| Vuln ID | | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-279434 | | Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication. | Multifactor authentication (MFA) is defined as using two or more factors to achieve authentication. MFA creates a layered defense and makes it more di... |
| V-279435 | | Nutanix AOS must use multifactor authentication for local access to privileged accounts. | Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one f... |
| V-279415 | | Nutanix AOS must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Application management includes the ability to control the number of sessions that use an application by all accounts and/or account types. Limiting t... |
| V-279416 | | Nutanix AOS must automatically terminate a user session after a maximum of 15 minutes for nonprivileged users. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of op... |
| V-279418 | | Nutanix AOS must have TLS enabled. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server v... |
| V-279421 | | Nutanix AOS must configure role mapping. | Strong access controls are critical to securing the application server. Access control policies (e.g., identity-based policies, role-based policies, a... |
| V-279422 | | Nutanix AOS server management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. | Application servers are required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system management inter... |
| V-279423 | | Nutanix AOS must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation. | Nonrepudiation of actions taken is required to maintain application integrity. Examples of actions include creating information, sending a message, ap... |
| V-279424 | | Nutanix AOS must off-load log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-279425 | | Nutanix Cluster Check (NCC) must be configured to provide alerts to the system administrator (SA) and information system security officer (ISSO), immediately when audit storage reaches 75 percent capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs. Log processing failures include software/h... |
| V-279426 | | Nutanix AOS must use internal system clocks to generate time stamps for log records. | Without using an approved and synchronized time source on the systems, events cannot be accurately correlated and analyzed to determine what is transp... |
| V-279427 | | Nutanix AOS must be configured to protect the application server log files from unauthorized access. | If log data is compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, i... |
| V-279430 | | Nutanix AOS must configure the Nutanix Cluster Check (NCC) to alert the information system security officer (ISSO)/information system security manager (ISSM) or designated personnel, at a minimum. | NCC is a diagnostic framework designed to ensure the health and stability of Nutanix clusters. It consists of a collection of scripts and tools that p... |
| V-279431 | | Nutanix AOS must enforce access restrictions associated with changes to configuration and software libraries. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server con... |
| V-279433 | | Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically ac... |
| V-279438 | | Nutanix AOS must authenticate users individually prior to using a group authenticator. | To ensure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application serve... |
| V-279439 | | Nutanix AOS must use multifactor authentication (MFA) for access to privileged and nonprivileged accounts by enabling client authentication. | Requiring a device separate from the system to which the user is attempting to gain access for one of the factors during MFA is to reduce the likeliho... |
| V-279440 | | Nutanix AOS must use encryption when using LDAP for authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers... |
| V-279441 | | Nutanix VMM must terminate UI network connections associated with a communications session at the end of the session; for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | When the application server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authentic... |
| V-279442 | | Nutanix AOS must perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-279443 | | Nutanix AOS must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials. | Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted. This requirement typically applies to organizati... |
| V-279444 | | Nutanix AOS must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles. | Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and... |
| V-279445 | | Nutanix AOS must be configured to use DOD PKI-issued certificates. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-279446 | | Nutanix AOS must protect the confidentiality and integrity of all information at rest. | When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb ... |
| V-279447 | | Nutanix AOS must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored offline. | This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and syst... |
| V-279448 | | Nutanix AOS must implement cryptographic mechanisms to prevent unauthorized access to data at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an appli... |
| V-279450 | | Nutanix AOS must configure Network Time Protocol (NTP). | Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication proc... |
| V-279451 | | Nutanix AOS must restrict error messages only to authorized users. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure... |
| V-279464 | | Nutanix UI must initiate session logging upon startup. | An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key in... |
| V-279486 | | Nutanix VMM must separate user functionality (including user interface services) from VMM management functionality. | VMM management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to acce... |
| V-279526 | | All guest VM network communications must be implemented using virtual network devices provisioned and serviced by the VMM. | Mechanisms to detect and prevent unauthorized communication flow must be configured or provided as part of the VMM design. If information flow control... |