By default, all Tanzu Platform for Cloud Foundry 10.x virtual machines (VMs) run Ubuntu v22.04 based stemcell. The stemcells are hardened by default to some STIG specification.
Tanzu Application Service is now called Tanzu Platform for Cloud Foundry (Tanzu Platform for CF). The current version of Tanzu Platform for Cloud Foundry is 10.0.
Ubuntu 22.04 STIG hardening results
The STIG hardening process for Ubuntu stemcell changes the compliance scans for Tanzu Application Service (TAS for VMs) v10.0 VMs.
The following checklist file aligns to VMware security best practices:
The following screen captures show the scan results for TAS for VMs VMs after hardening.
Scan results for hardened Tanzu Platform for Cloud Foundry v10.0:
STIG results and exceptions for Ubuntu 22.04 stemcell
Some Ubuntu processes/features are not hardened. The following table lists the hardening results and exceptions. The table also provides an explanation for the exception and a resolution.
| VID | Finding Title | Exception / Explanation |
|---|---|---|
| V-260468 | Ubuntu 22.04 LTS must deploy an Endpoint Security Solution. | VMware recommends installing Anti-Virus for VMware Tanzu for endpoint protection. Other Endpoint protection products provided by partener services include Prisma Cloud for VMware Tanzu, Aqua Security Enforcer for VMware Tanzu, Aqua Security Scanner for VMware Tanzu. |
| V-260478 | Ubuntu 22.04 LTS must have the libpam-pwquality package installed. | Stemcell uses pam_cracklib, so to enforce password complexity. Additionally, BOSH SSH users are ephemeral. They use key-based login and not password-based login. |
| V-260484 | Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest. | Disk encryption is handled by the IaaS. |
| V-260488 | Ubuntu 22.04 LTS must configure the /var/log directory to have mode 755 or less permissive. | Group vcap requires write permission on /var/log. |
| V-260489 | Ubuntu 22.04 LTS must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | File /var/log/sysstat/sa has group write and global read for sysstat’s system activity report (sar) to function. |
| V-260511 | Ubuntu 22.04 LTS must configure the /var/log/syslog file to be group-owned by adm. | /var/log/syslog is group-owned by syslog. |
| V-260513 | Ubuntu 22.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. | On worker (TKGi), container files (/var/vcap/data/kubelet/pods/) fail this test due to kubernetes architecture. |
| V-260514 | Ubuntu 22.04 LTS must have an application firewall installed in order to control remote access methods. | Because IP addresses are dynamic in Tanzu Platform for CF, Uncomplicated Firewall (UFW) cannot be used to limit traffic between the hosts within Tanzu Platform for CF. Application Security Groups (ASGs) and perimeter firewalls for the Tanzu Platform for CF subnet are used instead. iptables is used where necessary. |
| V-260515 | Ubuntu 22.04 LTS must enable and run the Uncomplicated Firewall (ufw). | Because IP addresses are dynamic in Tanzu Platform for CF, Uncomplicated Firewall (UFW) cannot be used to limit traffic between the hosts within Tanzu Platform for CF. Application Security Groups (ASGs) and perimeter firewalls for the Tanzu Platform for CF subnet are used instead. iptables is used where necessary. |
| V-260516 | Ubuntu 22.04 LTS must have an application firewall enabled. | Because IP addresses are dynamic in Tanzu Platform for CF, Uncomplicated Firewall (UFW) cannot be used to limit traffic between the hosts within Tanzu Platform for CF. Application Security Groups (ASGs) and perimeter firewalls for the Tanzu Platform for CF subnet are used instead. iptables is used where necessary. |
| V-260517 | Ubuntu 22.04 LTS must configure the Uncomplicated Firewall (ufw) to rate-limit impacted network interfaces. | Because IP addresses are dynamic in Tanzu Platform for CF, Uncomplicated Firewall (UFW) cannot be used to limit traffic between the hosts within Tanzu Platform for CF. Application Security Groups (ASGs) and perimeter firewalls for the Tanzu Platform for CF subnet are used instead. iptables is used where necessary. |
| V-260518 | Ubuntu 22.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | Because IP addresses are dynamic in Tanzu Platform for CF, Uncomplicated Firewall (UFW) cannot be used to limit traffic between the hosts within Tanzu Platform for CF. Application Security Groups (ASGs) and perimeter firewalls for the Tanzu Platform for CF subnet are used instead. iptables is used where necessary. |
| V-260519 | Ubuntu 22.04 LTS must, for networked systems, compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | Default maxpoll for chrony.conf is 10. The polling interval is 2^10 seconds. Time sources are defined in /etc/chrony/sources.d/bosh.sources. |
