
Nutanix AOS 5.20.x OS Security Technical Implementation Guide

Version: V1R2
Release Date: Jun 18, 2024
SCAP Benchmark ID: Nutanix_AOS_5-20-x_OS_STIG
Total Checks: 119
Tags: other
Severity breakdown: CAT I: 6, CAT II: 107, CAT III: 6

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (119)

  • V-254120 (MEDIUM): Nutanix AOS must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • V-254121 (MEDIUM): Nutanix AOS must disconnect a session after 15 minutes of idle time for all connection types.
  • V-254122 (MEDIUM): Nutanix AOS must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
  • V-254123 (MEDIUM): Nutanix AOS must monitor remote access methods.
  • V-254124 (MEDIUM): Nutanix AOS must control remote access methods.
  • V-254125 (HIGH): Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  • V-254126 (LOW): Nutanix AOS must automatically remove or disable temporary user accounts after 72 hours.
  • V-254127 (MEDIUM): Nutanix AOS must audit all account actions.
  • V-254128 (LOW): Nutanix AOS must be configured with an encrypted boot password for root.
  • V-254129 (MEDIUM): Nutanix AOS must enforce discretionary access control on symlinks and hardlinks.
  • V-254130 (MEDIUM): Nutanix AOS must audit the execution of privileged functions.
  • V-254131 (MEDIUM): Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-254132 (LOW): Nutanix AOS must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access.
  • V-254133 (MEDIUM): Any publicly accessible connection to Nutanix AOS must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
  • V-254134 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).
  • V-254135 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system and account management actions.
  • V-254136 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file attribute management actions.
  • V-254137 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system module management actions.
  • V-254138 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for directory and permissions management actions.
  • V-254139 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file management actions.
  • V-254140 (MEDIUM): Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for all account creations, modifications, disabling, and terminations.
  • V-254141 (MEDIUM): Nutanix AOS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-254142 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the chown privileged commands.
  • V-254143 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the creat privileged commands.
  • V-254144 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the open-related privileged commands.
  • V-254145 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the truncate-related privileged commands.
  • V-254146 (MEDIUM): Nutanix AOS must generate audit records for file access actions.
  • V-254147 (MEDIUM): Nutanix AOS must generate audit records for file ownership actions.
  • V-254148 (MEDIUM): Nutanix AOS must generate audit records for file permission actions.
  • V-254149 (MEDIUM): Nutanix AOS must generate audit records for file extended attribute actions.
  • V-254150 (MEDIUM): Nutanix AOS must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
  • V-254151 (MEDIUM): Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify privileges occur.
  • V-254152 (MEDIUM): Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.
  • V-254153 (MEDIUM): Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify categories of information occur.
  • V-254154 (MEDIUM): Nutanix AOS must audit attempts to modify or delete security objects.
  • V-254155 (MEDIUM): Nutanix AOS must generate audit records when successful/unsuccessful logon attempts occur.
  • V-254156 (MEDIUM): Nutanix AOS must generate audit records for privileged security activities.
  • V-254157 (MEDIUM): Nutanix AOS must generate audit records for privileged account activities.
  • V-254158 (MEDIUM): Nutanix AOS must be configured to audit the loading and unloading of dynamic kernel modules.
  • V-254159 (MEDIUM): Nutanix AOS must generate audit records when concurrent logons to the same account occur from different sources.
  • V-254160 (MEDIUM): Nutanix AOS must generate audit records when successful/unsuccessful accesses to objects occur.
  • V-254161 (MEDIUM): Nutanix AOS must generate audit records for all direct access to the information system.
  • V-254162 (MEDIUM): Nutanix AOS must generate audit records for all account creations, modifications, disabling, and termination events.
  • V-254163 (MEDIUM): Nutanix AOS must initiate session audits at system start-up.
  • V-254164 (MEDIUM): Nutanix AOS must produce audit records containing information to establish what type of events occurred.
  • V-254165 (MEDIUM): Nutanix AOS must produce audit records containing information to establish when events occurred.
  • V-254166 (MEDIUM): Nutanix AOS must produce audit records containing information to establish where events occurred.
  • V-254167 (MEDIUM): Nutanix AOS must produce audit records containing information to establish the source of events.
  • V-254168 (MEDIUM): Nutanix AOS must produce audit records containing information to establish the outcome of events.
  • V-254169 (MEDIUM): Nutanix AOS must produce audit records containing information to establish the identity of any individual or process associated with the event.
  • V-254170 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the passwd/gpasswd/unix-chkpwd privileged commands.
  • V-254171 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the chage privileged command.
  • V-254172 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the userhelper privileged command.
  • V-254173 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the mount and umount privileged commands.
  • V-254174 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the post-related privileged commands.
  • V-254175 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the openssh-related privileged commands.
