General Purpose Operating System Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...Rule Medium Severity -
SRG-OS-000358
<GroupDescription></GroupDescription>Group -
The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.
<VulnDiscussion>Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records....Rule Medium Severity -
SRG-OS-000359
<GroupDescription></GroupDescription>Group -
The operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analys...Rule Low Severity -
SRG-OS-000360
<GroupDescription></GroupDescription>Group -
The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
<VulnDiscussion>An authorized user may intentionally or accidentally move or delete audit records without those specific actions being author...Rule Medium Severity -
SRG-OS-000362
<GroupDescription></GroupDescription>Group -
The operating system must prohibit user installation of system software without explicit privileged status.
<VulnDiscussion>Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malici...Rule Medium Severity -
SRG-OS-000363
<GroupDescription></GroupDescription>Group -
The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner.
<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized ...Rule Medium Severity -
SRG-OS-000364
<GroupDescription></GroupDescription>Group -
The operating system must enforce access restrictions.
<VulnDiscussion>Failure to provide logical access restrictions associated with changes to system configuration may have significant effects o...Rule Medium Severity -
SRG-OS-000365
<GroupDescription></GroupDescription>Group -
The operating system must audit the enforcement actions used to restrict access associated with changes to the system.
<VulnDiscussion>Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficul...Rule Medium Severity -
The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This require...Rule High Severity -
SRG-OS-000368
<GroupDescription></GroupDescription>Group -
The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.
<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may pr...Rule Medium Severity -
SRG-OS-000370
<GroupDescription></GroupDescription>Group -
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
<VulnDiscussion>Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Usin...Rule Medium Severity -
SRG-OS-000375
<GroupDescription></GroupDescription>Group -
The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
<VulnDiscussion>Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ens...Rule Medium Severity -
SRG-OS-000376
<GroupDescription></GroupDescription>Group -
The operating system must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. B...Rule Medium Severity -
SRG-OS-000383
<GroupDescription></GroupDescription>Group -
The operating system must prohibit the use of cached authenticators after one day.
<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</...Rule Medium Severity -
SRG-OS-000384
<GroupDescription></GroupDescription>Group -
The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer autho...Rule Medium Severity -
SRG-OS-000392
<GroupDescription></GroupDescription>Group -
The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions.
<VulnDiscussion>If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing an...Rule Medium Severity -
SRG-OS-000393
<GroupDescription></GroupDescription>Group -
The operating system must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that se...Rule Medium Severity -
SRG-OS-000404
<GroupDescription></GroupDescription>Group -
The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
<VulnDiscussion>Privileged access contains control and configuration information and is particularly sensitive, so additional protections are...Rule High Severity -
SRG-OS-000394
<GroupDescription></GroupDescription>Group -
The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
<VulnDiscussion>Privileged access contains control and configuration information and is particularly sensitive, so additional protections are...Rule High Severity -
SRG-OS-000395
<GroupDescription></GroupDescription>Group -
The operating system must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions.
<VulnDiscussion>If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; t...Rule Medium Severity -
SRG-OS-000396
<GroupDescription></GroupDescription>Group -
The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating ...Rule High Severity -
SRG-OS-000403
<GroupDescription></GroupDescription>Group -
The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components.
<VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthor...Rule High Severity -
SRG-OS-000405
<GroupDescription></GroupDescription>Group -
The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components.
<VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthor...Rule High Severity -
SRG-OS-000420
<GroupDescription></GroupDescription>Group -
The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ac...Rule Medium Severity -
SRG-OS-000423
<GroupDescription></GroupDescription>Group -
The operating system must protect the confidentiality and integrity of transmitted information.
<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected commu...Rule High Severity -
SRG-OS-000424
<GroupDescription></GroupDescription>Group -
The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
<VulnDiscussion>Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mec...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.