III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
SRG-NET-000512-ALG-000062
The ALG must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
Discussion: Configuring the network element to implement organization-wide security implementation guides and security checklists ensures...
Severity: Medium
SRG-NET-000512-ALG-000064
The ALG that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.
Discussion: Application protocol anomaly detection examines application layer protocols such as SMTP to identify attacks based on observe...
Severity: Medium
SRG-NET-000512-ALG-000065
The ALG that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
Discussion: Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed...
Severity: Medium
SRG-NET-000512-ALG-000066
The ALG that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
Discussion: Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observe...
Severity: Medium
SRG-NET-000323-ALG-000067
The ALG that is part of a CDS must use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
Discussion: If information flow is not enforced based on approved authorizations, the system may become compromised. A mechanism to dete...
Severity: Medium
SRG-NET-000021-ALG-000068
The ALG that is part of a CDS must allow privileged administrators to enable/disable all security policy filters used to enforce information flow control.
Discussion: A crucial part of any information flow control solution is the ability to enable and disable policy filters in order to respo...
Severity: Medium
SRG-NET-000022-ALG-000069
The ALG that is part of a CDS must allow privileged administrators to configure and make changes to all security policy filters that are used to enforce information flow control.
Discussion: The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. The c...
Severity: Medium
SRG-NET-000324-ALG-000070
The ALG that is part of a CDS, when transferring information between different security domains, must use organization-defined data type identifiers to validate data essential for information flow decisions.
Discussion: Information flow decisions based on invalid data may allow unintended and unauthorized data flows, and therefore risk the con...
Severity: Medium
SRG-NET-000282-ALG-000071
The ALG that is part of a CDS must decompose information into organization-defined, policy-relevant subcomponents for submission to policy enforcement mechanisms before transferring information between different security domains.
Discussion: Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of ...
Severity: Medium
SRG-NET-000283-ALG-000072
The ALG that is part of a CDS, when transferring information between different security domains, must implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
Discussion: Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain t...
Severity: Medium
SRG-NET-000284-ALG-000073
The ALG that is part of a CDS, when transferring information between different security domains, must examine the information for the presence of organization-defined unsanctioned information.
Discussion: Without the capability to examine information, there is no means to determine the presence of information not authorized for ...
Severity: Medium
SRG-NET-000285-ALG-000074
The ALG that is part of a CDS must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
Discussion: The ability to prohibit information transfer is fundamentally necessary to prevent unintended and unauthorized data flows. Fa...
Severity: Medium
SRG-NET-000325-ALG-000075
The ALG that is part of a CDS must uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer.
Discussion: Attribution is a critical component of a security concept of operations. The ability to identify source and destination point...
Severity: Medium
SRG-NET-000326-ALG-000076
The ALG that is part of a CDS must uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer.
Discussion: Attribution is a critical component of a security concept of operations. The ability to identify source and destination point...
Severity: Medium
SRG-NET-000327-ALG-000077
The ALG that is part of a CDS must bind security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.
Discussion: If security attributes are not associated with the information being transmitted between systems, then access control policie...
Severity: Medium
SRG-NET-000328-ALG-000078
The ALG that is part of a CDS, when transferring information between different security domains, must apply the same security policy filtering to metadata as it applies to data payloads.
Discussion: Subjecting metadata to the same filtering and inspection policies as payload data helps to mitigate the risk of data compromi...
Severity: Medium
SRG-NET-000029-ALG-000079
The ALG that is part of a CDS must enforce dynamic traffic flow control based on organization-defined policies.
Discussion: Information flow policies regarding dynamic information flow control include allowing or disallowing information flows based ...
Severity: Medium
SRG-NET-000280-ALG-000080
The ALG that is part of a CDS must enforce information flow control based on organization-defined metadata.
Discussion: Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Metadata is informatio...
Severity: Medium
SRG-NET-000280-ALG-000081
The ALG that is part of a CDS must block the transfer of data with malformed security attribute metadata structures.
Discussion: Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Metadata is informatio...
Severity: Medium
SRG-NET-000032-ALG-000082
The ALG that is part of a CDS must enforce organization-defined one-way information flows using hardware mechanisms.
Discussion: Information flow control regulates where information is allowed to travel within a network and between interconnected network...
Severity: Medium
SRG-NET-000033-ALG-000083
The ALG that is part of a CDS must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
Discussion: The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. Conf...
Severity: Medium
SRG-NET-000329-ALG-000084
The ALG that is part of a CDS must enforce the use of human reviews for organization-defined information flows under organization-defined conditions.
Discussion: Without network element enforcement of human reviews, security policy filters may have false positives and false negatives in...
Severity: Medium
SRG-NET-000131-ALG-000085
The ALG must not have unnecessary services and functions enabled.
Discussion: Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of th...
Severity: Medium
SRG-NET-000131-ALG-000086
The ALG must be configured to remove or disable unrelated or unneeded application proxy services.
Discussion: Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Mult...
Severity: Medium
SRG-NET-000132-ALG-000087
The ALG must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Discussion: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
Severity: Medium