{"stig":{"title":"VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-258801","ruleId":"SV-258801r933464_rule","severity":"medium","ruleTitle":"The Photon operating system must audit all account creations.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000476-GPOS-00221","checkContent":"At the command line, run the following command to verify an audit rule exists to audit account creations:\n\n# auditctl -l | grep -E \"(useradd|groupadd)\"\n\nExample result:\n\n-w /usr/sbin/useradd -p x -k useradd\n-w /usr/sbin/groupadd -p x -k groupadd\n\nIf either \"useradd\" or \"groupadd\" are not listed with a permissions filter of at least \"x\", this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /usr/sbin/useradd -p x -k useradd\n-w /usr/sbin/groupadd -p x -k groupadd\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000018","CCI-000172"]},{"vulnId":"V-258802","ruleId":"SV-258802r933467_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.","checkContent":"At the command line, run the following commands to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period:\n\n# grep '^deny =' /etc/security/faillock.conf\n\nExample result:\n\ndeny = 3\n\nIf the \"deny\" option is not set to \"3\" or less (but not \"0\"), is missing or commented out, this is a finding.\n\n# grep '^fail_interval =' /etc/security/faillock.conf\n\nExample result:\n\nfail_interval = 900\n\nIf the \"fail_interval\" option is not set to \"900\" or more, is missing or commented out, this is a finding.\n\nNote: If faillock.conf is not used to configure the \"pam_faillock.so\" module, then these options may be specified on the faillock lines in the system-auth and system-account PAM files.","fixText":"Navigate to and open:\n\n/etc/security/faillock.conf\n\nAdd or update the following lines:\n\ndeny = 3\nfail_interval = 900\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000044"]},{"vulnId":"V-258803","ruleId":"SV-258803r933470_rule","severity":"medium","ruleTitle":"The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088","checkContent":"At the command line, run the following command to verify SSH is configured to use the /etc/issue file for a banner:\n\n# sshd -T|&grep -i Banner\n\nExample result:\n\nbanner /etc/issue\n\nIf the \"banner\" setting is not configured to \"/etc/issue\", this is a finding. \n\nNext, open /etc/issue with a text editor.\n\nIf the file does not contain the Standard Mandatory DOD Notice and Consent Banner, this is a finding.\n\nStandard Mandatory DOD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"Banner\" line is uncommented and set to the following:\n\nBanner /etc/issue\n\nNavigate to and open:\n\n/etc/issue\n\nEnsure the file contains the Standard Mandatory DOD Notice and Consent Banner.\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000048","CCI-001384"]},{"vulnId":"V-258804","ruleId":"SV-258804r933473_rule","severity":"low","ruleTitle":"The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial of Service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.","checkContent":"At the command line, run the following command to verify the limit for the number of concurrent sessions:\n\n# grep \"^[^#].*maxlogins.*\" /etc/security/limits.conf\n\nExample result:\n\n* hard maxlogins 10\n\nIf \"* hard maxlogins\" is not configured to \"10\", this is a finding.\n\nNote: The expected result may be repeated multiple times.","fixText":"Navigate to and open:\n\n/etc/security/limits.conf\n\nAdd or update the following line:\n\n* hard maxlogins 10","ccis":["CCI-000054"]},{"vulnId":"V-258805","ruleId":"SV-258805r933476_rule","severity":"medium","ruleTitle":"The Photon operating system must monitor remote access logins.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.\n\nAt the command line, run the following command to verify rsyslog is configured to log authentication requests:\n\n# grep -E \"(^auth.*|^authpriv.*|^daemon.*)\" /etc/rsyslog.conf\n\nExample result:\n\nauth.*;authpriv.*;daemon.* /var/log/audit/sshinfo.log\n\nIf \"auth.*\", \"authpriv.*\", and \"daemon.*\" are not configured to be logged, this is a finding.","fixText":"Navigate to and open:\n\n/etc/rsyslog.conf\n\nAdd or update the following line:\n\nauth.*;authpriv.*;daemon.* /var/log/audit/sshinfo.log\n\nNote: The path can be substituted for another suitable log destination dedicated to authentication logs.\n\nAt the command line, run the following command:\n\n# systemctl restart rsyslog.service","ccis":["CCI-000067"]},{"vulnId":"V-258806","ruleId":"SV-258806r933479_rule","severity":"high","ruleTitle":"The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nOpenSSH on the Photon operating system when configured appropriately can utilize a FIPS validated OpenSSL for cryptographic operations.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190","checkContent":"At the command line, run the following command to verify the OpenSSL FIPS provider is installed:\n\n# rpm -qa | grep openssl-fips\n\nExample result:\n\nopenssl-fips-provider-3.0.3-1.ph4.x86_64\n\nIf there is no output indicating that the OpenSSL FIPS provider is installed, this is a finding.","fixText":"At the command line, run the following command:\n\n# tdnf install openssl-fips-provider","ccis":["CCI-000068","CCI-002418","CCI-002420","CCI-002422","CCI-002890","CCI-003123"]},{"vulnId":"V-258807","ruleId":"SV-258807r933482_rule","severity":"medium","ruleTitle":"The Photon operating system must configure auditd to log to disk.","description":"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content must be shipped to a central location, but it must also be logged locally.","checkContent":"At the command line, run the following command to verify auditd is configured to write logs to disk:\n\n# grep '^write_logs' /etc/audit/auditd.conf\n\nExample result:\n\nwrite_logs = yes\n\nIf there is no output, this is not a finding.\n\nIf \"write_logs\" exists and is not configured to \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the \"write_logs\" line is uncommented and set to the following:\n\nwrite_logs = yes\n\nAt the command line, run the following command:\n\n# pkill -SIGHUP auditd","ccis":["CCI-000130"]},{"vulnId":"V-258808","ruleId":"SV-258808r933485_rule","severity":"medium","ruleTitle":"The Photon operating system must enable the auditd service.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times.\n\nSatisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000062-GPOS-00031, SRG-OS-000255-GPOS-00096, SRG-OS-000363-GPOS-00150, SRG-OS-000365-GPOS-00152, SRG-OS-000446-GPOS-00200","checkContent":"At the command line, run the following command to verify auditd is enabled and running:\n\n# systemctl status auditd\n\nIf the service is not enabled and running, this is a finding.","fixText":"At the command line, run the following commands:\n\n# systemctl enable auditd\n# systemctl start auditd","ccis":["CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000169","CCI-001487","CCI-001744","CCI-001814","CCI-002699"]},{"vulnId":"V-258809","ruleId":"SV-258809r933488_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing all actions by superusers is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000326-GPOS-00126","checkContent":"At the command line, run the following command to verify audit rules exist to audit privileged functions:\n\n# auditctl -l | grep execve\n\nExpected result:\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000135","CCI-002233"]},{"vulnId":"V-258810","ruleId":"SV-258810r933491_rule","severity":"medium","ruleTitle":"The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135","checkContent":"At the command line, run the following command to verify auditd is configured to send an alert via syslog in the event of an audit processing failure:\n\n# grep -E \"^disk_full_action|^disk_error_action|^admin_space_left_action\" /etc/audit/auditd.conf\n\nExample result:\n\nadmin_space_left_action = SYSLOG\ndisk_full_action = SYSLOG\ndisk_error_action = SYSLOG\n\nIf \"disk_full_action\", \"disk_error_action\", and \"admin_space_left_action\" are not set to SYSLOG or are missing, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the following lines are present, not duplicated, and not commented:\n\ndisk_full_action = SYSLOG\ndisk_error_action = SYSLOG\nadmin_space_left_action = SYSLOG\n\nAt the command line, run the following command:\n\n# pkill -SIGHUP auditd","ccis":["CCI-000139","CCI-001858"]},{"vulnId":"V-258811","ruleId":"SV-258811r933494_rule","severity":"medium","ruleTitle":"The Photon operating system must protect audit logs from unauthorized access.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"At the command line, run the following command to find the current auditd log location:\n\n# grep -iw log_file /etc/audit/auditd.conf\n\nExample result:\n\nlog_file = /var/log/audit/audit.log\n\nAt the command line, run the following command using the file found in the previous step to verify auditd logs are protected from authorized access:\n\n# stat -c \"%n %U:%G %a\" /var/log/audit/audit.log\n\nExample result:\n\n/var/log/audit/audit.log root:root 600\n\nIf the audit log file does not have permissions set to \"0600\", this is a finding.\nIf the audit log file is not owned by root, this is a finding.\nIf the audit log file is not group owned by root, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chmod 0600 \n# chown root:root \n\nReplace with the target log file.\n\nNote: If \"log_group\" is configured in the auditd.conf file and set to something other than \"root\", the permissions changes will not be persistent.","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-258812","ruleId":"SV-258812r933497_rule","severity":"medium","ruleTitle":"The Photon operating system must allow only authorized users to configure the auditd service.