| V-258801 | | The Photon operating system must audit all account creations. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-258802 | | The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258803 | | The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-258805 | | The Photon operating system must monitor remote access logins. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-258807 | | The Photon operating system must configure auditd to log to disk. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-258808 | | The Photon operating system must enable the auditd service. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-258809 | | The Photon operating system must be configured to audit the execution of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-258810 | | The Photon operating system must alert the ISSO and SA in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-258811 | | The Photon operating system must protect audit logs from unauthorized access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-258812 | | The Photon operating system must allow only authorized users to configure the auditd service. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-258813 | | The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing D... |
| V-258814 | | The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258815 | | The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258816 | | The Photon operating system must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258817 | | The Photon operating system must require the change of at least eight characters when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by i... |
| V-258820 | | The Photon operating system must enforce one day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-258821 | | The Photon operating system must enforce a 90-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-258822 | | The Photon operating system must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-258823 | | The Photon operating system must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-258824 | | The Photon operating system must require authentication upon booting into single-user and maintenance modes. | If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all... |
| V-258825 | | The Photon operating system must disable unnecessary kernel modules. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-258826 | | The Photon operating system must not have duplicate User IDs (UIDs). | To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential m... |
| V-258827 | | The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-258828 | | The Photon operating system must restrict access to the kernel message buffer. | Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a no... |
| V-258829 | | The Photon operating system must be configured to use TCP syncookies. | A TCP SYN flood attack can cause a Denial of Service (DOS) by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncooki... |
| V-258830 | | The Photon operating system must terminate idle Secure Shell (SSH) sessions after 15 minutes. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-258831 | | The Photon operating system /var/log directory must be restricted. | Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error ... |
| V-258832 | | The Photon operating system must reveal error messages only to authorized users. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-258833 | | The Photon operating system must audit all account modifications. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-258834 | | The Photon operating system must audit all account removal actions. | When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying ... |
| V-258836 | | The Photon operating system must initiate session audits at system startup. | If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state i... |
| V-258837 | | The Photon operating system must protect audit tools from unauthorized access. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-258838 | | The Photon operating system must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure o... |
| V-258840 | | The operating system must automatically terminate a user session after inactivity time-outs have expired. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-258842 | | The Photon operating system must audit the execution of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-258843 | | The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-258847 | | The Photon operating system must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the c... |
| V-258848 | | The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-258849 | | The Photon operating system must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-258850 | | The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258851 | | The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258853 | | The Photon operating system must prevent the use of dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by incre... |
| V-258854 | | The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt in login.defs. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-258855 | | The Photon operating system must ensure audit events are flushed to disk at proper intervals. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-258856 | | The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.... |
| V-258858 | | The Photon operating system must be configured to use the pam_faillock.so module. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258859 | | The Photon operating system must prevent leaking information of the existence of a user account. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258860 | | The Photon operating system must audit logon attempts for unknown users. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258861 | | The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258862 | | The Photon operating system must persist lockouts between system reboots. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258863 | | The Photon operating system must be configured to use the pam_pwquality.so module. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258865 | | The Photon operating system must configure the Secure Shell (SSH) SyslogFacility. | Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies b... |
| V-258866 | | The Photon operating system must enable Secure Shell (SSH) authentication logging. | Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies b... |
| V-258867 | | The Photon operating system must terminate idle Secure Shell (SSH) sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-258868 | | The Photon operating system must audit all account modifications. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-258869 | | The Photon operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-258872 | | The Photon operating system must create a home directory for all new local interactive user accounts. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-258873 | | The Photon operating system must disable the debug-shell service. | The debug-shell service is intended to diagnose systemd-related boot issues with various systemctl commands. Once enabled and following a system reboo... |
| V-258874 | | The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SS... |
| V-258875 | | The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding. | X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack sur... |
| V-258876 | | The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.... |
| V-258877 | | The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication. | If Kerberos is enabled through SSH, sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos ... |
| V-258878 | | The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the ... |
| V-258879 | | The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication. | Providing users with feedback on the last time they logged on via SSH facilitates user recognition and reporting of unauthorized account use.... |
| V-258880 | | The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists. | SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a l... |
| V-258881 | | The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files. | SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a l... |
| V-258882 | | The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection. | By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectivene... |
| V-258883 | | The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding. | While enabling TCP tunnels is a valuable function of sshd, this feature is not appropriate for use on single purpose appliances.... |
| V-258884 | | The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime. | By default, SSH unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login w... |
| V-258885 | | The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. | When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accident... |
| V-258886 | | The Photon operating system must not forward IPv4 or IPv6 source-routed packets. | Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the ... |
| V-258887 | | The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.... |
| V-258888 | | The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-258889 | | The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-258890 | | The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-258891 | | The Photon operating system must log IPv4 packets with impossible addresses. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-258892 | | The Photon operating system must use a reverse-path filter for IPv4 network traffic. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received ... |
| V-258893 | | The Photon operating system must not perform IPv4 packet forwarding. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-258894 | | The Photon operating system must send TCP timestamps. | TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing... |
| V-258895 | | The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-258896 | | The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-258897 | | The Photon operating system must enforce password complexity on the root account. | Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_pwquality does n... |
| V-258898 | | The Photon operating system must disable systemd fallback DNS. | Systemd contains an ability to set fallback DNS servers, which is used for DNS lookups in the event no system level DNS servers are configured or othe... |
| V-258899 | | The Photon operating system must generate audit records for all access and modifications to the opasswd file. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-258901 | | The Photon operating system must enable the rsyslog service. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information sy... |
| V-258902 | | The Photon operating system must be configured to use the pam_pwhistory.so module. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-258903 | | The Photon operating system must enable hardlink access control protection in the kernel. | By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hard... |
| V-258904 | | The Photon operating system must restrict core dumps. | By enabling the fs.suid_dumpable kernel parameter, core dumps are not generated for setuid or otherwise protected/tainted binaries. This prevents user... |
| V-258804 | | The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |
| V-258844 | | The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility. | Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and sett... |
| V-258845 | | The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-258806 | | The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH... |
| V-258818 | | The operating system must store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258819 | | The Photon operating system must not have the telnet package installed. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258835 | | The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-258839 | | The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-258841 | | The Photon operating system must enable symlink access control protection in the kernel. | By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable director... |
| V-258846 | | The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation. | Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall s... |
| V-258852 | | The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cry... |
| V-258857 | | The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication. | SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.... |
| V-258864 | | The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos. | Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall s... |
| V-258870 | | The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password. | Blank passwords are one of the first things an attacker checks for when probing a system. Even if the user somehow has a blank password on the OS, SSH... |
| V-258871 | | The Photon operating system must configure Secure Shell (SSH) to disable user environment processing. | Enabling user environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.... |
| V-258900 | | The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |