I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-NDM-000350
Group -
The ICS must be configured to send admin log data to a redundant central log server.
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in se...Rule High Severity -
SRG-APP-000340-NDM-000288
Group -
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privilege...Rule High Severity -
SRG-APP-000343-NDM-000289
Group -
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...Rule Medium Severity -
SRG-APP-000395-NDM-000310
Group -
If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC).
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the...Rule Medium Severity -
SRG-APP-000395-NDM-000347
Group -
The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will mak...Rule Medium Severity -
SRG-APP-000374-NDM-000299
Group -
The ICS must be configured to record time stamps for audit records that can be mapped to Greenwich Mean Time (GMT).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim...Rule Medium Severity -
SRG-APP-000357-NDM-000293
Group -
The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements.
In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit ...Rule Medium Severity -
SRG-APP-000169-NDM-000257
Group -
The ICS must be configured to enforce password complexity by requiring that at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
SRG-APP-000148-NDM-000346
Group -
The ICS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server i...Rule Medium Severity -
SRG-APP-000190-NDM-000267
Group -
The ICS must be configured to terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule High Severity -
SRG-APP-000149-NDM-000247
Group -
The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.
MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e....Rule High Severity -
SRG-APP-000373-NDM-000298
Group -
The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other ...Rule Medium Severity -
SRG-APP-000516-NDM-000344
Group -
The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
For user certificates, each organization obtains certificates from an approved and shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastruct...Rule Medium Severity -
SRG-APP-000516-NDM-000341
Group -
The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation.
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configur...Rule Medium Severity -
SRG-APP-000516-NDM-000351
Group -
The ICS must be configured to run an operating system release that is currently supported by Ivanti.
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.Rule High Severity -
SRG-APP-000164-NDM-000252
Group -
The ICS must be configured to enforce a minimum 15-character password length.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to d...Rule Medium Severity -
SRG-APP-000172-NDM-000259
Group -
The ICS must be configured to transmit only encrypted representations of passwords.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...Rule High Severity -
SRG-APP-000170-NDM-000329
Group -
The ICS must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at ...Rule Medium Severity -
SRG-APP-000168-NDM-000256
Group -
The ICS must be configured to enforce password complexity by requiring that at least one numeric character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
SRG-APP-000167-NDM-000255
Group -
The ICS must be configured to enforce password complexity by requiring that at least one lowercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
SRG-APP-000166-NDM-000254
Group -
The ICS must be configured to enforce password complexity by requiring that at least one uppercase character be used.
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...Rule Medium Severity -
SRG-APP-000175-NDM-000262
Group -
The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within the DOD. However, there are many reasons a certif...Rule High Severity -
SRG-APP-000091-NDM-000223
Group -
The ICS must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-APP-000001-NDM-000200
Group -
The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administr...Rule Medium Severity -
SRG-APP-000068-NDM-000215
Group -
The ICS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to manage the device.
Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executi...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.