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"At the command line, run the following command to verify permissions on auditd configuration and rules files:\n\n# find /etc/audit/* -type f -exec stat -c \"%n %U:%G %a\" {} $1\\;\n\nIf any files are returned with permissions more permissive than \"0640\", this is a finding.\nIf any files are returned not owned by root, this is a finding.\nIf any files are returned not group owned by root, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chmod 0640 \n# chown root:root \n\nReplace with the target file.","ccis":["CCI-000171"]},{"vulnId":"V-258813","ruleId":"SV-258813r933500_rule","severity":"medium","ruleTitle":"The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.","description":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000474-GPOS-00219","checkContent":"At the command line, run the following command to verify an audit rule exists to audit account creations:\n\n# auditctl -l | grep chmod\n\nExpected result:\n\n-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.\n\nNote: auid!=-1, auid!=4294967295, auid!=unset are functionally equivalent in this check and the output of the above commands may be displayed in either format.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000172"]},{"vulnId":"V-258814","ruleId":"SV-258814r933503_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"At the command line, run the following command to verify at least one uppercase character be used:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"ucredit\" option is not < 0, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"ucredit\" option set to \"-1\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000192"]},{"vulnId":"V-258815","ruleId":"SV-258815r933506_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"At the command line, run the following command to verify at least one lowercase character be used:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"lcredit\" option is not < 0, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"lcredit\" option set to \"-1\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000193"]},{"vulnId":"V-258816","ruleId":"SV-258816r933509_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"At the command line, run the following command to verify at least one numeric character be used:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"dcredit\" option is not < 0, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"dcredit\" option set to \"-1\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000194"]},{"vulnId":"V-258817","ruleId":"SV-258817r933512_rule","severity":"medium","ruleTitle":"The Photon operating system must require the change of at least eight characters when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least eight characters.","checkContent":"At the command line, run the following command to verify at least eight different characters be used:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"difok\" option is not >= 8, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"difok\" option set to \"8\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000195"]},{"vulnId":"V-258818","ruleId":"SV-258818r933515_rule","severity":"high","ruleTitle":"The operating system must store only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"At the command line, run the following command to verify passwords are stored with only encrypted representations:\n\n# grep ^ENCRYPT_METHOD /etc/login.defs\n\nExample result:\n\nENCRYPT_METHOD SHA512\n\nIf the \"ENCRYPT_METHOD\" option is not set to \"SHA512\", is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or update the following line:\n\nENCRYPT_METHOD SHA512","ccis":["CCI-000196"]},{"vulnId":"V-258819","ruleId":"SV-258819r933518_rule","severity":"high","ruleTitle":"The Photon operating system must not have the telnet package installed.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"At the command line, run the following command to verify telnet is not installed:\n\n# rpm -qa | grep telnet\n\nIf any results are returned indicating telnet is installed, this is a finding.","fixText":"At the command line, run the following command:\n\n# tdnf remove ","ccis":["CCI-000197"]},{"vulnId":"V-258820","ruleId":"SV-258820r933521_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce one day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"At the command line, run the following command to verify one day as the minimum password lifetime:\n\n# grep '^PASS_MIN_DAYS' /etc/login.defs\n\nIf \"PASS_MIN_DAYS\" is not set to 1, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or update the following line: \n\nPASS_MIN_DAYS 1","ccis":["CCI-000198"]},{"vulnId":"V-258821","ruleId":"SV-258821r933524_rule","severity":"medium","ruleTitle":"The Photon operating systems must enforce a 90-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.","checkContent":"At the command line, run the following command to verify a 90-day maximum password lifetime restriction:\n\n# grep '^PASS_MAX_DAYS' /etc/login.defs\n\nIf \"PASS_MAX_DAYS\" is not set to <= 90, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or update the following line: \n\nPASS_MAX_DAYS 90","ccis":["CCI-000199"]},{"vulnId":"V-258822","ruleId":"SV-258822r933527_rule","severity":"medium","ruleTitle":"The Photon operating system must prohibit password reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.","checkContent":"At the command line, run the following commands to verify passwords are not reused for a minimum of five generations:\n\n# grep '^password.*pam_pwhistory.so' /etc/pam.d/system-password\n\nExample result:\n\npassword required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok\n\nIf the \"remember\" option is not set to \"5\" or greater, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwhistory.so line to have the \"remember\" option set to 5 or greater as follows:\n\npassword required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000200"]},{"vulnId":"V-258823","ruleId":"SV-258823r933530_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"At the command line, run the following command to verify a minimum 15-character password length:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"minlen\" option is not >= 15, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"minlen\" option set to \"15\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000205"]},{"vulnId":"V-258824","ruleId":"SV-258824r933533_rule","severity":"medium","ruleTitle":"The Photon operating system must require authentication upon booting into single-user and maintenance modes.","description":"If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and can be configured to require a password to boot into single-user mode or make modifications to the boot menu.\n\nNote: Photon does not support building grub changes via grub2-mkconfig.","checkContent":"At the command line, run the following command to verify a password is required to edit the grub bootloader to boot into single-user mode:\n\n# grep -E \"^set\\ssuperusers|^password_pbkdf2\" /boot/grub2/grub.cfg\n\nExample output:\n\nset superusers=\"root\"\npassword_pbkdf2 root grub.pbkdf2.sha512.[password_hash]\n\nIf superusers is not set, this is a finding.\nIf a password is not set for the super user, this is a finding.","fixText":"Before proceeding, ensure a snapshot is taken to rollback if needed.\n\nAt the command line, run the following command to generate a grub password:\n\n# grub2-mkpasswd-pbkdf2\n\nEnter a secure password and ensure this password is stored for break-glass situations. Users will not be able to recover the root account without knowing this separate password. Copy the resulting encrypted string.\n\nAn example string is below:\n\ngrub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86\n\nNote: The grub2 package must be installed to generate a password for grub.\n\nNavigate to and open:\n\n/boot/grub2/grub.cfg\n\nFind the line that begins with \"set rootpartition\". Below this line, paste the following on its own line:\n\nset superusers=\"root\"\n\nNote: The superusers name can be a value other than root and is not tied to an OS account.\n\nBelow this paste the following, substituting the user's own encrypted string from the steps above:\n\npassword_pbkdf2 root \n\nNext edit the default Photon menuentry block with the \"--unrestricted\" parameter so that it will continue to boot without prompting for credentials, for example:\n\nmenuentry \"Photon\" --unrestricted {\n linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1\n if [ -f /boot/$photon_initrd ]; then\n initrd /boot/$photon_initrd\n fi\n}\n\nWhen booting now, if users press \"e\" when the Photon splash screen appears, users will be prompted for credentials before being presented the option to edit the boot loader before system startup.\n\nNote: Photon does not support building grub changes via grub2-mkconfig.","ccis":["CCI-000213"]},{"vulnId":"V-258825","ruleId":"SV-258825r933536_rule","severity":"medium","ruleTitle":"The Photon operating system must disable unnecessary kernel modules.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nSatisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000114-GPOS-00059","checkContent":"At the command line, run the following command to verify the following kernel modules are not loaded:\n\n# modprobe --showconfig | grep \"^install\" | grep \"/bin\"\n\nExpected result:\n\ninstall bridge /bin/false\ninstall sctp /bin/false\ninstall dccp /bin/false\ninstall dccp_ipv4 /bin/false\ninstall dccp_ipv6 /bin/false\ninstall ipx /bin/false\ninstall appletalk /bin/false\ninstall decnet /bin/false\ninstall rds /bin/false\ninstall tipc /bin/false\ninstall bluetooth /bin/false\ninstall usb_storage /bin/false\ninstall ieee1394 /bin/false\ninstall cramfs /bin/false\ninstall freevxfs /bin/false\ninstall jffs2 /bin/false\ninstall hfs /bin/false\ninstall hfsplus /bin/false\ninstall squashfs /bin/false\ninstall udf /bin/false\n\nThe output may include other statements outside of the expected result.