{
"stig": {
"date": "2012-11-19",
"description": "The IDPS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
"findings": {
"V-34462": {
"checkid": "C-42527r1_chk",
"checktext": "Verify account management functions (e.g., account creation, termination, updates, and account policy updates) are automatically implemented using automated account management functions.\n\nIf the IDPS components do not provide automatic support for account management functions, this is a finding.",
"description": "Since the accounts in the IDPS are privileged or system level accounts, account management and distribution is vital to the security of the IDPS. If an attacker compromises an account, IDPS components (e.g., sensors, management console/server, and load balancers) are at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels.\n\nAs accounts are created or terminated and privilege levels are updated, the IDPS must be configured such that it automatically recognizes and supports this activity and immediately enforces the current account policy.\n\nIDPS applications do not use specific accounts other than for administrative purposes. This requirement is applicable for temporary accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.",
"fixid": "F-38577r1_fix",
"fixtext": "Configure the IDPS to automatically perform account management functions (e.g., account creation, termination, updates, and account policy updates).",
"iacontrols": null,
"id": "V-34462",
"ruleID": "SV-45181r1_rule",
"severity": "low",
"title": "The IDPS must provide automated support for account management functions.",
"version": "SRG-NET-000001-IDPS-00001"
},
"V-34463": {
"checkid": "C-42532r1_chk",
"checktext": "If the site's security plan does not permit the use of temporary accounts for access to the IDPS, this is not a finding.\nReview the IDPS to ensure the system is configured to automatically terminate temporary accounts after an organizationally defined time period.\n\nIf the IDPS components do not automatically terminate temporary accounts after an organizationally defined time period based on the type of account, this is a finding.",
"description": "Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Temporary accounts are not to be confused with infrequently used accounts (e.g., local login accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates.\n\nIf these accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the IDPS since these accounts have elevated privileges. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.",
"fixid": "F-38579r1_fix",
"fixtext": "Configure the IDPS to automatically terminate temporary accounts after an organizationally defined time period based on the type of account.",
"iacontrols": null,
"id": "V-34463",
"ruleID": "SV-45186r1_rule",
"severity": "medium",
"title": "The IDPS must automatically terminate temporary accounts after an organizationally defined time period for each type of account.",
"version": "SRG-NET-000002-IDPS-00002"
},
"V-34464": {
"checkid": "C-42534r1_chk",
"checktext": "If the site's security plan does not permit the use of emergency accounts for access to the IDPS, this is not a finding.\nReview the IDPS to ensure the system is configured to automatically terminate emergency accounts after an organizationally defined time period.\n\nIf the IDPS components do not automatically terminate emergency accounts after an organizationally defined time period, this is a finding.",
"description": "Emergency accounts are established in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts are not to be confused with infrequently used accounts (e.g., local login accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates.\n\nIf these accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the IDPS since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation.\n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.",
"fixid": "F-38582r1_fix",
"fixtext": "Configure the IDPS to automatically terminate emergency accounts after an organizationally defined time period.",
"iacontrols": null,
"id": "V-34464",
"ruleID": "SV-45188r1_rule",
"severity": "low",
"title": "The IDPS must automatically terminate emergency accounts after an organizationally defined time period.",
"version": "SRG-NET-000003-IDPS-00003"
},
"V-34465": {
"checkid": "C-42536r2_chk",
"checktext": "Review the account settings to determine if the IDPS automatically disables inactive accounts after an organizationally defined time period. \n\nIf the ability to disable inactive accounts is not automated or utilized, this is a finding.",
"description": "Since the accounts in the IDPS are privileged or system level accounts, account management is vital to the security of the IDPS. Inactive accounts could be reactivated or compromised by unauthorized users allowing exploitation of vulnerabilities and undetected access to the IDPS. \n\nThe control does not include emergency administration accounts which are meant for access to the IDPS components in case of network failure. These accounts must not be automatically disabled.\n\nThis requirement is applicable for accounts created or maintained using the IDPS application. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.",
"fixid": "F-38584r1_fix",
"fixtext": "Configure the IDPS to automatically disable inactive accounts after an organizationally defined time period of inactivity.",
"iacontrols": null,
"id": "V-34465",
"ruleID": "SV-45189r1_rule",
"severity": "low",
"title": "The IDPS must automatically disable inactive accounts after an organizationally defined time period of inactivity.",
"version": "SRG-NET-000004-IDPS-00004"
},
"V-34466": {
"checkid": "C-42538r1_chk",
"checktext": "Navigate to the event log configuration or the account creation module on the management console.\nVerify the system is configured to log all account creation events. \n\nIf account creation events are not logged, this is a finding.",
"description": "Since the accounts in the IDPS are privileged or system level accounts, account management is vital to the security of the IDPS. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method and best practice for mitigating this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper security clearance may gain access to critical network nodes. \n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nTo support this auditing requirement, the IDPS account and audit management functions must be configured to transmit these types of events to the site's central audit server (e.g., SYSLOG server), as required by CCI-000136.",
"fixid": "F-38586r1_fix",
"fixtext": "Configure the IDPS to log all account creation events.",
"iacontrols": null,
"id": "V-34466",
"ruleID": "SV-45191r1_rule",
"severity": "low",
"title": "The IDPS must automatically audit the creation of accounts.",
"version": "SRG-NET-000005-IDPS-00005"
},
"V-34467": {
"checkid": "C-42540r1_chk",
"checktext": "Verify the list of configured alerts includes a notice for account creation. \nVerify the notice is sent to appropriate individuals. \nIf there is not a viewable configurable option, request the administrator create an account and validate that notifications are sent to the appropriate individuals.\n\nIf the system is not configured to notify the appropriate individuals when accounts are created, this is a finding.",
"description": "Because the accounts used to access the IDPS components are privileged or system level accounts, account management is vital to the security of the system. In order to detect and respond to events affecting user accessibility and IDPS service processing, the system must audit account creation and, when required, notify the appropriate individuals, so they can investigate the event to ensure its validity. Such a capability greatly reduces the risk of unauthorized access to the system and provides logging that can be used for forensic purposes.\n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.",
"fixid": "F-38588r1_fix",
"fixtext": "Configure the management console to send a notification message to appropriate individuals (e.g., designated system administrators and/or account holder) when accounts are created.",
"iacontrols": null,
"id": "V-34467",
"ruleID": "SV-45193r1_rule",
"severity": "low",
"title": "The IDPS must notify the appropriate individuals when accounts are created.",
"version": "SRG-NET-000006-IDPS-00006"
},
"V-34468": {
"checkid": "C-42541r1_chk",
"checktext": "Verify the list of configured audit events includes a notice for account modification, such as changes to access or privileges.\nIf there is not a viewable, configurable option, request the administrator modify an account and view the logs generated to validate the account modification is logged. \n\nIf account modification events are not logged, this is a finding.",
"description": "Since the accounts in the IDPS are privileged or system level accounts, account management is vital to the security of the IDPS. Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.\n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nTo support the auditing requirement, the IDPS account and audit management functions must be configured to transmit events to the site's central audit server (e.g., SYSLOG server), as required by CCI-000136.",
"fixid": "F-38589r1_fix",
"fixtext": "Configure the IDPS to log all account modifications (e.g., changes to access or privileges).",
"iacontrols": null,
"id": "V-34468",
"ruleID": "SV-45194r1_rule",
"severity": "low",
"title": "The IDPS must automatically audit account modification.",
"version": "SRG-NET-000007-IDPS-00007"
},
"V-34469": {
"checkid": "C-42542r1_chk",
"checktext": "Verify the list of configured alerts includes a notice for account modification, such as changes to access or privileges.\nIf there is not a viewable, configurable option, request the administrator modify an account and validate that notification is sent to the appropriate individuals.\n\nIf the system is not configured to notify the appropriate individuals when accounts are modified, this is a finding.",
"description": "Because the accounts used to access the IDPS components are privileged or system level accounts, account management is vital to the security of the system. In order to respond to events affecting user accessibility and IDPS service processing, the system must audit account modification and, when required, notify the appropriate individuals, so they can investigate the event to ensure its validity. Such a capability greatly reduces the risk of unauthorized access to the system and provides logging that can be used for forensic purposes.\n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.",
"fixid": "F-38590r1_fix",
"fixtext": "Configure the device to notify appropriate individuals (e.g., designated system administrators and/or account holder) when any modification is made to the account (e.g., changes to account privileges).",
"iacontrols": null,
"id": "V-34469",
"ruleID": "SV-45195r1_rule",
"severity": "low",
"title": "The IDPS must notify the appropriate individuals when accounts are modified.",
"version": "SRG-NET-000008-IDPS-00008"
},
"V-34470": {
"checkid": "C-42543r1_chk",
"checktext": "Verify the list of configured audits includes logging of account disabling events. \nIf there is not a viewable, configurable option, request the administrator disable an account and view the logs generated to validate the account disabling is logged.\n\nIf account disabling events are not logged, this is a finding.",
"description": "Account management, as a whole, ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When application accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required. \n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nTo support this auditing requirement, the IDPS account and audit management functions must be configured to transmit these types of events to the site's central audit server (e.g., SYSLOG server), as required by CCI-000136.",
"fixid": "F-38591r1_fix",
"fixtext": "Configure the IDPS to log all account disabling events.",
"iacontrols": null,
"id": "V-34470",
"ruleID": "SV-45196r1_rule",
"severity": "low",
"title": "The IDPS must automatically audit account disabling actions.",
"version": "SRG-NET-000009-IDPS-00009"
},
"V-34471": {
"checkid": "C-42545r1_chk",
"checktext": "Review the IDPS configuration to determine if the system notifies the appropriate individuals when accounts are disabled. \nIf there is not a viewable, configurable option, request the administrator disable an account and verify that a notification is sent to the appropriate individuals. \n\nIf the appropriate individuals are not notified upon account disabling actions, this is a finding.",
"description": "Account management by a designated authority ensures access to the IDPS is controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification, along with an automatic notification to appropriate individuals, will provide the necessary reconciliation that account management procedures are being followed. Disabling of accounts must be monitored to ensure authorized active accounts remain enabled and available for use when required. \n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nFor the IDPS, notifying designated system administrators and the account owner will provide an alert, so the account can be enabled if it had been disabled by mistake.",
"fixid": "F-38592r1_fix",
"fixtext": "Configure the management console to send an alert to the appropriate individuals (e.g., designated administrator and/or account owner) when the account is disabled.",
"iacontrols": null,
"id": "V-34471",
"ruleID": "SV-45197r1_rule",
"severity": "low",
"title": "The IDPS must notify the appropriate individuals when the account has been disabled.",
"version": "SRG-NET-000010-IDPS-00010"
},
"V-34472": {
"checkid": "C-42546r1_chk",
"checktext": "Verify the list of configured audit events includes a notice for account termination. \nIf there is not a viewable, configurable option, request the administrator terminate an account and view the logs generated to validate the account termination is logged.\n\nIf account termination events are not logged, this is a finding.",
"description": "Account management, as a whole, ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel. Auditing account termination will support account management procedures. When application accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required. \n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nTo support this auditing requirement, the IDPS account and audit management functions must be configured to transmit these types of events to the site's central audit server (e.g., SYSLOG server), as required by CCI-000136.",
"fixid": "F-38594r1_fix",
"fixtext": "Configure the IDPS to log all account termination events.",
"iacontrols": null,
"id": "V-34472",
"ruleID": "SV-45198r1_rule",
"severity": "low",
"title": "The IDPS must automatically audit account termination.",
"version": "SRG-NET-000011-IDPS-00011"
},
"V-34473": {
"checkid": "C-42547r2_chk",
"checktext": "Verify the list of configured alerts includes a notice for account termination events to appropriate individuals (e.g., system administrator, account owner).\nIf there is not a viewable, configurable option, request the administrator terminate an account and verify notification is sent to the appropriate individuals. \n\nIf the system is not configured to notify appropriate individuals whose account has been terminated, this is a finding.",
"description": "Account management by a designated authority ensures access to the IDPS is being controlled by granting access only to authorized personnel with the appropriate and necessary privileges. Automatic notification of account termination to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the termination of accounts is monitored to ensure authorized accounts remain active and available for use when required. \n\nThis requirement is applicable for accounts created or maintained using the IDPS application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nFor the IDPS, notifying designated system administrators and the account owner will provide an alert, so the account can be enabled if it had been disabled by mistake.",
"fixid": "F-38595r2_fix",
"fixtext": "Configure the management console to send an alert to appropriate individuals (e.g., system administrator, account owner) when accounts are terminated.",
"iacontrols": null,
"id": "V-34473",
"ruleID": "SV-45199r1_rule",
"severity": "low",
"title": "The IDPS must notify the appropriate individuals for account termination.",
"version": "SRG-NET-000012-IDPS-00012"
},
"V-34475": {
"checkid": "C-42587r1_chk",
"checktext": "Review the IDPS audit configuration to determine if an audit log entry is generated that includes account usage information. \n\nIf the IDPS audit configuration parameters are set to log values outside of normal usage, as determined by the configuration management plan, this is a finding.",
"description": "Atypical account usage is behavior that is not part of normal usage cycles (e.g., large amounts of user account activity occurring after hours or on weekends). A comprehensive account management process will ensure that an audit trail exists which documents the use of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that compromised user accounts will continue to be used by unauthorized persons and provides logging that can be used for forensic purposes. \n\nSecurity for the operating system or authentication server accounts is beyond the scope of this security guide. This requirement applies to accounts created and managed on or by the IDPS components.",
"fixid": "F-38634r1_fix",
"fixtext": "Configure the IDPS management console/server to monitor for irregular usage of IDPS administrative user accounts.",
"iacontrols": null,
"id": "V-34475",
"ruleID": "SV-45238r1_rule",
"severity": "low",
"title": "The IDPS must monitor for unusual usage of administrative user accounts.",
"version": "SRG-NET-000013-IDPS-00013"
},
"V-34476": {
"checkid": "C-42588r1_chk",
"checktext": "Verify changes to account privileges are configured to dynamically manage account privileges and associated access authorizations. \n\nIf changes to account privileges are not dynamically updated, this is a finding.",
"description": "In contrast to conventional access control methods which use static information system accounts and predefined sets of account privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run time access control decisions facilitated by dynamic privilege management. While account identities may remain relatively constant over time, account privileges may change more frequently based on ongoing mission/business requirements and operational needs of organizations. \n\nDynamic privilege management includes immediate revocation of privileges (not requiring users terminate and restart the session to reflect changes in privileges). Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules, rather than the editing of specific user profiles. Other mechanisms include making automatic adjustments to privileges if accounts are operating out of normal work times, if information systems are under duress, or in emergency maintenance situations. If the IDPS is not configured to dynamically manage account privileges and associated access authorizations to meet security policies, then unauthorized entities may gain access to the information.",
"fixid": "F-38635r1_fix",
"fixtext": "Configure the IDPS to use dynamic privilege management mechanisms.\nEmploy these mechanisms to automatically adjust changes to account privileges and take immediate effect without the need for restarting the session.",
"iacontrols": null,
"id": "V-34476",
"ruleID": "SV-45239r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to dynamically manage account privileges and associated access authorizations.",
"version": "SRG-NET-000014-IDPS-00014"
},
"V-34481": {
"checkid": "C-42603r1_chk",
"checktext": "Verify access to each IDPS component is configured to enforce approved authorizations for logon. \n\nIf IDPS components are not configured to enforce approved authorizations for logical access to each component in accordance with applicable policy, this is a finding.",
"description": "Depending on the implementation, accounts used for administrator access to the IDPS components may be defined in the management console, sensor application, sensor operating system, or the network authentication server. In some systems the account is created on the authentication server; however, privileges for the IDPS are assigned and managed from the IDPS console. Enforcement of approved authorizations for access control allows granularity of privilege assignments for each administrator and ensures only authorized users have access to certain commands and functions on the IDPS. A good best practice is to allow emergency and required accounts on the IDPS components. Remaining administrator accounts are then defined on an authentication, authorization, and accounting (AAA) server. By configuring the IDPS to collaborate with an authentication server, it can enforce the appropriate authorization for each administrator. If management of authorizations and privileges is not enforced, it is difficult to track and manage user authorizations and privileges; and there is an increased risk of misconfiguration.\n\nThis requirement applies to account privileges and logical access which are managed and controlled by the IDPS rather than the operating system or network authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.\n\nSecurity for the operating system or authentication server accounts is beyond the scope of this security guide. This requirement does not apply to local emergency accounts which should be used sparingly.",
"fixid": "F-38652r1_fix",
"fixtext": "Configure each IDPS component to enforce account privileges for logical access to the device.\nIf an authentication server is used, special IDPS application privileges and authorizations must either be configured in the authentication server or synchronized once configured on the IDPS.",
"iacontrols": null,
"id": "V-34481",
"ruleID": "SV-45256r1_rule",
"severity": "medium",
"title": "The IDPS must enforce approved authorizations for logical access to IDPS components in accordance with applicable policy.",
"version": "SRG-NET-000015-IDPS-00015"
},
"V-34482": {
"checkid": "C-42605r1_chk",
"checktext": "Inspect the management console configuration. Verify the settings enabling dual authorization are configured. Verify these settings cannot be disabled without dual authorization.\n\nIf the IDPS settings to enable dual authorization are not enabled, this is a finding.",
"description": "Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or IDPS configuration changes require dual authorization before being activated. However, an organization should not employ dual authorization mechanisms when an immediate response is necessary to ensure public and environmental safety. If dual authorization is not automatically enforced by the system, system administrators would be able to change the system configuration without oversight from a second administrator when required by the site security policy.\n\nIf dual authorization is a requirement for the site, this control applies to the IDPS sensor logs and other files.",
"fixid": "F-38654r1_fix",
"fixtext": "Enable IDPS settings to require dual authorization for organizationally defined privileged commands.",
"iacontrols": null,
"id": "V-34482",
"ruleID": "SV-45258r1_rule",
"severity": "medium",
"title": "The IDPS must enforce dual authorization based on organizational policies and procedures for organizationally defined privileged commands.",
"version": "SRG-NET-000016-IDPS-00016"
},
"V-34483": {
"checkid": "C-42606r1_chk",
"checktext": "Verify the management console is configured to implement access control by assigning rights and permissions to users and resources.\n\nIf the IDPS is not configured with rights and permissions for users and resources, this is a finding.",
"description": "When nondiscretionary access control mechanisms are implemented, security labels are assigned to securable objects and users are granted access to the objects only if their level of access matches that required by the security label. Types of nondiscretionary access control include Attribute-Based Access Control, Mandatory Access Control, and Originator Controlled Access Control. Without these security policies, security labels on restricted objects stored on the IDPS may be accessed or changed by unauthorized users.",
"fixid": "F-38655r1_fix",
"fixtext": "Configure the IDPS components using nondiscretionary access control as required by organizationally defined policies.",
"iacontrols": null,
"id": "V-34483",
"ruleID": "SV-45259r1_rule",
"severity": "low",
"title": "The IDPS must implement organizationally defined nondiscretionary access control policies over organizationally defined users and resources.",
"version": "SRG-NET-000017-IDPS-00017"
},
"V-34484": {
"checkid": "C-42607r1_chk",
"checktext": "View the documentation for each component. Verify any configuration requirements that are needed to support internal flow control mechanisms implemented.\n\nIf the IDPS is not configured to enforce internal information flow based on approved authorizations in accordance with applicable policy restrictions, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel. This control applies to the flow of information within individual IDPS components. Internal component communication, such as between the sensors and management server, is not included in this control. The IDPS components must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components causing corruption or other conditions. \n\nExamples of flow control restrictions include preventing installed applications or functions from accessing security configurations; or preventing unauthorized commands from executing on the IDPS components.\n\nFor most IDPS components, internal information flow control is a product of system design. However, this control can also be mitigated with a policy to control and prevent the installation of unauthorized tools.",
"fixid": "F-38656r1_fix",
"fixtext": "Configure the IDPS to enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.",
"iacontrols": null,
"id": "V-34484",
"ruleID": "SV-45260r1_rule",
"severity": "medium",
"title": "The IDPS must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.",
"version": "SRG-NET-000018-IDPS-00018"
},
"V-34485": {
"checkid": "C-42609r1_chk",
"checktext": "View each IDPS component's configuration. Verify communication between the sensors and other network elements are configured to allow only explicitly authorized devices to access, monitor, or modify the IDPS components.\n\nIf the IDPS is not configured to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy, this is a finding.",
"description": "Information flow controls are mechanisms which regulates where information is allowed to travel between interconnected systems. This control applies to the flow of information between IDPS components, such as the management console, sensors, and other network devices. Information flow varies based on the specific implementation of the IDPS. The flow of all traffic to and from IDPS components must be monitored and controlled, so this information does not introduce any unacceptable risk to the network or the IDPS.\n\nExample: An IPS sensor may detect an event and update the network firewall ACLs. Also, the sensors periodically transmit sensor event logs to the management console.",
"fixid": "F-38658r1_fix",
"fixtext": "Remove configuration information for unauthorized network devices from the communication functionality of the IDPS components.\nExplicitly configure authorized devices in the communication functionality of the IDPS components.",
"iacontrols": null,
"id": "V-34485",
"ruleID": "SV-45262r1_rule",
"severity": "medium",
"title": "The IDPS must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.",
"version": "SRG-NET-000019-IDPS-00019"
},
"V-34486": {
"checkid": "C-42611r1_chk",
"checktext": "Verify the IDPS is configured with an ACL which lists the allowed IP addresses from which management sessions are permitted.\nVerify the ACL is set for deny-by-default for all management console connections not explicitly allowed.\nVerify the allowed IP addresses are from the internal network.\n\nIf in-band management is allowed from IP addresses which are not explicitly identified, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device account and password information. \n\nAlthough in-band management sessions are not recommended, there may be operationally essential reasons for allowing this practice. When allowed, restricting in-band management to authorized IP addresses only, limits the sources of potential risks to approved systems.\n\nWith intercepted information, an attacker could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.",
"fixid": "F-38660r1_fix",
"fixtext": "Configure the IDPS sensors to allow only in-band remote management connections.\nConfigure an ACL listing for allowed IP addresses for non-local management console access.\nConfigure the ACL for deny-by-default.",
"iacontrols": null,
"id": "V-34486",
"ruleID": "SV-45264r1_rule",
"severity": "medium",
"title": "The IDPS must allow in-band management sessions from authorized IP addresses within the internal trusted network.",
"version": "SRG-NET-000019-IDPS-00020"
},
"V-34487": {
"checkid": "C-42613r1_chk",
"checktext": "Verify the IP address of the IDPS console is on the management network.\n\nIf the IP address for the management console is not on the management network, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that the individual sensors or agents cannot. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address is known as correlation. Management servers are available as both appliance and software-only products. \n\nSome small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments, there are often multiple management servers, and in some cases there are two tiers of management servers. If the management console is placed on a user segment, management information may be intercepted.",
"fixid": "F-38662r1_fix",
"fixtext": "Move the IDPS servers, databases and consoles to the management network.\nReconfigure the interfaces with an IP address that is in the management network range.",
"iacontrols": null,
"id": "V-34487",
"ruleID": "SV-45266r1_rule",
"severity": "medium",
"title": "The IDPS management console, management server, or data management console server must reside in the management network.",
"version": "SRG-NET-000019-IDPS-00021"
},
"V-34488": {
"checkid": "C-42615r1_chk",
"checktext": "Examine the configuration on the IDPS. \nVerify source and destination IP addresses are used as a basis for information flow between IDPS components or communications with other network elements.\n\nIf non-explicit attributes are used for information flow control, this is a finding. If source and destination IP addresses are not used, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on source and destination IP addresses, as well as the ports and services being requested. This requirement should enforce the deny-by-default policy whereby only the known and accepted traffic will be allowed outbound and inbound. \n\nFor IDPS implementation, this control applies to communications with other IDPS components and other network elements. These communications may include sensor log aggregation, software updates, and firewall ACL updates. Non-explicit attributes may include MAC addresses or other easily changed device information.",
"fixid": "F-38664r1_fix",
"fixtext": "Configure the network configuration on the sensors for external communications using source and destination IP addresses.",
"iacontrols": null,
"id": "V-34488",
"ruleID": "SV-45268r1_rule",
"severity": "medium",
"title": "The IDPS must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
"version": "SRG-NET-000020-IDPS-00022"
},
"V-34491": {
"checkid": "C-42652r1_chk",
"checktext": "Verify only authorized IDPS administrators have accounts capable of enabling or disabling rules and signatures.\n\nIf users who are not system administrators are permitted access to the sensors or other components, this is a finding. If audit or other restricted administrators have access to enable and disable rules and signatures, this is a finding.",
"description": "Organizationally defined security policy filters include, dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters.\n\nConfiguration and enforcement of administrator privileges ensures only authorized users have access to certain commands and functions on the IDPS. This control can be met by assigning the privilege to enable or disable security policy filters to privilege groups and then assigning users to these groups. Authorization to add, modify, or delete security policy filters must require the highest privilege level. If system administrators cannot be configured with different security privileges, then need-to-know cannot be enforced.",
"fixid": "F-38700r1_fix",
"fixtext": "Assign the privileges to enable and disable organizationally defined security policy filters to security groups. Assign only administrators who are authorized to perform enabling and disabling of security policy filters to these security groups.",
"iacontrols": null,
"id": "V-34491",
"ruleID": "SV-45304r1_rule",
"severity": "medium",
"title": "The IDPS must allow authorized administrators to enable/disable organizationally defined security policy filters.",
"version": "SRG-NET-000021-IDPS-00023"
},
"V-34492": {
"checkid": "C-42656r2_chk",
"checktext": "Verify the IDPS management console provides the system administrators the ability to configure security policy filters (e.g., creating groups with different authorizations and privileges).\nVerify the system has the capability to assign security levels to groups and individual users as needed.\n\nIf the IDPS does not provide the capability to configure security policy filters, this is a finding.",
"description": "The IDPS must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies must require the highest privilege level which can be implemented by simply assigning privilege levels may be performed using the account functions on the IDPS or through configuration of an authentication server (i.e., AAA server). The access control configuration must provide the capability to assign IDPS administrators to tiered groups containing required privilege levels. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.",
"fixid": "F-38704r1_fix",
"fixtext": "Create security policy filters by creating security groups or use pre-existing groups.\nAssign privileges to each group based on varying need-for-access.\nAssign system administrators as group members to each group based on level of access required.",
"iacontrols": null,
"id": "V-34492",
"ruleID": "SV-45307r1_rule",
"severity": "medium",
"title": "The IDPS must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.",
"version": "SRG-NET-000022-IDPS-00024"
},
"V-34493": {
"checkid": "C-42657r1_chk",
"checktext": "Inspect the rules and signatures configured to monitor, block and or redirect network traffic based on detected events between interconnected systems.\nVerify the IDPS is configured to enforce the security policies between interconnected systems. \n\nIf the IDPS is not configured to enforce security policies regarding information on interconnected systems, this is a finding.",
"description": "Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative for policy guidance from information owners be implemented at the policy enforcement point between the interconnected systems. This requirement applies to IPS (rather than IDS systems) implementations only because it requires the enforcement of security policy. If the IPS is configured to transfer threat information to the firewall or other devices do not adhere to the security policy of the other device, the network security posture for devices interconnected with the IDPS could be compromised. \n\nEnforcement is done by an IPS and is not a function of an IDS. If the IDPS is configured to update other network devices (e.g., firewall ACL) and the update process violates the access control policy of the updated device, this is an issue which must be resolved. However, the IDPS must also be configured to monitor and enforce the security policies between other interconnected systems.",
"fixid": "F-38705r1_fix",
"fixtext": "Configure the IDPS and other devices with which it interconnects, so the security policy on all devices is not by-passed. Configure the IDPS to enforce security policies regarding information on interconnected systems.",
"iacontrols": null,
"id": "V-34493",
"ruleID": "SV-45310r1_rule",
"severity": "medium",
"title": "The IDPS must enforce security policies regarding information on interconnected systems.",
"version": "SRG-NET-000023-IDPS-00025"
},
"V-34494": {
"checkid": "C-42660r1_chk",
"checktext": "Verify the IDPS uses a unique identifier (e.g., IP address) for source domain to track and log information transfer sessions between the sensors and other network elements.\nView log entries to verify the information tracked includes a unique identifier for each IDPS component (e.g., management server, sensors, or other network elements involved in information transfer).\n\n\nIf a unique identifier for each component is not logged for information transfer sessions, this is a finding.",
