| V-279533 | | Nutanix OS must implement DOD-approved encryption to protect the confidentiality of SSH sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote ... |
| V-279534 | | Nutanix OS must implement cryptography to protect the integrity of remote access sessions by using only HMACs employing FIPS 140-3-approved algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-279535 | | Nutanix OS must implement cryptography to protect the integrity of remote access session by setting the systemwide policy to use FIPS mode. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-279536 | | Nutanix OS must implement TLS to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-279537 | | Nutanix OS must implement cryptography to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-279538 | | Nutanix OS must implement cryptography to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-279574 | | Nutanix OS must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-279577 | | Nutanix OS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-279584 | | Nutanix OS must not allow an unattended or automatic logon to the system. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-279604 | | Nutanix OS must store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-279619 | | Nutanix OS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. | Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maint... |
| V-279620 | | Nutanix OS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing s... |
| V-279621 | | Nutanix OS must protect the confidentiality and integrity of all information at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used fo... |
| V-279627 | | Nutanix OS must protect the confidentiality and integrity of communications with wireless peripherals. | Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications ca... |
| V-279686 | | Nutanix AHV must store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-279527 | | Nutanix VMM must be configured to remove ypserv. | It is detrimental for VMMs to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabiliti... |
| V-279529 | | Nutanix OS must set the value of "lock-after-time" to 890 seconds for remote access sessions. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-279530 | | Nutanix OS must configure the ClientAliveInterval to "600" and ClientAliveCountMax to "1". | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-279531 | | Nutanix OS must monitor SSH access. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-279532 | | Nutanix OS must configure the firewall to control remote access methods. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, i... |
| V-279539 | | Nutanix OS must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-279540 | | Nutanix OS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-279541 | | Nutanix OS must audit all account change actions. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-279542 | | Nutanix VMM must encrypt the boot password for root. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-279543 | | Nutanix OS must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks. | DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the obj... |
| V-279544 | | Nutanix OS must enable kernel parameters to enforce discretionary access control on symlinks. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-279545 | | Nutanix OS must audit the execution of privileged functions. | Misusing privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised... |
| V-279546 | | Nutanix OS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-279547 | | Nutanix OS must display the Standard Mandatory DOD Notice and Consent Banner for SSH access. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-279549 | | Nutanix OS must provide audit record generation capability for DOD-defined auditable events for account changes. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279550 | | Nutanix OS must configure /etc/audit/audit.rules to generate audit records for account access actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279551 | | Nutanix OS must configure /etc/audit/audit.rules to generate audit records for account deletion actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279552 | | Nutanix OS must provide audit record generation for successful and unsuccessful uses of the init_module and finit_module system calls. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279553 | | Nutanix OS must provide audit record generation for successful and unsuccessful attempts to move, remove, or delete files and directories. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279554 | | Nutanix OS must generate audit records when successful/unsuccessful attempts to access security objects occur. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279555 | | Nutanix OS must provide audit record generation capability for all account actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279556 | | Nutanix OS must provide audit record generation capability for DOD-defined auditable events for all kernel module load, unload, and restart actions. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-279557 | | Nutanix OS must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-279558 | | Nutanix OS must generate audit records when successful/unsuccessful attempts to modify security objects and categories of information (e.g., classification levels) occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279559 | | Nutanix OS must generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279560 | | Nutanix OS must generate audit records for privileged activities or other system-level access. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279561 | | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279562 | | Nutanix OS must generate audit records when concurrent logons to the same account occur from different sources. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279563 | | Nutanix OS must generate audit records for all account creations, modifications, disabling, and termination events. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279564 | | Nutanix OS must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-279565 | | Nutanix OS must have the audit.x86_64 package installed. | If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state... |
| V-279569 | | Nutanix OS must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-279570 | | Nutanix AHV must disable network management of the chrony daemon. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279571 | | Nutanix AHV must disable the chrony daemon from acting like a server. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279572 | | Nutanix AHV must disable the use or cramfs kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279575 | | Nutanix OS must configure audit log permissions for 0600 or less. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit informat... |
| V-279576 | | Nutanix OS must configure the audit log files to be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-279578 | | Nutanix OS must prevent SSH from permitting Generic Security Service Application Program Interface (GSSAPI) authentication. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of... |