\n\nIf the output does not include at least every statement in the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/modprobe.d/modprobe.conf\n\nSet the contents as follows:\n\ninstall bridge /bin/false\ninstall sctp /bin/false\ninstall dccp /bin/false\ninstall dccp_ipv4 /bin/false\ninstall dccp_ipv6 /bin/false\ninstall ipx /bin/false\ninstall appletalk /bin/false\ninstall decnet /bin/false\ninstall rds /bin/false\ninstall tipc /bin/false\ninstall bluetooth /bin/false\ninstall usb_storage /bin/false\ninstall ieee1394 /bin/false\ninstall cramfs /bin/false\ninstall freevxfs /bin/false\ninstall jffs2 /bin/false\ninstall hfs /bin/false\ninstall hfsplus /bin/false\ninstall squashfs /bin/false\ninstall udf /bin/false","ccis":["CCI-000381","CCI-000778"]},{"vulnId":"V-258826","ruleId":"SV-258826r933539_rule","severity":"medium","ruleTitle":"The Photon operating system must not have duplicate User IDs (UIDs).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for nonrepudiation.","checkContent":"At the command line, run the following command to verify there are no duplicate user IDs present:\n\n# awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf any lines are returned, this is a finding.","fixText":"Navigate to and open:\n\n/etc/passwd\n\nConfigure each user account that has a duplicate UID with a unique UID.","ccis":["CCI-000764"]},{"vulnId":"V-258827","ruleId":"SV-258827r933542_rule","severity":"medium","ruleTitle":"The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.","checkContent":"At the command line, run the following command to verify system-password is configured to encrypt representations of passwords:\n\n# grep sha512 /etc/pam.d/system-password\n\nExample result:\n\npassword required pam_unix.so sha512 shadow use_authtok\n\nIf the \"pam_unix.so\" module is not configured with the \"sha512\" parameter, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd or update the following line:\n\npassword required pam_unix.so sha512 shadow use_authtok","ccis":["CCI-000803"]},{"vulnId":"V-258828","ruleId":"SV-258828r933545_rule","severity":"medium","ruleTitle":"The Photon operating system must restrict access to the kernel message buffer.","description":"Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.","checkContent":"At the command line, run the following command to verify kernel message buffer restrictions are enabled:\n\n# /sbin/sysctl kernel.dmesg_restrict\n\nExample result:\n\nkernel.dmesg_restrict = 1\n\nIf the \"kernel.dmesg_restrict\" kernel parameter is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nkernel.dmesg_restrict = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-001090"]},{"vulnId":"V-258829","ruleId":"SV-258829r933548_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to use TCP syncookies.","description":"A TCP SYN flood attack can cause a Denial of Service (DOS) by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected and enables the system to continue servicing valid connection requests.\n\nSatisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000420-GPOS-00186","checkContent":"At the command line, run the following command to verify TCP syncookies are enabled:\n\n# /sbin/sysctl net.ipv4.tcp_syncookies\n\nExample result:\n\nnet.ipv4.tcp_syncookies = 1\n\nIf \"net.ipv4.tcp_syncookies\" is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nnet.ipv4.tcp_syncookies = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-001095","CCI-002385"]},{"vulnId":"V-258830","ruleId":"SV-258830r933551_rule","severity":"medium","ruleTitle":"The Photon operating system must terminate idle Secure Shell (SSH) sessions after 15 minutes.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000395-GPOS-00175","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i ClientAliveInterval\n\nExample result:\n\nClientAliveInterval 900\n\nIf there is no output or if \"ClientAliveInterval\" is not set to \"900\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"ClientAliveInterval\" line is uncommented and set to the following:\n\nClientAliveInterval 900\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-001133","CCI-002891"]},{"vulnId":"V-258831","ruleId":"SV-258831r933554_rule","severity":"medium","ruleTitle":"The Photon operating system /var/log directory must be restricted.","description":"Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.\n\nOrganizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.","checkContent":"At the command line, run the following command to verify permissions on the /var/log directory:\n\n# stat -c \"%n is owned by %U and group owned by %G with permissions of %a\" /var/log\n\nExpected result:\n\n/var/log is owned by root and group owned by root with permissions of 755\n\nIf the /var/log directory is not owned by root, this is a finding.\nIf the /var/log directory is not group owned by root, this is a finding.\nIf the /var/log directory permissions are not set to 0755 or less, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chown root:root /var/log\n# chmod 0755 /var/log","ccis":["CCI-001312"]},{"vulnId":"V-258832","ruleId":"SV-258832r933557_rule","severity":"medium","ruleTitle":"The Photon operating system must reveal error messages only to authorized users.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.","checkContent":"If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.\n\nAt the command line, run the following command to verify rsyslog generates log files that are not world readable:\n\n# grep '^\\$umask' /etc/rsyslog.conf\n\nExample result:\n\n$umask 0037\n\nIf \"$umask\" is not set to \"0037\" or more restrictive, this is a finding.","fixText":"Navigate to and open:\n\n/etc/rsyslog.conf\n\nAdd or update the following line:\n\n$umask 0037\n\nAt the command line, run the following command:\n\n# systemctl restart rsyslog.service","ccis":["CCI-001314"]},{"vulnId":"V-258833","ruleId":"SV-258833r933560_rule","severity":"medium","ruleTitle":"The Photon operating system must audit all account modifications.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. \n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.","checkContent":"At the command line, run the following command to verify an audit rule exists to audit account modifications:\n\n# auditctl -l | grep -E \"(usermod|groupmod)\"\n\nExample result:\n\n-w /usr/sbin/usermod -p x -k usermod\n-w /usr/sbin/groupmod -p x -k groupmod\n\nIf either \"usermod\" or \"groupmod\" are not listed with a permissions filter of at least \"x\", this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /usr/sbin/usermod -p x -k usermod\n-w /usr/sbin/groupmod -p x -k groupmod\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-001403"]},{"vulnId":"V-258834","ruleId":"SV-258834r933563_rule","severity":"medium","ruleTitle":"The Photon operating system must audit all account removal actions.","description":"When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.","checkContent":"At the command line, run the following command to verify an audit rule exists to audit account removals:\n\n# auditctl -l | grep -E \"(userdel|groupdel)\"\n\nExample result:\n\n-w /usr/sbin/userdel -p x -k userdel\n-w /usr/sbin/groupdel -p x -k groupdel\n\nIf either \"userdel\" or \"groupdel\" are not listed with a permissions filter of at least \"x\", this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /usr/sbin/userdel -p x -k userdel\n-w /usr/sbin/groupdel -p x -k groupdel\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-001405"]},{"vulnId":"V-258835","ruleId":"SV-258835r933566_rule","severity":"high","ruleTitle":"The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i Ciphers\n\nExpected result:\n\nciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\nIf the output matches the ciphers in the expected result or a subset thereof, this is not a finding.\n\nIf the ciphers in the output contain any ciphers not listed in the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"Ciphers\" line is uncommented and set to the following:\n\nCiphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-001453"]},{"vulnId":"V-258836","ruleId":"SV-258836r933569_rule","severity":"medium","ruleTitle":"The Photon operating system must initiate session audits at system startup.","description":"If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.","checkContent":"At the command line, run the following command to verify auditing is enabled at startup:\n\n# grep 'audit' /proc/cmdline\n\nExample result:\n\nBOOT_IMAGE=/boot/vmlinuz-5.10.109-2.ph4-esx root=PARTUUID=6e6293c6-9ab6-49e9-aa97-9b212f2e037a init=/lib/systemd/systemd rcupdate.rcu_expedited=1 rw systemd.show_status=1 quiet noreplace-smp cpu_init_udelay=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes audit=1\n\nIf the \"audit\" parameter is not present with a value of \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/boot/grub2/grub.cfg\n\nLocate the boot command line arguments. An example follows:\n\nlinux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline\n\nAdd \"audit=1\" to the end of the line so it reads as follows:\n\nlinux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1\n\nNote: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append \"audit=1\" to it.\n\nReboot the system for the change to take effect.","ccis":["CCI-001464"]},{"vulnId":"V-258837","ruleId":"SV-258837r933572_rule","severity":"medium","ruleTitle":"The Photon operating system must protect audit tools from unauthorized access.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099","checkContent":"At the command line, run the following command to verify permissions on audit tools:\n\n# stat -c \"%n is owned by %U and group owned by %G and permissions are %a\" /usr/sbin/audispd /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace /usr/sbin/augenrules\n\nExpected result:\n\n/usr/sbin/audispd is owned by root and group owned by root and permissions are 750\n/usr/sbin/auditctl is owned by root and group owned by root and permissions are 755\n/usr/sbin/auditd is owned by root and group owned by root and permissions are 755\n/usr/sbin/aureport is owned by root and group owned by root and permissions are 755\n/usr/sbin/ausearch is owned by root and group owned by root and permissions are 755\n/usr/sbin/autrace is owned by root and group owned by root and permissions are 755\n/usr/sbin/augenrules is owned by root and group owned by root and permissions are 750\n\nIf any file is not owned by root or group owned by root or permissions are more permissive than listed above, this is a finding.","fixText":"At the command line, run the following commands for each file returned:\n\n# chown root:root \n# chmod 750 \n\nNote: Update permissions to match the target file as listed in the check text.","ccis":["CCI-001493","CCI-001494","CCI-001495"]},{"vulnId":"V-258838","ruleId":"SV-258838r933575_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"At the command line, run the following command to verify at least one special character be used:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"ocredit\" option is not < 0, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"ocredit\" option set to \"-1\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-001619"]},{"vulnId":"V-258839","ruleId":"SV-258839r933578_rule","severity":"high","ruleTitle":"The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.","checkContent":"Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package.\n\nAt the command line, run the following command:\n\n# rpm -V audit | grep \"^..5\"\n\nExample output:\n\nS.5....T. c /etc/audit/auditd.conf\n\nIf there is any output for files that are not configuration files, this is a finding.","fixText":"If the audit system binaries have been altered investigate the cause and then reinstall the audit package to restore the integrity of the package.\n\nIf performed on a VMware reinstalling the audit tools is not supported. The appliance should be restored from a backup or redeployed once the root cause is remediated.","ccis":["CCI-001496"]},{"vulnId":"V-258840","ruleId":"SV-258840r933581_rule","severity":"medium","ruleTitle":"The operating system must automatically terminate a user session after inactivity time-outs have expired.","description":"Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.\n\nSatisfies: SRG-OS-000279-GPOS-00109, SRG-OS-000126-GPOS-00066","checkContent":"At the command line, run the following command:\n\n# grep -E \"TMOUT=900\" /etc/bash.bashrc /etc/profile.d/*\n\nExample result:\n\n/etc/profile.d/tmout.sh:TMOUT=900\n\nIf the \"TMOUT\" environmental variable is not set, the value is more than \"900\", or is set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/profile.d/tmout.sh\n\nSet its content to the following: \n\nTMOUT=900\nreadonly TMOUT \nexport TMOUT\nmesg n 2>/dev/null","ccis":["CCI-000879","CCI-002361"]},{"vulnId":"V-258841","ruleId":"SV-258841r933584_rule","severity":"high","ruleTitle":"The Photon operating system must enable symlink access control protection in the kernel.","description":"By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().","checkContent":"At the command line, run the following command to verify symlink protection is enabled:\n\n# /sbin/sysctl fs.protected_symlinks\n\nExample result:\n\nfs.protected_symlinks = 1\n\nIf the \"fs.protected_symlinks\" kernel parameter is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nfs.protected_symlinks = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-002235"]},{"vulnId":"V-258842","ruleId":"SV-258842r933587_rule","severity":"medium","ruleTitle":"The Photon operating system must audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000240-GPOS-00090, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215","checkContent":"At the command line, run the following command to output a list of files with setuid/setgid configured and their corresponding audit rules:\n\n# for file in $(find / -xdev -path /var/lib/containerd -prune -o \\( -perm -4000 -o -perm -2000 \\) -type f -print | sort); do echo \"Found file with setuid/setgid configured: $file\";rule=\"$(auditctl -l | grep \"$file \")\";echo \"Audit Rule Result: $rule\";echo \"\"; done\n\nExample output:\n\nFound file with setuid/setgid configured: /usr/bin/chage\nAudit Rule Result: -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged\n\nFound file with setuid/setgid configured: /usr/bin/chfn\nAudit Rule Result: -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged\n\nIf each file returned does not have a corresponding audit rule, this is a finding. \n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.\n\nNote: auid!=-1, auid!=4294967295, auid!=unset are functionally equivalent in this check and the output of the above commands may be displayed in either format.","fixText":"Run the following steps for each file found in the check that does not have a corresponding line in the audit rules:\n\nNavigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following line:\n\n-a always,exit -F path= -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n\nRun the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000172","CCI-001404","CCI-002234"]},{"vulnId":"V-258843","ruleId":"SV-258843r933590_rule","severity":"medium","ruleTitle":"The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.","checkContent":"At the command line, run the following commands to verify accounts are locked until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made:\n\n# grep '^unlock_time =' /etc/security/faillock.conf\n\nExample result:\n\nunlock_time = 0\n\nIf the \"unlock_time\" option is not set to \"0\", is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/security/faillock.conf\n\nAdd or update the following lines:\n\nunlock_time = 0\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-002238"]},{"vulnId":"V-258844","ruleId":"SV-258844r933593_rule","severity":"low","ruleTitle":"The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.","description":"Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.","checkContent":"At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure:\n\n# grep -E \"^num_logs|^max_log_file_action\" /etc/audit/auditd.conf\n\nExample result:\n\nnum_logs = 5\nmax_log_file_action = ROTATE\n\nIf \"num_logs\" is not configured to \"5\" or greater, this is a finding.\nIf \"max_log_file_action\" is not configured to \"ROTATE\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the following lines are present, not duplicated, and not commented:\n\nnum_logs = 5\nmax_log_file_action = ROTATE\n\nAt the command line, run the following command:\n\n# pkill -SIGHUP auditd","ccis":["CCI-001849"]},{"vulnId":"V-258845","ruleId":"SV-258845r935564_rule","severity":"low","ruleTitle":"The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.","checkContent":"At the command line, run the following command to verify auditd is alerting when low disk space is detected:\n\n# grep '^space_left' /etc/audit/auditd.conf\n\nExpected result:\n\nspace_left = 25%\nspace_left_action = SYSLOG\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the \"space_left\" and \"space_left_action\" lines are uncommented and set to the following:\n\nspace_left = 25%\nspace_left_action = SYSLOG\n\nAt the command line, run the following command:\n\n# pkill -SIGHUP auditd","ccis":["CCI-001855"]},{"vulnId":"V-258846","ruleId":"SV-258846r933599_rule","severity":"high","ruleTitle":"The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.","description":"Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.","checkContent":"At the command line, run the following command to verify software packages are cryptographically verified during installation:\n\n# grep '^gpgcheck' /etc/tdnf/tdnf.conf\n\nExample result:\n\ngpgcheck=1\n\nIf \"gpgcheck\" is not set to \"true\", \"1\", or \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/tdnf/tdnf.conf\n\nAdd or update the following line:\n\ngpgcheck=1","ccis":["CCI-001749"]},{"vulnId":"V-258847","ruleId":"SV-258847r933602_rule","severity":"medium","ruleTitle":"The Photon operating system must require users to reauthenticate for privilege escalation.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\n\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158","checkContent":"At the command line, run the following commands to verify users with a set password are not allowed to sudo without reauthentication:\n\n# grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -vE '(^#|^%)'\n\n# awk -F: '($2 != \"x\" && $2 != \"!