{"stig":{"title":"Nutanix Acropolis GPOS Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-279527","ruleId":"SV-279527r1192379_rule","severity":"medium","ruleTitle":"Nutanix VMM must be configured to remove ypserv.","description":"It is detrimental for VMMs to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nVMMs can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).","checkContent":"1. Confirm Nutanix AOS is configured to disable nonessential capabilities using the following command.\n\n$ sudo yum list installed ypserv\n\nIf the \"ypserv\" package is installed, this is a finding.","fixText":"Remove any finding using the following command.\n\n$ sudo yum remove ypserv","ccis":["CCI-000381"]},{"vulnId":"V-279528","ruleId":"SV-279528r1192544_rule","severity":"low","ruleTitle":"Nutanix OS must limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.","checkContent":"For AHV, this requirement is Inherently Met.\n\nFor AOS, Prism Central, and Files, run the following command to verify Nutanix OS instances limit concurrent logins to 10 or fewer:\n\n$ sudo grep \"maxlogins\" /etc/security/limits.conf \n\nIf the line \"* hard maxlogins 10\" is missing, commented out, or set to a number more than 10, this is a finding.","fixText":"Configure Nutanix OS instances to limit concurrent logins to 10.\n\n1. For AHV, the value of \"* hard maxlogins\" is set to 10 by the vendor and must not be altered by customers. If the value is not set to the 10, this is an unauthorized modification which may indicate the security settings for the build has been modified. Rebuild the system from source to correct this issue.\n\n2. For AOS, Prism Central, and Files, run the following command.\n\n$ configure_dod_mode.sh enter_dod_mode","ccis":["CCI-000054"]},{"vulnId":"V-279529","ruleId":"SV-279529r1192546_rule","severity":"medium","ruleTitle":"Nutanix OS must set the value of \"lock-after-time\" to 890 seconds for remote access sessions.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems must be able to identify when a user's session is idle and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009","checkContent":"Verify Nutanix TMUX shell is enabled, which sets the user session lock for the Admin account of last resort. \n\n1. For AOS, Prism Central, and Files, log in to the CVM as the Admin user. \n \n2. For AHV, verify the value of \"locl-after-time\" is set to \"890\" using the following command.\n\n$ sudo grep -i \"lock-after-time\" /etc/tmux.conf\nset -g lock-after-time 890\n\nIf the Nutanix TMUX shell is not enabled or if \"lock-after-time\" is not configured, this is a finding.","fixText":"1. For AOS, Prism Central, and Files, log in as Admin and run the following command to set the Nutanix TMUX and configure options for the Admin account of last resort.\n\n$ configure_dod_mode.sh enter_dod_mode\n\n2. For AHV, this is set by default in the OS. The value of \"lock-after-time\" is set to \"890\" by the vendor and must not be altered by customers. If the value is not set to the default, this is an unauthorized modification which may indicate the security settings for the build has been modified. Rebuild the system from source to correct this issue.","ccis":["CCI-000057","CCI-000060","CCI-000056"]},{"vulnId":"V-279530","ruleId":"SV-279530r1192590_rule","severity":"medium","ruleTitle":"Nutanix OS must configure the ClientAliveInterval to \"600\" and ClientAliveCountMax to \"1\".","description":"Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.\n\nSatisfies: SRG-OS-000279-GPOS-00109, SRG-OS-000163-GPOS-00072","checkContent":"Verify Nutanix OS is configured to terminate all network sessions to meet the more stringent session requirement of privileged sessions using the following command.\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\nClientAliveInterval 600\nClientAliveCountMax 1\n\nIf ClientAliveInterval is not \"600\" and ClientAliveCountMax is not \"1\" (or \"0\" for AHV), this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-002361","CCI-001133"]},{"vulnId":"V-279531","ruleId":"SV-279531r1192591_rule","severity":"medium","ruleTitle":"Nutanix OS must monitor SSH access.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Verify SSH access is monitored using the following command.\n\n$ sudo grep -i loglevel /etc/ssh/sshd_config\n\nIf the LogLevel is not set to \"VERBOSE\", this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-000067"]},{"vulnId":"V-279532","ruleId":"SV-279532r1192283_rule","severity":"medium","ruleTitle":"Nutanix OS must configure the firewall to control remote access methods.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nOperating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Verify using remote access methods are prohibited or restricted.\n\n1. Verify IPv4 configuration using the following command.\n\n$ sudo systemctl status iptables.service\niptables.service - IPv4 firewall with iptables\nLoaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)\nActive: active (exited) since Thu 2024-10-10 20:05:33 UTC; 1 day 7h ago\n\n2. If IPv6 is in use, use the following command to verify IPv6 configuration.\n\n$ sudo systemctl status ip6tables.service\nip6tables.service - IPv6 firewall with ip6tables\nLoaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)\nActive: active (exited) since Thu 2024-10-10 20:05:36 UTC; 1 day 7h ago\n Main PID: 6641 (code=exited, status=0/SUCCESS)\n\nIf there are no iptables services \"Loaded\" and \"Active\", this is a finding.","fixText":"Restrict using functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.\n\n1. For AOS, run the following command.\n\n$ sudo salt-call state.sls security/CVM/iptables/init\n\n2. For Prism Central, run the following command.\n\n$ sudo salt-call state.sls security/PVCM/iptables/init\n\n3. For Files, run the following command.\n\n$ sudo salt-call state.sls security/AFS/iptables/init\n\n4. For AHV, run the following command.\n\n$ sudo salt-call state.sls security/KVM/iptablesKVM","ccis":["CCI-002314"]},{"vulnId":"V-279533","ruleId":"SV-279533r1192035_rule","severity":"high","ruleTitle":"Nutanix OS must implement DOD-approved encryption to protect the confidentiality of SSH sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.","checkContent":"Verify Nutanix implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\n1. Verify FIPS mode is enabled using the following command.\n\n$ fips-mode-setup --check\nFIPS mode is enabled.\n\n2. If FIPS mode is \"enabled\", check if the kernel boot parameter is configured for FIPS mode using the following command.\n\n$ grub2-editenv list | grep fips\nkernelopts=crashkernel=1G-4G:192M,4G-64G:256M,64G-4096G:512M,4096G-:1G nomodeset biosdevname=0 rhgb quiet intel_iommu=on iommu=pt fips=1 audit=1 split_lock_detect=off audit_backlog_limit=8192 net.ifnames=0 systemd.unified_cgroup_hierarchy=1 boot=/dev/disk/by-label/boot ahv.platform=onprem l1tf=flush,nowarn retbleed=off page_poison=0 slub_debug=- spec_rstack_overflow=microcode\n\n3. If the kernel command line is configured to use FIPS mode, check if the system is in FIPS mode using the following command.\n\n$ sudo cat /proc/sys/crypto/fips_enabled \n1\n\nIf FIPS mode is not \"enabled\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.","fixText":"Configure the system to run in FIPS mode.\n\n1. For AOS, configure FIPS mode.\n\n$ sudo salt-call state.sls security/CVM/fipsCVM\n\n2. For Prism Central, configure FIPS mode.\n\n$ sudo salt-call state.sls security/PCVM/fipsPCVM\n\n3. For Files, configure FIPS mode.\n\n$ sudo salt-call state.sls security/AFS/fipsAFS\n\n4. For AHV, configure FIPS mode.\n\n$ sudo salt-call state.sls security/KVM/fipsKVM","ccis":["CCI-000068"]},{"vulnId":"V-279534","ruleId":"SV-279534r1192285_rule","severity":"high","ruleTitle":"Nutanix OS must implement cryptography to protect the integrity of remote access sessions by using only HMACs employing FIPS 140-3-approved algorithms.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nSatisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065","checkContent":"Verify Nutanix OS is configured to use approved ciphers. \n\n1. Configure AOS, Prism Central, and Files OS VMs to use only HMACs employing FIPS 140-3-approved algorithms for remote access using the following command.\n\n$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\nMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n\n2. Verify AHV \"Ciphers\" configuration using the following command.\n\n$ sudo grep -i ciphers /etc/ssh/sshd_config\nCiphers aes256-ctr\n\nIf unapproved ciphers are listed, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-001453","CCI-002890","CCI-003123","CCI-000877"]},{"vulnId":"V-279535","ruleId":"SV-279535r1192593_rule","severity":"high","ruleTitle":"Nutanix OS must implement cryptography to protect the integrity of remote access session by setting the systemwide policy to use FIPS mode.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nSatisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188","checkContent":"Note: For AHV, this requirement is Not Applicable. \n\nVerify AOS, Prism Central, and Files OS VMs are configured to only use ciphers employing FIPS 140-3-approved algorithms.\n\n1. Verify the \"opensslcnf.config\" is defined in the \"/etc/pki/tls/openssl.cnf\" file.\n\nsudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf\n.include /etc/crypto-policies/back-ends/opensslcnf.config\n\n2. Verify the systemwide crypto policy is set to \"FIPS\".\n\n$ sudo update-crypto-policies --show\nFIPS\n\nIf the systemwide crypto policy is not set to \"FIPS\" or the \"opensslcnf.config\" is not defined in the \"/etc/pki/tls/openssl.cnf\", this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-001453","CCI-002890","CCI-003123","CCI-002450","CCI-002418","CCI-002421"]},{"vulnId":"V-279536","ruleId":"SV-279536r1192381_rule","severity":"high","ruleTitle":"Nutanix OS must implement TLS to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","checkContent":"Note: For AHV, this requirement is Not Applicable. \n\nVerify AOS, Prism Central, and Files OS VMs are configured to only use DOD-approved TLS encryption using the following command.\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf the \"TLS.MinProtocol\" is not set to \"TLVSv1.2\" (or later) or the \"DTLS.Min.Protocol\" is not set to \"DTLSv1.2\", this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd","ccis":["CCI-001453"]},{"vulnId":"V-279537","ruleId":"SV-279537r1192383_rule","severity":"high","ruleTitle":"Nutanix OS must implement cryptography to protect the integrity of remote access sessions.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","checkContent":"Note: For AHV, this requirement is Not Applicable. \n\nVerify AOS, Prism Central, and Files OS VMs are configured to use only FIPS-validated key exchange algorithms using the following command.\n\n$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config\nCRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'\n\nIf the entries following \"KexAlgorithms\" are not \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512\", appear in a different order than shown, or are missing or commented out, this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd","ccis":["CCI-001453"]},{"vulnId":"V-279538","ruleId":"SV-279538r1192550_rule","severity":"high","ruleTitle":"Nutanix OS must implement cryptography to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nSatisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174","checkContent":"Note: For AHV, this requirement is Not Applicable. \n\nVerify AOS, Prism Central, and Files OS VMs are configured to have systemwide crypto policies using the following command.\n\n$ sudo grep -i crypto_policy /etc/sysconfig/sshd\n# CRYPTO_POLICY=\n\nIf \"CRYPTO_POLICY\" is uncommented, this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd","ccis":["CCI-001453","CCI-002890","CCI-003123"]},{"vulnId":"V-279539","ruleId":"SV-279539r1192552_rule","severity":"medium","ruleTitle":"Nutanix OS must automatically remove or disable temporary user accounts after 72 hours.","description":"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nIf temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DOD-defined time period of 72 hours.\n\nTo address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.","checkContent":"Verify temporary accounts have been provisioned with an expiration date of 72 hours.\n\n1. For every existing temporary account, run the following command to obtain its account expiration information:\n\n$ sudo chage -l system_account_name\n\n2. Verify each account has an expiration date set within 72 hours.\n\nIf any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.","fixText":"If a temporary account must be created, configure the system to terminate the account after a 72-hour time period using the following command.\n\nsudo chage -E `date -d \"+3 days\" +%Y-%m-%d` system_account_name","ccis":["CCI-000016"]},{"vulnId":"V-279540","ruleId":"SV-279540r1192387_rule","severity":"medium","ruleTitle":"Nutanix OS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems must track periods of inactivity and disable application identifiers after 35 days of inactivity.","checkContent":"Verify Nutanix OS is configured to disable user accounts after the password expires using the following command.\n\n$ sudo grep -i inactive /etc/default/useradd\nINACTIVE=0\n\nIf the \"INACTIVE\" value is set to \"-1\", a value greater than \"35\", or is commented out, this is a finding.","fixText":"Configure Nutanix OS to use complex password.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV AOS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-003627"]},{"vulnId":"V-279541","ruleId":"SV-279541r1192389_rule","severity":"medium","ruleTitle":"Nutanix OS must audit all account change actions.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. \n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000001-GPOS-00001","checkContent":"Verify the OS is configured to audit all account change actions.\n\nRun the following command to verify account creation and modification is audited:\n\n$ sudo auditctl -l | grep \"audit_account_changes\"\n\nIf the command does not return the following output, this is a finding.\n\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes","fixText":"Configure Nutanix OS to audit all account change actions.\n\n1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000018","CCI-001403","CCI-001404","CCI-001405","CCI-002130","CCI-000015"]},{"vulnId":"V-279542","ruleId":"SV-279542r1192391_rule","severity":"medium","ruleTitle":"Nutanix VMM must encrypt the boot password for root.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.","checkContent":"Verify the Nutanix OS VMs encrypt the boot password for root using the following command.\n\n$ sudo grep -iw grub2_password /boot/grub2/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.10000.D5A1D797EFCF694E49691FED9FC586FB5\n\n$ sudo grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\nIf the root password entry does not begin with \"grub2_password\" or \"ExecStart\" line is configured for anything other than \"/usr/lib/systemd/systemd-sulogin-shell rescue\", this is a finding.","fixText":"1. Configure the Nutanix OS VMs to encrypt the boot password for root using the following command. \n\n$ fix_bootloader_pw\n\n2. Follow the prompts to set the password.","ccis":["CCI-000213"]},{"vulnId":"V-279543","ruleId":"SV-279543r1192595_rule","severity":"medium","ruleTitle":"Nutanix OS must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.","description":"DAC is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained regarding what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control (MAC) policies is still able to operate under the less rigorous constraints of this requirement. Thus, while MAC imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bound by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of DAC require identity-based access control, that limitation is not required for this use of DAC.\n\nSatisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000324-GPOS-00125","checkContent":"1. Verify \"fs.protected_hardlinks\" is set to \"1\" using the following command.\n\n$ sudo sysctl fs.protected_hardlinks\nfs.protected_hardlinks = 1 \n\n2. Verify the configuration files are present to enable this kernel parameter using the following command.\n\n$ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc.sysctl.conf\n/usr/lib/sysctl.d/50-default.conf:fs.protected_hardlinks = 1\n/lib/sysctl.d/50-default.conf:fs.protected_hardlinks = 1\n\nIf \"fs.protected_hardlinks\" is not set to \"1\" or is commented out or missing, this is a finding.","fixText":"Nutanix AOS, Prism Central, and Files OS VMs are designed and engineered to have DAC-enabled hardlinks by default. If the DAC hardlinks setting is missing or not active and running, then some corruption has occurred and the OS must be rebuilt.\n\n1. Configure Nutanix AHV to allow operating system admins to pass information to other operating system admins or users by adding or modifying the following line in the system configuration file /etc/syscrl.d/:\n\nfs.protected_hardlinks = 1\n\n2. After adding the changes, load settings from all system configuration files using the following command.\n\n$ sudo sysctl --system","ccis":["CCI-002165","CCI-002235"]},{"vulnId":"V-279544","ruleId":"SV-279544r1192057_rule","severity":"medium","ruleTitle":"Nutanix OS must enable kernel parameters to enforce discretionary access control on symlinks.","description":"Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen DAC policies are implemented, subjects are not constrained regarding what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control (MAC) policies is still able to operate under the less rigorous constraints of this requirement. Thus, while MAC imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bound by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of DAC require identity-based access control, that limitation is not required for this use of DAC.\n\nSatisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125","checkContent":"1. Verify Nutanix AOS enables DAC on symlinks using the following command.\n\n$ sudo sysctl fs.protected_symlinks\nfs.protected_symlinks = 1 \n\n2. Verify that the configuration files are present to enable this kernel parameter using the following command.\n\n$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc.sysctl.conf\n/usr/lib/sysctl.d/50-default.conf:fs.protected_symlinks = 1\n/lib/sysctl.d/50-default.conf:fs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\", is missing or commented out, this is a finding.","fixText":"1. Nutanix AOS, Prism Central, and Files OS VMs are designed and engineered to have DAC-enabled symlinks by default. If the DAC symlinks setting is missing or not active and running, then some corruption has occurred and the OS must be rebuilt.\n\n2. Configure Nutanix AHV to allow operating system admins to pass information to other operating system admins or users adding or modifying the following line in the system configuration file /etc/syscrl.d/:\n\nfs.protected_symlinks = 1\n\n3. After adding the changes, load settings from all system configuration files using the following command.\n\n$ sudo sysctl --system","ccis":["CCI-002165","CCI-002235"]},{"vulnId":"V-279545","ruleId":"SV-279545r1192393_rule","severity":"medium","ruleTitle":"Nutanix OS must audit the execution of privileged functions.","description":"Misusing privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000326-GPOS-00126","checkContent":"Verify Nutanix OS is configured to audit the misuse of privileged commands using the following command.\n\n$ sudo grep -iw execve /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -F auid>2000 -F auid!=4294967295 -k audit_execve\n-a always,exit -F arch=b32 -S execve -F auid>2000 -F auid!=4294967295 -k audit_execve\n\nIf both the \"b32\" and \"b64\" audit rules for \"UID\" and \"GID\" files are not defined, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-002234","CCI-002233"]},{"vulnId":"V-279546","ruleId":"SV-279546r1192554_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128","checkContent":"Verify accounts are locked for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes.\n\n1. For AOS OS, Prism Central OS and Files OS, enter the following commands. Verify the deny option is set to \"3\" or less (but not \"0\") and the \"fail_interval\" option is not set to \"900\" or more.\n\n$ sudo grep -i deny /etc/security/faillock.conf \ndeny = 3\neven_deny_root\n\n$ sudo grep -i fail_interval /etc/security/faillock.conf \nfail_interval = 900\n\n2. For AHV OS, verify by entering the following commands for pam.d.\n\n$ sudo grep pam_faillock.so /etc/pam.d/password-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=900 root_unlock_time=900 fail_interval=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 root_unlock_time=900 fail_interval=900\n\n3. Verify the following settings are explicitly configured.\n- The \"deny\" parameter is set to \"0\" or a value greater than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module.\n- The \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module.\n- The \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module.\n- The \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module.\n- Any line referencing the \"pam_faillock.so\" module is commented out.\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\n4. Verify the following settings are explicitly set. \n- The \"deny\" parameter is set to \"0\" or a value greater than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module.\n- The \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module.\n- The \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module.\n- The \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module.\n- Any line referencing the \"pam_faillock.so\" module is commented out.\n\nIf all required configuration settings are not met or if any settings are missing, this is a finding.","fixText":"Configure Nutanix OS to use complex password.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-000044","CCI-002238"]},{"vulnId":"V-279547","ruleId":"SV-279547r1192395_rule","severity":"medium","ruleTitle":"Nutanix OS must display the Standard Mandatory DOD Notice and Consent Banner for SSH access.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Verify SSH is configured to display the Standard Mandatory DOD Notice Consent Banner using the following command.\n\n$ sudo grep -i banner /etc/ssh/sshd_config\nbanner /etc/issue\n\nIf the SSH banner is not enabled and set to display the DOD Consent Banner, this is a finding.","fixText":"Configure the Standard Mandatory DOD Notice and Consent Banner.\n\n1. For AOS, Prism Central, and AHV, enter the following commands, then add the banner below.\n\n$ ncli cluster edit-cvm-security-params enable-banner=true'\n\n2. For Nutanix Files, enter the following commands, then add the banner below.\n\n$ afs security.edit_security_config enable_banner=enable\n\nFor all operating systems, enter the banner exactly, including the syntax.\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.","ccis":["CCI-000048"]},{"vulnId":"V-279548","ruleId":"SV-279548r1192062_rule","severity":"low","ruleTitle":"Nutanix OS must display the Standard Mandatory DOD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.","description":"The banner must be acknowledged by the user prior to allowing the user access to the operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with system use notifications required by law.\n\nTo establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".\n\nSatisfies: SRG-OS-000024-GPOS-00007, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007","checkContent":"Verify the banner is enabled and configured to display the Standard Mandatory DOD Notice Consent Banner upon local login.\n\n1. For Files only, verify the value of the Enable Banner is not \"true\".\n\n$ afs security.get_security_config\n Enable Aide : true\n Enable Core : false\n Enable High Strength P... : true\n Enable Banner : true\n\n2. For all OS configurations, verify the banner displays the Standard Mandatory DOD Notice Consent Banner.\n\n$ sudo more /etc/issue\n\nIf the banner is not set to display the DOD Consent Banner, this is a finding.","fixText":"1. For Nutanix Files only, enable the banner using the following command.\n\n$ afs security.edit_security_config enable_banner=enable\n\n2. For AOS, AHV, and Prism Central, configure the Standard Mandatory DOD Notice and Consent Banner using the following command.\n\n$ ncli cluster edit-cvm-security-params enable-banner=true'\n\n3. Enter the following banner for all OS components:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"","ccis":["CCI-000050","CCI-000048","CCI-000050"]},{"vulnId":"V-279549","ruleId":"SV-279549r1192397_rule","severity":"medium","ruleTitle":"Nutanix OS must provide audit record generation capability for DOD-defined auditable events for account changes.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021","checkContent":"Verify Nutanix OS generates full-text recording of privileged commands by running the following commands.\n\n$ sudo grep -iw \"postdrop\" /etc/audit/audit.rules \n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid=nutanix -F auid!=4294967295 -k privileged\n-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n $ sudo grep -iw \"unix_update\" /etc/audit/audit.rules \n-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid=nutanix -F auid!=unset -k privileged-unix-update\n-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update\n\n$ sudo grep -w \"postqueue\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid=nutanix -F auid!=4294967295 -k privileged\n-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w \"semanage\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid=nutanix -F auid!=4294967295 -k secobjects\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -w \"setfiles\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid=nutanix -F auid!=4294967295 -k privileged-priv_change\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n$ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid=nutanix -F auid!=4294967295 -k privileged-passwd\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\n$ sudo grep -w \"setsebool\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid=nutanix -F auid!=4294967295 -k secobjects\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid=nutanix -F auid!=4294967295 -k privileged\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf any of the audit rule commands does not return a line or the line is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169","CCI-000135"]},{"vulnId":"V-279550","ruleId":"SV-279550r1192399_rule","severity":"medium","ruleTitle":"Nutanix OS must configure /etc/audit/audit.rules to generate audit records for account access actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.","checkContent":"Verify Nutanix OS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.\n\n$ sudo grep -w chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep ssh-agent /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w /usr/bin/mount /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w /usr/bin/umount /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep ssh-keysign /etc/audit/audit.rules\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w pam_timestamp_check /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w crontab /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w chsh /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf the commands do not return the appropriate response line, as indicated above, or if the lines are commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169"]},{"vulnId":"V-279551","ruleId":"SV-279551r1192401_rule","severity":"medium","ruleTitle":"Nutanix OS must configure /etc/audit/audit.rules to generate audit records for account deletion actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000458-GPOS-00203","checkContent":"Verify Nutanix OS auditing is configured to generate audit records for all Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system using the following commands.\n\n$ sudo grep -w lremovexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w removexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S removexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S removexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w lsetxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lsetxattr-F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fsetxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fsetxattr-F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fremovexattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w setxattr /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S setxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S setxattr -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169","CCI-000172"]},{"vulnId":"V-279552","ruleId":"SV-279552r1192403_rule","severity":"medium","ruleTitle":"Nutanix OS must provide audit record generation for successful and unsuccessful uses of the init_module and finit_module system calls.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.","checkContent":"Verify Nutanix OS auditing is configured to generate audit records for all access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system.