| V-279579 | | Nutanix AHV must not be configured to allow Kerberos authentication. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of... |
| V-279580 | | Nutanix OS must prevent using dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by incre... |
| V-279581 | | Nutanix OS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-279582 | | Nutanix OS must set the SCMA framework to check the baseline daily. | Configuring the operating system to implement organizationwide security implementation guides and security checklists ensures compliance with federal ... |
| V-279583 | | Nutanix OS must define default permissions for all authenticated users so the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.... |
| V-279585 | | Nutanix OS must limit the ability of nonprivileged users to grant other users direct access to the contents of their home directories/folders. | Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a... |
| V-279586 | | Nutanix OS must enable an application firewall. | Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications ... |
| V-279587 | | Nutanix OS must mount /dev/shm with secure options. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-279588 | | Nutanix OS must mount /tmp with secure options. | Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that ... |
| V-279589 | | Nutanix OS must mount /var/log/audit with secure options. | Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that ... |
| V-279590 | | Nutanix OS must mount /var/tmp with secure options. | Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that ... |
| V-279591 | | Nutanix OS must mount /var/log with secure options. | Controlling program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that ... |
| V-279592 | | Nutanix OS must have the fapolicyd.service installed and active. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-279593 | | Nutanix OS must be configured to remove rsh-server. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279594 | | Nutanix OS must be configured to remove telnet-server. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279595 | | Nutanix OS must be configured to remove abrt. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279596 | | Nutanix OS must be configured to remove sendmail. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-279597 | | Nutanix OS must be configured to prohibit or restrict using functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. | To prevent unauthorized device connection, unauthorized information transfer, or unauthorized tunneling (i.e., embedding of data types within data typ... |
| V-279598 | | Nutanix OS must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the c... |
| V-279599 | | Nutanix OS must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the c... |
| V-279600 | | Nutanix OS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-279601 | | Nutanix OS must not install autofs.service. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
Peripherals include, but are... |
| V-279602 | | Nutanix OS must disable the ability to use USB mass storage devices. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
Peripherals include, but are... |
| V-279603 | | Nutanix VMM must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-279605 | | Nutanix OS must enforce password complexity by requiring that at least one uppercase character be used. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-279606 | | Nutanix OS must enforce password complexity by requiring at least one lowercase character be used. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-279607 | | Nutanix OS must enforce password complexity by requiring that at least one numeric character be used. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-279608 | | Nutanix OS must require the change of at least 50 percent of the total number of characters when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by i... |
| V-279609 | | Operating systems must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-279610 | | Operating systems must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not... |
| V-279611 | | Nutanix OS must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexit... |
| V-279612 | | Nutanix OS must enforce password complexity by requiring that at least one special character be used. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of... |
| V-279613 | | Nutanix OS must configure pam_uni.so module to use SHA-512 for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-279614 | | Nutanix OS must audit all activities performed during nonlocal maintenance and diagnostic sessions. | If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks w... |
| V-279622 | | Nutanix OS must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.... |
| V-279623 | | Nutanix OS must isolate security functions from nonsecurity functions. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
Sec... |
| V-279624 | | Operating systems must prevent unauthorized and unintended information transfer via shared system resources. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-279625 | | Nutanix OS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-279626 | | Nutanix OS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-279628 | | Nutanix OS must install and use SSH for remote access. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, a... |
| V-279629 | | Nutanix OS must restrict the message log access permissions to reveal error messages only to authorized users. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-279630 | | Nutanix OS must restrict the /var/log directory access permissions to reveal error messages only to authorized users. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-279631 | | Nutanix OS must implement nonexecutable data to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-279632 | | Nutanix OS must implement address space layout randomization to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-279633 | | Nutanix OS must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-279667 | | Nutanix AHV must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error ... |
| V-279685 | | Nutanix AHV must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-279528 | | Nutanix OS must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |
| V-279548 | | Nutanix OS must display the Standard Mandatory DOD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access. | The banner must be acknowledged by the user prior to allowing the user access to the operating system. This provides assurance that the user has seen ... |
| V-279566 | | Nutanix OS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems must be able to allocate audit reco... |
| V-279567 | | Nutanix OS must be configured to send audit records to a site-specific remote syslog server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-0004... |
| V-279568 | | Nutanix OS must immediately notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capa... |
| V-279573 | | Nutanix OS must configure redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | Nutanix OS must compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant USNO time server... |
