| V-256478 | | The Photon operating system must audit all account creations. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-256479 | | The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-256480 | | The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting Secure Shell (SSH) access. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-256481 | | The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |
| V-256482 | | The Photon operating system must set a session inactivity timeout of 15 minutes or less. | A session timeout is an action taken when a session goes idle for any reason. Rather than relying on the user to manually disconnect their session pri... |
| V-256483 | | The Photon operating system must have the sshd SyslogFacility set to "authpriv". | Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies b... |
| V-256484 | | The Photon operating system must have sshd authentication logging enabled. | Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies b... |
| V-256485 | | The Photon operating system must have the sshd LogLevel set to "INFO". | Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies b... |
| V-256487 | | The Photon operating system must configure auditd to log to disk. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-256488 | | The Photon operating system must configure auditd to use the correct log format. | To compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know exact, unfiltered details of the ... |
| V-256489 | | The Photon operating system must be configured to audit the execution of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-256490 | | The Photon operating system must have the auditd service running. | Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after... |
| V-256491 | | The Photon operating system audit log must log space limit problems to syslog. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-256492 | | The Photon operating system audit log must attempt to log audit failures to syslog. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-256493 | | The Photon operating system audit log must have correct permissions. | Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity... |
| V-256494 | | The Photon operating system audit log must be owned by root. | Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity... |
| V-256495 | | The Photon operating system audit log must be group-owned by root. | Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity... |
| V-256496 | | The Photon operating system must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-256497 | | The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. | Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-0... |
| V-256498 | | The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256499 | | The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256500 | | The Photon operating system must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256501 | | The Photon operating system must require that new passwords are at least four characters different from the old password. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256502 | | The Photon operating system must store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-256503 | | The Photon operating system must use an OpenSSH server version that does not support protocol 1. | A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the oper... |
| V-256504 | | The Photon operating system must be configured so that passwords for new users are restricted to a 24-hour minimum lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-256505 | | The Photon operating system must be configured so that passwords for new users are restricted to a 90-day maximum lifetime. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-256506 | | The Photon operating system must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-256507 | | The Photon operating system must enforce a minimum eight-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-256509 | | The Photon operating system must disable the loading of unnecessary kernel modules. | To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of ... |
| V-256510 | | The Photon operating system must not have duplicate User IDs (UIDs). | To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential m... |
| V-256511 | | The Photon operating system must disable new accounts immediately upon password expiration. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-256512 | | The Photon operating system must use Transmission Control Protocol (TCP) syncookies. | A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can... |
| V-256513 | | The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-256514 | | The Photon operating system must configure sshd to disconnect idle Secure Shell (SSH) sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-256515 | | The Photon operating system "/var/log" directory must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-256516 | | The Photon operating system messages file must have the correct ownership and file permissions. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-256517 | | The Photon operating system must audit all account modifications. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-256518 | | The Photon operating system must audit all account modifications. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-256519 | | The Photon operating system must audit all account disabling actions. | When operating system accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or operating system pr... |
| V-256520 | | The Photon operating system must audit all account removal actions. | When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or operating system pro... |
| V-256521 | | The Photon operating system must initiate auditing as part of the boot process. | Each process on the system carries an "auditable" flag, which indicates whether its activities can be audited. Although auditd takes care of enabling ... |
| V-256522 | | The Photon operating system audit files and directories must have correct permissions. | Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ... |
| V-256523 | | The Photon operating system must protect audit tools from unauthorized modification and deletion. | Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ... |
| V-256524 | | The Photon operating system must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256525 | | The Photon operating system package files must not be modified. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-256526 | | The Photon operating system must audit the execution of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-256527 | | The Photon operating system must configure auditd to keep five rotated log files. | Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job... |
| V-256528 | | The Photon operating system must configure auditd to keep logging in the event max log file size is reached. | Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job... |
| V-256529 | | The Photon operating system must configure auditd to log space limit problems to syslog. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-256530 | | The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation. | Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall s... |
| V-256531 | | The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation. | Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall s... |
| V-256532 | | The Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation. | Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall s... |
| V-256533 | | The Photon operating system must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the c... |
| V-256535 | | The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an atte... |
| V-256536 | | The Photon operating system must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-256537 | | The Photon operating system must generate audit records when the sudo command is used. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-256538 | | The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-256539 | | The Photon operating system must audit the "insmod" module. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-256540 | | The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-256541 | | The Photon operating system must use the "pam_cracklib" module. | If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing... |
| V-256542 | | The Photon operating system must set the "FAIL_DELAY" parameter. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-256543 | | The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-256544 | | The Photon operating system must ensure audit events are flushed to disk at proper intervals. | Without setting a balance between performance and ensuring all audit events are written to disk, performance of the system may suffer or the risk of m... |
