VMware vSphere 6.7 Photon OS STIG
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide. Version v1 r3, released April 27, 2022.
PHTN-67-000009: The Photon operating system must configure sshd to use approved encryption algorithms.
At the command line, execute the following command:
# sshd -T|&grep -i FipsMode
Expected result:
fipsmode yes
If the output does not match the expected result, this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH on the Photon operating system is compiled with a FIPS-validated cryptographic module. The "FipsMode" setting controls whether this module is initialized and used in FIPS 140-2 mode. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "FipsMode" line is uncommented and set to the following:
FipsMode yes
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
PHTN-67-000007: The Photon operating system must have sshd authentication logging enabled.
At the command line, execute the following command:
# grep "^authpriv" /etc/rsyslog.conf
Expected result:
authpriv.* /var/log/audit/sshinfo.log
If the command does not return any output, this is a finding.
Discussion
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. Shipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems.
Fix
Open /etc/rsyslog.conf with a text editor and locate the following line:
$IncludeConfig /etc/vmware-syslog/syslog.conf
Ensure that the following entry is put beneath the stated line and before the "# vmware services" line:
authpriv.* /var/log/audit/sshinfo.log
If the following line is at the end of the file, it must be removed or commented out:
auth.* /var/log/auth.log
At the command line, execute the following commands:
# systemctl restart syslog
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000092: The Photon operating system must configure sshd to ignore user-specific trusted hosts lists.
At the command line, execute the following command:
# sshd -T|&grep -i IgnoreRhosts
Expected result:
IgnoreRhosts yes
If the output does not match the expected result, this is a finding.
Discussion
SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "IgnoreRhosts" line is uncommented and set to the following:
IgnoreRhosts yes
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000003: The Photon operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting SSH access.
At the command line, execute the following command:
# sshd -T|&grep -i Banner
Expected result:
banner /etc/issue
If the output does not match the expected result, this is a finding.
Open /etc/issue with a text editor. If the file does not contain the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
Discussion
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
Fix
At the command line, execute the following command:
# cp /etc/issue.DoD /etc/issue
Open /etc/ssh/sshd_config with a text editor and ensure that the "Banner" line is uncommented and set to the following:
Banner /etc/issue
Open /etc/issue with a text editor. Ensure that the file contains the Standard Mandatory DoD Notice and Consent Banner:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000034: The Photon operating system must not have Duplicate User IDs (UIDs).
At the command line, execute the following command:
# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
If any lines are returned, this is a finding.
Discussion
To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for non-repudiation.
Fix
Open /etc/passwd with a text editor. Configure each user account that has a duplicate UID with a unique UID.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000066: The Photon operating system must prohibit the use of cached authenticators after one day.
At the command line, execute the following command:
# /opt/likewise/bin/lwregshell list_values "HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory"|grep "CacheEntryExpiry"
If the value returned is not 14400 or less, this is a finding.
Discussion
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Fix
At the command line, execute the following command:
# /opt/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]" CacheEntryExpiry 14400
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000071: The Photon operating system must generate audit records when the sudo command is used.
At the command line, execute the following command:
# auditctl -l | grep sudo
Expected result:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
OR
-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
If the output does not match the expected result, this is a finding.
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
At the command line, execute the following command:
# /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000082: The Photon operating system must configure a secure umask for all shells.
At the command line, execute the following command:
# cat /etc/profile.d/umask.sh
Expected result:
# By default, the umask should be set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 027
fi
If the output does not match the expected result, this is a finding.
Discussion
A user's umask influences the permissions assigned to files that a user creates. Setting an appropriate umask is important to make sure that information is not exposed to unprivileged users.
Fix
Open /etc/profile.d/umask.sh with a text editor. Set the contents as follows:
# By default, the umask should be set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 027
fi
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000065: The Photon operating system must require users to reauthenticate for privilege escalation.
At the command line, execute the following commands:
# grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -v "^#"|grep -v "^%"|awk '{print $1}'
# awk -F: '($2 != "x" && $2 != "!") {print $1}' /etc/shadow
If any account listed in the first output is also listed in the second output, this is a finding.
Discussion
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Fix
Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
# visudo
OR
# visudo -f /etc/sudoers.d/<file name>
Remove any occurrences of "NOPASSWD" tags associated with user accounts with a password hash.
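The following shell script is an added example; it is not part of the STIG text or of any VMware tooling. It performs the cross-check this control describes (NOPASSWD rules for user accounts, with comments and %group rules ignored, intersected with accounts whose /etc/shadow password field is neither "x" nor "!") on constructed sudoers and shadow files. The account names, rules and hashes in it are hypothetical.

```sh
# Added example (not part of the STIG): cross-check NOPASSWD sudo rules
# against accounts that still hold a password hash, on constructed sample
# files so it runs offline. All account names below are hypothetical.

# Users (not %groups, not comments) that carry a NOPASSWD tag in the given
# sudoers file(s). Mirrors the check's grep/awk pipeline; -s silences errors
# for a missing /etc/sudoers.d/* glob.
nopasswd_users() {
    grep -ihs nopasswd "$@" | grep -v '^#' | grep -v '^%' | awk '{print $1}' | sort -u
}

# Accounts whose shadow password field is a real hash: the check treats
# anything other than "x" and "!" as "has a password hash".
hashed_accounts() {
    awk -F: '($2 != "x" && $2 != "!") {print $1}' "$1" | sort -u
}

# Every account present in both lists is a finding under PHTN-67-000065:
# it can escalate without reauthenticating although it has a password.
nopasswd_findings() {
    shadow_file=$1; shift
    a=$(mktemp); b=$(mktemp)
    nopasswd_users "$@" > "$a"
    hashed_accounts "$shadow_file" > "$b"
    comm -12 "$a" "$b"          # lines common to both sorted lists
    rm -f "$a" "$b"
}

# Constructed sample data (hypothetical accounts and rules).
make_sample_data() {
    mkdir -p "$1/sudoers.d"
    cat > "$1/sudoers" <<'EOF'
# constructed /etc/sudoers
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
EOF
    cat > "$1/sudoers.d/automation" <<'EOF'
svcacct ALL=(ALL) NOPASSWD: ALL
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
backup:$6$constructed$notarealhash:19000:0:99999:7:::
svcacct:!:19000:0:99999:7:::
daemon:x:19000:0:99999:7:::
EOF
}

# Stand-alone run: prints "backup" (svcacct is locked, so it is not a finding).
sample=$(mktemp -d)
make_sample_data "$sample"
nopasswd_findings "$sample/shadow" "$sample/sudoers" "$sample"/sudoers.d/*
rm -rf "$sample"
```

Against a live appliance the same functions take the real files, for example nopasswd_findings /etc/shadow /etc/sudoers /etc/sudoers.d/* as root. Because the check treats only "x" and "!" as the absence of a hash, an account locked by prefixing its existing hash with "!" still counts as having a password, so its NOPASSWD rule is still reported.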
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000073: The Photon operating system must audit the insmod module.
At the command line, execute the following command:
# auditctl -l | grep "/sbin/insmod"
Expected result:
-w /sbin/insmod -p x
If the output does not match the expected result, this is a finding.
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line:
-w /sbin/insmod -p x
At the command line, execute the following command:
# /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000070: The Photon operating system must remove all software components after updated versions have been installed.
At the command line, execute the following command:
# grep -i "^clean_requirements_on_remove" /etc/tdnf/tdnf.conf
Expected result:
clean_requirements_on_remove=true
If the output does not match the expected result, this is a finding.
Discussion
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Fix
Open /etc/tdnf/tdnf.conf with a text editor. Remove any existing "clean_requirements_on_remove" line and ensure the following line is present:
clean_requirements_on_remove=true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000120: The Photon operating system must protect all sysctl configuration files from unauthorized access.
At the command line, execute the following command:
# find /etc/sysctl.conf /etc/sysctl.d/* -xdev -type f -a '(' -not -perm 600 -o -not -user root -o -not -group root ')' -exec ls -ld {} \;
If any files are returned, this is a finding.
Discussion
The sysctl configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuration of these parameters can have a negative effect on system security.
Fix
At the command line, execute the following commands for each returned file:
# chmod 600 <file>
# chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000055: The Photon operating system must configure sshd with a specific ListenAddress.
At the command line, execute the following command:
# sshd -T|&grep -i ListenAddress
If the ListenAddress is not configured to the VCSA management IP, this is a finding.
Discussion
Without specifying a ListenAddress, sshd will listen on all interfaces. In situations with multiple interfaces, this may not be intended behavior and could lead to offering remote access on an unapproved network.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "ListenAddress" line is uncommented and set to a valid local IP. Example:
ListenAddress 169.254.1.2
Replace "169.254.1.2" with the management address of the VCSA.
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000118: The Photon operating system must protect all boot configuration files from unauthorized access.
At the command line, execute the following command:
# find /boot/*.cfg -xdev -type f -a '(' -not -perm 600 -o -not -user root -o -not -group root ')' -exec ls -ld {} \;
If any files are returned, this is a finding.
Discussion
Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or malicious configurations can negatively affect system security and availability.
Fix
At the command line, execute the following commands for each returned file:
# chmod 600 <file>
# chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000094: The Photon operating system must configure sshd to limit the number of allowed login attempts per connection.
At the command line, execute the following command:
# sshd -T|&grep -i MaxAuthTries
Expected result:
MaxAuthTries 2
If the output does not match the expected result, this is a finding.
Discussion
By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "MaxAuthTries" line is uncommented and set to the following:
MaxAuthTries 2
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000038: The Photon operating system must configure sshd to disconnect idle SSH sessions.
At the command line, execute the following command:
# sshd -T|&grep -i ClientAliveInterval
Expected result:
ClientAliveInterval 900
If the output does not match the expected result, this is a finding.
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "ClientAliveInterval" line is uncommented and set to the following:
ClientAliveInterval 900
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000015: The Photon operating system audit log must have correct permissions.
At the command line, execute the following command:
# (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n permissions are %a" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi)
If the permissions on any audit log file are more permissive than 0600, this is a finding.
Discussion
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Fix
At the command line, execute the following command:
# chmod 0600 <audit log file>
Replace <audit log file> with each log file more permissive than 0600.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000056: The Photon operating system must audit the execution of privileged functions.
At the command line, execute the following command to obtain a list of setuid files:
# find / -xdev -perm -4000 -type f -o -perm -2000 -type f
Execute the following command for each setuid file found in the first command:
# grep <setuid_path> /etc/audit/audit.rules
Replace <setuid_path> with each path found in the first command.
If any <setuid_path> does not have a corresponding line in the audit rules, this is a finding.
A typical corresponding line will look like the following:
-a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215
Fix
At the command line, execute the following command to obtain a list of setuid files:
# find / -xdev -perm -4000 -type f -o -perm -2000 -type f
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line for each path found in the first command, replacing <setuid_path> with that path:
-a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
At the command line, execute the following command:
# /sbin/augenrules --load
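The following shell script is an added example, not part of the STIG text or of VMware tooling. It runs the check's find expression over a constructed directory tree (three setuid shell scripts plus one plain binary) and compares each setuid path with a constructed audit.STIG.rules file that covers only sudo and su. It matches the full "-F path=<setuid_path>" token rather than grepping for the bare path as the check does, so a rule for /usr/bin/sudo cannot silently satisfy /usr/bin/su.

```sh
# Added example (not part of the STIG): list setuid/setgid binaries in a
# tree and report those without a matching audit rule, using a constructed
# sample tree and rules file so it runs offline as a non-root user.

# setuid/setgid regular files under ROOT, printed relative to ROOT (so that
# a sample tree yields system-style paths such as /usr/bin/sudo). The find
# expression is the one used by the check; ROOT=/ scans the live system.
setuid_files() {
    root=${1%/}
    find "${root:-/}" -xdev \( -perm -4000 -type f -o -perm -2000 -type f \) \
        | sed "s|^$root||" | sort
}

# Succeed if RULES_FILE has an uncommented rule for PATH. Requiring the
# "-F path=<PATH>" token to be followed by a space or end of line keeps
# /usr/bin/su from being satisfied by the rule for /usr/bin/sudo.
# (PATH is used as a regex; the sample paths contain no metacharacters.)
has_audit_rule() {
    grep -v '^[[:space:]]*#' "$1" | grep -E -q -- "-F path=$2([[:space:]]|$)"
}

# Each setuid path without a rule is a finding under PHTN-67-000056.
missing_audit_rules() {
    rules=$1; shift
    for p in "$@"; do
        has_audit_rule "$rules" "$p" || echo "$p"
    done
}

# Constructed sample tree: three setuid shells, one plain binary, and a
# rules file that covers only sudo and su (passwd is deliberately missing).
make_sample_tree() {
    mkdir -p "$1/usr/bin"
    for b in sudo su passwd ls; do
        printf '#!/bin/sh\n' > "$1/usr/bin/$b"
        chmod 755 "$1/usr/bin/$b"
    done
    chmod u+s "$1/usr/bin/sudo" "$1/usr/bin/su" "$1/usr/bin/passwd"
    cat > "$1/audit.STIG.rules" <<'EOF'
# constructed rules: sudo and su are audited, passwd is not
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
EOF
}

# Stand-alone run: prints /usr/bin/passwd.
sample=$(mktemp -d)
make_sample_tree "$sample"
missing_audit_rules "$sample/audit.STIG.rules" $(setuid_files "$sample")
rm -rf "$sample"
```

On a live system, setuid_files / produces the same list as the check's find command; passing that list to missing_audit_rules together with /etc/audit/audit.rules reproduces the check, and the rule line to add for each reported path is the one given in the Fix.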
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000117: The Photon operating system must enforce password complexity on the root account.
At the command line, execute the following command:
# grep pam_cracklib /etc/pam.d/system-password|grep --color=always "enforce_for_root"
Expected result:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
If the output does not match the expected result, this is a finding.
Discussion
Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_cracklib does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000122: The Photon operating system must set the UMASK parameter correctly.
At the command line, execute the following command:
# grep UMASK /etc/login.defs
Expected result:
UMASK 077
If the output does not match the expected result, this is a finding.
Discussion
The umask value influences the permissions assigned to files when they are created. The umask setting in login.defs controls the permissions for a new user's home directory. By setting the proper umask, home directories will only allow the new user to read and write files there. Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230
Fix
Open /etc/login.defs with a text editor. Ensure that the "UMASK" line is uncommented and set to the following:
UMASK 077
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000016: The Photon operating system audit log must be owned by root.
At the command line, execute the following command:
# (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n is owned by %U" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi)
If any audit log file is not owned by root, this is a finding.
Discussion
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Fix
At the command line, execute the following command:
# chown root:root <audit log file>
Replace <audit log file> with each log file not owned by root.
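The following shell script is an added example, not part of the STIG text or of VMware tooling. It reads the log_file setting from a constructed auditd.conf, expands the same "<log_file>*" glob as the check commands of PHTN-67-000015 and PHTN-67-000016 (so rotated logs such as audit.log.1 are included), and reports files with a mode more permissive than 0600 or an owner other than root:root. The sample configuration, log files and modes are constructed.

```sh
# Added example (not part of the STIG): find the audit log files named by
# auditd.conf and report permission or ownership deviations, the checks of
# PHTN-67-000015 and PHTN-67-000016, against a constructed config and logs.

# The log_file value from an auditd.conf-style file ("log_file = /path").
audit_log_path() {
    sed -n 's/^log_file[[:space:]]*=[[:space:]]*//p' "$1"
}

# The active log plus its rotated siblings (audit.log, audit.log.1, ...):
# this is what the glob in the check, "${audit_log_file%}*", expands to.
audit_log_files() {
    log=$(audit_log_path "$1")
    [ -n "$log" ] || return 1
    for f in "$log"*; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Files whose mode grants anything beyond 0600 (owner execute, group or
# other bits): "more permissive than 0600" in the check's wording.
audit_log_perm_findings() {
    audit_log_files "$1" | while read -r f; do
        mode=$(stat -c %a "$f")
        # A leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 0177 )) -ne 0 ]; then echo "$f"; fi
    done
}

# Files not owned by root:root.
audit_log_owner_findings() {
    audit_log_files "$1" | while read -r f; do
        if [ "$(stat -c %U:%G "$f")" != "root:root" ]; then echo "$f"; fi
    done
}

# Constructed sample: a compliant active log, a rotated log left at 0644,
# and an unrelated file that the glob must not pick up.
make_sample_audit() {
    mkdir -p "$1/log"
    printf 'log_file = %s/log/audit.log\nlog_format = ENRICHED\n' "$1" > "$1/auditd.conf"
    : > "$1/log/audit.log";   chmod 600 "$1/log/audit.log"
    : > "$1/log/audit.log.1"; chmod 644 "$1/log/audit.log.1"
    : > "$1/log/other.log";   chmod 666 "$1/log/other.log"
}

# Stand-alone run: prints the 0644 rotated log under the permissions check.
sample=$(mktemp -d)
make_sample_audit "$sample"
audit_log_perm_findings "$sample/auditd.conf"
rm -rf "$sample"
```

"More permissive than 0600" is evaluated as any mode bit outside 0600 being set, so a 0700 or 0640 file is a finding while 0400 is not. Against a live system the functions take /etc/audit/auditd.conf; the remediation for each reported file is the chmod 0600 or chown root:root given in the respective Fix.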
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000083: The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.
At the command line, execute the following command:
# sshd -T|&grep -i GSSAPIAuthentication
Expected result:
GSSAPIAuthentication no
If the output does not match the expected result, this is a finding.
Discussion
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "GSSAPIAuthentication" line is uncommented and set to the following:
GSSAPIAuthentication no
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000006: The Photon operating system must have the sshd SyslogFacility set to "authpriv".
At the command line, execute the following command:
# sshd -T|&grep -i SyslogFacility
Expected result:
syslogfacility AUTHPRIV
If there is no output or if the output does not match the expected result, this is a finding.
Discussion
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "SyslogFacility" line is uncommented and set to the following:
SyslogFacility AUTHPRIV
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000081: The Photon operating system must disable the debug-shell service.
At the command line, execute the following command:
# systemctl status debug-shell.service|grep -E --color=always disabled
If the debug-shell service is not disabled, this is a finding.
Discussion
The debug-shell service is intended to diagnose system-related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.
Fix
At the command line, execute the following commands:
# systemctl stop debug-shell.service
# systemctl disable debug-shell.service
Reboot for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000103: The Photon operating system must be configured so that all cron paths are protected from unauthorized modification.
At the command line, execute the following command:
# stat -c "%n permissions are %a and owned by %U:%G" /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
Expected result:
/etc/cron.d permissions are 755 and owned by root:root
/etc/cron.daily permissions are 755 and owned by root:root
/etc/cron.hourly permissions are 755 and owned by root:root
/etc/cron.monthly permissions are 755 and owned by root:root
/etc/cron.weekly permissions are 755 and owned by root:root
If the output does not match the expected result, this is a finding.
Discussion
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Fix
At the command line, execute the following commands for each path that does not match the expected result:
# chmod 755 <path>
# chown root:root <path>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000002: The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
At the command line, execute the following command:
# grep pam_tally2 /etc/pam.d/system-auth|grep --color=always "deny=."
Expected result:
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
If the output does not match the expected result, this is a finding.
Discussion
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Fix
Open /etc/pam.d/system-auth with a text editor. Add the following line after the last auth statement:
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000113: The Photon operating system must send TCP timestamps.
At the command line, execute the following command:
# /sbin/sysctl -a --pattern "net.ipv4.tcp_timestamps$"
Expected result:
net.ipv4.tcp_timestamps = 1
If the output does not match the expected result, this is a finding.
Discussion
TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can help a bad actor in determining likely patch levels for vulnerabilities.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following line:
net.ipv4.tcp_timestamps = 1
Run the following command to load the new setting:
# /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000019: The Photon operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
At the command line, execute the following command:
# find /etc/audit/* -type f -exec stat -c "%n permissions are %a" {} \;
If the permissions of any files are more permissive than 640, this is a finding.
Discussion
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Fix
At the command line, execute the following command:
# chmod 640 <file>
Replace <file> with any file with incorrect permissions.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000093: The Photon operating system must configure sshd to ignore user-specific known_host files.
At the command line, execute the following command:
# sshd -T|&grep -i IgnoreUserKnownHosts
Expected result:
IgnoreUserKnownHosts yes
If the output does not match the expected result, this is a finding.
Discussion
SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines which must also be ignored while disabling host-based authentication generally.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "IgnoreUserKnownHosts" line is uncommented and set to the following:
IgnoreUserKnownHosts yes
At the command line, execute the following command:
# service sshd reload
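The following shell script is an added example, not part of the STIG text or of VMware tooling. It evaluates an "sshd -T" effective-configuration dump against the values expected by the sshd controls on this page (PHTN-67-000009, -000092, -000003, -000094, -000038, -000083, -000006 and -000093; ListenAddress is left out because its expected value is site-specific). The dump it reads is constructed, including the Photon-specific fipsmode keyword, so no live sshd is needed; on an appliance the dump would come from sshd -T.

```sh
# Added example (not part of the STIG): evaluate an "sshd -T" effective
# configuration dump against the values the sshd controls on this page
# expect. The dump below is constructed, so no live sshd is needed.

# Effective value of KEY in DUMP. sshd -T prints keywords in lower case
# (which is why the page's checks use grep -i), so compare case-insensitively.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" 'tolower($1) == key { sub(/^[^ ]+ /, ""); print; exit }' "$1"
}

# Succeed if KEY's effective value in DUMP is exactly EXPECTED.
sshd_setting_is() {
    [ "$(sshd_effective "$1" "$2")" = "$3" ]
}

# One line per deviation from EXPECTATIONS (lines of "Keyword value"); an
# empty result means every listed control passes.
sshd_findings() {
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', effective '${got:-<unset>}'"
        fi
    done < "$2"
}

# Expected values taken from the checks on this page.
write_expectations() {
    cat > "$1" <<'EOF'
FipsMode yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
Banner /etc/issue
MaxAuthTries 2
ClientAliveInterval 900
GSSAPIAuthentication no
SyslogFacility AUTHPRIV
EOF
}

# Constructed dump in sshd -T format: compliant except for two settings.
write_sample_dump() {
    cat > "$1" <<'EOF'
port 22
fipsmode yes
ignorerhosts yes
ignoreuserknownhosts yes
banner /etc/issue
maxauthtries 6
clientaliveinterval 900
gssapiauthentication yes
syslogfacility AUTHPRIV
EOF
}

# Stand-alone run: prints the MaxAuthTries and GSSAPIAuthentication findings.
sample=$(mktemp -d)
write_expectations "$sample/expected"
write_sample_dump "$sample/dump"
sshd_findings "$sample/dump" "$sample/expected"
rm -rf "$sample"
```

Values are compared exactly, so "AUTHPRIV" for SyslogFacility must appear as written in the check. sshd -T reports the effective configuration, including compiled-in defaults for keywords that sshd_config never sets, which is why the checks on this page read it rather than grepping sshd_config; a commented-out or missing line is caught as well as a wrong one.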
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000048: The Photon operating system must initiate auditing as part of the boot process.
At the command line, execute the following command:
# grep "audit=1" /proc/cmdline
If no results are returned, this is a finding.
Discussion
Each process on the system carries an "auditable" flag, which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes that launch after it starts, adding the kernel argument ensures the flag is set at boot for every process on the system. This includes processes created before auditd starts.
Fix
Open /boot/grub2/grub.cfg with a text editor and locate the boot command line arguments. An example follows:
linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
Add "audit=1" to the end of the line so it reads as follows:
linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 audit=1
Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append "audit=1" to it.
Reboot the system for the change to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000064: The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
At the command line, execute the following command:
# grep gpgcheck /etc/yum.repos.d/*
If "gpgcheck" is not set to "1" in any returned file, this is a finding.
Discussion
Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.
Fix
Open the file where gpgcheck is not set to "1" with a text editor. Remove any existing gpgcheck setting and add the following line at the end of the file:
gpgcheck=1
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000005: The Photon operating system must set a session inactivity timeout of 15 minutes or less.
At the command line, execute the following command:
# cat /etc/profile.d/tmout.sh
Expected result:
TMOUT=900
readonly TMOUT
export TMOUT
mesg n 2>/dev/null
If the file "tmout.sh" does not exist or the output does not look like the expected result, this is a finding.
Discussion
A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session prior to going idle, the Photon operating system must be able to identify when a session has idled and take action to terminate the session. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109
Fix
Open /etc/profile.d/tmout.sh with a text editor and set its content to the following:
TMOUT=900
readonly TMOUT
export TMOUT
mesg n 2>/dev/null
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000049: The Photon operating system audit files and directories must have correct permissions.
At the command line, execute the following command:
# stat -c "%n is owned by %U and group owned by %G" /etc/audit/auditd.conf
If auditd.conf is not owned by root and group owned by root, this is a finding.
Discussion
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
Fix
At the command line, execute the following command:
# chown root:root /etc/audit/auditd.conf
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000042: The Photon operating system messages file must be owned by root.
At the command line, execute the following command:
# stat -c "%n is owned by %U and group owned by %G" /var/log/vmware/messages
If /var/log/vmware/messages is not owned by root or not group owned by root, this is a finding.
Discussion
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.
Fix
At the command line, execute the following command:
# chown root:root /var/log/vmware/messages
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000013: The Photon operating system audit log must log space limit problems to syslog.
At the command line, execute the following command:
# grep "^space_left_action" /etc/audit/auditd.conf
Expected result:
space_left_action = SYSLOG
If the output does not match the expected result, this is a finding.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135
Fix
Open /etc/audit/auditd.conf with a text editor. Ensure that the "space_left_action" line is uncommented and set to the following:
space_left_action = SYSLOG
At the command line, execute the following command:
# service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000076: The Photon operating system must set the FAIL_DELAY parameter.
At the command line, execute the following command:
# grep FAIL_DELAY /etc/login.defs
Expected result:
FAIL_DELAY 4
If the output does not match the expected result, this is a finding.
Discussion
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Fix
Open /etc/login.defs with a text editor. Add the following line after the last auth statement:
FAIL_DELAY 4
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000039: The Photon operating system must configure sshd to disconnect idle SSH sessions.
At the command line, execute the following command:
# sshd -T|&grep -i ClientAliveCountMax
Expected result:
ClientAliveCountMax 0
If the output does not match the expected result, this is a finding.
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "ClientAliveCountMax" line is uncommented and set to the following:
ClientAliveCountMax 0
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000108: The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
At the command line, execute the following command:
# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).send_redirects"
Expected result:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
If the output does not match the expected result, this is a finding.
Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
Run the following command to load the new setting:
# /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000004: The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
At the command line, execute the following command:
# grep "^[^#].*maxlogins.*" /etc/security/limits.conf
Expected result:
* hard maxlogins 10
If the output does not match the expected result, this is a finding.
Note: The expected result may be repeated multiple times.
Discussion
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service attacks.
Fix
At the command line, execute the following command:
# echo '* hard maxlogins 10' >> /etc/security/limits.conf
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000017: The Photon operating system audit log must be group-owned by root.
At the command line, execute the following command:
# (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; stat -c "%n is group owned by %G" ${audit_log_file%}*; else printf "audit log file(s) not found\n"; fi)
If any audit log file is not group-owned by root, this is a finding.
Discussion
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Fix
At the command line, execute the following command:
# chown root:root <audit log file>
Replace <audit log file> with the log files not group owned by root.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000088: The Photon operating system must configure sshd to use privilege separation.
At the command line, execute the following command:
# sshd -T|&grep -i UsePrivilegeSeparation
Expected result:
UsePrivilegeSeparation yes
If the output does not match the expected result, this is a finding.
Discussion
Privilege separation in sshd causes the process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "UsePrivilegeSeparation" line is uncommented and set to the following:
UsePrivilegeSeparation yes
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000096: The Photon operating system must be configured so that the /etc/skel default scripts are protected from unauthorized modification.
At the command line, execute the following command:
# stat -c "%n permissions are %a and owned by %U:%G" /etc/skel/.[^.]*
Expected result:
/etc/skel/.bash_logout permissions are 750 and owned by root:root
/etc/skel/.bash_profile permissions are 644 and owned by root:root
/etc/skel/.bashrc permissions are 750 and owned by root:root
If the output does not match the expected result, this is a finding.
Discussion
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
Fix
At the command line, execute the following commands:
# chmod 750 /etc/skel/.bash_logout
# chmod 644 /etc/skel/.bash_profile
# chmod 750 /etc/skel/.bashrc
# chown root:root /etc/skel/.bash_logout
# chown root:root /etc/skel/.bash_profile
# chown root:root /etc/skel/.bashrc
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000045: The Photon operating system must audit all account modifications.
At the command line, execute the following command:
# auditctl -l | grep -E "(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)"
Expected result:
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow
If the output does not match the expected result, this is a finding.
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. Satisfies: SRG-OS-000239-GPOS-00089, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines:
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow
At the command line, execute the following command:
# /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000027: The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime.
At the command line, execute the following command:
# grep "^PASS_MIN_DAYS" /etc/login.defs
If PASS_MIN_DAYS is not set to 1, this is a finding.
Discussion
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix
Open /etc/login.defs with a text editor. Modify the PASS_MIN_DAYS line to the following:
PASS_MIN_DAYS 1
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000114: The Photon OS must not have the xinetd service enabled.
At the command line, execute the following command:
# systemctl is-enabled xinetd.service
Expected result:
disabled
If the output does not match the expected result, this is a finding.
Discussion
The xinetd service is not required for normal appliance operation and must be disabled.
Fix
At the command line, execute the following commands:
# service xinetd stop
# systemctl disable xinetd.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000043: The Photon operating system messages file must have mode 0640 or less permissive.
At the command line, execute the following command:
# stat -c "%n permissions are %a" /var/log/vmware/messages
If the permissions on the file are more permissive than 0640, this is a finding.
Discussion
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.
Fix
At the command line, execute the following command:
# chmod 0640 /var/log/vmware/messages
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000090: The Photon operating system must configure sshd to disallow compression of the encrypted session stream.
At the command line, execute the following command:
# sshd -T|&grep -i Compression
Expected result:
Compression no
If the output does not match the expected result, this is a finding.
Discussion
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "Compression" line is uncommented and set to the following:
Compression no
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000051: The Photon operating system must protect audit tools from unauthorized modification.
At the command line, execute the following command:
# stat -c "%n permissions are %a" /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace
If any file is more permissive than 750, this is a finding.
Discussion
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Fix
At the command line, execute the following command for each file returned:
# chmod 750 <file>
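"More permissive than 750" (and the 0640 limit on the messages file above) is a bitwise question, not a numeric one: a mode of 604 is numerically below 640 yet grants world read. The following added example, which is not part of the STIG or of Photon OS, evaluates stat output against a maximum mode with that bitwise test; the file list and modes it contains are a constructed sample.

```shell
#!/bin/sh
# Added example (not STIG or VMware code): decide whether a file mode is
# "more permissive than" a maximum by checking for any bit set outside the
# maximum, the way the audit-tool and messages-file controls above intend.

# Constructed sample of: stat -c "%n %a" <files>
STAT_SAMPLE='/usr/sbin/auditctl 750
/usr/sbin/auditd 755
/usr/sbin/aureport 750
/usr/sbin/ausearch 740
/usr/sbin/autrace 604'

# mode_within <actual mode> <maximum mode>
# Both octal as printed by stat %a. Returns 0 when <actual> grants no
# permission bit that <maximum> does not, 1 otherwise.
mode_within() {
    actual=$(( 0$1 ))      # a leading 0 makes the shell parse octal
    maximum=$(( 0$2 ))
    [ $(( actual & ~maximum )) -eq 0 ]
}

# audit_modes <stat "%n %a" output> <maximum mode>
# Prints a verdict per file and returns the number of files more permissive
# than <maximum>.
audit_modes() {
    findings=0
    while read -r name mode; do
        [ -n "$name" ] || continue
        if mode_within "$mode" "$2"; then
            printf 'PASS %s %s\n' "$name" "$mode"
        else
            printf 'FAIL %s %s exceeds %s\n' "$name" "$mode" "$2"
            findings=$((findings + 1))
        fi
    done <<EOF
$1
EOF
    return $findings
}

# Against the sample: auditd (755, world x) and autrace (604, world r) fail;
# ausearch (740) passes because it grants nothing that 750 does not.
audit_modes "$STAT_SAMPLE" 750 || printf '%s finding(s)\n' "$?"
```

On a live host, feed audit_modes the real stat output, e.g. `audit_modes "$(stat -c '%n %a' /usr/sbin/auditctl /usr/sbin/auditd)" 750`.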
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000061: The Photon operating system must be configured to synchronize with an approved DoD time source.
At the command line, execute the following command:
# grep -E '^\s*(server|peer|multicastclient)' /etc/ntp.conf
Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If no lines are returned or a non-local/non-authoritative time server is used, this is a finding.
OR
Navigate to https://<hostname>:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Time". If no appropriate time server is specified, this is a finding.
Discussion
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
Fix
Open /etc/ntp.conf with a text editor and set its contents to the following:
tinker panic 0
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
driftfile /var/lib/ntp/drift/ntp.drift
server <site-specific-time-source-IP>
At the command line, execute the following commands:
# chkconfig ntpd on
# systemctl start ntp
OR
Navigate to https://<hostname>:5480 to access the VAMI. Authenticate and navigate to "Time". Click "Edit" in the top right and configure at least one appropriate NTP server. Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000022: The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.
At the command line, execute the following command:
# grep pam_cracklib /etc/pam.d/system-password|grep --color=always "lcredit=.."
Expected result:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
If the output does not match the expected result, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000067: The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
At the command line, execute the following command:
# sshd -T|&grep -i Ciphers
Expected result:
ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
If the output does not match the expected result, this is a finding.
Discussion
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The operating system can meet this requirement through leveraging a cryptographic module. Satisfies: SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "Ciphers" line is uncommented and set to the following:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
PHTN-67-000109: The Photon operating system must log IPv4 packets with impossible addresses.
At the command line, execute the following command:
# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).log_martians"
Expected result:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
If the output does not match the expected result, this is a finding.
Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "1".
Discussion
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
Run the following command to load the new setting:
# /sbin/sysctl --load
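Both sysctl controls above (send_redirects = 0 and log_martians = 1) require the all and default entries plus every per-interface entry to carry the value. The following added example, which is not part of the STIG or of Photon OS, evaluates that against sysctl output; it goes slightly beyond the STIG's "eth.*" pattern by checking every interface other than lo, so interfaces with other names are not missed. The sysctl output it uses is a constructed sample.

```shell
#!/bin/sh
# Added example (not STIG or VMware code): verify a net.ipv4.conf.<iface>.<key>
# setting on all, default and every real interface. SYSCTL_SAMPLE is a
# constructed sample of "sysctl -a" output; on a live host use
#   check_ipv4_conf "$(/sbin/sysctl -a 2>/dev/null)" send_redirects 0

SYSCTL_SAMPLE='net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth1.log_martians = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.send_redirects = 1'

# check_ipv4_conf <sysctl output> <key> <required value>
# Prints PASS/FAIL per entry and returns the number of findings: entries not
# set to <required value>, plus a missing all or default entry. Loopback is
# skipped; the STIG's pattern does not cover it either.
check_ipv4_conf() {
    printf '%s\n' "$1" | awk -v key="$2" -v want="$3" '
        BEGIN { bad = 0 }
        $1 ~ ("^net\\.ipv4\\.conf\\.[^.]+\\." key "$") {
            split($1, p, ".")
            iface = p[4]
            if (iface == "lo") next
            seen[iface] = 1
            if ($3 == want) printf "PASS %s = %s\n", $1, $3
            else { bad++; printf "FAIL %s = %s (expected %s)\n", $1, $3, want }
        }
        END {
            if (!("all" in seen))     { bad++; print "FAIL net.ipv4.conf.all." key " not present" }
            if (!("default" in seen)) { bad++; print "FAIL net.ipv4.conf.default." key " not present" }
            exit bad
        }'
}

# Against the sample: eth0 still sends redirects and eth1 does not log
# martians, so each check reports exactly one finding.
check_ipv4_conf "$SYSCTL_SAMPLE" send_redirects 0 || printf '%s finding(s)\n' "$?"
check_ipv4_conf "$SYSCTL_SAMPLE" log_martians 1 || printf '%s finding(s)\n' "$?"
```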
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000102: The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification.
At the command line, execute the following command:
# find /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.monthly/ /etc/cron.weekly/ -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \;
If any files are returned, this is a finding.
Discussion
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Fix
At the command line, execute the following commands for each returned file:
# chmod o-w <file>
# chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000085: The Photon operating system must configure sshd to disable X11 forwarding.
At the command line, execute the following command:
# sshd -T|&grep -i X11Forwarding
Expected result:
X11Forwarding no
If the output does not match the expected result, this is a finding.
Discussion
X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "X11Forwarding" line is uncommented and set to the following:
X11Forwarding no
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000074: The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events.
At the command line, execute the following command:
# auditctl -l | grep -E /etc/security/opasswd
If any of these are not listed with a permissions filter of at least "w", this is a finding.
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line:
-w /etc/security/opasswd -p wa -k opasswd
At the command line, execute the following command:
# /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000101: The Photon operating system must be configured so that the /etc/cron.allow file is protected from unauthorized modification.
At the command line, execute the following command:
# stat -c "%n permissions are %a and owned by %U:%G" /etc/cron.allow
Expected result:
/etc/cron.allow permissions are 600 and owned by root:root
If the output does not match the expected result, this is a finding.
Discussion
If cron files and folders are accessible to unauthorized users, malicious jobs may be created.
Fix
At the command line, execute the following commands:
# chmod 600 /etc/cron.allow
# chown root:root /etc/cron.allow
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000032: The Photon operating system must only allow installation of packages signed by VMware.
At the command line, execute the following command:
# rpm -qa gpg-pubkey --qf "%{version}-%{release} %{summary}\n"|grep -v "66fd4949-4803fe57"
If there is any output, an unsupported package has been installed and this is a finding.
Discussion
Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by VMware.
Fix
Confirm with VMware support that this package is not supported (for potential package additions after STIG publication). At the command line, execute the following command:
# rpm -e <package-name-from-check>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000035: The Photon operating system must configure sshd to disallow root logins.
At the command line, execute the following command:
# sshd -T|&grep -i PermitRootLogin
Expected result:
permitrootlogin no
If the output does not match the expected result, this is a finding.
Discussion
Logging on with a user-specific account provides individual accountability for actions performed on the system. Users must log in with their individual accounts and elevate to root as necessary. Disallowing root SSH login also reduces the distribution of the root password to users who may not otherwise need that level of privilege.
Fix
Open /etc/ssh/sshd_config with a text editor and ensure that the "PermitRootLogin" line is uncommented and set to the following:
PermitRootLogin no
At the command line, execute the following command:
# service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000086: The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files.
At the command line, execute the following command:
# sshd -T|&grep -i StrictModes
Expected result:
StrictModes yes
If the output does not match the expected result, this is a finding.
Discussion
If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "StrictModes" line is uncommented and set to the following:
StrictModes yes
At the command line, execute the following command:
# service sshd reload
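The sshd controls on this page (ClientAliveCountMax, UsePrivilegeSeparation, Compression, Ciphers, X11Forwarding, PermitRootLogin, StrictModes) all read the effective configuration from "sshd -T", which prints every keyword in lowercase; that is why each check uses "grep -i". The following added example, which is not part of the STIG or of Photon OS, applies all seven expected results to that output in one pass, comparing case-insensitively. The sshd -T output it contains is a constructed sample.

```shell
#!/bin/sh
# Added example (not STIG or VMware code): evaluate the sshd controls above
# against the effective configuration printed by "sshd -T".
# SSHD_T_OUTPUT is a constructed sample; on a live host use: sshd -T 2>&1

SSHD_T_OUTPUT='permitrootlogin yes
clientalivecountmax 0
useprivilegeseparation yes
compression no
x11forwarding no
strictmodes yes
ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

# check_sshd_option <sshd -T output> <keyword> <expected value>
# Returns 0 when the keyword is present with the expected value, 1 when it
# is absent or differs; prints one PASS/FAIL line either way.
check_sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # one "keyword value..." pair per line; keep everything after the keyword
    got=$(printf '%s\n' "$1" | awk -v k="$key" '
        tolower($1) == k { sub(/^[^ ]+ */, ""); print; exit }')
    if [ -z "$got" ]; then
        printf 'FAIL %s: not present in sshd -T output\n' "$key"
        return 1
    fi
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
        printf 'PASS %s %s\n' "$key" "$got"
        return 0
    fi
    printf 'FAIL %s: expected "%s", found "%s"\n' "$key" "$3" "$got"
    return 1
}

# audit_sshd <sshd -T output>: applies every sshd expected result from the
# controls above and returns the number of findings (0 means compliant).
audit_sshd() {
    findings=0
    while IFS='|' read -r key want; do
        check_sshd_option "$1" "$key" "$want" || findings=$((findings + 1))
    done <<'EOF'
ClientAliveCountMax|0
UsePrivilegeSeparation|yes
Compression|no
Ciphers|aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
X11Forwarding|no
PermitRootLogin|no
StrictModes|yes
EOF
    return $findings
}

# Against the constructed sample: exactly one finding (permitrootlogin yes).
audit_sshd "$SSHD_T_OUTPUT" || printf '%s finding(s)\n' "$?"
```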
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000077: The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
At the command line, execute the following command:
# grep pam_faildelay /etc/pam.d/system-auth|grep --color=always "delay="
Expected result:
auth optional pam_faildelay.so delay=4000000
If the output does not match the expected result, this is a finding.
Discussion
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Fix
Open /etc/pam.d/system-auth with a text editor. Remove any existing "pam_faildelay" line and add the following line at the end of the file:
auth optional pam_faildelay.so delay=4000000
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000075: The Photon operating system must use the pam_cracklib module.
At the command line, execute the following command:
# grep pam_cracklib /etc/pam.d/system-password
If the output does not return at least "password requisite pam_cracklib.so", this is a finding.
Discussion
If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000025: The Photon operating system must store only encrypted representations of passwords.
At the command line, execute the following command:
# grep password /etc/pam.d/system-password|grep --color=always "sha512"
If the output does not include "sha512", this is a finding.
Discussion
Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted with a weak cipher, those passwords are much more vulnerable to offline brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Add the following argument (sha512) to the password line:
password required pam_unix.so sha512 shadow try_first_pass
Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000060: The Photon operating system must configure auditd to log space limit problems to syslog.
At the command line, execute the following command:
# grep "^space_left " /etc/audit/auditd.conf
Expected result:
space_left = 75
If the output does not match the expected result, this is a finding.
Discussion
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
Fix
Open /etc/audit/auditd.conf with a text editor. Ensure that the "space_left" line is uncommented and set to the following:
space_left = 75
At the command line, execute the following command:
# service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000036: The Photon operating system must disable new accounts immediately upon password expiration.
At the command line, execute the following command:
# grep INACTIVE /etc/default/useradd
Expected result:
INACTIVE=0
If the output does not match the expected result, this is a finding.
Discussion
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Disabling inactive accounts ensures that accounts that may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Fix
Open /etc/default/useradd with a text editor. Remove any existing "INACTIVE" line and add the following line:
INACTIVE=0
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000046: The Photon operating system must audit all account disabling actions.
At the command line, execute the following command:
# auditctl -l | grep "^-w /usr/bin/passwd"
Expected result:
-w /usr/bin/passwd -p x -k passwd
If the output does not match the expected result, this is a finding.
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or the operating system processes themselves. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions.
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line:
-w /usr/bin/passwd -p x -k passwd
At the command line, execute the following command:
# /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000069: The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
At the command line, execute the following command:
# cat /proc/sys/kernel/randomize_va_space
If the value of "randomize_va_space" is not "2", this is a finding.
Discussion
ASLR makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code to repurpose it using return-oriented programming techniques.
Fix
Open /etc/sysctl.d/50-security-hardening.conf with a text editor. Ensure that the "randomize_va_space" line is uncommented and set to the following:
kernel.randomize_va_space=2
At the command line, execute the following command:
# sysctl --system
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000001: The Photon operating system must audit all account creations.
At the command line, execute the following command:
# auditctl -l | grep -E "(useradd|groupadd)"
Expected result:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd At the command line, execute the following command: # /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000097: The Photon operating system must be configured so that the /root path is protected from unauthorized access.
At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /root Expected result: /root permissions are 700 and owned by root:root If the output does not match the expected result, this is a finding.
Discussion
If /root, the home directory of the root account, is accessible to users other than root, unauthorized users could read or modify the files it contains, including root's shell start-up files, which root executes at every login.
Fix
At the command line, execute the following commands: # chmod 700 /root # chown root:root /root
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000030: The Photon operating system must ensure old passwords are being stored.
At the command line, execute the following command: # ls -al /etc/security/opasswd If "/etc/security/opasswd" does not exist, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse a previous password when the current one has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. PAM records the hashes of previous passwords in /etc/security/opasswd; if that file does not exist, reuse of an old password cannot be detected.
Fix
At the command line, execute the following commands: # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000008: The Photon operating system must have the sshd LogLevel set to "INFO".
At the command line, execute the following command: # sshd -T|&grep -i LogLevel Expected result: loglevel INFO If the output does not match the expected result, this is a finding. Note: "sshd -T" prints the effective configuration with keywords in lowercase, which is why the check uses a case-insensitive grep.
Discussion
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. The INFO LogLevel is required, at least, to ensure the capturing of failed login events.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "LogLevel" line is uncommented and set to the following: LogLevel INFO At the command line, execute the following command: # service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000111: The Photon operating system must not perform multicast packet forwarding.
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default|eth.*).mc_forwarding" Expected result: net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.eth0.mc_forwarding = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Discussion
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.eth0.mc_forwarding = 0 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000119: The Photon operating system must protect sshd configuration from unauthorized access.
At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/sshd_config Expected result: /etc/ssh/sshd_config permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.
Discussion
The sshd_config file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow unauthorized access to the system, insecure communication, limited forensic trail, etc.
Fix
At the command line, execute the following commands: # chmod 600 /etc/ssh/sshd_config # chown root:root /etc/ssh/sshd_config
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000115: The Photon operating system must be configured to protect the SSH public host key from unauthorized modification.
At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key.pub Expected result: /etc/ssh/ssh_host_dsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root If the output does not match the expected result, this is a finding.
Discussion
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Fix
At the command line, execute the following commands for each returned file: # chmod 644 <file> # chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000014: The Photon operating system audit log must attempt to log audit failures to syslog.
At the command line, execute the following command: # grep -E "^disk_full_action|^disk_error_action|^admin_space_left_action" /etc/audit/auditd.conf If any of the above parameters are not set to SYSLOG or are missing, this is a finding.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
Fix
Open /etc/audit/auditd.conf with a text editor. Ensure that the following lines are present, not duplicated, and not commented: disk_full_action = SYSLOG disk_error_action = SYSLOG admin_space_left_action = SYSLOG At the command line, execute the following command: # service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000037: The Photon operating system must use TCP syncookies.
At the command line, execute the following command: # /sbin/sysctl -a --pattern tcp_syncookies Expected result: net.ipv4.tcp_syncookies = 1 If the output does not match the expected result, this is a finding.
Discussion
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected and enables the system to continue servicing valid connection requests. Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000420-GPOS-00186
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.tcp_syncookies=1 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000062: The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
At the command line, execute the following command: # grep -s nosignature /usr/lib/rpm/rpmrc /etc/rpmrc ~root/.rpmrc If the command returns any output, this is a finding. Note: "-s" suppresses the error messages for rpmrc files that do not exist; a missing file is not a finding.
Discussion
Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Fix
Open the file containing "nosignature" with a text editor and remove the option.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000123: The Photon operating system must configure sshd to disallow HostbasedAuthentication.
At the command line, execute the following command: # sshd -T|&grep -i HostbasedAuthentication Expected result: hostbasedauthentication no If the output does not match the expected result, this is a finding.
Discussion
SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "HostbasedAuthentication" line is uncommented and set to the following: HostbasedAuthentication no At the command line, execute the following command: # service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000099: The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification.
At the command line, execute the following command: # find /etc/rc.d/* -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.
Discussion
If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.
Fix
At the command line, execute the following commands for each returned file: # chmod o-w <file> # chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000106: The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).accept_redirects" Expected result: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
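The four sysctl items above (randomize_va_space, mc_forwarding, tcp_syncookies and accept_redirects) all reduce to comparing lines of "sysctl -a" output against required values, with the complication that the number of "ethx" interfaces varies per host. The shell function below is an added example, not part of the STIG text or of VMware's own tooling: it reads "sysctl -a" output on standard input and tests every all/default/ethN entry rather than hard-coding eth0, so a second interface with a bad value is caught. The sample it is run against is constructed for the demonstration and was not captured from a real appliance.

```shell
#!/bin/sh
# check_sysctl: read "sysctl -a" output ("key = value" per line) on stdin and
# verify the kernel and network settings required by the items above.  Every
# all/default/ethN interface entry is tested, which is what the "Every ethx
# entry must be set to 0" notes ask for.  Prints FINDING lines; exit 0 if clean.
check_sysctl() {
    awk '
    BEGIN {
        exact["kernel.randomize_va_space"] = "2"   # full ASLR: stack, mmap, vdso and brk
        exact["net.ipv4.tcp_syncookies"]   = "1"
    }
    function bad(k, v, w) { printf "FINDING: %s = %s, expected %s\n", k, v, w; findings++ }
    $2 == "=" {
        key = $1; val = $3
        if (key in exact) {
            seen[key] = 1
            if (val != exact[key]) bad(key, val, exact[key])
        }
        if (key ~ /^net\.ipv[46]\.conf\.(all|default|eth[0-9]+)\.mc_forwarding$/) {
            mc_seen++
            if (val != "0") bad(key, val, "0")
        }
        if (key ~ /^net\.ipv4\.conf\.(all|default|eth[0-9]+)\.accept_redirects$/) {
            redir_seen++
            if (val != "0") bad(key, val, "0")
        }
    }
    END {
        for (k in exact)
            if (!(k in seen)) { printf "FINDING: %s not reported\n", k; findings++ }
        # all + default + at least one interface, for IPv4 and IPv6 (6) / IPv4 only (3)
        if (mc_seen < 6)    { printf "FINDING: only %d mc_forwarding entries seen, expected at least 6\n", mc_seen; findings++ }
        if (redir_seen < 3) { printf "FINDING: only %d accept_redirects entries seen, expected at least 3\n", redir_seen; findings++ }
        exit (findings ? 1 : 0)
    }'
}

# Constructed "sysctl -a" excerpt for the demonstration (not from a real host):
# syncookies are off and the second interface still accepts redirects.
SAMPLE_SYSCTL='kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv4.ip_forward = 0'

# sysctl_sample_findings: run the check over the constructed sample.
sysctl_sample_findings() {
    printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl
}

# On a live appliance run:  /sbin/sysctl -a 2>/dev/null | check_sysctl
sysctl_sample_findings || true    # exit status 1 is expected for the sample
```

The eth1 line is the point of the example: a check that greps only for eth0, as the literal expected output might suggest, would report this host as compliant.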
PHTN-67-000068: The Photon operating system must use OpenSSH for remote maintenance sessions.
At the command line, execute the following command: # rpm -qa|grep openssh If there is no output, this is a finding.
Discussion
If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when nonlocal maintenance sessions have been terminated and are no longer available for use. Satisfies: SRG-OS-000395-GPOS-00175, SRG-OS-000074-GPOS-00042, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Fix
Installing openssh manually is not supported by VMware. Revert to a previous backup or redeploy the VCSA.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000079: The Photon operating system must ensure root $PATH entries are appropriate.
As root, at the command line, execute the following command: # echo $PATH Expected result: /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/java/jre-vmware/bin:/opt/vmware/bin If the output does not match the expected result, this is a finding.
Discussion
The $PATH variable contains a colon-delimited list of directories that lets root run a limited set of binaries without specifying the full path. Unexpected entries in $PATH, in particular writable directories, empty entries (a leading, trailing or doubled colon) and relative entries such as ".", can lead to root running a binary other than the one intended.
Fix
At the command line, execute the following command: # export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/java/jre-vmware/bin:/opt/vmware/bin Note that export changes only the current shell; for the correction to persist, locate and fix the profile or start-up script that introduced the unexpected entry.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
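The check above is an exact string comparison, which says that root's $PATH is wrong but not why. The function below is an added example (not part of the STIG or of VMware's tooling) that walks the colon-separated list and names each offending entry, and it goes one step beyond the page by calling out the two classes of entry that matter most for a root shell: empty elements and relative ones, both of which resolve to the current directory. The expected value is the one from the check; the sample values it is run against are constructed.

```shell
#!/bin/sh
# The value the STIG check expects for root's PATH.
EXPECTED_ROOT_PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/java/jre-vmware/bin:/opt/vmware/bin

# check_root_path PATHVALUE
# Returns 0 when PATHVALUE equals EXPECTED_ROOT_PATH.  Otherwise prints one
# FINDING per unexpected, empty or relative entry and returns 1.
check_root_path() {
    case "$1" in
        "$EXPECTED_ROOT_PATH") return 0 ;;
    esac
    findings=0
    # Walk the list; the appended colon makes a trailing colon yield a final
    # empty entry, as the shell itself would treat it.
    rest=$1:
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")
                echo "FINDING: empty PATH entry (resolves to the current directory)"
                findings=$((findings + 1)) ;;
            /*)
                case ":$EXPECTED_ROOT_PATH:" in
                    *":$entry:"*) ;;
                    *) echo "FINDING: unexpected PATH entry $entry"
                       findings=$((findings + 1)) ;;
                esac ;;
            *)
                echo "FINDING: relative PATH entry \"$entry\" (resolves to the current directory)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ] || return 1
    # Every entry is an expected one, yet the value differs: entries are missing,
    # duplicated or reordered.
    echo "FINDING: PATH does not equal the expected value (entries missing, duplicated or reordered)"
    return 1
}

# Constructed values for the demonstration: the STIG value, then the same value
# with a scratch directory prepended and a trailing colon left behind.
path_sample_findings() {
    check_root_path "$EXPECTED_ROOT_PATH" && echo "expected PATH: no findings"
    check_root_path "/tmp/bin:$EXPECTED_ROOT_PATH:"
}

# On the appliance, as root:  check_root_path "$PATH"
path_sample_findings || true    # the second value is meant to fail
```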
PHTN-67-000010: The Photon operating system must configure auditd to log to disk.
At the command line, execute the following command: # grep "^write_logs" /etc/audit/auditd.conf Expected result: write_logs = yes If there is no output, this is not a finding, because auditd writes to its log file by default when "write_logs" is not set. If the output does not match the expected result, this is a finding.
Discussion
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content must be shipped to a central location, but it must also be logged locally. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019
Fix
Open /etc/audit/auditd.conf with a text editor. Ensure that the "write_logs" line is uncommented and set to the following: write_logs = yes At the command line, execute the following command: # service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000078: The Photon operating system must ensure audit events are flushed to disk at proper intervals.
At the command line, execute the following command: # grep -E "freq|flush" /etc/audit/auditd.conf Expected result: flush = INCREMENTAL_ASYNC freq = 50 If the output does not match the expected result, this is a finding.
Discussion
Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system may suffer or the risk of missing audit entries may be too high.
Fix
Open /etc/audit/auditd.conf with a text editor. Ensure that the two lines below are present and that any other "flush" and "freq" settings are removed: flush = INCREMENTAL_ASYNC freq = 50
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000063: The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
At the command line, execute the following command: # grep "^gpgcheck" /etc/tdnf/tdnf.conf If "gpgcheck" is not set to "1", this is a finding.
Discussion
Installation of any non-trusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.
Fix
Open /etc/tdnf/tdnf.conf with a text editor. Remove any existing gpgcheck setting and add the following line: gpgcheck=1
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000023: The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.
At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "dcredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. (On the VCSA, /etc/pam.d/system-password, which the check reads, is a symbolic link to this file; confirm with "ls -l /etc/pam.d/system-password" before editing.) Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000012: The Photon operating system must be configured to audit the execution of privileged functions.
At the command line, execute the following command: # auditctl -l | grep execve Expected result: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv If the output does not match the expected result, this is a finding. Note: "auditctl -l" prints the "-k execpriv" written in the rules file as "-F key=execpriv". This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing all actions by superusers is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv At the command line, execute the following command: # /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000080: The Photon operating system must create a home directory for all new local interactive user accounts.
At the command line, execute the following command: # grep -i "^create_home" /etc/login.defs If there is no output or the output does not equal "CREATE_HOME yes", this is a finding.
Discussion
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Fix
Open /etc/login.defs with a text editor. Ensure that the following is present and any existing CREATE_HOME line is removed: CREATE_HOME yes
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000052: The Photon operating system must enforce password complexity by requiring that at least one special character be used.
At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "ocredit=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. (On the VCSA, /etc/pam.d/system-password, which the check reads, is a symbolic link to this file; confirm with "ls -l /etc/pam.d/system-password" before editing.) Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
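The two pam_cracklib items above (dcredit and ocredit) grep for one literal line, so a line carrying the same options in a different order is reported as a finding, and a line with a single wrong value is reported without saying which one. The function below is an added example, not part of the STIG text: it parses the active pam_cracklib.so line on standard input and checks each required option individually, and it also flags a second uncommented pam_cracklib.so line, which the fix tells you to comment out. Both samples are constructed for the demonstration.

```shell
#!/bin/sh
# check_pam_cracklib: read a PAM password stack (e.g. /etc/pam.d/system-password)
# on stdin and verify the single active pam_cracklib.so line carries every
# required option.  Options are matched individually, so order does not matter.
# Prints FINDING lines; exit 0 when compliant.
check_pam_cracklib() {
    awk '
    BEGIN {
        n = split("dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root", req, " ")
    }
    /^[[:space:]]*#/ { next }
    $1 == "password" && $3 == "pam_cracklib.so" {
        lines++
        if ($2 != "requisite") { printf "FINDING: control flag is %s, expected requisite\n", $2; f++ }
        for (i = 4; i <= NF; i++) opt[lines, $i] = 1
        for (i = 1; i <= n; i++)
            if (!((lines, req[i]) in opt)) {
                printf "FINDING: option %s not present on the pam_cracklib line\n", req[i]; f++
            }
    }
    END {
        if (lines == 0)     { print "FINDING: no active pam_cracklib.so password line"; f++ }
        else if (lines > 1) { printf "FINDING: %d active pam_cracklib.so lines; comment out all but one\n", lines; f++ }
        exit (f ? 1 : 0)
    }'
}

# Constructed samples (not copied from an appliance).  The first has the STIG
# options in a different order and must pass; the second has ocredit and minlen
# weakened and enforce_for_root dropped.
SAMPLE_PAM_OK='# constructed sample
password requisite pam_cracklib.so retry=3 minlen=8 minclass=4 difok=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxsequence=0 enforce_for_root
password required pam_unix.so sha512 shadow use_authtok'

SAMPLE_PAM_BAD='password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=0 minlen=14 minclass=4 difok=4 retry=3 maxsequence=0
password required pam_unix.so sha512 shadow use_authtok'

# pam_sample_findings: run the check over both samples.
pam_sample_findings() {
    echo "== reordered but complete =="
    printf '%s\n' "$SAMPLE_PAM_OK" | check_pam_cracklib && echo "no findings"
    echo "== weakened =="
    printf '%s\n' "$SAMPLE_PAM_BAD" | check_pam_cracklib || echo "(fails as expected)"
}

# On the appliance:  check_pam_cracklib < /etc/pam.d/system-password
pam_sample_findings
```

Note that "minlen=14" is stricter than the required "minlen=8" but is still reported, because the STIG requires the exact value; adjust the required list if your organization has an approved stronger baseline.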
PHTN-67-000091: The Photon operating system must configure sshd to display the last login immediately after authentication.
At the command line, execute the following command: # sshd -T|&grep -i PrintLastLog Expected result: printlastlog yes If the output does not match the expected result, this is a finding. Note: "sshd -T" prints keywords in lowercase.
Discussion
Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthorized account use.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "PrintLastLog" line is uncommented and set to the following: PrintLastLog yes At the command line, execute the following command: # service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000040: The Photon operating system must configure rsyslog to offload system logs to a central server.
At the command line, execute the following command: # cat /etc/vmware-syslog/syslog.conf The output should be similar to the following (*.* or AO approved logging events): *.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format If no line is returned or if the line is commented or no valid syslog server is specified, this is a finding. OR Navigate to https://<hostname>:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration". If no site-specific syslog server is configured, this is a finding.
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs. Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224
Fix
Open /etc/vmware-syslog/syslog.conf with a text editor. Remove any existing content and create a new remote server configuration line. For UDP (*.* or AO approved logging events): *.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format For TCP (*.* or AO approved logging events): *.* @@<syslog server>:port;RSYSLOG_syslogProtocol23Format OR Navigate to https://<hostname>:5480 to access the VAMI. Authenticate and navigate to "Syslog Configuration". Click "Edit" in the top right. Configure a remote syslog server and click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000095: The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
At the command line, execute the following command: # systemctl status ctrl-alt-del.target Expected result: ctrl-alt-del.target Loaded: masked (/dev/null; bad) Active: inactive (dead) If the output does not match the expected result, this is a finding.
Discussion
When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of systems availability due to unintentional reboot.
Fix
At the command line, execute the following command: # systemctl mask ctrl-alt-del.target
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000057: The Photon operating system must configure auditd to keep five rotated log files.
At the command line, execute the following command: # grep "^num_logs" /etc/audit/auditd.conf Expected result: num_logs = 5 If the output of the command does not match the expected result, this is a finding.
Discussion
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.
Fix
Open /etc/audit/auditd.conf with a text editor. Add or change the "num_logs" line as follows: num_logs = 5 At the command line, execute the following command: # service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
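Several items above are checks of one key in a configuration file: write_logs, flush and freq, num_logs and the three disk actions in /etc/audit/auditd.conf, gpgcheck in /etc/tdnf/tdnf.conf and CREATE_HOME in /etc/login.defs. The grep commands in those checks do not catch a key that is defined twice, which the auditd.conf fixes explicitly forbid. The functions below are an added example, not part of the STIG text or of VMware's tooling: a small parser that returns every active value of a key, and a check that treats a missing, commented-out, duplicated or wrong value as a finding. The sample files are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# conf_values FILE KEY
# Print every active (uncommented) value of KEY in FILE, one per line.  Handles
# "key = value" (auditd.conf), "key=value" (tdnf.conf) and "KEY value"
# (login.defs).  Printing all occurrences lets the caller detect duplicates.
conf_values() {
    awk -v k="$2" '
        /^[[:space:]]*(#|$)/ { next }
        {
            eq = index($0, "=")
            if (eq > 0) { key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
            else        { key = $1; val = $2 }
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == k) print val
        }' "$1"
}

# check_conf FILE KEY EXPECTED
# A finding when KEY is missing or commented out, defined more than once, or set
# to anything other than EXPECTED.  Returns 1 on a finding, 0 otherwise.
check_conf() {
    vals=$(conf_values "$1" "$2")
    count=$(printf '%s\n' "$vals" | grep -c . || true)
    if [ "$count" -eq 0 ]; then echo "FINDING: $2 is not set in $1"; return 1; fi
    if [ "$count" -gt 1 ]; then echo "FINDING: $2 is defined $count times in $1"; return 1; fi
    if [ "$vals" != "$3" ]; then echo "FINDING: $2 = $vals in $1, expected $3"; return 1; fi
    return 0
}

# check_auditd_conf FILE: the full set of auditd.conf settings required above.
check_auditd_conf() {
    rc=0
    for kv in write_logs=yes flush=INCREMENTAL_ASYNC freq=50 num_logs=5 \
              disk_full_action=SYSLOG disk_error_action=SYSLOG admin_space_left_action=SYSLOG; do
        check_conf "$1" "${kv%%=*}" "${kv#*=}" || rc=1
    done
    return $rc
}

# demo_conf_checks: write constructed sample files (not copied from an appliance)
# into a temporary directory and run the checks.  The auditd.conf sample has a
# duplicated freq, a wrong disk_error_action and a commented-out
# admin_space_left_action; the other two files are compliant.  Always returns 0.
demo_conf_checks() {
    fx=$(mktemp -d) || return 0
    cat > "$fx/auditd.conf" <<'EOF'
# constructed sample
write_logs = yes
flush = INCREMENTAL_ASYNC
freq = 50
freq = 20
num_logs = 5
disk_full_action = SYSLOG
disk_error_action = SUSPEND
#admin_space_left_action = SYSLOG
EOF
    printf '[main]\ngpgcheck=1\n' > "$fx/tdnf.conf"
    printf 'CREATE_HOME\tyes\nPASS_MAX_DAYS\t90\n' > "$fx/login.defs"
    check_auditd_conf "$fx/auditd.conf"
    check_conf "$fx/tdnf.conf" gpgcheck 1
    check_conf "$fx/login.defs" CREATE_HOME yes
    rm -rf "$fx"
    return 0
}

# On the appliance:  check_auditd_conf /etc/audit/auditd.conf
#                    check_conf /etc/tdnf/tdnf.conf gpgcheck 1
#                    check_conf /etc/login.defs CREATE_HOME yes
demo_conf_checks
```

The "freq = 50" line in the sample would satisfy the page's grep even though a second "freq = 20" follows it; which value auditd honours is not something a grep tells you, so the duplicate itself is reported.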
PHTN-67-000047: The Photon operating system must audit all account removal actions.
At the command line, execute the following command: # auditctl -l | grep -E "(userdel|groupdel)" Expected result: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or the operating system processes themselves. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions.
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel At the command line, execute the following command: # /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000044: The Photon operating system must audit all account modifications.
At the command line, execute the following command: # auditctl -l | grep -E "(usermod|groupmod)" Expected result: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod At the command line, execute the following command: # /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
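The account-lifecycle items above (account creation, modification, removal and disabling) and the privileged-execution item all verify rules in the output of "auditctl -l". The function below is an added example, not part of the STIG text or of VMware's tooling: it reads that output on standard input, checks that every account-management binary has a watch whose "-p" filter includes "x", and checks that the execve rule for uid!=euid with euid=0 is loaded for both architectures. It inspects fields rather than literal strings because auditctl normalises what it prints ("-F key=" instead of "-k", "-1" instead of 4294967295). The sample is constructed for the demonstration, with three deliberate gaps.

```shell
#!/bin/sh
# check_audit_rules: read "auditctl -l" output on stdin and verify
#   - each account-management binary has a file watch (-w) whose -p filter
#     includes x (execution), and
#   - the privileged-execution rule (execve with uid!=euid and euid=0) is
#     loaded for both the b32 and b64 architectures.
# Prints FINDING lines; exit 0 when everything required is loaded.
check_audit_rules() {
    awk '
    BEGIN {
        n = split("/usr/sbin/useradd /usr/sbin/groupadd /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/userdel /usr/sbin/groupdel /usr/bin/passwd", want, " ")
    }
    $1 == "-w" {
        path = $2; perms = ""
        for (i = 3; i < NF; i++) if ($i == "-p") perms = $(i + 1)
        have[path] = perms
    }
    $1 == "-a" {
        is_execve = 0; is_uid = 0; is_euid0 = 0; arch = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-S" && $(i + 1) == "execve")          is_execve = 1
            if ($i == "-C" && $(i + 1) == "uid!=euid")       is_uid = 1
            if ($i == "-F" && $(i + 1) == "euid=0")          is_euid0 = 1
            if ($i == "-F" && $(i + 1) ~ /^arch=b(32|64)$/)  arch = $(i + 1)
        }
        if (is_execve && is_uid && is_euid0 && arch != "") execve_arch[arch] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            p = want[i]
            if (!(p in have)) { printf "FINDING: no audit watch on %s\n", p; findings++ }
            else if (index(have[p], "x") == 0) {
                printf "FINDING: watch on %s has -p \"%s\", which lacks x\n", p, have[p]; findings++
            }
        }
        if (!("arch=b32" in execve_arch)) { print "FINDING: privileged execve rule missing for arch=b32"; findings++ }
        if (!("arch=b64" in execve_arch)) { print "FINDING: privileged execve rule missing for arch=b64"; findings++ }
        exit (findings ? 1 : 0)
    }'
}

# Constructed "auditctl -l" excerpt for the demonstration (not from a real host):
# usermod is watched for write/attribute only, userdel is not watched at all,
# and the privileged execve rule exists for b64 only.
SAMPLE_AUDITCTL='-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd
-w /usr/sbin/usermod -p wa -k usermod
-w /usr/sbin/groupmod -p x -k groupmod
-w /usr/sbin/groupdel -p x -k groupdel
-w /usr/bin/passwd -p x -k passwd
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv'

# audit_sample_findings: run the check over the constructed sample.
audit_sample_findings() {
    printf '%s\n' "$SAMPLE_AUDITCTL" | check_audit_rules
}

# On a live appliance, as root with auditd running:  auditctl -l | check_audit_rules
audit_sample_findings || true    # exit status 1 is expected for the sample
```

A "-p wa" watch on usermod records edits to the binary, which is not what the control asks for: the point of "-p x" is to record every execution of the tool, which is the account modification itself.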
PHTN-67-000020: The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
At the command line, execute the following command: # auditctl -l | grep chmod Expected result: -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod If the output does not match the expected result, this is a finding. Note: "auditctl -l" prints the unset audit UID 4294967295 written in the rules file as -1 (newer audit releases print "unset") and "-k perm_mod" as "-F key=perm_mod", which is why the expected output and the fix differ in those fields. This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -k perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -k perm_mod At the command line, execute the following command: # /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000084: The Photon operating system must configure sshd to disable environment processing.
At the command line, execute the following command: # sshd -T|&grep -i PermitUserEnvironment Expected result: permituserenvironment no If the output does not match the expected result, this is a finding. Note: "sshd -T" prints keywords in lowercase.
Discussion
Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "PermitUserEnvironment" line is uncommented and set to the following: PermitUserEnvironment no At the command line, execute the following command: # service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
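The sshd items above (LogLevel, HostbasedAuthentication, PrintLastLog and PermitUserEnvironment, plus FipsMode earlier on the page) are all the same check: compare one keyword in the effective configuration printed by "sshd -T" with a required value. The function below is an added example, not part of the STIG text or of VMware's tooling: it does that comparison for all five in one pass and reports which keyword is wrong or absent, rather than only that the output differs. It reads "sshd -T" output on standard input; the sample fed to it is constructed for the demonstration and was not captured from a real appliance.

```shell
#!/bin/sh
# check_sshd_config: read "sshd -T" output on stdin and compare the effective
# value of each keyword below with the value the STIG requires.  sshd -T prints
# keywords in lowercase, so names are matched case-insensitively.
# Prints one FINDING line per mismatch or missing keyword; exit 0 when clean.
check_sshd_config() {
    awk '
    BEGIN {
        want["fipsmode"]                = "yes"
        want["loglevel"]                = "INFO"
        want["hostbasedauthentication"] = "no"
        want["printlastlog"]            = "yes"
        want["permituserenvironment"]   = "no"
    }
    NF >= 2 {
        key = tolower($1)
        if (key in want) {
            seen[key] = 1
            if ($2 != want[key]) {
                printf "FINDING: %s is \"%s\", expected \"%s\"\n", key, $2, want[key]
                findings++
            }
        }
    }
    END {
        for (k in want)
            if (!(k in seen)) {
                printf "FINDING: %s not present in sshd -T output\n", k
                findings++
            }
        exit (findings ? 1 : 0)
    }'
}

# Constructed "sshd -T" excerpt for the demonstration (not captured from a real
# appliance): HostbasedAuthentication is wrong and PrintLastLog is missing.
SAMPLE_SSHD_T='port 22
addressfamily any
loglevel INFO
fipsmode yes
hostbasedauthentication yes
permituserenvironment no'

# sshd_sample_findings: run the check over the constructed sample.
sshd_sample_findings() {
    printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_config
}

# On a live appliance run, as root:  sshd -T 2>&1 | check_sshd_config
# ("sshd -T |& grep ..." in the check text is bash shorthand for that redirection.)
sshd_sample_findings || true    # exit status 1 is expected for the sample
```

"sshd -T" shows the configuration the daemon would actually run with, including defaults and "Match" blocks, so it is the right thing to test; grepping /etc/ssh/sshd_config alone would miss a keyword that is commented out but defaults to the wrong value.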
PHTN-67-000116: The Photon operating system must be configured to protect the SSH private host key from unauthorized access.
At the command line, execute the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key Expected result: /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root If the output does not match the expected result, this is a finding.
Discussion
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Fix
At the command line, execute the following commands for each returned file: # chmod 600 <file> # chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
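The ownership and mode items above (/root, /etc/ssh/sshd_config, the public and private host keys, and the startup scripts under /etc/rc.d) each run one stat or find command and compare the text by eye. The functions below are an added example, not part of the STIG text or of VMware's tooling, that make the same comparisons and report only the deviations; a missing file is treated as a finding because each check expects the file to exist. The demonstration builds a fixture of empty files with deliberately wrong modes in a temporary directory owned by the current user, so nothing on the real system is read or changed; the file names in that fixture are constructed.

```shell
#!/bin/sh
# Permission checks for the items above, as reusable functions.  Every
# function prints FINDING lines and returns 1 when something is wrong.

# check_owned_mode PATH MODE OWNER GROUP
# MODE is octal as "stat -c %a" prints it (700, 600, 644).
check_owned_mode() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$path" ]; then
        echo "FINDING: $path does not exist"; return 1
    fi
    actual=$(stat -c '%a %U %G' "$path") || return 1
    set -- $actual
    if [ "$1" != "$want_mode" ] || [ "$2" != "$want_owner" ] || [ "$3" != "$want_group" ]; then
        echo "FINDING: $path is $1 $2:$3, expected $want_mode $want_owner:$want_group"
        return 1
    fi
    return 0
}

# check_ssh_host_keys DIR OWNER GROUP
# Private host keys (DIR/*key) must be 600, public keys (DIR/*key.pub) 644.
check_ssh_host_keys() {
    dir=$1; owner=$2; group=$3; rc=0
    for f in "$dir"/*key; do
        if [ -e "$f" ]; then check_owned_mode "$f" 600 "$owner" "$group" || rc=1; fi
    done
    for f in "$dir"/*key.pub; do
        if [ -e "$f" ]; then check_owned_mode "$f" 644 "$owner" "$group" || rc=1; fi
    done
    return $rc
}

# find_unprotected_files DIR OWNER GROUP
# The test the /etc/rc.d item applies: regular files under DIR that are
# world-writable or not owned by OWNER:GROUP.
find_unprotected_files() {
    found=$(find "$1" -xdev -type f \( -perm -002 -o ! -user "$2" -o ! -group "$3" \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/FINDING: unprotected startup file /'
    return 1
}

# demo_perm_checks: build a constructed fixture in a temporary directory (no real
# system files are touched) and run every check against it.  Three fixture
# files are deliberately wrong.  Always returns 0; read the FINDING lines.
demo_perm_checks() {
    me=$(id -un); mg=$(id -gn)
    fx=$(mktemp -d) || return 0
    mkdir "$fx/root" "$fx/ssh" "$fx/rc.d"
    chmod 700 "$fx/root"
    touch "$fx/ssh/sshd_config";          chmod 644 "$fx/ssh/sshd_config"          # should be 600
    touch "$fx/ssh/ssh_host_rsa_key";     chmod 600 "$fx/ssh/ssh_host_rsa_key"
    touch "$fx/ssh/ssh_host_rsa_key.pub"; chmod 644 "$fx/ssh/ssh_host_rsa_key.pub"
    touch "$fx/ssh/ssh_host_ecdsa_key";   chmod 640 "$fx/ssh/ssh_host_ecdsa_key"   # should be 600
    touch "$fx/rc.d/rc.local";            chmod 755 "$fx/rc.d/rc.local"
    touch "$fx/rc.d/rc.debug";            chmod 777 "$fx/rc.d/rc.debug"            # world-writable
    check_owned_mode "$fx/root" 700 "$me" "$mg"
    check_owned_mode "$fx/ssh/sshd_config" 600 "$me" "$mg"
    check_ssh_host_keys "$fx/ssh" "$me" "$mg"
    find_unprotected_files "$fx/rc.d" "$me" "$mg"
    rm -rf "$fx"
    return 0
}

# On the appliance itself, as root, the calls are:
#   check_owned_mode /root 700 root root
#   check_owned_mode /etc/ssh/sshd_config 600 root root
#   check_ssh_host_keys /etc/ssh root root
#   find_unprotected_files /etc/rc.d root root
demo_perm_checks
```

The 640 private key in the fixture is the case worth noticing: it is group-readable, and "stat" output that reads "640" is easy to misread as "600" when comparing by eye, which is exactly the error the function removes.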
PHTN-67-000124: The Photon operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
At the command line, execute the following command: # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg If there is no output, this is a finding. If the output does not begin with "password_pbkdf2 root", this is a finding.
Discussion
If the system does not require authentication before it boots into single-user mode, anyone with vCenter console rights to the VCSA can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and can be configured to require a password to boot into single-user mode or make modifications to the boot menu. Note: The VCSA does not support building grub changes via grub2-mkconfig.
Fix
At the command line, execute the following command:
# grub2-mkpasswd-pbkdf2
Enter a secure password and ensure this password is stored for break-glass situations. The vCenter root account cannot be recovered without knowing this separate password. Copy the resulting encrypted string. An example string follows:
grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86
Open /boot/grub2/grub.cfg with a text editor. Find the line that begins with "set rootpartition". Below this line, paste the following on its own line:
set superusers="root"
Below this, paste the following, substituting your own encrypted string from the steps above:
password_pbkdf2 root <YOUR-LONG-STRING-FROM-ABOVE>
The VCSA ships with one "menuentry" block by default. Copy that entire block and paste it right below that block. Example:
menuentry "Photon" {
    linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
    if [ "$photon_initrd" ]; then
        initrd "/"$photon_initrd
    fi
}
menuentry "Photon" {
    linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
    if [ "$photon_initrd" ]; then
        initrd "/"$photon_initrd
    fi
}
Modify the first menuentry block to add the "--unrestricted" option as follows:
menuentry "Photon" --unrestricted {
Modify the second menuentry block to add the allowed user as follows:
menuentry "Recover Photon" --users root {
This concludes the fix. To verify, the following example grub.cfg snippet shows the expected result:
...
set rootpartition=PARTUUID=326e5b0f-42fb-471a-8209-18964c4a2ed3
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86
menuentry "Photon" --unrestricted {
    linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
    if [ "$photon_initrd" ]; then
        initrd "/"$photon_initrd
    fi
}
menuentry "Recover Photon" --users root {
    linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
    if [ "$photon_initrd" ]; then
        initrd "/"$photon_initrd
    fi
}
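Because the VCSA cannot regenerate grub.cfg with grub2-mkconfig, the hand edit above is easy to get subtly wrong (a menuentry left without --unrestricted or --users, or the password line pasted in the wrong place). The following POSIX shell check is an added example, not part of the STIG or of VMware's tooling: it reads a grub.cfg text and confirms that superusers is set to root, that a PBKDF2-SHA512 hash is present for root, that no menuentry is left unrestricted-by-omission, and that both an --unrestricted default entry and a --users root entry exist. It also rejects a plaintext GRUB "password" directive, which this control does not mention but which would defeat the purpose of the hash. The grub.cfg sample is constructed and its hash is a placeholder, not real grub2-mkpasswd-pbkdf2 output.

```shell
#!/bin/sh
# Added example: verify the GRUB2 superuser/password configuration described in
# PHTN-67 (boot into single-user mode requires authentication).
# Constructed sample grub.cfg; the PBKDF2 string is a PLACEHOLDER, not a real hash.
SAMPLE_GRUB_CFG='set rootpartition=PARTUUID=00000000-0000-0000-0000-000000000000
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry "Photon" --unrestricted {
    linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
    if [ "$photon_initrd" ]; then
        initrd "/"$photon_initrd
    fi
}
menuentry "Recover Photon" --users root {
    linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
    if [ "$photon_initrd" ]; then
        initrd "/"$photon_initrd
    fi
}'

# check_grub_password CFG_TEXT
# Returns 0 when every required element is present; otherwise prints the first
# problem found and returns 1. Pass the contents of /boot/grub2/grub.cfg.
check_grub_password() {
    cfg="$1"
    # 1. superusers must name root (this is the account whose hash we require)
    printf '%s\n' "$cfg" | grep -q '^set superusers="root"$' \
        || { echo 'missing: set superusers="root"'; return 1; }
    # 2. a PBKDF2-SHA512 hash for root, as produced by grub2-mkpasswd-pbkdf2
    printf '%s\n' "$cfg" | grep -q '^password_pbkdf2 root grub\.pbkdf2\.sha512\.' \
        || { echo 'missing: password_pbkdf2 root grub.pbkdf2.sha512....'; return 1; }
    # 2b. a plaintext "password user secret" directive would expose the secret
    printf '%s\n' "$cfg" | grep -q '^password ' \
        && { echo 'plaintext "password" directive present; use password_pbkdf2'; return 1; }
    # 3. every menuentry must carry --unrestricted or --users root; with
    #    superusers set, an entry with neither prompts for the password, which
    #    would break unattended reboots of the default entry
    bad=$(printf '%s\n' "$cfg" | grep '^menuentry ' \
        | grep -v -e '--unrestricted' -e '--users root') || :
    [ -z "$bad" ] || { echo "menuentry without explicit access option: $bad"; return 1; }
    # 4. one unrestricted default entry and one root-only recovery entry
    printf '%s\n' "$cfg" | grep -q '^menuentry .*--unrestricted' \
        || { echo 'no --unrestricted menuentry (default boot would prompt)'; return 1; }
    printf '%s\n' "$cfg" | grep -q '^menuentry .*--users root' \
        || { echo 'no --users root menuentry'; return 1; }
    return 0
}

# Stand-alone use: check_grub_password "$(cat /boot/grub2/grub.cfg)"
check_grub_password "$SAMPLE_GRUB_CFG" && echo "grub.cfg: OK"
```

Run it against the live file with `check_grub_password "$(cat /boot/grub2/grub.cfg)"` after the edit and again after any VCSA patch, since an update that rewrites grub.cfg would silently remove the password line.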
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000054: The Photon operating system must set an inactivity timeout value for non-interactive sessions.
At the command line, execute the following command: # grep TMOUT /etc/bash.bashrc Expected result: TMOUT=900 readonly TMOUT export TMOUT If the file does not exist or the output does not match the expected result, this is a finding.
Discussion
A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session prior to going idle, the Photon operating system must be able to identify when a session has idled and take action to terminate the session.
Fix
Open /etc/bash.bashrc with a text editor and add the following to the end: TMOUT=900 readonly TMOUT export TMOUT
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000028: The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime.
At the command line, execute the following command: # grep "^PASS_MAX_DAYS" /etc/login.defs If the value of PASS_MAX_DAYS is greater than 90, this is a finding.
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Fix
Open /etc/login.defs with a text editor. Modify the PASS_MAX_DAYS line to the following: PASS_MAX_DAYS 90
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000089: The Photon operating system must configure sshd to disallow authentication with an empty password.
At the command line, execute the following command: # sshd -T|&grep -i PermitEmptyPasswords Expected result: PermitEmptyPasswords no If the output does not match the expected result, this is a finding.
Discussion
Blank passwords are one of the first things an attacker checks for when probing a system. Even if the user somehow has a blank password on the OS, sshd must not allow that user to log in.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "PermitEmptyPasswords" line is uncommented and set to the following: PermitEmptyPasswords no At the command line, execute the following command: # service sshd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000110: The Photon operating system must use a reverse-path filter for IPv4 network traffic.
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*)\.rp_filter" Expected result: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "1".
Discussion
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000033: The Photon operating system must disable the loading of unnecessary kernel modules.
At the command line, execute the following command:
# modprobe --showconfig | grep "^install" | grep "/bin"
Expected result:
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
The output may include other statements outside of the expected result. This is acceptable. If the output does not include at least every statement in the expected result, this is a finding.
Discussion
To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059
Fix
Open /etc/modprobe.d/modprobe.conf with a text editor and set the contents as follows:
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
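The check for PHTN-67-000033 tolerates extra lines but requires every listed module to be mapped to /bin/false, which makes an eyeball comparison of twenty lines error-prone. The following POSIX shell function is an added example, not part of the STIG or of VMware's tooling: given the text of `modprobe --showconfig`, it prints each required module that is not blocked and returns non-zero if any is missing. The module list is the one from the control; the sample output is constructed so that two modules are absent and one points at the wrong target.

```shell
#!/bin/sh
# Added example: verify that every module PHTN-67-000033 names is mapped to
# /bin/false in the effective modprobe configuration.
REQUIRED_MODULES='sctp dccp dccp_ipv4 dccp_ipv6 ipx appletalk decnet rds tipc
bluetooth usb-storage ieee1394 cramfs freevxfs jffs2 hfs hfsplus squashfs udf'

# Constructed "modprobe --showconfig" excerpt: squashfs and udf are missing,
# bluetooth points at /bin/true, and unrelated lines are present on purpose.
SAMPLE_MODPROBE='blacklist floppy
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/true
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
options snd_hda_intel power_save=1'

# missing_module_blocks SHOWCONFIG_TEXT
# Prints one line per required module lacking an "install <mod> /bin/false"
# rule; returns 0 only when nothing is printed (i.e. not a finding).
missing_module_blocks() {
    out="$1"; rc=0
    for m in $REQUIRED_MODULES; do
        # kmod treats '-' and '_' in module names as equivalent, so accept both
        alt=$(printf '%s' "$m" | tr '-' '_')
        printf '%s\n' "$out" | grep -Eq "^install ($m|$alt) /bin/false$" \
            || { echo "$m"; rc=1; }
    done
    return $rc
}

# Stand-alone use on a live system: missing_module_blocks "$(modprobe --showconfig)"
if missing_module_blocks "$SAMPLE_MODPROBE"; then
    echo "all required modules are blocked"
else
    echo "finding: modules listed above are not mapped to /bin/false"
fi
```

The reason the control uses `install <module> /bin/false` rather than `blacklist <module>` is that a blacklist entry only stops automatic loading by alias; an explicit `modprobe <module>` would still succeed, whereas the install override replaces the load with a failing command.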
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000129: The Photon operating system must be configured to offload audit logs to a syslog server.
At the command prompt, execute the following command: # grep -v "^#" /etc/vmware-syslog/stig-services-auditd.conf Expected result: input(type="imfile" File="/var/log/audit/audit.log" Tag="auditd" Severity="info" Facility="local0") If the file does not exist, this is a finding. If the output of the command does not match the expected result above, this is a finding.
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000447-GPOS-00201
Fix
Open /etc/vmware-syslog/stig-services-auditd.conf with a text editor. Create the file if it does not exist. Set the contents of the file as follows: input(type="imfile" File="/var/log/audit/audit.log" Tag="auditd" Severity="info" Facility="local0")
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000107: The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects" Expected result: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.eth0.secure_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.eth0.secure_redirects = 0 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000011: The Photon operating system must configure auditd to use the correct log format.
At the command line, execute the following command: # grep "^log_format" /etc/audit/auditd.conf Expected result: log_format = RAW If there is no output, this is not a finding. If the output does not match the expected result, this is a finding.
Discussion
To compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know exact, unfiltered details of the event in question.
Fix
Open /etc/audit/auditd.conf with a text editor. Ensure that the "log_format" line is uncommented and set to the following: log_format = RAW At the command line, execute the following command: # service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000087: The Photon operating system must configure sshd to disallow Kerberos authentication.
At the command line, execute the following command: # sshd -T|&grep -i KerberosAuthentication Expected result: KerberosAuthentication no If the output does not match the expected result, this is a finding.
Discussion
If Kerberos is enabled through SSH, sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled.
Fix
Open /etc/ssh/sshd_config with a text editor. Ensure that the "KerberosAuthentication" line is uncommented and set to the following: KerberosAuthentication no At the command line, execute the following command: # service sshd reload
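PHTN-67-000089 and PHTN-67-000087 both verify with `sshd -T` rather than by grepping sshd_config, because `sshd -T` prints the effective value after defaults and Match blocks are applied, and an option that is merely commented out in the file still takes its compiled-in default. The following POSIX shell helper is an added example, not part of the STIG or of VMware's tooling: it reads `sshd -T` output (keywords are printed in lowercase) and compares an option's effective value case-insensitively, treating an option that sshd does not report at all as a failure. The sample output is constructed.

```shell
#!/bin/sh
# Added example: evaluate sshd effective settings from "sshd -T" output
# (PHTN-67-000089 PermitEmptyPasswords, PHTN-67-000087 KerberosAuthentication).
# Constructed excerpt of "sshd -T" output; real output has many more lines.
SAMPLE_SSHD_T='port 22
permitemptypasswords no
kerberosauthentication no
ciphers aes256-ctr,aes192-ctr,aes128-ctr'

# sshd_effective OUTPUT KEYWORD
# Prints the effective value of KEYWORD (matched case-insensitively, as sshd -T
# lowercases keywords); prints nothing if sshd did not report it.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# check_sshd OUTPUT KEYWORD EXPECTED
# Returns 0 when the effective value equals EXPECTED (case-insensitive);
# otherwise prints the mismatch and returns 1.
check_sshd() {
    got=$(sshd_effective "$1" "$2")
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -n "$got" ] || { echo "$2: not reported by sshd -T"; return 1; }
    [ "$got" = "$want" ] || { echo "$2: effective value '$got', want '$want'"; return 1; }
    return 0
}

# Stand-alone use (must run as root so sshd can read its host keys and config):
#   effective=$(sshd -T 2>&1); check_sshd "$effective" PermitEmptyPasswords no
check_sshd "$SAMPLE_SSHD_T" PermitEmptyPasswords no && echo "PermitEmptyPasswords: OK"
check_sshd "$SAMPLE_SSHD_T" KerberosAuthentication no && echo "KerberosAuthentication: OK"
```

Note that `sshd -T` fails outright when sshd_config contains a syntax error, so an empty result from this check after an edit means the configuration itself needs attention before `service sshd reload` is attempted.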
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000112: The Photon operating system must not perform IPv4 packet forwarding.
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.ip_forward$" Expected result: net.ipv4.ip_forward = 0 If the system is intended to operate as a router, this is N/A. If the output does not match the expected result, this is a finding.
Discussion
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.ip_forward = 0 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000026: The Photon operating system must store only encrypted representations of passwords.
At the command line, execute the following command: # grep SHA512 /etc/login.defs|grep -v "#" Expected result: ENCRYPT_METHOD SHA512 If there is no output or if the output does not match the expected result, this is a finding.
Discussion
Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. If they are encrypted with a weak cipher, those passwords are much more vulnerable to offline brute forcing attacks.
Fix
Open /etc/login.defs with a text editor. Add or replace the ENCRYPT_METHOD line as follows: ENCRYPT_METHOD SHA512
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000058: The Photon operating system must configure auditd to keep five rotated log files.
At the command line, execute the following command: # grep "^max_log_file_action" /etc/audit/auditd.conf Expected result: max_log_file_action = IGNORE If the output of the command does not match the expected result, this is a finding.
Discussion
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.
Fix
Open /etc/audit/auditd.conf with a text editor. Add or change the "max_log_file_action" line as follows: max_log_file_action = IGNORE At the command line, execute the following command: # service auditd reload
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000024: The Photon operating system must require that new passwords are at least four characters different from the old password.
At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "difok=." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000053: The Photon operating system package files must not be modified.
Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package. At the command line, execute the following command: # rpm -V audit | grep "^..5" | grep -v "^...........c" If there is output, this is a finding.
Discussion
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Without confidence in the integrity of the auditing system and tools, the information it provides cannot be trusted.
Fix
If the audit system binaries have been altered, the system must be taken offline and the ISSM must be notified immediately. Reinstalling the audit tools is not supported. The appliance should be restored from a backup or a snapshot or redeployed once the root cause is remediated.
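The grep pipeline in the PHTN-67-000053 check relies on the column layout of `rpm -V` output: the first nine characters are attribute flags (column 3 is "5", meaning the file digest differs from the one recorded in the package), and column 12 holds a file-type marker where "c" marks a configuration file, which is allowed to differ. The following POSIX shell function is an added example, not part of the STIG or of VMware's tooling: it applies the same selection to `rpm -V` text and additionally reports files that rpm lists as "missing", which the grep pipeline on the page does not catch. The sample output is constructed.

```shell
#!/bin/sh
# Added example: interpret "rpm -V audit" output for PHTN-67-000053.
# rpm -V line layout: columns 1-9 are the flags S M 5 D L U G T P ("." = ok),
# column 12 is the file type ("c" config, "d" doc, " " regular), then the path.
# Constructed sample: a changed config file (allowed), a modified binary
# (finding), a file with only its mtime changed (not a digest change), and a
# missing file.
SAMPLE_RPM_V='S.5....T.  c /etc/audit/auditd.conf
..5......    /usr/sbin/auditctl
.......T.    /usr/share/man/man8/auditd.8.gz
missing     /usr/sbin/autrace'

# modified_package_files RPM_V_OUTPUT
# Prints "digest: <path>" for non-config files whose digest differs and
# "missing: <path>" for files rpm could not find. Prints nothing when the
# package verifies clean.
modified_package_files() {
    printf '%s\n' "$1" | awk '
        /^missing/ { print "missing: " $NF; next }
        substr($0, 3, 1) == "5" && substr($0, 12, 1) != "c" { print "digest: " $NF }
    '
}

# verify_package_ok RPM_V_OUTPUT -> 0 when there is no finding
verify_package_ok() {
    [ -z "$(modified_package_files "$1")" ]
}

# Stand-alone use: findings=$(rpm -V audit); verify_package_ok "$findings"
if verify_package_ok "$SAMPLE_RPM_V"; then
    echo "audit package verifies clean"
else
    echo "finding:"; modified_package_files "$SAMPLE_RPM_V"
fi
```

The "5" flag is historically named for MD5, but rpm compares whatever digest the package recorded (SHA-256 on current packages), so the check is not weakened by MD5 collisions. It is, however, only as trustworthy as the rpm database and binary on the same host, which is why the fix insists on restoring from a known-good backup rather than reinstalling in place.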
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000104: The Photon operating system must not forward IPv4 or IPv6 source-routed packets.
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default|eth.*).accept_source_route" Expected result: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.eth0.accept_source_route = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Discussion
Source routing is an Internet Protocol (IP) mechanism that allows an IP packet to carry information, a list of addresses, which tells a router the path the packet must take. There is also an option to record the hops as the route is traversed. The list of hops taken, the "route record", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes and should therefore be disabled.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.eth0.accept_source_route = 0 Run the following command to load the new setting: # /sbin/sysctl --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000021: The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.
At the command line, execute the following command: # grep "^password requisite pam_cracklib.so" /etc/pam.d/system-password|grep --color=always "enforce_for_root" Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000105: The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
At the command line, execute the following command: # /sbin/sysctl -a --pattern ignore_broadcasts Expected result: net.ipv4.icmp_echo_ignore_broadcasts = 1 If the output does not match the expected result, this is a finding.
Discussion
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Fix
Open /etc/sysctl.conf with a text editor. Add or update the following line: net.ipv4.icmp_echo_ignore_broadcasts=1 Run the following command to load the new setting: # /sbin/sysctl --load
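The sysctl controls on this page (PHTN-67-000110 rp_filter, PHTN-67-000107 secure_redirects, PHTN-67-000112 ip_forward, PHTN-67-000104 accept_source_route, PHTN-67-000105 icmp_echo_ignore_broadcasts) all follow one pattern: every key matched by a --pattern expression must carry the expected value, and for the per-interface keys the number of ethN lines varies per appliance. The following POSIX shell helpers are an added example, not part of the STIG or of VMware's tooling: `check_sysctl` takes `sysctl -a` output, the same extended regex the STIG passes to --pattern, and the expected value, and fails if no key matches or any matched key differs; `check_conf_key` wraps it for the per-interface keys and also insists that the "all", "default" and at least one "ethN" entry exist, so a missing line cannot pass unnoticed. The sample output is constructed with one interface deliberately left at rp_filter = 0.

```shell
#!/bin/sh
# Added example: evaluate "sysctl -a" output against the STIG sysctl controls.
# Constructed sample: eth1 has rp_filter = 0 so the rp_filter check fails.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.eth1.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.eth0.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1'

# check_sysctl OUTPUT PATTERN EXPECTED
# PATTERN is an extended regex over key names (same form as sysctl --pattern).
# Returns 0 only if at least one key matches and every matched key equals
# EXPECTED; otherwise prints the offending keys and returns 1.
check_sysctl() {
    out="$1"; pat="$2"; want="$3"
    matched=$(printf '%s\n' "$out" | grep -E "^($pat) = ") || :
    [ -n "$matched" ] || { echo "no key matches $pat"; return 1; }
    bad=$(printf '%s\n' "$matched" | awk -F' = ' -v want="$want" \
        '$2 != want { print $1 " = " $2 }')
    [ -z "$bad" ] || { printf 'wrong value:\n%s\n' "$bad"; return 1; }
    return 0
}

# check_conf_key OUTPUT FAMILY KEY EXPECTED   (FAMILY is ipv4 or ipv6)
# Per-interface variant: value check plus presence of all, default and eth[0-9]+.
check_conf_key() {
    out="$1"; fam="$2"; key="$3"; want="$4"
    pat="net.$fam.conf.(all|default|eth.*)\.$key"
    check_sysctl "$out" "$pat" "$want" || return 1
    for scope in all default 'eth[0-9]+'; do
        printf '%s\n' "$out" | grep -Eq "^net\.$fam\.conf\.$scope\.$key = " \
            || { echo "missing net.$fam.conf.$scope.$key"; return 1; }
    done
    return 0
}

# Stand-alone use: live=$(/sbin/sysctl -a 2>/dev/null); check_conf_key "$live" ipv4 rp_filter 1
check_conf_key "$SAMPLE_SYSCTL" ipv4 rp_filter 1        || echo "rp_filter: finding"
check_conf_key "$SAMPLE_SYSCTL" ipv4 secure_redirects 0 && echo "secure_redirects: OK"
check_conf_key "$SAMPLE_SYSCTL" ipv6 accept_source_route 0 && echo "accept_source_route (v6): OK"
check_sysctl "$SAMPLE_SYSCTL" 'net.ipv4.ip_forward' 0   && echo "ip_forward: OK"
check_sysctl "$SAMPLE_SYSCTL" 'net.ipv4.icmp_echo_ignore_broadcasts' 1 && echo "ignore_broadcasts: OK"
```

Checking the running kernel with `sysctl -a` rather than grepping /etc/sysctl.conf matters because a line in the file only takes effect after `sysctl --load` or a reboot, and a later drop-in under /etc/sysctl.d/ or an interface created after boot can override or miss the value.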
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000018: The Photon operating system must have the auditd service running.
At the command line, execute the following command: # service auditd status | grep running If the service is not running, this is a finding.
Discussion
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000255-GPOS-00096, SRG-OS-000363-GPOS-00150, SRG-OS-000365-GPOS-00152, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000461-GPOS-00205, SRG-OS-000465-GPOS-00209, SRG-OS-000467-GPOS-00211, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Fix
At the command line, execute the following command: # systemctl enable auditd.service # service auditd start
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000031: The Photon operating system must enforce a minimum eight-character password length.
At the command line, execute the following command: # grep pam_cracklib /etc/pam.d/system-password|grep --color=always "minlen=.." Expected result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root If the output does not match the expected result, this is a finding.
Discussion
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Comment out any existing "pam_cracklib.so" line and add the following: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root Save and close.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000072: The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.
At the command line, execute the following command: # auditctl -l | grep -E "faillog|lastlog|tallylog" Expected result: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa If the output does not match the expected result, this is a finding. Note: This check depends on the auditd service being in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218
Fix
Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa At the command line, execute the following command: # /sbin/augenrules --load
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000059: The Photon operating system must configure a cron job to rotate auditd logs daily.
At the command line, execute the following command: # cat /etc/cron.daily/audit-rotate Expected result: #!/bin/bash service auditd rotate If the output of the command does not match the expected result, this is a finding.
Discussion
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.
Fix
If /etc/cron.daily/audit-rotate does not exist, run the following commands: # touch /etc/cron.daily/audit-rotate # chown root:root /etc/cron.daily/audit-rotate # chmod 0700 /etc/cron.daily/audit-rotate Open /etc/cron.daily/audit-rotate with a text editor. Set its contents as follows: #!/bin/bash service auditd rotate
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000050: The Photon operating system audit files and directories must have correct permissions.
At the command line, execute the following command: # stat -c "%n is owned by %U and group owned by %G" /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace If any file is not owned by root and group owned by root, this is a finding.
Discussion
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
Fix
At the command line, execute the following command for each file returned: # chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000029: The Photon operating system must prohibit password reuse for a minimum of five generations.
At the command line, execute the following command: # grep pam_pwhistory /etc/pam.d/system-password|grep --color=always "remember=." Expected result: password required pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3 If the output does not match the expected result, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Fix
Open /etc/applmgmt/appliance/system-password with a text editor. Add the following line after the last auth statement: password required pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3 Save and close.
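The PAM controls on this page (PHTN-67-000024 difok, PHTN-67-000021 ucredit, PHTN-67-000031 minlen, PHTN-67-000029 remember) each grep the same pam_cracklib.so or pam_pwhistory.so line for one option, and the expected result is a full-line string match that breaks as soon as an option is reordered. The following POSIX shell helpers are an added example, not part of the STIG or of VMware's tooling: `pam_option` extracts one option's value from the active (uncommented) line for a given module in the password stack, and `check_pam` compares it with a test(1) operator so that, for instance, minlen=10 still satisfies a minimum of 8, and the "at least one uppercase" meaning of ucredit=-1 can be expressed as ucredit <= -1. The sample stack is constructed.

```shell
#!/bin/sh
# Added example: evaluate pam_cracklib / pam_pwhistory options from a PAM
# password stack such as /etc/pam.d/system-password.
# Constructed sample; the pam_unix line is filler and not part of the STIG text.
SAMPLE_PAM='#password requisite pam_cracklib.so minlen=6 retry=3
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
password required pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3
password required pam_unix.so sha512 shadow use_authtok'

# pam_option PAMTEXT MODULE OPTION
# Prints OPTION's value from the first active "password ... MODULE" line
# ("yes" for a bare flag such as enforce_for_root); prints nothing if absent.
# Commented lines never match because their first field starts with "#".
pam_option() {
    printf '%s\n' "$1" | awk -v mod="$2" -v opt="$3" '
        $1 == "password" && $3 == mod {
            for (i = 4; i <= NF; i++) {
                if ($i == opt) { print "yes"; exit }
                if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
            }
            exit
        }'
}

# check_pam PAMTEXT MODULE OPTION OP [VALUE]
# OP is a test(1) operator (-ge, -le, -eq for integers, = for strings) or the
# word "flag" to require a bare option. Returns 0 on success, otherwise prints
# the reason and returns 1.
check_pam() {
    v=$(pam_option "$1" "$2" "$3")
    [ -n "$v" ] || { echo "$2: $3 not set"; return 1; }
    if [ "$4" = flag ]; then
        [ "$v" = yes ] || { echo "$2: $3 carries a value, expected a bare flag"; return 1; }
    else
        [ "$v" "$4" "$5" ] 2>/dev/null || { echo "$2: $3=$v fails $4 $5"; return 1; }
    fi
    return 0
}

# Stand-alone use: stack=$(cat /etc/pam.d/system-password); check_pam "$stack" pam_cracklib.so difok -ge 4
check_pam "$SAMPLE_PAM" pam_cracklib.so difok -ge 4            && echo "difok: OK"
check_pam "$SAMPLE_PAM" pam_cracklib.so ucredit -le -1         && echo "ucredit: OK"
check_pam "$SAMPLE_PAM" pam_cracklib.so minlen -ge 8           && echo "minlen: OK"
check_pam "$SAMPLE_PAM" pam_cracklib.so enforce_for_root flag  && echo "enforce_for_root: OK"
check_pam "$SAMPLE_PAM" pam_pwhistory.so remember -ge 5        && echo "remember: OK"
```

Because PAM evaluates the stack top-down, the fix's instruction to comment out the old pam_cracklib.so line rather than leave two copies matters: `pam_option` deliberately reads only the first active line for a module, which is also the one PAM would enforce first.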
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000100: The Photon operating system must be configured so that all files have a valid owner and group owner.
At the command line, execute the following command: # find / -fstype ext4 \( -nouser -o -nogroup \) -exec ls -ld {} \; If any files are returned, this is a finding. Note: The parentheses are required; without them the -exec applies only to the -nogroup branch and files that merely lack a valid owner are not listed.
Discussion
If files do not have valid user and group owners, unintended access to files could occur.
Fix
At the command line, execute the following command for each returned file: # chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000041: The Photon operating system /var/log directory must be owned by root.
At the command line, execute the following command: # stat -c "%n is owned by %U and group owned by %G" /var/log If /var/log is not owned by root, this is a finding.
Discussion
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state and can provide sensitive information to an unprivileged attacker.
Fix
At the command line, execute the following command: # chown root:root /var/log
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
PHTN-67-000098: The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification.
At the command line, execute the following command: # find /etc/bash.bashrc /etc/profile /etc/profile.d/ -xdev -type f -a '(' -perm -002 -o -not -user root -o -not -group root ')' -exec ls -ld {} \; If any files are returned, this is a finding.
Discussion
Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon login.
Fix
At the command line, execute the following commands for each returned file: # chmod o-w <file> # chown root:root <file>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None