11:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide"}],false,["$","$L1b",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","4"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Dec 16, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-xs text-gray-500","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"VMW_vSphere_7-0_vCA_Photon_OS_STIG","children":"VMW_vSphere_7-0_vCA_Photon_OS_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":113}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","vmware",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"vmware"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",1]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",110]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=VMware%20vSphere%207.0%20vCenter%20Appliance%20Photon%20OS%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=VMware%20vSphere%207.0%20vCenter%20Appliance%20Photon%20OS%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=VMware%20vSphere%207.0%20vCenter%20Appliance%20Photon%20OS%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y25M04_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-brand/10 text-brand hover:bg-brand/20 border-brand/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1c",null,{"checks":[{"id":"be8a70c3-950d-4ce8-bca3-7f4b38f238a9","vulnId":"V-256478","severity":"medium","ruleTitle":"The Photon operating system must audit all account creations.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep -E \"(useradd|groupadd)\"\n\nExpected result:\n\n-w /usr/sbin/useradd -p x -k useradd\n-w /usr/sbin/groupadd -p x -k groupadd\n\nIf either \"useradd\" or \"groupadd\" are not listed with a permissions filter of at least \"x\", this is a finding.\n\nNote: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd or update the following lines:\n\n-w /usr/sbin/useradd -p x -k useradd\n-w /usr/sbin/groupadd -p x -k groupadd\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"214e6380-4e8e-45aa-bfaa-7c8088c1dad0","vulnId":"V-256479","severity":"medium","ruleTitle":"The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128","checkContent":"At the command line, run the following commands:\n\n# grep pam_tally2 /etc/pam.d/system-auth\n\nExpected result:\n\nauth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300\n\n# grep pam_tally2 /etc/pam.d/system-account\n\nExpected result:\n\naccount required pam_tally2.so onerr=fail audit\n\nIf the output does not list the \"pam_tally2\" options as configured in the expected results, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-auth\n\nRemove any existing \"pam_tally2.so\" line and add the following line after the \"pam_unix.so\" statement:\n\nauth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300\n\nNavigate to and open:\n\n/etc/pam.d/system-account\n\nRemove any existing \"pam_tally2.so\" line and add the following line after the \"pam_unix.so\" statement:\n\naccount required pam_tally2.so onerr=fail audit\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"38f21f71-cd44-48af-9bf9-e6dbb3ae6643","vulnId":"V-256480","severity":"medium","ruleTitle":"The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting Secure Shell (SSH) access.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088","checkContent":"$1d","fixText":"$1e"},{"id":"59e329bc-a078-4298-a0fe-cd5cdb38b60f","vulnId":"V-256481","severity":"medium","ruleTitle":"The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service attacks.","checkContent":"At the command line, run the following command:\n\n# grep \"^[^#].*maxlogins.*\" /etc/security/limits.conf\n\nExpected result:\n\n* hard maxlogins 10\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The expected result may be repeated multiple times.","fixText":"At the command line, run the following command:\n\n# echo '* hard maxlogins 10' >> /etc/security/limits.conf"},{"id":"903a98b0-5546-44e1-9a96-3563a0016c6f","vulnId":"V-256482","severity":"medium","ruleTitle":"The Photon operating system must set a session inactivity timeout of 15 minutes or less.","description":"A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session prior to going idle, the Photon operating system must be able to identify when a session has idled and take action to terminate the session.\n\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000279-GPOS-00109, SRG-OS-000126-GPOS-00066","checkContent":"At the command line, run the following command:\n\n# cat /etc/profile.d/tmout.sh\n\nExpected result:\n\nTMOUT=900\nreadonly TMOUT \nexport TMOUT\nmesg n 2>/dev/null\n\nIf the file \"tmout.sh\" does not exist or the output does not look like the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/profile.d/tmout.sh\n\nSet its content to the following: \n\nTMOUT=900\nreadonly TMOUT \nexport TMOUT\nmesg n 2>/dev/null"},{"id":"ebccedcc-0944-43a8-8d9f-5bb3608e050e","vulnId":"V-256483","severity":"medium","ruleTitle":"The Photon operating system must have the sshd SyslogFacility set to \"authpriv\".","description":"Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i SyslogFacility\n\nExpected result:\n\nsyslogfacility AUTHPRIV\n\nIf there is no output or if the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"SyslogFacility\" line is uncommented and set to the following:\n\nSyslogFacility AUTHPRIV\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"31121332-7ee2-46c3-866d-32ea603080a8","vulnId":"V-256484","severity":"medium","ruleTitle":"The Photon operating system must have sshd authentication logging enabled.","description":"Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.\n\nShipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems.","checkContent":"At the command line, run the following command:\n\n# grep \"^authpriv\" /etc/rsyslog.conf\n\nExpected result should be similar to the following:\n\nauthpriv.* /var/log/auth.log\n\nIf \"authpriv\" is not configured to be logged, this is a finding.","fixText":"Navigate to and open:\n\n/etc/rsyslog.conf\n\nAdd the following line:\n\nauthpriv.* /var/log/auth.log\n\nNote: The path can be substituted for another suitable log destination.\n\nAt the command line, run the following command:\n\n# systemctl restart rsyslog.service"},{"id":"6208f4da-30a3-4ebb-a5e3-33aa756a2942","vulnId":"V-256485","severity":"medium","ruleTitle":"The Photon operating system must have the sshd LogLevel set to \"INFO\".","description":"Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.\n\nThe INFO LogLevel is required, at least, to ensure the capturing of failed login events.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i LogLevel\n\nExpected result:\n\nLogLevel INFO\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"LogLevel\" line is uncommented and set to the following:\n\nLogLevel INFO\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"68ac7822-e0b1-4a98-88b6-144127b2d1de","vulnId":"V-256486","severity":"low","ruleTitle":"The Photon operating system must configure sshd to use approved encryption algorithms.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nOpenSSH on the Photon operating system is compiled with a FIPS-validated cryptographic module. The \"FipsMode\" setting controls whether this module is initialized and used in FIPS 140-2 mode.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000393-GPOS-00173, SRG-OS-000396-GPOS-00176, SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i FipsMode\n\nExpected result:\n\nFipsMode yes\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"FipsMode\" line is uncommented and set to the following:\n\nFipsMode yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"853e1510-6d28-416c-890e-83c44ec2b57f","vulnId":"V-256487","severity":"medium","ruleTitle":"The Photon operating system must configure auditd to log to disk.","description":"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content must be shipped to a central location, but it must also be logged locally.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019","checkContent":"At the command line, run the following command:\n\n# grep \"^write_logs\" /etc/audit/auditd.conf\n\nExpected result:\n\nwrite_logs = yes\n\nIf there is no output, this is not a finding.\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the \"write_logs\" line is uncommented and set to the following:\n\nwrite_logs = yes\n\nAt the command line, run the following command:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"2757904f-8a20-4a6c-89ee-21750b86a90e","vulnId":"V-256488","severity":"medium","ruleTitle":"The Photon operating system must configure auditd to use the correct log format.","description":"To compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know exact, unfiltered details of the event in question.","checkContent":"At the command line, run the following command:\n\n# grep \"^log_format\" /etc/audit/auditd.conf\n\nExpected result:\n\nlog_format = RAW\n\nIf there is no output, this is not a finding.\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the \"log_format\" line is uncommented and set to the following:\n\nlog_format = RAW\n\nAt the command line, run the following command:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"27a45b82-0843-496d-8f07-e3a8700a20e6","vulnId":"V-256489","severity":"medium","ruleTitle":"The Photon operating system must be configured to audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing all actions by superusers is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep execve\n\nExpected result:\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"281e0fd7-a0cb-456d-b2e8-57cbac58a4d8","vulnId":"V-256490","severity":"medium","ruleTitle":"The Photon operating system must have the auditd service running.","description":"Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). They also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.