\") {print $1}' /etc/shadow\n\nIf any account listed in the first output is also listed in the second output and is not documented, this is a finding.","fixText":"Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# visudo\n\nOR\n\n# visudo -f /etc/sudoers.d/\n\nRemove any occurrences of \"NOPASSWD\" tags associated with user accounts with a password hash.","ccis":["CCI-002038"]},{"vulnId":"V-258848","ruleId":"SV-258848r933605_rule","severity":"medium","ruleTitle":"The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"At the command line, run the following command to verify address space layout randomization is enabled:\n\n# cat /proc/sys/kernel/randomize_va_space\n\nIf the value of \"randomize_va_space\" is not \"2\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nkernel.randomize_va_space=2\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-002824"]},{"vulnId":"V-258849","ruleId":"SV-258849r933608_rule","severity":"medium","ruleTitle":"The Photon operating system must remove all software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.","checkContent":"At the command line, run the following command:\n\n# grep -i '^clean_requirements_on_remove' /etc/tdnf/tdnf.conf\n\nExample result:\n\nclean_requirements_on_remove=1\n\nIf \"clean_requirements_on_remove\" is not set to \"true\", \"1\", or \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/tdnf/tdnf.conf\n\nAdd or update the following line:\n\nclean_requirements_on_remove=1","ccis":["CCI-002617"]},{"vulnId":"V-258850","ruleId":"SV-258850r933611_rule","severity":"medium","ruleTitle":"The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"At the command line, run the following command to verify an audit rule exists to audit logon attempts:\n\n# auditctl -l | grep -E \"faillog|lastlog|tallylog\"\n\nExpected result:\n\n-w /var/log/faillog -p wa -k logons\n-w /var/log/lastlog -p wa -k logons\n-w /var/log/tallylog -p wa -k logons\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /var/log/faillog -p wa -k logons\n-w /var/log/lastlog -p wa -k logons\n-w /var/log/tallylog -p wa -k logons\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000172"]},{"vulnId":"V-258851","ruleId":"SV-258851r933614_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222","checkContent":"At the command line, run the following command to verify an audit rule exists to audit kernel modules:\n\n# auditctl -l | grep init_module\n\nExpected result:\n\n-a always,exit -F arch=b32 -S init_module -F key=modules\n-a always,exit -F arch=b64 -S init_module -F key=modules\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-a always,exit -F arch=b32 -S init_module -F key=modules\n-a always,exit -F arch=b64 -S init_module -F key=modules\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000172"]},{"vulnId":"V-258852","ruleId":"SV-258852r933617_rule","severity":"high","ruleTitle":"The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nSatisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176","checkContent":"At the command line, run the following command to verify FIPS is enabled for the OS:\n\n# cat /proc/sys/crypto/fips_enabled\n\nExample result:\n\n1\n\nIf \"fips_enabled\" is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/boot/grub2/grub.cfg\n\nLocate the boot command line arguments. An example follows:\n\nlinux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline\n\nAdd \"fips=1\" to the end of the line so it reads as follows:\n\nlinux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline fips=1\n\nNote: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append \"fips=1\" to it.\n\nReboot the system for the change to take effect.","ccis":["CCI-002450"]},{"vulnId":"V-258853","ruleId":"SV-258853r933620_rule","severity":"medium","ruleTitle":"The Photon operating system must prevent the use of dictionary words for passwords.","description":"If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"At the command line, run the following command to verify passwords do not match dictionary words:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"dictcheck\" option is not set to 1, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"dictcheck\" option set to \"1\" as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000366"]},{"vulnId":"V-258854","ruleId":"SV-258854r933623_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"At the command line, run the following command to verify a four second delay is configured between logon attempts:\n\n# grep '^FAIL_DELAY' /etc/login.defs\n\nExample result:\n\nFAIL_DELAY 4\n\nIf the \"FAIL_DELAY\" option is not set to 4 or more, is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or update the following line:\n\nFAIL_DELAY 4","ccis":["CCI-000366"]},{"vulnId":"V-258855","ruleId":"SV-258855r933626_rule","severity":"medium","ruleTitle":"The Photon operating system must ensure audit events are flushed to disk at proper intervals.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times.","checkContent":"At the command line, run the following command to verify auditd is configured to flush audit events to disk regularly:\n\n# grep -E \"freq|flush\" /etc/audit/auditd.conf\n\nExample result:\n\nflush = INCREMENTAL_ASYNC\nfreq = 50\n\nIf \"flush\" is not set to \"INCREMENTAL_ASYNC\", this is a finding.\nIf \"freq\" is not set to \"50\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nAdd or update the following lines:\n\nflush = INCREMENTAL_ASYNC\nfreq = 50\n\nAt the command line, run the following command:\n\n# pkill -SIGHUP auditd","ccis":["CCI-000366"]},{"vulnId":"V-258856","ruleId":"SV-258856r933629_rule","severity":"medium","ruleTitle":"The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.","description":"Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.","checkContent":"At the command line, run the following command to verify the default umask configuration:\n\n# grep '^UMASK' /etc/login.defs\n\nExpected result:\n\nUMASK 077\n\nIf the \"UMASK\" option is not set to \"077\", is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or update the following line:\n\nUMASK 077","ccis":["CCI-000366"]},{"vulnId":"V-258857","ruleId":"SV-258857r933632_rule","severity":"high","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.","description":"SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i HostbasedAuthentication\n\nExample result:\n\nhostbasedauthentication no\n\nIf \"HostbasedAuthentication\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"HostbasedAuthentication\" line is uncommented and set to the following:\n\nHostbasedAuthentication no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258858","ruleId":"SV-258858r933635_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to use the pam_faillock.so module.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nThis module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications.","checkContent":"At the command line, run the following commands to verify the pam_faillock.so module is used:\n\n# grep '^auth' /etc/pam.d/system-auth\n\nExample result:\n\nauth required pam_faillock.so preauth\nauth required pam_unix.so\nauth required pam_faillock.so authfail\n\nIf the pam_faillock.so module is not present with the \"preauth\" line listed before pam_unix.so, this is a finding.\nIf the pam_faillock.so module is not present with the \"authfail\" line listed after pam_unix.so, this is a finding.\n\n# grep '^account' /etc/pam.d/system-account\n\nExample result:\n\naccount required pam_faillock.so\naccount required pam_unix.so\n\nIf the pam_faillock.so module is not present and listed before pam_unix.so, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-auth\n\nAdd or update the following lines making sure to place the preauth line before the pam_unix.so module:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\n\nNavigate to and open:\n\n/etc/pam.d/system-account\n\nAdd or update the following lines making sure to place the line before the pam_unix.so module:\n\naccount required pam_faillock.so\n\nNote: The lines shown assume the /etc/security/faillock.conf file is used to configure pam_faillock.\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000044"]},{"vulnId":"V-258859","ruleId":"SV-258859r933638_rule","severity":"medium","ruleTitle":"The Photon operating system must prevent leaking information of the existence of a user account.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIf the pam_faillock.so module is not configured to use the silent flag it could leak information about the existence or nonexistence of a user account.","checkContent":"At the command line, run the following command to verify account information is not leaked during the login process:\n\n# grep '^silent' /etc/security/faillock.conf\n\nExample result:\n\nsilent\n\nIf the \"silent\" option is not set, is missing or commented out, this is a finding.\n\nNote: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.","fixText":"Navigate to and open:\n\n/etc/security/faillock.conf\n\nAdd or update the following lines:\n\nsilent\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000044"]},{"vulnId":"V-258860","ruleId":"SV-258860r933641_rule","severity":"medium","ruleTitle":"The Photon operating system must audit logon attempts for unknown users.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.","checkContent":"At the command line, run the following command to verify that audit logon attempts for unknown users is performed:\n\n# grep '^audit' /etc/security/faillock.conf\n\nExample result:\n\naudit\n\nIf the \"audit\" option is not set, is missing or commented out, this is a finding.\n\nNote: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.","fixText":"Navigate to and open:\n\n/etc/security/faillock.conf\n\nAdd or update the following lines:\n\naudit\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000044"]},{"vulnId":"V-258861","ruleId":"SV-258861r933644_rule","severity":"medium","ruleTitle":"The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nUnless specified the root account is not included in the default faillock module options and should be included.","checkContent":"At the command line, run the following command to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period includes the root account:\n\n# grep '^even_deny_root' /etc/security/faillock.conf\n\nExample result:\n\neven_deny_root\n\nIf the \"even_deny_root\" option is not set, is missing or commented out, this is a finding.