I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000353-NDM-000292
Group -
CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals.
If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important ...Rule Medium Severity -
SRG-APP-000395-NDM-000310
Group -
CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication.
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the...Rule Medium Severity -
SRG-APP-000395-NDM-000310
Group -
CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the...Rule High Severity -
SRG-APP-000148-NDM-000346
Group -
In the event the authentication server is unavailable, one local account must be created for use as the account of last resort.
Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on CounterACT's local database for use in an emergency, such as when th...Rule Medium Severity -
SRG-APP-000345-NDM-000290
Group -
CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...Rule Medium Severity -
SRG-APP-000317-NDM-000282
Group -
The network device must terminate shared/group account credentials when members leave the group.
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are no...Rule Medium Severity -
SRG-APP-000516-NDM-000338
Group -
The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...Rule Low Severity -
SRG-APP-000069-NDM-000216
Group -
CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
The administrator must acknowledge the banner prior to CounterACT allowing the administrator access to CounterACT. This provides assurance that the administrator has seen the message and accepted t...Rule Low Severity -
SRG-APP-000371-NDM-000296
Group -
CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
SRG-APP-000516-NDM-000336
Group -
Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...Rule Medium Severity -
SRG-APP-000166-NDM-000254
Group -
If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used.
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...Rule Medium Severity -
SRG-APP-000167-NDM-000255
Group -
If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used.
Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticat...Rule Medium Severity -
SRG-APP-000001-NDM-000200
Group -
CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.
Network device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per a...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.