\n\nSatisfies: SRG-OS-000042-GPOS-00021, SRG-OS-000062-GPOS-00031, SRG-OS-000255-GPOS-00096, SRG-OS-000363-GPOS-00150, SRG-OS-000365-GPOS-00152, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000461-GPOS-00205, SRG-OS-000467-GPOS-00211, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220","checkContent":"At the command line, run the following command:\n\n# systemctl status auditd\n\nIf the service is not running, this is a finding.","fixText":"At the command line, run the following commands:\n\n# systemctl enable auditd\n# systemctl start auditd"},{"id":"fd2c6692-e73f-41d6-b467-c822524f47d3","vulnId":"V-256491","severity":"medium","ruleTitle":"The Photon operating system audit log must log space limit problems to syslog.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135","checkContent":"At the command line, run the following command:\n\n# grep \"^space_left_action\" /etc/audit/auditd.conf\n\nExpected result:\n\nspace_left_action = SYSLOG\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the \"space_left_action\" line is uncommented and set to the following:\n\nspace_left_action = SYSLOG\n\nAt the command line, run the following commands:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"45566439-4391-4144-afb6-ade01d21ad44","vulnId":"V-256492","severity":"medium","ruleTitle":"The Photon operating system audit log must attempt to log audit failures to syslog.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.","checkContent":"At the command line, run the following command:\n\n# grep -E \"^disk_full_action|^disk_error_action|^admin_space_left_action\" /etc/audit/auditd.conf\n\nIf any of the above parameters are not set to \"SYSLOG\" or are missing, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the following lines are present, not duplicated, and not commented:\n\ndisk_full_action = SYSLOG\ndisk_error_action = SYSLOG\nadmin_space_left_action = SYSLOG\n\nAt the command line, run the following commands:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"c6848a43-aded-4eb5-8331-41a889253d38","vulnId":"V-256493","severity":"medium","ruleTitle":"The Photon operating system audit log must have correct permissions.","description":"Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nUnauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.","checkContent":"At the command line, run the following command:\n\n# (audit_log_file=$(grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//) && if [ -f \"${audit_log_file}\" ] ; then printf \"Log(s) found in \"${audit_log_file%/*}\":\\n\"; stat -c \"%n permissions are %a\" ${audit_log_file%}*; else printf \"audit log file(s) not found\\n\"; fi)\n\nIf the permissions on any audit log file are more permissive than \"0600\", this is a finding.","fixText":"At the command line, run the following command:\n\n# chmod 0600 \n\nReplace with the log files more permissive than 0600."},{"id":"dc1b12ef-ef25-4f42-96bd-3eeca5b4f20c","vulnId":"V-256494","severity":"medium","ruleTitle":"The Photon operating system audit log must be owned by root.","description":"Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nUnauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.","checkContent":"At the command line, run the following command:\n\n# (audit_log_file=$(grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//) && if [ -f \"${audit_log_file}\" ] ; then printf \"Log(s) found in \"${audit_log_file%/*}\":\\n\"; stat -c \"%n is owned by %U\" ${audit_log_file%}*; else printf \"audit log file(s) not found\\n\"; fi)\n\nIf any audit log file is not owned by root, this is a finding.","fixText":"At the command line, run the following command:\n\n# chown root:root \n\nReplace with the log files not owned by root."},{"id":"f03704d9-dd76-4052-a65d-c21dcb623027","vulnId":"V-256495","severity":"medium","ruleTitle":"The Photon operating system audit log must be group-owned by root.","description":"Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nUnauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.","checkContent":"At the command line, run the following command:\n\n# (audit_log_file=$(grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//) && if [ -f \"${audit_log_file}\" ] ; then printf \"Log(s) found in \"${audit_log_file%/*}\":\\n\"; stat -c \"%n is group owned by %G\" ${audit_log_file%}*; else printf \"audit log file(s) not found\\n\"; fi)\n\nIf any audit log file is not group owned by root, this is a finding.","fixText":"At the command line, run the following command:\n\n# chown root:root \n\nReplace with the log files not group owned by root."},{"id":"47f771f2-8636-4d68-b246-fe09d95d923d","vulnId":"V-256496","severity":"medium","ruleTitle":"The Photon operating system must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"At the command line, run the following command:\n\n# find /etc/audit/* -type f -exec stat -c \"%n permissions are %a\" {} $1\\;\n\nIf the permissions of any files are more permissive than \"640\", this is a finding.","fixText":"At the command line, run the following command:\n\n# chmod 640 \n\nReplace with any file with incorrect permissions."},{"id":"f77659fb-8831-48e4-95e6-b606537d07c0","vulnId":"V-256497","severity":"medium","ruleTitle":"The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.","description":"Audit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep chmod\n\nExpected result:\n\n-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod\n\n-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod\n\n-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The auid!= parameter may display as 4294967295 or -1, which are equivalent.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"$1f"},{"id":"0c19c8a5-c645-4dc8-ab0a-5635caf4b2a2","vulnId":"V-256498","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"ucredit=..\"\n\nExpected result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include ucredit= <= -1, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"25334ab7-5d1a-420c-960b-34139e55b1ee","vulnId":"V-256499","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"lcredit=..\"\n\nExpected result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include lcredit= <= -1, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"837bb208-d2cc-439f-b2e1-e9b85f255aa9","vulnId":"V-256500","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"dcredit=..\"\n\nExpected result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include dcredit= <= -1, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"c7e1a7c1-83d3-493f-b42d-b88480a00f2b","vulnId":"V-256501","severity":"medium","ruleTitle":"The Photon operating system must require that new passwords are at least four characters different from the old password.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"difok=.\"\n\nExpected result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include difok >= 4, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"72be2c5e-9c39-46e4-aa9c-9b945e35a254","vulnId":"V-256502","severity":"medium","ruleTitle":"The Photon operating system must store only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"At the command line, run the following command:\n\n# grep SHA512 /etc/login.defs|grep -v \"#\"\n\nExpected result:\n\nENCRYPT_METHOD SHA512\n\nIf there is no output or if the output does match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd or replace the ENCRYPT_METHOD line as follows:\n\nENCRYPT_METHOD SHA512"},{"id":"6e0d659e-3145-4a10-b6c1-079150dbad80","vulnId":"V-256503","severity":"medium","ruleTitle":"The Photon operating system must use an OpenSSH server version that does not support protocol 1.","description":"A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA privileged account is any information system account with authorizations of a privileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000395-GPOS-00175, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190","checkContent":"At the command line, run the following command:\n\n# rpm -qa|grep openssh\n\nIf there is no output or openssh is not >= version 7.4, this is a finding.","fixText":"Installing openssh manually is not supported by VMware for appliances. Revert to a previous backup or redeploy the appliance."},{"id":"c1c7d173-a5e4-4baf-ace6-cb11441d7312","vulnId":"V-256504","severity":"medium","ruleTitle":"The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"At the command line, run the following command:\n\n# grep \"^PASS_MIN_DAYS\" /etc/login.defs\n\nIf \"PASS_MIN_DAYS\" is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nModify the \"PASS_MIN_DAYS\" line to the following: \n\nPASS_MIN_DAYS 1"},{"id":"68b124b4-5beb-4bbf-971a-c5528ce2dc14","vulnId":"V-256505","severity":"medium","ruleTitle":"The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.","checkContent":"At the command line, run the following command:\n\n# grep \"^PASS_MAX_DAYS\" /etc/login.defs\n\nIf the value of \"PASS_MAX_DAYS\" is greater than \"90\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.def\n\nModify the \"PASS_MAX_DAYS\" line to the following: \n\nPASS_MAX_DAYS 90"},{"id":"c3f6d783-47af-4733-a77d-7ef437ad00e6","vulnId":"V-256506","severity":"medium","ruleTitle":"The Photon operating system must prohibit password reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed per policy requirements.","checkContent":"At the command line, run the following command:\n\n# grep pam_pwhistory /etc/pam.d/system-password|grep --color=always \"remember=.