"description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element distinguishes between information systems and organizations, and between specific system components or individuals involved in sending and receiving information. \n\nExamples of information transfer for the IDPS are the sensor log updating the base, sensor alerts, or commands to update the firewall or router ACLs. Without unique identifiers, the audit records of these information transfers would not be useful to tracking possible violations.",
"fixid": "F-38708r1_fix",
"fixtext": "Configure the IDPS management console to log information transfer events. Configure the system, so each event record contains a unique identifier for component identification and session.",
"iacontrols": null,
"id": "V-34494",
"ruleID": "SV-45312r1_rule",
"severity": "medium",
"title": "The IDPS must uniquely identify source domains for information transfer.",
"version": "SRG-NET-000024-IDPS-00026"
},
"V-34495": {
"checkid": "C-42661r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending information. \n\nAuthenticating source domain for information transfer is not an IDPS function.",
"fixid": "F-38709r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34495",
"ruleID": "SV-45313r1_rule",
"severity": "medium",
"title": "The network element must uniquely authenticate source domains for information transfer.",
"version": "SRG-NET-000025-IDPS-NA"
},
"V-34496": {
"checkid": "C-42663r1_chk",
"checktext": "Verify the IDPS uses a unique identifier for the destination domain (e.g., IP address) of information transfer sessions. \nView log entries to verify the information tracked includes destination domain information for the base, sensors, or other network elements involved in information transfer.\n\nIf the unique identifier for the destination domain is not logged for information transfer sessions, this is a finding.",
"description": "Identifying source and destination domain addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS distinguishes between information systems and organizations, and between specific system components or individuals involved in sending and receiving information.\n\nExamples of information transfer for the IDPS is the sensor log updating the base, sensor alerts, or commands to update the firewall or router ACLs. Without unique identifiers, the audit records of these information transfers would not be useful to tracking possible violations.",
"fixid": "F-38711r1_fix",
"fixtext": "Configure the IDPS management console to log information transfer events. Configure the event entry to include destination domain unique identifier (e.g., IP address).",
"iacontrols": null,
"id": "V-34496",
"ruleID": "SV-45315r1_rule",
"severity": "medium",
"title": "The IDPS must uniquely identify destination domains for information transfer.",
"version": "SRG-NET-000026-IDPS-00027"
},
"V-34497": {
"checkid": "C-42664r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in receiving information.\n\nThe IDPS does not authenticate domains.",
"fixid": "F-38712r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34497",
"ruleID": "SV-45316r1_rule",
"severity": "medium",
"title": "The network element must uniquely authenticate destination domains for information transfer.",
"version": "SRG-NET-000027-IDPS-NA"
},
"V-34498": {
"checkid": "C-42665r1_chk",
"checktext": "If this functionality if provided by another network element, this is not a finding.\nVerify security zones are being used.\nVerify zones are created to reflect the various protection levels as needed by the organization to monitor traffic flow and respond to anomalies.\n\nIf the IDPS does not implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce unacceptable risks to the network infrastructure or data. Restrictions can be enforced using security zones at various protection levels as a basis for flow control decisions.\n\nUsually flow control is not a primary function of the IDPS implementation. However, many products are able to support flow control decisions or affect the flow more directly.",
"fixid": "F-38713r1_fix",
"fixtext": "Configure the management console to implement security policies for all traffic flows being monitored by the sensors.\nCreate security zones as needed to reflect various protection levels as a basis for flow control decisions.",
"iacontrols": null,
"id": "V-34498",
"ruleID": "SV-45317r1_rule",
"severity": "medium",
"title": "The IDPS must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.",
"version": "SRG-NET-000028-IDPS-00028"
},
"V-34499": {
"checkid": "C-42668r1_chk",
"checktext": "Verify changes in traffic flow controls are added/updated to the IDPS rules.\nWhen changes are made, these changes must take effect immediately and the sensors should begin monitoring using the updated rule set.\n\nIf the IDPS is not configured to enforce restrictions for traffic flow based on types and level of traffic, this is a finding. If the policy is not based on changing threat conditions or operational environment, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. \n\nIDPS rules allowing or disallowing traffic based upon traffic types or rates is an example of enforcing this requirement. Rules may be triggered by a changes in organizational risk tolerance based on the operational environment, mission needs, threat conditions, or detection of potentially harmful events.",
"fixid": "F-38716r1_fix",
"fixtext": "Create and implement IDPS rules to dynamically enforce information flow control policy. Rules must dynamically adjust flow based on changes to the operational environment or threat conditions.",
"iacontrols": null,
"id": "V-34499",
"ruleID": "SV-45320r1_rule",
"severity": "medium",
"title": "The IDPS must enforce dynamic traffic flow control based on policy that allows/disallows information flows based on changing threat conditions or operational environment.",
"version": "SRG-NET-000029-IDPS-00029"
},
"V-34500": {
"checkid": "C-42670r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Allowing traffic to bypass the security checkpoints, such as firewalls and intrusion detection systems, puts the network infrastructure and critical data at risk. Malicious traffic could enter the network undetected and attack a key IDPS or the server farm. Hence, it is imperative all encrypted traffic entering the network is decrypted prior to the content checking devices. \n\nEncryption and decryption of traffic for filtering is not a function of IDPS. This is a network architecture best practice and does not require a configuration setting in the IDPS components.",
"fixid": "F-38718r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34500",
"ruleID": "SV-45322r1_rule",
"severity": "medium",
"title": "All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.",
"version": "SRG-NET-000030-IDPS-NA"
},
"V-34501": {
"checkid": "C-42673r1_chk",
"checktext": "Verify rules exist to enforce network traffic for violations of the organizationally defined limited for encapsulation layers (e.g., tunnels within tunnels).\n\nIf the IDPS does not enforce organizationally defined limitations on the embedding of data types within other data types, this is a finding.",
"description": "Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. This control requires limits be set on the number of layers of encapsulation of information. With too many layers, it becomes increasingly difficult to inspect the information for malicious code. \n\nPossible enforcement mechanism for IDPS is to create a rule to monitor for and enforce organizationally defined limitations on tunneling and other encapsulation methods.",
"fixid": "F-38721r1_fix",
"fixtext": "Create or install a rule which monitors for and enforces violations of the organizationally defined encapsulated limitations.",
"iacontrols": null,
"id": "V-34501",
"ruleID": "SV-45325r1_rule",
"severity": "medium",
"title": "The IDPS must enforce organizationally defined limitations on the embedding of data types within other data types.",
"version": "SRG-NET-000031-IDPS-00030"
},
"V-34502": {
"checkid": "C-42676r1_chk",
"checktext": "If this is an IDS only implementation, this is not a finding. \nExamine the network configuration on the sensors. \nVerify restrictions are based on security filters, such as source and destination IP, application or services used as a basis for information flow.\n\nIf non-explicit items like server name or MAC addresses are used for information flow control, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on source and destination IP addresses, as well as the ports and services being requested using security policy filters. \n\nThis functionality is usually a firewall function; however, new generations of IPS devices are capable of performing this function. This control is applicable to IPS installations because it requires the enforcement (rather than just monitoring) of traffic flows.",
"fixid": "F-38724r1_fix",
"fixtext": "Configure the IPS to enforce information flow control based on IP address or port/service used.",
"iacontrols": null,
"id": "V-34502",
"ruleID": "SV-45327r1_rule",
"severity": "medium",
"title": "The IDPS must enforce information flow control using organizationally defined security policy filters as a basis for flow control decisions.",
"version": "SRG-NET-000033-IDPS-00032"
},
"V-34503": {
"checkid": "C-42678r1_chk",
"checktext": "Review the IDPS configuration to verify the system is configured to assign administrator privileges based on assigned duties, with only the permissions required to support their role. \n(For example, groups may be defined such as auditors, backup operators, and IDPS administrators.)\n\nIf accounts are not assigned privileges based on assigned duties and authorizations, this is a finding.",
"description": "Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. An example of separation of duties within the IDPS implementation may be accomplished by allowing only the IDPS administrator to manage the IDPS platform and associated configuration files, yet not be a member of the \"\"auditors\"\" group. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions.",
"fixid": "F-38726r1_fix",
"fixtext": "Configure the IDPS to use the separation of duties model and require separate accounts based on the minimum privileges needed to perform the required function.",
"iacontrols": null,
"id": "V-34503",
"ruleID": "SV-45329r1_rule",
"severity": "low",
"title": "The IDPS must implement separation of duties through assigned information system access authorizations.",
"version": "SRG-NET-000034-IDPS-00033"
},
"V-34504": {
"checkid": "C-42696r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Accounts used to perform security-related functions on the IDPS components must not be used to perform non-privileged functions on the IDPS. Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. \n\nNon-privileged security functions are not authorized on the IDPS components regardless of configuration.",
"fixid": "F-38742r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34504",
"ruleID": "SV-45346r1_rule",
"severity": "medium",
"title": "The network element must require users of information system accounts, or roles, with access to\norganizationally defined security functions or security relevant information, use non-privileged\naccounts or roles, when accessing non-security functions.",
"version": "SRG-NET-000035-IDPS-NA"
},
"V-34505": {
"checkid": "C-42697r1_chk",
"checktext": "View the account security policy functionality using the management console. Verify security policies exist that use security filters for managing account privileges and restrictions for administrator access to the management console and sensors.\n\nIf the system does not have the capability to allow the use of security policy filters to support the security policies, this is a finding.",
"description": "Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. Network disruptions or outages could be caused by mistakes made by inexperienced system administrators. Monitoring account usage will reduce the risk of a privilege account being exploited by unauthorized persons and provides logging to be used for forensic investigation. Only accounts with the highest privilege level should have the authorization to configure security policy filters.",
"fixid": "F-38743r1_fix",
"fixtext": "Configure the system to provide the capability to configure organizationally defined security policy filters which can be used when creating security policies for user access control and privilege levels.",
"iacontrols": null,
"id": "V-34505",
"ruleID": "SV-45347r1_rule",
"severity": "medium",
"title": "The IDPS must provide the capability for a privileged administrator to configure organizationally defined security policy filters to support different security policies.",
"version": "SRG-NET-000036-IDPS-00034"
},
"V-34506": {
"checkid": "C-42698r1_chk",
"checktext": "Review the IDPS configuration to determine if the system automatically disables the network or any monitored device identified for this action based on an organizationally defined list of security violations. \n\nIf the IDPS is not configured to disable the network or monitored device upon detecting events identified on an organizationally defined list of security events, this is a finding.",
"description": "Incident related information can be obtained from a variety of sources including network monitoring. To reduce or eliminate the risk to the network, the IDPS must be configured to disable the network or monitored devices when an organizationally defined list of events is detected. Monitored devices may include workstations, hosts, or other devices registered with the IDPS. Since the IDPS is a major part of the network's protection and defense system, a compromised IDPS may allow malicious attacks to bypass the network's controls.\n\nFor the purpose of this requirement, disabling is not considered the same as blocking or dropping of the traffic to or from the device. Disabling the network or monitored device is one action that may be selected when implementing CCI-001670.",
"fixid": "F-38744r1_fix",
"fixtext": "Configure the IDPS to automatically disable the network or monitored device if any of the organizationally defined lists of security violations are detected.",
"iacontrols": null,
"id": "V-34506",
"ruleID": "SV-45348r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected.",
"version": "SRG-NET-000037-IDPS-00035"
},
"V-34507": {
"checkid": "C-42699r1_chk",
"checktext": "Review the IDPS configuration to determine if there is a defined limit on invalid account access requests within an organizationally defined time period. \n\nIf the system is not configured to enforce the organizationally defined limit of consecutive invalid access attempts by a user during an organizationally defined time period, this is a finding.",
"description": "One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts being successful, the IDPS must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period.\n\nBy limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute force attack, is reduced.",
"fixid": "F-38745r1_fix",
"fixtext": "Configure the IDPS to limit the number of invalid access attempts to within an organizationally defined time period.",
"iacontrols": null,
"id": "V-34507",
"ruleID": "SV-45349r1_rule",
"severity": "medium",
"title": "The IDPS must enforce the organizationally defined limit of consecutive invalid access attempts by a user during the organizationally defined time period.",
"version": "SRG-NET-000038-IDPS-00036"
},
"V-34508": {
"checkid": "C-42700r2_chk",
"checktext": "Verify the IDPS is configured to enforce the organizationally defined time period during which the limit of consecutive invalid access attempts by a user is counted.\n\nIf the IDPS is not configured with an organizationally defined time period during which the number of consecutive invalid access attempts is counted, this is a finding.",
"description": "One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts being successful, the IDPS implementation must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and subsequently lock that account when the maximum number has been reached. By limiting the number of failed login attempts within a specified time period, the risk of unauthorized system access via user password guessing, otherwise known as brute force attack, is reduced.",
"fixid": "F-38746r2_fix",
"fixtext": "Configure the IDPS to count the number of consecutive failed access attempts occurring during an organizationally defined time period.",
"iacontrols": null,
"id": "V-34508",
"ruleID": "SV-45350r1_rule",
"severity": "medium",
"title": "The IDPS must enforce the organizationally defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
"version": "SRG-NET-000039-IDPS-00037"
},
"V-34509": {
"checkid": "C-42701r1_chk",
"checktext": "Verify the setting for account lockout time release is set so the lockout remains in place for an organizationally defined time period or until a system administrator takes action to unlock the account.\n\nIf the account lockout time is not set to release after an organizationally defined time delay; or when the system administrator takes action to unlock the account, this is a finding.",
"description": "The IDPS must delay the next login prompt using an organizationally defined delay algorithm when the maximum number of unsuccessful access attempts is exceeded. The system must automatically lock the account/node for an organizationally defined time period or lock the account/node until released by an administrator according to organizational policy. Locking out an account after the maximum number of unsuccessful login attempts is exceeded will reduce the risk of unauthorized system access via password guessing. Usually, the configuration allows both settings rather than one or the other.",
"fixid": "F-38747r2_fix",
"fixtext": "Configure the lockout time setting for accounts used for accessing IDPS. Configure the account lockout to release only when the administrator takes action to unlock the account, or for an organizationally defined time period.",
"iacontrols": null,
"id": "V-34509",
"ruleID": "SV-45351r1_rule",
"severity": "medium",
"title": "The IDPS must automatically lock out an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.",
"version": "SRG-NET-000040-IDPS-00038"
},
"V-34510": {
"checkid": "C-42702r1_chk",
"checktext": "Verify an approved system use notification appears upon attempted login to the SSH or GUI interface to the sensors or management console.\n\nIf a warning banner is not displayed prior to allowing user access to IDPS management console and sensors, this is a finding.",
"description": "All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required login warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA\u2019s ability to monitor the device\u2019s usage is limited unless a proper warning banner is displayed.",
"fixid": "F-38748r1_fix",
"fixtext": "Configure the IDPS management console GUI and SSH to display the authorized DoD warning banner text on or before the login page.",
"iacontrols": null,
"id": "V-34510",
"ruleID": "SV-45352r1_rule",
"severity": "low",
"title": "The IDPS must display an approved system use notification message (or banner) before granting access to the system.",
"version": "SRG-NET-000041-IDPS-00039"
},
"V-34511": {
"checkid": "C-42703r1_chk",
"checktext": "Verify the user notification message remains on the screen until the administrator presses enter, logs in, or takes some other explicit action.\n\nIf the warning banner is not displayed until the administrator takes explicit action, this is a finding.",
"description": "All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should be acknowledged by the user prior to allowing the user access to the system. This provides assurance that the user has seen the message and accepted the conditions for access. If the warning banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.",
"fixid": "F-38749r1_fix",
"fixtext": "Configure the system to display the notification message on the system screen until the administrator either presses enter or takes action to login.",
"iacontrols": null,
"id": "V-34511",
"ruleID": "SV-45353r1_rule",
"severity": "low",
"title": "The IDPS must display the notification message on the screen until the administrator takes explicit action to acknowledge the message.",
"version": "SRG-NET-000042-IDPS-00040"
},
"V-34514": {
"checkid": "C-42704r1_chk",
"checktext": "Compare notification banner presented upon attempted login to the GUI and the SSH interfaces to the text of the approved user notification message. Verify the text matches exactly.\n\nIf the warning banner is not displayed prior to allowing user access to IDPS management console and sensors, this is a finding.",
"description": "All network devices must present a DoD approved warning banner before granting access to the device. The banner shall be formatted in accordance with the DoD policy \"Use of DoD Information Systems - Standard Consent and User Agreement\". If the warning banner is not displayed, DoD will not be in compliance with system use notifications required by law. Use the following verbiage. \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nFor sensors with severe character limitations on the display screen, use the following verbiage:\n\n\"I've read & consent to terms in IS user agreem't.\"",
"fixid": "F-38752r1_fix",
"fixtext": "Configure all management ports and interfaces to the network device to display the DoD mandated warning banner verbiage at login regardless of the means of connection or communication. Use the following verbiage. \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided\nfor USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the\nfollowing conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes\nincluding, but not limited to, penetration testing, COMSEC monitoring, network\noperations and defense, personnel misconduct (PM), law enforcement (LE), and\ncounterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine\nmonitoring, interception, and search, and may be disclosed or used for any USG authorized\npurpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect\nUSG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI\ninvestigative searching or monitoring of the content of privileged communications, or\nwork product, related to personal representation or services by attorneys,\npsychotherapists, or clergy, and their assistants. Such communications and work product\nare private and confidential. See User Agreement for details.\nFor sensors with severe character limitations on the display screen, use the following verbiage:\n\n\"I've read & consent to terms in IS user agreem't.\"",
"iacontrols": null,
"id": "V-34514",
"ruleID": "SV-45356r1_rule",
"severity": "low",
"title": "The IDPS must display a DoD approved system use notification message or banner before granting access to the device.",
"version": "SRG-NET-000043-IDPS-00041"
},
"V-34515": {
"checkid": "C-42705r1_chk",
"checktext": "Connect to the management console using the GUI. Note if the date and time of last login is displayed.\nConnect to the maintenance console using the SSH interface. Note if the date and time of last login is displayed.\nRepeat the above steps for each sensor.\n\nIf the date and time of the last login of the user is not displayed for both the GUI and SSH interface, this is a finding.",
"description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. Control applies to classified systems.",
"fixid": "F-38753r1_fix",
"fixtext": "Configure the IDPS management console GUI and SSH interface to display the date and time of the last login by the user.",
"iacontrols": null,
"id": "V-34515",
"ruleID": "SV-45357r1_rule",
"severity": "low",
"title": "Upon successful logon, the IDPS must display the date and time of the last logon of the user.",
"version": "SRG-NET-000048-IDPS-00042"
},
"V-34516": {
"checkid": "C-42706r1_chk",
"checktext": "Initiate a failed logon attempt using the target user's account followed by a successful attempt for the same user account.\n\nIf the number of unsuccessful logon attempts since the last successful logon is not displayed, this is a finding.",
"description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. Without this information, the user may not become aware that unauthorized activity has occurred.",
"fixid": "F-38754r1_fix",
"fixtext": "Configure the IDPS management console GUI and SSH interface to display the number of unsuccessful logon attempts since the last successful logon.",
"iacontrols": null,
"id": "V-34516",
"ruleID": "SV-45358r1_rule",
"severity": "low",
"title": "Upon successful logon, the IDPS must display, to the user, the number of unsuccessful logon attempts since the last successful logon.",
"version": "SRG-NET-000049-IDPS-00043"
},
"V-34517": {
"checkid": "C-42707r1_chk",
"checktext": "Initiate a failed logon attempt using the target user's account followed by a successful attempt for the same user account.\n\nIf the number of successful login attempts to the local device occurring during an organizationally defined time period is not displayed, this is a finding.",
"description": "Users must be aware of access activity regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
"fixid": "F-38755r1_fix",
"fixtext": "Configure the IDPS management console to display the number of successful login attempts to the local device occurring during an organizationally defined time period.",
"iacontrols": null,
"id": "V-34517",
"ruleID": "SV-45359r1_rule",
"severity": "low",
"title": "The IDPS must notify the user of the number of successful login attempts occurring during an organizationally defined time period.",
"version": "SRG-NET-000050-IDPS-00044"
},
"V-34518": {
"checkid": "C-42708r1_chk",
"checktext": "Connect to the management console. Note the number of unsuccessful logon attempts occurring during the organizationally defined time period.\nRepeat the above steps for each sensor.\n\nIf the number of unsuccessful logon attempts occurring during an organizationally defined time period is not displayed, this is a finding.",
"description": "Providing users with information regarding the number of unsuccessful logon attempts to the local device that have occurred over an organizationally defined time period allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. Without this information, the user may not become aware that unauthorized activity has occurred.",
"fixid": "F-38756r1_fix",
"fixtext": "Configure the IDPS management console to display the number of unsuccessful logon attempts occurring during organizationally defined time period.",
"iacontrols": null,
"id": "V-34518",
"ruleID": "SV-45360r1_rule",
"severity": "low",
"title": "The IDPS must notify the user of the number of unsuccessful login attempts occurring during organizationally defined time period.",
"version": "SRG-NET-000051-IDPS-00045"
},
"V-34519": {
"checkid": "C-42709r1_chk",
"checktext": "Verify the system is configured to notify the user of organizationally defined security related changes to the user\u2019s account occurring during the organizationally defined time period by logging on to the management console.\n\nIf the system does not notify the user of organizationally defined security related changes to the user\u2019s account occurring during the organizationally defined time period, this is a finding.",
"description": "Providing users with information regarding organizationally defined security related changes to the user\u2019s account occurring during the organizationally defined time period, allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. Changes to the user account during a specific time period could be an indication of the account being compromised. Hence, without notification to the user, the compromise could go undetected.",
"fixid": "F-38757r1_fix",
"fixtext": "Configure the IDPS management console to display the organizationally defined security-related changes to the user\u2019s account occurring during the organizationally defined time period.",
"iacontrols": null,
"id": "V-34519",
"ruleID": "SV-45361r1_rule",
"severity": "low",
"title": "The IDPS must notify the user of organizationally defined security related changes to the user\u2019s account occurring during the organizationally defined time period.",
"version": "SRG-NET-000052-IDPS-00046"
},
"V-34520": {
"checkid": "C-42710r1_chk",
"checktext": "View the user account management screens.\nVerify the number of concurrent sessions setting is not set to unlimited. \nVerify the number of concurrent sessions is set to an organizationally defined value.\n\nIf the number of concurrent sessions for accounts is set to unlimited, this is a finding. If the number of concurrent sessions is not set to an organizationally defined value, this is a finding.",
"description": "This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. In many products, this value defaults to unlimited which leaves the device open to DoS attacks. An organizationally defined value should be configured.\n\nLimiting the number of concurrent sessions to the device per any given account mitigates the risk associated with a Denial of Service (DoS) attack.",
"fixid": "F-38758r1_fix",
"fixtext": "Set the default concurrent sessions for user accounts to an organizationally defined value.",
"iacontrols": null,
"id": "V-34520",
"ruleID": "SV-45362r1_rule",
"severity": "low",
"title": "The IDPS must limit the number of concurrent sessions for each account to an organizationally defined number.",
"version": "SRG-NET-000053-IDPS-00047"
},
"V-34521": {
"checkid": "C-42711r1_chk",
"checktext": "Ask the site representative if all individuals with an account on the IDPS have the same rights to files on the management console and sensors.\nIf rights to files are assigned per user, then verify the IDPS supports this requirement.\nIf the capability to view the permissions for the event log files, application software, and sensor logs is available, then verify the permissions are set to allow only authorized users.\n\nIf there is an organizationally defined requirement for granular security attributes, but this capability does not exist or is not implemented, this is a finding.",
"description": "Security attribute assignments (e.g., metadata, classification, subject categories, nationality, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. \n\nTypically, the security attributes used for data stored on the management console or sensors is not granular. The sensors are configured to send data to a management console using IP addresses or other network identifiers. While the data is in storage on the sensors, the system will limit user access based on assigned user account permissions. If the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows which depend on these security attributes will not function and unauthorized subjects or entities may gain access to the information.\n\nThis requirement applies to the event log files and IDPS application files stored on the IDPS management console and sensors.",
"fixid": "F-38759r1_fix",
"fixtext": "Configure the management console and sensors to restrict access to the sensor logs to users and entities based on access privileges.",
"iacontrols": null,
"id": "V-34521",
"ruleID": "SV-45363r1_rule",
"severity": "medium",
"title": "The IDPS must support and maintain the binding of organizationally defined security attributes to information in storage.",
"version": "SRG-NET-000054-IDPS-00048"
},
"V-34522": {
"checkid": "C-42712r1_chk",
"checktext": "Verify the IDPS is capable of setting security attributes to configure security policies and access control privileges on the system. \n\nIf the IDPS does not support and maintain the binding of organizationally defined security attributes to information in process, this is a finding.",
"description": "Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. \n\nSecurity attributes and labels must be leveraged to protect stored information, as well as information flowing to external devices. Information stored, processed, and transmitted by the IDPS includes sensor event logs, local audit logs, and application files. Security attributes and labels must also be leveraged to protect communications between sensors, the management console, non-local management computers, firewalls, routers, and other network elements. \n\nIf the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows which depend on these security attributes will not function and unauthorized subjects or entities may gain access to the information.\n\nExamples of possible IDPS security attributes that may be used by the organization to implement security policy include: session or packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification; subnet or Virtual Local Area Network (VLAN) identification.",
"fixid": "F-38760r1_fix",
"fixtext": "Configure the IDPS management console to support and maintain the binding of organizationally defined security attributes to information while it is being processed by the sensors and management console.",
"iacontrols": null,
"id": "V-34522",
"ruleID": "SV-45364r1_rule",
"severity": "medium",
"title": "The IDPS must support and maintain the binding of organizationally defined security attributes to information in process.",
"version": "SRG-NET-000055-IDPS-00049"
},
"V-34523": {
"checkid": "C-42714r1_chk",
"checktext": "Verify a reboot or reset is not needed when security attributes are changed (e.g., configuration changes that alter flow control information, user rights, or security labels).\nVerify changes to attributes immediately take effect by changing an attribute and testing to see if the change has taken effect.\nVerify that when information is created or combined, the security policy is applied to the new files or information (e.g., user restrictions apply).\n\nIf configuration changes to security attributes are not dynamically updated, this is a finding.",
"description": "Security attribute assignments are representations of the properties or characteristics of an entity. Thus, if a security policy is changed or data is created or changed, the system will dynamically reconfigure and apply security attributes in accordance with the security policy.\n\nSecurity attributes and labels should be leveraged to protect stored information as well as information flowing to external devices. Information stored and processed by the IDPS includes sensors event logs, local audit logs, and application files. Security attributes and labels must also be leveraged to protect communications between sensors, the management console, non-local management computers, firewalls, routers, and other network elements. \n\nThe IDPS must have the capability to dynamically reconfigure security attributes as information is created or combined, thus ensuring the correct attributes are assigned to the resulting data as part of this process. If changes to the security attributes are not reconfigured dynamically to meet security policies, then unauthorized entities may gain access to the information.",
"fixid": "F-38762r1_fix",
"fixtext": "Configure the IDPS to dynamically reconfigure security attributes in accordance with the organizationally defined security policy.",
"iacontrols": null,
"id": "V-34523",
"ruleID": "SV-45365r1_rule",
"severity": "medium",
"title": "The IDPS must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.",
"version": "SRG-NET-000057-IDPS-00051"
},
"V-34524": {
"checkid": "C-42715r1_chk",
"checktext": "Obtain a list of authorized IDPS administrators.\nAsk the site representative if all system administrators have the same access privileges (authorization levels).\nReview the user groups in the user account management function.\nVerify only authorized IDPS administrators have privileges to change security attributes for users, sensors, and system files.\n\nIf unauthorized users have access to the IDPS management console or sensors, this is a finding.",
"description": "System administrators of the IDPS can reconfigure the rules and redirect traffic. If an unauthorized user gains access and then modifies the configuration, this could adversely impact the operation and availability of the entire network and all users. Malicious configuration changes may cause the sensors to miss critical attacks. If unauthorized individuals have permission to change security attributes, then unauthorized individuals may compromise information flow and access control attributes, thus adversely impacting network availability or gaining unauthorized access to the information.",
"fixid": "F-38763r1_fix",
"fixtext": "Configure rights and permissions for system administrators so only authorized IDPS administrators can change security attributes.\nLimit system administrators authorized to change security attributes (e.g., session or packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification based on QoS markings for preferred treatment; or VLAN identification) to just the access needed to perform their duties.",
"iacontrols": null,
"id": "V-34524",
"ruleID": "SV-45366r1_rule",
"severity": "high",
"title": "The IDPS must allow only authorized administrators to change security attributes.",
"version": "SRG-NET-000058-IDPS-00052"
},
"V-34525": {
"checkid": "C-42716r1_chk",
