
I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000158

    Group
  • AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the d...
    Rule Medium Severity
  • SRG-APP-000164

    Group
  • AAA Services must be configured to enforce a minimum 15-character password length.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to d...
    Rule Medium Severity
  • SRG-APP-000166

    Group
  • AAA Services must be configured to enforce password complexity by requiring that at least one uppercase character be used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...
    Rule Medium Severity
  • SRG-APP-000167

    Group
  • AAA Services must be configured to enforce password complexity by requiring that at least one lowercase character be used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...
    Rule Medium Severity
  • SRG-APP-000168

    Group
  • AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...
    Rule Medium Severity
  • SRG-APP-000169

    Group
  • AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...
    Rule Medium Severity
  • SRG-APP-000170

    Group
  • AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and...
    Rule Medium Severity
  • SRG-APP-000171

    Group
  • For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.

    Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp...
    Rule High Severity
  • SRG-APP-000172

    Group
  • AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.

    Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily co...
    Rule High Severity
  • SRG-APP-000173

    Group
  • AAA Services must be configured to enforce 24 hours as the minimum password lifetime.

    Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to...
    Rule Medium Severity
  • SRG-APP-000174

    Group
  • AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked; therefore, passwords must be changed at specific intervals. One method of minimizing this risk is to use complex passwords and peri...
    Rule Medium Severity
  • SRG-APP-000175

    Group
  • AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule High Severity
  • SRG-APP-000175

    Group
  • AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule High Severity
  • SRG-APP-000176

    Group
  • AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.

    If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key use...
    Rule Medium Severity
  • SRG-APP-000177

    Group
  • AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.

    Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
    Rule Medium Severity
  • SRG-APP-000231

    Group
  • AAA Services must be configured to protect the confidentiality and integrity of all information at rest.

    Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices...
    Rule High Severity
  • SRG-APP-000234

    Group
  • AAA Services must be configured to prevent automatically removing emergency accounts.

    Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation ...
    Rule Medium Severity
  • SRG-APP-000234

    Group
  • AAA Services must be configured to prevent automatically disabling emergency accounts.

    Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation ...
    Rule Low Severity
  • SRG-APP-000291

    Group
  • AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are created.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply ...
    Rule Medium Severity
  • SRG-APP-000292

    Group
  • AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified.

    When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notif...
    Rule Medium Severity
  • SRG-APP-000293

    Group
  • AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account disabling actions.

    When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notif...
    Rule Medium Severity
  • SRG-APP-000294

    Group
  • AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions.

    When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of a...
    Rule Medium Severity
  • SRG-APP-000319

    Group
  • AAA Services must be configured to automatically audit account enabling actions.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply e...
    Rule Medium Severity
  • SRG-APP-000320

    Group
  • AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply e...
    Rule Medium Severity
  • SRG-APP-000345

    Group
  • AAA Services must be configured to maintain locks on user accounts until released by an administrator.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...
    Rule Medium Severity
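The password rules above (SRG-APP-000164 through SRG-APP-000171) describe checks that any password-based AAA back end has to implement somewhere. The following is an added example, not part of the SRG and not any vendor's AAA implementation, showing one way to enforce them together: the 15-character minimum, the four complexity classes, the "at least eight characters changed" rule at password-change time, and storage with a salted key derivation function that is then keyed with a server-side secret. The function names, the PBKDF2 iteration count, the "pepper" value and the choice of edit distance as the measure of "characters changed" are assumptions made for the example.

```python
# Added example, not part of the SRG or any vendor's AAA implementation.
# It shows one way to enforce the password rules listed on this page in a
# password-based AAA back end:
#   SRG-APP-000164       minimum length of 15
#   SRG-APP-000166..169  at least one upper, lower, digit and special character
#   SRG-APP-000170       at least eight characters changed on a password change
#   SRG-APP-000171       storage with a salted KDF, keyed with a server-side secret
# The function names, the iteration count, the "pepper" and the use of edit
# distance as the measure of "characters changed" are assumptions.
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 15
MIN_CHANGED = 8
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


def complexity_violations(password: str) -> List[str]:
    """Return the IDs of the length/complexity rules the candidate violates."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("SRG-APP-000164")
    if not any(c.isupper() for c in password):
        violations.append("SRG-APP-000166")
    if not any(c.islower() for c in password):
        violations.append("SRG-APP-000167")
    if not any(c.isdigit() for c in password):
        violations.append("SRG-APP-000168")
    if not any(c in string.punctuation for c in password):
        violations.append("SRG-APP-000169")
    return violations


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the assumed meaning of 'characters changed'.
    Unlike a position-by-position compare, it is not defeated by shifting
    or rotating the old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, then HMAC under a server-side pepper so a
    copied credential table cannot be attacked without the pepper as well."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    tag = hmac.new(pepper, dk, "sha256").digest()
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    alg, iters, salt_hex, tag_hex = stored.split("$")
    if alg != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    tag = hmac.new(pepper, dk, "sha256").digest()
    return hmac.compare_digest(tag, bytes.fromhex(tag_hex))


def change_password(old: str, new: str, stored_old: str, pepper: bytes) -> str:
    """Password-change flow: prove the old password, then enforce the policy."""
    if not verify_password(old, stored_old, pepper):
        raise PermissionError("old password does not verify")
    problems = complexity_violations(new)
    if edit_distance(old, new) < MIN_CHANGED:
        problems.append("SRG-APP-000170")
    if problems:
        raise ValueError("password policy violations: " + ", ".join(problems))
    return hash_password(new, pepper)


if __name__ == "__main__":
    pepper = b"assumed-server-side-pepper"   # in practice kept in an HSM or secret store
    stored = hash_password("Correct-Horse-Battery-9", pepper)
    print(stored)
    print(change_password("Correct-Horse-Battery-9",
                          "Purple.Monkey.Dishwasher-42", stored, pepper))
```

The stored string carries the algorithm, iteration count and salt, so the work factor can be raised later without invalidating existing records; the pepper is deliberately not stored alongside the hash, which is what makes the construction a keyed hash in the sense of SRG-APP-000171.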