\"\n\nExpected result:\n\npassword requisite pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3\n\nIf the output does not include the \"remember=5\" setting as shown in the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following line after the \"password requisite pam_cracklib.so\" statement:\n\npassword requisite pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"2b043cd3-330f-403f-970d-b1b20cf9cd6a","vulnId":"V-256507","severity":"medium","ruleTitle":"The Photon operating system must enforce a minimum eight-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"minlen=..\"\n\nExample result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include minlen >= 8, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"9411cc34-2e5a-431d-89b1-1f9f2564dd67","vulnId":"V-256508","severity":"high","ruleTitle":"The Photon operating system must require authentication upon booting into single-user and maintenance modes.","description":"If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and can be configured to require a password to boot into single-user mode or make modifications to the boot menu.\n\nNote: Photon does not support building grub changes via grub2-mkconfig.","checkContent":"At the command line, run the following command:\n\n# grep -i ^password_pbkdf2 /boot/grub2/grub.cfg\n\nIf there is not output, this is a finding.\n\nIf the output does not begin with \"password_pbkdf2 root\", this is a finding.","fixText":"$20"},{"id":"52f600cb-09e1-4d94-9b20-edf0a6a652de","vulnId":"V-256509","severity":"medium","ruleTitle":"The Photon operating system must disable the loading of unnecessary kernel modules.","description":"To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product.\n\nSatisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059","checkContent":"At the command line, run the following command:\n\n# modprobe --showconfig | grep \"^install\" | grep \"/bin\"\n\nExpected result:\n\ninstall sctp /bin/false\ninstall dccp /bin/false\ninstall dccp_ipv4 /bin/false\ninstall dccp_ipv6 /bin/false\ninstall ipx /bin/false\ninstall appletalk /bin/false\ninstall decnet /bin/false\ninstall rds /bin/false\ninstall tipc /bin/false\ninstall bluetooth /bin/false\ninstall usb_storage /bin/false\ninstall ieee1394 /bin/false\ninstall cramfs /bin/false\ninstall freevxfs /bin/false\ninstall jffs2 /bin/false\ninstall hfs /bin/false\ninstall hfsplus /bin/false\ninstall squashfs /bin/false\ninstall udf /bin/false\n\nThe output may include other statements outside of the expected result.\n\nIf the output does not include at least every statement in the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/modprobe.d/modprobe.conf\n\nSet the contents as follows:\n\ninstall sctp /bin/false\ninstall dccp /bin/false\ninstall dccp_ipv4 /bin/false\ninstall dccp_ipv6 /bin/false\ninstall ipx /bin/false\ninstall appletalk /bin/false\ninstall decnet /bin/false\ninstall rds /bin/false\ninstall tipc /bin/false\ninstall bluetooth /bin/false\ninstall usb_storage /bin/false\ninstall ieee1394 /bin/false\ninstall cramfs /bin/false\ninstall freevxfs /bin/false\ninstall jffs2 /bin/false\ninstall hfs /bin/false\ninstall hfsplus /bin/false\ninstall squashfs /bin/false\ninstall udf /bin/false"},{"id":"b635f62b-72e7-4bc0-acea-d0d76876a5a7","vulnId":"V-256510","severity":"medium","ruleTitle":"The Photon operating system must not have duplicate User IDs (UIDs).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for nonrepudiation.","checkContent":"At the command line, run the following command:\n\n# awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf any lines are returned, this is a finding.","fixText":"Navigate to and open:\n\n/etc/passwd\n\nConfigure each user account that has a duplicate UID with a unique UID."},{"id":"cf559fb7-f67d-4dcc-844c-c1fc28d091b5","vulnId":"V-256511","severity":"medium","ruleTitle":"The Photon operating system must disable new accounts immediately upon password expiration.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nDisabling inactive accounts ensures accounts that may not have been responsibly removed are not available to attackers who may have compromised their credentials.","checkContent":"At the command line, run the following command:\n\n# grep INACTIVE /etc/default/useradd\n\nExpected result:\n\nINACTIVE=0\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/default/useradd\n\nRemove an existing \"INACTIVE\" line and add the following line:\n\nINACTIVE=0"},{"id":"b36e4dce-624d-44db-9b0a-adafcbbb7f82","vulnId":"V-256512","severity":"medium","ruleTitle":"The Photon operating system must use Transmission Control Protocol (TCP) syncookies.","description":"A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected and enables the system to continue servicing valid connection requests.\n\nSatisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000420-GPOS-00186","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern tcp_syncookies\n\nExpected result:\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# sed -i -e \"/^net.ipv4.tcp_syncookies/d\" /etc/sysctl.conf\n# echo net.ipv4.tcp_syncookies=1>>/etc/sysctl.conf\n# /sbin/sysctl --load"},{"id":"6ff56b4a-b6ba-43fe-9b3d-61816f24d6a0","vulnId":"V-256513","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on a console or console port that has been left unattended.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i ClientAliveInterval\n\nExpected result:\n\nClientAliveInterval 900\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"ClientAliveInterval\" line is uncommented and set to the following:\n\nClientAliveInterval 900\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"0cc1f58d-334e-4ce9-8f67-e21a36ab39d6","vulnId":"V-256514","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on a console or console port that has been left unattended.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i ClientAliveCountMax\n\nExpected result:\n\nClientAliveCountMax 0\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"ClientAliveCountMax\" line is uncommented and set to the following:\n\nClientAliveCountMax 0\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"db25608b-1982-42ed-830b-17a778fc719e","vulnId":"V-256515","severity":"medium","ruleTitle":"The Photon operating system \"/var/log\" directory must be owned by root.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n is owned by %U and group owned by %G\" /var/log \n\nIf the \"/var/log directory\" is not owned by root, this is a finding.","fixText":"At the command line, run the following command:\n\n# chown root:root /var/log"},{"id":"70058726-4701-4eb0-aaa7-cfa6e54f91bb","vulnId":"V-256516","severity":"medium","ruleTitle":"The Photon operating system messages file must have the correct ownership and file permissions.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n is owned by %U and group owned by %G with %a permissions\" /var/log/messages\n\nIf the \"/var/log/messages\" directory is not owned by root or not group owned by root, or the file permissions are more permission than \"640\", this is a finding.","fixText":"At the command line, run the following commands:\n\n# chown root:root /var/log/messages\n\n# chmod 0640 /var/log/messages"},{"id":"678ccb4c-0c1b-4484-98fc-8ed5f62f169b","vulnId":"V-256517","severity":"medium","ruleTitle":"The Photon operating system must audit all account modifications.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep -E \"(usermod|groupmod)\"\n\nExpected result:\n\n-w /usr/sbin/usermod -p x -k usermod\n-w /usr/sbin/groupmod -p x -k groupmod\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n\n-w /usr/sbin/usermod -p x -k usermod\n-w /usr/sbin/groupmod -p x -k groupmod\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"11de12c2-750e-45d6-b001-60ed07dd59ad","vulnId":"V-256518","severity":"medium","ruleTitle":"The Photon operating system must audit all account modifications.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.\n\nSatisfies: SRG-OS-000239-GPOS-00089, SRG-OS-000303-GPOS-00120","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep -E \"(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)\"\n\nExpected result:\n\n-w /etc/passwd -p wa -k passwd\n-w /etc/shadow -p wa -k shadow\n-w /etc/group -p wa -k group\n-w /etc/gshadow -p wa -k gshadow\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n\n-w /etc/passwd -p wa -k passwd\n-w /etc/shadow -p wa -k shadow\n-w /etc/group -p wa -k group\n-w /etc/gshadow -p wa -k gshadow\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"d28f16c2-42fa-4642-a04b-88696012830a","vulnId":"V-256519","severity":"medium","ruleTitle":"The Photon operating system must audit all account disabling actions.","description":"When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions.","checkContent":"At the command line, run the following command:\n \n # auditctl -l | grep \"w /usr/bin/passwd\" \n \n Expected result:\n \n -w /usr/bin/passwd -p x -k passwd\n \nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n \n-w /usr/bin/passwd -p x -k passwd\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"337bbc15-eb37-47ee-8e0f-fbf0a954839a","vulnId":"V-256520","severity":"medium","ruleTitle":"The Photon operating system must audit all account removal actions.","description":"When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or operating system processes. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions.","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep -E \"(userdel|groupdel)\"\n\nExpected result:\n\n-w /usr/sbin/userdel -p x -k userdel\n-w /usr/sbin/groupdel -p x -k groupdel\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n\n-w /usr/sbin/userdel -p x -k userdel\n-w /usr/sbin/groupdel -p x -k groupdel\n\nAt the command line, run the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"cda66a25-f1bb-41b0-b9db-b37eda1c8bc2","vulnId":"V-256521","severity":"medium","ruleTitle":"The Photon operating system must initiate auditing as part of the boot process.","description":"Each process on the system carries an \"auditable\" flag, which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes that launch after it starts, adding the kernel argument ensures the flag is set at boot for every process on the system. This includes processes created before auditd starts.","checkContent":"At the command line, run the following command:\n\n# grep \"audit=1\" /proc/cmdline\n\nIf no results are returned, this is a finding.","fixText":"Navigate to and open:\n\n/boot/grub2/grub.cfg\n\nLocate the boot command line arguments. An example follows:\n\nlinux /$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline\n\nAdd \"audit=1\" to the end of the line so it reads as follows:\n\nlinux /$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1\n\nNote: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append \"audit=1\" to it.\n\nReboot the system for the change to take effect."},{"id":"d2cb1254-cde5-4976-a7b0-39fc2fb011b4","vulnId":"V-256522","severity":"medium","ruleTitle":"The Photon operating system audit files and directories must have correct permissions.","description":"Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n is owned by %U and group owned by %G\" /etc/audit/auditd.conf\n\nIf \"auditd.conf\" is not owned by root and group owned by root, this is a finding.","fixText":"At the command line, run the following command:\n\n# chown root:root /etc/audit/auditd.conf"},{"id":"e8869c62-7f55-412c-b282-62c559c9b0ec","vulnId":"V-256523","severity":"medium","ruleTitle":"The Photon operating system must protect audit tools from unauthorized modification and deletion.","description":"Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.\n\nSatisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n is owned by %U and group owned by %G and permissions are %a\" /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace\n\nIf any file is not owned by root or group-owned by root or permissions are more permissive than \"750\", this is a finding.","fixText":"At the command line, run the following command for each file returned for user and group ownership:\n\n# chown root:root \n\nAt the command line, run the following command for each file returned for file permissions:\n\n# chmod 750 "},{"id":"6685bded-4f4b-45ab-914c-9f6ef1f2bf60","vulnId":"V-256524","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"ocredit=..\"\n\nExpected result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include ocredit= <= -1, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"8aaa9319-35bd-4d20-bad7-9068ceefc359","vulnId":"V-256525","severity":"medium","ruleTitle":"The Photon operating system package files must not be modified.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nWithout confidence in the integrity of the auditing system and tools, the information it provides cannot be trusted.","checkContent":"Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package.\n\nAt the command line, run the following command:\n\n# rpm -V audit | grep \"^..5\" | grep -v \"^...........c\"\n\nIf there is any output, this is a finding.","fixText":"If the audit system binaries have been altered, the system must be taken offline and the information system security manager (ISSM) notified immediately.\n\nReinstalling the audit tools is not supported. The appliance should be restored from a backup or redeployed once the root cause is remediated."},{"id":"8905f838-6b84-42f6-a118-32323376d95b","vulnId":"V-256526","severity":"medium","ruleTitle":"The Photon operating system must audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215","checkContent":"At the command line, run the following command to obtain a list of setuid files:\n\n# find / -xdev -path /var/lib/containerd -prune -o \$ -perm -4000 -type f -o -perm -2000 \$ -type f -print | sort\n\nRun the following command for each setuid file found in the first command:\n\n# auditctl -l | grep \n\nReplace with each path found in the first command.\n\nIf each does not have a corresponding line in the audit rules, this is a finding. \n\nA typical corresponding line will look like the following:\n\n-a always,exit -S all -F path= -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged\n\nNote: The auid!= parameter may display as 4294967295 or -1, which are equivalent.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"At the command line, run the following command to obtain a list of setuid files:\n\n# find / -xdev -perm -4000 -type f -o -perm -2000 -type f | sort\n\nExecute the following for each setuid file found in the first command that does not have a corresponding line in the audit rules:\n\nNavigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following line:\n\n-a always,exit -F path= -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n\nExecute the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"f4ffc815-a1fe-487a-8933-908af4287717","vulnId":"V-256527","severity":"medium","ruleTitle":"The Photon operating system must configure auditd to keep five rotated log files.","description":"Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep, and configuring auditd to not rotate the logs on its own. This ensures audit logs are accessible to the information system security officer (ISSO) in the event of a central log processing failure.","checkContent":"At the command line, run the following command:\n\n# grep \"^num_logs\" /etc/audit/auditd.conf\n\nExpected result:\n\nnum_logs = 5\n\nIf the output of the command does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nAdd or change the \"num_logs\" line as follows:\n\nnum_logs = 5\n\nAt the command line, run the following commands:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"46c11515-d1a4-4d88-8cb5-1d60e313fb7c","vulnId":"V-256528","severity":"medium","ruleTitle":"The Photon operating system must configure auditd to keep logging in the event max log file size is reached.","description":"Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep, and configuring auditd to not rotate the logs on its own. This ensures audit logs are accessible to the information system security officer (ISSO) in the event of a central log processing failure.\n\nIf another solution is not used to rotate auditd logs, auditd can be configured to rotate logs.","checkContent":"At the command line, run the following command:\n\n# grep \"^max_log_file_action\" /etc/audit/auditd.conf\n\nExample result:\n\nmax_log_file_action = IGNORE\n\nIf logs are rotated outside of auditd with a tool such as logrotated, and this setting is not set to \"IGNORE\", this is a finding.\n\nIf logs are NOT rotated outside of auditd, and this setting is not set to \"ROTATE\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nAdd or change the \"max_log_file_action\" line as follows:\n\nmax_log_file_action = IGNORE\n\nNote: This can also be set to \"ROTATE\" if another tool is not used to rotate auditd logs.\n\nAt the command line, run the following commands:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"f900fcb2-9972-47a8-82b4-f0d5d32d206b","vulnId":"V-256529","severity":"medium","ruleTitle":"The Photon operating system must configure auditd to log space limit problems to syslog.","description":"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.","checkContent":"At the command line, run the following command:\n\n# grep \"^space_left \" /etc/audit/auditd.conf\n\nExpected result:\n\nspace_left = 75\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the \"space_left\" line is uncommented and set to the following:\n\nspace_left = 75\n\nAt the command line, run the following commands:\n\n# killproc auditd -TERM\n# systemctl start auditd"},{"id":"0422f15b-010f-4b67-8a88-8a1da32369e6","vulnId":"V-256530","severity":"medium","ruleTitle":"The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.","description":"Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.","checkContent":"At the command line, run the following command:\n\n# grep -s nosignature /usr/lib/rpm/rpmrc /etc/rpmrc ~root/.rpmrc\n\nIf the command returns any output, this is a finding.","fixText":"Open the file containing \"nosignature\" with a text editor and remove the option."},{"id":"aecda68f-5005-4890-8ce3-d7117f787848","vulnId":"V-256531","severity":"medium","ruleTitle":"The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.","description":"Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Cryptographically verifying the authenticity of all software packages during installation ensures the software has not been tampered with and has been provided by a trusted vendor.","checkContent":"At the command line, run the following command:\n\n# grep \"^gpgcheck\" /etc/tdnf/tdnf.conf\n\nIf \"gpgcheck\" is not set to \"1\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/tdnf/tdnf.conf\n\nRemove any existing \"gpgcheck\" setting and add the following line:\n\ngpgcheck=1"},{"id":"ea25818d-e7fb-4bcc-83d8-0de0e55e438b","vulnId":"V-256532","severity":"medium","ruleTitle":"The Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.","description":"Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Cryptographically verifying the authenticity of all software packages during installation ensures the software has not been tampered with and has been provided by a trusted vendor.","checkContent":"At the command line, run the following command:\n\n# grep gpgcheck /etc/yum.repos.d/*\n\nIf \"gpgcheck\" is not set to \"1\" in any returned file, this is a finding.","fixText":"Open the file where \"gpgcheck\" is not set to \"1\" with a text editor.\n\nRemove any existing \"gpgcheck\" setting and add the following line at the end of the file:\n\ngpgcheck=1"},{"id":"50fde7fd-6be6-43f7-b3fd-d981e7f05191","vulnId":"V-256533","severity":"medium","ruleTitle":"The Photon operating system must require users to reauthenticate for privilege escalation.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\n\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158","checkContent":"At the command line, run the following commands:\n\n# grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -v \"^#\"|grep -v \"^%\"|awk '{print $1}'\n\n# awk -F: '($2 != \"x\" && $2 != \"!\") {print $1}' /etc/shadow\n\nIf any account listed in the first output is also listed in the second output and is not documented, this is a finding.","fixText":"Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# visudo\n\nOR\n\n# visudo -f /etc/sudoers.d/\n\nRemove any occurrences of \"NOPASSWD\" tags associated with user accounts with a password hash."},{"id":"62925786-e528-4745-b8e0-6ab033b62f00","vulnId":"V-256534","severity":"low","ruleTitle":"The Photon operating system must configure sshd to use FIPS 140-2 ciphers.","description":"$21","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i Ciphers\n\nExpected result:\n\nciphers aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-gcm@openssh.com,aes256-ctr\n\nIf the output matches the ciphers in the expected result or a subset thereof, this is not a finding.\n\nIf the ciphers in the output contain any ciphers not listed in the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"Ciphers\" line is uncommented and set to the following:\n\nCiphers aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-gcm@openssh.com,aes256-ctr\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"26b94ce9-0f13-4011-97cf-d2da10f6168f","vulnId":"V-256535","severity":"medium","ruleTitle":"The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.","description":"ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation.\n\nASLR also makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming (ROP) techniques.","checkContent":"At the command line, run the following command:\n\n# cat /proc/sys/kernel/randomize_va_space\n\nIf the value of \"randomize_va_space\" is not \"2\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/sysctl.d/50-security-hardening.conf\n\nEnsure the \"randomize_va_space\" is uncommented and set to the following:\n\nkernel.randomize_va_space=2\n\nAt the command line, run the following command:\n\n# sysctl --system"},{"id":"3055b808-c501-4704-95d0-0acd5ced76e8","vulnId":"V-256536","severity":"medium","ruleTitle":"The Photon operating system must remove all software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.","checkContent":"At the command line, run the following command:\n\n# grep -i \"^clean_requirements_on_remove\" /etc/tdnf/tdnf.conf\n\nExpected result:\n\nclean_requirements_on_remove=true\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/tdnf/tdnf.conf\n\nRemove any existing \"clean_requirements_on_remove\" line and ensure the following line is present:\n\nclean_requirements_on_remove=true"},{"id":"159ebaca-a90b-4578-999e-e931c790a535","vulnId":"V-256537","severity":"medium","ruleTitle":"The Photon operating system must generate audit records when the sudo command is used.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep sudo\n\nExpected result:\n\n-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The auid!= parameter may display as 4294967295 or -1, which are equivalent.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following line:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n\nExecute the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"b1877f7f-758e-4310-ba1c-8b80e88f86b3","vulnId":"V-256538","severity":"medium","ruleTitle":"The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep -E \"faillog|lastlog|tallylog\"\n\nExpected result:\n\n-w /var/log/faillog -p wa\n-w /var/log/lastlog -p wa\n-w /var/log/tallylog -p wa\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n\n-w /var/log/faillog -p wa\n-w /var/log/lastlog -p wa\n-w /var/log/tallylog -p wa\n\nExecute the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"51de30a1-8afe-47ac-afa4-0bb8e6fab6c8","vulnId":"V-256539","severity":"medium","ruleTitle":"The Photon operating system must audit the \"insmod\" module.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep \"/sbin/insmod\"\n\nExpected result:\n\n-w /sbin/insmod -p x\n\nIf the output does not match the expected result, this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following lines:\n\n-w /sbin/insmod -p x\n\nExecute the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"15ee4ce6-0036-4a10-8473-e87e27fa156f","vulnId":"V-256540","severity":"medium","ruleTitle":"The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"At the command line, run the following command:\n\n# auditctl -l | grep -E /etc/security/opasswd\n\nIf any of these are not listed with a permissions filter of at least \"w\", this is a finding.\n\nNote: This check depends on the auditd service to be in a running state for accurate results. The auditd service is enabled in control PHTN-30-000013.","fixText":"Navigate to and open:\n\n/etc/audit/rules.d/audit.STIG.rules\n\nAdd the following line:\n\n-w /etc/security/opasswd -p wa -k opasswd\n\nExecute the following command to load the new audit rules:\n\n# /sbin/augenrules --load\n\nNote: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.\n\nNote: An older \"audit.STIG.rules\" may exist if the file exists and references older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one."},{"id":"757ff0e5-a088-4911-9f6a-0cc66cbf4474","vulnId":"V-256541","severity":"medium","ruleTitle":"The Photon operating system must use the \"pam_cracklib\" module.","description":"If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password\n\nIf the output does not return at least \"password requisite pam_cracklib.so\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"08a89481-7bbf-4943-aac0-3aece5c76cdc","vulnId":"V-256542","severity":"medium","ruleTitle":"The Photon operating system must set the \"FAIL_DELAY\" parameter.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"At the command line, run the following command:\n\n# grep FAIL_DELAY /etc/login.defs \n\nExpected result:\n\nFAIL_DELAY 4\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nAdd the following line after the last auth statement:\n\nFAIL_DELAY 4"},{"id":"942cd66d-e25d-4ee9-afcb-870227e55eee","vulnId":"V-256543","severity":"medium","ruleTitle":"The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"At the command line, run the following command:\n\n# grep pam_faildelay /etc/pam.d/system-auth|grep --color=always \"delay=\"\n\nExpected result:\n\nauth optional pam_faildelay.so delay=4000000\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-auth\n\nRemove any existing \"pam_faildelay\" line and add the following line at the end of the file:\n\nauth optional pam_faildelay.so delay=4000000\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"aad25796-5539-4aaf-88a7-dc17a39d1d02","vulnId":"V-256544","severity":"medium","ruleTitle":"The Photon operating system must ensure audit events are flushed to disk at proper intervals.","description":"Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system may suffer or the risk of missing audit entries may be too high.","checkContent":"At the command line, run the following command:\n\n# grep -E \"freq|flush\" /etc/audit/auditd.conf\n\nExpected result:\n\nflush = INCREMENTAL_ASYNC\nfreq = 50\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/audit/auditd.conf\n\nEnsure the following line is present and any existing \"flush\" and \"freq\" settings are removed:\n\nflush = INCREMENTAL_ASYNC\nfreq = 50"},{"id":"cd3a551e-5486-4650-8b91-0b9328b80a0a","vulnId":"V-256545","severity":"medium","ruleTitle":"The Photon operating system must create a home directory for all new local interactive user accounts.","description":"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.","checkContent":"At the command line, run the following command:\n\n# grep -i \"^create_home\" /etc/login.defs\n\nIf there is no output or the output does not equal \"CREATE_HOME yes\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nEnsure the following is present and any existing \"CREATE_HOME\" line is removed:\n\nCREATE_HOME yes"},{"id":"f44a0bc8-8e60-49c3-8097-00b68e54a081","vulnId":"V-256546","severity":"medium","ruleTitle":"The Photon operating system must disable the debug-shell service.","description":"The debug-shell service is intended to diagnose systemd-related boot issues with various \"systemctl\" commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.","checkContent":"At the command line, run the following command:\n\n# systemctl status debug-shell.service|grep -E --color=always disabled\n\nIf the debug-shell service is not disabled, this is a finding.","fixText":"At the command line, run the following commands:\n\n# systemctl stop debug-shell.service\n# systemctl disable debug-shell.service\n\nReboot for changes to take effect."