"checktext": "Verify the system allows security attributes to be used to implement user access control decisions to the IDPS, create IDPS sensor rules for network monitoring, and control information transmissions to external devices, such as event log updates and communications to other network elements. \n\nIf security attributes cannot be used as part of the automated security policy for flow and access control, this is a finding.",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the IDPS and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nExamples of automated policy actions include automated access control decisions (e.g., Mandatory Access Control decisions), or decisions to release (or not release) information (e.g., information flows via cross domain systems).\n\nIf the attribute to information binding does not have a high assurance, then information security policies based on these attributes may allow unauthorized subjects or entities to gain access to the information or network.",
"fixid": "F-38764r1_fix",
"fixtext": "Configure the IDPS to allow configuration of access control and information flow based on organizationally defined attributes.\nConfigure security attributes to bind to the information using trusted processes.",
"iacontrols": null,
"id": "V-34525",
"ruleID": "SV-45367r1_rule",
"severity": "medium",
"title": "The IDPS must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions.",
"version": "SRG-NET-000059-IDPS-00053"
},
"V-34526": {
"checkid": "C-42717r1_chk",
"checktext": "Obtain a list of authorized IDPS administrators.\nAsk the site representative if all system administrators have the same access privileges.\nReview the user groups in the user account management function.\nVerify only authorized IDPS administrators have privileges to change attribute-information associations for users, sensors, and system files.\nVerify root access is limited to authorized system administrators only.\n\nIf the IDPS does not allow authorized system administrators to associate security attributes with information, this is a finding.",
"description": "System administrators of the IDPS can reconfigure the rules and redirect traffic. If an unauthorized user gains access and then modifies the configuration, this could adversely impact the operation and availability of the entire network and all users. Malicious configuration changes may cause the sensors to miss critical attacks.\n\nIf unauthorized individuals have permission to change security attribute-information associations, these individuals may compromise information flow and access control attributes, thus adversely impacting network availability or gaining unauthorized access to the information.",
"fixid": "F-38765r1_fix",
"fixtext": "Configure rights and permissions for system administrators, so only authorized IDPS administrators can change security attributes-information associations.\nLimit system administrators not authorized to change security attributes (e.g., session or packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification based on QoS markings for preferred treatment; or VLAN identification) to just the access needed to perform their duties.",
"iacontrols": null,
"id": "V-34526",
"ruleID": "SV-45368r1_rule",
"severity": "high",
"title": "The IDPS must allow authorized system administrators to associate security attributes with information.",
"version": "SRG-NET-000060-IDPS-00054"
},
"V-34527": {
"checkid": "C-42718r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. \n\nUnless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Monitoring will ensure unauthorized access to the enclave\u2019s resources and data will not go undetected. However, monitoring and control of remote access methods is not a function of the IDPS.",
"fixid": "F-38766r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34527",
"ruleID": "SV-45369r1_rule",
"severity": "medium",
"title": "The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods.",
"version": "SRG-NET-000061-IDPS-NA"
},
"V-34528": {
"checkid": "C-42719r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Remote access sessions must use encryption to protect the confidentiality of information traveling through a public network such as the Internet. Requiring remote access sessions to the enclave to traverse an encrypted tunnel, authorized on a per client basis, makes the session difficult to snoop or spoof.\n\nProtecting the confidentiality of remote access sessions is not a function of the IDPS. If needed, remote management sessions to the IDPS must traverse the network remote access infrastructure before accessing the IDPS.",
"fixid": "F-38767r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34528",
"ruleID": "SV-45370r1_rule",
"severity": "medium",
"title": "The network element must use approved cryptography to protect the confidentiality of remote access sessions.",
"version": "SRG-NET-000062-IDPS-NA"
},
"V-34529": {
"checkid": "C-42720r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Remote access sessions must use encryption to protect the integrity of information traveling through a public network, such as the Internet. Requiring remote access sessions to the enclave to traverse an encrypted tunnel makes the session difficult to alter the content.\n\nProtecting the integrity of remote access sessions is not a function of the IDPS. If needed, remote management sessions to the IDPS must traverse the network remote access infrastructure before accessing the IDPS.",
"fixid": "F-38768r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34529",
"ruleID": "SV-45371r1_rule",
"severity": "medium",
"title": "The network element must be configured to use cryptography to protect the integrity of remote access sessions.",
"version": "SRG-NET-000063-IDPS-NA"
},
"V-34530": {
"checkid": "C-42721r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless of the backbone networks used for transit between the user end-point and the remote access server (VPN appliance or firewall), remote connections must be secured and must not be given direct access to the private network. Traffic between the remote access server and the private network must be secured. Therefore, the remote access server must forward traffic destined to the private network to the firewall interface inspecting all private network ingress traffic. \n\nRouting remote access traffic through managed access control points is not a function of the IDPS.",
"fixid": "F-38769r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34530",
"ruleID": "SV-45372r1_rule",
"severity": "medium",
"title": "The network element must route all remote access traffic through managed access control points.",
"version": "SRG-NET-000064-IDPS-NA"
},
"V-34531": {
"checkid": "C-42722r1_chk",
"checktext": "Verify the IDPS sensors are configured with rules to monitor for remote access traffic, to ensure traffic from the communications gateway is monitored by the IDPS.\n\nIf the IDPS is not configured to monitor remote access traffic, this is a finding. If monitoring is not performed on an organizationally defined frequency, this is a finding.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. Monitoring will ensure unauthorized access to the enclave\u2019s resources and data will not go undetected. \n",
"fixid": "F-38770r1_fix",
"fixtext": "Configure the IDPS sensors to monitor for unauthorized remote access traffic on an organizationally defined frequency.",
"iacontrols": null,
"id": "V-34531",
"ruleID": "SV-45373r1_rule",
"severity": "medium",
"title": "The IDPS must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency.",
"version": "SRG-NET-000065-IDPS-00055"
},
"V-34532": {
"checkid": "C-42723r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. \n\nUnless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Auditing will ensure unauthorized access to the enclave\u2019s resources and data will not go undetected.\n\nAuditing of remote access sessions is performed by the remote access server, not the IDPS.",
"fixid": "F-38771r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34532",
"ruleID": "SV-45374r1_rule",
"severity": "low",
"title": "The network element must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.",
"version": "SRG-NET-000066-IDPS-NA"
},
"V-34533": {
"checkid": "C-42724r1_chk",
"checktext": "Verify networking protocols which are not allowed in accordance with organizationally defined policies are disabled.\n\nIf networking protocols, which are not allowed in accordance with organizationally defined policies, are not disabled, this is a finding.",
"description": "Some networking protocols that allow remote access may not meet the security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities.\n\nUnsecure protocols must be turned off at the device level; otherwise, the IDPS components may still be using these protocols. These protocols are often enabled by default; therefore, the system administrator must utilize an explicit command to disable the disallowed protocols.",
"fixid": "F-38772r1_fix",
"fixtext": "In the device configuration, disable protocols which are disallowed based on organizationally defined policy.",
"iacontrols": null,
"id": "V-34533",
"ruleID": "SV-45375r1_rule",
"severity": "medium",
"title": "The IDPS must disable use of organizationally defined networking protocols (on the IDPS components) deemed nonsecure, except for explicitly identified components in support of specific operational requirements.",
"version": "SRG-NET-000067-IDPS-00056"
},
"V-34534": {
"checkid": "C-42725r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. Enabling access to the network from outside introduces security risks which must be addressed through implementation of strict controls and procedures, such as authentication and defining what resources can be accessed. \n\nEnforcing requirements for remote connections to the network is not a function of the IDPS.",
"fixid": "F-38773r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34534",
"ruleID": "SV-45376r1_rule",
"severity": "medium",
"title": "The network element must enforce requirements for remote connections to the network.",
"version": "SRG-NET-000068-IDPS-NA"
},
"V-34535": {
"checkid": "C-42726r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DoD network enclave. \n\nWireless network authentication is not the function of the IDPS.",
"fixid": "F-38774r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34535",
"ruleID": "SV-45377r1_rule",
"severity": "medium",
"title": "The network element must protect wireless access to the network using authentication.",
"version": "SRG-NET-000069-IDPS-NA"
},
"V-34536": {
"checkid": "C-42727r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The security boundary of a WLAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DoD network enclave.\n\nProtecting wireless access to the network using encryption mobile devices is outside the scope of the IDPS.",
"fixid": "F-38775r2_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34536",
"ruleID": "SV-45378r1_rule",
"severity": "medium",
"title": "The network element must protect wireless access to the network using encryption.",
"version": "SRG-NET-000070-IDPS-NA"
},
"V-34537": {
"checkid": "C-42728r1_chk",
"checktext": "Verify rules exist to monitor for unauthorized mobile devices. Mobile devices include: USB memory sticks, external hard disk drives, notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices.\n\nIf rules do not exist that monitor for mobile devices, this is a finding.",
"description": "This control requires access control for portable and mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Unless restrictions are put in place, a user connecting to the enclave via a mobile device can access/perform everything they could access/perform as those connected via Ethernet. Monitoring will ensure unauthorized access to the enclave\u2019s resources and data will not go undetected.\n\nSome IDPS sensors may be able to monitor for device IDs or other markers of various mobile devices.",
"fixid": "F-38776r1_fix",
"fixtext": "Create rules to monitor for mobile device IDs or other markers of mobile devices.",
"iacontrols": null,
"id": "V-34537",
"ruleID": "SV-45379r1_rule",
"severity": "medium",
"title": "The IDPS must monitor for unauthorized connections of mobile devices to information systems.",
"version": "SRG-NET-000071-IDPS-00057"
},
"V-34538": {
"checkid": "C-42729r1_chk",
"checktext": "Verify rules exist to detect, block, or redirect transmissions from unauthorized mobile devices. Mobile devices include: USB memory sticks, external hard disk drives, notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices.\n\nIf rules do not exist that monitor for mobile devices, this is a finding.",
"description": "This control requires access control for portable and mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Unless restrictions are put in place, a user connecting to the enclave via a mobile device can access/perform everything they could access/perform as those connected via Ethernet.",
"fixid": "F-38777r1_fix",
"fixtext": "Create rules to monitor for mobile device IDs or other markers of mobile devices. Upon detection of unauthorized devices, an action to notify an administrator or block the traffic must be implemented.",
"iacontrols": null,
"id": "V-34538",
"ruleID": "SV-45380r1_rule",
"severity": "medium",
"title": "The IDPS must enforce requirements for the connection of mobile devices to organizational information systems.",
"version": "SRG-NET-000072-IDPS-00058"
},
"V-34539": {
"checkid": "C-42730r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services. \nExamples of information system functionality that provide the capability for automatic execution of code are Auto Run and AutoPlay. \n\nDisabling applications on mobile devices is outside the scope of the IDPS.",
"fixid": "F-38778r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34539",
"ruleID": "SV-45381r1_rule",
"severity": "low",
"title": "The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.",
"version": "SRG-NET-000073-IDPS-NA"
},
"V-34540": {
"checkid": "C-42731r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors) or view several alert records on the organization's central audit log server.\nVerify the entries sent to the audit log include sufficient information to determine the type or category for each audit event recorded in the audit log.\n\nIf the audit log event records do not include enough information to determine the type or category of events, this is a finding.",
"description": "It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom, in order to compile an accurate risk assessment. Associating event types with detected events in the sensor and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured IDPS. Without this capability, it will be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo support the auditing requirement, the IDPS account and audit management functions must be configured to transmit the required audit events to the site's central audit server (e.g., SYSLOG server), as required by CCI-000136.",
"fixid": "F-38779r1_fix",
"fixtext": "Configure the IDPS components (including the sensors) to ensure entries sent to the audit log include sufficient information to determine the type or category for each audit event recorded in the audit log.",
"iacontrols": null,
"id": "V-34540",
"ruleID": "SV-45382r1_rule",
"severity": "low",
"title": "The IDPS must produce audit log records that contain sufficient information to establish what type of event occurred.",
"version": "SRG-NET-000074-IDPS-00059"
},
"V-34541": {
"checkid": "C-42732r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors) or view several alert records on the organization's central audit log server.\nVerify the entries sent to the audit log include the date and time of each event.\n\nIf the audit log event records do not include the date and time the events occurred, this is a finding.",
"description": "It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the date and time of each detected event provides a means to investigate an attack; recognize resource utilization or capacity thresholds; or identify an improperly configured IDPS. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.",
"fixid": "F-38780r1_fix",
"fixtext": "Configure the IDPS components to ensure entries sent to the audit log include the date and time of the event.",
"iacontrols": null,
"id": "V-34541",
"ruleID": "SV-45383r1_rule",
"severity": "low",
"title": "The IDPS must produce audit log records containing sufficient information to establish when the events occurred.",
"version": "SRG-NET-000075-IDPS-00060"
},
"V-34542": {
"checkid": "C-42733r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors) or view several alert records on organization's central audit log server.\nVerify the entries sent to the audit log include the location of each event (e.g., network name, network subnet, network segment, or organization).\n\nIf the audit log events do not include the event location, this is a finding.",
"description": "It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging network location information for each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured IDPS. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the source or object of the log record is recorded in all log records.",
"fixid": "F-38781r1_fix",
"fixtext": "Configure the IDPS components to ensure entries sent to the audit log include the location of each event (e.g., network name, network subnet, network segment, or organization).",
"iacontrols": null,
"id": "V-34542",
"ruleID": "SV-45384r1_rule",
"severity": "low",
"title": "The IDPS must produce audit log records containing sufficient information to establish where the events occurred.",
"version": "SRG-NET-000076-IDPS-00061"
},
"V-34543": {
"checkid": "C-42734r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors) or view several alert records on organization's central audit log server.\nVerify the entries sent to the audit log include sufficient information to ascertain the source of the events (e.g., IP address, session or packet ID).\n\nIf the audit log event records do not include sufficient information to ascertain the source of the events, this is a finding.",
"description": "It is essential for security personnel to know what is being done, what was attempted, when, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured IDPS. If the originator of the log record is not recorded, it will be difficult to establish and correlate the series of events leading up to an outage or attack.",
"fixid": "F-38782r1_fix",
"fixtext": "Configure the IDPS components to ensure entries sent to the audit log include sufficient information to ascertain the source of each audit event (e.g., IP address, session or packet ID).",
"iacontrols": null,
"id": "V-34543",
"ruleID": "SV-45385r1_rule",
"severity": "low",
"title": "The IDPS must produce audit log records containing sufficient information to establish the source of the event.",
"version": "SRG-NET-000077-IDPS-00062"
},
"V-34544": {
"checkid": "C-42735r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors) or view several alert records on organization's central audit log server.\nVerify the entries sent to the audit log include sufficient information to ascertain success or failure of the action or request (e.g., login, permission changes) of each event.\n\nIf the audit log event records do not include sufficient information to ascertain success or failure of the action/request of the event, this is a finding.",
"description": "It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Denied traffic must be logged. There may also be some instances where a packet that was permitted or another successful event (e.g., logon) should be logged to establish and correlate the series of events leading up to an outage or attack. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured IDPS.",
"fixid": "F-38783r1_fix",
"fixtext": "Configure the IDPS components to ensure entries sent to the audit log include the success/failure of the action or request (e.g., login, permission changes).",
"iacontrols": null,
"id": "V-34544",
"ruleID": "SV-45386r1_rule",
"severity": "low",
"title": "The IDPS must produce audit log records containing sufficient information to determine if the event was a success or failure.",
"version": "SRG-NET-000078-IDPS-00063"
},
"V-34545": {
"checkid": "C-42736r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors) or view several alert records on organization's central audit log server.\nSearch for events showing some or all of the following: timestamps, source and destination addresses, user/process identifiers, event descriptions, success or failure indications, file names involved, and access control or flow control rules invoked.\n\nIf the audit log event records do not include sufficient information to establish the identity of any user accounts associated with the event, this is a finding.",
"description": "Log record content that may be necessary to satisfy this requirement includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.",
"fixid": "F-38784r1_fix",
"fixtext": "Configure the IDPS components to ensure entries sent to the audit log include sufficient information to establish the identity of any user accounts associated with the event (e.g., timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked).",
"iacontrols": null,
"id": "V-34545",
"ruleID": "SV-45387r1_rule",
"severity": "low",
"title": "The IDPS must capture and log sufficient information to establish the identity of user accounts associated with the audit event.",
"version": "SRG-NET-000079-IDPS-00064"
},
"V-34546": {
"checkid": "C-42737r1_chk",
"checktext": "If the organization does not require organizationally defined additional information to be captured in the audit log from the IDPS, this is not a finding.\nExamine the audit log configuration on the IDPS components (including the sensors) or view several alert records on organization's central audit log server.\nVerify the entries sent to the audit log include organizationally defined additional information.\n\nIf the audit log event records do not include organizationally defined additional information, this is a finding.",
"description": "Audit record content that may be necessary to satisfy this requirement includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.",
"fixid": "F-38785r1_fix",
"fixtext": "Configure the IDPS components to ensure entries sent to the audit log include organizationally defined additional information. Organizational requirements for what audit events are required may be defined by type, location, or subject.",
"iacontrols": null,
"id": "V-34546",
"ruleID": "SV-45388r1_rule",
"severity": "low",
"title": "The IDPS must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events.",
"version": "SRG-NET-000080-IDPS-00065"
},
"V-34547": {
"checkid": "C-42738r1_chk",
"checktext": "Examine the audit log configuration on the IDPS components (including the sensors).\nVerify the IDPS components are configured to send audit events to the organization's central audit log server. \n\nIf the IDPS components are not configured to send audit events to the organization's central audit log server, this is a finding.",
"description": "The organization must centrally manage the content of audit records generated by organizationally defined IDPS components. Centrally managing audit data captured by the central management console and sensors provides for easier management of these events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of audit data can facilitate troubleshooting when problems are encountered and can assist in performing root cause analysis. A repository of audit data can also be correlated in real time to identify suspicious behavior or be archived for review at a later time for research and analysis. Without the ability to centrally manage events, troubleshooting and correlation of suspicious behavior will be difficult and may lead to or prolong the attack.\n\nTo support the auditing requirement, the IDPS account and audit management functions must be configured to transmit the audit events to the site's central audit server (e.g., SYSLOG server).",
"fixid": "F-38786r1_fix",
"fixtext": "Configure the IDPS components to ensure audit events are transmitted to the organization's central audit log server (e.g., SYSLOG server).",
"iacontrols": null,
"id": "V-34547",
"ruleID": "SV-45389r1_rule",
"severity": "low",
"title": "IDPS audit events must be transmitted to the organization's central audit log server.",
"version": "SRG-NET-000081-IDPS-00066"
},
"V-34548": {
"checkid": "C-42739r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The network element must allocate storage capacity to contain audit log records. Log records are critical because if space is not available the sensor may malfunction. The site would lose valuable data needed for investigating security incidents.\n\nThe central audit server configuration must include an allocation of space sufficient for the IDPS audit trail log. This configuration and allocation is not performed on the IDPS, thus this requirement is not applicable.",
"fixid": "F-38787r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34548",
"ruleID": "SV-45390r1_rule",
"severity": "low",
"title": "The network element allocates audit record storage capacity.",
"version": "SRG-NET-000082-IDPS-NA"
},
"V-34549": {
"checkid": "C-42740r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or simply identify an improperly configured network element. It is imperative the network element is configured to allocate enough log record storage capacity that it will not become exhausted. Without this capability, the site could lose valuable data needed for investigating security incidents.\n\nThe central audit server configuration must include an allocation of space sufficient for the IDPS audit trail log. This configuration is not performed on the IDPS, thus this requirement is not applicable.",
"fixid": "F-38788r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34549",
"ruleID": "SV-45391r1_rule",
"severity": "low",
"title": "The network element logging function must be configured to reduce the likelihood of audit log record capacity being exceeded.",
"version": "SRG-NET-000083-IDPS-NA"
},
"V-34550": {
"checkid": "C-42741r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The central audit server configuration must include an allocation of space sufficient for the network element audit trail log. The audit server must generate an alert when the capacity reaches an organizationally defined threshold. Without this notification, the system administrators may be unaware of an impending failure of the audit capability and system operation may be adversely affected.\n\nThe warning notice that the space allocated for IDPS audit trail storage is reaching maximum capacity must be sent to the administrators for both the organization's audit server and the IDPS. This configuration is not performed on the IDPS, thus this requirement is not applicable.",
"fixid": "F-38789r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34550",
"ruleID": "SV-45392r1_rule",
"severity": "low",
"title": "The network element must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity.",
"version": "SRG-NET-000084-IDPS-NA"
},
"V-34551": {
"checkid": "C-42742r1_chk",
"checktext": "View the list of alerts configured on the sensors. Determine if a real time alert is generated and sent to appropriate personnel upon audit log failure.\n\nIf the system does not provide a real-time alert when organizationally defined audit failure events occur, this is a finding.",
"description": "Auditing and logging are key components of any security architecture. System administrators need to be notified as soon as possible of events which may have adverse security implications. If auditing of user actions cannot occur because of an audit failure, forensic evidence provided by this critical part of the audit trail will be lost. \n\nThe warning notice that the space allocated for IDPS audit trail storage is reaching maximum capacity must be sent to the administrators for both the organization's audit log server and the IDPS. Because there can be a delay between the update of the central audit server and the IDPS application event, the best practice is to configure this alert to generate directly from the IDPS component. However, an alert from the organization's central audit log server is also acceptable provided it is real-time.",
"fixid": "F-38790r1_fix",
"fixtext": "Configure the IDPS to provide a real-time alert (e.g., via email) for organizationally defined audit failure events.",
"iacontrols": null,
"id": "V-34551",
"ruleID": "SV-45393r1_rule",
"severity": "low",
"title": "The IDPS must provide a real-time alert when organizationally defined audit failure events occur.",
"version": "SRG-NET-000085-IDPS-00067"
},
"V-34552": {
"checkid": "C-42743r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThe central audit server configuration must provide methods for preventing audit processing failures, such as traffic congestion and threshold management mechanisms. If the network element is compromised, the attack could involve sending a large volume of audit event messages in an attempt to overwhelm the audit server or other network elements. If this happens, the log server must be configured to detect excessive traffic volume from the network or the network element itself and take action. \n\nThis configuration is performed on the central audit logging server and is not applicable to the IDPS.",
"fixid": "F-38791r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34552",
"ruleID": "SV-45394r1_rule",
"severity": "low",
"title": "The network element must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged.",
"version": "SRG-NET-000086-IDPS-NA"
},
"V-34553": {
"checkid": "C-42744r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis control addresses the response of the audit logging function to audit processing failures. Traffic volume thresholds must be configured for the audit logs so traffic destined for the logs does not overwhelm the central logging server. \n\nPreventing audit processing failures for the central audit logging by rejecting or delaying network traffic is not the function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-38792r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34553",
"ruleID": "SV-45395r1_rule",
"severity": "low",
"title": "The network element must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization.",
"version": "SRG-NET-000087-IDPS-NA"
},
"V-34554": {
"checkid": "C-42745r1_chk",
"checktext": "View the list of configured alerts.\nVerify an alert is sent to designated personnel when the IDPS is unable to write to the central audit log server. \n\nIf the system does not send an alert to designated personnel when an audit processing failure occurs, this is a finding.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nIt is imperative that the IDPS is configured to generate an alarm which should notify system administrators of the audit processing failure. Possible audit processing failures include the inability of IDPS to write to the central audit log.",
"fixid": "F-38793r1_fix",
"fixtext": "Configure the IDPS to provide an alert to designated personnel when an audit processing failure is detected.",
"iacontrols": null,
"id": "V-34554",
"ruleID": "SV-45396r1_rule",
"severity": "low",
"title": "The IDPS must be configured to send an alert to designated personnel in the event of an audit processing failure.",
"version": "SRG-NET-000088-IDPS-00068"
},
"V-34555": {
"checkid": "C-42746r1_chk",
"checktext": "Review the IDPS configuration to determine if specific actions, as defined by the organization, are taken when an audit process fails. \n\nIf specific actions are not taken upon audit failure, this is a finding.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nIf an audit failure occurs, the IDPS must take the organizationally defined action, such as stopping the production of audit records, overwriting the oldest records, or purging the oldest records. The action selected determines which audit information is preserved (stopping preserves the existing records; overwriting or purging preserves the most recent ones) and should be chosen based on which audit information the organization needs to retain.",
"fixid": "F-38794r1_fix",
"fixtext": "Configure the IDPS components to take specific actions, as defined by the organization, when an audit process fails.",
"iacontrols": null,
"id": "V-34555",
"ruleID": "SV-45397r1_rule",
"severity": "low",
"title": "The IDPS must be capable of taking organizationally defined actions upon audit failure.",
"version": "SRG-NET-000089-IDPS-00069"
},
"V-34556": {
"checkid": "C-42747r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nIn order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple IDPS to acquire a clear understanding as to what happened or is happening. \n\nCollecting audit log data and presenting that data in a single, consolidated view achieves this objective. However, audit log analysis and review is not a function of the IDPS.",
"fixid": "F-38795r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34556",
"ruleID": "SV-45398r1_rule",
"severity": "low",
"title": "The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.",
"version": "SRG-NET-000090-IDPS-NA"
},
"V-34557": {
"checkid": "C-42748r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nIn order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple IDPS to acquire a clear understanding as to what happened or is happening. \n\nCollecting the audit log data and presenting the data in a single, consolidated view achieves this objective. However, this is not a function of the IDPS with regards to the audit log.",
"fixid": "F-38796r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34557",
"ruleID": "SV-45399r1_rule",
"severity": "low",
"title": "The network element must centralize the review and analysis of audit records from multiple network elements within the network.",
"version": "SRG-NET-000091-IDPS-NA"
},
"V-34558": {
"checkid": "C-42749r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. By immediately displaying an alarm message, potential security violations can be identified more quickly, even when administrators are not logged into the network element.\n\nAlerting is based on an anomaly analysis of the IDPS application audit log on the organization's central log server, thus this is not a function performed by the IDPS itself.",
"fixid": "F-38797r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34558",
"ruleID": "SV-45400r1_rule",
"severity": "low",
"title": "The network element must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications.",
"version": "SRG-NET-000092-IDPS-NA"
},
"V-34559": {
"checkid": "C-42751r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Log reduction is the capability of a system to consolidate, archive, and compress audit logs. This process saves space when saving these logs over a long time period. Log entries must not be removed from the log in order to reduce the size; however, the file may be compressed.\n\nAudit log reduction is configured on the IDPS application audit log on the organization's central log server, thus this is not a function performed by the IDPS itself.",
"fixid": "F-38799r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34559",
"ruleID": "SV-45402r1_rule",
"severity": "low",
"title": "Audit log reduction must be enabled on the network element.",
"version": "SRG-NET-000093-IDPS-NA"
},
"V-34560": {
"checkid": "C-42753r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. \n\nCollecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. Audit report generation should be performed on the IDPS application audit log on the organization's central log server, thus this is not a function performed by the IDPS itself.",
"fixid": "F-38801r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34560",
"ruleID": "SV-45404r1_rule",
"severity": "low",
"title": "The network element must provide a report generation capability for the audit log.",
"version": "SRG-NET-000094-IDPS-NA"
},
"V-34561": {
"checkid": "C-42754r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. \n\nCollecting log data and enabling personnel to filter the data based on selection criteria to produce a meaningful view achieves this objective. Audit report generation should be performed on the IDPS application audit log on the organization's central log server, thus this is not a function performed by the IDPS itself.",
"fixid": "F-38802r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34561",
"ruleID": "SV-45405r1_rule",
"severity": "low",
"title": "The network element must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria.",
"version": "SRG-NET-000095-IDPS-NA"
},
"V-34562": {
"checkid": "C-42759r2_chk",
"checktext": "Verify the IP address of the IDPS management console is on the management subnet.\n\nIf the IDPS central management console is not installed on the management network, this is a finding.",
"description": "The central management console (sometimes known as the management server or the database server) provides a central location to store, view, analyze, and produce detailed reports on alerts. This IDPS component must be installed on a protected network segment so that it is not reachable from normal user traffic.",
"fixid": "F-38807r2_fix",
"fixtext": "Move the IDPS central management console to the management network.",
"iacontrols": null,
"id": "V-34562",
"ruleID": "SV-45411r1_rule",
"severity": "medium",
"title": "The IDPS management console must be logically installed on the management network.",
"version": "SRG-NET-999999-IDPS-00238"
},
"V-34563": {
"checkid": "C-42761r2_chk",
"checktext": "Verify a management server is installed as part of the IDPS.\nVerify the sensors are configured to transmit logs to the management server.\n\nIf a centralized management server that compiles data from the agents and sensors is not used, this is a finding.",