\n\n$ sudo grep -w \"init_module\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S init_module -k audit_network_modifications_modules\n-a always,exit -F arch=b32 -S init_module -k audit_network_modifications_modules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\n$ sudo grep -w \"finit_module\" /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S finit_module -k module-change\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\n$ sudo grep -w \"delete_module\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S delete_module -k audit_network_modifications_modules\n-a always,exit -F arch=b32 -S delete_module -k audit_network_modifications_modules\n-a always,exit -F arch=b64 -S delete_module -k modules\n-a always,exit -F arch=b32 -S delete_module -k modules\n\nIf the command(s) does not return the appropriate response line, as indicated above, or if the line(s) is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169"]},{"vulnId":"V-279553","ruleId":"SV-279553r1192405_rule","severity":"medium","ruleTitle":"Nutanix OS must provide audit record generation for successful and unsuccessful attempts to move, remove, or delete files and directories.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000474-GPOS-00219","checkContent":"Verify Nutanix OS generates an audit record upon successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by using the following commands to check the file system rules in \"/etc/audit/audit.rules\" using the following commands.\n\n$ sudo grep -w \"\\-S mount\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S mount -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S mount -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"rename\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S rename -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rename -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"renameat\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S renameat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S renameat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"rmdir\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S rmdir -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rmdir -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"unlink\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S unlink -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlink -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w \"unlinkat\" /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S unlinkat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlinkat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w chown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w chmod /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S chmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w lchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchownat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchown /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchmodat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\n$ sudo grep -w fchmod /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S fchmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmod -F auid=0 -k audit_time_perm_mod_export_delete\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k audit_time_perm_mod_export_delete\n\nIf the commands do not return the appropriate response line as indicated above, or if the lines are commented out, this is a finding.","fixText":"Configure the OS to generate audit records for successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls by using the following command to check the file system rules in \"/etc/audit/audit.rules\".\n\n1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169","CCI-000172"]},{"vulnId":"V-279554","ruleId":"SV-279554r1192407_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records when successful/unsuccessful attempts to access security objects occur.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000064-GPOS-00033, SRG-OS-000461-GPOS-00205","checkContent":"Verify Nutanix OS auditing is configured to generate audit records for all successful and unsuccessful system changes using the following commands.\n\n$ sudo grep -iw truncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S truncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S truncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw openat /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat-F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S openat -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S openat -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw open /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open-F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw open_by_handle_at /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at-F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n$ sudo grep -iw ftruncate /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b64 -S ftruncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid=0 -k access\n-a always,exit -F arch=b32 -S ftruncate -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\nIf the commands do not return the appropriate response line, as indicated above, or if the lines are commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169","CCI-000172"]},{"vulnId":"V-279555","ruleId":"SV-279555r1192409_rule","severity":"medium","ruleTitle":"Nutanix OS must provide audit record generation capability for all account actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215, SRG-OS-000462-GPOS-00206","checkContent":"Verify Nutanix OS auditing is configured to generate audit records for all account creations, modifications, disabling, and terminations using the following commands.\n\n$ sudo grep /etc/shadow /etc/audit/audit.rules\n-w /etc/shadow -p wa -k audit_account_changes\n\n$ sudo grep /etc/security/opasswd /etc/audit/audit.rules\n-w /etc/security/opasswd -p wa -k audit_account_changes\n\n$ sudo grep /etc/passwd /etc/audit/audit.rules\n-w /etc/passwd -p wa -k audit_account_changes\n\n$ sudo grep /etc/gshadow /etc/audit/audit.rules\n-w /etc/gshadow -p wa -k audit_account_changes\n\n$ sudo grep /etc/group /etc/audit/audit.rules\n-w /etc/group -p wa -k audit_account_changes\n\n$ sudo grep /etc/sudoers /etc/audit/audit.rules\n-w /etc/sudoers -p wa -k actions\n\n$ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules\n-w /etc/sudoers.d/ -p wa -k actions\n\n$ sudo grep -w /usr/bin/su /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w sudo /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w gpasswd /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w passwd /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\n$ sudo grep -w chage /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w newgrp /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf the commands do not return the appropriate response line, as indicated above, or if the lines are commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169","CCI-000172"]},{"vulnId":"V-279556","ruleId":"SV-279556r1192411_rule","severity":"medium","ruleTitle":"Nutanix OS must provide audit record generation capability for DOD-defined auditable events for all kernel module load, unload, and restart actions.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are generated. This set of events is typically a subset of the list of all events for which the system can generate audit records.\n\nDOD has defined the list of events for which the operating system will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.","checkContent":"Verify Nutanix OS is configured to generate audit records on all kernel module load, unload, and restart actions using the following command.\n\n$ sudo grep \"/usr/bin/kmod\" /etc/audit/audit.rules\n-w /usr/bin/kmod -p x -F auid!=unset -k module-change\n\n$ sudo cat /boot/grub/grub.conf | grep audit\nkernel /boot/vmlinuz-3.10.0-1160.24.1.el7.nutanix.20210425.cvm.x86_64 ro root=UUID=71a1fe8c-812f-4403-80ed-894f554b061c rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us audit=1 audit_backlog_limit=8192 nousb fips=1 nomodeset biosdevname=0 net.ifnames=0 scsi_mod.use_blk_mq=y panic=30 console=ttyS0,115200n8 console=tty0 clocksource=tsc kvm_nopvspin=1 xen_nopvspin=1 hv_netvsc.ring_size=512 mds=off mitigations=off\n\nIf the commands do not return the appropriate response line, as indicated above, or if the lines are commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000169"]},{"vulnId":"V-279557","ruleId":"SV-279557r1192413_rule","severity":"medium","ruleTitle":"Nutanix OS must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Verify Nutanix OS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited using the following command.\n\nNote: Nutanix OS audit facility is locked down so that only root has access to browse below the /etc/audit/ directory. \n\n$ sudo ls -al /etc/audit/rules.d/audit.rules\n-rw-r-----. 1 root root 21587 Oct 11 03:16 /etc/audit/rules.d/audit.rules\n\n$ sudo ls -l /etc/audit/auditd.conf\n-rw-r-----. 1 root root 908 Oct 10 20:00 /etc/audit/auditd.conf\n\nIf the files in the \"/etc/audit/rules.d/\" directory or the \"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000171"]},{"vulnId":"V-279558","ruleId":"SV-279558r1192415_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records when successful/unsuccessful attempts to modify security objects and categories of information (e.g., classification levels) occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209","checkContent":"Verify Nutanix OS generates audit records for successful/unsuccessful attempts to modify security objects occur using the following commands.\n\n$ sudo grep -i /usr/sbin/semanage /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/bin/chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the commands do not return any output, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279559","ruleId":"SV-279559r1192597_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify Nutanix OS generates audit records when concurrent logons to the same account occur using the following commands.\n\n$ sudo grep -i /var/run/faillock /etc/audit/audit.rules\n-w /var/run/faillock -p wa -k logins\n\n$ sudo grep -i /var/log/lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins \n\nIf the commands listed do not return any output, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279560","ruleId":"SV-279560r1192419_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records for privileged activities or other system-level access.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify Nutanix OS generates audit records for privileged activities or other system-level access using the following commands.\n\n$ sudo grep -w chage /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w newgrp /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -i /usr/bin/chsh /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w \"userhelper\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\n$ sudo grep -w \"unix_chkpwd\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\n$ sudo grep -w faillock /etc/audit/audit.rules\n-w /var/run/faillock/ -p wa -k logins\n\n$ sudo grep -w lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins\n\n$ sudo grep -iw \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n\nIf the privileged activities access listed does not return any output, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279561","ruleId":"SV-279561r1192421_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit the loading and unloading of dynamic kernel modules.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify Nutanix OS generates audit records for all kernel module load, unload, restart actions, and initiations using the following commands.\n\n$ sudo grep -iw create_module /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S create_module -k module-change\n-a always,exit -F arch=b64 -S create_module -k module-change\n\n$ sudo grep -iw init_module /etc/audit/audit.rules \n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\n$ sudo grep -iw finit_module /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S finit_module -k module-change\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\n$ sudo grep -iw delete_module /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\n$ sudo grep -iw kmod /etc/audit/audit.rules\n-w /usr/bin/kmod -p x -F auid!=unset -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the module(s) listed syscall or does not produce an output, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279562","ruleId":"SV-279562r1192301_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records when concurrent logons to the same account occur from different sources.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"1. Verify Nutanix AOS generates audit records when concurrent logons to the same account occur using the following command.\n\n$ sudo grep dir /etc/security/faillock.conf\n# The directory where the user files with the failure records are kept.\ndir = /var/log/faillock\n\n2. Using the location of the faillock log file, check that the following calls are being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\".\n\n$ sudo grep -w faillock /etc/audit/audit.rules \n-w /var/log/faillock -p wa -k logins\n\nIf the commands do not return a line, or the lines are commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279563","ruleId":"SV-279563r1192423_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records for all account creations, modifications, disabling, and termination events.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify Nutanix OS generates audit records for all account creation, modifications, disabling and terminations using the following command.\n\n$ sudo grep /etc/passwd /etc/audit/audit.rules\n-w /etc/passwd -p wa -k audit_account_changes\n\nIf the command does not return a line, or the line is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279564","ruleId":"SV-279564r1192080_rule","severity":"medium","ruleTitle":"Nutanix OS must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"1. Verify Nutanix OS generates audit records for all kernel module load, unload, restart actions, and initiations using the following commands.\n\n$ sudo grep -iw create_module /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S create_module -k module-change\n-a always,exit -F arch=b64 -S create_module -k module-change\n\n$ sudo grep -iw init_module /etc/audit/audit.rules \n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\n$ sudo grep -iw finit_module /etc/audit/audit.rules\n-a always,exit -F arch=b32 -S finit_module -k module-change\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\n$ sudo grep -iw delete_module /etc/audit/audit.rules\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the module(s) listed syscall, this is a finding.\n\n2. Run the command:\n\n$ sudo grep -iw kmod /etc/audit/audit.rules\n-w /usr/bin/kmod -p x -F auid!