STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Nutanix Acropolis GPOS Security Technical Implementation Guide

Version: V1R1
Release Date: Feb 24, 2026
SCAP Benchmark ID: NTNX_Acropolis_GPOS_STIG
Total Checks: 106
Tags: other
Severity breakdown: CAT I (HIGH): 15, CAT II (MEDIUM): 85, CAT III (LOW): 6

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (106)

V-279527 MEDIUM Nutanix VMM must be configured to remove ypserv.
V-279528 LOW Nutanix OS must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-279529 MEDIUM Nutanix OS must set the value of "lock-after-time" to 890 seconds for remote access sessions.
V-279530 MEDIUM Nutanix OS must configure the ClientAliveInterval to "600" and ClientAliveCountMax to "1".
V-279531 MEDIUM Nutanix OS must monitor SSH access.
V-279532 MEDIUM Nutanix OS must configure the firewall to control remote access methods.
V-279533 HIGH Nutanix OS must implement DOD-approved encryption to protect the confidentiality of SSH sessions.
V-279534 HIGH Nutanix OS must implement cryptography to protect the integrity of remote access sessions by using only HMACs employing FIPS 140-3-approved algorithms.
V-279535 HIGH Nutanix OS must implement cryptography to protect the integrity of remote access sessions by setting the systemwide policy to use FIPS mode.
V-279536 HIGH Nutanix OS must implement TLS to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions.
V-279537 HIGH Nutanix OS must implement cryptography to protect the integrity of remote access sessions.
V-279538 HIGH Nutanix OS must implement cryptography to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions.
V-279539 MEDIUM Nutanix OS must automatically remove or disable temporary user accounts after 72 hours.
V-279540 MEDIUM Nutanix OS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-279541 MEDIUM Nutanix OS must audit all account change actions.
V-279542 MEDIUM Nutanix VMM must encrypt the boot password for root.
V-279543 MEDIUM Nutanix OS must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.
V-279544 MEDIUM Nutanix OS must enable kernel parameters to enforce discretionary access control on symlinks.
V-279545 MEDIUM Nutanix OS must audit the execution of privileged functions.
V-279546 MEDIUM Nutanix OS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-279547 MEDIUM Nutanix OS must display the Standard Mandatory DOD Notice and Consent Banner for SSH access.
V-279548 LOW Nutanix OS must display the Standard Mandatory DOD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-279549 MEDIUM Nutanix OS must provide audit record generation capability for DOD-defined auditable events for account changes.
V-279550 MEDIUM Nutanix OS must configure /etc/audit/audit.rules to generate audit records for account access actions.
V-279551 MEDIUM Nutanix OS must configure /etc/audit/audit.rules to generate audit records for account deletion actions.
V-279552 MEDIUM Nutanix OS must provide audit record generation for successful and unsuccessful uses of the init_module and finit_module system calls.
V-279553 MEDIUM Nutanix OS must provide audit record generation for successful and unsuccessful attempts to move, remove, or delete files and directories.
V-279554 MEDIUM Nutanix OS must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-279555 MEDIUM Nutanix OS must provide audit record generation capability for all account actions.
V-279556 MEDIUM Nutanix OS must provide audit record generation capability for DOD-defined auditable events for all kernel module load, unload, and restart actions.
V-279557 MEDIUM Nutanix OS must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-279558 MEDIUM Nutanix OS must generate audit records when successful/unsuccessful attempts to modify security objects and categories of information (e.g., classification levels) occur.
V-279559 MEDIUM Nutanix OS must generate audit records when successful/unsuccessful logon attempts occur.
V-279560 MEDIUM Nutanix OS must generate audit records for privileged activities or other system-level access.
V-279561 MEDIUM The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-279562 MEDIUM Nutanix OS must generate audit records when concurrent logons to the same account occur from different sources.
V-279563 MEDIUM Nutanix OS must generate audit records for all account creations, modifications, disabling, and termination events.
V-279564 MEDIUM Nutanix OS must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-279565 MEDIUM Nutanix OS must have the audit.x86_64 package installed.
V-279566 LOW Nutanix OS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-279567 LOW Nutanix OS must be configured to send audit records to a site-specific remote syslog server.
V-279568 LOW Nutanix OS must immediately notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
V-279569 MEDIUM Nutanix OS must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.
V-279570 MEDIUM Nutanix AHV must disable network management of the chrony daemon.
V-279571 MEDIUM Nutanix AHV must disable the chrony daemon from acting like a server.
V-279572 MEDIUM Nutanix AHV must disable the use of the cramfs kernel module.
V-279573 LOW Nutanix OS must configure redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-279574 HIGH Nutanix OS must use cryptographic mechanisms to protect the integrity of audit tools.
V-279575 MEDIUM Nutanix OS must configure audit log permissions for 0600 or less.
V-279576 MEDIUM Nutanix OS must configure the audit log files to be owned by root.
V-279577 HIGH Nutanix OS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-279578 MEDIUM Nutanix OS must prevent SSH from permitting Generic Security Service Application Program Interface (GSSAPI) authentication.
V-279579 MEDIUM Nutanix AHV must not be configured to allow Kerberos authentication.
V-279580 MEDIUM Nutanix OS must prevent using dictionary words for passwords.
V-279581 MEDIUM Nutanix OS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-279582 MEDIUM Nutanix OS must set the SCMA framework to check the baseline daily.
V-279583 MEDIUM Nutanix OS must define default permissions for all authenticated users so the user can only read and modify their own files.
V-279584 HIGH Nutanix OS must not allow an unattended or automatic logon to the system.
V-279585 MEDIUM Nutanix OS must limit the ability of nonprivileged users to grant other users direct access to the contents of their home directories/folders.
V-279586 MEDIUM Nutanix OS must enable an application firewall.
V-279587 MEDIUM Nutanix OS must mount /dev/shm with secure options.
V-279588 MEDIUM Nutanix OS must mount /tmp with secure options.
V-279589 MEDIUM Nutanix OS must mount /var/log/audit with secure options.
V-279590 MEDIUM Nutanix OS must mount /var/tmp with secure options.
V-279591 MEDIUM Nutanix OS must mount /var/log with secure options.
V-279592 MEDIUM Nutanix OS must have the fapolicyd.service installed and active.
V-279593 MEDIUM Nutanix OS must be configured to remove rsh-server.
V-279594 MEDIUM Nutanix OS must be configured to remove telnet-server.
V-279595 MEDIUM Nutanix OS must be configured to remove abrt.
V-279596 MEDIUM Nutanix OS must be configured to remove sendmail.
V-279597 MEDIUM Nutanix OS must be configured to prohibit or restrict using functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
V-279598 MEDIUM Nutanix OS must require users to reauthenticate for privilege escalation.
V-279599 MEDIUM Nutanix OS must require users to reauthenticate for privilege escalation.
V-279600 MEDIUM Nutanix OS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-279601 MEDIUM Nutanix OS must not install autofs.service.
V-279602 MEDIUM Nutanix OS must disable the ability to use USB mass storage devices.
V-279603 MEDIUM Nutanix VMM must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords.
V-279604 HIGH Nutanix OS must store only encrypted representations of passwords.
V-279605 MEDIUM Nutanix OS must enforce password complexity by requiring that at least one uppercase character be used.
V-279606 MEDIUM Nutanix OS must enforce password complexity by requiring that at least one lowercase character be used.
V-279607 MEDIUM Nutanix OS must enforce password complexity by requiring that at least one numeric character be used.
V-279608 MEDIUM Nutanix OS must require the change of at least 50 percent of the total number of characters when passwords are changed.
V-279609 MEDIUM Operating systems must enforce 24 hours/1 day as the minimum password lifetime.
V-279610 MEDIUM Operating systems must enforce a 60-day maximum password lifetime restriction.
V-279611 MEDIUM Nutanix OS must enforce a minimum 15-character password length.
V-279612 MEDIUM Nutanix OS must enforce password complexity by requiring that at least one special character be used.
V-279613 MEDIUM Nutanix OS must configure the pam_unix.so module to use SHA-512 for authentication to a cryptographic module.
V-279614 MEDIUM Nutanix OS must audit all activities performed during nonlocal maintenance and diagnostic sessions.
V-279619 HIGH Nutanix OS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-279620 HIGH Nutanix OS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-279621 HIGH Nutanix OS must protect the confidentiality and integrity of all information at rest.
V-279622 MEDIUM Nutanix OS must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
V-279623 MEDIUM Nutanix OS must isolate security functions from nonsecurity functions.
V-279624 MEDIUM Operating systems must prevent unauthorized and unintended information transfer via shared system resources.
V-279625 MEDIUM Nutanix OS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-279626 MEDIUM Nutanix OS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-279627 HIGH Nutanix OS must protect the confidentiality and integrity of communications with wireless peripherals.
V-279628 MEDIUM Nutanix OS must install and use SSH for remote access.
V-279629 MEDIUM Nutanix OS must restrict the message log access permissions to reveal error messages only to authorized users.
V-279630 MEDIUM Nutanix OS must restrict the /var/log directory access permissions to reveal error messages only to authorized users.
V-279631 MEDIUM Nutanix OS must implement nonexecutable data to protect its memory from unauthorized code execution.
V-279632 MEDIUM Nutanix OS must implement address space layout randomization to protect its memory from unauthorized code execution.
V-279633 MEDIUM Nutanix OS must remove all software components after updated versions have been installed.
V-279667 MEDIUM Nutanix AHV must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-279685 MEDIUM Nutanix AHV must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-279686 HIGH Nutanix AHV must store only encrypted representations of passwords.
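Several of the titles above pin down concrete values (V-279530: ClientAliveInterval 600 / ClientAliveCountMax 1; V-279547: SSH banner; V-279578/V-279579: no GSSAPI or Kerberos authentication; V-279609/V-279610/V-279611: 1-day minimum, 60-day maximum, 15-character minimum; V-279552/V-279556/V-279561: audit records for kernel-module syscalls). The script below is an added example, not DISA's check text and not a Nutanix or STIGhub tool: it audits constructed sample files for those values and returns the number of findings. The file names (sshd_config, login.defs, audit.rules), the auditctl rule form, and the use of PASS_MIN_LEN in login.defs as the minimum-length setting are assumptions for an Enterprise-Linux-derived host; including delete_module as the "unload" syscall is likewise this example's reading of the titles.

```shell
#!/bin/sh
# Added example (not DISA check text, not Nutanix tooling): offline audit of a
# few requirements from the check list, run on constructed sample files.
# Expected values come from the check titles; file names and the auditctl
# rule form are assumptions for an EL-derived host.

# First uncommented value of an sshd_config keyword. sshd keeps the first
# value it reads for a keyword, so a later duplicate does not override it;
# on a live host `sshd -T` prints the effective configuration.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Last value of a login.defs key (commented keys start with # and never match).
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# audit_has_syscall <rules-file> <syscall>: exit 0 if an uncommented rule
# names the syscall after -S, including comma-separated lists. A substring
# grep would wrongly accept "finit_module" as a match for "init_module".
audit_has_syscall() {
    awk -v sc="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i < NF; i++) if ($i == "-S") {
              n = split($(i + 1), list, ",")
              for (j = 1; j <= n; j++) if (list[j] == sc) { found = 1; exit }
          } }
        END { if (found) exit 0; exit 1 }' "$1"
}

# str_check <label> <got> <want>: case-insensitive compare, PASS/FAIL line.
str_check() {
    if [ "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "PASS $1 = $2"; return 0
    fi
    echo "FAIL $1 = '${2:-unset}' (want $3)"; return 1
}

# num_check <label> <got> <op> <bound>: numeric compare via test(1); an unset
# or non-numeric value is a failure, never a pass.
num_check() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ] 2>/dev/null; then
        echo "PASS $1 = $2"; return 0
    fi
    echo "FAIL $1 = '${2:-unset}' (want $3 $4)"; return 1
}

# stig_audit <dir>: check <dir>/sshd_config, login.defs and audit.rules;
# prints one line per check and returns the number of failures.
stig_audit() {
    sshd="$1/sshd_config"; defs="$1/login.defs"; rules="$1/audit.rules"; fails=0
    str_check ClientAliveInterval    "$(sshd_value "$sshd" ClientAliveInterval)"    600 || fails=$((fails + 1))
    str_check ClientAliveCountMax    "$(sshd_value "$sshd" ClientAliveCountMax)"    1   || fails=$((fails + 1))
    str_check GSSAPIAuthentication   "$(sshd_value "$sshd" GSSAPIAuthentication)"   no  || fails=$((fails + 1))
    str_check KerberosAuthentication "$(sshd_value "$sshd" KerberosAuthentication)" no  || fails=$((fails + 1))
    banner="$(sshd_value "$sshd" Banner)"
    if [ -n "$banner" ] && [ "$banner" != none ]; then echo "PASS Banner = $banner"
    else echo "FAIL Banner = '${banner:-unset}' (want a banner file)"; fails=$((fails + 1)); fi
    num_check PASS_MAX_DAYS "$(login_defs_value "$defs" PASS_MAX_DAYS)" -le 60 || fails=$((fails + 1))
    num_check PASS_MIN_DAYS "$(login_defs_value "$defs" PASS_MIN_DAYS)" -ge 1  || fails=$((fails + 1))
    num_check PASS_MIN_LEN  "$(login_defs_value "$defs" PASS_MIN_LEN)"  -ge 15 || fails=$((fails + 1))
    # delete_module is the unload syscall; init_module/finit_module load.
    for sc in init_module finit_module delete_module; do
        if audit_has_syscall "$rules" "$sc"; then echo "PASS audit rule for $sc"
        else echo "FAIL no audit rule for $sc"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# write_samples <dir> weak|hardened: constructed sample files for this example.
write_samples() {
    mkdir -p "$1"
    if [ "$2" = weak ]; then
        printf '%s\n' '# constructed: permissive defaults' 'ClientAliveInterval 0' \
            'ClientAliveCountMax 3' 'GSSAPIAuthentication yes' 'KerberosAuthentication yes' > "$1/sshd_config"
        printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'PASS_MIN_LEN 5' > "$1/login.defs"
        printf '%s\n' '-w /etc/passwd -p wa -k identity' > "$1/audit.rules"
    else
        printf '%s\n' '# constructed: values from the check titles' 'Banner /etc/issue' \
            'ClientAliveInterval 600' 'ClientAliveCountMax 1' '#GSSAPIAuthentication yes' \
            'GSSAPIAuthentication no' 'KerberosAuthentication no' > "$1/sshd_config"
        printf '%s\n' 'PASS_MAX_DAYS 60' 'PASS_MIN_DAYS 1' 'PASS_MIN_LEN 15' > "$1/login.defs"
        printf '%s\n' \
            '-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k modules' \
            '-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k modules' \
            > "$1/audit.rules"
    fi
}

# Run both constructed samples through the audit.
EX="${TMPDIR:-/tmp}/stig-example.$$"
write_samples "$EX/weak" weak
write_samples "$EX/hardened" hardened
echo "== weak sample =="; stig_audit "$EX/weak" || echo "-> $? finding(s)"
echo "== hardened sample =="; stig_audit "$EX/hardened" && echo "-> all checks pass"
```

To point it at a real host, call `stig_audit` on a directory holding copies of /etc/ssh/sshd_config, /etc/login.defs and the concatenated /etc/audit/rules.d/*.rules; the exit status is the finding count, which makes it easy to gate a pipeline on zero. Two caveats a reviewer would raise: sshd honours the first occurrence of a keyword and ignores settings inside a non-matching `Match` block, so `sshd -T` on the host is the authoritative source rather than a flat-file parse, and the STIG's own check procedures (not reproduced here) may test these requirements through different files or commands.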