"description": "Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that the individual sensors or agents cannot. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Management servers are available as both appliance and software-only products. Some small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments, there are often multiple management servers, and in some cases there are two tiers of management servers. Centralized audit and log records are essential for quickly investigating network attacks.",
"fixid": "F-38809r1_fix",
"fixtext": "Install and configure an IDPS centralized management server.",
"iacontrols": null,
"id": "V-34563",
"ruleID": "SV-45412r1_rule",
"severity": "medium",
"title": "The IDPS must provide a centralized management console/server that consolidates sensor logs from the agents and sensors.",
"version": "SRG-NET-999999-IDPS-00237"
},
"V-34564": {
"checkid": "C-42762r1_chk",
"checktext": "If the site does not have a WIDS installed, this is a finding.\n\nVerify the WIDS is configured to monitor the entire spectrum for unauthorized (rogue) devices.\n\nIf the site does not have a wireless IDPS configured to monitor the radio frequency spectrum for unauthorized WLAN devices, this is a finding.",
"description": "Unauthorized WLAN devices threaten the network in a variety of ways. If an unauthorized access point is installed on the network, people may use it to access network resources, thus bypassing perimeter security controls. If an unauthorized access point is installed in the site\u2019s vicinity, even if not connected to a DoD network, then users may unknowingly or inadvertently connect. Once this connection occurs, the user\u2019s traffic may be diverted to spoofed web sites and other servers to capture authentication credentials and restricted data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site\u2019s WLAN infrastructure or other network devices with improperly configured Wi-Fi interfaces.\n\nDoDD 8100.2 requires all DoD networks use a wireless IDPS to monitor for unauthorized wireless devices. The policy for installing a wireless sensor is an architecture requirement which is out of scope for the technical STIG. However, this control requires the configuration of the wireless sensors to include the entire radio spectrum, not just the authorized wireless frequencies. The wireless monitoring must cover all WLAN frequencies. The WLAN frequency bands and channels allowed vary by country, so the WIDS must cover all channels permitted in the country where the equipment is deployed, not only the channels the site itself uses. For example, the allowed WLAN channels are different in the U.S., Japan, and many European countries.",
"fixid": "F-38810r1_fix",
"fixtext": "Install and operate a wireless sensor(s). Configure the IDPS to monitor the entire radio spectrum for unauthorized wireless access points and other wireless devices.",
"iacontrols": null,
"id": "V-34564",
"ruleID": "SV-45413r1_rule",
"severity": "medium",
"title": "The site must monitor the radio frequency spectrum for unauthorized WLAN devices.",
"version": "SRG-NET-999999-IDPS-00236"
},
"V-34565": {
"checkid": "C-42763r1_chk",
"checktext": "Verify the IDPS is included in the site backup plan.\nVerify files are periodically backed-up in accordance with an organizationally defined schedule.\nVerify the backup job is scheduled to perform automatically without system administrator intervention.\nVerify the backup is configured to a different system or off-line media.\n\nIf the system is not configured to backup log records at an organizationally defined frequency onto a different system or media, this is a finding.",
"description": "Sensor event logging is a key component of any security architecture. An attack may cause corruption or delete the active events log. Maintaining a backup of the logs will minimize the loss of data needed for incident investigation, forensics analysis, or operational trend analysis.",
"fixid": "F-38811r1_fix",
"fixtext": "Configure a backup job to automatically back up the system level and sensor event log records for all components periodically on a schedule identified by the DAA or designated representative.\nConfigure the backup to direct the log files to a different system or off-line media, so that an attack that corrupts or deletes the active logs cannot also destroy the backup copy.",
"iacontrols": null,
"id": "V-34565",
"ruleID": "SV-45414r1_rule",
"severity": "low",
"title": "The IDPS must backup system level and sensor event log records at an organizationally defined frequency onto a different system or media.",
"version": "SRG-NET-999999-IDPS-00235"
},
"V-34566": {
"checkid": "C-42765r1_chk",
"checktext": "Verify only authorized system administrators have permission to access the audit tool functionality on the IDPS and components. \n\nIf users who are not authorized IDPS administrators have permission to access the audit tools, this is a finding.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. It is imperative the auditing tools be secured and can only be accessed by authorized personnel.",
"fixid": "F-38813r1_fix",
"fixtext": "Configure the IDPS permissions and groups, so only authorized system administrators have permission to access audit tools and functionality installed on the IDPS and components.",
"iacontrols": null,
"id": "V-34566",
"ruleID": "SV-45416r1_rule",
"severity": "low",
"title": "The IDPS must protect audit tools installed on the IDPS components from unauthorized access.",
"version": "SRG-NET-999999-IDPS-00234"
},
"V-34567": {
"checkid": "C-42767r1_chk",
"checktext": "Verify a security policy for the sensor event logs is in place which allows only system administrators with the proper authorization to delete the sensor log on the sensors and management console.\n\nIf event logs are not protected from unauthorized deletion, this is a finding.",
"description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Sensor event log data must be protected from unauthorized access, including from legitimate administrators who do not need this type of access. Unauthorized deletion of logs or events may destroy or obscure evidence of an attack. Event log and sensor log entries should not be deleted without a clear audit trail and an approval process.\n\nSensor log deletion, when performed directly by system administrators, must generate an audit log entry in compliance with CCI-000172.",
"fixid": "F-38814r1_fix",
"fixtext": "Create and implement an access control security policy to prevent unauthorized deletion of the sensor event logs on the management console and sensors.",
"iacontrols": null,
"id": "V-34567",
"ruleID": "SV-45418r1_rule",
"severity": "medium",
"title": "The IDPS must protect sensor event logs from unauthorized deletion.",
"version": "SRG-NET-999999-IDPS-00233"
},
"V-34568": {
"checkid": "C-42769r1_chk",
"checktext": "Verify a security policy for the sensor event logs is in place which allows only system administrators with the proper authorization to modify the sensor log on the sensors and management console.\n\nIf event logs are not protected from unauthorized modification, this is a finding.",
"description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Event log data must be protected from unauthorized access, including from legitimate administrators who do not need this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment is possible.\n\nDirect sensor log modification is not recommended. If it becomes necessary for operational or mission essential reasons, the modification action must generate an audit log entry in compliance with CCI-000172.",
"fixid": "F-38816r1_fix",
"fixtext": "Create and implement an access control security policy to prevent unauthorized modification of the sensor event logs on the management console and sensors.",
"iacontrols": null,
"id": "V-34568",
"ruleID": "SV-45419r1_rule",
"severity": "medium",
"title": "The IDPS must protect the sensor event log information from unauthorized modification.",
"version": "SRG-NET-999999-IDPS-00232"
},
"V-34569": {
"checkid": "C-42771r1_chk",
"checktext": "Verify a security policy for the sensor event logs is in place which allows only system administrators with the proper authorization to read the sensor log on the sensors and management console.\n\nIf sensor event logs are not protected from unauthorized read access, this is a finding.",
"description": "Event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Event log data must be protected from unauthorized access, including from legitimate administrators who do not need this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment is possible.",
"fixid": "F-38819r1_fix",
"fixtext": "Create and implement an access control security policy to prevent unauthorized read access of the sensor event logs on the management console and sensors.",
"iacontrols": null,
"id": "V-34569",
"ruleID": "SV-45422r1_rule",
"severity": "medium",
"title": "The IDPS must protect sensor event log information from unauthorized read access.",
"version": "SRG-NET-999999-IDPS-00231"
},
"V-34570": {
"checkid": "C-42773r1_chk",
"checktext": "Inspect each sensor. Verify the sensors are configured to use the internal system clock to generate the date/timestamp included with the event log entry.\n\nIf the system is not configured to use internal system clocks to generate timestamps for sensor event records, this is a finding.",
"description": "Sensor event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from the IDPS to acquire a clear understanding as to what happened or is happening. In order to correlate, timestamps are needed on all of the log records.",
"fixid": "F-38821r1_fix",
"fixtext": "For each sensor, configure the device to use the internal system clock to generate the date/timestamp included with the event log entry.",
"iacontrols": null,
"id": "V-34570",
"ruleID": "SV-45424r1_rule",
"severity": "low",
"title": "The IDPS must use internal system clocks to generate timestamps for sensor event records.",
"version": "SRG-NET-999999-IDPS-00230"
},
"V-34571": {
"checkid": "C-42775r1_chk",
"checktext": "Verify the IDPS components, including sensors, are configured to use the internal system clock to generate the date/timestamp included with the audit log entry.\n\nIf IDPS components are not configured to use internal system clocks to generate timestamps for audit records, this is a finding.",
"description": "In order to determine what is happening within the network infrastructure or to resolve and trace an attack, the IDPS must support the organization's capability to correlate the audit log data from multiple IDPS components to acquire a clear understanding of events. In order to correlate auditable events, timestamps are needed on all of the log records.",
"fixid": "F-38822r1_fix",
"fixtext": "Configure all IDPS components, including sensors, to use the internal system clock to generate the date/timestamp included with the audit log entry.",
"iacontrols": null,
"id": "V-34571",
"ruleID": "SV-45425r1_rule",
"severity": "low",
"title": "The IDPS must use internal system clocks to generate timestamps for audit records.",
"version": "SRG-NET-000096-IDPS-00070"
},
"V-34572": {
"checkid": "C-42776r1_chk",
"checktext": "Verify two NTP servers have been defined by checking the IDPS configuration. View the configuration and verify time synchronization occurs.\n\nIf the IDPS does not synchronize internal system clocks on an organizationally defined frequency with an NTP server, this is a finding.",
"description": "The various components within the network infrastructure providing the log records must have their clocks synchronized using a common time reference, so the events can be correlated in exact order of time. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If sensor logs cannot be correlated with the routers, switches, and firewalls, it may not be possible to trace all the damage caused by a network breach. \n\nThe IDPS must be configured to use a minimum of two Network Time Protocol (NTP) servers to synchronize time. NTP provides an efficient and scalable method for network elements to synchronize to an accurate time source.",
"fixid": "F-38824r1_fix",
"fixtext": "Specify two NTP server IP addresses on the device in the IDPS configuration.",
"iacontrols": null,
"id": "V-34572",
"ruleID": "SV-45427r1_rule",
"severity": "low",
"title": "The IDPS must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source.",
"version": "SRG-NET-000097-IDPS-00071"
},
"V-34573": {
"checkid": "C-42777r2_chk",
"checktext": "Verify sensor rules (local and vendor-provided) can be configured and/or selected at the sensor level. \nVerify the IDPS sensors have the capability to be configured with separate rule sets.\n\nIf the IDPS does not allow administrators to select which rule sets are to be applied at the sensor level, this is a finding.",
"description": "All sensors of the IDPS must be configurable with the organizationally defined rules. This requirement does not require each sensor be configured with separate rule sets; however, this capability must be available to meet the need to respond to future attack vectors. If administrators do not have granular control of the rules to be applied on each sensor and logged for later analysis, then malicious attacks may be missed.",
"fixid": "F-38825r1_fix",
"fixtext": "Configure the sensors with rule sets according to the security policy of the network segment or VLAN.",
"iacontrols": null,
"id": "V-34573",
"ruleID": "SV-45428r1_rule",
"severity": "medium",
"title": "The IDPS must allow administrators to select which rule sets are to be applied at the sensor level.",
"version": "SRG-NET-999999-IDPS-00229"
},
"V-34574": {
"checkid": "C-42779r1_chk",
"checktext": "Verify a security policy for the audit logs is in place which allows only system administrators with the proper authorization to read the audit log on the sensors and management console. \n\nIf audit logs are not protected from unauthorized read access, this is a finding.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nAudit event log data must be protected from unauthorized access, including from legitimate administrators who do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment is possible.",
"fixid": "F-38827r1_fix",
"fixtext": "Create and implement an access control security policy to prevent unauthorized read access of the audit logs on the management console and sensors.",
"iacontrols": null,
"id": "V-34574",
"ruleID": "SV-45430r1_rule",
"severity": "low",
"title": "The IDPS must protect application audit event log information from unauthorized read access.",
"version": "SRG-NET-000098-IDPS-00072"
},
"V-34575": {
"checkid": "C-42780r1_chk",
"checktext": "Verify the central management server has the capability to set up jobs or automatically generate reports based on organizationally defined criteria.\n\nIf the IDPS management console used cannot be configured to automatically process log records and produce customized reports, this is a finding.",
"description": "Sensor event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative that the data from multiple sensors be correlated. Collecting log data and enabling personnel to filter the data based on selection criteria to produce a meaningful view achieves this objective.",
"fixid": "F-38828r1_fix",
"fixtext": "Use an IDPS that has the capability to automatically process log records for events of interest; or install a forensics or aggregation server that provides this service. ",
"iacontrols": null,
"id": "V-34575",
"ruleID": "SV-45431r1_rule",
"severity": "low",
"title": "The IDPS must provide the capability to automatically process sensor log records for events of interest based upon selectable criteria.",
"version": "SRG-NET-999999-IDPS-00228"
},
"V-34576": {
"checkid": "C-42782r1_chk",
"checktext": "Verify a security policy for the audit logs is in place which allows only system administrators with the proper authorization to modify the audit log on the sensors and management console. \n\nIf audit logs are not protected from unauthorized modification, this is a finding.",
"description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment could occur.",
"fixid": "F-38829r1_fix",
"fixtext": "Create and implement an access control security policy to prevent unauthorized modification of the audit logs on the management console and sensors.",
"iacontrols": null,
"id": "V-34576",
"ruleID": "SV-45432r1_rule",
"severity": "low",
"title": "The IDPS must protect application audit log information from unauthorized modification.",
"version": "SRG-NET-000099-IDPS-00073"
},
"V-34577": {
"checkid": "C-42783r1_chk",
"checktext": "Verify the management console has the capability to consolidate, archive and/or compress sensor event logs. Verify this log reduction capability is enabled.\n\nIf the management console does not have sensor log reduction enabled, this is a finding.",
"description": "Log reduction is the capability of a system to consolidate, archive and compress audit logs. This process saves space when saving these logs over a long time period. Log entries must not be removed from the log in order to reduce the size; however, the file may be compressed.",
"fixid": "F-38831r1_fix",
"fixtext": "Enable log reduction on the management console for sensor log storage.",
"iacontrols": null,
"id": "V-34577",
"ruleID": "SV-45434r1_rule",
"severity": "low",
"title": "The IDPS must provide a log reduction capability for the sensor events log.",
"version": "SRG-NET-999999-IDPS-00227"
},
"V-34578": {
"checkid": "C-42785r1_chk",
"checktext": "Verify a security policy for the audit logs is in place which allows only system administrators with the proper authorization to delete the audit log on the sensors and management console. \n\nIf audit logs are not protected from unauthorized deletion, this is a finding.",
"description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who do not have a need for this type of access. Unauthorized deletion of logs or events may obfuscate evidence of an attack. Event log entries must not be deleted.",
"fixid": "F-38833r1_fix",
"fixtext": "Create and implement an access control security policy to prevent unauthorized deletion of the audit logs on the management console and sensors.",
"iacontrols": null,
"id": "V-34578",
"ruleID": "SV-45436r1_rule",
"severity": "low",
"title": "The IDPS must protect application audit logs from unauthorized deletion.",
"version": "SRG-NET-000100-IDPS-00074"
},
"V-34579": {
"checkid": "C-42786r1_chk",
"checktext": "Inspect the management console. Verify sensor event analysis tools are installed or integrated which provide review, analysis, and reporting.\n\nIf the management console or other IDPS component does not have tools which allow sensor event review, analysis, and reporting of sensor log events, this is a finding.",
"description": "Sensor event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from the IDPS to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective.",
"fixid": "F-38834r1_fix",
"fixtext": "Install a management console/server with event tools for sensor event review, analysis, and reporting.",
"iacontrols": null,
"id": "V-34579",
"ruleID": "SV-45437r1_rule",
"severity": "low",
"title": "The IDPS must integrate event review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.",
"version": "SRG-NET-999999-IDPS-00226"
},
"V-34580": {
"checkid": "C-42787r1_chk",
"checktext": "Verify only authorized system administrators have permission to modify audit tools. \n\nIf users who are not authorized IDPS administrators have permission to modify the audit tools, this is a finding.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. It is imperative the auditing tools are secured and can only be accessed by authorized personnel.",
"fixid": "F-38835r1_fix",
"fixtext": "Configure the IDPS permissions and groups so only authorized system administrators have permission to modify audit tools and functionality installed on the IDPS and components.",
"iacontrols": null,
"id": "V-34580",
"ruleID": "SV-45438r1_rule",
"severity": "medium",
"title": "The IDPS must protect audit tools from unauthorized modification.",
"version": "SRG-NET-000102-IDPS-00075"
},
"V-34581": {
"checkid": "C-42789r1_chk",
"checktext": "Verify the management console and sensors are set to either stop generating log records or overwrite the oldest log records when a log failure occurs.\n\nIf the system is not configured to either stop generating log records or overwrite the oldest log records when a log failure occurs, this is a finding.",
"description": "Sensor event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. To preserve recent log information, if an audit failure occurs, the IDPS must either stop producing audit records or overwrite or purge the oldest records.",
"fixid": "F-38837r1_fix",
"fixtext": "Configure the IDPS components to either stop generating log records or overwrite the oldest log records when a sensor log failure occurs.",
"iacontrols": null,
"id": "V-34581",
"ruleID": "SV-45440r1_rule",
"severity": "low",
"title": "The IDPS must be configured to stop generating sensor log records or overwrite the oldest log records when a log failure occurs.",
"version": "SRG-NET-999999-IDPS-00225"
},
"V-34582": {
"checkid": "C-42791r1_chk",
"checktext": "Verify only authorized system administrators have permission to delete audit tools. \n\nIf users who are not authorized IDPS administrators are able to delete the audit tools, this is a finding.",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised it could provide attackers with the capability to manipulate log data. It is imperative for audit tools to be controlled and protected from unauthorized modification. Audit tools include, but are not limited to, OS provided audit tools, vendor provided audit tools and open source audit tools needed to successfully view and manipulate audit information system activity and records.",
"fixid": "F-38838r1_fix",
"fixtext": "Configure the IDPS permissions and groups, so only authorized system administrators have permission to delete audit tools and functionality installed on the IDPS and components.",
"iacontrols": null,
"id": "V-34582",
"ruleID": "SV-45441r1_rule",
"severity": "medium",
"title": "The IDPS must protect audit tools from unauthorized deletion.",
"version": "SRG-NET-000103-IDPS-00076"
},
"V-34583": {
"checkid": "C-42792r1_chk",
"checktext": "Verify the IDPS components are set to send an email or other alert if the log becomes full and new log entries cannot be written.\n\nIf the system is not configured to send an alert to designated personnel in the event of an audit processing failure, this is a finding.",
"description": "Sensor event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an IDPS that has been configured improperly. It is imperative that the IDPS is configured to generate an alarm when an audit failure occurs.",
"fixid": "F-38840r1_fix",
"fixtext": "Configure the IDPS components to send an email or other alert if new log entries cannot be written to the log.",
"iacontrols": null,
"id": "V-34583",
"ruleID": "SV-45443r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to send an alert to designated personnel in the event the sensor log fails to function.",
"version": "SRG-NET-999999-IDPS-00224"
},
"V-34584": {
"checkid": "C-42793r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "It is imperative the collected log data from the various network elements is secured and stored on write-once media for safekeeping.\n\nThis is not applicable for IDPS. Sensor logs are aggregated onto a separate partition on the management console and are then backed-up in accordance with CCI-000537 and CCI-001348.",
"fixid": "F-38841r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34584",
"ruleID": "SV-45444r1_rule",
"severity": "low",
"title": "The network element must produce audit records on hardware-enforced write-once media.",
"version": "SRG-NET-000104-IDPS-NA"
},
"V-34585": {
"checkid": "C-42795r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.\n\nBackup of the audit log is not a function of the IDPS.",
"fixid": "F-38843r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34585",
"ruleID": "SV-45446r1_rule",
"severity": "low",
"title": "The network element must backup system level audit event log records on an organizationally defined frequency onto a different system or media.",
"version": "SRG-NET-000105-IDPS-NA"
},
"V-34586": {
"checkid": "C-42797r1_chk",
"checktext": "Examine the cryptographic module used for storing and transmitting event audit logs.\nVerify the cryptographic module is configured to use a hashing algorithm (e.g., SHA-2 or MD5) combined with asymmetric cryptography (i.e., a signed hash).\n\nIf audit logs are not configured to use hashing algorithms which use asymmetric cryptography, this is a finding.",
"description": "Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network monitoring. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.\n\nThis control requires the configuration of a cryptographic module with strong integrity protection. Integrity protection is provided by the hashing algorithm used by the cryptographic module. Use of FIPS-validated or NSA-approved cryptography as required by CCI-001144 will ensure compliance. \n\nEncryption of active log files (collection) is not a common capability, especially on systems that generate large volumes of events such as an IDPS. This requirement is only applicable if cryptography is required by the data owner or organizational policy.",
"fixid": "F-38845r1_fix",
"fixtext": "Configure audit logs to use hashing algorithms which use asymmetric cryptography in storage and during transmission.",
"iacontrols": null,
"id": "V-34586",
"ruleID": "SV-45448r1_rule",
"severity": "medium",
"title": "The IDPS must use cryptographic mechanisms to protect the integrity of audit log information.",
"version": "SRG-NET-000106-IDPS-00077"
},
"V-34587": {
"checkid": "C-42799r2_chk",
"checktext": "If audit tools are not installed on the IDPS, this is not a finding.\n\nExamine the configuration of audit tools installed on the management console.\nVerify the cryptographic module is configured to use a hashing algorithm (e.g., SHA-2 or MD5) combined with asymmetric cryptography (i.e., a signed hash) for audit tools.\n\nIf audit tools installed on the management console are not configured to use hashing algorithms which use asymmetric cryptography, this is a finding.",
"description": "Audit tools provide services, such as audit reduction, reporting, or analysis. Without mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected data garnered from these tools is not fully protected. Mechanisms, such as a signed hash using asymmetric cryptography, must be used to protect the integrity of the audit tools used for audit reduction and reporting.\n\nAudit tools integrated into the IDPS must use cryptographic mechanisms to protect and store audit information transmitted or stored by these tools.",
"fixid": "F-38847r1_fix",
"fixtext": "Configure audit tools installed on the IDPS management console/server to use hashing algorithms which use asymmetric cryptography for audit tools.",
"iacontrols": null,
"id": "V-34587",
"ruleID": "SV-45450r1_rule",
"severity": "low",
"title": "The IDPS must use cryptography to protect the integrity of audit tools.",
"version": "SRG-NET-000107-IDPS-00078"
},
"V-34588": {
"checkid": "C-42801r1_chk",
"checktext": "View the audit log for the IDPS management console.\nPerform a search to verify the existence of log entries showing administrative user logins for the sensors and management console interfaces.\nPerform a search for examples of IDPS configuration changes in the existing log entries.\n\nIf system administrator logins and changes to the IDPS are not captured, this is a finding.",
"description": "This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the IDPS are logged; and system administrators authenticate with 2-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement.\n\nTo meet this requirement, the IDPS must log administrator access and activity.",
"fixid": "F-38849r1_fix",
"fixtext": "Configure the audit log to capture system administrator login events.\nConfigure the audit log to capture configuration changes to the IDPS application.",
"iacontrols": null,
"id": "V-34588",
"ruleID": "SV-45452r1_rule",
"severity": "low",
"title": "The IDPS protects against an individual falsely denying having performed a particular action.",
"version": "SRG-NET-000108-IDPS-00079"
},
"V-34589": {
"checkid": "C-42802r1_chk",
"checktext": "Identify how the IDPS is configured for this notification. Verify the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in. Verify the device is capable of generating the alarm or alert and notification as described.\n\nIf the system does not provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum capacity, this is a finding.",
"description": "It is imperative the IDPS be configured to allocate storage capacity to contain sensor event log records and an alert be generated when the capacity reaches an organizationally defined threshold. Without this capability, the site could lose valuable data needed for investigating security incidents.",
"fixid": "F-38850r1_fix",
"fixtext": "Configure the IDPS to alert when the sensor event log reaches an organizationally defined capacity.",
"iacontrols": null,
"id": "V-34589",
"ruleID": "SV-45453r1_rule",
"severity": "low",
"title": "The IDPS must provide a warning when the sensor event logging storage capacity reaches an organizationally defined maximum capacity.",
"version": "SRG-NET-999999-IDPS-00223"
},
"V-34591": {
"checkid": "C-42804r1_chk",
"checktext": "Verify a mechanism controlling the spooling of IDPS sensor event log data to a central log server. Verify spooling is configured to move the data from the sensor's event log to the central log before the sensor log capacity is exceeded.\n\nIf the logging function is not configured to reduce the risk of exceeding log capacity, this is a finding.",
"description": "Event logging is a key function of the IDPS. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the IDPS is configured to allocate enough log record storage capacity that it will not become exhausted. Without this capability, the site could lose valuable data needed for investigating security incidents.",
"fixid": "F-38852r1_fix",
"fixtext": "Configure the sensors to spool the log data before data overflow occurs.",
"iacontrols": null,
"id": "V-34591",
"ruleID": "SV-45455r1_rule",
"severity": "low",
"title": "The IDPS sensor event logging function must reduce the likelihood of log record capacity being exceeded.",
"version": "SRG-NET-999999-IDPS-00222"
},
"V-34592": {
"checkid": "C-42805r1_chk",
"checktext": "Verify a management server (base) is installed as part of the IDPS.\nVerify the sensors are configured to transmit audit logs either directly to the organization's central log server or to the central management server.\n\nIf a centralized management server that compiles data from the agents and sensors is not used, this is a finding.",
"description": "Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that the individual sensors or agents cannot. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Management servers are available as both appliance and software-only products. Some small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments, there are often multiple management servers, and in some cases there are two tiers of management servers. Centralized audit and log records are essential for quickly investigating network attacks.\n\nThe IDPS must compile audit event data from the agents and sensors.",
"fixid": "F-38853r1_fix",
"fixtext": "Install and configure a centralized management server.",
"iacontrols": null,
"id": "V-34592",
"ruleID": "SV-45456r1_rule",
"severity": "low",
"title": "The IDPS must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within organizationally defined level of tolerance for relationship between timestamps of individual records in the audit trail.",
"version": "SRG-NET-000110-IDPS-00080"
},
"V-34593": {
"checkid": "C-42806r1_chk",
"checktext": "If the organization's central log server provides the aggregation and formatting of the audit log (rather than an IDPS management console), this is not a finding.\n\nExamine the management console or server where the system-wide application audit trail is aggregated. (Ideally, this will be the site's silo server; however it can be the management console or another database).\nVerify audit log uses a standardized format or protocol (e.g., SYSLOG or well-known database).\n\nIf IDPS does not produce a system-wide audit trail for the application audit logs, this is a finding. If the IDPS log is not produced by the system in a standard industry format, this is a finding.",
"description": "Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the IDPS becomes unable to write events to the audit log, this is known as an audit processing failure. Audit processing failures include software and hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThe IDPS consists of a management console/server which aggregates the application audit trail log from the sensors and management server. The audit trail log is the application log rather than the sensor events log. The IDPS will also aggregate the sensor event logs from all the sensors onto the management console/server. Centralized audit and log records are essential for quickly investigating network attacks.",
"fixid": "F-38854r1_fix",
"fixtext": "Configure the audit log settings to produce a system-wide, aggregated application audit log.\nSelect an industry standard format for the audit log.",
"iacontrols": null,
"id": "V-34593",
"ruleID": "SV-45457r1_rule",
"severity": "low",
"title": "The IDPS must produce a system-wide audit trail composed of log records in a standardized format.",
"version": "SRG-NET-000112-IDPS-00081"
},
"V-34594": {
"checkid": "C-42808r1_chk",
"checktext": "Obtain a list of organizationally defined events which should be logged.\nSearch for a sampling of these events in the audit log entries.\n\nIf the IDPS audit log records do not show audit events for the organizationally defined events, this is a finding.",
"description": "Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Many events such as configuration changes and login success or failure are mandated by this control; however organizations may also define additional events for logging.",
"fixid": "F-38855r1_fix",
"fixtext": "Create a list of organizationally defined audit events which should be logged.\nConfigure the IDPS components to log the required events.",
"iacontrols": null,
"id": "V-34594",
"ruleID": "SV-45458r1_rule",
"severity": "low",
"title": "The IDPS must provide audit record generation capability for organizationally defined auditable events occurring within IDPS.",
"version": "SRG-NET-000113-IDPS-00082"
},
"V-34595": {
"checkid": "C-42809r1_chk",
"checktext": "Examine the sensor log configuration.\nVerify a dedicated amount of space has been allocated for the sensor events log and this space is not usable by other applications or processes.\n\nIf the system is not configured to allocate sensor events log record storage capacity, this is a finding.",
"description": "The IDPS must allocate enough storage capacity to contain log records. Log records on the sensors are critical. If the log storage capacity is exceeded, the sensor may malfunction or shutdown. The site would lose valuable data needed for investigating security incidents.",
"fixid": "F-38857r1_fix",
"fixtext": "Configure the IDPS to allocate space that is dedicated to sensor log record storage.",
"iacontrols": null,
"id": "V-34595",
"ruleID": "SV-45460r1_rule",
"severity": "low",
"title": "The IDPS must allocate sensor log record storage capacity.",
"version": "SRG-NET-999999-IDPS-00221"
},
"V-34596": {
"checkid": "C-42811r1_chk",
"checktext": "Obtain a list of organizationally defined events which should be logged.\nVerify this list of events is configured for logging by viewing the IDPS event alert functionality.\n\nIf the IDPS does not allow administrators to select which auditable events are logged, this is a finding.",
"description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. All sensors of the IDPS must be configurable with the organizationally defined rules. \n\nThis requirement does not require each sensor be configured with separate rule sets; however, this capability must be available to meet the need to respond to future attack vectors. If administrators do not have granular control of the rules to be applied and logged for later analysis, then malicious attacks may be missed.",
"fixid": "F-38858r1_fix",
"fixtext": "Configure the IDPS with organizationally defined audit events.",
"iacontrols": null,
"id": "V-34596",
"ruleID": "SV-45461r1_rule",
"severity": "low",
"title": "The IDPS must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.",
"version": "SRG-NET-000114-IDPS-00083"
},
"V-34597": {
"checkid": "C-42813r1_chk",
"checktext": "Verify a management console or server is used to manage the configuration and events logs for all sensors. \n\nIf sensor configuration and events cannot be managed centrally, this is a finding.",