},{"id":"a765581f-a80b-4d21-939c-e504f7638dc4","vulnId":"V-256547","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.","description":"GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SSH) exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i GSSAPIAuthentication\n\nExpected result:\n\nGSSAPIAuthentication no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"GSSAPIAuthentication\" line is uncommented and set to the following:\n\nGSSAPIAuthentication no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"4a8cf8e1-775c-436c-b0ea-e077d4bb893a","vulnId":"V-256548","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disable environment processing.","description":"Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.","checkContent":"At the command line, run the following command:\n\n#sshd -T|&grep -i PermitUserEnvironment\n\nExpected result:\n\nPermitUserEnvironment no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"PermitUserEnvironment\" line is uncommented and set to the following:\n\nPermitUserEnvironment no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"bc2dcd9d-7f20-40d3-a868-c589fb91e975","vulnId":"V-256549","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disable X11 forwarding.","description":"X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i X11Forwarding\n\nExpected result:\n\nX11Forwarding no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"X11Forwarding\" line is uncommented and set to the following:\n\nX11Forwarding no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"6fa239a0-3d4b-4ad2-960b-2e1dc9ec319e","vulnId":"V-256550","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.","description":"If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the system as another user.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i StrictModes\n\nExpected result:\n\nStrictModes yes\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"StrictModes\" line is uncommented and set to the following:\n\nStrictModes yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"14223b96-f0ad-4a70-b99f-ba2e5f6357d0","vulnId":"V-256551","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disallow Kerberos authentication.","description":"If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i KerberosAuthentication\n\nExpected result:\n\nKerberosAuthentication no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"KerberosAuthentication\" line is uncommented and set to the following:\n\nKerberosAuthentication no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"30ff37af-a624-4972-ad5f-21380330d628","vulnId":"V-256552","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disallow authentication with an empty password.","description":"Blank passwords are one of the first things an attacker checks for when probing a system. Even is the user somehow has a blank password on the operating system, sshd must not allow that user to log in.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i PermitEmptyPasswords\n\nExpected result:\n\nPermitEmptyPasswords no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"PermitEmptyPasswords\" line is uncommented and set to the following:\n\nPermitEmptyPasswords no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"bf84506f-8527-426c-a67c-2e1fcc125b1c","vulnId":"V-256553","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disallow compression of the encrypted session stream.","description":"If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i Compression\n\nExpected result:\n\nCompression no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"Compression\" line is uncommented and set to the following:\n\nCompression no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"00a4c4a0-d68c-40d9-8361-81d1cbcee80f","vulnId":"V-256554","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to display the last login immediately after authentication.","description":"Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporting of unauthorized account use.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i PrintLastLog\n\nExpected result:\n\nPrintLastLog yes\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"PrintLastLog\" line is uncommented and set to the following:\n\nPrintLastLog yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"5f3326b6-7737-4528-bbf1-ffbc8c66aab3","vulnId":"V-256555","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.","description":"Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i IgnoreRhosts\n\nExpected result:\n\nIgnoreRhosts yes\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"IgnoreRhosts\" line is uncommented and set to the following:\n\nIgnoreRhosts yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"75eb0951-0cfc-4604-8798-be0ed565806b","vulnId":"V-256556","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to ignore user-specific \"known_host\" files.","description":"Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines that must also be ignored while disabling host-based authentication generally.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i IgnoreUserKnownHosts\n\nExpected result:\n\nIgnoreUserKnownHosts yes\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"IgnoreUserKnownHosts\" line is uncommented and set to the following:\n\nIgnoreUserKnownHosts yes\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"531cc61f-ee58-42b0-a59e-6101f5904eda","vulnId":"V-256557","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.","description":"By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i MaxAuthTries\n\nExpected result:\n\nMaxAuthTries 6\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"MaxAuthTries\" line is uncommented and set to the following:\n\nMaxAuthTries 6\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"206680d5-4896-4d30-a601-a9bd6dd23638","vulnId":"V-256558","severity":"medium","ruleTitle":"The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.","description":"When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed operating system environment, this can create the risk of short-term loss of systems availability due to unintentional reboot.","checkContent":"At the command line, run the following command:\n\n# systemctl status ctrl-alt-del.target\n\nExpected result:\n\nctrl-alt-del.target\nLoaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\" is not \"inactive\" and \"masked\", this is a finding.","fixText":"At the command line, run the following command:\n\n# systemctl mask ctrl-alt-del.target"},{"id":"cf314c06-9c78-488a-a34b-7d5381d64d87","vulnId":"V-256559","severity":"medium","ruleTitle":"The Photon operating system must be configured so the \"/etc/skel\" default scripts are protected from unauthorized modification.","description":"If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/skel/.[^.]*\n\nExpected result:\n\n/etc/skel/.bash_logout permissions are 750 and owned by root:root\n/etc/skel/.bash_profile permissions are 644 and owned by root:root\n/etc/skel/.bashrc permissions are 750 and owned by root:root\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chmod 750 /etc/skel/.bash_logout\n# chmod 644 /etc/skel/.bash_profile\n# chmod 750 /etc/skel/.bashrc\n# chown root:root /etc/skel/.bash_logout\n# chown root:root /etc/skel/.bash_profile\n# chown root:root /etc/skel/.bashrc"},{"id":"b5723483-5cb6-4eda-bf6a-78f24abd6932","vulnId":"V-256560","severity":"medium","ruleTitle":"The Photon operating system must be configured so the \"/root\" path is protected from unauthorized access.","description":"If the \"/root\" path is accessible to users other than root, unauthorized users could change the root partitions files.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /root\n\nExpected result:\n\n/root permissions are 700 and owned by root:root\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chmod 700 /root\n# chown root:root /root"},{"id":"15df0014-5784-4847-aeb9-2dab1819b6ad","vulnId":"V-256561","severity":"medium","ruleTitle":"The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.","description":"Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon login.","checkContent":"At the command line, run the following command:\n\n# find /etc/bash.bashrc /etc/profile /etc/profile.d/ -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \\;\n\nIf any files are returned, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod o-w \n# chown root:root "},{"id":"5914aa08-f743-4b65-b8da-bdf698451e31","vulnId":"V-256562","severity":"medium","ruleTitle":"The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.","description":"If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.","checkContent":"At the command line, run the following command:\n\n# find /etc/rc.d/* -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \\;\n\nIf any files are returned, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod o-w \n# chown root:root "},{"id":"5209587b-3352-4565-9a50-7887b5bdca93","vulnId":"V-256563","severity":"medium","ruleTitle":"The Photon operating system must be configured so that all files have a valid owner and group owner.","description":"If files do not have valid user and group owners, unintended access to files could occur.","checkContent":"At the command line, run the following command:\n\n# find / -fstype ext4 -nouser -o -nogroup -exec ls -ld {} \\; 2>/dev/null\n\nIf any files are returned, this is a finding.","fixText":"At the command line, run the following command for each returned file:\n\n# chown root:root "},{"id":"5bf5aeaa-2376-4677-b39b-b96bb675d014","vulnId":"V-256564","severity":"medium","ruleTitle":"The Photon operating system must be configured so the \"/etc/cron.allow\" file is protected from unauthorized modification.","description":"If cron files and folders are accessible to unauthorized users, malicious jobs may be created.