| V-260530 | Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display. | X11UseLocalhost is not set. The default value for X11UseLocalhost is yes. Ref: https://manpages.ubuntu.com/manpages/jammy/man5/sshd_config.5.html. |
| V-260535 | Ubuntu 22.04 LTS must enable the graphical user logon banner to display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon. | GNOME is a GUI for Ubuntu. Stemcells do not have GNOME the package installed. |
| V-260536 | Ubuntu 22.04 LTS must display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon. | GNOME is a GUI for Ubuntu. Stemcells do not have GNOME the package installed. |
| V-260537 | Ubuntu 22.04 LTS must retain a user’s session lock until that user reestablishes access using established identification and authentication procedures. | GNOME is a GUI for Ubuntu. Stemcells do not have GNOME the package installed. |
| V-260538 | Ubuntu 22.04 LTS must initiate a graphical session lock after 15 minutes of inactivity. | GNOME is a GUI for Ubuntu. Stemcells do not have GNOME the package installed. |
| V-260539 | Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. | GNOME is a GUI for Ubuntu. Stemcells do not have GNOME the package installed. |
| V-260541 | Ubuntu 22.04 LTS must disable all wireless network adapters. | Note: If the system does not have any physical wireless network radios, this requirement is not applicable. Customers can install iwconfig to validate that there are no wireless network interfaces. |
| V-260544 | Ubuntu 22.04 LTS must allow the use of a temporary password for system logons with an immediate change to a permanent password. | Stemcells use two system users, root and vcap. All BOSH processes run as vcap. This rule is not applicable because no other users are created on BOSH deployed VMs when using the default stemcell configuration. |
| V-260546 | Ubuntu 22.04 LTS must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction. | BOSH SSH users are ephemeral and use key based-login and not password-based login. |
| V-260547 | Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | BOSH SSH users are ephemeral and use key based-login and not password-based login. |
| V-260548 | Ubuntu 22.04 LTS must automatically expire temporary accounts within 72 hours. | Stemcells do not have temporary accounts. |
| V-260553 | Ubuntu 22.04 LTS must allow users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The rule deals with session locks of virtual consoles (using vlock) when accessing a physical machine. This rule is applicable to virtual consoles on a physical machine. End users do not have physical access to a BOSH deployed VM. |
| V-260554 | Ubuntu 22.04 LTS must automatically exit interactive command shell user sessions after 15 minutes of inactivity. | End users cannot initiate a local interactive session because they do not have physical access to a BOSH deployed VM. SSH has a default inactivity timeout of 15 minutes. |
| V-260555 | Ubuntu 22.04 LTS default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files. | The expected umask is 077, the actual is 022. This umask is required for the container runtime runC to function correctly. |
| V-260558 | Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles. | BOSH SSH uses key-based login. SSH users have passwordless sudo privilege. |
| V-260559 | Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group. | BOSH SSH uses key-based login. SSH users have passwordless sudo privilege. |
| V-260560 | Ubuntu 22.04 LTS must enforce password complexity by requiring at least one uppercase character be used. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260561 | Ubuntu 22.04 LTS must enforce password complexity by requiring at least one lowercase character be used. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260562 | Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one numeric character be used. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260563 | Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one special character be used. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260564 | Ubuntu 22.04 LTS must prevent the use of dictionary words for passwords. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260565 | Ubuntu 22.04 LTS must enforce a minimum 15-character password length. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260566 | Ubuntu 22.04 LTS must require the change of at least eight characters when passwords are changed. | This setting is in /etc/pam.d/common-password instead of /etc/security/pwquality.conf. |
| V-260567 | Ubuntu 22.04 LTS must be configured so that when passwords are changed or new passwords are established, pwquality must be used. | Stemcell uses pam_cracklib, so to enforce password complexity. Additionally, BOSH SSH users are ephemeral. They use key-based login and not password-based login. |