=unset -k module-change\n\nIf the command does not return any output, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000172"]},{"vulnId":"V-279565","ruleId":"SV-279565r1192081_rule","severity":"medium","ruleTitle":"Nutanix OS must have the audit.x86_64 package installed.","description":"If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nSatisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000358-GPOS-00145, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152","checkContent":"1. Verify Nutanix OS is configured with the ausearch tool using the following command. The ausearch tool is a feature of the audit rpm. \n\n$ sudo yum list installed audit\nInstalled Packages\naudit.x86_64\n\n2. Verify the package has not been removed using the following command.\n\n$ sudo yum list installed audit\nInstalled Packages\naudit.x86_64\n\n3. Verify the package has not been disabled using the following command.\n\n$ sudo systemctl status auditd.service\nauditd.service - Security Auditing Service\nLoaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Fri 2024-10-11 03:16:33 UTC; 21h ago\n\nIf audit.x86_64 is not installed or is not active, this is a finding.","fixText":"1. For AOS, Files, and Prism Central, this setting is configured by default to have ownership and permission levels set correctly to meet this requirement. If these are found to be out of compliance, some corruption has taken place and the OS must be rebuilt. \n\n2. For AHV, configure the audit service to be active and start automatically with the system at startup. The audit service is protected and restricted to allow access or modifications only from the root account.\n\n$ sudo su -\n# systemctl start auditd.service","ccis":["CCI-001464","CCI-001487","CCI-000154","CCI-000158","CCI-001876","CCI-001889","CCI-002699","CCI-002702","CCI-001875","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001889","CCI-003938"]},{"vulnId":"V-279566","ruleId":"SV-279566r1192425_rule","severity":"low","ruleTitle":"Nutanix OS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.","description":"To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the operating system.","checkContent":"Verify Nutanix OS preconfigures storage for one week's worth of audit records when audit records are not immediately sent to a central audit record facility using the following command.\n\n$ sudo cat /boot/grub/grub.conf | grep audit_backlog_limit\naudit_backlog_limit=8192\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\", is missing, or the line is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-001849"]},{"vulnId":"V-279567","ruleId":"SV-279567r1192427_rule","severity":"low","ruleTitle":"Nutanix OS must be configured to send audit records to a site-specific remote syslog server.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224","checkContent":"Verify there are lines in the \"/etc/rsyslog.d/rsyslog-nutanix.conf\" files that contain the \"@\" or \"@@\" symbol(s) and also lines with the correct symbol(s) to send output a remote log.\n\n$ sudo grep @ /etc/rsyslog.d/rsyslog-nutanix.conf\nlocal0.*; @remote-log-host:514\n\nIf the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.","fixText":"1. Configure the OS to off-load audit records to a site-specific syslog server by running the following command.\n\nncli rsyslog-config add-server name=[alias_of_central_host] ip-address=[IP_of_central_host] port=[port_of_central_host] network-protocol=tcp|udp|relp relp-enabled=yes|no; ncli rsyslog-config add-module module-name=syslog_module level=info server-name=[alias_of_central_host]\n\n2. Configure the remote syslog server to perform the following:\n- Notify designated personnel if baseline configurations are changed in an unauthorized manner.\n- Notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n- Notify designated personnel if baseline configurations are changed in an unauthorized manner.\n- Notify system administrators and ISSOs when accounts are created.\n- Notify system administrators and ISSOs when accounts are modified.\n- Notify system administrators and ISSOs when accounts are removed.\n- Notify system administrators and ISSOs when accounts are disabled.\n- Notify SAs and ISSOs of account enabling actions.","ccis":["CCI-001851"]},{"vulnId":"V-279568","ruleId":"SV-279568r1192085_rule","severity":"low","ruleTitle":"Nutanix OS must immediately notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capacity expansion.","checkContent":"1. Verify Nutanix OS is configured to act when allocated audit record storage volume reaches 75 percent utilization using the following command.\n\n$ sudo grep -w space_left /etc/audit/auditd.conf\nspace_left = 25%\n\nIf the value of the \"space_left\" keyword is not set to \"25%\", or is commented out, this is a finding.\n\n2. Run the following command. \n\n$ sudo grep -w space_left_action /etc/audit/auditd.conf\nspace_left_action = SYSLOG\n\nIf the value of the \"space_left_action\" is not set to \"SYSLOG\" or is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-001855"]},{"vulnId":"V-279569","ruleId":"SV-279569r1192086_rule","severity":"medium","ruleTitle":"Nutanix OS must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"1. Verify Nutanix OS is set to notify the SA and ISSO in the event of an audit processing failure using the following command.\n\n$ sudo grep action_mail_acct /etc/audit/auditd.conf\naction_mail_acct = root\n\nIf \"action_mail_acct\" is not set to \"root\" or the keyword is missing, this is a finding.\n\n2. Verify Nutanix OS is set to notify administrators in the event of an auditing processing failure using the following command.\n\n$ sudo grep -i \"postmaster:\\s*root$\" /etc/aliases\npostmaster: root\n\nIf the command does not return a line, or is commented out, this is a finding.","fixText":"1. For AOS, configure the audit rules.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-000139"]},{"vulnId":"V-279570","ruleId":"SV-279570r1192430_rule","severity":"medium","ruleTitle":"Nutanix AHV must disable network management of the chrony daemon.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services provided may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"For AOS, Prism Central, or Files, this is not a finding.\n\nVerify Nutanix AHV disables network management of the chrony daemon using the following command.\n\n$ sudo grep -w 'cmdport' /etc/chrony.conf\ncmdport 0\n\nIf the \"cmdport\" option is not set to \"0\", is commented out, or missing, this is a finding.","fixText":"Configure the AHV to disable network management of the chrony daemon by adding or modifying the following line in the \"/etc/chrony.conf\" file:\n\ncmdport 0","ccis":["CCI-000381"]},{"vulnId":"V-279571","ruleId":"SV-279571r1192432_rule","severity":"medium","ruleTitle":"Nutanix AHV must disable the chrony daemon from acting like a server.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services provided may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"For AOS, Prism Central, or Files, this is not a finding.\n\n1. Verify Nutanix AHV disables the chrony daemon from acting as a server using the following command.\n\n$ sudo grep -w 'port' /etc/chrony.conf\nport 0\n\nIf the \"port\" option is not set to \"0\", is commented out, or missing, this is a finding.\n\n2. Verify the OS disables the ability to use the cramfs kernel module. Check if the cramfs kernel module is disabled using the following command.\n\n$ sudo grep -r cramfs /etc/modprobe.d/* | grep \"blacklist\"\nblacklist cramfs\n\nIf the command does not return any output or the output is not \"blacklist cramfs\", and using the cramfs kernel module is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.","fixText":"Configure the operating system to disable the chrony daemon from acting as a server by adding or modifying the following line in the \"/etc/chrony.conf\" file:\n\nport 0","ccis":["CCI-000381"]},{"vulnId":"V-279572","ruleId":"SV-279572r1192092_rule","severity":"medium","ruleTitle":"Nutanix AHV must disable the use or cramfs kernel module.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services provided may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"For AOS, Prism Central, or Files, this is not a finding.\n\n1. Verify Nutanix AHV disables the ability to load the cramfs kernel module using the following command.\n\n$ sudo grep -r cramfs /etc/modprobe.d/* | grep \"/bin/false\"\ninstall cramfs /bin/false\n\nIf the command does not return any output, or the line is commented out, and using the cramfs protocol is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.\n\n2. Verify the operating system disables the ability to use the cramfs kernel module. Check if the cramfs kernel module is disabled using the following command.\n\n$ sudo grep -r cramfs /etc/modprobe.d/* | grep \"blacklist\"\nblacklist cramfs\n\nIf the command does not return any output or the output is not \"blacklist cramfs\", and using the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.","fixText":"Configure the AOS to disable the ability to use the cramfs kernel module.\n\n1. Add or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\ninstall cramfs /bin/false\nblacklist cramfs\n\n2. Reboot the system for the settings to take effect.","ccis":["CCI-000381"]},{"vulnId":"V-279573","ruleId":"SV-279573r1192434_rule","severity":"low","ruleTitle":"Nutanix OS must configure redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).","description":"Nutanix OS must compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant USNO time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the GPS to synchronize clocks between NetIM components.\n\nSatisfies: SRG-OS-000359-GPOS-00146, SRG-OS-000785-GPOS-00250, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144","checkContent":"Verify Nutanix OS is using Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).\n\n1. Verify the \"maxpoll\" option is set to 16 or fewer and is not commented out using the following command.\n\n$ sudo grep maxpoll /etc/chrony.conf\nserver 0.us.pool.ntp.mil maxpoll 10 iburst\n\n2. Verify the \"chrony.conf\" file is configured to an authoritative DOD time source using the following command.\n\n$ sudo grep -i server /etc/chrony.conf\nserver 0.us.pool.ntp.mil\n\nIf the parameter \"server\" is not set to an authoritative DOD time source, this is a finding.","fixText":"Run the following command to add a list of DOD-approved NTP servers.\n\n$ ncli cluster add-to-ntp-servers servers=IP_1,IP_2,IP_3","ccis":["CCI-001890","CCI-004922","CCI-004923","CCI-004926"]},{"vulnId":"V-279574","ruleId":"SV-279574r1192094_rule","severity":"high","ruleTitle":"Nutanix OS must use cryptographic mechanisms to protect the integrity of audit tools.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file(s).","checkContent":"Verify AIDE is enabled and configured.\n\n1. For AOS, verify AIDE is enabled and configured using the following command.\n\n$ ncli cluster get-cvm-security-config \nEnable Aide : true\n\n2. For Prism Central, verify AIDE is enabled and configured using the following command.\n\n$ ncli cluster get-pvcm-security-config \nEnable Aide : true\n\n3. For Files, verify AIDE is enabled and configured using the following command.\n\n$ ncli cluster get-afs-security-config \nEnable Aide : true\n\n4. For AHV, verify AIDE is enabled and configured using the following command.\n\n$ ncli cluster get-hypervisor-security-config | egrep \"Aide\"\nEnable Aide : true\n\nIf value for \"Enable AIDE\" is not \"true\", this is a finding.","fixText":"Enable AIDE for each OS VM.\n\n1. For AOS, configure Aide using the following command.\n\n$ ncli cluster edit-CVM-security-params enable-aide=true\n\n2. For Prism Central, configure AIDE using the following command.\n\n$ ncli cluster edit-PCVM-security-params enable-aide=true\n\n3. For Files, configure AIDE using the following command.\n\n$ ncli cluster edit-AFS-security-params enable-aide=true\n\n4. For AHV, configure AIDE using the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-aide=true","ccis":["CCI-001496"]},{"vulnId":"V-279575","ruleId":"SV-279575r1192436_rule","severity":"medium","ruleTitle":"Nutanix OS must configure audit log permissions for 0600 or less.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Verify Nutanix OS audit log permissions are 0600 or less permissive using the following command.\n\n$ sudo ls -al /home/log/audit/\ntotal 17902\n-rw-------. 1 root root 5721316 Oct 11 22:31 audit.log\n-r--------. 1 root root 6291469 Oct 11 13:41 audit.log.1\n-r--------. 1 root root 6291562 Oct 11 04:00 audit.log.2\n\nIf the audit.log file(s) are more permissive than 0600, this is a finding.","fixText":"Nutanix OS VMs are configured by default to have ownership and permission levels set to meet this requirement. If these are found to be out of compliance, some corruption has taken place and a rebuild of the OS is required.","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-279576","ruleId":"SV-279576r1192616_rule","severity":"medium","ruleTitle":"Nutanix OS must configure the audit log files to be owned by root.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000258-GPOS-00099, SRG-OS-000257-GPOS-00098, SRG-OS-000206-GPOS-00084","checkContent":"Verify access to /etc/audit/auditd.conf directory access permissions are set for only authorized users using the following command.\n\n$ sudo ls -al /home/log/audit/audit.log\n-rw-------. 1 root root 1630962 Oct 12 02:08 /home/log/audit/audit.log\n\nIf the audit log is not owned by \"root\", this is a finding.","fixText":"Nutanix OS VMs are configured by default to have ownership and permission levels set correctly to meet this requirement. If these are found to be out of compliance, some corruption has taken place and a rebuild of the OS is required.","ccis":["CCI-001493","CCI-001495","CCI-001494","CCI-001314"]},{"vulnId":"V-279577","ruleId":"SV-279577r1192601_rule","severity":"high","ruleTitle":"Nutanix OS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.","description":"Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).","checkContent":"Nutanix OS is a vendor-supported appliance; no connection to any upstream repos is configured or allowed. All patches, service packs, device drivers, and operating system components are solely provided by the vendor. The vendor ensures that all installation packages are properly signed prior to distribution to customer(s). \n\nVerify Nutanix AOS is configured to require \"gpgcheck\" and \"localpkg_gpgcheck\" for all installation packages provided by the vendor using the following commands:\n\n$ sudo grep gpgcheck /etc/yum.conf\ngpgcheck=1\n\n$ sudo grep localpkg_gpgcheck /etc/yum.conf\nlocalpkg_gpgcheck=1\n\n$ sudo grep repo_gpgcheck /etc/yum.conf\nrepo_gpgcheck=1\n\nIf any output is not set to \"1\", this is a finding.","fixText":"Configure Yum settings to remove all software components after an updated version is installed.\n\n1. Configure AOS Yum settings using the following command.\n\n$ sudo salt-call state.sls security/CVM/yumCVM\n\n2. Configure Prism Central Yum settings using the following command.