General Purpose Operating System Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The operating system must authenticate peripherals before establishing a connection.
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drive...Rule Medium Severity -
SRG-OS-000379
Group -
SRG-OS-000383
Group -
The operating system must prohibit the use of cached authenticators after one day.
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.Rule Medium Severity -
SRG-OS-000384
Group -
The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).Rule Medium Severity -
SRG-OS-000392
Group -
The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions.
If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addres...Rule Medium Severity -
SRG-OS-000393
Group -
SRG-OS-000394
Group -
The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as...Rule High Severity -
SRG-OS-000395
Group -
SRG-OS-000396
Group -
The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher stand...Rule High Severity -
SRG-OS-000403
Group -
SRG-OS-000404
Group -
SRG-OS-000405
Group -
SRG-OS-000420
Group -
SRG-OS-000423
Group -
SRG-OS-000424
Group -
SRG-OS-000425
Group -
The operating system must maintain the confidentiality and integrity of information during preparation for transmission.
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during pa...Rule Medium Severity -
SRG-OS-000426
Group -
SRG-OS-000432
Group -
The operating system must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
A common vulnerability of operating system is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs...Rule Medium Severity -
SRG-OS-000433
Group -
SRG-OS-000433
Group -
The operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory incl...Rule Medium Severity -
SRG-OS-000437
Group -
SRG-OS-000445
Group -
SRG-OS-000446
Group -
The operating system must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmwar...Rule Medium Severity -
SRG-OS-000447
Group -
The operating system must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible fo...Rule Medium Severity -
SRG-OS-000458
Group -
The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000461
Group -
SRG-OS-000462
Group -
The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000463
Group -
The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000465
Group -
The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000466
Group -
The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000467
Group -
The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000468
Group -
SRG-OS-000470
Group -
The operating system must generate audit records when successful/unsuccessful logon attempts occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.