Skip to content

I - Mission Critical Sensitive

Rules and Groups employed by this XCCDF Profile

  • DRAG-OT-000650

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must configure local password policies.

    &lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is comprom...
    Rule Medium Severity
  • DRAG-OT-000370

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must have notification and audit services installed.

    &lt;VulnDiscussion&gt;Installing the Knowledge Pack(s) is essential for the Dragos Platform to provide comprehensive security monitoring, complianc...
    Rule Medium Severity
  • DRAG-OT-000500

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must have disk encryption enabled on a virtual machines (VMs).

    &lt;VulnDiscussion&gt;Enabling disk encryption on VMs running the Dragos Platform is a critical security measure to protect sensitive data, ensure ...
    Rule Medium Severity
  • DRAG-OT-001010

    <GroupDescription></GroupDescription>
    Group
  • Dragos must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device.

    &lt;VulnDiscussion&gt;Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at ...
    Rule Medium Severity
  • DRAG-OT-001430

    <GroupDescription></GroupDescription>
    Group
  • Dragos Platform must allocate audit record storage retention length.

    &lt;VulnDiscussion&gt;In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be ...
    Rule Medium Severity
  • DRAG-OT-000610

    <GroupDescription></GroupDescription>
    Group
  • Dragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.

    &lt;VulnDiscussion&gt;Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to pr...
    Rule Medium Severity
  • DRAG-OT-001910

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.

    &lt;VulnDiscussion&gt;Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that se...
    Rule Medium Severity
  • DRAG-OT-000090

    <GroupDescription></GroupDescription>
    Group
  • Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.

    &lt;VulnDiscussion&gt;Enterprise environments make application account management challenging and complex. A manual process for account management ...
    Rule Medium Severity
  • DRAG-OT-001630

    <GroupDescription></GroupDescription>
    Group
  • The Syslog client must use TCP connections.

    &lt;VulnDiscussion&gt;Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of de...
    Rule Medium Severity
  • DRAG-OT-000240

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must only allow local administrative and service user accounts.

    &lt;VulnDiscussion&gt;Only two default accounts facilitate the initial setup and configuration of the Platform. These accounts provide immediate ac...
    Rule Medium Severity
  • DRAG-OT-002480

    <GroupDescription></GroupDescription>
    Group
  • Before establishing a network connection with a Network Time Protocol (NTP) server, Dragos Platform must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server.

    &lt;VulnDiscussion&gt;Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authenticati...
    Rule Medium Severity
  • DRAG-OT-000020

    <GroupDescription></GroupDescription>
    Group
  • Dragos must configure idle timeouts at 10 minutes.

    &lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinit...
    Rule Medium Severity
  • DRAG-OT-000520

    <GroupDescription></GroupDescription>
    Group
  • Dragos Platforms must limit privileges and not allow the ability to run shell.

    &lt;VulnDiscussion&gt;If Dragos Platform were to allow any user to make changes to software libraries, then those changes might be implemented with...
    Rule High Severity
  • DRAG-OT-001750

    <GroupDescription></GroupDescription>
    Group
  • Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.

    &lt;VulnDiscussion&gt;The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized ...
    Rule Medium Severity
  • DRAG-OT-000220

    <GroupDescription></GroupDescription>
    Group
  • The publicly accessible Dragos Platform application must display the Standard Mandatory DOD Notice and Consent Banner before granting access to Dragos Platform.

    &lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible application ensures...
    Rule Medium Severity
  • DRAG-OT-000200

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.

    &lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...
    Rule Medium Severity
  • DRAG-OT-000490

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must be configured to send backup audit records.

    &lt;VulnDiscussion&gt;Configuring the Dragos Platform to send out backup audit records is a critical best practice for ensuring the security, integ...
    Rule Medium Severity
  • DRAG-OT-001190

    <GroupDescription></GroupDescription>
    Group
  • The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.

    &lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules