III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000001-AS-000001
<GroupDescription></GroupDescription>Group -
Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
<VulnDiscussion>Application management includes the ability to control the number of sessions that utilize an application by all accounts and...Rule Medium Severity -
SRG-APP-000014-AS-000009
<GroupDescription></GroupDescription>Group -
Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
<VulnDiscussion>Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to...Rule Medium Severity -
SRG-APP-000015-AS-000010
<GroupDescription></GroupDescription>Group -
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
<VulnDiscussion>Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious use...Rule High Severity -
SRG-APP-000068-AS-000035
<GroupDescription></GroupDescription>Group -
The Automation Controller management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
<VulnDiscussion>Automation Controller is required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to t...Rule Medium Severity -
SRG-APP-000080-AS-000045
<GroupDescription></GroupDescription>Group -
Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.
<VulnDiscussion>Automation Controller must be configured to use external logging to compile log records from multiple components within the s...Rule Medium Severity -
SRG-APP-000109-AS-000068
<GroupDescription></GroupDescription>Group -
Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern).
<VulnDiscussion>It is critical that when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure....Rule Medium Severity -
SRG-APP-000109-AS-000070
<GroupDescription></GroupDescription>Group -
Automation Controller must be configured to fail over to another system in the event of log subsystem failure.
<VulnDiscussion>Automation Controller hosts must be capable of failing over to another Automation Controller host which can handle applicatio...Rule Medium Severity -
SRG-APP-000118-AS-000078
<GroupDescription></GroupDescription>Group -
Automation Controller's log files must be accessible by explicitly defined privilege.
<VulnDiscussion>A failure of the confidentiality of Automation Controller log files would enable an attacker to identify key information abou...Rule Medium Severity -
SRG-APP-000133-AS-000093
<GroupDescription></GroupDescription>Group -
Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.
<VulnDiscussion>Any changes to the components of Automation Controller can have significant effects on the overall security of the system. I...Rule Medium Severity -
SRG-APP-000148-AS-000101
<GroupDescription></GroupDescription>Group -
Automation Controller must be configured to use an enterprise user management system.
<VulnDiscussion>Unauthenticated application servers render the organization subject to exploitation. Therefore, application servers must be u...Rule Medium Severity -
SRG-APP-000153-AS-000104
<GroupDescription></GroupDescription>Group -
Automation Controller must be configured to authenticate users individually, prior to using a group authenticator.
<VulnDiscussion>Default superuser accounts, such as "root", are considered group authenticators. In the case of Automation Controller this is...Rule Medium Severity -
SRG-APP-000172-AS-000121
<GroupDescription></GroupDescription>Group -
Automation Controller must utilize encryption when using LDAP for authentication.
<VulnDiscussion>To avoid access with malicious intent, passwords will need to be protected at all times. This includes transmission where pas...Rule Medium Severity -
SRG-APP-000290-AS-000174
<GroupDescription></GroupDescription>Group -
Automation Controller must use cryptographic mechanisms to protect the integrity of log tools.
<VulnDiscussion>Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log...Rule Medium Severity -
SRG-APP-000371-AS-000077
<GroupDescription></GroupDescription>Group -
Automation Controller must compare internal application server clocks at least every 24 hours with an authoritative time source.
<VulnDiscussion>When conducting forensic analysis and investigating system events, it is critical that timestamps accurately reflect the time...Rule Medium Severity -
SRG-APP-000427-AS-000264
<GroupDescription></GroupDescription>Group -
Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
<VulnDiscussion>An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of co...Rule Medium Severity -
SRG-APP-000456-AS-000266
<GroupDescription></GroupDescription>Group -
Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
<VulnDiscussion>Security relevant software updates must be installed within the timeframes directed by an authoritative source in order to ma...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.