II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...

Group: SRG-OS-000142-GPOS-00071
Rule (Medium Severity): SLEM 5 must be configured to use TCP syncookies.
Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
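The thirteen network rules above all come down to kernel parameters under net.ipv4 and net.ipv6 (accept_source_route for the source-routing rules, accept_redirects and send_redirects for the ICMP redirect rules, ip_forward and conf.*.forwarding for the packet-forwarding rules, tcp_syncookies for the syncookie rule). The script below is an added example and not part of the STIG or its check/fix text: it writes those parameters as a sysctl drop-in and audits a sysctl file the way `sysctl --system` reads it, where the last assignment of a key wins. The file paths are assumptions; the rules' fix text gives the authoritative locations, and a host documented as a router is permitted to keep forwarding enabled.

```shell
#!/bin/sh
# Added example, not text from the STIG: the kernel parameters behind the
# source-route, ICMP-redirect, forwarding and syncookie rules as a sysctl
# drop-in, plus an audit that reads a sysctl file the way `sysctl --system`
# does (the LAST assignment of a key wins). Paths are assumptions.

HARDENED_SYSCTL='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0'

# write_hardened_sysctl FILE: write the drop-in (e.g. /etc/sysctl.d/99-stig-net.conf,
# an assumed name).
write_hardened_sysctl() {
    printf '%s\n' "$HARDENED_SYSCTL" > "$1"
}

# value_in_file FILE KEY: last non-comment assignment of KEY in FILE, with '='
# optionally surrounded by whitespace; prints nothing if KEY is not set.
value_in_file() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# audit_sysctl_file FILE: report keys that are missing or set to a non-hardened
# value. Returns the number of findings, so 0 means the file is compliant.
audit_sysctl_file() {
    findings=0
    while IFS= read -r entry; do
        key=${entry%% =*}
        want=${entry##*= }
        got=$(value_in_file "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG    $key = $got (want $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$HARDENED_SYSCTL
EOF
    return $findings
}

# audit_running_kernel: the same comparison against the live values via sysctl(8).
# Needs a real host, so it is not exercised offline. Returns the number of findings.
audit_running_kernel() {
    findings=0
    while IFS= read -r entry; do
        key=${entry%% =*}
        want=${entry##*= }
        got=$(sysctl -n "$key" 2>/dev/null)
        if [ "$got" != "$want" ]; then
            echo "LIVE     $key = ${got:-unset} (want $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$HARDENED_SYSCTL
EOF
    return $findings
}
```

Auditing one file is not the whole check: `sysctl --system` also reads /run/sysctl.d, /usr/lib/sysctl.d and /etc/sysctl.conf, and a later file in that order can override this drop-in, so pair the file audit with `audit_running_kernel` after `sysctl --system` has been applied. The IPv6 keys only matter on hosts with IPv6 enabled.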
Group: SRG-OS-000423-GPOS-00187
Rule (High Severity): SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirem...

Group: SRG-OS-000423-GPOS-00187
Rule (High Severity): SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requireme...

Group: SRG-OS-000023-GPOS-00006
Rule (Medium Severity): SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.
Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executiv...

Group: SRG-OS-000480-GPOS-00229
Rule (High Severity): SLEM 5 must not allow unattended or automatic logon via SSH.
Failure to restrict system access via SSH to authenticated users negatively impacts SLEM 5 security.

Group: SRG-OS-000163-GPOS-00072
Rule (Medium Severity): SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or con...

Group: SRG-OS-000126-GPOS-00066
Rule (Medium Severity): SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or con...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium Severity): SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which...

Group: SRG-OS-000033-GPOS-00014
Rule (High Severity): SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information s...

Group: SRG-OS-000125-GPOS-00065
Rule (High Severity): SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an auth...

Group: SRG-OS-000250-GPOS-00093
Rule (High Severity): SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.
Without cryptographic integrity protections provided by FIPS 140-2/140-3 validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The syst...

Group: SRG-OS-000109-GPOS-00056
Rule (Medium Severity): SLEM 5 must deny direct logons to the root account using remote access via SSH.
To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...

Group: SRG-OS-000032-GPOS-00013
Rule (Medium Severity): SLEM 5 must log SSH connection attempts and failures to the server.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man...
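The SSH rules above (banner, no unattended logon, idle-session termination after 10 minutes, no X11 forwarding, approved ciphers, MACs and key exchange, no direct root logon, connection logging) map onto a handful of sshd_config keywords. The script below is an added example, not the STIG's check or fix text: it writes those keywords as a drop-in and audits a config file the way sshd actually parses it, which trips up many hand-written checks: for each keyword the first value sshd reads wins (the opposite of sysctl), keyword matching is case-insensitive, and anything after a Match line applies only conditionally. The cipher, MAC and KEX lists, the banner path and the drop-in path are illustrative assumptions; take the exact values from each rule's check/fix text.

```shell
#!/bin/sh
# Added example, not text from the STIG: sshd_config settings for the SSH rules,
# and an audit that reads a config file the way sshd does (FIRST value wins,
# keywords case-insensitive, lines after "Match" are conditional and so do not
# satisfy a global requirement). Algorithm lists and paths are assumptions.

HARDENED_SSHD='Banner /etc/issue
PermitEmptyPasswords no
ClientAliveCountMax 1
ClientAliveInterval 600
X11Forwarding no
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
PermitRootLogin no
LogLevel VERBOSE'

# write_hardened_sshd FILE: write the settings as a drop-in. Assumed path:
# /etc/ssh/sshd_config.d/00-stig.conf; it must sort before other drop-ins and be
# Included before conflicting lines, because the first value sshd reads wins.
write_hardened_sshd() {
    printf '%s\n' "$HARDENED_SSHD" > "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_sshd_value FILE KEYWORD: print the value sshd would use from FILE,
# i.e. the first non-comment assignment before any Match block; print nothing
# if the keyword is not set globally. Accepts "Keyword value" and "Keyword=value".
effective_sshd_value() {
    awk -v want="$(lc "$2")" '
    {
        line = $0
        sub(/^[[:space:]]+/, "", line)
        if (line == "" || line ~ /^#/) next
        sub(/[[:space:]]*=[[:space:]]*/, " ", line)   # normalise Keyword=value
        split(line, f, /[[:space:]]+/)
        k = tolower(f[1])
        if (k == "match") exit                       # everything after is conditional
        if (k == want) {
            v = substr(line, length(f[1]) + 1)
            sub(/^[[:space:]]+/, "", v)
            print v
            exit
        }
    }' "$1"
}

# audit_sshd_file FILE: report hardened keywords that are not set globally or
# whose effective value differs. Returns the number of findings (0 = compliant).
audit_sshd_file() {
    findings=0
    while IFS= read -r entry; do
        key=${entry%% *}
        want=${entry#* }
        got=$(effective_sshd_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want: $want)"
            findings=$((findings + 1))
        elif [ "$(lc "$got")" != "$(lc "$want")" ]; then
            echo "WRONG    $key = $got (want: $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$HARDENED_SSHD
EOF
    return $findings
}
```

The static audit only sees one file. On the host itself, `sshd -T` prints the effective configuration with Include files and compiled-in defaults resolved, and `sshd -T -C user=...,host=...,addr=...` evaluates Match blocks for a given connection, so a compliance check should confirm the values there as well as in the file that sets them.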