I - Mission Critical Public

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000120

    Group
  • The network device must protect audit information from unauthorized deletion.

    Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become compromis...
    Rule Medium Severity
  • SRG-APP-000121

    Group
  • The network device must protect audit tools from unauthorized access.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • SRG-APP-000122

    Group
  • The network device must protect audit tools from unauthorized modification.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • SRG-APP-000123

    Group
  • The network device must protect audit tools from unauthorized deletion.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on a...
    Rule Medium Severity
  • SRG-APP-000131

    Group
  • The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

    Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is r...
    Rule Medium Severity
  • SRG-APP-000133

    Group
  • The network device must limit privileges to change the software resident within software libraries.

    Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed ...
    Rule Medium Severity
  • SRG-APP-000142

    Group
  • The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...
    Rule High Severity
  • SRG-APP-000148

    Group
  • The network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.

    Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server i...
    Rule Medium Severity
  • SRG-APP-000153

    Group
  • The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.

    To ensure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator i...
    Rule Medium Severity
  • SRG-APP-000156

    Group
  • The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.

    A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...
    Rule Medium Severity
  • SRG-APP-000164

    Group
  • The network device must enforce a minimum 15-character password length.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to d...
    Rule Medium Severity
  • SRG-APP-000166

    Group
  • The network device must enforce password complexity by requiring that at least one uppercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...
    Rule Medium Severity
  • SRG-APP-000167

    Group
  • The network device must enforce password complexity by requiring that at least one lowercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-APP-000168

    Group
  • The network device must enforce password complexity by requiring that at least one numeric character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-APP-000169

    Group
  • The network device must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-APP-000170

    Group
  • The network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

    If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at ...
    Rule Medium Severity
  • SRG-APP-000171

    Group
  • The network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
  • SRG-APP-000172

    Group
  • The network device must transmit only encrypted representations of passwords.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
  • SRG-APP-000178

    Group
  • The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

    To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the network device must not provide any information that would allow a...
    Rule High Severity
  • SRG-APP-000179

    Group
  • The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.

    Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be...
    Rule High Severity
  • SRG-APP-000190

    Group
  • The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule High Severity
  • SRG-APP-000220

    Group
  • The network device must invalidate session identifiers upon administrator logout or other session termination.

    Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and to continue to employ previously valid session IDs. This requirement is app...
    Rule Medium Severity
  • SRG-APP-000223

    Group
  • The network device must recognize only system-generated session identifiers.

    Network device management web interfaces utilize sessions and session identifiers to control management interface behavior and administrator access. If an attacker can guess the session identifier ...
    Rule Medium Severity
  • SRG-APP-000224

    Group
  • The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.

    Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force att...
    Rule Medium Severity
  • SRG-APP-000231

    Group
  • The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

    This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network de...
    Rule High Severity