Check: PHTN-67-000068
VMware vSphere 6.7 Photon OS STIG: PHTN-67-000068 (in versions v1 r6 through v1 r1)
Title
The Photon operating system must use OpenSSH for remote maintenance sessions. (Cat II impact)
Discussion
If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when nonlocal maintenance sessions have been terminated and are no longer available for use.

Satisfies: SRG-OS-000395-GPOS-00175, SRG-OS-000074-GPOS-00042, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Check Content
At the command line, execute the following command:

# rpm -qa|grep openssh

If there is no output, this is a finding.
Fix Text
Installing openssh manually is not supported by VMware. Revert to a previous backup or redeploy the VCSA.
Additional Identifiers
Rule ID: SV-239139r856057_rule
Vulnerability ID: V-239139
Group Title: SRG-OS-000395-GPOS-00175
CCIs
Number | Definition |
---|---|
CCI-000197 | The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-000877 | The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
CCI-001941 | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
CCI-001942 | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
CCI-002420 | The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002422 | The information system maintains the confidentiality and/or integrity of information during reception. |
CCI-002891 | The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. |
Controls
Number | Title |
---|---|
IA-2 (8) | Network Access To Privileged Accounts - Replay Resistant |
IA-2 (9) | Network Access To Non-Privileged Accounts - Replay Resistant |
IA-5 (1) | Password-Based Authentication |
IA-7 | Cryptographic Module Authentication |
MA-4 | Nonlocal Maintenance |
MA-4 (7) | Remote Disconnect Verification |
SC-8 (2) | Pre / Post Transmission Handling |