Skip to content
Log In

DBN-6300 NDM Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000169-NDM-000257

    Group
    Show

  • If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
    Show

  • SRG-APP-000173-NDM-000260

    Group
    Show

  • The DBN-6300 must enforce 24 hours/1 day as the minimum password lifetime.

    Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to...
    Rule Medium Severity
    Show

  • SRG-APP-000174-NDM-000261

    Group
    Show

  • SRG-APP-000190-NDM-000267

    Group
    Show

  • SRG-APP-000267-NDM-000273

    Group
    Show

  • The DBN-6300 must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account informatio...
    Rule Medium Severity
    Show

  • SRG-APP-000268-NDM-000274

    Group
    Show

  • The DBN-6300 must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.

    Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue ...
    Rule Medium Severity
    Show

  • SRG-APP-000295-NDM-000279

    Group
    Show

  • SRG-APP-000319-NDM-000283

    Group
    Show

  • The DBN-6300 must automatically audit account enabling actions.

    Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
    Rule Medium Severity
    Show

  • SRG-APP-000343-NDM-000289

    Group
    Show

  • The DBN-6300 must audit the execution of privileged functions.

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
    Show

  • SRG-APP-000353-NDM-000292

    Group
    Show

  • The DBN-6300 must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near real time.

    If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important ...
    Rule Low Severity
    Show

  • SRG-APP-000371-NDM-000296

    Group
    Show

  • The DBN-6300 must compare internal information system clocks at least every 24 hours with an authoritative time server.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
    Show

  • SRG-APP-000374-NDM-000299

    Group
    Show

  • The DBN-6300 must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).

    If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
    Rule Medium Severity
    Show

  • SRG-APP-000375-NDM-000300

    Group
    Show

  • The DBN-6300 must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.

    Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granula...
    Rule Medium Severity
    Show

  • SRG-APP-000381-NDM-000305

    Group
    Show

  • The DBN-6300 must audit the enforcement actions used to restrict access associated with changes to the device.

    Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for...
    Rule Medium Severity
    Show

  • SRG-APP-000411-NDM-000330

    Group
    Show

  • Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

    This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryp...
    Rule Medium Severity
    Show

  • SRG-APP-000412-NDM-000331

    Group
    Show

  • SRG-APP-000495-NDM-000318

    Group
    Show

  • SRG-APP-000499-NDM-000319

    Group
    Show

  • The DBN-6300 must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-APP-000503-NDM-000320

    Group
    Show

  • The DBN-6300 must generate audit records when successful/unsuccessful logon attempts occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-APP-000504-NDM-000321

    Group
    Show

  • SRG-APP-000505-NDM-000322

    Group
    Show

  • Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.

    Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With r...
    Rule Medium Severity
    Show

  • SRG-APP-000516-NDM-000344

    Group
    Show

  • SRG-APP-000506-NDM-000323

    Group
    Show

  • The DBN-6300 must generate audit records when concurrent logons from different workstations occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-APP-000509-NDM-000324

    Group
    Show

  • The DBN-6300 must generate audit records for all account creation, modification, disabling, and termination events.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-APP-000515-NDM-000325

    Group
    Show

  • SRG-APP-000516-NDM-000317

    Group
    Show

  • The DBN-6300 must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.

    Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create...
    Rule High Severity
    Show

  • SRG-APP-000516-NDM-000336

    Group
    Show

  • The DBN-6300 must obtain its public key certificates from an appropriate certificate policy through an approved service provider.

    For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure...
    Rule Medium Severity
    Show

  • The DBN-6300 must automatically audit account creation.

    Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. This con...
    Rule Medium Severity
    Show

  • The DBN-6300 must automatically audit account modification.

    Upon gaining access to a network device, an attacker will often attempt to create a persistent method of reestablishing access. One way to accomplish this is to modify an account. This control does...
    Rule Medium Severity
    Show

  • The DBN-6300 must be compliant with at least one IETF Internet standard authentication protocol.

    Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In dis...
    Rule Medium Severity
    Show

  • The DBN-6300 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. It is possible to set a time-to-re...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules