AAA Services Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000023
Group -
SRG-APP-000024
Group -
AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
When temporary user accounts remain active after no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of...Rule Medium Severity -
SRG-APP-000024
Group -
AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
When temporary user accounts remain active after no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of...Rule Medium Severity -
SRG-APP-000025
Group -
SRG-APP-000026
Group -
AAA Services must be configured to automatically audit account creation.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create ...Rule Medium Severity -
SRG-APP-000027
Group -
SRG-APP-000028
Group -
AAA Services must be configured to automatically audit account disabling actions.
When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt ...Rule Medium Severity -
SRG-APP-000029
Group -
AAA Services must be configured to automatically audit account removal actions.
When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt se...Rule Medium Severity -
SRG-APP-000065
Group -
AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...Rule Medium Severity -
SRG-APP-000089
Group -
AAA Services must be configured to audit each authentication and authorization transaction.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit r...Rule Medium Severity -
SRG-APP-000095
Group -
SRG-APP-000096
Group -
AAA Services configuration audit records must identify when (date and time) the events occurred.
Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. In order to compile an accurate risk assessment, and provid...Rule Medium Severity -
SRG-APP-000097
Group -
AAA Services configuration audit records must identify where the events occurred.
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident. In order to compile an accurate risk assessment, and provi...Rule Medium Severity -
SRG-APP-000098
Group -
AAA Services configuration audit records must identify the source of the events.
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In addition to logging where events occur with...Rule Medium Severity -
SRG-APP-000099
Group -
AAA Services configuration audit records must identify the outcome of the events.
Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the sy...Rule Medium Severity -
SRG-APP-000100
Group -
SRG-APP-000108
Group -
SRG-APP-000116
Group -
AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct tim...Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000142
Group -
AAA Services must be configured to use secure protocols when connecting to directory services.
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protect...Rule High Severity -
SRG-APP-000142
Group -
SRG-APP-000142
Group -
SRG-APP-000148
Group -
AAA Services must be configured to uniquely identify and authenticate organizational users.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational use...Rule High Severity -
SRG-APP-000149
Group -
AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentica...Rule Medium Severity -
SRG-APP-000150
Group -
SRG-APP-000158
Group -
AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the d...Rule Medium Severity -
SRG-APP-000164
Group -
AAA Services must be configured to enforce a minimum 15-character password length.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to d...Rule Medium Severity -
SRG-APP-000166
Group -
AAA Services must be configured to enforce password complexity by requiring that at least one uppercase character be used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...Rule Medium Severity -
SRG-APP-000167
Group -
AAA Services must be configured to enforce password complexity by requiring that at least one lowercase character be used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...Rule Medium Severity -
SRG-APP-000168
Group -
AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.