  • V-254176 (MEDIUM): Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the crontab-related privileged commands.
  • V-254177 (MEDIUM): Nutanix AOS must produce audit records containing the individual identities of group account users.
  • V-254178 (MEDIUM): Nutanix AOS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
  • V-254179 (MEDIUM): Nutanix AOS must offload audit records to a syslog server.
  • V-254180 (MEDIUM): Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern).
  • V-254181 (MEDIUM): Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system.
  • V-254182 (LOW): Nutanix AOS must compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
  • V-254183 (MEDIUM): Nutanix AOS must protect audit information from unauthorized access.
  • V-254184 (MEDIUM): Nutanix AOS audit tools must be configured to 0755 or less permissive.
  • V-254185 (MEDIUM): Nutanix AOS audit tools must be owned by root.
  • V-254186 (MEDIUM): Nutanix AOS audit tools must be group-owned by root.
  • V-254187 (HIGH): Nutanix AOS must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-254188 (MEDIUM): Nutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.
  • V-254189 (MEDIUM): Nutanix AOS must not be configured to allow GSSAPIAuthentication.
  • V-254190 (MEDIUM): Nutanix AOS must not be configured to allow KerberosAuthentication.
  • V-254191 (MEDIUM): Nutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
  • V-254192 (MEDIUM): Nutanix AOS must prevent the use of dictionary words for passwords.
  • V-254193 (MEDIUM): Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-254194 (MEDIUM): Nutanix AOS must be configured to run SCMA daily.
  • V-254195 (LOW): Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-254196 (MEDIUM): Nutanix AOS must not allow an unattended or automatic logon to the system.
  • V-254197 (MEDIUM): Nutanix AOS must be configured so that all local interactive user home directories have mode "0750" or less permissive.
  • V-254198 (MEDIUM): Nutanix AOS must enable an application firewall, if available.
  • V-254199 (MEDIUM): Nutanix AOS must be configured with nodev, nosuid, and noexec options for /dev/shm.
  • V-254200 (MEDIUM): Nutanix AOS must not have the rsh-server package installed.
  • V-254201 (MEDIUM): Nutanix AOS must not have the ypserv package installed.
  • V-254202 (MEDIUM): Nutanix AOS must not have the telnet-server package installed.
  • V-254203 (MEDIUM): Nutanix AOS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
  • V-254204 (MEDIUM): Nutanix AOS must require users to reauthenticate for privilege escalation.
  • V-254205 (MEDIUM): Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-254206 (MEDIUM): Nutanix AOS must be configured to disable USB mass storage devices.
  • V-254207 (LOW): Nutanix AOS must be configured to disable user accounts after the password expires.
  • V-254208 (MEDIUM): Nutanix AOS must enforce password complexity by requiring that at least one uppercase character be used.
  • V-254209 (MEDIUM): Nutanix AOS must enforce password complexity by requiring that at least one lowercase character be used.
  • V-254210 (MEDIUM): Nutanix AOS must enforce password complexity by requiring that at least one numeric character be used.
  • V-254211 (MEDIUM): Nutanix AOS must enforce a minimum 15 character password length.
  • V-254212 (MEDIUM): Nutanix AOS must enforce password complexity by requiring that at least one special character be used.
  • V-254213 (MEDIUM): Nutanix AOS must require the change of at least 50 percent of the total number of characters when passwords are changed.
  • V-254214 (MEDIUM): Nutanix AOS must require the change of at least four character classes when passwords are changed.
  • V-254215 (MEDIUM): Nutanix AOS must require the maximum number of repeating characters be limited to three when passwords are changed.
  • V-254216 (MEDIUM): Nutanix AOS must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
  • V-254217 (HIGH): Nutanix AOS must store only encrypted representations of passwords.
  • V-254218 (MEDIUM): Nutanix AOS must enforce 24 hours/1 day as the minimum password lifetime.
  • V-254219 (MEDIUM): Nutanix AOS must enforce a 60-day maximum password lifetime restriction.
  • V-254220 (MEDIUM): Nutanix AOS must prohibit password reuse for a minimum of five generations.
  • V-254221 (MEDIUM): Nutanix AOS must prohibit the use of cached authenticators.
  • V-254222 (HIGH): Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
  • V-254223 (MEDIUM): Nutanix AOS must audit all activities performed during nonlocal maintenance and diagnostic sessions.
  • V-254224 (HIGH): Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography.
  • V-254225 (MEDIUM): Nutanix AOS must be configured to run SELinux Policies.
  • V-254226 (MEDIUM): Nutanix AOS must be configured to restrict public directories.
  • V-254227 (MEDIUM): Nutanix AOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
  • V-254228 (MEDIUM): Nutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks.
  • V-254229 (MEDIUM): Nutanix AOS must protect the confidentiality and integrity of transmitted information.
  • V-254230 (MEDIUM): Nutanix AOS must maintain the confidentiality and integrity of information during preparation for transmission.
  • V-254231 (MEDIUM): Nutanix AOS must maintain the confidentiality and integrity of information during reception.
  • V-254232 (MEDIUM): Nutanix AOS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-254233 (MEDIUM): Nutanix AOS must reveal error messages only to authorized users.
  • V-254234 (MEDIUM): Nutanix AOS must implement nonexecutable data to protect its memory from unauthorized code execution.
  • V-254235 (MEDIUM): Nutanix AOS must implement address space layout randomization to protect its memory from unauthorized code execution.
  • V-254236 (MEDIUM): Nutanix AOS must remove all software components after updated versions have been installed.
  • V-254237 (MEDIUM): Nutanix AOS must be configured to use SELinux Enforcing mode.
  • V-264424 (HIGH): Nutanix AOS must be running an operating system release that is currently supported by the vendor.