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/cron.allow\n\nExpected result:\n\n/etc/cron.allow permissions are 600 and owned by root:root\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chmod 600 /etc/cron.allow\n# chown root:root /etc/cron.allow"},{"id":"da3a8e69-59da-466c-bea7-646004d7c806","vulnId":"V-256565","severity":"medium","ruleTitle":"The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.","description":"If cron files and folders are accessible to unauthorized users, malicious jobs may be created.","checkContent":"At the command line, run the following command:\n\n# find /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.monthly/ /etc/cron.weekly/ -xdev -type f -a '(' -perm -022 -o -not -user root ')' -exec ls -ld {} \\;\n\nIf any files are returned, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 644 \n# chown root "},{"id":"494c300a-cdda-47f7-8822-91892ea23f70","vulnId":"V-256566","severity":"medium","ruleTitle":"The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.","description":"If cron files and folders are accessible to unauthorized users, malicious jobs may be created.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly\n\nExpected result:\n\n/etc/cron.d permissions are 755 and owned by root:root\n/etc/cron.daily permissions are 755 and owned by root:root\n/etc/cron.hourly permissions are 755 and owned by root:root\n/etc/cron.monthly permissions are 755 and owned by root:root\n/etc/cron.weekly permissions are 755 and owned by root:root\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 755 \n# chown root:root "},{"id":"4bb49c33-d470-4e78-859b-ad34150defa7","vulnId":"V-256567","severity":"medium","ruleTitle":"The Photon operating system must not forward IPv4 or IPv6 source-routed packets.","description":"Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to record the hops as the route is traversed.\n\nThe list of hops taken, the \"route record\", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes and should therefore be disabled.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv[4|6].conf.(all|default|eth.*).accept_source_route\"\n\nExpected result:\n\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.eth0.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\nnet.ipv6.conf.eth0.accept_source_route = 0\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"0\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv[4|6].conf.(all|default|eth.*).accept_source_route\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"439cd483-aa4e-4ea5-8876-11c2a68d7dd4","vulnId":"V-256568","severity":"medium","ruleTitle":"The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.","description":"Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern ignore_broadcasts\n\nExpected result:\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# sed -i -e \"/^net.ipv4.icmp_echo_ignore_broadcasts/d\" /etc/sysctl.conf\n# echo net.ipv4.icmp_echo_ignore_broadcasts=1>>/etc/sysctl.conf\n# /sbin/sysctl --load"},{"id":"b995b682-5aca-4199-9933-c892bea65b6b","vulnId":"V-256569","severity":"medium","ruleTitle":"The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default|eth.*).accept_redirects\"\n\nExpected result:\n\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.eth0.accept_redirects = 0\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"0\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv4.conf.(all|default|eth.*).accept_redirects\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"c1b1d21d-fb3a-48da-9391-9b0f1ac0b79c","vulnId":"V-256570","severity":"medium","ruleTitle":"The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default|eth.*).secure_redirects\"\n\nExpected result:\n\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.eth0.secure_redirects = 0\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"0\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv4.conf.(all|default|eth.*).secure_redirects\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"5edb48e1-4eb6-41d7-8d94-10174c258872","vulnId":"V-256571","severity":"medium","ruleTitle":"The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default|eth.*).send_redirects\"\n\nExpected result:\n\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.eth0.send_redirects = 0\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"0\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv4.conf.(all|default|eth.*).send_redirects\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"1fe0d567-1b09-44da-9a08-c9fef685eecf","vulnId":"V-256572","severity":"medium","ruleTitle":"The Photon operating system must log IPv4 packets with impossible addresses.","description":"The presence of \"martian\" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default|eth.*).log_martians\"\n\nExpected result:\n\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.eth0.log_martians = 1\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"1\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv4.conf.(all|default|eth.*).log_martians\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=1>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"01e28638-b581-47c4-b7e0-a6aecf791135","vulnId":"V-256573","severity":"medium","ruleTitle":"The Photon operating system must use a reverse-path filter for IPv4 network traffic.","description":"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default|eth.*)\\.rp_filter\"\n\nExpected result:\n\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.eth0.rp_filter = 1\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"1\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv4.conf.(all|default|eth.*)\\.rp_filter\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=1>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"112f49c6-336a-46da-88f3-51db860e4eca","vulnId":"V-256574","severity":"medium","ruleTitle":"The Photon operating system must not perform multicast packet forwarding.","description":"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv[4|6].conf.(all|default|eth.*).mc_forwarding\"\n\nExpected result:\n\nnet.ipv4.conf.all.mc_forwarding = 0\nnet.ipv4.conf.default.mc_forwarding = 0\nnet.ipv4.conf.eth0.mc_forwarding = 0\nnet.ipv6.conf.all.mc_forwarding = 0\nnet.ipv6.conf.default.mc_forwarding = 0\nnet.ipv6.conf.eth0.mc_forwarding = 0\n\nIf the output does not match the expected result, this is a finding.\n\nNote: The number of \"ethx\" lines returned is dependent on the number of interfaces. Every \"ethx\" entry must be set to \"0\".","fixText":"At the command line, run the following command:\n\n# for SETTING in $(/sbin/sysctl -aN --pattern \"net.ipv[4|6].conf.(all|default|eth.*).mc_forwarding\"); do sed -i -e \"/^${SETTING}/d\" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done\n# /sbin/sysctl --load"},{"id":"ece854e7-b566-4786-b414-36868111b6b8","vulnId":"V-256575","severity":"medium","ruleTitle":"The Photon operating system must not perform IPv4 packet forwarding.","description":"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.ip_forward$\"\n\nExpected result:\n\nnet.ipv4.ip_forward = 0\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# sed -i -e \"/^net.ipv4.ip_forward/d\" /etc/sysctl.conf\n# echo net.ipv4.ip_forward=0>>/etc/sysctl.conf\n# /sbin/sysctl --load"},{"id":"3c081fef-143d-4bf2-bf84-b809b6a5734f","vulnId":"V-256576","severity":"medium","ruleTitle":"The Photon operating system must send Transmission Control Protocol (TCP) timestamps.","description":"TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can help a bad actor in determining likely patch levels for vulnerabilities.","checkContent":"At the command line, run the following command:\n\n# /sbin/sysctl -a --pattern \"net.ipv4.tcp_timestamps$\"\n\nExpected result:\n\nnet.ipv4.tcp_timestamps = 1\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# sed -i -e \"/^net.ipv4.tcp_timestamps/d\" /etc/sysctl.conf\n# echo net.ipv4.tcp_timestamps=1>>/etc/sysctl.conf\n# /sbin/sysctl --load"},{"id":"68492082-d559-4b3e-ac3c-0cac2c564776","vulnId":"V-256577","severity":"medium","ruleTitle":"The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.","description":"If a public host key file is modified by an unauthorized user, the SSH service may be compromised.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/*key.pub\n\nExpected result:\n\n/etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root\n/etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root\n/etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 644 \n# chown root:root "},{"id":"4a5e95b1-aba1-43b5-b762-b2da92feee9e","vulnId":"V-256578","severity":"medium","ruleTitle":"The Photon operating system must be configured to protect the Secure Shell ( SSH) private host key from unauthorized access.","description":"If an unauthorized user obtains the private SSH host key file, the host could be impersonated.