm Nutanix AOS is configured to disable nonessential capabilities.\n\n$ sudo yum list installed ypserv\n\nIf the \"ypserv\" package is installed, this is a finding.","fixText":"Remove any finding identified by running the correlating command:\n\n$ sudo yum remove ypserv","ccis":["CCI-000381"]},{"vulnId":"V-254202","ruleId":"SV-254202r958478_rule","severity":"medium","ruleTitle":"Nutanix AOS must not have the telnet-server package installed.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"Confirm Nutanix AOS is configured to disable nonessential capabilities.\n\n$ sudo yum list installed telnet-server\n\nIf the telnet-server package is installed, this is a finding.","fixText":"Remove any finding identified by running the correlating command:\n\n$ sudo yum remove telnet-server","ccis":["CCI-000381"]},{"vulnId":"V-254203","ruleId":"SV-254203r958480_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.","checkContent":"Confirm Nutanix AOS prohibits or restricts the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.\n\n$ sudo iptables -S\n\nIf IPv6 is in use:\n$ sudo ip6tables -S\n\nReview the site or program PPSM CAL; verify the services allowed by the firewall match the PPSM CLSA. \n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.","fixText":"Configure the system to restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments by running the following command:\n\n$ sudo salt-call state.sls security/CVM/iptables/init","ccis":["CCI-000382"]},{"vulnId":"V-254204","ruleId":"SV-254204r987879_rule","severity":"medium","ruleTitle":"Nutanix AOS must require users to reauthenticate for privilege escalation.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\n\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158","checkContent":"Confirm Nutanix AOS is configured as shown for reauthentication in the 
sudoers file.\n\n$ grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.","fixText":"Any occurrences of \"NOPASSWD\" that are not documented with the ISSO must be removed. To configure Nutanix AOS to meet this requirement, run the following command:\n\nsalt-call state.sls security/CVM/manualCVM","ccis":["CCI-002038"]},{"vulnId":"V-254205","ruleId":"SV-254205r958494_rule","severity":"medium","ruleTitle":"Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA privileged account is any information system account with authorizations of a privileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). 
Additional techniques include time-synchronous or challenge-response one-time authenticators.\n\nSatisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058","checkContent":"Confirm Nutanix AOS has SSH loaded and active.\n\n$ sudo systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.\n\nIf the \"SSH server\" package is not installed, this is a finding.","fixText":"Configure SSH on Nutanix AOS by running the following command:\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-001941","CCI-001942"]},{"vulnId":"V-254206","ruleId":"SV-254206r958498_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to disable USB mass storage devices.","description":"Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, devices such as flash drives, external storage, and printers.","checkContent":"Confirm Nutanix AOS is configured to disable USB mass storage devices.\n\n$ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\ninstall usb-storage /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\nDetermine if USB mass storage is disabled with the following command:\n\n$ sudo grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\nblacklist usb-storage\n\nIf the command does not return any output or the output is 
not \"blacklist usb-storage\", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.","fixText":"Configure the system to disable USB mass storage and blacklist from executing by running the following command:\n\n$ sudo salt-call state.sls security/CVM/modprobeCVM","ccis":["CCI-000778"]},{"vulnId":"V-254207","ruleId":"SV-254207r982189_rule","severity":"low","ruleTitle":"Nutanix AOS must be configured to disable user accounts after the password expires.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.","checkContent":"Confirm Nutanix AOS is configured to disable user accounts after the password expires.\n\n$ sudo grep -i inactive /etc/default/useradd\nINACTIVE=0\n\nIf the value is not set to \"0\", is commented out, or is not defined, this is a finding.","fixText":"Configure the system to disable inactive user accounts after the password expires by running the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000795"]},{"vulnId":"V-254208","ruleId":"SV-254208r982195_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Confirm Nutanix AOS is configured to require complex passwords.