
DBN-6300 NDM Security Technical Implementation Guide


Overview

Date: 2017-09-15
Finding Count (58): CAT I (High): 4, CAT II (Med): 42, CAT III (Low): 12
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-76951 High The DBN-6300 must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
V-64975 High The DBN-6300 must provide automated support for account management functions.
V-76975 High The DBN-6300 must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-77019 High The DBN-6300 must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
V-76955 Medium The DBN-6300 must use multifactor authentication for local access to privileged accounts.
V-76999 Medium Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
V-76957 Medium The DBN-6300 must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-76953 Medium The DBN-6300 must use multifactor authentication for network access (remote and nonlocal) to privileged accounts.
V-76991 Medium The DBN-6300 must synchronize its internal system clock to the NTP server when the time difference is greater than one second.
V-76993 Medium The DBN-6300 must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
V-76959 Medium The DBN-6300 must enforce a minimum 15-character password length.
V-76997 Medium The DBN-6300 must audit the enforcement actions used to restrict access associated with changes to the device.
V-76973 Medium The DBN-6300 must enforce a 60-day maximum password lifetime restriction.
V-76971 Medium The DBN-6300 must enforce 24 hours/1 day as the minimum password lifetime.
V-76977 Medium The DBN-6300 must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
V-64989 Medium The DBN-6300 must automatically audit account removal actions.
V-76929 Medium The DBN-6300 must generate log records when successful attempts to access privileges occur.
V-77017 Medium The DBN-6300 must off-load audit records onto a different system or media than the system being audited.
V-77015 Medium The DBN-6300 must generate audit records for all account creation, modification, disabling, and termination events.
V-76985 Medium The DBN-6300 must audit the execution of privileged functions.
V-77013 Medium The DBN-6300 must generate audit records when concurrent logons from different workstations occur.
V-77011 Medium The DBN-6300 must generate audit records showing starting and ending time for administrator access to the system.
V-76981 Medium The DBN-6300 must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
V-64983 Medium The DBN-6300 must automatically audit account creation.
V-64985 Medium The DBN-6300 must automatically audit account modification.
V-64987 Medium The DBN-6300 must be compliant with at least one IETF Internet standard authentication protocol.
V-76983 Medium The DBN-6300 must automatically audit account enabling actions.
V-76947 Medium The DBN-6300 must use internal system clocks to generate time stamps for audit records.
V-76995 Medium The DBN-6300 must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-76969 Medium If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one special character be used.
V-76961 Medium The DBN-6300 must prohibit password reuse for a minimum of five generations.
V-76963 Medium If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one upper-case character be used.
V-76965 Medium If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one lower-case character be used.
V-76967 Medium If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one numeric character be used.
V-64997 Medium The DBN-6300 must provide audit record generation capability for DoD-defined auditable events within the DBN-6300.
V-64995 Medium The DBN-6300 must generate audit log events for a locally developed list of auditable events.
V-64991 Medium The DBN-6300 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-76979 Medium The DBN-6300 must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
V-77001 Medium Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
V-77005 Medium The DBN-6300 must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-77007 Medium The DBN-6300 must generate audit records when successful/unsuccessful logon attempts occur.
V-77003 Medium The DBN-6300 must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-77009 Medium The DBN-6300 must generate audit records for privileged activities or other system-level access.
V-76989 Medium The DBN-6300 must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-77023 Medium The DBN-6300 must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-77021 Medium Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.
V-76937 Low The DBN-6300 must produce audit records containing information to establish where the events occurred.
V-76935 Low The DBN-6300 must produce audit records containing information to establish when (date and time) the events occurred.
V-76933 Low The DBN-6300 must produce audit log records containing sufficient information to establish what type of event occurred.
V-76931 Low The DBN-6300 must initiate session auditing upon startup.
V-76939 Low The DBN-6300 must produce audit log records containing information to establish the source of events.
V-76987 Low The DBN-6300 must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near real time.
V-76943 Low The DBN-6300 must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-76941 Low The DBN-6300 must produce audit records that contain information to establish the outcome of the event.
V-76945 Low The DBN-6300 must generate audit records containing the full-text recording of privileged commands.
V-76949 Low The DBN-6300 must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-76927 Low The DBN-6300 must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the audit log.
V-64993 Low The DBN-6300 must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.