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/*key\n\nExpected result:\n\n/etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root\n/etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root\n/etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root\n/etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root\n\nIf any key file listed is not owned by root or not group owned by root or does not have permissions of \"0600\", this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 600 \n# chown root:root "},{"id":"f57e83dd-ac74-41c6-b3f5-7094e3b39469","vulnId":"V-256579","severity":"medium","ruleTitle":"The Photon operating system must enforce password complexity on the root account.","description":"Password complexity rules must apply to all accounts on the system, including root. Without specifying the \"enforce_for_root flag\", \"pam_cracklib\" does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.","checkContent":"At the command line, run the following command:\n\n# grep pam_cracklib /etc/pam.d/system-password|grep --color=always \"enforce_for_root\"\n\nExpected result:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nIf the output does not include \"enforce_for_root\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the following, replacing any existing \"pam_cracklib.so\" line:\n\npassword requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"5e6d146f-4813-4b6d-bfa6-eee727e29ad1","vulnId":"V-256580","severity":"medium","ruleTitle":"The Photon operating system must protect all boot configuration files from unauthorized modification.","description":"Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or malicious configurations can negatively affect system security and availability.","checkContent":"At the command line, run the following command:\n\n# find /boot/*.cfg -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \\;\n\nIf any files are returned, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 644 \n# chown root:root "},{"id":"6a5ef22a-292b-476a-8348-415c47ce957d","vulnId":"V-256581","severity":"medium","ruleTitle":"The Photon operating system must protect sshd configuration from unauthorized access.","description":"The \"sshd_config\" file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow unauthorized access to the system, insecure communication, limited forensic trail, etc.","checkContent":"At the command line, run the following command:\n\n# stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/sshd_config\n\nExpected result:\n\n/etc/ssh/sshd_config permissions are 600 and owned by root:root\n\nIf the output does not match the expected result, this is a finding.","fixText":"At the command line, run the following commands:\n\n# chmod 600 /etc/ssh/sshd_config\n# chown root:root /etc/ssh/sshd_config"},{"id":"7b675302-60a3-42ad-a076-091e49e36493","vulnId":"V-256582","severity":"medium","ruleTitle":"The Photon operating system must protect all \"sysctl\" configuration files from unauthorized access.","description":"The \"sysctl\" configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuration of these parameters can have a negative effect on system security.","checkContent":"At the command line, run the following command:\n\n# find /etc/sysctl.conf /etc/sysctl.d/* -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \\;\n\nIf any files are returned, this is a finding.","fixText":"At the command line, run the following commands for each returned file:\n\n# chmod 600 \n# chown root:root "},{"id":"91e8cc05-08c9-4db2-a232-d8e6807592e5","vulnId":"V-256583","severity":"medium","ruleTitle":"The Photon operating system must set the \"umask\" parameter correctly.","description":"The \"umask\" value influences the permissions assigned to files when they are created. The \"umask\" setting in \"login.defs\" controls the permissions for a new user's home directory. By setting the proper \"umask\", home directories will only allow the new user to read and write files there.","checkContent":"At the command line, run the following command:\n\n# grep ^UMASK /etc/login.defs\n\nExample result:\n\nUMASK 077\n\nIf \"UMASK\" is not configured to \"077\", this a finding.\n\nNote: \"UMASK\" should only be specified once in login.defs.","fixText":"Navigate to and open:\n\n/etc/login.defs\n\nEnsure the \"UMASK\" line is uncommented and set to the following:\n\nUMASK 077"},{"id":"9a95b276-20cd-4c5b-90d5-82c6a30891ba","vulnId":"V-256584","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to disallow HostbasedAuthentication.","description":"Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i HostbasedAuthentication\n\nExpected result:\n\nhostbasedauthentication no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"HostbasedAuthentication\" line is uncommented and set to the following:\n\nHostbasedAuthentication no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"c4907f6c-988c-401e-b595-213e56202b05","vulnId":"V-256585","severity":"medium","ruleTitle":"The Photon operating system must store only encrypted representations of passwords.","description":"Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted with a weak cipher, those passwords are much more vulnerable to offline brute-force attacks.","checkContent":"At the command line, run the following command:\n\n# grep password /etc/pam.d/system-password|grep --color=always \"sha512\"\n\nIf the output does not include \"sha512\", this is a finding.","fixText":"Navigate to and open:\n\n/etc/pam.d/system-password\n\nAdd the argument \"sha512\" to the \"password\" line:\n\npassword required pam_unix.so sha512 shadow try_first_pass\n\nNote: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot."},{"id":"6c20c887-315f-4369-a85b-eeec090c7f26","vulnId":"V-256586","severity":"medium","ruleTitle":"The Photon operating system must ensure the old passwords are being stored.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed per policy requirements.","checkContent":"At the command line, run the following command:\n\n# ls -al /etc/security/opasswd\n\nIf \"/etc/security/opasswd\" does not exist, this is a finding.","fixText":"At the command line, run the following commands:\n\n# touch /etc/security/opasswd\n# chown root:root /etc/security/opasswd\n# chmod 0600 /etc/security/opasswd"},{"id":"e352d66a-2230-4198-9529-c70428dc8176","vulnId":"V-256587","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to restrict AllowTcpForwarding.","description":"While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on single-purpose appliances.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i AllowTcpForwarding\n\nExpected result:\n\nallowtcpforwarding no\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"AllowTcpForwarding\" line is uncommented and set to the following:\n\nAllowTcpForwarding no\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"655e2c23-0113-4c70-88ed-6d230beee2e3","vulnId":"V-256588","severity":"medium","ruleTitle":"The Photon operating system must configure sshd to restrict LoginGraceTime.","description":"By default, sshd unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login would need such an amount of time to complete a login. Quickly terminating idle or incomplete login attempts will free resources and reduce the exposure any partial logon attempts may create.","checkContent":"At the command line, run the following command:\n\n# sshd -T|&grep -i LoginGraceTime\n\nExpected result:\n\nlogingracetime 30\n\nIf the output does not match the expected result, this is a finding.","fixText":"Navigate to and open:\n\n/etc/ssh/sshd_config\n\nEnsure the \"LoginGraceTime\" line is uncommented and set to the following:\n\nLoginGraceTime 30\n\nAt the command line, run the following command:\n\n# systemctl restart sshd.service"},{"id":"be570db7-1da9-4bae-aaeb-2348c6d57d21","vulnId":"V-256589","severity":"medium","ruleTitle":"The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government because this provides assurance they have been tested and validated.","checkContent":"At the command line, run the following command:\n\n# cat /proc/sys/crypto/fips_enabled\n\nIf a value of \"1\" is not returned, this is a finding.","fixText":"Navigate to and open:\n\n/boot/grub2/grub.cfg\n\nLocate the kernel command line, which will start with \"linux\", and add \"fips=1\" to the end. For example:\n\nlinux /$photon_linux audit=1 root=$rootpartition $photon_cmdline coredump_filter=0x37 consoleblank=0 $systemd_cmdline fips=1\n\nReboot the system for the change to take effect.\n\nNote: The \"fipsify\" package must be installed for FIPS mode to work properly."},{"id":"720c428b-01f1-469e-98fc-111d12def7ec","vulnId":"V-256590","severity":"medium","ruleTitle":"The Photon operating system must disable systemd fallback Domain Name System (DNS).","description":"Systemd contains an ability to set fallback DNS servers. This is used for DNS lookups in the event no system-level DNS servers are configured or other DNS servers are specified in the systemd \"resolved.conf\" file. If uncommented, this configuration contains Google DNS servers by default and could result in DNS leaking information unknowingly in the event DNS is absent or misconfigured at the system level.","checkContent":"At the command line, run the following command:\n\n# resolvectl status | grep 'Fallback DNS'\n\nIf the output indicates that fallback DNS servers are configured, this is a finding.","fixText":"Navigate to and open:\n\n/etc/systemd/resolved.conf\n\nAdd or update the \"FallbackDNS\" entry to the following:\n\nFallbackDNS=\n\nRestart the systemd resolved service by running the following command:\n\n# systemctl restart systemd-resolved\n\nNote: If this option is not given, a compiled-in list of DNS servers is used instead, which is undesirable."}]}]]}]

VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

Checks (113)