UCF STIG Viewer Logo

Nutanix AOS 5.20.x OS Security Technical Implementation Guide


Overview

Date Finding Count (118)
2022-08-24 CAT I (High): 5 CAT II (Med): 107 CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-254222 High Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-254224 High Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography.
V-254217 High Nutanix AOS must store only encrypted representations of passwords.
V-254125 High Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-254187 High Nutanix AOS must use cryptographic mechanisms to protect the integrity of audit tools.
V-254156 Medium Nutanix AOS must generate audit records for privileged security activities.
V-254157 Medium Nutanix AOS must generate audit records for privileged account activities.
V-254154 Medium Nutanix AOS must audit attempts to modify or delete security objects.
V-254155 Medium Nutanix AOS must generate audit records when successful/unsuccessful logon attempts occur.
V-254152 Medium Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-254153 Medium Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify categories of information occur.
V-254150 Medium Nutanix AOS must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
V-254151 Medium Nutanix AOS must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-254220 Medium Nutanix AOS must prohibit password reuse for a minimum of five generations.
V-254221 Medium Nutanix AOS must prohibit the use of cached authenticators.
V-254223 Medium Nutanix AOS must audit all activities performed during nonlocal maintenance and diagnostic sessions.
V-254225 Medium Nutanix AOS must be configured to run SELinux Policies.
V-254158 Medium Nutanix AOS must be configured to audit the loading and unloading of dynamic kernel modules.
V-254159 Medium Nutanix AOS must generate audit records when concurrent logons to the same account occur from different sources.
V-254233 Medium Nutanix AOS must reveal error messages only to authorized users.
V-254232 Medium Nutanix AOS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-254231 Medium Nutanix AOS must maintain the confidentiality and integrity of information during reception.
V-254230 Medium Nutanix AOS must maintain the confidentiality and integrity of information during preparation for transmission.
V-254237 Medium Nutanix AOS must be configured to use SELinux Enforcing mode.
V-254236 Medium Nutanix AOS must remove all software components after updated versions have been installed.
V-254235 Medium Nutanix AOS must implement address space layout randomization to protect its memory from unauthorized code execution.
V-254234 Medium Nutanix AOS must implement nonexecutable data to protect its memory from unauthorized code execution.
V-254226 Medium Nutanix AOS must be configured to restrict public directories.
V-254227 Medium Nutanix AOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-254228 Medium Nutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks.
V-254208 Medium Nutanix AOS must enforce password complexity by requiring that at least one uppercase character be used.
V-254209 Medium Nutanix AOS must enforce password complexity by requiring that at least one lowercase character be used.
V-254206 Medium Nutanix AOS must be configured to disable USB mass storage devices.
V-254204 Medium Nutanix AOS must require users to reauthenticate for privilege escalation.
V-254205 Medium Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-254202 Medium Nutanix AOS must not have the telnet-server package installed.
V-254203 Medium Nutanix AOS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-254200 Medium Nutanix AOS must not have the rsh-server package installed.
V-254201 Medium Nutanix AOS must not have the ypserv package installed.
V-254229 Medium Nutanix AOS must protect the confidentiality and integrity of transmitted information.
V-254149 Medium Nutanix AOS must generate audit records for file extended attribute actions.
V-254148 Medium Nutanix AOS must generate audit records for file permission actions.
V-254141 Medium Nutanix AOS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-254140 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for all account creations, modifications, disabling, and terminations.
V-254143 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the creat privileged commands.
V-254142 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the chown privileged commands.
V-254145 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the truncate-related privileged commands.
V-254144 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful uses and variations of the open-related privileged commands.
V-254147 Medium Nutanix AOS must generate audit records for file ownership actions.
V-254146 Medium Nutanix AOS must generate audit records for file access actions.
V-254211 Medium Nutanix AOS must enforce a minimum 15 character password length.
V-254210 Medium Nutanix AOS must enforce password complexity by requiring that at least one numeric character be used.
V-254213 Medium Nutanix AOS must require the change of at least 50 percent of the total number of characters when passwords are changed.
V-254212 Medium Nutanix AOS must enforce password complexity by requiring that at least one special character be used.
V-254215 Medium Nutanix AOS must require the maximum number of repeating characters be limited to three when passwords are changed.
V-254214 Medium Nutanix AOS must require the change of at least four character classes when passwords are changed.
V-254216 Medium Nutanix AOS must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
V-254219 Medium Nutanix AOS must enforce a 60-day maximum password lifetime restriction.
V-254218 Medium Nutanix AOS must enforce 24 hours/1 day as the minimum password lifetime.
V-254138 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for directory and permissions management actions.
V-254139 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file management actions.
V-254134 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).
V-254135 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system and account management actions.
V-254136 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for file attribute management actions.
V-254137 Medium Nutanix AOS must provide audit record generation capability for DoD-defined auditable events for system module management actions.
V-254130 Medium Nutanix AOS must audit the execution of privileged functions.
V-254131 Medium Nutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-254133 Medium Any publicly accessible connection to Nutanix AOS must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-254198 Medium Nutanix AOS must enable an application firewall, if available.
V-254199 Medium Nutanix AOS must be configured with nodev, nosuid, and noexec options for /dev/shm.
V-254192 Medium Nutanix AOS must prevent the use of dictionary words for passwords.
V-254193 Medium Nutanix AOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-254190 Medium Nutanix AOS must not be configured to allow KerberosAuthentication.
V-254191 Medium Nutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-254196 Medium Nutanix AOS must not allow an unattended or automatic logon to the system.
V-254197 Medium Nutanix AOS must be configured so that all local interactive user home directories have mode "0750" or less permissive.
V-254194 Medium Nutanix AOS must be configured to run SCMA daily.
V-254129 Medium Nutanix AOS must enforce discretionary access control on symlinks and hardlinks.
V-254127 Medium Nutanix AOS must audit all account actions.
V-254124 Medium Nutanix AOS must control remote access methods.
V-254123 Medium Nutanix AOS must monitor remote access methods.
V-254122 Medium Nutanix AOS must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
V-254121 Medium Nutanix AOS must disconnect a session after 15 minutes of idle time for all connection types.
V-254120 Medium Nutanix AOS must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-254189 Medium Nutanix AOS must not be configured to allow GSSAPIAuthentication.
V-254188 Medium Nutanix AOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-254185 Medium Nutanix AOS audit tools must be owned by root.
V-254184 Medium Nutanix AOS audit tools must be configured to 0755 or less permissive.
V-254186 Medium Nutanix AOS audit tools must be group-owned by root.
V-254181 Medium Nutanix AOS must provide the capability to centrally review and analyze audit records from multiple components within the system.
V-254180 Medium Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern).
V-254183 Medium Nutanix AOS must protect audit information from unauthorized access.
V-254170 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the passwd/gpasswd/unix-chkpwd privileged commands.
V-254171 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the chage privileged command.
V-254172 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the userhelper privileged command.
V-254173 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the mount and umount privileged commands.
V-254174 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the post-related privileged commands.
V-254175 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the opensshrelated privileged commands.
V-254176 Medium Nutanix AOS must produce audit records containing the full-text recording of successful and unsuccessful attempts to execute the crontab-related privileged commands.
V-254177 Medium Nutanix AOS must produce audit records containing the individual identities of group account users.
V-254178 Medium Nutanix AOS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-254179 Medium Nutanix AOS must offload audit records to a syslog server.
V-254163 Medium Nutanix AOS must initiate session audits at system start-up.
V-254162 Medium Nutanix AOS must generate audit records for all account creations, modifications, disabling, and termination events.
V-254161 Medium Nutanix AOS must generate audit records for all direct access to the information system.
V-254160 Medium Nutanix AOS must generate audit records when successful/unsuccessful accesses to objects occur.
V-254167 Medium Nutanix AOS must produce audit records containing information to establish the source of events.
V-254166 Medium Nutanix AOS must produce audit records containing information to establish where events occurred.
V-254165 Medium Nutanix AOS must produce audit records containing information to establish when events occurred.
V-254164 Medium Nutanix AOS must produce audit records containing information to establish what type of events occurred.
V-254169 Medium Nutanix AOS must produce audit records containing information to establish the identity of any individual or process associated with the event.
V-254168 Medium Nutanix AOS must produce audit records containing information to establish the outcome of events.
V-254207 Low Nutanix AOS must be configured to disable user accounts after the password expires.
V-254132 Low Nutanix AOS must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access.
V-254195 Low Nutanix AOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-254128 Low Nutanix AOS must be configured with an encrypted boot password for root.
V-254126 Low Nutanix AOS must automatically remove or disable temporary user accounts after 72 hours.
V-254182 Low Nutanix AOS must compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).