"description": "Centrally managing data captured by the various sensors provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of event data can facilitate troubleshooting when problems are encountered and can assist in performing root cause analysis. A repository of data can also be correlated in real time to identify suspicious behavior or to be archived for review at a later time for research and analysis.\n\nIDPS sensors are managed from a maintenance console or server installed on the management network. Configuration and management of the sensor configuration, except for initial network configuration, must be performed through accessing the management console. Without the ability to centrally manage events, troubleshooting and correlation of suspicious behavior will be difficult and may lead to or prolong an attack.",
"fixid": "F-38860r1_fix",
"fixtext": "Install and configure a management console to provide central management of sensor events.",
"iacontrols": null,
"id": "V-34597",
"ruleID": "SV-45463r1_rule",
"severity": "medium",
"title": "The IDPS must support the requirement to centrally manage the events from multiple sensor queues. ",
"version": "SRG-NET-999999-IDPS-00220"
},
"V-34598": {
"checkid": "C-42814r1_chk",
"checktext": "Verify log view setting can be reorganized to view the log entries by type, location or subject.\nVerify the sensor logs categorize each event logged by a minimum event type, location, and a description of the event.\n\nIf sensor logs entries do not include a minimum of event type, location, and a description of the event for each event captured, this is a finding.",
"description": "Sensor event logs must be configured to capture all organizationally defined information deemed necessary for possible event investigation and traceability. This additional information may include timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.",
"fixid": "F-38861r1_fix",
"fixtext": "Configure the sensors and central management server to categorize each alert. Alerts will include event type, location, and a description of the event.",
"iacontrols": null,
"id": "V-34598",
"ruleID": "SV-45464r1_rule",
"severity": "low",
"title": "The IDPS must capture and log organizationally defined additional information (identified by type, location, or subject) to the records for sensor events.",
"version": "SRG-NET-999999-IDPS-00219"
},
"V-34599": {
"checkid": "C-42812r1_chk",
"checktext": "Obtain a list of organizationally defined events which must be logged.\nExamine the audit log configuration.\nVerify events are configured based on the specific system component.\n\nIf the IDPS is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.",
"description": "Logging specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Locally developed sensor rules may be developed incorrectly and may not be configured for proper alerting. These rules implement organizationally defined security policies and are used to tailor the IDPS sensors to meet organizational requirements not provided by default vendor rules and updates (e.g., IAVMs).",
"fixid": "F-38862r1_fix",
"fixtext": "Configure the IDPS, so events are audited based on the specific component of the system.",
"iacontrols": null,
"id": "V-34599",
"ruleID": "SV-45465r1_rule",
"severity": "low",
"title": "The IDPS must generate audit log events for a locally developed list of auditable events.",
"version": "SRG-NET-000115-IDPS-00084"
},
"V-34600": {
"checkid": "C-42815r1_chk",
"checktext": "Examine the IDPS central sensor log.\nSearch for events showing some or all of the following is being logged, as applicable, to the existing entries: timestamps, source and destination addresses, user or process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.\n\nIf sufficient information to establish the identity of any user accounts associated with the event is not captured and logged, this is a finding.",
"description": "Log records content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.",
"fixid": "F-38863r1_fix",
"fixtext": "Configure the IDPS to capture and log the following at a minimum: timestamps, source and destination addresses, user or process identifiers, event descriptions, success or failure indications, file names involved, and access control or flow control rules invoked.",
"iacontrols": null,
"id": "V-34600",
"ruleID": "SV-45466r1_rule",
"severity": "low",
"title": "The IDPS must capture and log sufficient information to establish the identity of any user accounts associated with the sensor log event.",
"version": "SRG-NET-999999-IDPS-00218"
},
"V-34601": {
"checkid": "C-42816r1_chk",
"checktext": "Verify only authorized users have permissions for changes, deletes and updates on the IDPS.\nInspect the maintenance log to verify changes are being made only by the system administrators.\n\nIf unauthorized users are allowed to change the hardware or application software, this is a finding.",
"description": "Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades. This requirement applies to update of the application files, configuration, and signatures.",
"fixid": "F-38864r1_fix",
"fixtext": "Configure the IDPS to enforce access restrictions associated with changes to the system components.",
"iacontrols": null,
"id": "V-34601",
"ruleID": "SV-45467r1_rule",
"severity": "medium",
"title": "The IDPS must enforce access restrictions associated with changes to the system components.",
"version": "SRG-NET-000118-IDPS-00085"
},
"V-34602": {
"checkid": "C-42817r1_chk",
"checktext": "Examine the aggregated sensor event log on the management console.\nView entries for several alerts. \nVerify the events being captured in the sensor logs include the success or failure of the action or request (e.g., login, permission changes) of each event.\n\nIf the log events do not include the success or failure of the action or request (e.g., login, permission changes), this is a finding.",
"description": "Denied traffic must be logged. There may also be some instances where a packet that was permitted or another successful event (e.g., logon) should be logged to establish and correlate the series of events leading up to an outage or attack. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS.",
"fixid": "F-38865r1_fix",
"fixtext": "Configure the sensor event log, so entries in the logs include the success or failure of the action or request (e.g., login, permission changes).",
"iacontrols": null,
"id": "V-34602",
"ruleID": "SV-45468r1_rule",
"severity": "low",
"title": "The IDPS must produce sensor log records containing sufficient information to determine if the event was a success or failure.",
"version": "SRG-NET-999999-IDPS-00217"
},
"V-34603": {
"checkid": "C-42818r1_chk",
"checktext": "Verify automated mechanisms are used to enable access restrictions to the hardware and software for the management console and sensors.\nVerify security group membership is used when assigning permissions to update and change software on the management console and sensors.\nVerify members of this security group are specifically authorized system administrators with a need for this type of access.\n\nIf the system is not configured to restrict the ability to perform software changes on the IDPS components to authorized system administrators, this is a finding.",
"description": "Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades.",
"fixid": "F-38866r1_fix",
"fixtext": "Configure the IDPS components to restrict the ability to perform software changes and updates to authorized system administrators only.",
"iacontrols": null,
"id": "V-34603",
"ruleID": "SV-45469r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to enable automated mechanisms to enforce access restrictions.",
"version": "SRG-NET-000119-IDPS-00086"
},
"V-34604": {
"checkid": "C-42820r1_chk",
"checktext": "Verify automated mechanisms such as logging and restricting configuration changes and updates for both hardware and software are in place.\n\nIf auditing of access control restrictions for hardware and software updates is not enabled, this is a finding.",
"description": "Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals are allowed administrative access to the IDPS for implementing any changes or upgrades. Additionally, maintaining automated log records of access is essential for ensuring configuration change control is being implemented, as intended, and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system.",
"fixid": "F-38868r1_fix",
"fixtext": "Enable auditing of access restrictions to hardware and software updates.",
"iacontrols": null,
"id": "V-34604",
"ruleID": "SV-45470r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to enable automated mechanisms to support auditing of the enforcement actions.",
"version": "SRG-NET-000120-IDPS-00087"
},
"V-34605": {
"checkid": "C-42819r1_chk",
"checktext": "Examine the IDPS centralized sensor event log on the management console.\nView entries for several alerts. \nVerify the events in the logs show the source of the events (e.g., IP address, session or packet ID).\n\nIf the sensor event log does not include the source of the event, this is a finding.",
"description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. If the originator of the log record is not recorded, it will be difficult to establish and correlate the series of events leading up to an outage or attack.",
"fixid": "F-38867r1_fix",
"fixtext": "Configure the sensors to capture the source of each event (e.g., IP address, session or packet ID).",
"iacontrols": null,
"id": "V-34605",
"ruleID": "SV-45471r1_rule",
"severity": "medium",
"title": "The IDPS must produce sensor log records containing sufficient information to establish the source of the event.",
"version": "SRG-NET-999999-IDPS-00216"
},
"V-34606": {
"checkid": "C-42821r1_chk",
"checktext": "Examine the aggregated sensor events log on the management console.\nView entries for several alerts. \nVerify the events in the logs show the location of each event (e.g., network name, network subnet, network segment, or organization).\n\nIf the sensor event log records do not include the event location (e.g., network name, network subnet, network segment, or organization), this is a finding.",
"description": "Logging network location information for each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured IDPS. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the source or object of the log record is recorded in all log records.",
"fixid": "F-38869r1_fix",
"fixtext": "Configure the sensors to capture the location of each event (e.g., network name, network subnet, network segment, or organization).",
"iacontrols": null,
"id": "V-34606",
"ruleID": "SV-45472r1_rule",
"severity": "low",
"title": "The IDPS must produce sensor event log records containing sufficient information to establish where the events occurred.",
"version": "SRG-NET-999999-IDPS-00215"
},
"V-34607": {
"checkid": "C-42823r1_chk",
"checktext": "Examine the aggregated sensor event log on the management console.\nView entries for several alerts. \nVerify the events being captured in the sensor logs include the date and time of each event.\n\nIf the events log does not include the date and time the events occurred, this is a finding.",
"description": "Logging the date and time of each detected event provides a means to investigate an attack; recognize resource utilization or capacity thresholds; or identify an improperly configured IDPS. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.",
"fixid": "F-38871r1_fix",
"fixtext": "Configure the sensor event log, so entries in the logs include the date and time of the event.",
"iacontrols": null,
"id": "V-34607",
"ruleID": "SV-45474r1_rule",
"severity": "low",
"title": "The IDPS must produce sensor event log records containing sufficient information to establish when the events occurred.",
"version": "SRG-NET-999999-IDPS-00214"
},
"V-34608": {
"checkid": "C-42825r2_chk",
"checktext": "If verification of the applications and updates is performed on a centralized patch server, this is not a finding.\n\nVerify the IDPS components are configured to prevent the installation of software updates or applications which are not signed by an organizationally approved private key.\n\nIf the IDPS does not prevent the installation of organizationally defined critical applications and updates not digitally signed with an organizationally approved private key, this is a finding.",
"description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nSoftware must be obtained from a trusted patch server, not from the vendor. The IDPS sensors should not have to verify the software again. Self-signed certificates are disallowed by this control. This control does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved source.",
"fixid": "F-38873r1_fix",
"fixtext": "Obtain software updates from an approved trusted patch server.\nConfigure the IDPS components to check for signed software programs when installation is attempted. Allow only organizationally approved digital signatures.",
"iacontrols": null,
"id": "V-34608",
"ruleID": "SV-45476r1_rule",
"severity": "medium",
"title": "The IDPS must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.",
"version": "SRG-NET-000121-IDPS-00088"
},
"V-34609": {
"checkid": "C-42827r1_chk",
"checktext": "Review the configuration to verify the settings required to implement the two-person rule are enabled.\n\nIf the two-person rule is required and the IDPS has not been configured to automate the requirement, this is a finding.",
"description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades to system components. Enforcing a two-person rule will ensure the changes have been approved.",
"fixid": "F-38874r1_fix",
"fixtext": "Configure the IDPS to require the two-person rule for organizationally defined privileged commands.",
"iacontrols": null,
"id": "V-34609",
"ruleID": "SV-45477r1_rule",
"severity": "medium",
"title": "The IDPS must enforce a two-person rule for changes to organizationally defined information system components and system-level information.",
"version": "SRG-NET-000122-IDPS-00089"
},
"V-34611": {
"checkid": "C-42828r1_chk",
"checktext": "Examine the aggregated sensor event log on the management console.\nView entries for several alerts. \nVerify the events being captured in the sensor event logs include the type or category of the events.\n\nIf the sensor event log does not include the type or category of events, this is a finding.",
"description": "Associating event types with detected events in the sensor logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured IDPS. Without this capability, it will be difficult to establish, correlate, and investigate the events leading up to an outage or attack.",
"fixid": "F-38876r1_fix",
"fixtext": "Configure the sensor event log to capture the type or category of each event.",
"iacontrols": null,
"id": "V-34611",
"ruleID": "SV-45479r1_rule",
"severity": "low",
"title": "The IDPS must produce sensor event log records that contain sufficient information to establish what type of event occurred.",
"version": "SRG-NET-999999-IDPS-00213"
},
"V-34612": {
"checkid": "C-42829r1_chk",
"checktext": "This requirement is not applicable if the underlying OS provides safeguards and countermeasures for the IDPS software components.\n\nVerify only qualified and authorized individuals have administrative access to the IDPS for implementing any changes or upgrades.\n\nIf individuals other than the authorized system administrators are allowed to upgrade or change the software, including signature files and rules, this is a finding.",
"description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades. If the IDPS were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing the appropriate testing, validation, and approval.",
"fixid": "F-38877r1_fix",
"fixtext": "Configure a system administrators group with software update and modification privileges.\nConfigure the management console so only members of this group have permission to perform this function.",
"iacontrols": null,
"id": "V-34612",
"ruleID": "SV-45480r1_rule",
"severity": "medium",
"title": "The IDPS must limit privileges to change software resident within software libraries, including privileged programs.",
"version": "SRG-NET-000123-IDPS-00090"
},
"V-34613": {
"checkid": "C-42832r1_chk",
"checktext": "This requirement is not applicable if the underlying OS provides safeguards and countermeasures for the IDPS software components.\n\nVerify organizationally defined prevention measures (safeguards) and actions (countermeasures) are configured to occur when unauthorized changes are made to the security functions and mechanisms.\n\nIf organizationally defined safeguards and countermeasures are not configured, this is a finding.",
"description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals are allowed administrative access to the IDPS for implementing any changes or upgrades. In order to ensure a prompt response to unauthorized changes to IDPS security functions, the organization will define the safeguards the device must undertake in the event these changes occur.",
"fixid": "F-38878r1_fix",
"fixtext": "Configure organizationally defined safeguards and countermeasures (e.g., alerts) to occur when security functions or mechanisms are inappropriately changed.",
"iacontrols": null,
"id": "V-34613",
"ruleID": "SV-45481r1_rule",
"severity": "medium",
"title": "The IDPS must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately.",
"version": "SRG-NET-000124-IDPS-00091"
},
"V-34614": {
"checkid": "C-42830r1_chk",
"checktext": "Verify there is a rule or signature which monitors for traffic volume thresholds.\nVerify there is a rule for dropping traffic that exceeds these thresholds.\nExamine the traffic priority screens to see if this feature is used by the organization.\n\nIf the IDPS does not reject or delay network traffic based on normal volume thresholds, this is a finding.",
"description": "If the IDPS becomes unable to write events to the sensor events log, a critical resource needed for event analysis would be lost. One method of exploiting this vulnerability is for an attacker to cause auditable events to occur in rapid succession in an attempt to overwhelm the log capacity.\n\nThe IDPS must provide methods for preventing log processing failures, such as traffic congestion and threshold management mechanisms. The IDPS must have the capability to reject or delay network traffic based on configured threshold levels to prevent overwhelming the sensor log processing capability.",
"fixid": "F-38880r1_fix",
"fixtext": "Configure the IDPS to monitor for traffic volume patterns that exceed the norm for the network.\nConfigure the IDPS to notify, alert, drop, or delay suspect traffic based on excessive volume.\nConfigure the network with organizationally defined traffic priorities.",
"iacontrols": null,
"id": "V-34614",
"ruleID": "SV-45483r1_rule",
"severity": "medium",
"title": "The IDPS must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.",
"version": "SRG-NET-999999-IDPS-00212"
},
"V-34615": {
"checkid": "C-42833r1_chk",
"checktext": "Verify a management console/server is installed which provides central configuration of sensors.\nVerify system administrators can connect to the sensors from the central management console to configure all sensors.\n\nIf the system is not configured to centrally manage configuration settings, this is a finding.",
"description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and, if necessary, in synchronization with each other, which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity, promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
"fixid": "F-38881r1_fix",
"fixtext": "Install and configure a management console on the management network.",
"iacontrols": null,
"id": "V-34615",
"ruleID": "SV-45484r1_rule",
"severity": "medium",
"title": "The IDPS must employ automated mechanisms to centrally manage configuration settings.",
"version": "SRG-NET-000125-IDPS-00092"
},
"V-34616": {
"checkid": "C-42834r2_chk",
"checktext": "Obtain a list of organizationally defined events which must be logged upon detection by the IDPS.\nNavigate to the management server and search for a sampling of these events in the sensor events log.\n\nIf IDPS log records do not show alerts determined by the organization to be significant and relevant to the security of the network infrastructure, this is a finding.",
"description": "Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. Logging the actions of specific events provides detailed information about the attack which is invaluable for use in investigating the attack, recognizing resource utilization or capacity thresholds, or simply identifying an improperly configured IDPS. Many events, such as configuration changes and login success or failure, are mandated by this control; however, organizations may also define additional events for logging. The sensor's primary responsibility is to monitor its network segment for suspicious activity. The management console is a central management, auditing, and data storage point for a large number of sensors.",
"fixid": "F-38882r1_fix",
"fixtext": "Obtain a list of organizationally defined events which must be logged upon detection by the IDPS.\nConfigure the IDPS components to log the required events.",
"iacontrols": null,
"id": "V-34616",
"ruleID": "SV-45485r1_rule",
"severity": "medium",
"title": "The IDPS must generate sensor log records for events determined by the organization to be relevant to the security of the network infrastructure.",
"version": "SRG-NET-999999-IDPS-00211"
},
"V-34617": {
"checkid": "C-42836r1_chk",
"checktext": "Verify a management console is installed which provides central configuration of sensors, load balancers, and other IDPS components.\nVerify system administrators can connect to the sensors from the central management console.\n\nIf automated mechanisms are not used to centrally apply configuration settings, this is a finding.",
"description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and, if necessary, in synchronization with each other, which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity, promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
"fixid": "F-38884r1_fix",
"fixtext": "Install and configure a management console on the management network. Use this console to configure sensors and other components.",
"iacontrols": null,
"id": "V-34617",
"ruleID": "SV-45487r1_rule",
"severity": "low",
"title": "The IDPS must employ automated mechanisms to centrally apply configuration settings.",
"version": "SRG-NET-000126-IDPS-00093"
},
"V-34618": {
"checkid": "C-42837r1_chk",
"checktext": "Verify that a WIDS is installed to monitor the network for unauthorized (rogue) wireless devices or networks.\n\nIf the IDPS does not monitor for unauthorized wireless connections to the information system, this is a finding.",
"description": "The IDPS must monitor for unauthorized connections to the network through use of wireless IDS sensors. Wireless technologies include, for example, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP). In certain situations, wireless signals may radiate beyond the confines of organizationally controlled facilities. Organizations must proactively search for unauthorized wireless connections, including monitoring for unauthorized wireless access points. Monitoring must not be limited to those areas within facilities containing information systems, but must also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Organizational response actions may include disabling unauthorized wireless connections. Monitoring may be accomplished on an ongoing basis or by periodic monitoring.",
"fixid": "F-38885r1_fix",
"fixtext": "Install and configure wireless IDPS sensors (or other automated detection method) to monitor for unauthorized wireless access to the network.",
"iacontrols": null,
"id": "V-34618",
"ruleID": "SV-45488r1_rule",
"severity": "medium",
"title": "The IDPS must monitor for unauthorized wireless connections on an organizationally defined frequency.",
"version": "SRG-NET-999999-IDPS-00210"
},
"V-34619": {
"checkid": "C-42841r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating unauthorized access to the network is vital to maintaining a secured network.\n\nThe IDPS does not provide physical separation or protection.",
"fixid": "F-38888r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34619",
"ruleID": "SV-45492r1_rule",
"severity": "low",
"title": "The IDPS must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces.",
"version": "SRG-NET-000309-IDPS-NA"
},
"V-34620": {
"checkid": "C-42842r1_chk",
"checktext": "Verify the digital signatures used by the IDPS to validate the authenticity of information are implemented using either of the following:\n(i) a cryptographic module from the NIST Cryptographic Algorithm Validation Program (CAVP) product lists to determine if FIPS 140-validated cryptography is used (e.g., DoD PKI); or\n(ii) an NSA-approved cryptographic module.\n\nIf NSA-approved or FIPS-validated cryptography is not used to implement digital signatures, this is a finding.",
"description": "Use of weak or untested certificates undermines the purposes of utilizing encryption to protect data. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation and NSA approval provide assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government. Similarly, NSA approval of cryptography for classified data and applications is a strict requirement.\n\nTraffic between the management console, sensor, and/or other network elements must be protected by cryptographic mechanisms. Digital signatures must be used to validate the authenticity of information, firmware, or health checks. Digital signatures must be implemented using either of the following:\n(i) FIPS-validated (e.g., DoD PKI) cryptographic module.\n(ii) NSA-approved cryptographic module.",
"fixid": "F-38890r1_fix",
"fixtext": "Install digital signatures that comply with FIPS or NSA certificate requirements.",
"iacontrols": null,
"id": "V-34620",
"ruleID": "SV-45494r1_rule",
"severity": "medium",
"title": "The IDPS must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.",
"version": "SRG-NET-000308-IDPS-00209"
},
"V-34621": {
"checkid": "C-42844r1_chk",
"checktext": "Verify a management console is installed which permits viewing and verification of the configuration of sensors, load balancers, and other IDPS components.\n\nIf automated mechanisms to centrally verify configuration settings are not used, this is a finding.",
"description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and, if necessary, in synchronization with each other, which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity, promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
"fixid": "F-38892r1_fix",
"fixtext": "Install and configure a management console on the management network.",
"iacontrols": null,
"id": "V-34621",
"ruleID": "SV-45495r1_rule",
"severity": "medium",
"title": "The IDPS must employ automated mechanisms to centrally verify configuration settings.",
"version": "SRG-NET-000127-IDPS-00094"
},
"V-34622": {
"checkid": "C-42845r1_chk",
"checktext": "Verify the site has configured the IDPS to implement an access control policy that grants access to objects to the granularity of a single user.\n\nIf the system does not enforce a DAC policy that includes or excludes access to the granularity of a single user, this is a finding.",
"description": "Access control policies (e.g., identity-based policies and role-based policies) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, data, and destination addresses) within the network. This applies to locally defined accounts where the user management functionality is part of the IDPS application. This control does not negate the use of security groups for assigning access control to each member. Without granular DAC policies, access control and enforcement mechanisms will not prevent unauthorized access to account information, system logs, and other files.",
"fixid": "F-38893r1_fix",
"fixtext": "Configure the IDPS to use an access control policy that includes or excludes access to the granularity of a single user.",
"iacontrols": null,
"id": "V-34622",
"ruleID": "SV-45496r1_rule",
"severity": "low",
"title": "The IDPS must enforce a DAC policy that includes or excludes access to the granularity of a single user.",
"version": "SRG-NET-000307-IDPS-00208"
},
"V-34623": {
"checkid": "C-42847r3_chk",
"checktext": "Verify the IDPS is configured to alarm or send an alert when unauthorized changes (modifications, updates, or deletions) are made to organizationally defined configuration settings.\n\nIf automated mechanisms are not configured to respond to unauthorized changes to organizationally defined configuration settings, this is a finding.",
"description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and, if necessary, in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to initiate an alert when an unauthorized change has been detected.",
"fixid": "F-38895r3_fix",
"fixtext": "Configure the IDPS to alert when unauthorized changes are made to organizationally defined configuration settings.\nThis may be done by alerting on all changes or by setting a list of organizationally defined alerts.",
"iacontrols": null,
"id": "V-34623",
"ruleID": "SV-45498r1_rule",
"severity": "medium",
"title": "The IDPS must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings.",
"version": "SRG-NET-000128-IDPS-00095"
},
"V-34624": {
"checkid": "C-42848r1_chk",
"checktext": "Verify IDPS sensors log events detected by monitoring based on existing rules, signatures and other monitoring tools. Verify the IDPS logs access control and security policy violations occurring on the IDPS itself, to the application audit log or to the network syslog server.\n\nIf detected unauthorized security-relevant configuration changes are not logged in the sensor log, this is a finding. If access control and other security policy violations are not logged in the application audit log, this is a finding.",
"description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and, if necessary, in synchronization with each other, which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to track detected unauthorized security-relevant configuration changes.",
"fixid": "F-38896r1_fix",
"fixtext": "Configure the IDPS to log events and anomalies detected during network monitoring.\nConfigure the IDPS application to log access control and other security policy violations in the application audit log.",
"iacontrols": null,
"id": "V-34624",
"ruleID": "SV-45499r1_rule",
"severity": "medium",
"title": "The IDPS must ensure detected unauthorized security-relevant configuration changes are tracked.",
"version": "SRG-NET-000129-IDPS-00096"
},
"V-34625": {
"checkid": "C-42849r1_chk",
"checktext": "Obtain a list of required ports and services needed to operate the IDPS sensors from the vendor documentation.\nVerify ports and services that are not needed are disabled.\n\nIf unnecessary services and capabilities are enabled, this is a finding.",
"description": "A compromised IDPS introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Prevention of network breaches from within the network requires a comprehensive defense-in-depth strategy, including securing all devices connecting to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each IDPS is to only enable the services and capabilities required for operation.",
"fixid": "F-38897r1_fix",
"fixtext": "Disable unneeded ports, protocols, and services.",
"iacontrols": null,
"id": "V-34625",
"ruleID": "SV-45500r1_rule",
"severity": "medium",
"title": "The IDPS must not have unnecessary services and capabilities enabled.",
"version": "SRG-NET-000131-IDPS-00097"
},
"V-34626": {
"checkid": "C-42850r1_chk",
"checktext": "View the configuration of the system and vendor documentation.\nCompare enabled functions, ports, and services with the PPSM requirements.\n\nIf prohibited functions, ports, protocols, and services are enabled, this is a finding.",
"description": "A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Prevention of network breaches from within the network requires a comprehensive defense-in-depth strategy, including securing all devices connecting to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each IDPS is to only enable the ports, protocols, and services required for operation. The IDPS application must not be configured to use ports, protocols or services which are prohibited by the Ports, Protocol, and Service Management (PPSM) requirements. Unneeded functions and capabilities must also be disabled.",
"fixid": "F-38898r1_fix",
"fixtext": "Disable functions, ports, protocols, and services not required for operation.",
"iacontrols": null,
"id": "V-34626",
"ruleID": "SV-45501r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to prohibit or restrict the use of organizationally defined functions, ports, protocols, and/or services.",
"version": "SRG-NET-000132-IDPS-00098"
},
"V-34627": {
"checkid": "C-42851r1_chk",
"checktext": "Verify anti-malware software is installed on the sensors.\n\nIf anti-malware software is not installed and configured to protect each sensor, this is a finding.",
"description": "A compromised IDPS introduces risk to the entire network infrastructure as well as data resources accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Prevention of network breaches from within the network requires a comprehensive defense-in-depth strategy, including securing all devices connecting to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each IDPS is to only enable the services required for operation. Any form of automatic execution should be disabled as it can easily be exploited by hackers to infect hosts with malware and viruses.",
"fixid": "F-38899r1_fix",
"fixtext": "Install and configure an anti-malware solution on the sensors (e.g., HIDS, anti-virus, and/or whitelisting).",
"iacontrols": null,
"id": "V-34627",
"ruleID": "SV-45502r1_rule",
"severity": "medium",
"title": "The IDPS must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications.",
"version": "SRG-NET-000133-IDPS-00099"
},
"V-34628": {
"checkid": "C-42852r1_chk",
"checktext": "Verify the use of an automated mechanism to detect the addition of unauthorized sensors and other IDPS components or devices.\n\nIf an automated mechanism is not used to monitor for unauthorized IDPS components or devices, this is a finding.",
"description": "This requirement addresses configuration management of the IDPS components as well as detection of unauthorized devices on the network. The IDPS must automatically detect the installation of unauthorized software or hardware sensors and other IDPS components. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the network element and/or in another separate information system or device.",
"fixid": "F-38900r1_fix",
"fixtext": "Install and configure an automated mechanism to detect the addition of unauthorized IDPS components, such as rogue sensors or other unauthorized devices.",
"iacontrols": null,
"id": "V-34628",
"ruleID": "SV-45503r1_rule",
"severity": "medium",
"title": "The IDPS must employ automated mechanisms to detect the addition of unauthorized components or devices.",
"version": "SRG-NET-000134-IDPS-00100"
},
"V-34629": {
"checkid": "C-42853r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "User information contained on a network element is associated to the user's account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network access availability. Backing up this information is a critical step for data recovery.\n\nThe IDPS does not contain user level data; therefore, this requirement is not applicable.",
"fixid": "F-38901r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34629",
"ruleID": "SV-45504r1_rule",
"severity": "low",
"title": "The network element must support organizational requirements to conduct backups of user level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives.",
"version": "SRG-NET-000135-IDPS-NA"
},
"V-34630": {
"checkid": "C-42854r1_chk",
"checktext": "Review the IDPS configuration to determine whether the IDPS is configured to backup system level data and is capable of backing up according to a defined frequency. \n\nIf the IDPS does not support the organizational requirements to conduct backups of system level data according to a defined frequency, this is a finding.",
"description": "System level information includes default and customized settings and security attributes, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system level information, a denial of service condition is possible for all who utilize this critical network component.\n\nThis control requires the IDPS support the organizational central backup process for system level information associated with the IDPS. This function may be provided by the IDPS itself; however, the preferred best practice is a centralized backup rather than each network element performing discrete backups.",
"fixid": "F-38902r1_fix",
"fixtext": "Configure the IDPS to backup system level data according to an organizationally defined frequency.",
"iacontrols": null,
"id": "V-34630",
"ruleID": "SV-45505r1_rule",
"severity": "low",
"title": "The IDPS must support organizational requirements to conduct backups of system level information contained in the information system per organizationally defined frequency.",
"version": "SRG-NET-000136-IDPS-00101"
},
"V-34631": {
"checkid": "C-42855r1_chk",
"checktext": "Review the IDPS backup configuration to determine if the IDPS backs up the information system documentation, including security-related documentation, per organizationally defined frequency that is consistent with recovery time and recovery point objectives. \n\nIf the IDPS does not back up the information system documentation, including security-related documentation, this is a finding.",