| V-256545 | | The Photon operating system must create a home directory for all new local interactive user accounts. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-256546 | | The Photon operating system must disable the debug-shell service. | The debug-shell service is intended to diagnose systemd-related boot issues with various "systemctl" commands. Once enabled and following a system reb... |
| V-256547 | | The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SS... |
| V-256548 | | The Photon operating system must configure sshd to disable environment processing. | Enabling environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.... |
| V-256549 | | The Photon operating system must configure sshd to disable X11 forwarding. | X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack sur... |
| V-256550 | | The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the system as another user.... |
| V-256551 | | The Photon operating system must configure sshd to disallow Kerberos authentication. | If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the sys... |
| V-256552 | | The Photon operating system must configure sshd to disallow authentication with an empty password. | Blank passwords are one of the first things an attacker checks for when probing a system. Even if the user somehow has a blank password on the operati... |
| V-256553 | | The Photon operating system must configure sshd to disallow compression of the encrypted session stream. | If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression software could result in comp... |
| V-256554 | | The Photon operating system must configure sshd to display the last login immediately after authentication. | Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporting of unauthorized accoun... |
| V-256555 | | The Photon operating system must configure sshd to ignore user-specific trusted hosts lists. | Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual use... |
| V-256556 | | The Photon operating system must configure sshd to ignore user-specific "known_host" files. | Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual use... |
| V-256557 | | The Photon operating system must configure sshd to limit the number of allowed login attempts per connection. | By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectivene... |
| V-256558 | | The Photon operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. | When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accident... |
| V-256559 | | The Photon operating system must be configured so the "/etc/skel" default scripts are protected from unauthorized modification. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.... |
| V-256560 | | The Photon operating system must be configured so the "/root" path is protected from unauthorized access. | If the "/root" path is accessible to users other than root, unauthorized users could change the root partitions files.... |
| V-256561 | | The Photon operating system must be configured so that all global initialization scripts are protected from unauthorized modification. | Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accou... |
| V-256562 | | The Photon operating system must be configured so that all system startup scripts are protected from unauthorized modification. | If system startup scripts are accessible to unauthorized modification, this could compromise the system on startup.... |
| V-256563 | | The Photon operating system must be configured so that all files have a valid owner and group owner. | If files do not have valid user and group owners, unintended access to files could occur.... |
| V-256564 | | The Photon operating system must be configured so the "/etc/cron.allow" file is protected from unauthorized modification. | If cron files and folders are accessible to unauthorized users, malicious jobs may be created.... |
| V-256565 | | The Photon operating system must be configured so that all cron jobs are protected from unauthorized modification. | If cron files and folders are accessible to unauthorized users, malicious jobs may be created.... |
| V-256566 | | The Photon operating system must be configured so that all cron paths are protected from unauthorized modification. | If cron files and folders are accessible to unauthorized users, malicious jobs may be created.... |
| V-256567 | | The Photon operating system must not forward IPv4 or IPv6 source-routed packets. | Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the ... |
| V-256568 | | The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.... |
| V-256569 | | The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-256570 | | The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-256571 | | The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-256572 | | The Photon operating system must log IPv4 packets with impossible addresses. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-256573 | | The Photon operating system must use a reverse-path filter for IPv4 network traffic. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received ... |
| V-256574 | | The Photon operating system must not perform multicast packet forwarding. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-256575 | | The Photon operating system must not perform IPv4 packet forwarding. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-256576 | | The Photon operating system must send Transmission Control Protocol (TCP) timestamps. | TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing... |
| V-256577 | | The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-256578 | | The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-256579 | | The Photon operating system must enforce password complexity on the root account. | Password complexity rules must apply to all accounts on the system, including root. Without specifying the "enforce_for_root flag", "pam_cracklib" doe... |
| V-256580 | | The Photon operating system must protect all boot configuration files from unauthorized modification. | Boot configuration files control how the system boots, including single-user mode, auditing, log levels, etc. Improper or malicious configurations can... |
| V-256581 | | The Photon operating system must protect sshd configuration from unauthorized access. | The "sshd_config" file contains all the configuration items for sshd. Incorrect or malicious configuration of sshd can allow unauthorized access to th... |
| V-256582 | | The Photon operating system must protect all "sysctl" configuration files from unauthorized access. | The "sysctl" configuration file specifies values for kernel parameters to be set on boot. Incorrect or malicious configuration of these parameters can... |
| V-256583 | | The Photon operating system must set the "umask" parameter correctly. | The "umask" value influences the permissions assigned to files when they are created. The "umask" setting in "login.defs" controls the permissions for... |
| V-256584 | | The Photon operating system must configure sshd to disallow HostbasedAuthentication. | Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.... |
| V-256585 | | The Photon operating system must store only encrypted representations of passwords. | Passwords must be protected at all times via strong, one-way encryption. If passwords are not encrypted, they can be plainly read (i.e., clear text) a... |
| V-256586 | | The Photon operating system must ensure the old passwords are being stored. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-256587 | | The Photon operating system must configure sshd to restrict AllowTcpForwarding. | While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on single-purpose a... |
| V-256588 | | The Photon operating system must configure sshd to restrict LoginGraceTime. | By default, sshd unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login ... |
| V-256589 | | The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptog... |
| V-256590 | | The Photon operating system must disable systemd fallback Domain Name System (DNS). | Systemd contains an ability to set fallback DNS servers. This is used for DNS lookups in the event no system-level DNS servers are configured or other... |
| V-256486 | | The Photon operating system must configure sshd to use approved encryption algorithms. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH... |
| V-256534 | | The Photon operating system must configure sshd to use FIPS 140-2 ciphers. | Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maint... |
| V-256508 | | The Photon operating system must require authentication upon booting into single-user and maintenance modes. | If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all... |