| V-260573 | Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Stemcells do not support multi-factor authentication. |
| V-260574 | Ubuntu 22.04 LTS must accept personal identity verification (PIV) credentials. | Stemcells do not support multi-factor authentication. |
| V-260575 | Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Stemcells do not support multi-factor authentication. |
| V-260576 | Ubuntu 22.04 LTS must electronically verify personal identity verification (PIV) credentials. | Stemcells do not support multi-factor authentication. |
| V-260577 | Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Stemcells do not support multi-factor authentication. |
| V-260578 | Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | Stemcells do not support multi-factor authentication. |
| V-260579 | Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. | Stemcells do not support multi-factor authentication. |
| V-260580 | Ubuntu 22.04 LTS must use DOD PKI-established certificate authorities for verification of the establishment of protected sessions. | Stemcells do not support multi-factor authentication. |
| V-260581 | Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Note: If smart card authentication is not being used on the system, this requirement is not applicable. Stemcells do not support multi-factor authentication. |
| V-260582 | Ubuntu 22.04 LTS must use a file integrity tool to verify correct operation of all security functions. | Advanced Intrusion Detection Environment (AIDE) is not installed or configured on stemcells. VMware recommends installing File Integrity Monitoring for Tanzu (FIM) for file monitoring. |
| V-260583 | Ubuntu 22.04 LTS must configure AIDE to perform file integrity checking on the file system. | Note: If AIDE is not installed, this requirement is not applicable. Advanced Intrusion Detection Environment (AIDE) is not installed or configured on stemcells. VMware recommends installing File Integrity Monitoring for Tanzu (FIM) for file monitoring. |
| V-260584 | Ubuntu 22.04 LTS must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered. | Advanced Intrusion Detection Environment (AIDE) is not installed or configured on stemcells. VMware recommends installing File Integrity Monitoring for Tanzu (FIM) for file monitoring. |
| V-260585 | Ubuntu 22.04 LTS must be configured so that the script that runs each 30 days or less to check file integrity is the default. | Advanced Intrusion Detection Environment (AIDE) is not installed or configured on stemcells. VMware recommends installing File Integrity Monitoring for Tanzu (FIM) for file monitoring. FIM logs in real time. |
| V-260586 | Ubuntu 22.04 LTS must use cryptographic mechanisms to protect the integrity of audit tools. | Advanced Intrusion Detection Environment (AIDE) is not installed or configured on stemcells. VMware recommends installing File Integrity Monitoring for Tanzu (FIM) for file monitoring. FIM is configured to monitor audit tools. |
| V-260587 | Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone systems. | Advanced Intrusion Detection Environment (AIDE) is not installed or configured on stemcells. VMware recommends installing File Integrity Monitoring for Tanzu (FIM) for file monitoring. Syslog forwarding can be setup in the FIM tile to offload events to an Enterprise log sink in real time. |
| V-260591 | Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | auditd is disabled by default and explicitly started by the bosh-agent on bootstrap. https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/741f485675f13ec3cda19d375b8f30b1aa1c584c/stemcell_builder/stages/bosh_log_audit_start/assets/bosh-start-logging-and-auditinghttps://github.com/cloudfoundry/bosh-agent/blob/e11e56fe8de33c158d2d66ae89a678e6eeaee8af/agent/bootstrap.go#L129 |
| V-260592 | Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited. | VMware recommends that you forward logs to a remote syslog ingestor. The stemcell does not have audit event multiplexor installed. |
| V-260595 | Ubuntu 22.04 LTS must allocate audit record storage capacity to store at least one week’s worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | Because BOSH deployed VMs are ephemeral, VMware recommends that you forward logs to a remote syslog ingestor. |
| V-260605 | Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chacl command. | File /usr/bin/chacl does not exist on stemcells. |
| V-260619 | Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the setfacl command. | File /usr/bin/setfacl does not exist on stemcells. |
| V-260650 | Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Test will fail on an an non-FIPS enabled stemcell. Please create stemcell with Ubuntu Pro token. |
Content feedback and comments