\n\nNote: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.","fixText":"Navigate to and open:\n\n/etc/security/faillock.conf\n\nAdd or update the following lines:\n\neven_deny_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000044"]},{"vulnId":"V-258862","ruleId":"SV-258862r933647_rule","severity":"medium","ruleTitle":"The Photon operating system must persist lockouts between system reboots.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nBy default, account lockout information is stored under /var/run/faillock and is not persistent between reboots.","checkContent":"At the command line, run the following command to verify account locking persists lockouts between system reboots:\n\n# grep '^dir' /etc/security/faillock.conf\n\nExample result:\n\ndir = /var/log/faillock\n\nIf the \"dir\" option is set to \"/var/run/faillock\", this is a finding.\nIf the \"dir\" option is not set to a persistent documented faillock directory, is missing or commented out, this is a finding.\n\nNote: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files.","fixText":"Navigate to and open:\n\n/etc/security/faillock.conf\n\nAdd or update the following lines:\n\ndir = /var/log/faillock\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000044"]},{"vulnId":"V-258863","ruleId":"SV-258863r933650_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to use the pam_pwquality.so module.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"At the command line, run the following command to verify the pam_pwquality.so module is used:\n\n# grep '^password' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\npassword required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok\npassword required pam_unix.so sha512 use_authtok shadow try_first_pass\n\nIf the pam_pwquality.so module is not present, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd or update the pam_pwquality.so module line as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: The line must be configured before pam_pwhistory.so.\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000192"]},{"vulnId":"V-258864","ruleId":"SV-258864r933653_rule","severity":"high","ruleTitle":"The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.","description":"Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.","checkContent":"At the command line, run the following command to verify software packages are cryptographically verified during installation:\n\n# grep gpgcheck /etc/yum.repos.d/*\n\nIf \"gpgcheck\" is not set to \"1\" in any returned file, this is a finding.","fixText":"Open the file where \"gpgcheck\" is not set to 1 with a text editor.\n\nAdd or update the following line:\n\ngpgcheck=1","ccis":["CCI-001749"]},{"vulnId":"V-258865","ruleId":"SV-258865r933656_rule","severity":"medium","ruleTitle":"The Photon operating system must configure the Secure Shell (SSH) SyslogFacility.","description":"Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.\n\nShipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i SyslogFacility\n\nExample result:\n\nsyslogfacility AUTHPRIV\n\nIf \"syslogfacility\" is not set to \"AUTH\" or \"AUTHPRIV\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"SyslogFacility\" line is uncommented and set to the following:\n\nSyslogFacility AUTHPRIV\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000067"]},{"vulnId":"V-258866","ruleId":"SV-258866r933659_rule","severity":"medium","ruleTitle":"The Photon operating system must enable Secure Shell (SSH) authentication logging.","description":"Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.\n\nThe INFO LogLevel is required, at least, to ensure the capturing of failed login events.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i LogLevel\n\nExample result:\n\nloglevel INFO\n\nIf \"LogLevel\" is not set to \"INFO\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"LogLevel\" line is uncommented and set to the following:\n\nLogLevel INFO\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000067"]},{"vulnId":"V-258867","ruleId":"SV-258867r933662_rule","severity":"medium","ruleTitle":"The Photon operating system must terminate idle Secure Shell (SSH) sessions.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i ClientAliveCountMax\n\nExpected result:\n\nclientalivecountmax 0\n\nIf \"ClientAliveCountMax\" is not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"ClientAliveCountMax\" line is uncommented and set to the following:\n\nClientAliveCountMax 0\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-001133"]},{"vulnId":"V-258868","ruleId":"SV-258868r933665_rule","severity":"medium","ruleTitle":"The Photon operating system must audit all account modifications.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000239-GPOS-00089, SRG-OS-000303-GPOS-00120, SRG-OS-000467-GPOS-00211","checkContent":"At the command line, run the following command to verify an audit rule exists to audit account modifications:\n\n# auditctl -l | grep -E \"(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)\"\n\nExpected result:\n\n-w /etc/passwd -p wa -k passwd\n-w /etc/shadow -p wa -k shadow\n-w /etc/group -p wa -k group\n-w /etc/gshadow -p wa -k gshadow\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /etc/passwd -p wa -k passwd\n-w /etc/shadow -p wa -k shadow\n-w /etc/group -p wa -k group\n-w /etc/gshadow -p wa -k gshadow\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000172","CCI-001403","CCI-002130"]},{"vulnId":"V-258869","ruleId":"SV-258869r933668_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"At the command line, run the following command to verify the pam_faildelay.so module is used:\n\n# grep '^auth' /etc/pam.d/system-auth\n\nExample result:\n\nauth required pam_faillock.so preauth\nauth required pam_unix.so\nauth required pam_faillock.so authfail\nauth optional pam_faildelay.so delay=4000000\n\nIf the pam_faildelay.so module is not present with the delay set to at least four seconds, this is a finding.\n\nNote: The delay is configured in milliseconds.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-auth\n\nAdd or update the following line:\n\nauth optional pam_faildelay.so delay=4000000\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000366"]},{"vulnId":"V-258870","ruleId":"SV-258870r933671_rule","severity":"high","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.","description":"Blank passwords are one of the first things an attacker checks for when probing a system. Even if the user somehow has a blank password on the OS, SSH must not allow that user to log in.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i PermitEmptyPasswords\n\nExample result:\n\npermitemptypasswords no\n\nIf \"PermitEmptyPasswords\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"PermitEmptyPasswords\" line is uncommented and set to the following:\n\nPermitEmptyPasswords no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258871","ruleId":"SV-258871r933674_rule","severity":"high","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.","description":"Enabling user environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i PermitUserEnvironment\n\nExample result:\n\npermituserenvironment no\n\nIf \"PermitUserEnvironment\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"PermitUserEnvironment\" line is uncommented and set to the following:\n\nPermitUserEnvironment no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258872","ruleId":"SV-258872r933677_rule","severity":"medium","ruleTitle":"The Photon operating system must create a home directory for all new local interactive user accounts.","description":"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.","checkContent":"At the command line, run the following command to verify a home directory is created for all new user accounts:\n\n# grep '^CREATE_HOME' /etc/login.defs\n\nExample result:\n\nCREATE_HOME yes\n\nIf the \"CREATE_HOME\" option is not set to \"yes\", is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or update the following line:\n\nCREATE_HOME yes","ccis":["CCI-000366"]},{"vulnId":"V-258873","ruleId":"SV-258873r933680_rule","severity":"medium","ruleTitle":"The Photon operating system must disable the debug-shell service.","description":"The debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.","checkContent":"At the command line, run the following command to verify the debug-shell service is disabled:\n\n# systemctl status debug-shell.service\n\nIf the debug-shell service is not stopped and disabled, this is a finding.","fixText":"At the command line, run the following commands:\n\n# systemctl stop debug-shell.service\n# systemctl disable debug-shell.service","ccis":["CCI-000366"]},{"vulnId":"V-258874","ruleId":"SV-258874r933683_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.","description":"GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SSH) exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i GSSAPIAuthentication\n\nExample result:\n\ngssapiauthentication no\n\nIf \"GSSAPIAuthentication\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"GSSAPIAuthentication\" line is uncommented and set to the following:\n\nGSSAPIAuthentication no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258875","ruleId":"SV-258875r933686_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.","description":"X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i X11Forwarding\n\nExample result:\n\nx11forwarding no\n\nIf \"X11Forwarding\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"X11Forwarding\" line is uncommented and set to the following:\n\nX11Forwarding no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258876","ruleId":"SV-258876r933689_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.","description":"If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i