\nNote: The value to require a number of uppercase characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ucredit\" in \"/etc/security/pwquality.conf\" with the following command.\n\n$ sudo grep ucredit /etc/security/pwquality.conf \nucredit = -1\n\nIf the value of \"ucredit\" is not set to a negative value, this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000192"]},{"vulnId":"V-254209","ruleId":"SV-254209r982196_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Confirm Nutanix AOS is configured to require complex passwords.\nNote: The value to require a number of lowercase characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"lcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n$ sudo grep lcredit /etc/security/pwquality.conf \nlcredit = -1\n\nIf the value of \"lcredit\" is not set to a negative value, this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000193"]},{"vulnId":"V-254210","ruleId":"SV-254210r982197_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Confirm Nutanix AOS is configured to require complex passwords.\nNote: The value to require a number of numeric characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n$ sudo grep dcredit /etc/security/pwquality.conf \ndcredit = -1\n\nIf the value of \"dcredit\" is not set to a negative value, this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000194"]},{"vulnId":"V-254211","ruleId":"SV-254211r982202_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce a minimum 15 character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Confirm Nutanix AOS is configured to enforce a minimum 15 character password length.\n\n$ sudo grep minlen /etc/security/pwquality.conf\nminlen = 15\n\nIf the command does not return a \"minlen\" value of \"15\" or greater, this is a finding.","fixText":"Configure the password minimum length requirement of 15 characters by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-000205"]},{"vulnId":"V-254212","ruleId":"SV-254212r991561_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! 
@ # $ % ^ *.","checkContent":"Confirm Nutanix AOS enforces password complexity by requiring that at least one special character be used.\n\nNote: The value to require a number of special characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n$ sudo grep ocredit /etc/security/pwquality.conf \nocredit=-1\n\nIf the value of \"ocredit\" is not set to a negative value, this is a finding.","fixText":"Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nLog in to a Nutanix CVM and run the following command:\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-001619"]},{"vulnId":"V-254213","ruleId":"SV-254213r982198_rule","severity":"medium","ruleTitle":"Nutanix AOS must require the change of at least 50 percent of the total number of characters when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number, then the number of changed characters must be rounded up. 
For example, a password length of 15 characters must require the change of at least eight characters.","checkContent":"Verify Nutanix AOS is configured to require complex passwords.\n\n$ sudo grep difok /etc/security/pwquality.conf \ndifok = 8\n\nIf the value of \"difok\" is set to less than \"8\", this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-000195"]},{"vulnId":"V-254214","ruleId":"SV-254214r982198_rule","severity":"medium","ruleTitle":"Nutanix AOS must require the change of at least four character classes when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number, then the number of changed characters must be rounded up. 
For example, a password length of 15 characters must require the change of at least eight characters.","checkContent":"Verify Nutanix AOS is configured to require complex passwords.\n\n$ sudo grep minclass /etc/security/pwquality.conf \nminclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\", this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-000195"]},{"vulnId":"V-254215","ruleId":"SV-254215r982198_rule","severity":"medium","ruleTitle":"Nutanix AOS must require the maximum number of repeating characters be limited to three when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number, then the number of changed characters must be rounded up. 
For example, a password length of 15 characters must require the change of at least eight characters.","checkContent":"Verify Nutanix AOS is configured to require complex passwords.\n\n$ sudo grep maxrepeat /etc/security/pwquality.conf \nmaxrepeat = 2\n\nIf the value of \"maxrepeat\" is set to more than \"2\", this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-000195"]},{"vulnId":"V-254216","ruleId":"SV-254216r982198_rule","severity":"medium","ruleTitle":"Nutanix AOS must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number, then the number of changed characters must be rounded up. 
For example, a password length of 15 characters must require the change of at least eight characters.","checkContent":"Verify Nutanix AOS is configured to require complex passwords.\n\n$ sudo grep maxclassrepeat /etc/security/pwquality.conf \nmaxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to more than \"4\", this is a finding.","fixText":"Configure the complex password requirements by running the following command:\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-000195"]},{"vulnId":"V-254217","ruleId":"SV-254217r982199_rule","severity":"high","ruleTitle":"Nutanix AOS must store only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Confirm Nutanix AOS is configured to store encrypted representation of passwords and that the encryption meets required standards.\n\n$ sudo grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the /etc/login.defs file does not contain the required output, this is a finding.\n\n$ sudo grep -i sha512 /etc/libuser.conf\ncrypt_style = sha512\n\nIf the /etc/libuser.conf file does not contain the required output, this is a finding.","fixText":"Configure the required password encryption requirements by running the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000196"]},{"vulnId":"V-254218","ruleId":"SV-254218r982188_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce 24 hours/1 day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"Confirm Nutanix AOS is configured to enforce 24 hour/1 day minimum password lifetime.\n\n$ sudo grep -i pass_min_days /etc/login.defs\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.\n\n$ sudo awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.","fixText":"Configure the password minimum age by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000198"]},{"vulnId":"V-254219","ruleId":"SV-254219r982200_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.","checkContent":"Confirm Nutanix AOS is configured to enforce a 60-day maximum password lifetime.\n\n$ sudo grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is not \"60\" or less, or is commented out, this is a finding.\n\n$ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.","fixText":"Configure the password maximum age by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000199"]},{"vulnId":"V-254220","ruleId":"SV-254220r982201_rule","severity":"medium","ruleTitle":"Nutanix AOS must prohibit password reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.","checkContent":"Confirm Nutanix AOS is configured to prohibit password reuse for a minimum of five generations.\n\n$ sudo grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.","fixText":"Configure the password maximum age by running the following command:\n\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000200"]},{"vulnId":"V-254221","ruleId":"SV-254221r958828_rule","severity":"medium","ruleTitle":"Nutanix AOS must prohibit the use of cached authenticators.","description":"If cached authentication information is out-of-date, the validity of the authentication information may be questionable.","checkContent":"Confirm Nutanix AOS is not configured to allow cached credentials via the System Security Session Daemon (SSSD).\n\n$ service sssd status\n\nIf the sssd service is installed or active, this is a finding.","fixText":"If the SSSD service is installed, the Controller VM must be reinstalled.","ccis":["CCI-002007"]},{"vulnId":"V-254222","ruleId":"SV-254222r971535_rule","severity":"high","ruleTitle":"Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.","description":"Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nOperating systems utilizing encryption are required to 
use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.","checkContent":"Verify that the pam_unix.so module is configured to use SHA512.\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\npassword    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\npassword    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok\n\nIf \"sha512\" is not an option in both outputs, or is commented out, this is a finding.","fixText":"Configure the pam.d modules to comply with FIPS 140-2:\n\n1. Enable high-strength passwords:\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true\n\n2. After enabling the high-strength passwords, the system will process the salt stack to enable the DoD versions of the pam.d files. Recheck the Check Text for compliance.  
\n\nTo run the salt command manually to enable the pam.d auth files, run the following command (high-strength passwords must be set to true):\n$ sudo salt-call state.sls security/CVM/pamCVM","ccis":["CCI-000803"]},{"vulnId":"V-254223","ruleId":"SV-254223r958846_rule","severity":"medium","ruleTitle":"Nutanix AOS must audit all activities performed during nonlocal maintenance and diagnostic sessions.","description":"If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.\n\nThis requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.\n\nThis requirement applies to hardware/software diagnostic test equipment or tools. 
This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch.","checkContent":"Confirm Nutanix AOS audits all required activities performed during nonlocal maintenance and diagnostic sessions.\n\n$ sudo grep -i /usr/sbin/semanage /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/bin/chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n$ sudo grep -i /var/run/faillock /etc/audit/audit.rules\n-w /var/run/faillock/ -p wa -k logins\n\n$ sudo grep -i /var/log/lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins\n\nIf any of the commands listed do not return any output, this is a finding.","fixText":"Configure Nutanix AOS to audit all required activities performed during nonlocal maintenance and diagnostic sessions by running the following command.\n\nsalt-call state.sls security/CVM/auditCVM","ccis":["CCI-002884"]},{"vulnId":"V-254224","ruleId":"SV-254224r959006_rule","severity":"high","ruleTitle":"Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. 