\n\n$ sudo salt-call state.sls security/PCVM/yumPCVM\n\n3. Configure Files Yum settings using the following command.\n\n$ sudo salt-call state.sls security/AFS/yumAFS\n\n4. Configure AHV Yum settings using the following command.\n\n$ sudo salt-call state.sls security/KVM/yumKVM","ccis":["CCI-003992"]},{"vulnId":"V-279578","ruleId":"SV-279578r1192443_rule","severity":"medium","ruleTitle":"Nutanix OS must prevent SSH from permitting Generic Security Service Application Program Interface (GSSAPI) authentication.","description":"Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"Verify Nutanix OS enforces access restrictions.\n\nCheck that the SSH daemon does not permit GSSAPI authentication using the following command.\n\n$ sudo grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the information system security officer (ISSO), or the returned line is commented out, this is a finding.","fixText":"Configure SSH to not permit GSSAPI authentication using the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd","ccis":["CCI-001813"]},{"vulnId":"V-279579","ruleId":"SV-279579r1192445_rule","severity":"medium","ruleTitle":"Nutanix AHV must not be configured to allow Kerberos authentication.","description":"Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"If this is not AHV OS, this requirement is Not Applicable.\n\nVerify Nutanix AHV enforces access restrictions. Check that the SSH daemon does not permit Kerberos to authenticate passwords using the following command.\n\n$ sudo grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the \"KerberosAuthentication\" keyword is missing or is set to \"yes\" and is not documented with the information system security officer (ISSO), or the returned line is commented out, this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect using the following commands.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect using the following commands.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect using the following commands.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV configure SSH, then restart the SSH for the changes to take effect using the following commands.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-001813"]},{"vulnId":"V-279580","ruleId":"SV-279580r1192309_rule","severity":"medium","ruleTitle":"Nutanix OS must prevent using dictionary words for passwords.","description":"If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"Verify Nutanix OS prevents dictionary attacks.\n\n1. For AOS, Prism Central, and Files, verify the \"dictcheck\" parameter is set to \"1\", or is commented out using the following command.\n\n$ sudo grep -i dictcheck /etc/security/pwquality.conf\ndictcheck = 1\n\n2. For AHV, verify the output contains \"pam_pwquality.so\" with the option of \"required\" or \"requisite\" using the following commands.\n\n$ sudo grep pwquality.so /etc/pam.d/password-auth\npassword requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 authtok_type=\n\nIf Nutanix OS VMs are not configured to prevent dictionary attacks, this is a finding.","fixText":"Configure the use of complex passwords for Nutanix OS VMs.\n\n1. For AOS, configure the use of complex passwords using the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, configure the use of complex passwords using the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, configure the use of complex passwords using the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For Prism Central, configure the use of complex passwords using the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004061"]},{"vulnId":"V-279581","ruleId":"SV-279581r1192447_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"Verify Nutanix OS enforces a delay of at least four seconds between console logon prompts following a failed logon attempt using the following command.\n\n$ sudo grep -i fail_delay /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.","fixText":"Configure the use of complex passwords for Nutanix OS VMs.\n\n1. For AOS, configure the use of complex passwords using the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, configure the use of complex passwords using the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, configure the use of complex passwords using the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For Prism Central, configure the use of complex passwords using the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-000044"]},{"vulnId":"V-279582","ruleId":"SV-279582r1192311_rule","severity":"medium","ruleTitle":"Nutanix OS must set the SCMA framework to check the baseline daily.","description":"Configuring the operating system to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"1. For AOS, Prism Central, and Files, verify the SCMA framework is set to check the baseline daily using the following command.\n\n$ ncli cluster get-cvm-security-config | egrep 'Schedule'\nSchedule : DAILY\n\n2. For AHV, verify the SCMA framework is set to check the baseline daily using the following command.\n\n$ ncli cluster get-hypervisor-security-config | egrep 'Schedule'\nSchedule : DAILY\n\nIf the SCMA framework \"Schedule\" is not set to \"DAILY\", this is a finding.","fixText":"1. For AOS, Prism Central, and Files, set the SCMA framework to check the baseline daily using the following command.\n\n$ sudo ncli cluster edit-cvm-security-params schedule=daily\n\n2. For AHV, set the SCMA framework to check the baseline daily using the following command.\n\n$ sudo ncli cluster edit-hypervisor-security-params schedule=hourly","ccis":["CCI-001764"]},{"vulnId":"V-279583","ruleId":"SV-279583r1192449_rule","severity":"medium","ruleTitle":"Nutanix OS must define default permissions for all authenticated users so the user can only read and modify their own files.","description":"Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.","checkContent":"Verify Nutanix AOS defines default permissions for all authenticated users in such a way that the user can only read and modify their own files using the following command.\n\n$ sudo grep -i umask /etc/login.defs\nUMASK 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing, or commented out, this is a finding.","fixText":"1. For AOS, configure the default permissions \"UMASK\" to \"077\" using the following command.\n\nsalt-call state.sls security/CVM/shellCVM\n\n2. For Prism Central, configure the default permissions \"UMASK\" to \"077\" using the following command.\n\nsalt-call state.sls security/PCVM/shellPCVM\n\n3. For Files, configure the default permissions \"UMASK\" to \"077\" using the following command.\n\nsalt-call state.sls security/AFS/shellAFS\n\n4. For AHV, configure the default permissions \"UMASK\" to \"077\" using the following command.\n\nsalt-call state.sls security/KVM/shellKVM","ccis":["CCI-000213"]},{"vulnId":"V-279584","ruleId":"SV-279584r1192313_rule","severity":"high","ruleTitle":"Nutanix OS must not allow an unattended or automatic logon to the system.","description":"Failure to restrict system access to authenticated users negatively impacts operating system security.","checkContent":"Verify Nutanix OS does not allow users to override environment variables to the SSH daemon.\n\n1. Check for the value of the \"PermitUserEnvironment\" keyword using the following command. Verify the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out.\n\n$ sudo grep -i permituserenvironment /etc/ssh/sshd_config\nPermitUserEnvironment no\n\n2. Verify \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out.\n\n$ sudo grep -i hostbasedauthentication /etc/ssh/sshd_config\nHostbasedAuthentication no\n\nIf Nutanix OS does allows users to override environment variables to the SSH daemon, this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-000044"]},{"vulnId":"V-279585","ruleId":"SV-279585r1192452_rule","severity":"medium","ruleTitle":"Nutanix OS must limit the ability of nonprivileged users to grant other users direct access to the contents of their home directories/folders.","description":"Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources.","checkContent":"Verify Nutanix OS has assigned home directory of all local interactive users has a mode of \"0750\" or less permissive using the following command.\n\n$ ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\ndrwxr-x---. 3 admin admin 4096 Nov 6 2020 /home/admin\ndrwxr-x---. 26 nutanix nutanix 4096 Aug 17 08:02 /home/nutanix\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less, this is a finding.","fixText":"For AOS, Prism Central, and Files, configure any interactive users home directory to have a mode of 0750 or less using the following command.\n\n$ sudo chmod 0750 [path to interactive user's home directory]\n\nFor AHV, this setting is a default setting set by the vendor and is not supported to be changed in the field. If any interactive user accounts exist then something has been modified and the hypervisor OS VM must be rebuilt from source.","ccis":["CCI-002165"]},{"vulnId":"V-279586","ruleId":"SV-279586r1192556_rule","severity":"medium","ruleTitle":"Nutanix OS must enable an application firewall.","description":"Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.\n\nSatisfies: SRG-OS-000480-GPOS-00232, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155","checkContent":"1. Verify AOS, Prism Central, and Files has \"fapolicyd\" installed and is configured for deny-all, permit by exception policy using the following command.\n\n$ sudo systemctl status fapolicyd.service \nfapolicyd.service - File Access Policy Daemon\n Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)\n Active: active (running)\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf \npermissive = 0\n\n$sudo tail /etc/fapolicyd/compiled.rules\ndeny_audit perm=any pattern=ld_so : all\ndeny_audit perm=any all : ftype=application/x-bad-elf\nallow perm=open all : ftype=application/x-sharedlib trust=1\ndeny perm=any all : all\n\n2. For AHV, verify iptables services are \"Loaded\" and \"Active\".\n\n$ sudo service iptables status\niptables.service - IPv4 firewall with iptables\n Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)\n Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago\n Main PID: 1250 (code=exited, status=0/SUCCESS)\n CGroup: /system.slice/iptables.service\n\n3. If IPv6 is in use, run the following command.\n\n$ sudo service ip6tables status\nip6tables.service - IPv6 firewall with ip6tables\n Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)\n Active: active (exited) since Mon 2021-08-02 15:02:12 CDT; 2 weeks 6 days ago\n Main PID: 1313 (code=exited, status=0/SUCCESS)\n CGroup: /system.slice/ip6tables.service\n\nIf an application firewall is not configured or is not installed or enabled, this is a finding.","fixText":"1. For AOS, configure fapolicyd.service using the following command.\n\n$ sudo salt-call state.sls security/CVM/fapolicydCVM.sls\n\n2. For Prism Central, configure fapolicyd.service using the following command.\n\n$ sudo salt-call state.sls security/PCVM/fapolicydPCVM.sls\n\n3. For Files, configure fapolicyd.service using the following command.\n\n$ sudo salt-call state.sls security/AFS/fapolicydAFS.sls\n\n4. Configure AHV to restrict using SSH using the following command.\n\n$ sudo salt-call state.sls security/KVM/iptables/init","ccis":["CCI-001764","CCI-001774"]},{"vulnId":"V-279587","ruleId":"SV-279587r1192454_rule","severity":"medium","ruleTitle":"Nutanix OS must mount /dev/shm with secure options.","description":"Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting program execution in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"Verify in Nutanix OS that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /dev/shm using the following command.\n\n$ cat /etc/fstab | grep /dev/shm\ntmpfs /dev/shm tmpfs defaults,size=512m,noexec,rw,seclabel,nosuid,nodev 0 0\n\nIf /dev/shm is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.","fixText":"Nutanix OS is designed and engineered to have mount option preconfigured by default and changes are not supported. If any mount options are found, then some corruption has occurred and the OS must be rebuilt.","ccis":["CCI-001764"]},{"vulnId":"V-279588","ruleId":"SV-279588r1192456_rule","severity":"medium","ruleTitle":"Nutanix OS must mount /tmp with secure options.","description":"Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removing executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting program execution in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"For AHV, this requirement is Not Applicable.\n\nVerify in Nutanix OS that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /tmp using the following command.\n\n$ sudo cat /etc/fstab | grep /tmp\n/tmp ext4 loop,rw,seclabel,nodev,nosuid,noexec,noatime 0 0\n\nIf /tmp is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.","fixText":"Nutanix OS is designed and engineered to have mount option preconfigured by default and changes are not supported. If any mount options are found, then some corruption has occurred and the OS must be rebuilt.","ccis":["CCI-001764"]},{"vulnId":"V-279589","ruleId":"SV-279589r1192458_rule","severity":"medium","ruleTitle":"Nutanix OS must mount /var/log/audit with secure options.","description":"Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting program execution in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"For AHV, this requirement is Not Applicable.\n\nVerify in Nutanix OS that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /var/log/audit using the following command.\n\n$ sudo cat /etc/fstab | grep /var/log/audit\n/home/log/audit /var/log/audit none defaults,noexec,rw,seclabel,nosuid,noatime,nodev,bind 0 2\n\nIf /var/log/audit is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.","fixText":"Nutanix OS is designed and engineered to have mount option preconfigured by default and changes are not supported. If any mount options are found, then some corruption has occurred and a rebuild of the OS is required.","ccis":["CCI-001764"]},{"vulnId":"V-279590","ruleId":"SV-279590r1192460_rule","severity":"medium","ruleTitle":"Nutanix OS must mount /var/tmp with secure options.","description":"Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting program execution in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"For AHV, this requirement is Not Applicable.\n\nVerify in Nutanix OS that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /var/tmp using the following command.\n\n$ sudo cat /etc/fstab | grep /var/tmp\n/tmp /var/tmp none bind,noatime,nodev,noexec,nosuid,rw,seclabel 0 0\n\nIf /var/tmp is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.","fixText":"Nutanix OS is designed and engineered to have mount option preconfigured by default and changes are not supported. If any mount options are found, then some corruption has occurred and the OS must be rebuilt.","ccis":["CCI-001764"]},{"vulnId":"V-279591","ruleId":"SV-279591r1192462_rule","severity":"medium","ruleTitle":"Nutanix OS must mount /var/log with secure options.","description":"Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting program execution in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"For AHV, this requirement is Not Applicable.