{"stig":{"title":"Nutanix Acropolis Application Server Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-279415","ruleId":"SV-279415r1191367_rule","severity":"medium","ruleTitle":"Nutanix AOS must limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"Application management includes the ability to control the number of sessions that use an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to denial-of-service (DOS) attacks.\n\nApplication servers host and expose business logic and application processes.\n\nThe application server must limit the maximum number of concurrent sessions in a manner that affects the entire application server or on an individual application basis.\n\nAlthough there is some latitude concerning the settings themselves, the settings should follow DOD-recommended values, but the settings should be configurable to allow for future DOD direction.\n\nWhile the DOD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.","checkContent":"Verify DODIN mode is enabled to ensure maximum concurrent session is limited to 10.\n\n1. For AOS, run the following command:\n\n$ ncli cluster get-cvm-security-config\nEnable DoDin Additiona... : true\n\n2. For Prism Central, run the following command:\n\n$ ncli cluster get-pcvm-security-config\nEnable DoDin Additiona... : true\n\n3. For Files, run the following command:\n\n$ ncli cluster get-afs-security-config\nEnable DoDin Additiona... 
: true\n\nIf the value for \"Enable DoDin Additional\" is not set to \"True\", this is a finding.","fixText":"Set max concurrent connections to 10 by running the following command:\n\n$ configure_dod_mode.sh enter_dod_mode","ccis":["CCI-000054"]},{"vulnId":"V-279416","ruleId":"SV-279416r1191034_rule","severity":"medium","ruleTitle":"Nutanix AOS must automatically terminate a user session after a maximum of 15 minutes for nonprivileged users.","description":"An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.\n\nTo thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.","checkContent":"Validate that the Prism WebUI Session Idle Timeout is set to 15 minutes and the Timeout Override is set to Deny Override.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"UI Settings\".\n4. Verify the \"Session Idle Timeout for current User\" is set to 15 Minutes.\n5. Verify the \"Default Session Idle Timeout for Non-Admin Users\" is set to 15 Minutes.\n6. Verify the \"Session Idle Override for Non-Admin Users\" is set to \"Deny Override\".\n\nIf any of the idle timeout settings or the override setting do not match the required settings, this is a finding.","fixText":"Configure the Nutanix AOS Prism Element WebUI Session Idle timeout and Override settings.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. 
Navigate to \"UI Settings\".\n4. Set the \"Session Idle Timeout for current User\" to 15 Minutes.\n5. Set the \"Default Session Idle Timeout for Non-Admin Users\" to 15 Minutes.\n6. Set the \"Session Idle Override for Non-Admin Users\" to \"Deny Override\".","ccis":["CCI-002361"]},{"vulnId":"V-279418","ruleId":"SV-279418r1191040_rule","severity":"medium","ruleTitle":"Nutanix AOS must have TLS enabled.","description":"Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.\n\nTypes of management interfaces used by an application server include web-based HTTPS interfaces as well as command line-based management interfaces.\n\nSatisfies: SRG-APP-000014-AS-000009, SRG-APP-000015-AS-000010","checkContent":"Verify the Signing Algorithm of the current TLS certificate.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"SSL Certificate\".\n\nIf there is no DOD TLS certificate loaded, this is a finding.","fixText":"Import a DOD PKI-issued TLS certificate.\n\n1. Click the gear icon in the upper-right corner.\n2. Navigate to \"SSL Certificate\".\n3. Select the option to import certificate and follow the prompts.","ccis":["CCI-000068","CCI-001453"]},{"vulnId":"V-279421","ruleId":"SV-279421r1192347_rule","severity":"medium","ruleTitle":"Nutanix AOS must configure role mapping.","description":"Strong access controls are critical to securing the application server. 
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be implemented to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, application domains) in the application server.\n\nWithout stringent logical access and authorization controls, an adversary may have the ability, with very little effort, to compromise the application server and associated supporting infrastructure.\n\nSatisfies: SRG-APP-000033-AS-000024, SRG-APP-000340-AS-000185","checkContent":"Nutanix AOS supports user and group role mapping. Verify all users or groups match the documented mapping policies in the system security plan (SSP).\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Role mapping\".\n\nFor each user or group listed, verify the role granted is consistent with the access control policies. If not, this is a finding.","fixText":"Configure the user and group mappings to be compliant with the documented mapping policies defined in the SSP.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Role mapping\".\n4. 
Add users and groups to role mappings per policy.","ccis":["CCI-000213","CCI-002235"]},{"vulnId":"V-279422","ruleId":"SV-279422r1191052_rule","severity":"medium","ruleTitle":"Nutanix AOS server management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.","description":"Application servers are required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance that states that: \n\n(i) users are accessing a U.S. Government information system; \n(ii) system usage may be monitored, recorded, and subject to audit; \n(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and \n(iv) using the system indicates consent to monitoring and recording.\n\nSystem use notification messages can be implemented in the form of warning banners displayed when individuals log on to the information system. \n\nSystem use notification is intended only for information system access including an interactive logon interface with a human user and is not required when an interactive interface does not exist. \n\nUse this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner must be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nSatisfies: SRG-APP-000068-AS-000035, SRG-APP-000069-AS-000036","checkContent":"Verify the Prism WebUI \"Welcome Banner\" is enabled.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the \"Welcome Banner\".\n4. Verify the \"Enable Banner\" box is selected.\n\nIf the \"Enable Banner\" box is not checked, this is a finding.\n\nConfirm the Nutanix AOS Prism WebUI is set to display the Standard Mandatory DOD Notice and Consent Banner.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the \"Welcome Banner\" and enter the following text exactly as presented below.\n \nYou are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nIf the Welcome Banner is not configured with the Standard Mandatory DOD Notice and Consent Banner, this is a finding.","fixText":"Configure the Nutanix AOS Prism Element WebUI to display the Standard Mandatory DOD Notice and Consent Banner.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the \"Welcome Banner\".\n4. Set the Welcome Banner to use the DOD banner text below.\n5. Check \"Enable Banner\".\n6. Click \"Save\".\n\nStandard Mandatory DOD Notice and Consent Banner:\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.","ccis":["CCI-000048","CCI-000050"]},{"vulnId":"V-279423","ruleId":"SV-279423r1191055_rule","severity":"medium","ruleTitle":"Nutanix AOS must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation.","description":"Nonrepudiation of actions taken is required to maintain application integrity. Examples of actions include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. 
\n\nNonrepudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. \n\nTypical application server actions requiring nonrepudiation will be related to application deployment among developers/users and administrative actions taken by admin personnel.","checkContent":"Confirm the Nutanix VM application server Prism Element WebUI requires client authentication.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the \"Authentication\" section.\n4. Click the \"Client\" tab.\n5. Verify \"Client Authentication\" is enabled.\n\nIf Client Authentication (CAC Auth) is not enabled, this is a finding.","fixText":"Configure the Nutanix VM application server Prism Element WebUI to require client authentication. \n\n1. Log in to Prism Element.\n2. Click the gear in the upper-right corner and navigate to \"Authentication\".\n3. Click the \"Client\" tab.\n4. Select the \"Configure Client Chain Certificate\" check box.\n5. Click the \"Choose File\" button, browse to and select a client chain certificate to upload, and then click the \"Open\" button to upload the certificate.\n6. Click \"Enable Client Authentication\".","ccis":["CCI-000166"]},{"vulnId":"V-279424","ruleId":"SV-279424r1191058_rule","severity":"medium","ruleTitle":"Nutanix AOS must off-load log records onto a different system or media from the system being logged.","description":"Information system logging capability is critical for accurate forensic analysis. 
Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.\n\nOff-loading is a common process in information systems with limited log storage capacity.\n\nCentralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to off-load log records onto a different system or media than the system being logged.\n\nSatisfies: SRG-APP-000358-AS-000064, SRG-APP-000515-AS-000203","checkContent":"Confirm the Nutanix VM application server is configured to off-load log records onto a different system. \n\n$ ncli rsyslog-config ls-servers\n\nIf no remote syslog servers are defined, this is a finding.","fixText":"Configure the Nutanix VM application server to off-load log records onto a different system by running the following command:\n\n$ ncli rsyslog-config add-server name=<remote_server_name> relp-enabled=<true | false> ip-address=<remote_ip_address> port=<port_num> network-protocol=<tcp | udp>","ccis":["CCI-001851"]},{"vulnId":"V-279425","ruleId":"SV-279425r1192580_rule","severity":"medium","ruleTitle":"Nutanix Cluster Check (NCC) must be configured to provide alerts to the system administrator (SA) and information system security officer (ISSO), immediately when audit storage reaches 75 percent capacity.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. 
Notification of the storage condition will allow administrators to take actions so that logs are not lost. This requirement can be met by configuring the application server to use a dedicated logging tool that meets this requirement.\n\nSatisfies: SRG-APP-000359-AS-000065, SRG-APP-000360-AS-000066, SRG-APP-000108-AS-000067","checkContent":"Confirm the NCC \"CVM DISK | System Audit Volume Usage\" is enabled and an alert is sent when the disk capacity reaches or exceeds 75 percent.\n\n1. Log in to Prism Element.\n2. Select \"Health dashboard\" from the navigation drop-down.\n3. Select Actions >> Manage Checks.\n4. Scroll to the \"CVM | Disk\" section, and then select \"System Audit Volume Usage\".\n5. Validate the Alert Policy settings for \"Warning and Critical\" are set to 75 percent.\n\nConfirm Nutanix AOS is set to send SMTP alerts to the email address(es) for the ISSO and SA, at a minimum.\n\n1. Log in to Prism Element.\n2. Select the \"Health\" dashboard.\n3. On the \"Actions\" tab, review the setting for \"Set NCC Frequency\".\n\nIf NCC alert settings are not configured as required, this is a finding.","fixText":"Enable the NCC \"CVM DISK | System Audit Volume Usage\", set the threshold values, and verify an alert is sent when the disk capacity reaches or exceeds 75 percent.\n\n1. Log in to Prism Element.\n2. Select \"Health\" from the navigation drop-down.\n3. Select Actions >> Manage Checks.\n4. Scroll to the \"CVM | Disk\" section, then select \"System Audit Volume Usage\".\n5. If the check is disabled, click to enable it.\n6. Select \"Alert Policy\", then set the values for the \"Warning\" and \"Critical\" thresholds to 75 percent and click \"Save\".\n\nConfigure NCC within Prism Element to send alert emails to the ISSO and SA.\n\n1. On the Actions tab, select \"Set NCC Frequency\".\n2. Enter frequency timeframe.\n3. 
Enter recipient email address(es).","ccis":["CCI-001855","CCI-001858","CCI-000139"]},{"vulnId":"V-279426","ruleId":"SV-279426r1191064_rule","severity":"medium","ruleTitle":"Nutanix AOS must use internal system clocks to generate time stamps for log records.","description":"Without using an approved and synchronized time source on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the application server.\n\nIf an event has been triggered on the network and the application server is not configured with the correct time, the event may be seen as insignificant, when in reality the events are related and may have a larger impact across the network. Synchronization of system clocks is needed to correctly correlate the timing of events that occur across multiple systems. Determining the correct time a particular event occurred on a system, via time stamps, is critical when conducting forensic analysis and investigating system events. \n\nApplication servers must use the internal system clock when generating time stamps and log records.","checkContent":"Confirm Prism Element is set to use an authoritative time source to generate time stamps for log records.\n\n1. Log in to Prism Element.\n2. Select the gear icon in the upper-right corner.\n3. Select \"NTP Servers\" from the left navigation pane.\n\nIf no authoritative time sources are listed, this is a finding.","fixText":"Configure Prism Element to use organization-identified authoritative time sources.\n\n1. Log in to Prism Element.\n2. Select the gear icon in the upper-right corner.\n3. Select \"NTP Servers\" from the left navigation pane.\n4. Enter authoritative time sources, then click \"Add\". 
Multiple time sources can be added.","ccis":["CCI-000159"]},{"vulnId":"V-279427","ruleId":"SV-279427r1191067_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to protect the application server log files from unauthorized access.","description":"If log data is compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access.\n\nSatisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080","checkContent":"Confirm the Nutanix VM application server log files are protected from unauthorized read access.\n\nThe Nutanix AOS log files are owned by the Nutanix user and have a file permission of \"640\".\n\n1. Identify the actual file name by looking at alert_manager.INFO, which is a symlink for the actual rotating file name.\n\n$ sudo ls -al /home/nutanix/data/logs/alert_manager.INFO \nlrwxrwxrwx. 1 nutanix nutanix 75 Nov  1 17:50 /home/nutanix/data/logs/alert_manager.INFO -> alert_manager.ntnx-<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER>\n\n2. 
Execute a stat command on the actual application server log file name.\n\n$ sudo stat -c \"%a %n\" /home/nutanix/data/logs/alert_manager.ntnx-<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER>\n640  /home/nutanix/data/logs/alert_manager.ntnx<CVM_NAME>.nutanix.log.INFO.<LOG_NUMBER>\n\nIf the permission mode reported for the actual log file is not 640, this is a finding.","fixText":"Configure the Nutanix VM application server Prism Element log file permissions.\n\n1. Run the following command:\n\n$ sudo salt-call state.sls security/CVM/interactivenutanixCVM\n\n2. For Prism Central, run the following command:\n\n$ sudo salt-call state.sls security/PCVM/interactivenutanixPCVM\n\n3. For Files, run the following command:\n\n$ sudo salt-call state.sls security/AFS/interactivenutanixAFS","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-279430","ruleId":"SV-279430r1191372_rule","severity":"medium","ruleTitle":"Nutanix AOS must configure the Nutanix Cluster Check (NCC) to alert the information system security officer (ISSO)/information system security manager (ISSM) or designated personnel, at a minimum.","description":"NCC is a diagnostic framework designed to ensure the health and stability of Nutanix clusters. It consists of a collection of scripts and tools that perform automated checks to identify potential issues in the cluster's configuration, performance, and overall health. Users can run all checks or select specific ones based on their needs. 
NCC is an essential tool for maintaining the health and reliability of Nutanix environments, providing both automated diagnostics and actionable insights for administrators.\n\nHowever, the information contained in the report is sensitive and the report should only be sent to appropriately identified personnel.","checkContent":"Verify the Nutanix NCC is set to send SMTP alerts to the ISSO/ISSM (or designated personnel), at a minimum. The site can define a frequency that meets their needs.\n\n1. Log in to Prism Element.\n2. Select \"Health dashboard\".\n3. In the \"Actions\" tab, select \"Set NCC Frequency\".\n\nIf the organization-defined recipient(s) are not configured for the NCC, this is a finding.","fixText":"Configure the NCC to alert the ISSO/ISSM or designated personnel, at a minimum. The site can define a frequency that meets their needs.\n\n1. Log in to Prism Element.\n2. Select \"Health dashboard\".\n3. In the \"Actions\" tab, select \"Set NCC Frequency\".\n4. Enter frequency timeframe.\n5. 
Enter recipient email address(es).","ccis":["CCI-003831"]},{"vulnId":"V-279431","ruleId":"SV-279431r1191079_rule","severity":"medium","ruleTitle":"Nutanix AOS must enforce access restrictions associated with changes to configuration and software libraries.","description":"When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system.\n\nAccess restrictions for changes also include application software libraries.\n\nIf the application server provides automatic code deployment capability (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict using automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.\n\nSatisfies: SRG-APP-000380-AS-000088, SRG-APP-000133-AS-000092","checkContent":"Confirm Prism Element is set up with Role-Based Access Control (RBAC).\n\n1. Log in to Prism Element.\n2. Select the gear icon in the top-right corner.\n3. Select \"Authentication\" from the left navigation pane.\n\nIf no organization-approved directory (AD/LDAP) is listed, this is a finding.\n\n4. Next, select \"Role Mapping\".\n\nIf no role mappings are listed, this is a finding.","fixText":"Configure the Nutanix VM application server Prism Element to use RBAC with an organization-approved directory (AD, LDAP).\n\n1. Log in to Prism Element.\n2. Select the gear icon in the top-right corner.\n3. Select \"Authentication\" from the left navigation pane.\n4. Add an authenticated organization-approved directory. \n5. 
Set up role mappings for users and/or groups.","ccis":["CCI-001813","CCI-001499"]},{"vulnId":"V-279433","ruleId":"SV-279433r1191374_rule","severity":"medium","ruleTitle":"Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished using a user store which is either local (OS-based) or centralized (LDAP) in nature.\n\nTo ensure support for the enterprise, the authentication must use an enterprise solution.","checkContent":"Confirm the Nutanix VM application server is set to use enterprise user management systems.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the Authentication settings.\n\nIf no Active Directory or OpenLDAP server is configured, this is a finding.","fixText":"Configure the Nutanix VM application server to use an enterprise user management system to authenticate individual users.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the Authentication settings.\n4. Add an Active Directory or OpenLDAP server to the directory list.\n\nAlternatively, create individual local users within Prism.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Local User Management\".\n4. Select \"+ New Users\".","ccis":["CCI-000764"]},{"vulnId":"V-279434","ruleId":"SV-279434r1192622_rule","severity":"high","ruleTitle":"Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication.","description":"Multifactor authentication (MFA) is defined as using two or more factors to achieve authentication. 
MFA creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement the attacker must have something from the user, such as a token, or to biometrically be the user.\n\nFactors include: \n(i) Something a user knows (e.g., password/PIN); \n(ii) Something a user has (e.g., cryptographic identification device, token); or \n(iii) Something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.\n\nA privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface.\n\nWhen accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled.\n\nSatisfies: SRG-APP-000149-AS-000102, SRG-APP-000401-AS-000243, SRG-APP-000402-AS-000247, SRG-APP-000177-AS-000126, SRG-APP-000403-AS-000248","checkContent":"Verify the Nutanix AOS uses a centralized AAA server that uses DOD PKI to authenticate individual users.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the Authentication settings.\n\nIf CAC authentication is not enabled, this is a finding.","fixText":"Configure the Nutanix AOS to use a centralized AAA server that uses DOD PKI to authenticate individual users.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the Authentication settings. \n4. Select the \"Configure Service Account\" check box and then complete the following in the indicated fields:\na. 
Select the authentication directory that contains the CAC users to be authenticated. This list includes the directories configured on the Directory List tab.\nb. Service Username: Enter the username in the username@domain.com format the web console will use to log in to the Active Directory.\nc. Service Password: Enter the password for the service username.\nd. Click \"Enable CAC\".","ccis":["CCI-000765","CCI-004068","CCI-002009","CCI-000187","CCI-002010","CCI-004046"]},{"vulnId":"V-279435","ruleId":"SV-279435r1191091_rule","severity":"high","ruleTitle":"Nutanix AOS must use multifactor authentication for local access to privileged accounts.","description":"Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement the attacker must have something from the user, such as a token, or to biometrically be the user.\n\nMultifactor authentication is defined as using two or more factors to achieve authentication. \n\nFactors include: \n(i) Something a user knows (e.g., password/PIN); \n(ii) Something a user has (e.g., cryptographic identification device, token); or \n(iii) Something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.\n\nA privileged account is defined as an information system account with authorizations of a privileged user. 
These accounts would be capable of accessing the command-line management interface.\n\nWhen accessing the application server via a local connection, administrative access to the application server must be PKI hardware token enabled.","checkContent":"Confirm the Nutanix VM application server Envoy Reverse Proxy server only has one local account, and that it is the account of last resort. The Envoy Reverse Proxy server relies on AD for user management.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n\nIf no Active Directory or OpenLDAP server is configured, this is a finding.","fixText":"Configure the Nutanix VM application server to use an enterprise user management system to authenticate individual users.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. Add an Active Directory or OpenLDAP server to the directory list.\n\nAlternatively, individual local users can be created within Prism.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Local User Management.\n4. Select \"+ New Users\".","ccis":["CCI-000765"]},{"vulnId":"V-279438","ruleId":"SV-279438r1191100_rule","severity":"medium","ruleTitle":"Nutanix AOS must authenticate users individually prior to using a group authenticator.","description":"To ensure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated. \n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. \n\nApplication servers must ensure individual users are authenticated prior to authenticating via role or group authentication. 
This is to ensure there is nonrepudiation for actions taken.","checkContent":"Confirm the Nutanix VM application server is set to use enterprise user management systems. Envoy Reverse Proxy does not support group authenticators.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n\nIf no Active Directory or OpenLDAP server is configured, this is a finding.","fixText":"Configure the Nutanix VM application server to use an enterprise user management system to authenticate individual users.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. Add an Active Directory or OpenLDAP server to the directory list.\n\nAlternatively, individual local users can be created within Prism.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Local User Management.\n4. Select \"+ New Users\".","ccis":["CCI-004045"]},{"vulnId":"V-279439","ruleId":"SV-279439r1191103_rule","severity":"medium","ruleTitle":"Nutanix AOS must use multifactor authentication (MFA) for access to privileged and nonprivileged accounts by enabling client authentication.","description":"Requiring a device separate from the system to which the user is attempting to gain access for one of the factors during MFA is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token) provides a greater strength mechanism and an increased level of assurance in the authentication process.\n\nSatisfies: SRG-APP-000825-AS-000180, SRG-APP-000820-AS-000170","checkContent":"Confirm the Prism Element WebUI requires client authentication.\n\n1. Log in to Prism Element.\n2. 
Click the gear icon in the upper-right corner.\n3. Navigate to Authentication.\n4. Click the \"Client\" tab.\n5. Verify client authentication is enabled.\n\nIf client authentication is not enabled, this is a finding.","fixText":"Configure the Prism Element WebUI to require client authentication. \n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner and navigate to Authentication.\n3. Click the \"Client\" tab.\n4. Select the \"Configure Client Chain Certificate\" check box.\n5. Click \"Choose File\", browse to and select a client chain certificate to upload, and then click \"Open\" to upload the certificate.\n6. Click \"Enable Client Authentication\".","ccis":["CCI-004047","CCI-004046"]},{"vulnId":"V-279440","ruleId":"SV-279440r1191106_rule","severity":"medium","ruleTitle":"Nutanix AOS must use encryption when using LDAP for authentication.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. \n\nApplication servers have the capability to use LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server uses LDAP, the LDAP traffic must be encrypted.","checkContent":"Confirm the Nutanix Envoy Reverse Proxy is set to use encryption when using LDAP.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. Verify an Active Directory or OpenLDAP server is on the directory list.\n\nIf the Active Directory or OpenLDAP servers are not using port 636 or 3269 (LDAPS, TLS encrypted), this is a finding.","fixText":"Configure the Nutanix VM application server to use an Active Directory or OpenLDAP server over LDAPS to authenticate individual users.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. 
Add an Active Directory or OpenLDAP server to the directory list using the TLS-encrypted (LDAPS) port 636 or 3269.","ccis":["CCI-000197"]},{"vulnId":"V-279441","ruleId":"SV-279441r1191109_rule","severity":"medium","ruleTitle":"Nutanix VMM must terminate UI network connections associated with a communications session at the end of the session; for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.","description":"When the application server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network. If cached authentication information is out of date, the validity of the authentication information may be questionable.","checkContent":"Confirm the Nutanix AOS session timeout settings are set to 10 minutes.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"UI Settings\" in the left navigation pane.\n\nFor each user type, verify the session timeout is set to 10 minutes. If not, this is a finding.","fixText":"Configure the Nutanix AOS session timeout settings to 10 minutes.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"UI Settings\" in the left navigation pane. \n4. Set the session timeout settings to 10 minutes per user type.","ccis":["CCI-002007"]},{"vulnId":"V-279442","ruleId":"SV-279442r1192581_rule","severity":"medium","ruleTitle":"Nutanix AOS must perform RFC 5280-compliant certification path validation.","description":"A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. 
Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) responses.","checkContent":"Confirm the Nutanix VM application server has OCSP checking enabled.\n\nRun the following command:\n\n$ ncli authconfig get-client-authentication-config\nAuth Config Status        : true\n\nIf \"Auth Config Status\" is not set to \"true\", this is a finding.","fixText":"Configure the Nutanix VM application server to use OCSP for certificate revocation.\n\nSet the OCSP responder URL:\n\n$ ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url>","ccis":["CCI-000185"]},{"vulnId":"V-279443","ruleId":"SV-279443r1192354_rule","severity":"medium","ruleTitle":"Nutanix AOS must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.","description":"Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted.\n\nThis requirement typically applies to organizational information systems that are accessible to nonfederal government agencies and other partners. This allows federal government-relying parties to trust such credentials at their approved assurance levels.\n\nThird-party credentials are those credentials issued by nonfederal government entities approved by the FICAM Trust Framework Solutions initiative.","checkContent":"If configured, confirm the Nutanix VM application server Prism Element is configured to accept FICAM-approved third-party credentials.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. 
Verify a SAML-based identity provider is configured.\n\nIf a SAML-based identity provider is not configured, this is a finding.","fixText":"Configure the Nutanix VM application server Prism Element to use FICAM authentication.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner. \n3. Navigate to Authentication settings.\n4. Select the \"Configure SAML Authentication Account\" check box, and then do the following in the indicated fields:\na. Select the authentication directory that contains the CAC users to authenticate. This list includes the directories that are configured on the Directory List tab.\nb. Service Username: Enter the username in the username@domain.com format for the web console to use to log in to the Active Directory.\nc. Service Password: Enter the password for the service username.\nd. Click \"Enable CAC\".","ccis":["CCI-004083"]},{"vulnId":"V-279444","ruleId":"SV-279444r1192356_rule","severity":"medium","ruleTitle":"Nutanix AOS must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.","description":"Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0.\n\nThis requirement addresses open identity management standards.","checkContent":"Confirm the Nutanix VM application server Prism Element is configured to accept FICAM-approved third-party credentials.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. Verify a SAML-based identity provider is configured.\n\nIf a SAML-based identity provider is not configured, this is a finding.","fixText":"Configure the Nutanix VM application server Prism Element to use FICAM authentication.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to Authentication settings.\n4. 
Select the \"Configure SAML Authentication Account\" check box, and then do the following in the indicated fields:\na. Select the authentication directory that contains the CAC users to authenticate. This list includes the directories that are configured on the Directory List tab.\nb. Service Username: Enter the username in the username@domain.com format that you want the web console to use to log in to the Active Directory.\nc. Service Password: Enter the password for the service username.\nd. Click \"Enable CAC\".","ccis":["CCI-004085"]},{"vulnId":"V-279445","ruleId":"SV-279445r1192540_rule","severity":"medium","ruleTitle":"Nutanix AOS must be configured to use DOD PKI-issued certificates.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes using SSL/TLS certificates. The application server must only allow using DOD PKI-established certificate authorities for verification.\n\nSatisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137","checkContent":"Confirm the Nutanix VM application server is configured with a trusted DOD root CA-signed certificate.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to the SSL Certificate section.\n4. Ensure the approved CA signed certificate is installed.\n\nIf the certificate used is not from an approved DOD-approved CA, this is a finding.","fixText":"Configure the Nutanix VM application server to use a trusted DOD root CA-signed certificate.\n\n1. Log in to Prism Element.\n2. 
Click the gear icon in the upper-right corner.\n3. Navigate to the SSL Certificate section.\n4. Click \"Replace Certificate\".\n5. Select \"Import Key and Certificate\".\n6. Select the Private Key Type and upload the private key, public certificate, and the CA certificate or chain.\n7. Select \"Import Files\".","ccis":["CCI-002470","CCI-002450"]},{"vulnId":"V-279446","ruleId":"SV-279446r1192360_rule","severity":"medium","ruleTitle":"Nutanix AOS must protect the confidentiality and integrity of all information at rest.","description":"When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise.\n\nFewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by unauthorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection.\n\nAs part of a defense-in-depth strategy, data owners and DOD consider routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.\n\nThe strength of mechanisms is commensurate with the classification and sensitivity of the information.\n\nThe application server must directly provide, or provide access to, cryptographic libraries and functionality that allow applications to encrypt data when it is stored.","checkContent":"Confirm the Nutanix VM application server is set to use data-at-rest encryption.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Data-at-Rest Encryption\".\n4. 
Verify software encryption is enabled.\n\nIf software encryption is not enabled, this is a finding.","fixText":"Configure the Nutanix VM application server to use data-at-rest encryption.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Data-at-Rest Encryption\".\n4. Select \"Edit configuration\".\n5. Select either the cluster local KMS or an external KMS.\n6. Click \"Protect\" and confirm by typing \"ENCRYPT\".","ccis":["CCI-001199"]},{"vulnId":"V-279447","ruleId":"SV-279447r1192582_rule","severity":"medium","ruleTitle":"Nutanix AOS must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored offline.","description":"This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system.\n\nApplication servers generate information throughout the course of their use, most notably, log data. If the data is not encrypted while at rest, the data used later for forensic investigation cannot be guaranteed to be unchanged and cannot be used for prosecution of an attacker. To accomplish a credible investigation and prosecution, the data integrity and information confidentiality must be guaranteed.\n\nApplication servers must provide the capability to protect all data, especially log data, to ensure confidentiality and integrity.","checkContent":"Confirm the Nutanix VM application server is set to use data-at-rest encryption when stored offline.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Data-at-Rest Encryption\".\n4. 
Verify software encryption is enabled.\n\nIf software encryption is not enabled, this is a finding.","fixText":"Configure the Nutanix VM application server to use data-at-rest encryption when stored offline.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Data-at-Rest Encryption\".\n4. Select \"Edit configuration\".\n5. Select either the cluster local KMS or an external KMS.\n6. Click \"Protect\" and confirm by typing \"ENCRYPT\".","ccis":["CCI-001199"]},{"vulnId":"V-279448","ruleId":"SV-279448r1192364_rule","severity":"medium","ruleTitle":"Nutanix AOS must implement cryptographic mechanisms to prevent unauthorized access to data at rest.","description":"Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an application server. Alternative physical protection measures include protected distribution systems.\n\nIn order to prevent unauthorized disclosure or modification of the information, application servers must protect data at rest by using cryptographic mechanisms.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nSatisfies: SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157","checkContent":"Confirm the Nutanix VM application server is configured to enable data-at-rest encryption.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Data-at-Rest Encryption\".\n4. 
Verify software encryption is enabled.\n\nIf encryption is not enabled, this is a finding.","fixText":"Configure the Nutanix VM application server to enable data-at-rest encryption.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Data-at-Rest Encryption\".\n4. Select \"Edit configuration\".\n5. Select either the cluster local KMS or an external KMS.\n6. Click \"Protect\" and confirm by typing \"ENCRYPT\".","ccis":["CCI-002475","CCI-002476"]},{"vulnId":"V-279450","ruleId":"SV-279450r1192366_rule","severity":"medium","ruleTitle":"Nutanix AOS must configure Network Time Protocol (NTP).","description":"Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support the capabilities.\n\nSatisfies: SRG-APP-000920-AS-000320, SRG-APP-000371-AS-000077","checkContent":"Confirm the Prism Element is configured to use an authoritative NTP source.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"NTP Servers\".\n4. 
Verify external NTP servers have been configured.\n\nIf external NTP sources are not configured, this is a finding.","fixText":"Configure the Prism Element to use an authoritative NTP time source.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"NTP Servers\".\n4. Configure an authoritative NTP server.","ccis":["CCI-004922","CCI-004923"]},{"vulnId":"V-279451","ruleId":"SV-279451r1192368_rule","severity":"medium","ruleTitle":"Nutanix AOS must restrict error messages only to authorized users.","description":"If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nApplication servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure the proper file permissions are used when the log files are created.","checkContent":"Nutanix VM application server supports user and group role mapping. Verify that all users or groups match that of the documented mapping policies defined by the information system security officer (ISSO).\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. 
Navigate to \"Role mapping\".\n\nFor each user or group listed, verify the role granted is in accordance with access control policies. If not, this is a finding.","fixText":"Configure the user and group mappings to be compliant with the documented mapping policies defined by the ISSO.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Role mapping\".\n4. Add users and groups to role mappings per policy.","ccis":["CCI-001314"]},{"vulnId":"V-279464","ruleId":"SV-279464r1192371_rule","severity":"medium","ruleTitle":"Nutanix UI must initiate session logging upon startup.","description":"An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missing and not available during a forensic investigation. To ensure all loggable events are captured, the web server must begin logging once the first web server process is initiated.","checkContent":"Verify Prism Element enables logging upon startup of Envoy proxy services by running the following command:\n\n$ ps -ef | grep ikat_proxy.out\nnutanix    68158       1  0 Oct10 ?        00:00:00 /bin/bash -lc  /home/nutanix/bin/service_monitor  --run_as_user=apache /home/nutanix/data/logs/ikat_proxy.FATAL -- /usr/local/nutanix/ikat_proxy/bin/envoy -c /home/nutanix/config/ikat_proxy/envoy.yaml --disable-hot-restart  --concurrency 4 |& /home/nutanix/bin/logpipe -o /home/nutanix/data/logs/ikat_proxy.out\nnutanix    68376   68158  0 Oct10 ?        00:00:01 /home/nutanix/bin/logpipe -o /home/nutanix/data/logs/ikat_proxy.out\n\nIf the output of \"ikat_proxy.out\" does not list the path as \"/home/nutanix/data/logs/ikat_proxy.out\", or if there is no output, this is a finding.","fixText":"Prism Element is configured by default for the Envoy proxy services with logging level of \"info\". 
If this control is a finding, then some corruption has occurred and the VM must be rebuilt.","ccis":["CCI-001464"]},{"vulnId":"V-279486","ruleId":"SV-279486r1192542_rule","severity":"medium","ruleTitle":"Nutanix VMM must separate user functionality (including user interface services) from VMM management functionality.","description":"VMM management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access VMM management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. \n\nVMM management functionality includes functions necessary to administer console, network components, workstations, or servers, and typically requires privileged user access. \n\nThe separation of user functionality from VMM management functionality is either physical or logical and is accomplished by using different guest VMs, different computers, different central processing units, different instances of the VMM, different network addresses, different TCP/UDP ports, other virtualization techniques, combinations of these methods, or other methods, as appropriate.","checkContent":"Management information flow can be isolated to a separate VLAN from the guest VMs. Verify a management LAN is configured.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Under the \"Settings\" menu, click \"Network Configuration\", then select the \"Internal Interfaces\" tab.\n4. Click \"Management LAN\".\n\nIf \"VLAN ID\" is \"0\" or blank, this is a finding.","fixText":"Isolate management information flow on a separate VLAN from the guest VMs.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Under the \"Settings\" menu, click \"Network Configuration\", then select the \"Internal Interfaces\" tab.\n4. Click \"Management LAN\".\n5. Set the VLAN to the VLAN used for management functions.\na. 
SSH into each CVM as user \"nutanix\" and issue the following command: \n\nchange_cvm_vlan vlan_id\n\nb. SSH into each AHV host as root and issue the following command: \n\novs-vsctl set port br0 tag=vlan_id\n\nNote: All network switches connected to Nutanix nodes must be appropriately configured with the same VLAN ID.","ccis":["CCI-001082"]},{"vulnId":"V-279526","ruleId":"SV-279526r1191364_rule","severity":"medium","ruleTitle":"All guest VM network communications must be implemented using virtual network devices provisioned and serviced by the VMM.","description":"Mechanisms to detect and prevent unauthorized communication flow must be configured or provided as part of the VMM design. If information flow control is not enforced based on proper functioning of the VMM and its service, helper, and guest VMs, the VMM may become compromised. Information flow control regulates where information is allowed to travel between a VMM (and its guest VMs) and external systems. In some cases, the VMM may delegate interface device management to a service VM, but the VMM still maintains control of all information flows. The flow of all system information must be monitored and controlled so it does not introduce any unacceptable risk to the VMM, its guest VMs, or data.","checkContent":"Validate Nutanix CVM VM networking has been implemented and all of the virtual networks are defined and documented by the information system security officer (ISSO).\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Network Configuration\".\n\nValidate that all of the organization-defined guest VM networks are defined. If not, this is a finding.","fixText":"Add the guest VM networks. All interactions between guest VMs and external systems via other interface devices are mediated by the VMM or its service VMs.\n\n1. Log in to Prism Element.\n2. Click the gear icon in the upper-right corner.\n3. Navigate to \"Network Configuration\".\n4. 
Add the guest VM networks as defined by the organization.","ccis":["CCI-001082"]}]}
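Several of the checks above (V-279415 DODIN mode, V-279440 LDAPS ports, V-279442 OCSP status, V-279464 Envoy logging, V-279486 management VLAN) reduce to reading one value out of command output and comparing it against a required setting. The following POSIX shell helpers are an added example, not part of the DISA STIG and not Nutanix code. They assume only the output layouts the checks themselves show: the `ncli` "Key : value" layout (where long keys are truncated to "Additiona..."), and the `ps -ef` line for the `ikat_proxy` Envoy wrapper. The page gives no CLI for reading the Prism directory list, so `check_ldap_url` takes the directory URL as an argument instead of parsing anything. The sample captures at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added audit helpers for the Nutanix STIG checks above. Not Nutanix code: each
# function reads a command's output from stdin (or takes one value as $1) and
# returns 0 for compliant / 1 for a finding, so it works both on live output
# ("ncli cluster get-cvm-security-config | check_dodin") and on saved captures.

# Value of the first "Key : value" line whose key starts with $1, lower-cased,
# with whitespace removed. ncli truncates long keys ("Enable DoDin Additiona..."),
# so callers match on a key prefix rather than the full key name.
kv_value() {
  grep -i "^[[:space:]]*$1" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr 'A-Z' 'a-z' | tr -d '[:space:]'
}
kv_true() { [ "$(kv_value "$1")" = "true" ]; }

check_dodin()       { kv_true 'Enable DoDin Additiona'; }   # V-279415 (CVM/PCVM/AFS config)
check_ocsp_status() { kv_true 'Auth Config Status'; }       # V-279442 (client auth / OCSP)

# V-279440: directory URL must be LDAPS on 636 or 3269. An ldaps:// URL with no
# explicit port is accepted as the LDAPS default (636). IPv6 literals are not handled.
check_ldap_url() {
  case "$1" in
    ldaps://*:636|ldaps://*:636/*|ldaps://*:3269|ldaps://*:3269/*) return 0 ;;
    ldaps://*:*) return 1 ;;   # TLS, but not on a port the rule allows
    ldaps://*)   return 0 ;;   # no explicit port: defaults to 636
    *)           return 1 ;;   # ldap:// (389/3268) or anything else: plaintext bind
  esac
}

# V-279464: the Envoy (ikat_proxy) process tree must pipe through logpipe into the
# expected log path. The grep line from "ps -ef | grep" is dropped so it cannot self-match.
check_envoy_logging() {
  grep -v '[g]rep' | grep -q 'logpipe -o /home/nutanix/data/logs/ikat_proxy.out'
}

# V-279486: the Management LAN VLAN ID must be present and nonzero (1-4094);
# "0" or blank means management traffic is untagged alongside guest VMs.
check_vlan() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# report NAME CHECK [ARGS...]: run a check (stdin passes through) and print PASS/FAIL.
report() {
  name=$1; shift
  if "$@"; then echo "PASS  $name"; else echo "FAIL  $name (finding)"; fi
}

# Constructed sample captures (not real cluster output) so this runs offline.
SAMPLE_CVM='    Enable DoDin Additiona... : true
    Enable Banner             : true'
SAMPLE_AUTH='    Auth Config Status        : true'
SAMPLE_PS='nutanix    68158       1  0 Oct10 ?        00:00:00 /bin/bash -lc  /home/nutanix/bin/service_monitor --run_as_user=apache /home/nutanix/data/logs/ikat_proxy.FATAL -- /usr/local/nutanix/ikat_proxy/bin/envoy -c /home/nutanix/config/ikat_proxy/envoy.yaml --disable-hot-restart --concurrency 4 |& /home/nutanix/bin/logpipe -o /home/nutanix/data/logs/ikat_proxy.out
nutanix    68376   68158  0 Oct10 ?        00:00:01 /home/nutanix/bin/logpipe -o /home/nutanix/data/logs/ikat_proxy.out'

printf '%s\n' "$SAMPLE_CVM"  | report 'V-279415 DODIN mode (CVM)'  check_dodin
printf '%s\n' "$SAMPLE_AUTH" | report 'V-279442 OCSP client auth'  check_ocsp_status
printf '%s\n' "$SAMPLE_PS"   | report 'V-279464 Envoy logging'     check_envoy_logging
report 'V-279440 directory URL (ldaps:636)' check_ldap_url 'ldaps://dc1.example.mil:636'
report 'V-279440 directory URL (ldap:389)'  check_ldap_url 'ldap://dc1.example.mil:389'
report 'V-279486 management VLAN (0)'       check_vlan '0'
```

On a CVM the same functions take live input, for example `ncli cluster get-pcvm-security-config | check_dodin` for the Prism Central variant of V-279415, and the exit status can drive a scripted checklist; the prefix match on the truncated key is deliberate so the check does not break on `ncli`'s column-width abbreviation.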