The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nSatisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176","checkContent":"Confirm Nutanix AOS implements DoD-approved encryption to protect the confidentiality of remote access sessions.\n\nDetermine if the \"dracut-fips\" package is installed with the following command:\n\n$ sudo yum list installed dracut-fips\ndracut-fips.x86_64-033-572.el7 \n\nIf the dracut-fips package is not installed, this is a finding.\n\nDetermine if FIPS mode is enabled with the following command:\n\n$ fipscheck\nusage: fipscheck [-s <hmac-suffix>] <paths-to-files>\nfips mode is on\n\nIf FIPS mode is \"on\", determine if the kernel boot parameter is configured for FIPS mode with the following command:\n\n$ sudo cat /boot/grub/grub.conf | grep fips\n\nIf the kernel output does not list \"fips=1\", this is a finding.\n\nIf the kernel boot parameter is configured to use FIPS mode, determine if the system is in FIPS mode with the following command:\n\n$ sudo cat /proc/sys/crypto/fips_enabled\n1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.","fixText":"Configure the system to run in FIPS mode by running the following command:\n\n$ sudo salt-call state.sls security/CVM/fipsCVM","ccis":["CCI-002450"]},{"vulnId":"V-254225","ruleId":"SV-254225r958518_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to run SELinux Policies.","description":"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.","checkContent":"Nutanix AOS is configured by default to run SELinux Policies. Confirm Nutanix AOS has the policycoreutils package installed with the following command:\n\n$ sudo yum list installed policycoreutils\nInstalled Packages\npolicycoreutils.x86_64                                                 2.5-34.el7                                                 @base\n\nIf the policycoreutils package is not installed, this is a finding.","fixText":"Configure the operating system to have the policycoreutils package installed with the following command:\n\n$ sudo yum install policycoreutils","ccis":["CCI-001084"]},{"vulnId":"V-254226","ruleId":"SV-254226r958524_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to restrict public directories.","description":"Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.","checkContent":"Confirm that all public directories on Nutanix AOS are owned by root or a system account with the following command:\n\n$ sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\ndrwxrwxrwt. 2 root root 40 Jun  4 15:21 /dev/mqueue\ndrwxrwxrwt. 2 root root 40 Jun  4 15:21 /dev/shm\ndrwxrwxrwt. 7 root root 4096 Jul 28 15:37 /tmp\n\nIf any of the returned directories are not owned by root or a system account, this is a finding.\n\nDetermine that all world-writable directories have the sticky bit set by running the following command:\n\n$ sudo find / -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.","fixText":"Configure all public directories to be owned by root or a system account to prevent unauthorized and unintended information transfer via shared system resources.\n\nSet the owner of all public directories to root or a system account using the following command, replacing \"[Public Directory]\" with any directory path not owned by root or a system account:\n\n$ sudo chown root [Public Directory]\n\nSet the sticky bit on all world-writable directories using the following command, replacing \"[World-Writable Directory]\" with any directory path missing the sticky bit:\n\n$ sudo chmod 1777 [World-Writable Directory]","ccis":["CCI-001090"]},{"vulnId":"V-254227","ruleId":"SV-254227r958902_rule","severity":"medium","ruleTitle":"Nutanix AOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). 
Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.","checkContent":"Confirm Nutanix AOS protects against or limits the effects of DoS attacks by ensuring that rate-limiting measures are enabled.\n\n$ /sbin/sysctl -a | grep 'net.ipv4.tcp_invalid_ratelimit'\nnet.ipv4.tcp_invalid_ratelimit = 500\n\nIf \"net.ipv4.tcp_invalid_ratelimit\" has a value of \"0\", this is a finding.\n\nIf \"net.ipv4.tcp_invalid_ratelimit\" has a value greater than \"1000\" and is not documented with the Information System Security Officer (ISSO), this is a finding.","fixText":"Configure Nutanix AOS firewall services by running the following command:\n\n$ sudo salt-call state.sls security/CVM/iptables/init","ccis":["CCI-002385"]},{"vulnId":"V-254228","ruleId":"SV-254228r958528_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.","checkContent":"Confirm Nutanix AOS is configured to use syncookies.\n\n$ sysctl net.ipv4.tcp_syncookies \nnet.ipv4.tcp_syncookies = 1 \n\nIf the value is not \"1\", this is a finding. 
\n\nCheck the saved value of TCP syncookies with the following command: \n\n$ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' \n\nIf no output is returned, this is a finding.","fixText":"Configure Nutanix AOS to use TCP syncookies by running the following command: \n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1 \n\nIf \"1\" is not the system's default value, add or update the following line in \"/etc/sysctl.conf\": \n\nnet.ipv4.tcp_syncookies = 1","ccis":["CCI-001095"]},{"vulnId":"V-254229","ruleId":"SV-254229r958908_rule","severity":"medium","ruleTitle":"Nutanix AOS must protect the confidentiality and integrity of transmitted information.","description":"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.\n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.","checkContent":"Confirm Nutanix AOS has SSH loaded and active.\n\n$ sudo systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.\n\nIf the \"SSH server\" package is not installed, this is a finding.","fixText":"Configure SSH on Nutanix AOS by running the following command:\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-002418"]},{"vulnId":"V-254230","ruleId":"SV-254230r958912_rule","severity":"medium","ruleTitle":"Nutanix AOS must maintain the confidentiality and integrity of information during preparation for transmission.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nEnsuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption.\n\nUse of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, SSL VPNs, or IPsec.","checkContent":"Confirm Nutanix AOS has SSH loaded and active.\n\n$ sudo systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.\n\nIf the \"SSH server\" package is not installed, this is a finding.","fixText":"Configure SSH on Nutanix AOS by running the following command:\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-002420"]},{"vulnId":"V-254231","ruleId":"SV-254231r958914_rule","severity":"medium","ruleTitle":"Nutanix AOS must maintain the confidentiality and integrity of information during reception.","description":"Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
When receiving data, operating systems need to leverage protection mechanisms such as TLS, SSL VPNs, or IPsec.","checkContent":"Confirm Nutanix AOS has SSH loaded and active.\n\n$ sudo systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.\n\nIf the \"SSH server\" package is not installed, this is a finding.","fixText":"Configure SSH on Nutanix AOS by running the following command:\n\n$ sudo salt-call state.sls security/CVM/sshdCVM","ccis":["CCI-002422"]},{"vulnId":"V-254232","ruleId":"SV-254232r958564_rule","severity":"medium","ruleTitle":"Nutanix AOS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.\n\nOrganizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. 
Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.","checkContent":"Verify Nutanix AOS has all system log files under the /home/log directory with permissions set to \"640\" by using the following command:\n\n$ sudo find /home/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output, this is a finding.","fixText":"Configure Nutanix AOS to set the permissions of all log files under the /home/log directory to \"640\" or more restricted by using the following command:\n\n$ sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \\;","ccis":["CCI-001312"]},{"vulnId":"V-254233","ruleId":"SV-254233r958566_rule","severity":"medium","ruleTitle":"Nutanix AOS must reveal error messages only to authorized users.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.","checkContent":"Nutanix AOS audit logs must be owned by root to prevent unauthorized read access.\n\nDetermine where the audit log file is located:\n$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /home/log/audit/audit.log\n\nUsing the location of the audit log file, determine if the audit log is owned by \"root\" using the following command:\nls -al /home/log/audit/audit.log\n-rw-------. 1 root root 3427758 Apr  8 18:43 /home/log/audit/audit.log\n\nIf the audit log is not owned by \"root\", this is a finding.","fixText":"Configure the audit rules ownership by running the following command:\n\n$ sudo salt-call state.sls security/CVM/auditCVM","ccis":["CCI-001314"]},{"vulnId":"V-254234","ruleId":"SV-254234r958928_rule","severity":"medium","ruleTitle":"Nutanix AOS must implement nonexecutable data to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Nutanix AOS is configured to implement nonexecutable data to protect its memory from unauthorized code execution.\n\n$ sudo grep flags /proc/cpuinfo | grep -w nx\nflags.       : fpu vme de …. 