"description": "Information system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system configuration and security settings. If this information was not backed up, and a system failure occurred, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security related documentation provides for a quicker recovery time when system outages occur.\n\nThis control requires the IDPS support the organizational central backup process for user account information associated with the IDPS. This function may be provided by the IDPS itself; however, the preferred best practice is a centralized backup rather than each network element performing discrete backups.",
"fixid": "F-38903r1_fix",
"fixtext": "Configure the IDPS to conduct backups of information system documentation, including security-related documentation, per organizationally defined frequency that is consistent with recovery time and recovery point objectives.",
"iacontrols": null,
"id": "V-34631",
"ruleID": "SV-45506r1_rule",
"severity": "low",
"title": "The IDPS must support organizational requirements to conduct backups of information system documentation, including security related documentation, per organizationally defined frequency that is consistent with recovery time and recovery point objectives.",
"version": "SRG-NET-000137-IDPS-00102"
},
"V-34632": {
"checkid": "C-42856r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization\u2019s security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or IDPS. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly an IDPS providing opportunity for intruders to compromise resources within the network infrastructure. \n\nThe IDPS does not enforce identification and authentication of all organizational users. Non-privileged users are not authorized to authenticate to the sensors or management consoles.",
"fixid": "F-38904r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34632",
"ruleID": "SV-45507r1_rule",
"severity": "low",
"title": "The network element must enforce the identification and authentication of all organizational users.",
"version": "SRG-NET-000138-IDPS-NA"
},
"V-34633": {
"checkid": "C-42857r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nVerify the configuration for the management console and sensors requires access by a DoD approved multifactor authentication (e.g., PKI, SecureID, or DoD Alternate Token) mechanism.\n\nIf multifactor authentication is not used for network access to privileged accounts, this is a finding.",
"description": "Multifactor authentication uses two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA privileged account is defined as: \nAn information system account with authorizations of a privileged user. \n\nNetwork Access is defined as: \nAccess to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).\n\nMultifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.",
"fixid": "F-38905r1_fix",
"fixtext": "Configure all accounts accessing the IDPS to use multifactor authentication (e.g., PKI, SecureID, or DoD Alternate Token).",
"iacontrols": null,
"id": "V-34633",
"ruleID": "SV-45508r1_rule",
"severity": "medium",
"title": "The IDPS must use multifactor authentication for network access to privileged accounts.",
"version": "SRG-NET-000139-IDPS-00103"
},
"V-34634": {
"checkid": "C-42859r1_chk",
"checktext": "Verify the configuration for the management console and sensors requires access using a DoD approved multifactor authentication (e.g., PKI, SecureID, or DoD Alternate Token) mechanism.\nIf multifactor authentication is not used, this is a finding.",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As privileged users have access to most of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric).",
"fixid": "F-38907r1_fix",
"fixtext": "Configure the IDPS to use multifactor authentication for local access to privileged accounts.",
"iacontrols": null,
"id": "V-34634",
"ruleID": "SV-45509r1_rule",
"severity": "low",
"title": "The IDPS must use multifactor authentication for local access to privileged accounts.",
"version": "SRG-NET-000141-IDPS-00104"
},
"V-34635": {
"checkid": "C-42858r2_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As users have access to many of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user, to include potential escalation of privileges.\n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nNon-privileged accounts are not authorized on the IDPS components regardless of configuration.",
"fixid": "F-38906r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34635",
"ruleID": "SV-45510r1_rule",
"severity": "low",
"title": "The network element must use multifactor authentication for network access to non-privileged accounts.",
"version": "SRG-NET-000140-IDPS-NA"
},
"V-34636": {
"checkid": "C-42860r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As users have access to many of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user, to include potential escalation of privileges. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nNon-privileged accounts are not authorized on the IDPS components regardless of configuration.",
"fixid": "F-38908r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34636",
"ruleID": "SV-45511r1_rule",
"severity": "low",
"title": "The network element must use multifactor authentication for local access to non-privileged accounts.",
"version": "SRG-NET-000142-IDPS-NA"
},
"V-34637": {
"checkid": "C-42861r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS account management configuration and settings to determine if all individuals authorized access to the system have an individual account and that account is required to gain access to the system prior to the use of a group account. \n\nIf group authentication does not require prior individual authentication, this is a finding.",
"description": "To assure individual accountability and prevent unauthorized access, organizational users (and any processes acting on behalf of users) must be individually identified and authenticated. Sharing group accounts on any device is prohibited. If group accounts are not changed when individuals leave the group, that person could gain control of the network device. However, there are times when they are deemed mission essential. The security architecture of the IDPS and any installed applications must allow use of an individual authenticator (e.g., AAA server or Active Directory authentication) prior to using group authenticators. Group authenticators must be necessary for the operation of the system.",
"fixid": "F-38909r1_fix",
"fixtext": "Configure the IDPS to require individuals to authenticate with an individual authenticator prior to using a group authenticator.",
"iacontrols": null,
"id": "V-34637",
"ruleID": "SV-45512r1_rule",
"severity": "medium",
"title": "The IDPS must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.",
"version": "SRG-NET-000143-IDPS-00105"
},
"V-34638": {
"checkid": "C-42862r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nVerify the configuration for the management console and sensors requires access by a DoD approved multifactor authentication (e.g., PKI, SecureID, or DoD Alternate Token) mechanism.\n\nIf multifactor authentication is not used for network access to privileged accounts, this is a finding.",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As privileged users have access to most of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user.\n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nWhen one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as Out of Band Two Factor Authentication (OOB2FA). OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user.",
"fixid": "F-38910r1_fix",
"fixtext": "Configure the IDPS to require multifactor authentication, with one of the factors being a device separate from the information system gaining access, when accessing privileged accounts via the network.",
"iacontrols": null,
"id": "V-34638",
"ruleID": "SV-45513r1_rule",
"severity": "medium",
"title": "The IDPS must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed.",
"version": "SRG-NET-000144-IDPS-00106"
},
"V-34639": {
"checkid": "C-42863r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Single factor authentication poses much unnecessary risk upon any information system as most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication utilizes multiple levels of identification and authorization criteria and provides a much stronger level of security than single factor. As users have access to many of the files on the platform, using a single factor authentication approach provides an easy avenue of attack for a malicious user, to include escalation of privileges.\n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nWhen one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as Out of Band Two Factor Authentication (OOB2FA). OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user.\n\nNon-privileged accounts are not authorized on the IDPS components regardless of configuration.",
"fixid": "F-38911r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34639",
"ruleID": "SV-45514r1_rule",
"severity": "low",
"title": "The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed.",
"version": "SRG-NET-000145-IDPS-NA"
},
"V-34640": {
"checkid": "C-42864r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nVerify the configuration for the management console and sensors requires access by a DoD approved replay-resistant authentication method, such as DoD PKI, SecureID, or DoD Alternate Token.\n\nIf DoD PKI, SecureID, or DoD Alternate Token is not used for authentication, this is a finding.",
"description": "All authentication credentials must be maintained on an authentication server. Messages between the authenticator and the IDPS validating user credentials must not be vulnerable to a replay attack, which could enable an unauthorized user to gain access to any IDPS. A replay attack is a form of a network attack in which a valid session or series of IP packets is intercepted by a malicious user who at a later time retransmits the packets to gain access to the target device.",
"fixid": "F-38912r1_fix",
"fixtext": "Configure local accounts to use DoD approved, replay resistant authentication mechanisms for access to the IDPS. Approved methods are DoD PKI, SecureID, or DoD Alternate Token.",
"iacontrols": null,
"id": "V-34640",
"ruleID": "SV-45515r1_rule",
"severity": "medium",
"title": "The IDPS must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.",
"version": "SRG-NET-000146-IDPS-00107"
},
"V-34641": {
"checkid": "C-42865r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Authorization for access to any network element requires an approved and assigned individual account identifier. The authenticator must be a separate device from the target device to which the individual is requesting access. Therefore, all authentication credentials must be maintained on an authentication server. Messages between the authenticator and the network element validating user credentials must not be vulnerable to a replay attack, which could enable an unauthorized user to gain access to any network element. A replay attack is a form of a network attack in which a valid session or series of IP packets is intercepted by a malicious user who at a later time retransmits the packets to gain access to the target device.\n\nNon-privileged users do not access the IDPS.",
"fixid": "F-38913r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34641",
"ruleID": "SV-45516r1_rule",
"severity": "low",
"title": "The network element must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
"version": "SRG-NET-000147-IDPS-NA"
},
"V-34642": {
"checkid": "C-42866r1_chk",
"checktext": "Verify sensor communications to network elements (e.g., sensors, management consoles, routers, SYSLOG servers, and forensics servers) are configured to establish authentication using a unique identifier.\nVerify authentication is based on an organizationally defined list of authorized device types.\n\nIf devices not included on the organizationally defined list are allowed to connect, this is a finding.",
"description": "An IDPS must have a level of trust with any node wanting to connect to it. Device authentication prevents an authorized user from connecting to perform privileged functions using a device which may contain security issues that could provide a vector for compromising the IDPS.\n\nCommunications to the IDPS components must be carefully restricted. Today's devices may need to communicate with the firewall, router, SYSLOG server, other IDPS components, and management clients. This control requires the organization to define these devices specifically and to identify these approved devices by type (e.g., firewall, router, remote PC, etc.). Thus, the authentication decision must take the device type, not just the user's authorization, into account when allowing access. For example, a system administrator may be authorized access; however, access must also be from an authorized device.",
"fixid": "F-38914r1_fix",
"fixtext": "Configure the IDPS to authenticate based on an organizationally defined list of authorized device types.",
"iacontrols": null,
"id": "V-34642",
"ruleID": "SV-45517r1_rule",
"severity": "low",
"title": "The IDPS must authenticate an organizationally defined list of specific devices by device type before establishing a connection.",
"version": "SRG-NET-000148-IDPS-00108"
},
"V-34643": {
"checkid": "C-42867r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "This requirement addresses device to device authentication during remote network management sessions used to manage the IDPS components. A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Remote management must be secured using cryptography; and authentication must use a bidirectional authentication method where each device is authenticated. \n\nThe IDPS does not connect directly to devices on remote external networks. Remote management sessions must use the existing remote management access communications infrastructure, thus this requirement is not applicable.",
"fixid": "F-38915r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34643",
"ruleID": "SV-45518r1_rule",
"severity": "low",
"title": "The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.",
"version": "SRG-NET-000149-IDPS-NA"
},
"V-34644": {
"checkid": "C-42868r1_chk",
"checktext": "If the IDPS devices do not have the capability to communicate directly with wireless devices, this is not a finding.\n\nVerify direct IDPS communications with wireless network devices (e.g., wireless sensors or wireless management consoles) are configured to establish bidirectional authentication before establishing communications.\nVerify the bidirectional authentication is between cryptographically based devices.\n\nIf communication between the IDPS and wireless network devices does not use bidirectional authentication, this is a finding.\nIf authentication is not established between cryptographically based devices, this is a finding.",
"description": "This requirement is for device to device authentication between wireless network devices and the IDPS components. Without authentication, an unauthorized device may connect to the IDPS and intercept monitored traffic, make configuration changes, or initiate man-in-the-middle attacks. Hence, it is imperative that authentication is bi-directional (mutual authentication) using cryptography to ensure a high level of trust and authenticity.\n\nDevice authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device as deemed appropriate by the organization.\n\nThe devices typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local area networks.",
"fixid": "F-38916r1_fix",
"fixtext": "Configure the IDPS to require bidirectional authentication when communicating with wireless network devices.\nUse cryptographically based devices to perform the bidirectional authentication.",
"iacontrols": null,
"id": "V-34644",
"ruleID": "SV-45519r1_rule",
"severity": "medium",
"title": "The IDPS must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.",
"version": "SRG-NET-000150-IDPS-00109"
},
"V-34645": {
"checkid": "C-42869r1_chk",
"checktext": "Verify direct IDPS communications with network devices (e.g., firewall, router, sensors, or management console) are configured to establish bidirectional authentication before establishing communications.\nVerify the bidirectional authentication is between cryptographically based devices.\n\nIf communication between the IDPS and network devices does not use bidirectional authentication, this is a finding.\nIf device authentication is not established using cryptographically based devices, this is a finding.",
"description": "This requirement is for device to device authentication between IDPS components and other network devices. Without authentication, an unauthorized device may connect to the IDPS and intercept monitored traffic, make configuration changes, or initiate man-in-the-middle attacks. Hence, it is imperative that authentication is bi-directional (mutual authentication) using cryptography to ensure a high level of trust and authenticity.\n\nDevice authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device as deemed appropriate by the organization.\n\nThe devices typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local area networks. Note that MAC and IP addresses are identifiers only, not authenticators; they are trivially spoofed and do not by themselves satisfy the cryptographically based, bidirectional authentication this requirement calls for.",
"fixid": "F-38917r1_fix",
"fixtext": "Configure the IDPS to require bidirectional authentication when communicating with network devices.\nUse cryptographically based devices to perform the bidirectional authentication.",
"iacontrols": null,
"id": "V-34645",
"ruleID": "SV-45520r1_rule",
"severity": "medium",
"title": "The IDPS must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.",
"version": "SRG-NET-000151-IDPS-00110"
},
"V-34646": {
"checkid": "C-42870r1_chk",
"checktext": "Verify the site has configured the IDPS to implement DAC, in which the owner of an object (or an administrator acting on the owner's behalf) controls which subjects may access it. Access could be granted based on file types, location, metadata, or source/destination IP address. Verify that subjects granted access cannot pass those access rights on to other subjects beyond what organizational policy permits.\n\nIf DAC techniques are not used for security control, or if the propagation of access rights is not limited, this is a finding.",
"description": "Access control policies (e.g., identity-based policies, role-based policies) and access enforcement mechanisms (e.g., access control lists, policy maps, and cryptography) are used to control access between users and objects (e.g., devices, data, and destination addresses) within the network. Without these security policies, access control and enforcement mechanisms will not prevent unauthorized access to user account information, system logs, and other files.",
"fixid": "F-38919r1_fix",
"fixtext": "Configure the IDPS components using DAC as required by organizationally defined policies.",
"iacontrols": null,
"id": "V-34646",
"ruleID": "SV-45521r1_rule",
"severity": "low",
"title": "The IDPS must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.",
"version": "SRG-NET-000306-IDPS-00207"
},
"V-34647": {
"checkid": "C-42871r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "This control addresses dynamic management of account identifiers. Identifiers identify an individual, group, role, or device. Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. User identifiers are the names of the information system accounts associated with specific individuals. \n\nDynamic establishment of new identifiers and their associated authorizations will occur while the system is operational. New identifiers or changes to existing identifiers must take effect without the need for a system or session restart. Pre-established trust relationships and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate each identifier are essential to prevent unauthorized access by changed or revoked accounts. Dynamic functionality also prevents disruption of operations by minimizing the need for system restarts.\n\nDynamic management of identifiers, attributes, and associated access authorizations is not a function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-38918r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34647",
"ruleID": "SV-45522r1_rule",
"severity": "medium",
"title": "The network element must dynamically manage identifiers, attributes, and associated access authorizations.",
"version": "SRG-NET-000152-IDPS-NA"
},
"V-34648": {
"checkid": "C-42872r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative DNS servers, one configured as primary and the other as secondary.\n\nThis requirement is a function of the DNS and is not applicable to the IDPS.",
"fixid": "F-38920r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34648",
"ruleID": "SV-45523r1_rule",
"severity": "low",
"title": "The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation.",
"version": "SRG-NET-000305-IDPS-NA"
},
"V-34649": {
"checkid": "C-42873r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists). \n\nThis requirement is a function of the DNS and is not applicable to the IDPS.",
"fixid": "F-38921r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34649",
"ruleID": "SV-45524r1_rule",
"severity": "low",
"title": "The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.",
"version": "SRG-NET-000304-IDPS-NA"
},
"V-34650": {
"checkid": "C-42874r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources that own DNS data. Network elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. DNS is not an IDPS function.\n\nThis requirement is a function of the DNS and is not applicable to the IDPS.",
"fixid": "F-38922r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34650",
"ruleID": "SV-45525r1_rule",
"severity": "low",
"title": "The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.",
"version": "SRG-NET-000303-IDPS-NA"
},
"V-34651": {
"checkid": "C-42875r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Network elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.\n\nThis requirement is a function of the DNS and is not applicable to the IDPS.",
"fixid": "F-38923r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34651",
"ruleID": "SV-45526r1_rule",
"severity": "low",
"title": "The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.",
"version": "SRG-NET-000302-IDPS-NA"
},
"V-34652": {
"checkid": "C-42876r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Network elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.\n\nThis requirement is a function of the DNS and is not applicable to the IDPS.",
"fixid": "F-38924r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34652",
"ruleID": "SV-45527r1_rule",
"severity": "low",
"title": "The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.",
"version": "SRG-NET-000301-IDPS-NA"
},
"V-34653": {
"checkid": "C-42877r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Network elements using technologies other than the DNS to map between host/service names and network addresses provide other methods of assuring the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23.\n\nThis requirement is a function of the DNS and is not applicable to the IDPS.",
"fixid": "F-38925r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34653",
"ruleID": "SV-45528r1_rule",
"severity": "low",
"title": "The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution.",
"version": "SRG-NET-000300-IDPS-NA"
},
"V-34654": {
"checkid": "C-42878r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Decisions regarding the employment of mobile code within the network element are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Preventing execution of mobile code on a client is the function of a HIDS, thus this control is out of scope. \n\nPreventing execution of mobile code on the client is not a function of the IDPS.",
"fixid": "F-38926r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34654",
"ruleID": "SV-45529r1_rule",
"severity": "low",
"title": "The network element must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code.",
"version": "SRG-NET-000290-IDPS-NA"
},
"V-34655": {
"checkid": "C-42879r1_chk",
"checktext": "If this is an IDS-only (detection, out-of-band) implementation, this is not applicable.\nVerify signatures exist that detect the execution of prohibited mobile code, and that those signatures are assigned a blocking action (e.g., drop or reset) on inline sensors rather than an alert-only action.\n\nIf sensors are not configured to prevent the execution of prohibited mobile code, this is a finding.",
"description": "The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approach. Decisions regarding the employment of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. IDPS must be configured to detect mobile code and prevent the affected traffic from reaching its intended destination and being executed. \n\nThis requirement calls for an enforcement (blocking) action that is not within the purview of an IDS-only, detection-mode deployment. Therefore, this requirement applies only to IPS (inline) implementations.",
"fixid": "F-38927r1_fix",
"fixtext": "Install and configure signatures that monitor for and prevent the execution of prohibited mobile code.",
"iacontrols": null,
"id": "V-34655",
"ruleID": "SV-45530r1_rule",
"severity": "medium",
"title": "The IDPS must prevent the execution of prohibited mobile code.",
"version": "SRG-NET-000289-IDPS-00206"
},
"V-34656": {
"checkid": "C-42880r1_chk",
"checktext": "Verify signatures are installed and enabled that detect the download of prohibited mobile code, and that they are configured with a blocking action (e.g., drop or reset) rather than an alert-only action, so the download is actually prevented.\n\nIf the system is not configured to take action to prevent the download of prohibited mobile code, this is a finding.",
"description": "Decisions regarding the use of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Prohibited mobile code may contain malicious code and may be the source of network or client attacks if download is allowed.",
"fixid": "F-38928r1_fix",
"fixtext": "Install and configure signatures that monitor for and prevent the download of prohibited mobile code.",
"iacontrols": null,
"id": "V-34656",
"ruleID": "SV-45531r1_rule",
"severity": "medium",
"title": "The IDPS must prevent the download of prohibited mobile code.",
"version": "SRG-NET-000288-IDPS-00205"
},
"V-34657": {
"checkid": "C-42881r1_chk",
"checktext": "Verify the IDPS is configured to automatically disable accounts after the organizationally defined period of inactivity. Review all accounts and verify any accounts that have been inactive or expired for longer than the organizationally defined time period are authorized to remain.\n\nIf the IDPS is not configured to disable accounts after the organizationally defined period of inactivity, or if inactive or expired accounts are present and not authorized to remain, this is a finding.",
"description": "Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to the IDPS. The IDPS needs to track periods of user inactivity and disable accounts after an organizationally defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. Note that this requirement concerns account inactivity (disabling unused accounts); it is distinct from session inactivity timeouts, which address the separate risk of an attacker hijacking an unattended session.",
"fixid": "F-38929r1_fix",
"fixtext": "Configure the IDPS to disable the user identifiers after an organizationally defined time period of inactivity.",
"iacontrols": null,
"id": "V-34657",
"ruleID": "SV-45532r1_rule",
"severity": "medium",
"title": "The IDPS must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.",
"version": "SRG-NET-000287-IDPS-00204"
},
"V-34658": {
"checkid": "C-42882r1_chk",
"checktext": "Review the IDPS account configuration files to determine if the privilege functions to access and modify audit settings and files are restricted to authorized security personnel. \nReview locations of audit logs generated as a result of non-local accesses to privileged accounts and the execution of privileged functions. \nVerify there are appropriate controls and permissions to protect the audit information from unauthorized access.\n\nIf the audit records which are generated upon non-local access to privileged accounts or upon the execution of privileged functions are not protected, this is a finding.",
"description": "Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This control enhancement helps mitigate this risk by requiring that privileged access be further defined between audit-related privileges and other privileges, thus, limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged users can also be achieved by performing audit activity on a separate information system or by using storage media that cannot be modified (e.g., write-once recording devices).",
"fixid": "F-38930r1_fix",
"fixtext": "Configure the system to protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
"iacontrols": null,
"id": "V-34658",
"ruleID": "SV-45533r1_rule",
"severity": "medium",
"title": "The IDPS must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
"version": "SRG-NET-000286-IDPS-00203"
},
"V-34659": {
"checkid": "C-42883r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative that when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organization's security policy requirements. Actions to support this requirement include, but are not limited to: checking packet payload for embedded malware; dropping packets not conforming to standards; and blocking packets using ports and protocols that are not allowed to cross these domains based on DoD and local policy. \n\nData transfer requirements are not an IDPS function. This requirement applies to Cross Domain Solutions. Implementation and placement of the sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
"fixid": "F-38931r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34659",
"ruleID": "SV-45534r1_rule",
"severity": "low",
"title": "The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.",
"version": "SRG-NET-000285-IDPS-NA"
},
"V-34660": {
"checkid": "C-42884r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative that when information is being moved from one security domain to another, mechanisms are deployed to detect traffic with payloads that are not in conformance with the policy of the DoD and the organization. \n\nData transfer requirements are not an IDPS function. This requirement applies to information flow control for Cross Domain Solutions. Implementation and placement of the sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
"fixid": "F-38932r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34660",
"ruleID": "SV-45535r1_rule",
"severity": "low",
"title": "The network element must detect unsanctioned information when transferring information between different security domains.",
"version": "SRG-NET-000284-IDPS-NA"
},
"V-34661": {
"checkid": "C-42885r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "It is imperative that when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organization\u2019s security policy requirements. \n\nData transfer requirements are not an IDPS function. This requirement applies to information flow control for Cross Domain Solutions. Implementation and placement of the sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
"fixid": "F-38933r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34661",
"ruleID": "SV-45536r1_rule",
"severity": "low",
"title": "The network element must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains.",
"version": "SRG-NET-000283-IDPS-NA"
},
"V-34662": {
"checkid": "C-42886r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Information must be decomposed into policy-relevant subcomponents, so the applicable policies and filters can be applied when information is being transferred between different security domains. \n\nData transfer requirements are not an IDPS function. This requirement applies to information flow control for Cross Domain Solutions. Implementation and placement of the sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
"fixid": "F-38934r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34662",
"ruleID": "SV-45537r1_rule",
"severity": "low",
"title": "The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.",
"version": "SRG-NET-000282-IDPS-NA"
},
"V-34663": {
"checkid": "C-42887r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Traffic flows must be identified by types and traffic rates when information is being transferred between different security domains. \n\nData transfer requirements are not an IDPS function. This requirement applies to Cross Domain Solutions. Implementation and placement of the sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
"fixid": "F-38935r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34663",
"ruleID": "SV-45538r1_rule",
"severity": "low",
"title": "The network element must identify information flows by data type specification and usage when transferring information between different security domains.",
"version": "SRG-NET-000281-IDPS-NA"
},
"V-34664": {
"checkid": "C-42888r1_chk",
"checktext": "Verify rules are created to examine and block packets with malformed or otherwise disallowed metadata.\n\nIf a rule or signature does not exist which examines metadata, this is a finding.",
"description": "Metadata is information about one or more pieces of data. This may include information about the data's purpose, creator, origin, or classification. Information flow control regulates where information is allowed to travel within a network and between hosts as opposed to who is allowed to access the information. Information flow enforcement mechanisms compare security attributes on all information such as source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. Enforcing information flow control on metadata is primarily a network architecture best practice; on the IDPS it is implemented through rules or signatures that inspect metadata and block or alert on disallowed values, rather than through a single configuration setting on the sensor.",
"fixid": "F-38936r1_fix",
"fixtext": "Download a vendor signature or create a rule which examines metadata.",
"iacontrols": null,
"id": "V-34664",
"ruleID": "SV-45539r1_rule",
"severity": "medium",
"title": "The IDPS must enforce information flow control on metadata.",
"version": "SRG-NET-000280-IDPS-00202"
},
"V-34665": {
"checkid": "C-42889r1_chk",
"checktext": "Verify security-relevant information (e.g., sensor rules, cryptographic key material, access control lists, account information, and audit logs) can be accessed or modified only while the IDPS is in a secure, non-operable state (e.g., maintenance mode or otherwise off-line), and that even in that state it is not accessible without proper authentication.\nVerify access to this information is denied whenever the system is in a state where the security policy and auditing cannot be enforced.\n\nIf the system does not prevent access when the system is in a state where the security policy and auditing cannot be enforced, this is a finding.",
"description": "Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Examples: IDPS sensor rules, cryptographic key management information, key configuration parameters for security services, and access control lists. Secure, non-operable system states are states in which the IDPS is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.",
"fixid": "F-38937r1_fix",
"fixtext": "Configure the management console to prevent administrator access when the audit and privilege policies cannot be enforced.",
"iacontrols": null,
"id": "V-34665",
"ruleID": "SV-45540r1_rule",
"severity": "medium",
"title": "The IDPS must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.",
"version": "SRG-NET-000279-IDPS-00201"
},
"V-34666": {
"checkid": "C-42890r1_chk",
"checktext": "View the configuration screen on the management console.\nVerify the information flow and access control resulting from the sensor rules display in human readable form. This display can be in an onscreen format or in a report generated by a tool.\nVerify existing user rights and privileges associated with users and objects are displayed in human readable form. This display can be onscreen or generated by a reporting tool.\n\nIf access control privileges are not displayed in human readable form, this is a finding. If information flow is not displayed in a human readable form, this is a finding. ",
"description": "When applications generate or output data, the associated security attributes need to be displayed. Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files, registry keys) within the information system. Security attributes are used to: enable the implementation of access control and flow control policies; reflect special dissemination, handling or distribution instructions; or support other aspects of the information security policy. Objects output from the information system include pages, screens, or their equivalent. Output devices include printers and video displays on client devices. If security attributes are not displayed in human readable form, then it is difficult to detect errors in information access control or information flow policy. ",
"fixid": "F-38938r1_fix",
"fixtext": "Configure settings for security reporting tools to provide reports of security attributes for information flows and user privileges.",
"iacontrols": null,
"id": "V-34666",
"ruleID": "SV-45541r1_rule",
"severity": "low",
"title": "The IDPS must display security attributes in human readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions.",
"version": "SRG-NET-000278-IDPS-00200"
},
"V-34667": {
"checkid": "C-42891r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote access to the network can be accomplished via connection to a VPN gateway. Eliminating unauthorized access to the network is vital to maintaining a secured network. \n\nIf a packet is malformed or anomalous, it may cause an alert or a message to the firewall or router; however, the IDPS does not directly disable the unauthorized device's network access.",
"fixid": "F-38939r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34667",
"ruleID": "SV-45542r1_rule",
"severity": "low",
"title": "The network element must disable network access by unauthorized devices and must log the information as a security violation.",
"version": "SRG-NET-000277-IDPS-NA"
},
"V-34668": {
"checkid": "C-42892r1_chk",
"checktext": "Verify the system is configured to automatically send an administrator an alert when sensors are unexpectedly taken offline or fail. A keep-alive signal or monitoring functionality should be used to detect sensor failure from a central management tool.\nVerify the IDPS components are configured to either shut down or send a notification if sensor monitoring functions fail.\n\nIf the sensors and other components deemed critical to monitoring network segments are not monitored for failure and unexpected off-line events, this is a finding. ",
"description": "Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining the system's security fail to function, the system could continue operating in an insecure state. If appropriate actions are not taken when an IDPS component failure occurs, a DoS condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of IDPS security components, the IDPS must either activate a system alert message, send an alarm, or shut down.",
"fixid": "F-38940r1_fix",
"fixtext": "Configure each sensor to automatically send an alert upon failure of any sensor or other critical component (e.g., log aggregation data management console server).",
"iacontrols": null,
"id": "V-34668",
"ruleID": "SV-45543r1_rule",
"severity": "low",
"title": "The IDPS must activate an organizationally defined alarm when a system component failure is detected.",
"version": "SRG-NET-000274-IDPS-00199"
},
"V-34670": {
"checkid": "C-42894r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS account management configuration and settings to determine whether the minimum password length is configured. \n\nIf the IDPS configuration does not enforce a minimum password length, this is a finding.",
"description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Password length is one factor in determining password strength. Use of a longer password string will exponentially increase the time and/or resources required to compromise the password.\n\nInformation systems not protected with strong password schemes including passwords of minimum length provide the opportunity for anyone to crack the password thus gaining access to the system and causing the device, information, or the local network to be compromised or a denial of service. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38942r1_fix",
"fixtext": "Configure the IDPS to enforce a minimum password length.",
"iacontrols": null,
"id": "V-34670",
"ruleID": "SV-45545r1_rule",
"severity": "medium",
"title": "The IDPS must enforce minimum password length.",
"version": "SRG-NET-000153-IDPS-00111"
},
"V-34671": {
"checkid": "C-42895r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS account management configuration and settings to determine whether password reuse for the organizationally defined number of generations, is prohibited. \n\nIf the IDPS configuration does not prohibit password reuse, this is a finding.",
"description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38943r1_fix",
"fixtext": "Configure the IDPS to prohibit password reuse for the organizationally defined number of generations.",
"iacontrols": null,
"id": "V-34671",
"ruleID": "SV-45546r1_rule",
"severity": "medium",
"title": "The IDPS must prohibit password reuse for the organizationally defined number of generations.",
"version": "SRG-NET-000154-IDPS-00112"
},
"V-34672": {
"checkid": "C-42896r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS configuration and settings to determine whether passwords contain the organizationally defined number of upper case characters. \n\nIf the IDPS does not force the password to have the organizationally defined number of upper case characters, this is a finding.",
"description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38944r1_fix",
"fixtext": "Configure the IDPS to enforce password complexity by the number of upper case characters used.",
"iacontrols": null,
"id": "V-34672",
"ruleID": "SV-45547r1_rule",
"severity": "low",
"title": "The IDPS must enforce password complexity by the number of upper case characters used.",
"version": "SRG-NET-000155-IDPS-00113"
},
"V-34673": {
"checkid": "C-42897r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS configuration and settings to determine whether passwords contain the organization defined number of lower case characters. \n\nIf the IDPS does not force the password to have the organization defined number of lower case characters, this is a finding.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. \n\nThe more complex the password is requires a greater number of possible combinations to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. Combinations requiring the use of upper case, lower case, numbers, and special characters enhance the complexity of the password string.\n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38945r1_fix",
"fixtext": "Configure the IDPS implementation to enforce password complexity by the number of lower case characters used.",
"iacontrols": null,
"id": "V-34673",
"ruleID": "SV-45548r1_rule",
"severity": "medium",
"title": "The IDPS must enforce password complexity by the number of lower case characters used.",
"version": "SRG-NET-000156-IDPS-00114"
},
"V-34674": {
"checkid": "C-42899r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS configuration and settings to determine whether passwords contain the organization defined number of numeric characters. \n\nIf the IDPS does not force the password to have the organization defined number of numeric characters, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38947r1_fix",
"fixtext": "Configure the IDPS implementation to enforce password complexity by the number of numeric characters used.",
"iacontrols": null,
"id": "V-34674",
"ruleID": "SV-45550r1_rule",
"severity": "low",
"title": "The IDPS must enforce password complexity by the number of numeric characters used.",
"version": "SRG-NET-000157-IDPS-00115"
},
"V-34675": {
"checkid": "C-42900r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS account management configuration and settings to determine whether passwords contain the organization defined number of special characters. \n\nIf the IDPS does not require the password to have the organizationally defined number of special characters, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string. Use of a complex password helps to increase the time and resources required to compromise the password. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38948r1_fix",
"fixtext": "Configure the IDPS to enforce password complexity by the number of special characters used.",
"iacontrols": null,
"id": "V-34675",
"ruleID": "SV-45551r1_rule",
"severity": "medium",
"title": "The IDPS must enforce password complexity by the number of special characters used.",
"version": "SRG-NET-000158-IDPS-00116"
},
"V-34676": {
"checkid": "C-42902r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nVerify an organizationally defined value is set for the number of characters that must be changed when passwords are changed.\n\nIf an organizationally defined value is not set for the number of characters that must be different between the new password and the previously used password, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. When users change the password, the system must ensure the new password is not too similar to the previously used password (s). \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38950r1_fix",
"fixtext": "Set an organizationally defined value for the number of characters that must be different between the new password and the previously used password.",
"iacontrols": null,
"id": "V-34676",
"ruleID": "SV-45553r1_rule",
"severity": "low",
"title": "The IDPS must enforce the number of characters changed when passwords are changed.",
"version": "SRG-NET-000159-IDPS-00117"
},
"V-34677": {
"checkid": "C-42903r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nVerify the system stores passwords in an encrypted form that is not visible to any system administrators, regardless of privileges.\n\nIf passwords are stored in clear text, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. The IDPS can be compromised by personnel with physical access to the communication room. It is imperative for passwords to be stored encrypted, so they cannot be viewed by unauthorized staff. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38951r1_fix",
"fixtext": "Configure the system to store passwords in encrypted form.",
"iacontrols": null,
"id": "V-34677",
"ruleID": "SV-45554r1_rule",
"severity": "medium",
"title": "The IDPS must enforce password encryption for storage.",
"version": "SRG-NET-000160-IDPS-00118"
},
"V-34678": {
"checkid": "C-42904r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nView the password configuration or system documentation.\nVerify the system is configured to encrypt passwords when logging on both locally and non-locally. \n\nIf passwords are sent in clear text, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. The IDPS can be compromised by personnel with access to the network. Passwords sent in the clear can be intercepted and used by unauthorized personnel to gain administrative access to the IDPS. It is imperative to encrypt passwords before transmitting during any authentication process. \n\nThis control applies to passwords configured or controlled by the IDPS itself.",
"fixid": "F-38952r1_fix",
"fixtext": "Configure the IDPS to encrypt passwords prior to transmission as part of the authentication process.",
"iacontrols": null,
"id": "V-34678",
"ruleID": "SV-45555r1_rule",
"severity": "medium",
"title": "The IDPS must enforce password encryption for transmission.",
"version": "SRG-NET-000161-IDPS-00119"
},
"V-34679": {
"checkid": "C-42906r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nView the password configuration for local accounts.\nVerify the system is configured so the value for the minimum password lifetime restriction is set to an organizationally defined value.\n\nIf the value for the minimum lifetime password restriction is not set to an organizationally defined value, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. \n\nA password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user. However, changing the password too frequently may result in the user changing a small portion of the password, or the user could mishandle the password in an attempt to remember the new password. This attribute is used to prevent repeated password changes to defeat the password reuse or history enforcement.\n\nThis control applies to accounts configured or controlled by the IDPS itself.",
"fixid": "F-38954r1_fix",
"fixtext": "Configure the account passwords so the value for the minimum lifetime restriction is set to an organizationally defined value.",
"iacontrols": null,
"id": "V-34679",
"ruleID": "SV-45557r1_rule",
"severity": "medium",
"title": "The IDPS must enforce minimum password lifetime restrictions.",
"version": "SRG-NET-000162-IDPS-00120"
},
"V-34680": {
"checkid": "C-42907r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nView the password configuration for local user accounts.\nVerify the system is configured so the value for the maximum password lifetime restriction is set to an organizationally defined value.\n\nIf the value for the maximum lifetime restriction is not set to an organizationally defined value, this is a finding.",
"description": "To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user. \n\nThis control applies to accounts configured or controlled by the IDPS itself.",
"fixid": "F-38955r1_fix",
"fixtext": "Configure the account passwords so the value for the maximum lifetime restriction is set to an organizationally defined value.",
"iacontrols": null,
"id": "V-34680",
"ruleID": "SV-45558r1_rule",
"severity": "medium",
"title": "The IDPS must enforce maximum password lifetime restrictions.",
"version": "SRG-NET-000163-IDPS-00121"
},
"V-34681": {
"checkid": "C-42909r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nInspect the user function of the device to view the PKI configuration.\nVerify the DoD CA has been configured in the certificate validation setting. \n\nIf the PKI configuration does not use a valid DoD CA for certificate validation, this is a finding.",
"description": "A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the \"\"root certificate\"\" or \"\"trust anchors\"\" such as a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted.\n\nThis control applies to accounts configured or controlled by the IDPS itself.",
"fixid": "F-38956r1_fix",
"fixtext": "Set the PKI certificate validation to point to a valid DoD CA.",
"iacontrols": null,
"id": "V-34681",
"ruleID": "SV-45559r1_rule",
"severity": "medium",
"title": "The IDPS must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.",
"version": "SRG-NET-000164-IDPS-00122"
},
"V-34682": {
"checkid": "C-42911r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nVerify settings for controlling authorized access to private keys are enabled. \n\nIf a rigorous technical key management policy is not in place to protect the private keys, this is a finding.",
"description": "The principle factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n\nThis control applies to accounts configured or controlled by the IDPS itself.",
"fixid": "F-38958r1_fix",
"fixtext": "Enable the setting on the IDPS that controls the authorized access to the user's private key.",
"iacontrols": null,
"id": "V-34682",
"ruleID": "SV-45561r1_rule",
"severity": "medium",
"title": "The IDPS must enforce authorized access to the corresponding private key for PKI-based authentication.",
"version": "SRG-NET-000165-IDPS-00123"
},
"V-34683": {
"checkid": "C-42912r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nInspect the user function of the device to view the PKI configuration.\nVerify each account is mapped to the user's PKI certificate.\n\nIf the local accounts are not mapped to the user's PKI certificate, this is a finding.",
"description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.\n\n\nThis control applies to accounts configured or controlled by the IDPS itself.",
"fixid": "F-38959r1_fix",
"fixtext": "Configure each local account to map the PKI certificate for each local user to the user's account.",
"iacontrols": null,
"id": "V-34683",
"ruleID": "SV-45562r1_rule",
"severity": "medium",
"title": "The IDPS must map the authenticated identity to the user account for PKI-based authentication.",
"version": "SRG-NET-000166-IDPS-00124"
},
"V-34684": {
"checkid": "C-42915r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding. \n\nReview the IDPS configuration and settings to determine if authentication information (e.g., passwords) is displayed in clear text during authentication. \n\nIf passwords are displayed in clear text during the authentication process, this is a finding.",
"description": "To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the information system shall not provide any information that would allow an unauthorized user to compromise the authentication mechanism. During the authentication process, malicious users can gain knowledge of passwords by simply walking by a user logging on, and viewing what had been input. Obfuscation of user provided information when typed into the system is a method used in addressing this risk.",
"fixid": "F-38960r1_fix",
"fixtext": "Configure the authentication function to obscure feedback of authentication information during the authentication process.",
"iacontrols": null,
"id": "V-34684",
"ruleID": "SV-45563r1_rule",
"severity": "medium",
"title": "The IDPS must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.",
"version": "SRG-NET-000167-IDPS-00125"
},
"V-34685": {
"checkid": "C-42916r1_chk",
"checktext": "Review the IDPS documentation to verify it is using NIST-validated FIPS 140-2 compliant cryptography for encrypted authentication mechanisms. \n\nIf NIST-validated FIPS 140-2 compliant cryptography is not being used for all encrypted authentication mechanisms, this is a finding.",
"description": "Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. If required, encryption modules must meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.",
"fixid": "F-38962r1_fix",
"fixtext": "Configure all authentication mechanisms using encryption to use FIPS 140-2 validated algorithms.",
"iacontrols": null,
"id": "V-34685",
"ruleID": "SV-45565r1_rule",
"severity": "medium",
"title": "The IDPS must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms.",
"version": "SRG-NET-000168-IDPS-00126"
},
"V-34686": {
"checkid": "C-42917r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Access to the network must be categorized as administrator, user, or guest, so the appropriate authorization can be assigned to the user requesting access to the network or a network element. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.\n\nIDPS must not have non-organizational users; therefore this requirement is not applicable.",
"fixid": "F-38963r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34686",
"ruleID": "SV-45566r1_rule",
"severity": "low",
"title": "The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.",
"version": "SRG-NET-000169-IDPS-NA"
},
"V-34687": {
"checkid": "C-42918r1_chk",
"checktext": "View the sensor logs on each sensor. Also, view the central management console log and audit log function. \n\nIf the logs are not enabled, this is a finding.",
"description": "Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any compromised network or the IDPS. Incident response teams can perform root cause analysis, determine how the exploit proliferated, identify all affected nodes, as well as contain and eliminate the threat.\n\nThe IDPS assists in the tracking of security incidents by logging detected security events. The sensor log can be centralized and used as part of the organization's event analysis.",
"fixid": "F-38964r1_fix",
"fixtext": "Enable the sensor, management console, and audit logs.",
"iacontrols": null,
"id": "V-34687",
"ruleID": "SV-45567r1_rule",
"severity": "medium",
"title": "The IDPS must employ automated mechanisms to assist in the tracking of security incidents.",
"version": "SRG-NET-000170-IDPS-00127"
},
"V-34688": {
"checkid": "C-42920r1_chk",
"checktext": "Inspect the IDPS audit event log configuration.\nVerify the logging server and sensors are set to shutdown if the audit log becomes full and new log entries cannot be written.\n\nIf the IDPS is not configured to invoke a system shutdown in the event of an audit log failure, this is a finding.",
"description": "It is critical that when a network device is at risk of failing to process audit logs as required, action is taken to mitigate the failure. If the device were to continue processing without auditing capabilities, the IDPS or the network could be compromised without logged information available for incident traceback.\n\nSome IDPS attacks try to generate specific traffic to fill up the logs of the sensors. Sudden saturation of the log may be an indication of a network attack. Sudden system shutdown must generate an alert; however that requirement is covered by another control.",
"fixid": "F-38966r1_fix",
"fixtext": "Configure the logging server and sensors to shutdown in case new audit log entries cannot be written to the log, unless an alternative audit capability exists.",
"iacontrols": null,
"id": "V-34688",
"ruleID": "SV-45569r1_rule",
"severity": "medium",
"title": "The IDPS must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists.",
"version": "SRG-NET-000171-IDPS-00128"
},
"V-34689": {
"checkid": "C-42921r1_chk",
"checktext": "Verify the IDPS restricts the use of maintenance tools to authorized system administrators.\n\nIf the use of maintenance tools is not restricted, this is a finding.",
"description": "This requirement addresses security-related issues associated with maintenance\ntools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools include hardware/software diagnostic test equipment and hardware/software packet sniffers. Maintenance tools connecting to an IDPS may contain malware or insert unauthorized capabilities; therefore, their use must be restricted to authorized personnel.",
"fixid": "F-38967r1_fix",
"fixtext": "Configure the IDPS to restrict access to maintenance tools for the IDPS to authorized system administrators.",
"iacontrols": null,
"id": "V-34689",
"ruleID": "SV-45570r1_rule",
"severity": "medium",
"title": "The IDPS must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only.",
"version": "SRG-NET-000172-IDPS-00129"
},
"V-34690": {
"checkid": "C-42922r1_chk",
"checktext": "Verify all sessions initiated using the GUI or SSH are logged in either the site's centralized audit log or the IDPS audit log.\nExamine the events in the audit log to see if diagnostic and maintenance sessions are annotated with a separate event code.\n\nIf diagnostic and maintenance sessions are not identified in the audit logs, this is a finding.",
"description": "Auditing and logging are key components of any security architecture. Logging the time, date, location, user, and actions performed of specific events provides a means to investigate an attack, recognize resource utilization, or capacity thresholds, or to simply identify an improperly configured IDPS. If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.\n\nThis requirement pertains to the use of privileged access when using the GUI or SSH to connect non-locally for the purpose of a diagnostic session on the servers and network elements.",
"fixid": "F-38968r1_fix",
"fixtext": "Configure the auditable events to capture all non-local sessions.\nConfigure the auditable events to capture diagnostic and maintenance sessions.",
"iacontrols": null,
"id": "V-34690",
"ruleID": "SV-45571r1_rule",
"severity": "low",
"title": "The IDPS must log non-local maintenance and diagnostic sessions.",
"version": "SRG-NET-000173-IDPS-00130"
},
"V-34691": {
"checkid": "C-42924r1_chk",
"checktext": "If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding for the IDPS application; the multifactor requirement is then assessed against that platform or authentication server under its applicable security guide or STIG. \n\nVerify non-local access to accounts authorized to perform maintenance and diagnostic activities on the IDPS components requires authenticated access.\nVerify the authentication used is a DoD approved multifactor authentication method (e.g., PKI, SecurID, or DoD Alternate Token).\n\nIf multifactor authentication is not used for non-local maintenance sessions, this is a finding.",
"description": "The IDPS must protect non-local maintenance sessions through the use of a strong authenticator which is tightly bound to the user. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. \n\nAuthentication techniques used in the establishment of non-local maintenance and diagnostic sessions reflect the network access requirements. Without authentication, anyone with logical access can access IDPS components, allowing intruders to compromise resources within the network infrastructure. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. An example of a strong authenticator is PKI, where certificates are stored on a token which is protected by a password, passphrase, or biometric. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: \n\n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric).",
"fixid": "F-38970r1_fix",
"fixtext": "Configure the IDPS components to require login to an authentication server which uses multifactor authentication for non-local maintenance sessions.",
"iacontrols": null,
"id": "V-34691",
"ruleID": "SV-45572r1_rule",
"severity": "medium",
"title": "The IDPS must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.",
"version": "SRG-NET-000174-IDPS-00131"
},
"V-34692": {
"checkid": "C-42928r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out-of-band (OOB) management for network elements is a best practice and the first step in the deployment of a management network. OOB management networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. The management network should have a direct link with local connection to the managed network elements. Where this is not possible, the management traffic can traverse over the production network or transient IP backbone via private encrypted tunnel.\n\nCreating logical or physically separate communications pathways for network traffic is not a function of the IDPS.",
"fixid": "F-38972r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34692",
"ruleID": "SV-45575r1_rule",
"severity": "low",
"title": "The network element must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption.",
"version": "SRG-NET-000175-IDPS-NA"
},
"V-34693": {
"checkid": "C-42930r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Lack of authentication enables anyone to gain access to the network or possibly a network element, thus providing an opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to any network element to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics. If packets associated with these sessions are not encrypted, the integrity and confidentiality of non-local maintenance and diagnostics is at risk.\n\nCryptographic protection of non-local maintenance and diagnostic communications is not a function of the IDPS application; it is provided by the network or the underlying OS.",
"fixid": "F-38974r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34693",
"ruleID": "SV-45577r1_rule",
"severity": "low",
"title": "The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.",
"version": "SRG-NET-000176-IDPS-NA"
},
"V-34694": {
"checkid": "C-42931r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Lack of authentication enables anyone to gain access to the network or possibly a network element, thus providing an opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to any network element to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.\n\nAll sessions must enforce identification and authentication. Protection of non-local maintenance and diagnostic sessions is not a function of the IDPS.",
"fixid": "F-38975r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34694",
"ruleID": "SV-45578r1_rule",
"severity": "low",
"title": "The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.",
"version": "SRG-NET-000177-IDPS-NA"
},
"V-34695": {
"checkid": "C-42932r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated, thereby freeing device resources and eliminating any possibility of an unauthorized user being orphaned to an open idle session of the managed device.\n\nAll sessions must terminate. The IDPS application cannot determine whether a session is local or non-local. Protection of non-local maintenance and diagnostic sessions is not a function of the IDPS.",
"fixid": "F-38976r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34695",
"ruleID": "SV-45579r1_rule",
"severity": "low",
"title": "The network element must terminate all sessions when non-local maintenance is completed.",
"version": "SRG-NET-000178-IDPS-NA"
},
"V-34696": {
"checkid": "C-42935r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "When data is written to portable digital media, there is the risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection.\n\nNeither physical nor cryptographic protection of portable digital media is a function of the IDPS application. This function is performed by the underlying OS.",
"fixid": "F-38978r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34696",
"ruleID": "SV-45581r1_rule",
"severity": "low",
"title": "The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.",
"version": "SRG-NET-000179-IDPS-NA"
},
"V-34697": {
"checkid": "C-42936r1_chk",
"checktext": "Inspect the encryption configuration function for the sensors and the management console.\nVerify encryption is automatically used for all data in storage on hard drives and other digital media. This includes sensor event logs and application audit logs. \n\nIf the system is not configured to encrypt information in storage, this is a finding.",
"description": "When data is written to digital media, there is the risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring physical protection. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls to the facility where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used (e.g., file or volume encryption; transport protocols such as TLS/SSL protect information in transit, not in storage) is based upon maintaining the confidentiality and integrity of the information. The strength of mechanisms is commensurate with the classification and sensitivity of the information.\n\nSensor event logs and application audit logs must be encrypted while in storage on the sensors or management console hard drive or other digital media.",
"fixid": "F-38979r1_fix",
"fixtext": "Configure the IDPS to protect information in storage with cryptographic mechanisms.",
"iacontrols": null,
"id": "V-34697",
"ruleID": "SV-45582r1_rule",
"severity": "medium",
"title": "The IDPS must employ cryptographic mechanisms to protect information in storage.",
"version": "SRG-NET-000180-IDPS-00132"
},
"V-34698": {
"checkid": "C-42937r1_chk",
"checktext": "Verify the use of sensor rules that monitor for unauthorized software.\n\nIf IDPS sensor rules are not used to monitor for unauthorized software use on organizational information systems, this is a finding.",
"description": "The IDPS monitors the network for known vulnerabilities and malicious software, such as Trojan horses, hacker tools, DDoS agents, and spyware. Many of these vulnerabilities may not be detected by anti-virus software or host-based intrusion detection systems. Unauthorized software may contain malware or malicious code which may be exploited by an attacker to gain access.",
"fixid": "F-38980r1_fix",
"fixtext": "Configure the IDPS sensors to detect unauthorized software.",
"iacontrols": null,
"id": "V-34698",
"ruleID": "SV-45583r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to detect the presence of unauthorized software on organizational information systems.",
"version": "SRG-NET-000181-IDPS-00133"
},
"V-34699": {
"checkid": "C-42939r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The IDPS must prevent the presentation of information system management functionality at an interface for general (i.e., non-privileged) users. The intent of this control enhancement is to ensure administration options are not available to general or unauthorized users (including prohibiting the use of the grey-out option commonly used to eliminate accessibility to such information). For example, administration options are not presented until the user has appropriately established a session with administrator privileges.\n\nNon-privileged (general) users are not allowed access to the IDPS components, thus this requirement is not applicable.",
"fixid": "F-38982r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34699",
"ruleID": "SV-45584r1_rule",
"severity": "low",
"title": "The network element must separate user functionality (including user interface services) from information system management functionality.",
"version": "SRG-NET-000182-IDPS-NA"
},
"V-34700": {
"checkid": "C-42940r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Information system management-related functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management-related functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate. An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different domain and with additional access controls.\n\nNon-privileged (general) users are not allowed access to the IDPS components, thus this requirement is not applicable.",
"fixid": "F-38983r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34700",
"ruleID": "SV-45586r1_rule",
"severity": "low",
"title": "The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.",
"version": "SRG-NET-000183-IDPS-NA"
},
"V-34701": {
"checkid": "C-42941r1_chk",
"checktext": "Verify the application is designed to separate security functions from non-security functions (i.e., separate address space) for each executing process.\n\nIf the system is not designed to isolate security functions from non-security functions, this is a finding.",
"description": "The IDPS must be designed and configured to isolate security functions from non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide separation between processes having different security levels. These processes are used by the hardware, software, and firmware of the IDPS components to perform various functions. The IDPS application must maintain a separate execution domain (e.g., address space) for each executing process to minimize the risk of leakage or corruption of privileged information. \n\nThis control is normally a function of the IDPS application design and is usually not a configurable setting; however, there may be settings in some IDPS applications that must be configured to optimize function isolation.",
"fixid": "F-38984r1_fix",
"fixtext": "Enable settings that isolate security functions from non-security functions.",
"iacontrols": null,
"id": "V-34701",
"ruleID": "SV-45587r1_rule",
"severity": "medium",
"title": "The IDPS must isolate security functions from non-security functions.",
"version": "SRG-NET-000184-IDPS-00134"
},
"V-34702": {
"checkid": "C-42942r1_chk",
"checktext": "Verify an isolation boundary (e.g., use of separate address space) is used for each executing process.\n\nIf the vendor application design documentation indicates there is no boundary separation between security functions, this is a finding.",
"description": "The IDPS must be designed and configured to isolate security functions enforcing access and information flow control. Isolation must separate processes that perform security functions from those performing non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide access control and integrity protection of the hardware, software, and firmware of the IDPS components. The IDPS application must maintain a separate execution domain (e.g., use of separate address space) for each executing process to minimize the risk of leakage or corruption of privileged information. This control is normally a function of the IDPS application design and is usually not a configurable setting; however, there may be settings in some IDPS applications that must be configured to optimize function isolation.",
"fixid": "F-38985r1_fix",
"fixtext": "Enable settings that isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.",
"iacontrols": null,
"id": "V-34702",
"ruleID": "SV-45588r1_rule",
"severity": "medium",
"title": "The IDPS must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions.",
"version": "SRG-NET-000186-IDPS-00135"
},
"V-34703": {
"checkid": "C-42943r1_chk",
"checktext": "Verify the application is designed to separate security functions from non-security functions (e.g., use of separate address space) for each executing process. \n\nIf the vendor application design documentation indicates there is no boundary separation between security functions, this is a finding.",
"description": "The IDPS must be designed and configured to minimize the number of non-security functions included within the boundary containing security functions. An isolation boundary, implemented via partitions and domains, must be used to minimize the mixture of these functions, thus minimizing the risk of leakage or corruption of privileged information.\n\nThis control is normally a function of the IDPS application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.",
"fixid": "F-38986r1_fix",
"fixtext": "Enable settings to create an isolation boundary. \nConfigure the isolation boundary to minimize the number of non-security functions included within the boundary which contains security functions.",
"iacontrols": null,
"id": "V-34703",
"ruleID": "SV-45589r1_rule",
"severity": "medium",
"title": "The IDPS must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.",
"version": "SRG-NET-000187-IDPS-00136"
},
"V-34704": {
"checkid": "C-42945r1_chk",
"checktext": "Verify the application is designed to separate security functions from non-security functions (e.g., use of separate address space) for each executing process. \n\nIf the vendor application design documentation indicates there is no boundary separation between security functions, this is a finding.",
"description": "The IDPS must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. \n\nThis control is normally a function of the IDPS application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.",
"fixid": "F-38987r1_fix",
