Network Device Management Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000166
Group

SRG-APP-000167
Group
Rule (Medium Severity): The network device must enforce password complexity by requiring that at least one lowercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...

SRG-APP-000168
Group

SRG-APP-000169
Group
Rule (Medium Severity): The network device must enforce password complexity by requiring that at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...

SRG-APP-000171
Group

SRG-APP-000172
Group
Rule (High Severity): The network device must transmit only encrypted representations of passwords.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...

SRG-APP-000178
Group
Rule (High Severity): The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the network device must not provide any information that would allow a...

SRG-APP-000179
Group

SRG-APP-000220
Group
Rule (Medium Severity): The network device must invalidate session identifiers upon administrator logout or other session termination.
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and to continue to employ previously valid session IDs. This requirement is app...

SRG-APP-000223
Group
Rule (Medium Severity): The network device must recognize only system-generated session identifiers.
Network device management web interfaces utilize sessions and session identifiers to control management interface behavior and administrator access. If an attacker can guess the session identifier ...

SRG-APP-000224
Group
Rule (Medium Severity): The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force att...

SRG-APP-000231
Group
Rule (Medium Severity): The network device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...

SRG-APP-000296
Group
Rule (Medium Severity): The network device must be configured to provide a logout mechanism for administrator-initiated communication sessions.
If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.

SRG-APP-000297
Group

SRG-APP-000317
Group
Rule (Medium Severity): The network device must terminate shared/group account credentials when members leave the group.
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are no...

SRG-APP-000319
Group
Rule (Medium Severity): The network device must automatically audit account enabling actions.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...

SRG-APP-000328
Group

SRG-APP-000329
Group
Rule (Medium Severity): If the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organ...

SRG-APP-000340
Group
Rule (High Severity): The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privile...

SRG-APP-000343
Group
Rule (Medium Severity): The network device must audit the execution of privileged functions.
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...

SRG-APP-000357
Group
Rule (Medium Severity): The network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit...

SRG-APP-000360
Group

SRG-APP-000374
Group
Rule (Medium Severity): The network device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim...

SRG-APP-000375
Group

SRG-APP-000378
Group
Rule (Medium Severity): The network device must prohibit installation of software without explicit privileged status.
Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code ...

SRG-APP-000380
Group
Rule (Medium Severity): The network device must enforce access restrictions associated with changes to device configuration.
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restric...

SRG-APP-000381
Group

SRG-APP-000499
Group

SRG-APP-000395
Group
Rule (Medium Severity): The network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the...

SRG-APP-000395
Group
Rule (Medium Severity): The network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will mak...