Security Technical Implementation Guide (STIG) is a set of guidelines by DISA to secure computer systems for the Department of Defense, ensuring adherence to strict security standards and configurations to mitigate vulnerabilities and enhance cybersecurity.
The vast majority of VMware STIG rules are applied out of the box in all Tanzu Application Catalog containers based on PhotonOS. If you are curious about the details, the script at /opt/bitnami/scripts/vmware-stig.sh implements the different controls and is executed automatically at build time.
In this section you will learn how Tanzu Application Catalog Photon-based containers comply with the following STIG rules:
Rules for which a specific measure is directly responsible for compliance:
Control ID | NIST | SRG ID | CCI | Title | Severity |
---|---|---|---|---|---|
PTNC-40-000004 | AC-7 a | SRG-OS-000021-GPOS-00005 | CCI-000044 | The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period | Cat II |
PTNC-40-000007 | AC-10 | SRG-OS-000027-GPOS-00008 | CCI-000054 | The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types | Cat II |
PTNC-40-000035 | IA-5 (1) (a) | SRG-OS-000069-GPOS-00037 | CCI-000192 | The Photon operating system must enforce password complexity by requiring that at least one upper-case character be used | Cat II |
PTNC-40-000036 | IA-5 (1) (a) | SRG-OS-000070-GPOS-00038 | CCI-000193 | The Photon operating system must enforce password complexity by requiring that at least one lower-case character be used | Cat II |
PTNC-40-000037 | IA-5 (1) (a) | SRG-OS-000071-GPOS-00039 | CCI-000194 | The Photon operating system must enforce password complexity by requiring that at least one numeric character be used | Cat II |
PTNC-40-000038 | IA-5 (1) (b) | SRG-OS-000072-GPOS-00040 | CCI-000195 | The Photon operating system must require the change of at least 8 characters when passwords are changed | Cat II |
PTNC-40-000039 | IA-5 (1) (c) | SRG-OS-000073-GPOS-00041 | CCI-000196 | The operating system must store only encrypted representations of passwords | Cat II |
PTNC-40-000043 | IA-5 (1) (e) | SRG-OS-000077-GPOS-00045 | CCI-000200 | The Photon operating system must prohibit password reuse for a minimum of five generations | Cat II |
PTNC-40-000044 | IA-5 (1) (a) | SRG-OS-000078-GPOS-00046 | CCI-000205 | The Photon operating system must enforce a minimum 15-character password length | Cat II |
PTNC-40-000059 | IA-7 | SRG-OS-000120-GPOS-00061 | CCI-000803 | The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module | Cat II |
PTNC-40-000074 | SI-11 b | SRG-OS-000206-GPOS-00084 | CCI-001314 | The Photon operating system /var/log directory must be owned by root | Cat II |
PTNC-40-000085 | CM-5 (6) | SRG-OS-000259-GPOS-00100 | CCI-001499 | The Photon operating system must limit privileges to change software resident within software libraries | Cat II |
PTNC-40-000086 | IA-5 (1) (a) | SRG-OS-000266-GPOS-00101 | CCI-001619 | The Photon operating system must enforce password complexity by requiring that at least one special character be used | Cat II |
PTNC-40-000108 | AC-7 b | SRG-OS-000329-GPOS-00128 | CCI-002238 | The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur | Cat II |
PTNC-40-000184 | CM-6 b | SRG-OS-000480-GPOS-00225 | CCI-000366 | The Photon operating system must prevent the use of dictionary words for passwords | Cat II |
PTNC-40-000185 | CM-6 b | SRG-OS-000480-GPOS-00226 | CCI-000366 | The Photon operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt in login defs | Cat II |
PTNC-40-000187 | CM-6 b | SRG-OS-000480-GPOS-00228 | CCI-000366 | The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files | Cat II |
PTNC-40-000192 | AC-7 a | SRG-OS-000021-GPOS-00005 | CCI-000044 | The Photon operating system must be configured to use the pam_faillock.so module | Cat II |
PTNC-40-000193 | AC-7 a | SRG-OS-000021-GPOS-00005 | CCI-000044 | The Photon operating system must prevent leaking information of the existence of a user account | Cat II |
PTNC-40-000195 | AC-7 a | SRG-OS-000021-GPOS-00005 | CCI-000044 | The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period | Cat II |
PTNC-40-000196 | AC-7 a | SRG-OS-000021-GPOS-00005 | CCI-000044 | The Photon operating system must persist lockouts between system reboots | Cat II |
PTNC-40-000197 | IA-5 (1) (a) | SRG-OS-000069-GPOS-00037 | CCI-000192 | The Photon operating system must be configured to use the pam_pwquality.so module | Cat II |
PTNC-40-000202 | IA-5 (1) (e) | SRG-OS-000077-GPOS-00045 | CCI-000200 | The Photon operating system must prohibit password reuse for a minimum of five generations by using a password history file | Cat II |
PTNC-40-000206 | CM-6 b | SRG-OS-000480-GPOS-00226 | CCI-000366 | The Photon operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt | Cat II |
PTNC-40-000209 | CM-6 b | SRG-OS-000480-GPOS-00227 | CCI-000366 | The Photon operating system must create a home directory for all new local interactive user accounts | Cat II |
PTNC-40-000235 | CM-6 b | SRG-OS-000480-GPOS-00227 | CCI-000366 | The Photon operating system must enforce password complexity on the root account | Cat II |
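Most of the controls in the table above are satisfied by settings in a handful of files: `/etc/login.defs` (logon delay, umask, home-directory creation), `/etc/security/pwquality.conf` (length, character classes, dictionary check) and the PAM stack (`pam_faillock.so`, `pam_pwquality.so`, password history). The following audit script is an added example, not the `vmware-stig.sh` script shipped in the containers: it reads those files under a root directory and reports PASS/FAIL per control. The file paths, the PAM file name `system-auth`, the threshold values and the sample configurations it constructs are assumptions made for illustration; run it against an exported container filesystem to check the real values.

```shell
#!/bin/sh
# Added example (not Bitnami's /opt/bitnami/scripts/vmware-stig.sh): audit a subset
# of the password and lockout controls listed above against config files under a
# root directory. Paths, thresholds and fixtures are assumptions for illustration.

# Value of "KEY value" in a login.defs-style file (comments start with '#').
defs_value() {
    [ -f "$1" ] || return 0
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Value of "key = value" in a pwquality.conf-style file.
conf_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check CONTROL_ID DESCRIPTION COMMAND...: runs COMMAND, prints PASS/FAIL, counts failures.
check() {
    id="$1"; desc="$2"; shift 2
    if "$@"; then
        echo "PASS $id: $desc"
    else
        echo "FAIL $id: $desc"
        fails=$((fails + 1))
    fi
}

# Audit the filesystem rooted at $1; returns the number of failed controls.
audit_stig_controls() {
    root="$1"; fails=0
    defs="$root/etc/login.defs"
    pwq="$root/etc/security/pwquality.conf"
    pam="$root/etc/pam.d/system-auth"   # assumed PAM stack file name

    v=$(defs_value "$defs" FAIL_DELAY)
    check PTNC-40-000185 "login.defs FAIL_DELAY >= 4" [ "${v:-0}" -ge 4 ]
    v=$(defs_value "$defs" UMASK)
    check PTNC-40-000187 "login.defs UMASK is 077" [ "$v" = 077 ]
    v=$(defs_value "$defs" CREATE_HOME)
    check PTNC-40-000209 "login.defs CREATE_HOME is yes" [ "$v" = yes ]

    v=$(conf_value "$pwq" minlen)
    check PTNC-40-000044 "pwquality minlen >= 15" [ "${v:-0}" -ge 15 ]
    for pair in ucredit:PTNC-40-000035 lcredit:PTNC-40-000036 dcredit:PTNC-40-000037 ocredit:PTNC-40-000086; do
        key=${pair%%:*}; cid=${pair#*:}
        v=$(conf_value "$pwq" "$key")
        check "$cid" "pwquality $key <= -1 (class required)" [ "${v:-0}" -le -1 ]
    done
    v=$(conf_value "$pwq" dictcheck)
    check PTNC-40-000184 "pwquality dictcheck = 1" [ "${v:-0}" -eq 1 ]

    # Only count module lines that are not commented out.
    check PTNC-40-000192 "pam_faillock.so active in PAM stack" grep -q '^[^#]*pam_faillock\.so' "$pam"
    check PTNC-40-000197 "pam_pwquality.so active in PAM stack" grep -q '^[^#]*pam_pwquality\.so' "$pam"
    v=$(sed -n 's/^[^#]*pam_unix\.so.*remember=\([0-9]*\).*/\1/p' "$pam" 2>/dev/null | tail -n 1)
    check PTNC-40-000202 "pam_unix remember >= 5 (password history)" [ "${v:-0}" -ge 5 ]
    return $fails
}

# Constructed fixture: "compliant" or "weak" root directory; prints its path.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/security" "$dir/etc/pam.d"
    if [ "$1" = compliant ]; then
        delay=4; um=077; minlen=15; remember="remember=5"
        lock="auth required pam_faillock.so preauth deny=3 fail_interval=900 unlock_time=0"
    else
        delay=0; um=022; minlen=8; remember=""
        lock="# pam_faillock.so deliberately left commented out in this fixture"
    fi
    cat > "$dir/etc/login.defs" <<EOF
# constructed sample login.defs
FAIL_DELAY $delay
UMASK $um
CREATE_HOME yes
EOF
    cat > "$dir/etc/security/pwquality.conf" <<EOF
# constructed sample pwquality.conf
minlen = $minlen
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
dictcheck = 1
EOF
    cat > "$dir/etc/pam.d/system-auth" <<EOF
# constructed sample PAM stack
$lock
auth required pam_unix.so
password requisite pam_pwquality.so retry=3
password required pam_unix.so sha512 $remember
EOF
    echo "$dir"
}

# Stand-alone demonstration on the two constructed fixtures.
good=$(make_sample_rootfs compliant)
audit_stig_controls "$good" && echo "compliant fixture: all checks passed"
weak=$(make_sample_rootfs weak)
audit_stig_controls "$weak" || echo "weak fixture: $? check(s) failed"
rm -rf "$good" "$weak"
```

The weak fixture fails five checks (logon delay, umask, minimum length, lockout module, password history); the commented-out `pam_faillock.so` line is reported as a failure because the grep skips comment lines, which is the mistake a naive `grep pam_faillock` would miss.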
Rules that were already satisfied by the PhotonOS base image by default, but for which some measures were still applied:
Control ID | NIST | SRG ID | CCI | Title | Severity |
---|---|---|---|---|---|
PTNC-40-000199 | CM-5 (3) | SRG-OS-000366-GPOS-00153 | CCI-001749 | The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos | Cat II |
PTNC-40-000130 | CM-5 (3) | SRG-OS-000366-GPOS-00153 | CCI-001749 | The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation | Cat II |
PTNC-40-000161 | SI-2 (6) | SRG-OS-000437-GPOS-00194 | CCI-002617 | The Photon operating system must remove all software components after updated versions have been installed | Cat II |
Control ID | NIST | SRG ID | CCI | Title | Severity | Comment |
---|---|---|---|---|---|---|
PTNC-40-000013 | AC-17 (2) | SRG-OS-000033-GPOS-00014 | CCI-000068 | The Photon operating system must have the OpenSSL FIPS provider installed | Cat II | OpenSSL-FIPS is already installed in every Photon 4 container |
PTNC-40-000040 | IA-5 (1) (c) | SRG-OS-000074-GPOS-00042 | CCI-000197 | The Photon operating system must not have the telnet package installed | Cat II | Telnet is not installed by default; it is added per application only when needed |
PTNC-40-000047 | CM-7 a | SRG-OS-000095-GPOS-00049 | CCI-000381 | The Photon container operating system must not install SSH | Cat II | SSH is not installed by default; it is added per application only when needed |
PTNC-40-000133 | IA-11 | SRG-OS-000373-GPOS-00156 | CCI-002038 | The Photon operating system must require users to reauthenticate for privilege escalation | Cat II | sudo is neither installed nor expected |
PTNC-40-000240 | CM-7 a | SRG-OS-000095-GPOS-00049 | CCI-000381 | The Photon container operating system must disable non-essential capabilities | Cat II | Only the minimum required system packages are added |
PTNC-40-000241 | CM-6 b | SRG-OS-000480-GPOS-00227 | CCI-000366 | The Photon container operating system must have all security patches and updates installed | Cat II | The latest upgrades are already retrieved when using the install_packages command |