
The IDPS must be configured to automatically disable itself if any of the organizationally defined lists of security events are detected.


Overview

Finding ID: SRG-NET-000037-IDPS-000157
Version: SRG-NET-000037-IDPS-000157
Rule ID: SRG-NET-000037-IDPS-000157_rule
IA Controls: (none listed)
Severity: Medium
Description
To reduce or eliminate the risk to the network, the IDPS must be configured to disable itself and its components if the IDPS itself is compromised. A list of known attacks against the IDPS itself must be included in the rules. Since the IDPS is a major part of the network's protection and defense system, a compromised IDPS may allow malicious attacks to bypass the network's controls.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text ( C-43297_chk )
View the IDPS configuration.
Determine if it is configured to automatically disable or block devices using anomaly detection, misuse detection (signature detection), or target monitoring.

If the IDPS is not configured to disable itself upon detecting an organizationally defined list of security events, this is a finding.
Fix Text (F-43297_fix)
Configure the IDPS to disable itself when organizationally defined events that indicate the IDPS itself has been compromised are detected.