\n\nVerify in Nutanix OS that the \"nodev\",\"nosuid\", and \"noexec\" options are configured for /var/log using the following command.\n\n$ sudo cat /etc/fstab | grep /var/log\n/root/filesystems/varlog.bin /var/log ext4 defaults,nodev,nosuid,noexec 0 2\n\nIf /var/log is mounted without secure options \"nodev\", \"nosuid\", and \"noexec\", this is a finding.","fixText":"Nutanix AOS is designed and engineered to have mount option preconfigured by default and changes are not supported. If any mount options are found, then some corruption has occurred and the CVM must be rebuilt.","ccis":["CCI-001764"]},{"vulnId":"V-279592","ruleId":"SV-279592r1192602_rule","severity":"medium","ruleTitle":"Nutanix OS must have the fapolicyd.service installed and active.","description":"Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"Verify in Nutanix OS that fapolicyd is installed and active using the following command.\n\n$ sudo yum list installed fapolicyd\nInstalled Packages\nfapolicyd.x86_64 \n\n$ sudo systemctl status fapolicyd.service\nfapolicyd.service - File Access Policy Daemon\nLoaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf fapolicyd is not installed and active, this is a finding.","fixText":"1. For AOS, configure fapolicyd.service using the following command.\n\n$ sudo salt-call state.sls security/CVM/fapolicydCVM.sls\n\n2. For Prism Central, configure fapolicyd.service using the following command.\n\n$ sudo salt-call state.sls security/PCVM/fapolicydPCVM.sls\n\n3. For Files, configure fapolicyd.service using the following command.\n\n$ sudo salt-call state.sls security/AFS/fapolicydAFS.sls\n\n4. Configure AHV to restrict the use of SSH using the following command.\n\n$ sudo salt-call state.sls security/KVM/iptables/init","ccis":["CCI-001764"]},{"vulnId":"V-279593","ruleId":"SV-279593r1192467_rule","severity":"medium","ruleTitle":"Nutanix OS must be configured to remove rsh-server.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"Verify Nutanix AOS is configured to disable nonessential capabilities using the following command.\n\n$ sudo yum list installed rsh-server\n\nIf the rsh-server package is installed, this is a finding.","fixText":"Remove any finding identified using the following command.\n\n$ sudo yum remove rsh-server","ccis":["CCI-000381"]},{"vulnId":"V-279594","ruleId":"SV-279594r1192470_rule","severity":"medium","ruleTitle":"Nutanix OS must be configured to remove telnet-server.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"Verify Nutanix AOS is configured to disable nonessential capabilities using the following command.\n\n$ sudo yum list installed telnet-server\n\nIf the telnet-server package is installed, this is a finding.","fixText":"Remove any finding identified using the following command.\n\n$ sudo yum remove telnet-server","ccis":["CCI-000381"]},{"vulnId":"V-279595","ruleId":"SV-279595r1192473_rule","severity":"medium","ruleTitle":"Nutanix OS must be configured to remove abrt.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"For Nutanix AHV, this requirement is Not Applicable.\n\nFor AOS, Prism Central, and Files, verify the OS is configured to disable nonessential capabilities using the following command.\n\n$ sudo yum list installed abrt*\n\nIf any automated bug reporting package is installed, this is a finding.","fixText":"Remove any finding identified using the following command.\n\n$ sudo yum remove abrt*","ccis":["CCI-000381"]},{"vulnId":"V-279596","ruleId":"SV-279596r1192475_rule","severity":"medium","ruleTitle":"Nutanix OS must be configured to remove sendmail.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"For AHV, this requirement is Not Applicable.\n\nFor AOS, Prism Central, and Files, verify the OS is configured to disable nonessential capabilities using the following command.\n\n$ sudo yum list installed sendmail\n\nIf the sendmail package is installed, this is a finding.","fixText":"For AOS, Prism Central, and Files, remove any finding identified using the following command.\n\n$ sudo yum remove sendmail","ccis":["CCI-000381"]},{"vulnId":"V-279597","ruleId":"SV-279597r1192559_rule","severity":"medium","ruleTitle":"Nutanix OS must be configured to prohibit or restrict using functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.","description":"To prevent unauthorized device connection, unauthorized information transfer, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nOperating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.","checkContent":"1. Verify Nutanix OS prohibits or restricts using functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments using the following command.\n\n$ sudo iptables -S\n\n2. If IPv6 is in use, run the following command.\n\n$ sudo ip6tables -S\n\n3. Review the site or program PPSM CAL; Verify the services allowed by the firewall match the PPSM Component Local Service Assessment (CLSA). \n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.","fixText":"Restrict using functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.\n\n1. For AOS, run the following command.\n\n$ sudo salt-call state.sls security/CVM/iptables/init\n\n2. For Prism Central, run the following command.\n\n$ sudo salt-call state.sls security/PVCM/iptables/init\n\n3. For Files, run the following command.\n\n$ sudo salt-call state.sls security/AFS/iptables/init\n\n4. For AHV, run the following command.\n\n$ sudo salt-call state.sls security/KVM/iptablesKVM","ccis":["CCI-000382"]},{"vulnId":"V-279598","ruleId":"SV-279598r1192561_rule","severity":"medium","ruleTitle":"Nutanix OS must require users to reauthenticate for privilege escalation.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.","checkContent":"For AHV, this requirement is Not Applicable.\n\nConfirm Nutanix OS is configured as shown for reauthentication in the sudoers file:\n\n$ grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using multifactor authentication (MFA), this is a finding.","fixText":"Remove occurrences of \"NOPASSWD\". \n\n1. For AOS, use the following command.\n\nsalt-call state.sls security/CVM/manualCVM\n\n2. For Prism Central, use the following command.\n\nsalt-call state.sls security/PCVM/manualPCVM\n\n3. For Files, use the following command.\n\nsalt-call state.sls security/AFS/manualAFS\n\n4. The AHV hypervisor does not support local interactive user accounts. AHV has been designed and configured to run essentially headless. The only accounts allowed on AHV are the preconfigured system accounts.","ccis":["CCI-002038"]},{"vulnId":"V-279599","ruleId":"SV-279599r1192563_rule","severity":"medium","ruleTitle":"Nutanix OS must require users to reauthenticate for privilege escalation.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to change security roles, it is critical that the user reauthenticate.","checkContent":"For AHV, this requirement is Not Applicable.\n\nConfirm Nutanix OS is configured as shown for reauthentication in the sudoers file:\n\n$ grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using multifactor authentication (MFA), this is a finding.","fixText":"Remove occurrences of \"NOPASSWD\" found. \n\n1. For AOS, use the following command.\n\nsalt-call state.sls security/CVM/manualCVM\n\n2. For Prism Central, use the following command.\n\nsalt-call state.sls security/PCVM/manualPCVM\n\n3. For Files, use the following command.\n\nsalt-call state.sls security/AFS/manualAFS\n\n4. The AHV hypervisor does not support local interactive user accounts. AHV has been designed and configured to run essentially headless. The only accounts allowed on AHV are the pre-configured system accounts.","ccis":["CCI-002038"]},{"vulnId":"V-279600","ruleId":"SV-279600r1192481_rule","severity":"medium","ruleTitle":"Nutanix OS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Verify Nutanix OS contains no duplicate User IDs (UIDs) for interactive users using the following command.\n\nawk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd \n\nIf any output is returned, this is a finding.","fixText":"Nutanix OS is a purpose-built OS that comes with the account of last resort and system accounts needed. All user accounts required for the proper functionality of the OS are present.\n\nIf any additional accounts are found on the system, corruption may have occurred and the OS must be rebuilt.","ccis":["CCI-000764"]},{"vulnId":"V-279601","ruleId":"SV-279601r1192483_rule","severity":"medium","ruleTitle":"Nutanix OS must not install autofs.service.","description":"Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.","checkContent":"Verify Nutanix OS is configured to not automount devices using the following command.\n\n$ sudo systemctl status autofs\n\nIf \"autofs.sevice\" is installed and or enabled, this is a finding.","fixText":"Nutanix OS does not support the autofs.service by design. If autofs.service is enabled, some type of corruption has occurred and the OS must be rebuilt.","ccis":["CCI-000778"]},{"vulnId":"V-279602","ruleId":"SV-279602r1192485_rule","severity":"medium","ruleTitle":"Nutanix OS must disable the ability to use USB mass storage devices.","description":"Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, flash drives, external storage, and printers.","checkContent":"Verify Nutanix OS is set to disable the ability to use USB mass storage devices using the following command.\n\n$ sudo grep -i usb-storage /etc/modprobe.d/stig-reqs.conf \ninstall usb-storage /bin/false\n\n$ sudo grep -i usb-storage /etc/modprobe.d/blacklist.conf \nblacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage devices is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.","fixText":"1. For AOS, disable USB mass storage and blacklist from executing using the following command.\n\n$ sudo salt-call state.sls security/CVM/modprobeCVM\n\n2. For Prism Central, disable USB mass storage and blacklist from executing using the following command.\n\n$ sudo salt-call state.sls security/PCVM/modprobePCVM\n\n3. For Files, disable USB mass storage and blacklist from executing using the following command.\n\n$ sudo salt-call state.sls security/AFS/modprobeAFS\n\n4. Configure AHV to disable USB mass storage and blacklist from executing using the following command.\n\n$ sudo salt-call state.sls security/KVM/modprobeKVM","ccis":["CCI-000778"]},{"vulnId":"V-279603","ruleId":"SV-279603r1192618_rule","severity":"medium","ruleTitle":"Nutanix VMM must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify Nutanix OS prevents using dictionary words for passwords.\n\nDetermine if the field \"dictcheck\" is set using the following command.\n\n$ sudo grep -r dictcheck /etc/security/pwquality.conf*\n\n/etc/security/pwquality.conf:dictcheck=1\n\nIf the \"dictcheck\" parameter is not set to \"1\", is commented out, or if conflicting results are returned, this is a finding.","fixText":"Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option using the following command.\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-004061"]},{"vulnId":"V-279604","ruleId":"SV-279604r1192604_rule","severity":"high","ruleTitle":"Nutanix OS must store only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"1. Verify Nutanix OS is configured to store encrypted representation of passwords and that the encryption meets required standards using the following command.\n\n$ sudo grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the /etc/login.defs file does not contain the required output, this is a finding.\n\n2. Confirm that the interactive user account passwords are using a strong password hash using the following command.\n\n$ sudo cut -d: -f2 /etc/shadow\n\n$6$hMKOdbToveIPcp$ybbhyd/bY/.nbce5H1Qc8Ji7ECmTZvs50ASDFHSY9XEW/TkK7Xer5xUYp7AHYzrk815rkJecsCDIMIgYXBQ9C/\n\nPassword hashes \"!\" or \"*\" indicate inactive accounts not available for logon and are not evaluated. If any interactive user passwords do not begin with \"$6$\", this is a finding.\n\n3. Check that a minimum number of hash rounds is configured using the following command.\n\n$ sudo grep -iE \"^SHA_CRYPT_\" /etc/login.defs\nSHA_CRYPT_MAX_ROUNDS 5000\n\nIf the value of \"SHA_CRYPT_MAX_ROUNDS\" is not set to 5000 or more, this is a finding.","fixText":"Configure Nutanix OS to use complex password using the following command.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls","ccis":["CCI-004062"]},{"vulnId":"V-279605","ruleId":"SV-279605r1192605_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce password complexity by requiring that at least one uppercase character be used.","description":"Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"1. Verify Nutanix OS uses \"pwquality\" to enforce password complexity rules using the following command.\n\n$ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\npassword requisite pam_pwquality.so try_first_pass …\n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.\n\n2. Verify Nutanix AOS is configured to require complex passwords. Note: The value to require a number of uppercase characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\n3. Check the value for \"ucredit\" in \"/etc/security/pwquality.conf\" using the following command.\n\n$ sudo grep ucredit /etc/security/pwquality.conf \nucredit = -1\n\nIf the value of \"ucredit\" is not set to a negative value, this is a finding.","fixText":"Configure Nutanix OS to use complex passwords.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279606","ruleId":"SV-279606r1192492_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce password complexity by requiring at least one lowercase character be used.","description":"Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Verify Nutanix AOS is configured to require complex passwords. Note: The value to require a number of lowercase characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"lcredit\" in \"/etc/security/pwquality.conf\" using the following command.\n\n$ sudo grep lcredit /etc/security/pwquality.conf \nlcredit = -1\n\nIf the value of \"lcredit\" is not set to a negative value, this is a finding.","fixText":"Configure Nutanix OS to use complex passwords.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279607","ruleId":"SV-279607r1192494_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce password complexity by requiring that at least one numeric character be used.","description":"Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Verify Nutanix AOS is configured to require complex passwords. Note: The value to require a number of numeric characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"dcredit\" in \"/etc/security/pwquality.conf\" using the following command.