nx pdpe1gb rdtscp...\n\nIf \"flags\" does not contain the \"nx\" flag, this is a finding.","fixText":"If Nutanix AOS does not list the 'nx' flag in /proc/cpuinfo and the system's BIOS setup configuration permits toggling the No Execution bit, then set it to \"enable\".","ccis":["CCI-002824"]},{"vulnId":"V-254235","ruleId":"SV-254235r958928_rule","severity":"medium","ruleTitle":"Nutanix AOS must implement address space layout randomization to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Confirm Nutanix AOS is configured to implement address space layout randomization.\n\n$ sudo sysctl kernel.randomize_va_space\nkernel.randomize_va_space = 2\n\nIf the value of kernel.randomize_va_space is anything other than \"2\", this is a finding.","fixText":"Configure Nutanix AOS to implement address space layout randomization by running the following command:\n\n$ sudo sysctl kernel.randomize_va_space=2","ccis":["CCI-002824"]},{"vulnId":"V-254236","ruleId":"SV-254236r958936_rule","severity":"medium","ruleTitle":"Nutanix AOS must remove all software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.","checkContent":"Confirm Nutanix AOS removes all software components after updated versions have been installed.\n\n$ sudo grep -i clean_requirements_on_remove /etc/yum.conf\nclean_requirements_on_remove=1\n\nIf \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a finding.","fixText":"Configure Yum settings to remove all software components after an updated version is installed by running the following command:\n\n$ sudo salt-call state.sls security/CVM/yumCVM","ccis":["CCI-002617"]},{"vulnId":"V-254237","ruleId":"SV-254237r958944_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to use SELinux Enforcing mode.","description":"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.\n\nSatisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SRG-OS-000134-GPOS-00068","checkContent":"Confirm Nutanix AOS verifies correct operation of all security functions.\n\n$ sudo sestatus\nSELinux status:                 enabled\nSELinuxfs mount:                /sys/fs/selinux\nSELinux root directory:         /etc/selinux\nLoaded policy name:             targeted\nCurrent mode:                   enforcing\nMode from config file:          enforcing\nPolicy MLS status:              enabled\nPolicy deny_unknown status:     allowed\nMax kernel policy version:      31\n\nIf the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\nVerify that the /etc/selinux/config file sets \"SELINUXTYPE\" to \"targeted\":\n\n$ sudo grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\nSELINUXTYPE = targeted\n\nIf no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.","fixText":"Configure Nutanix AOS to verify correct operation of all security functions.\n\nSet the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUX=enforcing\n\nA reboot is required for the changes to take effect.","ccis":["CCI-001084","CCI-002696","CCI-002699","CCI-002702"]},{"vulnId":"V-264424","ruleId":"SV-264424r992069_rule","severity":"high","ruleTitle":"Nutanix AOS must be running an operating system release that is currently supported by the vendor.","description":"Security flaws with software applications are discovered daily. 
Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes) to production systems after thorough testing of the patches within a lab environment. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.","checkContent":"Product version is end of life and no longer supported.\n\nIf the system is running AOS version 5.20.x, this is a finding.","fixText":"Upgrade to a supported version.","ccis":["CCI-002605"]}]}