
Network Device Management Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000400

    Group
  • SRG-APP-000408

    Group
  • Network devices performing maintenance functions must restrict use of these functions to authorized personnel only.

    There are security-related issues arising from software brought into the network device specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a device in orde...
    Rule Medium Severity
  • SRG-APP-000411

    Group
  • SRG-APP-000412

    Group
  • The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

    This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryp...
    Rule High Severity
  • SRG-APP-000435

    Group
  • SRG-APP-000491

    Group
  • If the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.

    Mandatory access control policies constrain what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects ...
    Rule Medium Severity
  • SRG-APP-000495

    Group
  • SRG-APP-000503

    Group
  • The network device must generate audit records when successful/unsuccessful logon attempts occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • SRG-APP-000504

    Group
  • The network device must generate audit records for privileged activities or other system-level access.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • SRG-APP-000505

    Group
  • The network device must generate audit records showing starting and ending time for administrator access to the system.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • SRG-APP-000506

    Group
  • The network device must generate audit records when concurrent logons from different workstations occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • SRG-APP-000515

    Group
  • The network device must off-load audit records onto a different system or media than the system being audited.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • The network device must enforce access restrictions associated with changes to the system components.

    Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • The network device must be configured to conduct backups of system level information contained in the information system when changes occur.

    System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execu...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • SRG-APP-000001

    Group
  • SRG-APP-000516

    Group
  • The network device must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

    The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in se...
    Rule High Severity
  • SRG-APP-000516

    Group
  • The network device must be running an operating system release that is currently supported by the vendor.

    Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
    Rule High Severity
  • SRG-APP-000516

    Group
  • The network device must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

    Configuring the network device to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security base...
    Rule Medium Severity
  • SRG-APP-000149

    Group
  • The network device must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.

    Multi-factor authentication (MFA) is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include some...
    Rule High Severity
  • SRG-APP-000175

    Group
  • The network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.

    Once issued by a DoD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for 3 years or shorter within the DoD. However, there are many reasons a certificat...
    Rule High Severity
  • SRG-APP-000177

    Group
  • SRG-APP-000457

    Group
  • The network device must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

    Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any con...
    Rule Medium Severity
  • SRG-APP-000700

    Group
  • The network device must be configured to disable accounts when the accounts have expired.

    Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
    Rule Medium Severity
  • SRG-APP-000705

    Group
  • The network device must be configured to disable accounts when the accounts are no longer associated to a user.

    Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
    Rule Medium Severity
  • SRG-APP-000795

    Group
  • The network device must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.

    Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit log...
    Rule Medium Severity
  • SRG-APP-000820

    Group
  • SRG-APP-000825

    Group