\n\n$ sudo grep dcredit /etc/security/pwquality.conf \ndcredit = -1\n\nIf the value of \"dcredit\" is not set to a negative value, this is a finding.","fixText":"Configure Nutanix OS to use complex passwords.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279608","ruleId":"SV-279608r1192322_rule","severity":"medium","ruleTitle":"Nutanix OS must require the change of at least 50 percent of the total number of characters when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least eight characters.","checkContent":"1. Verify Nutanix AOS is configured to require complex passwords using the following command. Note: The values to require for complex passwords is located in \"/etc/security/pwquality.conf\".\n\n$ sudo grep difok /etc/security/pwquality.conf \ndifok = 8\n\nIf the value of \"difok\" is set to less than \"8\", this is a finding.\n\n2. Verify Nutanix AOS is configured to require complex passwords using the following command.\n\n$ sudo grep minclass /etc/security/pwquality.conf \nminclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\", this is a finding.\n\n3. Verify Nutanix AOS is configured to require complex passwords using the following command.\n\n$ sudo grep maxrepeat /etc/security/pwquality.conf \nmaxrepeat = 2\n\nIf the value of \"maxrepeat\" is set to more than \"2\", this is a finding.\n\n4. Verify Nutanix AOS is configured to require complex passwords using the following command.\n\n$ sudo grep maxclassrepeat /etc/security/pwquality.conf \nmaxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to more than \"4\", this is a finding.","fixText":"Configure Nutanix OS to use complex password by running the following command.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279609","ruleId":"SV-279609r1192569_rule","severity":"medium","ruleTitle":"Operating systems must enforce 24 hours/1 day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"1. Verify Nutanix AOS is configured to enforce 24hour/1day minimum password lifetime using the following command.\n\n$ sudo grep -i pass_min_days /etc/login.defs\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.\n\n2. Run the following command. \n\n$ sudo awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.","fixText":"Configure Nutanix OS to use complex password.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279610","ruleId":"SV-279610r1192571_rule","severity":"medium","ruleTitle":"Operating systems must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.","checkContent":"1. Verify Nutanix AOS is configured to enforce a 60-day maximum password lifetime using the following command.\n\n$ sudo grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.\n\n2. Run the following command. \n\n$ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.","fixText":"Configure Nutanix OS to use complex password.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279611","ruleId":"SV-279611r1192328_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Using more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Verify Nutanix OS is configured to enforce a minimum 15-character password length using the following command.\n\n$ sudo grep minlen /etc/security/pwquality.conf\nminlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.","fixText":"Configure Nutanix OS to use complex password.\n\n1. For AOS, enter the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM.sls\n\n2. For Prism Central, enter the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM.sls\n\n3. For Files, enter the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS.sls\n\n4. For AHV OS CVM, enter the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279612","ruleId":"SV-279612r1192607_rule","severity":"medium","ruleTitle":"Nutanix OS must enforce password complexity by requiring that at least one special character be used.","description":"Using a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"Verify Nutanix AOS enforces password complexity by requiring that at least one special character be used.\n\nNote: The value to require a number of special characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ocredit\" in \"/etc/security/pwquality.conf\" using the following command.\n\n$ sudo grep ocredit /etc/security/pwquality.conf \nocredit=-1\n\nIf the value of \"ocredit\" is not set to a negative value, this is a finding.","fixText":"Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nLog in to Nutanix CVM and run the following command.\n\n$ ncli cluster edit-cvm-security-params enable-high-strength-password=true","ccis":["CCI-004066"]},{"vulnId":"V-279613","ruleId":"SV-279613r1192499_rule","severity":"medium","ruleTitle":"Nutanix OS must configure pam_uni.so module to use SHA-512 for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nOperating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nFIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.","checkContent":"Verify pam_uni.so module is configured to use SHA-512 using the following command.\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\npassword sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nIf \"sha512\" is missing or commented out, this is a finding.","fixText":"1. For AOS, disable inactive user accounts after the password expires using the following command.\n\n$ sudo salt-call state.sls security/CVM/pamCVM\n\n2. For Prism Central, disable inactive user accounts after the password expires using the following command.\n\n$ sudo salt-call state.sls security/PCVM/pamPCVM\n\n3. For Files, disable inactive user accounts after the password expires using the following command.\n\n$ sudo salt-call state.sls security/AFS/pamAFS\n\n4. Configure AHV to disable inactive user accounts after the password expires using the following command.\n\n$ sudo salt-call state.sls security/KVM/pamKVM","ccis":["CCI-000803"]},{"vulnId":"V-279614","ruleId":"SV-279614r1192501_rule","severity":"medium","ruleTitle":"Nutanix OS must audit all activities performed during nonlocal maintenance and diagnostic sessions.","description":"If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.\n\nThis requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.\n\nThis requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch.","checkContent":"Verify Nutanix OS audits all required activities performed during nonlocal maintenance and diagnostic sessions using the following commands.\n\n$ sudo grep -i /usr/sbin/semanage /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -i /usr/bin/chcon /etc/audit/audit.rules\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k secobjects\n\n$ sudo grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n$ sudo grep -i /var/run/faillock /etc/audit/audit.rules\n-w /var/run/faillock/ -p wa -k logins\n\n$ sudo grep -i /var/log/lastlog /etc/audit/audit.rules\n-w /var/log/lastlog -p wa -k logins\n\nIf any of the commands listed do not return any output, this is a finding.","fixText":"1. For AOS, configure the audit rules using the following command.\n\n$ sudo salt-call state.sls security/CVM/auditCVM\n\n2. For Prism Central, configure the audit rules using the following command.\n\n$ sudo salt-call state.sls security/PCVM/auditPCVM\n\n3. For Files, configure the audit rules using the following command.\n\n$ sudo salt-call state.sls security/AFS/auditAFS\n\n4. For AHV, configure the audit rules using the following command.\n\n$ sudo salt-call state.sls security/KVM/auditKVM","ccis":["CCI-002884"]},{"vulnId":"V-279619","ruleId":"SV-279619r1192185_rule","severity":"high","ruleTitle":"Nutanix OS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.","description":"Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. \n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. \n\nThe operating system can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch).","checkContent":"Confirm that the Nutanix OS OpenSSL library is configured to only use DOD-approved TLS encryption using the following command.\n\n$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf the \"TLS.MinProtocol\" is set to anything older than \"TLVSv1.2\" or the \"DTLS.Min.Protocol\" is set to anything older than DTLSv1.2, this is a finding.","fixText":"Configure the system to run in FIPS mode.\n\n1. For AOS, configure FIPS mode using the following command.\n\n$ sudo salt-call state.sls security/CVM/fipsCVM\n\n2. For Prism Central, configure FIPS mode using the following command.\n\n$ sudo salt-call state.sls security/PCVM/fipsPCVM\n\n3. For Files, configure FIPS mode using the following command.\n\n$ sudo salt-call state.sls security/AFS/fipsAFS\n\n4. For AHV, configure FIPS mode using the following command.\n\n$ sudo salt-call state.sls security/KVM/fipsKVM","ccis":["CCI-002890"]},{"vulnId":"V-279620","ruleId":"SV-279620r1192503_rule","severity":"high","ruleTitle":"Nutanix OS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.","description":"If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data.\n\nSome maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.","checkContent":"Verify Nutanix OS is configured to use only MACs employing FIPS 140-3-approved algorithms using the following command.\n\n$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config\nCRYPTO_POLICY=Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com \n\nIf the cipher entries in the \"opensshserver.config\" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.","fixText":"Configure SSH.\n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV configure SSH, then restart the SSH for the changes to take effect.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-000877"]},{"vulnId":"V-279621","ruleId":"SV-279621r1192336_rule","severity":"high","ruleTitle":"Nutanix OS must protect the confidentiality and integrity of all information at rest.","description":"Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.\n\nThis requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n\nSatisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184","checkContent":"1. For AOS, Prism Central, and Files, verify every persistent disk partition present is the type \"crytpo_LUKS\" using the following command.\n\n$ sudo blkid\n/dev/sdb4: UUID=\"990b15e8-64b1-4720-bc63-57d1ffdfef96\" TYPE=\"crypto_LUKS\" PARTLABEL=\"primary\" PARTUUID=\"860391ab-f6dd-4315-915c-9bf3f5aec840\"\n/dev/sdc1: UUID=\"a61e3060-a330-420f-be2e-dd25f4a4d5cc\" TYPE=\"crypto_LUKS\" PARTLABEL=\"primary\" PARTUUID=\"c685393a-1bea-4831-9058-7baadc5f5bfb\"\n/dev/sdd1: UUID=\"4a45d2a9-1022-4f12-b547-df565f21c10d\" TYPE=\"crypto_LUKS\" PARTLABEL=\"primary\" PARTUUID=\"7ec91c7a-211d-43cf-8766-1f976d1a2ee6\"\n/dev/sde1: UUID=\"7932a4d3-4e6b-44cc-a91b-2163e1a2ae08\" TYPE=\"crypto_LUKS\" PARTLABEL=\"primary\" PARTUUID=\"eea7b909-f533-47cf-af9a-fbe6547f1a81\"\n/dev/sdf1: UUID=\"fb191583-434d-4efe-af42-649b0a8d8d7e\" TYPE=\"crypto_LUKS\" PARTLABEL=\"primary\" PARTUUID=\"8db3b9f9-db7e-4e23-b13a-813cdd9fcac5\"\n/dev/md2: UUID=\"8f9f9b65-feeb-4008-8e6a-0fab3bc3b0cc\" TYPE=\"crypto_LUKS\"\n/dev/md1: UUID=\"c159835d-96de-4711-9090-4a2f3fa47b0c\" TYPE=\"crypto_LUKS\"\n/dev/md0: UUID=\"b3eaf528-eb28-4afd-b7c8-8e2d03fe4a5e\" TYPE=\"crypto_LUKS\"\n/dev/loop0: UUID=\"517f3cfa-1912-4ff0-94bb-c17d953947dc\" BLOCK_SIZE=\"4096\" TYPE=\"ext4\"\n/dev/loop1: UUID=\"e2fb344c-991b-4f50-ac8c-76b7a369737f\" BLOCK_SIZE=\"4096\" TYPE=\"ext4\"\n/dev/loop2: UUID=\"f9ca379d-74cb-49f4-9737-10852b04717d\" BLOCK_SIZE=\"4096\" TYPE=\"ext4\"\n/dev/loop3: UUID=\"f9521269-ad69-4ac1-98c1-989d258bb996\" BLOCK_SIZE=\"1024\" TYPE=\"ext4\"\n/dev/mapper/luks-b3eaf528-eb28-4afd-b7c8-8e2d03fe4a5e: UUID=\"90d4d623-919e-4d21-b4a3-66f10d23b76c\" B\n\n2. Verify that AHV is configured for data-at-rest encryption using LUKS Crypto modules using the following command.\n\nNote: A TPM hardware module is required on each AHV node.\n\n$ sudo blkid\n/dev/mapper/AHV-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted. \n\nIf partitions are not encrypted, this is a finding.","fixText":"1. For AOS, Prism Central, and Files, file partition encryption is done during installation. During foundation, there is an installation option box to enable \"crypto_LUKS\", this must be ticked before proceeding with installation. If data-at-rest encryption is not enabled during installation, the system must be re-installed with the proper options selected.\n\n2. For AHV, configure data-at-rest encryption on partitions using Luks Crypto modules. Enabling partition encryption must be done during imaging using Foundation VM. On the foundation VM in the imaging deployment screen, select tick the option, then enter the following command.\n\nenable_luks=true","ccis":["CCI-001199","CCI-002475","CCI-002476"]},{"vulnId":"V-279622","ruleId":"SV-279622r1192573_rule","severity":"medium","ruleTitle":"Nutanix OS must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.","description":"A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.","checkContent":"Verify that the Nutanix OS hardware consists of a hardware TPM module installed and loaded using the following command.\n\n$ sudo lsmod | grep -i tpm\ntpm 77824 1 trusted\nrng_core 16384 1 tpm\n\nIf no lines are returned or if the TPM does not indicate \"trusted\", this is a finding.","fixText":"Hardware TPM modules consist of a hardware chip that is built into the motherboard of the physical server. If no TPM module exists, then a new physical server is required.\n\nFor AHV, if the TPM module exists but is not \"trusted' then something has been modified within AHV and the system must be rebuilt from source to correct this issue.","ccis":["CCI-004910"]},{"vulnId":"V-279623","ruleId":"SV-279623r1192507_rule","severity":"medium","ruleTitle":"Nutanix OS must isolate security functions from nonsecurity functions.","description":"An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.\n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For nonkernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions using access control mechanisms and by implementing least privilege capabilities.\n\nSatisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000445-GPOS-00199","checkContent":"Nutanix OS is configured by default to run SELinux Policies. Verify Nutanix OS SELinux is set to Enforcing Mode using the following command.\n\n$ sudo getenforce\nEnforcing\n\nIf \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.","fixText":"1. For AOS, Prism Central, and Files, note that the Nutanix OS is designed and engineered to have SELinux preinstalled and set as active. If the package is missing or not active and running, then some corruption has occurred and the OS must be rebuilt.\n\n2. For AHV, verify correct operation of all security functions by setting the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following line. A reboot is required for the changes to take effect.