StrictModes\n\nExample result:\n\nstrictmodes yes\n\nIf \"StrictModes\" is not set to \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"StrictModes\" line is uncommented and set to the following:\n\nStrictModes yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258877","ruleId":"SV-258877r933692_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.","description":"If Kerberos is enabled through SSH, sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i KerberosAuthentication\n\nExample result:\n\nkerberosauthentication no\n\nIf \"KerberosAuthentication\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"KerberosAuthentication\" line is uncommented and set to the following:\n\nKerberosAuthentication no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258878","ruleId":"SV-258878r933695_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.","description":"If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i Compression\n\nExample result:\n\ncompression no\n\nIf there is no output or if \"Compression\" is not set to \"delayed\" or \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"Compression\" line is uncommented and set to the following:\n\nCompression no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258879","ruleId":"SV-258879r933698_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.","description":"Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthorized account use.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i PrintLastLog\n\nExample result:\n\nprintlastlog yes\n\nIf \"PrintLastLog\" is not set to \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"PrintLastLog\" line is uncommented and set to the following:\n\nPrintLastLog yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258880","ruleId":"SV-258880r933701_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.","description":"SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i IgnoreRhosts\n\nExample result:\n\nignorerhosts yes\n\nIf \"IgnoreRhosts\" is not set to \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"IgnoreRhosts\" line is uncommented and set to the following:\n\nIgnoreRhosts yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258881","ruleId":"SV-258881r935567_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.","description":"SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i IgnoreUserKnownHosts\n\nExpected result:\n\nignoreuserknownhosts yes\n\nIf \"IgnoreUserKnownHosts\" is not set to \"yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"IgnoreUserKnownHosts\" line is uncommented and set to the following:\n\nIgnoreUserKnownHosts yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258882","ruleId":"SV-258882r933707_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.","description":"By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i MaxAuthTries\n\nExample result:\n\nmaxauthtries 6\n\nIf \"MaxAuthTries\" is not set to \"6\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"MaxAuthTries\" line is uncommented and set to the following:\n\nMaxAuthTries 6\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258883","ruleId":"SV-258883r933710_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.","description":"While enabling TCP tunnels is a valuable function of sshd, this feature is not appropriate for use on single purpose appliances.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i AllowTcpForwarding\n\nExample result:\n\nallowtcpforwarding no\n\nIf \"AllowTcpForwarding\" is not set to \"no\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"AllowTcpForwarding\" line is uncommented and set to the following:\n\nAllowTcpForwarding no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258884","ruleId":"SV-258884r933713_rule","severity":"medium","ruleTitle":"The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime.","description":"By default, SSH unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login would need such an amount of time to complete a login. Quickly terminating idle or incomplete login attempts will free up resources and reduce the exposure any partial logon attempts may create.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i LoginGraceTime\n\nExample result:\n\nlogingracetime 30\n\nIf \"LoginGraceTime\" is not set to \"30\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"LoginGraceTime\" line is uncommented and set to the following:\n\nLoginGraceTime 30\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258885","ruleId":"SV-258885r933716_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.","description":"When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of systems availability due to unintentional reboot.","checkContent":"At the command line, run the following command to verify the ctrl-alt-del target is disabled and masked:\n\n# systemctl status ctrl-alt-del.target --no-pager\n\nExample output:\n\nctrl-alt-del.target\n Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\n Active: inactive (dead)\n\nIf the \"ctrl-alt-del.target\" is not \"inactive\" and \"masked\", this is a finding.","fixText":"At the command line, run the following commands:\n\n# systemctl disable ctrl-alt-del.target\n# systemctl mask ctrl-alt-del.target\n# systemctl daemon-reload","ccis":["CCI-000366"]},{"vulnId":"V-258886","ruleId":"SV-258886r933719_rule","severity":"medium","ruleTitle":"The Photon operating system must not forward IPv4 or IPv6 source-routed packets.","description":"Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to record the hops as the route is traversed.\n\nThe list of hops taken, the \"route record\", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes and should therefore be disabled.","checkContent":"At the command line, run the following command to verify source-routed packets are not forwarded:\n\n# /sbin/sysctl -a --pattern \"net.ipv[4|6].conf.(all|default).accept_source_route\"\n\nExpected result:\n\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the \"accept_source_route\" kernel parameters are not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following lines:\n\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258887","ruleId":"SV-258887r933722_rule","severity":"medium","ruleTitle":"The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.","description":"Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.","checkContent":"At the command line, run the following command to verify ICMP echoes sent to a broadcast address are ignored:\n\n# /sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nExample result:\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the \"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258888","ruleId":"SV-258888r933725_rule","severity":"medium","ruleTitle":"The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"At the command line, run the following command to verify ICMP redirects are not accepted:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).accept_redirects\"\n\nExpected result:\n\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the \"accept_redirects\" kernel parameters are not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following lines:\n\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258889","ruleId":"SV-258889r933728_rule","severity":"medium","ruleTitle":"The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"At the command line, run the following command to verify ICMP secure redirects are not accepted:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).secure_redirects\"\n\nExpected result:\n\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\n\nIf the \"secure_redirects\" kernel parameters are not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following lines:\n\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258890","ruleId":"SV-258890r933731_rule","severity":"medium","ruleTitle":"The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.","checkContent":"At the command line, run the following command to verify ICMP send redirects are not accepted:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).send_redirects\"\n\nExpected result:\n\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\n\nIf the \"send_redirects\" kernel parameters are not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following lines:\n\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258891","ruleId":"SV-258891r933734_rule","severity":"medium","ruleTitle":"The Photon operating system must log IPv4 packets with impossible addresses.","description":"The presence of \"martian\" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.","checkContent":"At the command line, run the following command to verify martian packets are logged:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).log_martians\"\n\nExpected result:\n\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\n\nIf the \"log_martians\" kernel parameters are not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following lines:\n\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258892","ruleId":"SV-258892r933737_rule","severity":"medium","ruleTitle":"The Photon operating system must use a reverse-path filter for IPv4 network traffic.","description":"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.","checkContent":"At the command line, run the following command to verify IPv4 traffic is using a reverse path filter:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).rp_filter\"\n\nExpected result:\n\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n\nIf the \"rp_filter\" kernel parameters are not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following lines:\n\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258893","ruleId":"SV-258893r933740_rule","severity":"medium","ruleTitle":"The Photon operating system must not perform IPv4 packet forwarding.","description":"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.","checkContent":"If IP forwarding is required, for example if Kubernetes is installed, this is Not Applicable.