\n\nSELINUX=enforcing","ccis":["CCI-001084","CCI-002696"]},{"vulnId":"V-279624","ruleId":"SV-279624r1192609_rule","severity":"medium","ruleTitle":"Operating systems must prevent unauthorized and unintended information transfer via shared system resources.","description":"Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.","checkContent":"1. For AOS, Prism Central, and Files, verify Nutanix OS provides that all public directories are owned by root using the following command.\n\n$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\n2. Verify AHV is configured so all public directories are owned by root (or a system account) and all world-writable directories have the sticky bit set using the following command.\n\n$ sudo find / -type d -perm -0002 -exec ls -lLd {} \\;\ndrwxrwxrwt. 2 root root 40 Jun 4 15:21 /dev/mqueue\ndrwxrwxrwt. 2 root root 40 Jun 4 15:21 /dev/shm\ndrwxrwxrwt. 7 root root 4096 Jul 28 15:37 /tmp\n\n$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\ndrwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the public directories are not owned by root (or a system account) or are not world-writable and do not have the sticky bit set, this is a finding.","fixText":"1. For AOS, Prism Central, and Files, note that the Nutanix OS is designed and engineered to have all world-writable directories set correctly with the sticky bit set. If the package is missing or not active and running, then some corruption has occurred and the OS must be rebuilt.\n\n2. For AHV, configure all public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. Set the owner of all public directories as root or a system account by replacing \"[Public Directory]\" with any directory path not owned by root or a system account.\n\nSet the sticky bit on all world-writable directories by replacing \"[World-Writable Directory]\" with any directory path missing the sticky bit.\n\nExample command:\n\n$ sudo chown root [Public Directory]\n$ sudo chmod 1777 [World-Writable Directory]","ccis":["CCI-001090"]},{"vulnId":"V-279625","ruleId":"SV-279625r1192338_rule","severity":"medium","ruleTitle":"Nutanix OS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.","checkContent":"Verify Nutanix OS is configured to use syncookies. \n\n1. For AOS, Prism Central, and Files, verify the saved value of TCP syncookies using the following command.\n\n$ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' \n/etc/sysctl.d/99-salt.conf:net.ipv4.tcp_syncookies = 1\n\n2. Verify AHV is configured to use syncookies using the following command.\n\n$ sysctl net.ipv4.tcp_syncookies \nnet.ipv4.tcp_syncookies = 1 \n\n$ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' \n\nIf the value of syncookies is not set to \"1\", this is a finding.","fixText":"Set the value of syncookies to 1.\n\n1. For AOS, run the following command.\n\n$ sudo salt-call state.sls security/CVM/iptables/init\n\n2. For Prism Central, run the following command.\n\n$ sudo salt-call state.sls security/PCVM/iptables/init\n\n3. For Files, run the following command.\n\n$ sudo salt-call state.sls security/AFS/iptables/init\n\n4. For AHV, configure Nutanix AHV to use TCP syncookies using the following command.\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1 \n\nIf \"1\" is not the system's default value, add or update the following line in \"/etc/sysctl.conf\": \n\nnet.ipv4.tcp_syncookies = 1","ccis":["CCI-001095"]},{"vulnId":"V-279626","ruleId":"SV-279626r1192509_rule","severity":"medium","ruleTitle":"Nutanix OS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.","checkContent":"For AHV, this requirement is Not Applicable.\n\nVerify Nutanix OS protects against or limits the effects of DoS attacks by ensuring that a rate-limiting measures are enabled using the following command.\n\n$ /sbin/sysctl -a | grep 'net.ipv4.tcp_invalid_ratelimit'\nnet.ipv4.tcp_invalid_ratelimit = 500\n\nIf \"net.ipv4.tcp_invalid_ratelimit\" has a value greater than \"1000\" or equal to \"0\", this is a finding.","fixText":"Restrict using functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.\n\n1. For AOS, use the following command.\n\n$ sudo salt-call state.sls security/CVM/iptables/init\n\n2. For Prism Central, use the following command.\n\n$ sudo salt-call state.sls security/PVCM/iptables/init\n\n3. For Files, use the following command.\n\n$ sudo salt-call state.sls security/AFS/iptables/init","ccis":["CCI-002385"]},{"vulnId":"V-279627","ruleId":"SV-279627r1192610_rule","severity":"high","ruleTitle":"Nutanix OS must protect the confidentiality and integrity of communications with wireless peripherals.","description":"Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system.\n\nThis requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the authorizing official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that needs to be protected, modification of communications with these wireless peripherals may be used to compromise the operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.","checkContent":"Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.\n\nVerify Nutanix OS has no wireless interfaces configured on the system using the following command.\n\n$ sudo nmcli device status\n\n-bash: nmcli: command not found\n\nIf a wireless interface is listed or if the nmcli has any output other than \"command not found\", this is a finding.","fixText":"This is a default setting and is not supported to be changed in the field. If any wireless interfaces exist, then something has been modified and the system must be rebuilt from source to correct this issue.","ccis":["CCI-002418"]},{"vulnId":"V-279628","ruleId":"SV-279628r1192513_rule","severity":"medium","ruleTitle":"Nutanix OS must install and use SSH for remote access.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nEnsuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption.\n\nSatisfies: SRG-OS-000425-GPOS-00189, SRG-OS-000074-GPOS-00042, SRG-OS-000425-GPOS-00189, SRG-OS-000113-GPOS-00058, SRG-OS-000426-GPOS-00190, SRG-OS-000112-GPOS-00057","checkContent":"Verify Nutanix OS has SSH loaded and active using the following command.\n\nNote: The default Protocol version of the ssh daemon is 2, which provides the necessary mitigations to prevent replay attacks.\n\n$ sudo systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.\n\nIf the \"SSH server\" package is not installed, this is a finding.","fixText":"However, Nutanix AOS has the OpenSSH-Server package preinstalled as part of its base package set. If the package is not installed, some corruption has taken place and the CVM must be rebuilt.\n\nConfigure SSH to meet DOD standard, if already installed on the OS instance. \n\n1. For AOS, configure SSH, then restart the SSH for the changes to take effect using the following command.\n\n$ sudo salt-call state.sls security/CVM/sshdCVM\n$ sudo systemctl restart sshd\n\n2. For Prism Central, configure SSH, then restart the SSH for the changes to take effect using the following command.\n\n$ sudo salt-call state.sls security/PCVM/sshdPCVM\n$ sudo systemctl restart sshd\n\n3. For Files, configure SSH, then restart the SSH for the changes to take effect using the following command.\n\n$ sudo salt-call state.sls security/AFS/sshdAFS\n$ sudo systemctl restart sshd\n\n4. For AHV configure SSH, then restart the SSH for the changes to take effect using the following command.\n\n$ sudo salt-call state.sls security/KVM/sshdKVM\n$ sudo systemctl restart sshd","ccis":["CCI-002420","CCI-002422","CCI-001941","CCI-002420","CCI-000197","CCI-001941"]},{"vulnId":"V-279629","ruleId":"SV-279629r1192207_rule","severity":"medium","ruleTitle":"Nutanix OS must restrict the message log access permissions to reveal error messages only to authorized users.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.","checkContent":"1. For AOS, Prism Central, and Files, verify the file permissions of /home/log/messages is greater than \"600\" and the ownership is \"root\" using the following command.\n\n$ sudo stat -c \"%a %n\" /home/log/messages \n600 /home/log/messages\n\n$ sudo stat -c \"%U\" /home/log/messages \nroot\n\n$ sudo stat -c \"%G\" /home/log/messages \nroot\n\n2. For AHV, remove accounts that do not support approved system activities. List all interactive user accounts using the following command.\n\n$ sudo awk -F: '$3 >= 1000 {print $1 \" \" $5}' /etc/passwd\n\nIf accounts exist on the system that are unauthorized or if the message log is not restricted as required, this is a finding.","fixText":"1. AOS, Prism Central, and Files OS VMs are configured by default to have ownership and permission levels set correctly to meet this requirement. If these are found to be out of compliance, some corruption has taken place and the OS must be rebuilt.\n\n2. For AHV, remove accounts that do not support approved system activities.","ccis":["CCI-001314"]},{"vulnId":"V-279630","ruleId":"SV-279630r1192515_rule","severity":"medium","ruleTitle":"Nutanix OS must restrict the /var/log directory access permissions to reveal error messages only to authorized users.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.","checkContent":"Verify the /var/log directory access permissions are set to \"755\" or less and restricted to \"root\" using the following command.\n\n$ sudo stat -c \"%a %n\" /var/log\n755 /var/log\n\n$ sudo stat -c \"%U\" /var/log \nroot\n\n$ sudo stat -c \"%G\" /var/log \nroot\n\nIf group ownership of /home/log/messages is anything other than \"root\", this is a finding.","fixText":"Nutanix OS VMs are configured by default to have ownership and permission levels set correctly to meet this requirement. If these are found to be out of compliance, some corruption has taken place and the OS must be rebuilt.","ccis":["CCI-001314"]},{"vulnId":"V-279631","ruleId":"SV-279631r1192517_rule","severity":"medium","ruleTitle":"Nutanix OS must implement nonexecutable data to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Verify Nutanix OS is configured to implement nonexecutable data to protect its memory from unauthorized code execution using the following command.\n\n$ sudo grep flags /proc/cpuinfo | grep -w nx\nflags. : fpu vme de …. nx pdpe1gb rdtscp...\n\nIf \"flags\" does not contain the \"nx\" flag, this is a finding.","fixText":"1. Nutanix AOS, Prism Central, and Files OS VMs have the OpenSSH-Server package preinstalled as part of its base package set. If the package is not installed, some corruption has taken place and the CVM must be rebuilt.\n\n2. For Nutanix AHV, if the system's BIOS setup configuration permits toggling the No Execution bit, then set \"/proc/cpuinfo\" to \"enable\".","ccis":["CCI-002824"]},{"vulnId":"V-279632","ruleId":"SV-279632r1192612_rule","severity":"medium","ruleTitle":"Nutanix OS must implement address space layout randomization to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Verify Nutanix OS is configured to implement address space layout randomization using the following command.\n\n$ sudo sysctl kernel.randomize_va_space\nkernel.randomize_va_space = 2\n\nIf the value of \"kernel.randomize_va_space\" is anything other than \"2\", this is a finding.","fixText":"Configure Nutanix AOS to implement address space layout randomization using the following command.\n\n$ sudo sysctl kernel.randomize_va_space=2","ccis":["CCI-002824"]},{"vulnId":"V-279633","ruleId":"SV-279633r1192521_rule","severity":"medium","ruleTitle":"Nutanix OS must remove all software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.","checkContent":"Verify Nutanix OS removes all software components after updated versions have been installed using the following command.\n\n$ sudo grep -i clean_requirements_on_remove /etc/yum.conf\nclean_requirements_on_remove=1\n\nIf \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a finding.","fixText":"Configure Yum settings to remove all software components after an updated version is installed.\n\n1. Configure AOS Yum settings using the following command.\n\n$ sudo salt-call state.sls security/CVM/yumCVM\n\n2. Configure Prism Central Yum settings using the following command.\n\n$ sudo salt-call state.sls security/PCVM/yumPCVM\n\n3. Configure Files Yum settings using the following command.\n\n$ sudo salt-call state.sls security/AFS/yumAFS\n\n4. Configure AHV Yum settings using the following command.\n\n$ sudo salt-call state.sls security/KVM/yumKVM","ccis":["CCI-002617"]},{"vulnId":"V-279667","ruleId":"SV-279667r1192524_rule","severity":"medium","ruleTitle":"Nutanix AHV must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.\n\nOrganizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake such as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.","checkContent":"For AOS, Prism Central, and Files, this requirement is Inherently Met.\n\nConfirm Nutanix AHV has all system log files under the \"/var/log\" directory with a permission of \"600\" using the following command.\n\n$ sudo find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf command displays any output, this is a finding.","fixText":"Configure Nutanix AHV to set permissions of all log files under the \"/home/log\" directory to \"600\" or more restricted using the following command.\n\n$ sudo find /var/log -perm /137 -type f -exec chmod 600 '{}' \\;","ccis":["CCI-001312"]},{"vulnId":"V-279685","ruleId":"SV-279685r1192527_rule","severity":"medium","ruleTitle":"Nutanix AHV must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.","checkContent":"For AOS, Prism Central, and Files, this requirement is Not Applicable.\n\nVerify \"firewalld\" has \"nftables\" set as the default backend using the following command.\n\n$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n# FirewallBackend\nFirewallBackend=nftables\n\nIf the \"nftables\" is not set as the \"firewallbackend\" default, this is a finding.","fixText":"Configure Nutanix AHV firewall services using the following command.\n\n$ sudo salt-call state.sls security/KVM/iptablesKVM","ccis":["CCI-002385"]},{"vulnId":"V-279686","ruleId":"SV-279686r1192615_rule","severity":"high","ruleTitle":"Nutanix AHV must store only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"1. Verify Nutanix AHV is configured to store encrypted representation of passwords and that the encryption meets required standards using the following command.\n\n$ sudo grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nOutput should match the example; if it does not this is a finding.\n\n$ sudo grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the \"/etc/login.defs\" file does not contain the required output, this is a finding.\n\n2. Run the command:\n\n$ sudo grep -i sha512 /etc/libuser.conf\ncrypt_style = sha512\n\nIf the \"/etc/libuser.conf\" file does not contain the required output, this is a finding.","fixText":"Configure the high-strength password requirements using the following command.\n\n$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true","ccis":["CCI-004062"]}]}