\n\nAt the command line, run the following command to verify packet forwarding it disabled:\n\n# /sbin/sysctl net.ipv4.ip_forward\n\nExpected result:\n\nnet.ipv4.ip_forward = 0\n\nIf the \"net.ipv4.ip_forward\" kernel parameter is not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nnet.ipv4.ip_forward = 0\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258894","ruleId":"SV-258894r933743_rule","severity":"medium","ruleTitle":"The Photon operating system must send TCP timestamps.","description":"TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can help a bad actor in determining likely patch levels for vulnerabilities.","checkContent":"At the command line, run the following command to verify TCP timestamps are enabled:\n\n# /sbin/sysctl net.ipv4.tcp_timestamps\n\nExpected result:\n\nnet.ipv4.tcp_timestamps = 1\n\nIf the \"net.ipv4.tcp_timestamps\" kernel parameter is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nnet.ipv4.tcp_timestamps = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258895","ruleId":"SV-258895r933746_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.","description":"If a public host key file is modified by an unauthorized user, the SSH service may be compromised.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/*key.pub\n\nExample result:\n\n/etc/ssh/ssh_host_dsa_key.pub permissions are 644 and owned by root:root\n/etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root\n/etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root\n/etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root\n\nIf any \"key.pub\" file listed is not owned by root or not group owned by root or does not have permissions of \"0644\", this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 644 \n# chown root:root \n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258896","ruleId":"SV-258896r933749_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.","description":"If an unauthorized user obtains the private SSH host key file, the host could be impersonated.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/*key\n\nExample result:\n\n/etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root\n/etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root\n/etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root\n/etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root\n\nIf any key file listed is not owned by root or not group owned by root or does not have permissions of \"0600\", this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 600 \n# chown root:root \n# systemctl restart sshd.service","ccis":["CCI-000366"]},{"vulnId":"V-258897","ruleId":"SV-258897r933752_rule","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity on the root account.","description":"Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_pwquality does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.","checkContent":"At the command line, run the following command to verify password complexity is enforced for the root account:\n\n# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nIf the \"enforce_for_root\" option is missing or commented out, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nConfigure the pam_pwquality.so line to have the \"enforce_for_root\" option present as follows:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000366"]},{"vulnId":"V-258898","ruleId":"SV-258898r935569_rule","severity":"medium","ruleTitle":"The Photon operating system must disable systemd fallback DNS.","description":"Systemd contains an ability to set fallback DNS servers, which is used for DNS lookups in the event no system level DNS servers are configured or other DNS servers are specified in the Systemd resolved.conf file. If uncommented, this configuration contains Google DNS servers by default and could result in DNS leaking info unknowingly in the event DNS is absent or misconfigured at the system level.","checkContent":"At the command line, run the following command to verify systemd fallback DNS is disabled:\n\n# resolvectl status | grep '^Fallback DNS'\n\nIf the output indicates that Fallback DNS servers are configured, this is a finding.","fixText":"Navigate to and open:\n\n/etc/systemd/resolved.conf\n\nAdd or update the \"FallbackDNS\" entry to the following:\n\nFallbackDNS=\n\nRestart the Systemd resolved service by running the following command:\n\n# systemctl restart systemd-resolved\n\nNote: If this option is not given, a compiled-in list of DNS servers is used instead, which is undesirable.","ccis":["CCI-000366"]},{"vulnId":"V-258899","ruleId":"SV-258899r933758_rule","severity":"medium","ruleTitle":"The Photon operating system must generate audit records for all access and modifications to the opasswd file.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"At the command line, run the following command to verify an audit rule exists to audit the opasswd file:\n\n# auditctl -l | grep -E /etc/security/opasswd\n\nExpected result:\n\n-w /etc/security/opasswd -p wa -k opasswd\n\nIf the opasswd file is not monitored for access or writes, this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /etc/security/opasswd -p wa -k opasswd\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.","ccis":["CCI-000366"]},{"vulnId":"V-258900","ruleId":"SV-258900r933761_rule","severity":"high","ruleTitle":"The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","checkContent":"At the command line, run the following command to verify the running configuration of sshd:\n\n# sshd -T|&grep -i MACs\n\nExample result:\n\nmacs hmac-sha2-512,hmac-sha2-256\n\nIf the output matches the macs in the example result or a subset thereof, this is not a finding.\n\nIf the output contains any macs not listed in the example result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"MACs\" line is uncommented and set to the following:\n\nMACs hmac-sha2-512,hmac-sha2-256\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service","ccis":["CCI-001453"]},{"vulnId":"V-258901","ruleId":"SV-258901r933764_rule","severity":"medium","ruleTitle":"The Photon operating system must enable the rsyslog service.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.","checkContent":"If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.\n\nAt the command line, run the following command to verify rsyslog is enabled and running:\n\n# systemctl status rsyslog\n\nIf the rsyslog service is not enabled and running, this is a finding.","fixText":"At the command line, run the following commands:\n\n# systemctl enable rsyslog\n# systemctl start rsyslog","ccis":["CCI-000366"]},{"vulnId":"V-258902","ruleId":"SV-258902r933767_rule","severity":"medium","ruleTitle":"The Photon operating system must be configured to use the pam_pwhistory.so module.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.","checkContent":"At the command line, run the following command to verify the pam_pwhistory.so module is used:\n\n# grep '^password' /etc/pam.d/system-password\n\nExample result:\n\npassword requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1\npassword required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok\npassword required pam_unix.so sha512 use_authtok shadow try_first_pass\n\nIf the \"pam_pwhistory.so\" module is not present, this is a finding.\nIf \"use_authtok\" is not present for the \"pam_pwhistory.so\" module, this is a finding.\nIf \"conf\" or \"file\" are present for the \"pam_pwhistory.so\" module, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd or update the pam_pwhistory.so module line as follows:\n\npassword required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok\n\nNote: The line must be configured after pam_pwquality.so.\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot.","ccis":["CCI-000200"]},{"vulnId":"V-258903","ruleId":"SV-258903r933770_rule","severity":"medium","ruleTitle":"The Photon operating system must enable hardlink access control protection in the kernel.","description":"By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().","checkContent":"At the command line, run the following command to verify hardlink protection is enabled:\n\n# /sbin/sysctl fs.protected_hardlinks\n\nExample result:\n\nfs.protected_hardlinks = 1\n\nIf the \"fs.protected_hardlinks\" kernel parameter is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nfs.protected_hardlinks = 1\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]},{"vulnId":"V-258904","ruleId":"SV-258904r933773_rule","severity":"medium","ruleTitle":"The Photon operating system must restrict core dumps.","description":"By enabling the fs.suid_dumpable kernel parameter, core dumps are not generated for setuid or otherwise protected/tainted binaries. This prevents users from potentially accessing core dumps with privileged information they would otherwise not have access to read.","checkContent":"At the command line, run the following command to verify core dumps are restricted:\n\n# /sbin/sysctl fs.suid_dumpable\n\nExample result:\n\nfs.suid_dumpable = 0\n\nIf the \"fs.suid_dumpable\" kernel parameter is not set to \"0\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/zz-stig-hardening.conf\n\nAdd or update the following line:\n\nfs.suid_dumpable = 0\n\nAt the command line, run the following command to load the new configuration:\n\n# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf\n\nNote: If the file zz-stig-hardening.conf does not exist, it must be created.","ccis":["CCI-000366"]}]}