"fixtext": "Enable settings that implement security functions as a layered structure minimizing interactions between layers of the design.",
"iacontrols": null,
"id": "V-34704",
"ruleID": "SV-45590r1_rule",
"severity": "medium",
"title": "The IDPS must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
"version": "SRG-NET-000189-IDPS-00137"
},
"V-34705": {
"checkid": "C-42946r1_chk",
"checktext": "Verify the application is designed to prevent unauthorized and unintended information transfer between user sessions. \nSettings needed to enable or optimize this security feature must be enabled and configured.\n\nIf the system is not configured to prevent unauthorized and unintended information transfer via shared system resources, this is a finding.",
"description": "The purpose of this control is to prevent information produced by the actions of a prior user or role, or by a process acting on behalf of a prior user or role, from being available to any current user, role, or process that obtains access to a shared system resource (e.g., registers, main memory, or secondary storage) after the resource has been released back to the IDPS. Control of information in shared resources is also referred to as object reuse.",
"fixid": "F-38988r1_fix",
"fixtext": "Enable settings that prevent unauthorized and unintended information transfer via shared system resources.",
"iacontrols": null,
"id": "V-34705",
"ruleID": "SV-45591r1_rule",
"severity": "medium",
"title": "The IDPS must prevent unauthorized and unintended information transfer via shared system resources.",
"version": "SRG-NET-000190-IDPS-00138"
},
"V-34706": {
"checkid": "C-42950r1_chk",
"checktext": "Review the IDPS to determine if it is configured to protect against and limit the effects of DoS attacks. \n\nIf the IDPS is not configured to limit DoS attacks, this is a finding.",
"description": "A DoS attack against the IDPS components can leave the network without vital intrusion detection and prevention services, leaving the network and devices open to attack. A variety of technologies exist to limit or eliminate the effects of DoS attacks. The IDPS must help monitor for and filter certain types of packets to protect information system components on internal organizational networks from DoS attacks. Use of multiple sensors, load balancers, increasing sensor log capacity, and providing service redundancy may also reduce the IDPS's susceptibility to denial of service attacks.",
"fixid": "F-38990r1_fix",
"fixtext": "Configure the IDPS to protect against or limit the effects of DoS attacks.",
"iacontrols": null,
"id": "V-34706",
"ruleID": "SV-45592r1_rule",
"severity": "medium",
"title": "The IDPS must protect against or limit the effects of Denial of Service (DoS) attacks.",
"version": "SRG-NET-000191-IDPS-00139"
},
"V-34707": {
"checkid": "C-42952r1_chk",
"checktext": "Review the IDPS documentation and configuration to determine if the system restricts the ability of users or systems to launch DoS attacks against other information systems or networks from the IDPS components themselves.\n\nIf the IDPS is not configured to restrict this ability, this is a finding.",
"description": "The IDPS must prevent users from using the IDPS components to launch a DoS attack. Use of mechanisms that throttle traffic and resources so that attackers cannot generate unlimited traffic via the IDPS application can assist in this effort. Sensor log capacity management, along with techniques that prevent the logging of redundant information during an attack, also guards against DoS attacks.",
"fixid": "F-38991r1_fix",
"fixtext": "Configure the IDPS to restrict the ability of users or other systems to launch DoS attacks against other information systems or networks from the IDPS components.",
"iacontrols": null,
"id": "V-34707",
"ruleID": "SV-45593r1_rule",
"severity": "medium",
"title": "The IDPS must restrict the ability of users to launch DoS attacks against other information systems or networks.",
"version": "SRG-NET-000192-IDPS-00140"
},
"V-34708": {
"checkid": "C-42953r1_chk",
"checktext": "Review the IDPS documentation and configuration to determine if excess capacity and bandwidth are managed, and if redundancy is built into the system to limit the effects of information flooding types of DoS attacks on IDPS components themselves.\n\nIf excess capacity and bandwidth are not managed, or redundancy is not built into the architecture, this is a finding.",
"description": "Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include establishing selected usage priorities, quotas, or partitioning. The device must be configured to contain and limit a DoS attack\u2019s effect on the device\u2019s resource utilization.",
"fixid": "F-38992r1_fix",
"fixtext": "Configure the IDPS to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.",
"iacontrols": null,
"id": "V-34708",
"ruleID": "SV-45594r1_rule",
"severity": "medium",
"title": "The IDPS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks.",
"version": "SRG-NET-000193-IDPS-00141"
},
"V-34709": {
"checkid": "C-42955r1_chk",
"checktext": "Review the IDPS documentation and system configuration to determine if resource prioritization is implemented as part of the IDPS application. \n\nIf the system is not configured to prioritize resources, this is a finding.",
"description": "Priority protection helps prevent a lower priority process from delaying or interfering with the information system servicing any higher-priority process. If priority protection is not implemented, network congestion may result in poor network service because priority traffic may be delayed or dropped, and this in turn could result in a denial of service condition.\n\nAn additional IDPS component, a load balancer, is recommended for use with larger networks and will facilitate traffic prioritization and bandwidth management.",
"fixid": "F-38993r1_fix",
"fixtext": "Configure the IDPS to limit the use of resources by priority.",
"iacontrols": null,
"id": "V-34709",
"ruleID": "SV-45595r1_rule",
"severity": "medium",
"title": "The IDPS must limit the use of resources by priority.",
"version": "SRG-NET-000194-IDPS-00142"
},
"V-34710": {
"checkid": "C-42957r1_chk",
"checktext": "If this function is performed by another network element, this is not a finding.\n\nVerify sensor rules exist that monitor inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination.\n\nIf rules do not exist to monitor inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination, this is a finding.",
"description": "Spoofing source addresses occurs when a malicious user outside the network has created packets with a source address belonging to the private address space of the target network. This is done in an attempt to slip through the perimeter as a member host to gain access to internal resources or to conceal identity to perform an attack. It is imperative that all inbound and outbound traffic with spoofed or invalid source addresses is blocked. If inbound traffic is not monitored to make sure source and destination of packets are authorized, then malicious users outside the network may be able to send packets to the private, trusted network.\n\nTypically, this function is performed by the network firewall. However, some newer IDPS products are able to perform this function.",
"fixid": "F-38995r1_fix",
"fixtext": "Implement sensor rules to monitor inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination.",
"iacontrols": null,
"id": "V-34710",
"ruleID": "SV-45597r1_rule",
"severity": "medium",
"title": "The IDPS must check inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination.",
"version": "SRG-NET-000195-IDPS-00143"
},
"V-34711": {
"checkid": "C-42959r1_chk",
"checktext": "Review the IDPS components to determine if a host based protection mechanism (e.g., HBSS) is used. \n\nIf a host based protection tool is not configured, this is a finding.",
"description": "A host-based boundary protection mechanism is, for example, a host based firewall. Host based boundary protection mechanisms are employed on devices to protect the asset where the data resides and to inspect data that has been decrypted. Host based firewalls also allow for finer granularity when determining which ports, protocols, and services need to be enabled on a system by system basis. Without a host based protection mechanism, the IDPS may not have adequate protection against attacks that may not be detected at the perimeter firewall.",
"fixid": "F-38996r1_fix",
"fixtext": "Employ a host based protection tool (e.g., HBSS) on the IDPS sensors and management console/server.",
"iacontrols": null,
"id": "V-34711",
"ruleID": "SV-45598r1_rule",
"severity": "low",
"title": "The IDPS must implement host based boundary protection mechanisms.",
"version": "SRG-NET-000196-IDPS-00144"
},
"V-34712": {
"checkid": "C-42971r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "To secure the enclave, the site must implement defense-in-depth security. This requires the deployment of various network security elements at strategic locations. The enclave must also be segregated into separate subnets with unique security policies. Subnetting provides a number of essential network services (e.g., public content, remote access, and perimeter protection). If isolation techniques, such as subnetting, are not used, unauthorized access to privileged information could result.\n\nThe IDPS does not divide the network into subnets.",
"fixid": "F-39003r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34712",
"ruleID": "SV-45605r1_rule",
"severity": "low",
"title": "The network element must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.",
"version": "SRG-NET-000197-IDPS-NA"
},
"V-34713": {
"checkid": "C-42972r1_chk",
"checktext": "Verify the OOBM interface for all sensors is configured with an IP address from the address space belonging to the OOBM network. \nAfter determining which interface is connected to the OOBM access switch, review the managed device configuration. \nVerify the interface has been assigned an address from the local management address block.\n\nIf management traffic is not directed through a dedicated management interface for purposes of access control and auditing, this is a finding.",
"description": "Although the IDPS is not responsible for routing all network management traffic to the management network, it must route all outgoing communications through the OOBM interface. If management traffic is allowed onto the user network segments, privileged information may be intercepted by non-privileged users which could lead to the compromise of network devices.\n\nIDPS sensors are installed in stealth mode with one interface installed on the management network. This interface is used for communications with the management console and other network elements. The management console is installed on the management network. If in-band management is required because of mission requirements, a dedicated IP address for the remote management client, as well as traffic encryption is required.",
"fixid": "F-39004r1_fix",
"fixtext": "Configure the IDPS\u2019s OOBM interface with an IP address from the address space belonging to the OOBM network.",
"iacontrols": null,
"id": "V-34713",
"ruleID": "SV-45606r1_rule",
"severity": "medium",
"title": "The IDPS must route all management traffic through a dedicated management interface.",
"version": "SRG-NET-000198-IDPS-00145"
},
"V-34714": {
"checkid": "C-42973r1_chk",
"checktext": "Inspect the sensor rules installed on the sensors to block or ignore activity that would result in discovery of network devices by an unauthorized attacker by performing the following actions.\nVerify sensor rules exist that monitor for and drop unreachable traffic. \nVerify sensors do not announce network address information. \nVerify sensors ignore neighbor solicitation messages.\n\nIf the IDPS is not configured to prevent discovery of network devices and components, this is a finding.",
"description": "Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method of obtaining information about the network infrastructure that can be useful to plan an attack. In addition, responding to the sending node that a packet cannot be forwarded as the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages. \n\nTo mitigate the risk of reconnaissance or a Denial of Service (DoS) attack, all external-facing interfaces must be configured to silently drop unreachable traffic, not announce network address information, and to ignore neighbor solicitation messages.\n\nIDPS sensors are installed in stealth mode with one interface installed on the management network. This interface is used for communications with the management console and other network elements. The management console is installed on the management network.",
"fixid": "F-39005r1_fix",
"fixtext": "Implement sensor rules that monitor for and drop unreachable traffic and ignore neighbor solicitation messages. Configure rules or signatures so network address information is not announced.",
"iacontrols": null,
"id": "V-34714",
"ruleID": "SV-45607r1_rule",
"severity": "medium",
"title": "The IDPS must prevent discovery of specific system components or devices comprising a managed interface.",
"version": "SRG-NET-000199-IDPS-00146"
},
"V-34715": {
"checkid": "C-42974r1_chk",
"checktext": "If this is an IDS only implementation, this is not applicable.\nInspect the rules installed on the IPS.\nVerify signatures exist that monitor for valid formation of protocol formats.\nVerify an enforcement action is taken for disallowed or malformed protocol formats.\n\nIf rules that monitor and enforce protocol formats are not installed, this is a finding.",
"description": "Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by attackers to exploit a host\u2019s protocol stack to create a Denial of Service (DoS) or force a device reset, to bypass security gateway filtering, or to compromise a vulnerable device. It is imperative these packets are recognized and discarded at the network perimeter.\n\nThis requirement is not applicable for IDS only implementations since it is specifically for enforcement.",
"fixid": "F-39006r1_fix",
"fixtext": "Implement rules to monitor and prevent the use of disallowed or malformed protocol formats.",
"iacontrols": null,
"id": "V-34715",
"ruleID": "SV-45608r1_rule",
"severity": "medium",
"title": "The IDPS must enforce strict adherence to protocol format.",
"version": "SRG-NET-000200-IDPS-00147"
},
"V-34716": {
"checkid": "C-42976r1_chk",
"checktext": "If this is an IDS only implementation, this is not applicable. If this function is performed by another network element, this is not a finding.\n\nInspect the rules installed on the IPS.\nVerify rules exist to monitor for invalid access into the organization\u2019s internal networks.\nVerify an enforcement action is taken to deny all access for direct connection to the internal network from outside the enclave.\n\nIf a rule preventing direct access to the internal network from a source external to the DoD enclave does not exist, this is a finding.",
"description": "The enclave\u2019s internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of the enclave. The initial defense for the internal network is to block any traffic at the perimeter attempting to make a connection to a host residing on the internal network.\n\nThis requirement is not applicable for IDS only implementations since it is specifically for enforcement. Typically, this function is performed by the network firewall. However, some newer IDPS products are able to perform this function.",
"fixid": "F-39008r1_fix",
"fixtext": "Implement rules for monitoring and enforcing a denial-by-default of access traffic from outside the enclave with destination addresses directly to the internal network.",
"iacontrols": null,
"id": "V-34716",
"ruleID": "SV-45610r1_rule",
"severity": "medium",
"title": "The IDPS must prevent access into the organization\u2019s internal networks except as explicitly permitted and controlled by employing boundary protection devices.",
"version": "SRG-NET-000201-IDPS-00148"
},
"V-34717": {
"checkid": "C-42977r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal network is to block any traffic at the perimeter that is attempting to make a connection to a host residing on the internal network. In addition, allowing unknown or undesirable outbound traffic by the firewall or router will establish a state that will subsequently permit the return of this undesirable traffic inbound.\n\nThis requirement applies to devices whose main purpose is the blocking of network traffic such as firewalls and routers and is not applicable to the IDPS.",
"fixid": "F-39009r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34717",
"ruleID": "SV-45611r1_rule",
"severity": "low",
"title": "The network element must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.",
"version": "SRG-NET-000202-IDPS-NA"
},
"V-34718": {
"checkid": "C-42978r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network, such as a web server, web mail, and chat rooms. This prevents any hackers on the outside from learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to. The proxy server is in the middle, handling both sides of the session. Hence, all routing devices must forward traffic to the appropriate proxy to filter the traffic and initiate the sessions with the external server.\n\nThis requirement applies to proxy servers and is not applicable to the IDPS.",
"fixid": "F-39010r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34718",
"ruleID": "SV-45612r1_rule",
"severity": "low",
"title": "The network element must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.",
"version": "SRG-NET-000203-IDPS-NA"
},
"V-34719": {
"checkid": "C-42980r1_chk",
"checktext": "Verify rules exist that monitor and block outbound traffic with internal source addresses that are harmful or will pose a threat to external information systems.\n\nIf rules do not exist to monitor and enforce filtering of internal addresses posing a threat to external information systems, this is a finding.",
"description": "Monitoring and filtering the outbound traffic adds a layer of protection to the enclave. Unlike an IDS, an IPS can both detect and take action to prevent harmful traffic from leaving the network. Blocking harmful outbound traffic can also prevent the network from being used as the source of an attack.\n\nIn the case of an IDS only implementation, control must be achieved using another method or network device; however, this requirement must be implemented as part of the IDPS solution.",
"fixid": "F-39011r1_fix",
"fixtext": "Configure the IPS with rules to enforce filtering of internal addresses posing a threat to external information systems.",
"iacontrols": null,
"id": "V-34719",
"ruleID": "SV-45613r1_rule",
"severity": "medium",
"title": "The IDPS must monitor and enforce filtering of internal addresses posing a threat to external information systems.",
"version": "SRG-NET-000204-IDPS-00149"
},
"V-34720": {
"checkid": "C-42981r1_chk",
"checktext": "Verify one or more sensors are configured to monitor traffic from both internal and external interfaces.\nVerify rules exist to detect harmful traffic on both the external and internal boundary interfaces.\n\nIf rules do not exist to monitor and control traffic at both the external and internal boundary interfaces, this is a finding.",
"description": "Monitoring and controlling both inbound and outbound network traffic adds a layer of protection to the enclave. Unlike an IDS, an IPS can both detect and take action to prevent harmful traffic from leaving the network. Blocking harmful inbound and outbound traffic can also prevent the network from being used as the source of an attack.\n\nIn the case of an IDS only implementation, control must be achieved using another method or network device; however, this requirement must be implemented as part of the IDPS solution.",
"fixid": "F-39012r1_fix",
"fixtext": "Configure the IDPS with rules to monitor and control traffic at both the external and internal boundary interfaces.",
"iacontrols": null,
"id": "V-34720",
"ruleID": "SV-45614r1_rule",
"severity": "medium",
"title": "The IDPS must monitor and control traffic at both the external and internal boundary interfaces.",
"version": "SRG-NET-000205-IDPS-00150"
},
"V-34721": {
"checkid": "C-42982r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the enclave, in addition to being a good Internet citizen by preventing your network from being used as an attack base. All network elements must be configured to ensure all traffic is forwarded through the perimeter security infrastructure when sending traffic to external destinations.\n\nThe IDPS itself does not originate traffic destined for external devices.",
"fixid": "F-39013r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34721",
"ruleID": "SV-45616r1_rule",
"severity": "low",
"title": "The network element must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.",
"version": "SRG-NET-000206-IDPS-NA"
},
"V-34722": {
"checkid": "C-42983r1_chk",
"checktext": "This control does not apply if the information is protected by a physical security solution (e.g., Protective Distribution System [PDS] or physical access control) while in transit. \n\nInspect the encryption configuration for each configured interface capable of communication with the network.\nVerify the encryption module is configured to use an approved hashing algorithm to protect information in transit through all interfaces capable of transmitting information.\n\nIf the IDPS and sensors do not use cryptographic mechanisms to protect the integrity of information while in transit, this is a finding.",
"description": "The IDPS must employ cryptographic mechanisms to recognize changes to information during transmission unless the transmission is otherwise protected by alternative physical measures. If connectivity is provided by a commercial service provider rather than a dedicated service, obtaining the necessary assurances regarding the implementation of needed security controls for transmission integrity may not be possible. Without cryptographic integrity controls, information traveling over commercial networks could be altered or compromised during transmission. Therefore, these controls must be obtained from the service provider using appropriate contracting vehicles. If this is not feasible, then the organization will implement physical or logical compensating security controls. ",
"fixid": "F-39015r1_fix",
"fixtext": "Configure the cryptographic module on all interfaces capable of communications to use cryptographic mechanisms configured with an approved hashing algorithm to protect the integrity of information while in transit.",
"iacontrols": null,
"id": "V-34722",
"ruleID": "SV-45617r1_rule",
"severity": "medium",
"title": "The IDPS must protect the integrity of transmitted information.",
"version": "SRG-NET-000207-IDPS-00151"
},
"V-34723": {
"checkid": "C-42984r2_chk",
"checktext": "This control does not apply if the information is protected by a physical security solution (e.g., PDS or physical access control) while in transit. \n\nInspect the encryption configuration for each configured interface. \nVerify the encryption module is configured to use an approved hashing algorithm to protect information in transit through all interfaces capable of transmitting information.\n\nIf the IDPS and sensors do not use cryptographic mechanisms to protect the integrity of information while in transit, this is a finding.",
"description": "This control applies to communications across internal and external networks, unless the information is protected by a physical security solution (e.g., PDS or physical access control) while in transit. The IDPS must employ cryptographic mechanisms to recognize changes to information during transmission unless the transmission is otherwise protected by alternative physical measures. If connectivity is provided by a commercial service provider rather than a dedicated service, obtaining the necessary assurances regarding the implementation of needed security controls for transmission integrity may not be possible. Without cryptographic integrity controls, information traveling over commercial networks could be altered or compromised during transmission. Therefore, these controls must be obtained from the service provider using appropriate contracting vehicles. If this is not feasible, then the organization will implement physical or logical compensating security controls.",
"fixid": "F-39016r1_fix",
"fixtext": "Configure the cryptographic module on all interfaces capable of communications to use cryptographic mechanisms configured with an approved hashing algorithm to protect the integrity of information while in transit.",
"iacontrols": null,
"id": "V-34723",
"ruleID": "SV-45618r1_rule",
"severity": "medium",
"title": "The IDPS must use cryptographic mechanisms to protect the integrity of information while in transit, unless otherwise protected by alternative physical measures.",
"version": "SRG-NET-000208-IDPS-00152"
},
"V-34724": {
"checkid": "C-42986r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "This control applies to communications across internal and external networks. The IDPS must employ cryptographic mechanisms to recognize changes to information while preparing information for transmission unless the transmission is otherwise protected by alternative physical measures. If connectivity is provided by a commercial service provider rather than a dedicated service, obtaining the necessary assurances regarding the implementation of needed security controls for transmission integrity may not be possible. Without cryptographic integrity controls, information traveling over commercial networks could be altered or compromised during transmission. Therefore, these controls must be obtained from the service provider using appropriate contracting vehicles. If this is not feasible, then the organization will implement physical or logical compensating security controls. \n\nAggregation and encapsulation of network level traffic is not a function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-39018r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34724",
"ruleID": "SV-45620r1_rule",
"severity": "low",
"title": "The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.",
"version": "SRG-NET-000209-IDPS-NA"
},
"V-34725": {
"checkid": "C-42987r1_chk",
"checktext": "Open the management application.\nInspect the encryption configuration.\nVerify encryption is automatically used for all data in transit.\nVerify the device is configured to negotiate a key exchange before full encryption takes place when using approved cryptographic transmission algorithms.\n\nIf the system is not configured to use cryptographic mechanisms to protect information in transit, this is a finding.",
"description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
"fixid": "F-39019r1_fix",
"fixtext": "Configure the IDPS to protect information in transit with cryptographic mechanisms.",
"iacontrols": null,
"id": "V-34725",
"ruleID": "SV-45621r1_rule",
"severity": "medium",
"title": "The IDPS must protect the confidentiality of transmitted information.",
"version": "SRG-NET-000210-IDPS-00153"
},
"V-34726": {
"checkid": "C-42989r1_chk",
"checktext": "Open the management application.\nInspect the encryption configuration.\nVerify encryption is automatically used for all data in transit.\nVerify the device is configured to negotiate a key exchange before full encryption takes place. \nVerify the device provides full encryption capability (AES or stronger).\n\nIf the system is not configured to use cryptographic mechanisms to protect information in transit, this is a finding.",
"description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
"fixid": "F-39021r1_fix",
"fixtext": "Configure the device so encryption is automatically used for all data in transit.\nConfigure the device to negotiate a key exchange before starting full encryption transmissions.",
"iacontrols": null,
"id": "V-34726",
"ruleID": "SV-45623r1_rule",
"severity": "medium",
"title": "The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures.",
"version": "SRG-NET-000211-IDPS-00154"
},
"V-34727": {
"checkid": "C-42990r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.\n\nAggregation and encapsulation of network level traffic is not a function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-39022r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34727",
"ruleID": "SV-45624r1_rule",
"severity": "low",
"title": "The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.",
"version": "SRG-NET-000212-IDPS-NA"
},
"V-34728": {
"checkid": "C-42991r1_chk",
"checktext": "Examine the vendor documentation or the configuration for communications between the sensors, management console, or other network device.\nVerify IDPS sensors and management servers terminate and close the session once the communication is no longer required or active.\n\nIf the IDPS application does not terminate and close sessions once the session is not needed, this is a finding.",
"description": "Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single operating system level network connection. \nIf sessions are not terminated when a transaction has completed, the session has the potential to be hijacked by an adversary. \n\nThe time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.",
"fixid": "F-39023r1_fix",
"fixtext": "Configure the IDPS system to terminate communication sessions when the transaction has ended or after an organizationally defined time period.",
"iacontrols": null,
"id": "V-34728",
"ruleID": "SV-45625r1_rule",
"severity": "medium",
"title": "The IDPS must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.",
"version": "SRG-NET-000213-IDPS-00155"
},
"V-34729": {
"checkid": "C-42993r1_chk",
"checktext": "Verify communications between the IDPS sensors and other trusted entities are configured to use secure paths to access security functions (e.g., encryption, hashing, or out-of-band subnets).\n\nIf communications between the sensors and the management console are visible on the user or public network, this is a finding.",
"description": "The IDPS user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf. To safeguard critical information that could be used by a malicious user to compromise the device or the entire network infrastructure, a trusted path is required for high-confidence connections between the security functions (i.e., login) of the IDPS components and the user.",
"fixid": "F-39025r1_fix",
"fixtext": "Configure the user interface to use a trusted communications pathway when accessing organizationally defined security functions.",
"iacontrols": null,
"id": "V-34729",
"ruleID": "SV-45627r1_rule",
"severity": "medium",
"title": "The IDPS must establish a trusted communications path between the user and organizationally defined security functions within the information system.",
"version": "SRG-NET-000214-IDPS-00156"
},
"V-34730": {
"checkid": "C-42995r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected, keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and to steal information. An attacker may be able to modify or corrupt a key to cause a Denial of Service. \n\nKey management is the process of generating and securely distributing keys used in the encryption process. This process includes a key management policy which includes key generation, distribution, storage, usage, lifetime duration, and destruction. Key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.\n\nKey management is not a function of the IDPS.",
"fixid": "F-39027r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34730",
"ruleID": "SV-45629r1_rule",
"severity": "low",
"title": "The network element must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes.",
"version": "SRG-NET-000215-IDPS-NA"
},
"V-34731": {
"checkid": "C-42996r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected, keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and to steal information. An attacker may be able to modify or corrupt a key to cause a Denial of Service. \n\nKey management is the process of generating and securely distributing keys used in the encryption process. This process includes a key management policy which includes key generation, distribution, storage, usage, lifetime duration, and destruction. Key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.\n\nKey management is not a function of the IDPS.",
"fixid": "F-39028r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34731",
"ruleID": "SV-45630r1_rule",
"severity": "low",
"title": "The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.",
"version": "SRG-NET-000216-IDPS-NA"
},
"V-34732": {
"checkid": "C-42997r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected, keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and to steal information. An attacker may be able to modify or corrupt a key to cause a Denial of Service. Use of approved PKI Class 3 certificates or prepositioned keying material mitigates the risk to the network of duplication or modification of cryptographic keys.\n\nProducing, controlling, and distributing asymmetric cryptographic keys is not a function of the IDPS.",
"fixid": "F-39029r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34732",
"ruleID": "SV-45631r1_rule",
"severity": "low",
"title": "The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.",
"version": "SRG-NET-000217-IDPS-NA"
},
"V-34733": {
"checkid": "C-42998r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected, keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and to steal information. An attacker may be able to modify or corrupt a key to cause a Denial of Service. Use of approved PKI certificates or prepositioned keying material mitigates the risk to the network of duplication or modification of cryptographic keys.\n\nProducing, controlling, and distributing asymmetric cryptographic keys is not a function of the IDPS.",
"fixid": "F-39030r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34733",
"ruleID": "SV-45632r1_rule",
"severity": "low",
"title": "The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user\u2019s private key.",
"version": "SRG-NET-000218-IDPS-NA"
},
"V-34734": {
"checkid": "C-43000r1_chk",
"checktext": "Verify a FIPS-validated or NSA-approved cryptographic module is installed and configured on the IDPS components to protect transmissions and data in storage.\n\nIf FIPS-validated or NSA-approved cryptography is not used, this is a finding.",
"description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation. Using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance provides additional assurance that the cryptography has been implemented correctly. FIPS validation is a strict requirement for the use of cryptography in the Federal Government for unclassified information, as is NSA approval of cryptography for classified data and applications. This requirement applies where cryptography is required by the data owner or organizational policy to protect data in transit to or from the IDPS components or to protect data in storage on the IDPS components.",
"fixid": "F-39032r1_fix",
"fixtext": "Ensure the IDPS uses cryptographic protections which employ FIPS 140 validated or NSA approved cryptographic modules.",
"iacontrols": null,
"id": "V-34734",
"ruleID": "SV-45634r1_rule",
"severity": "medium",
"title": "The IDPS must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.",
"version": "SRG-NET-000219-IDPS-00157"
},
"V-34735": {
"checkid": "C-43001r1_chk",
"checktext": "Verify any cryptographic modules used to protect information in transit to and from IDPS components or data in storage on IDPS components are on the NIST Cryptographic Algorithm Validation Program (CAVP) product lists.\n\nIf FIPS-validated cryptography is not used to protect unclassified information while in transit or in storage, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Hence, it is imperative that transmission of data requiring privacy use FIPS-validated cryptography. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS validation provides assurance that the relevant cryptography has been implemented correctly. This requirement applies where cryptography is required by the data owner or organizational policy to protect data in transit to or from the IDPS components or to protect data in storage on the IDPS components.",
"fixid": "F-39033r1_fix",
"fixtext": "Install FIPS-validated cryptography to protect unclassified information while in transit or in storage as required by the data owner or organizational policy.",
"iacontrols": null,
"id": "V-34735",
"ruleID": "SV-45635r1_rule",
"severity": "medium",
"title": "The IDPS must employ FIPS-validated cryptography to protect unclassified information.",
"version": "SRG-NET-000220-IDPS-00158"
},
"V-34736": {
"checkid": "C-43002r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. \n\nNSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: \n\nCryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms, this equipment is used to protect systems requiring the most stringent protection mechanisms.\n\nThis requirement is outside the scope of the IDPS. An NSA-approved, Type 1 device must be installed to provide classified encryption functionality.",
"fixid": "F-39034r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34736",
"ruleID": "SV-45636r1_rule",
"severity": "low",
"title": "The network element must employ NSA-approved cryptography to protect classified information.",
"version": "SRG-NET-000221-IDPS-NA"
},
"V-34737": {
"checkid": "C-43004r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS 140-2 Security Requirements for Cryptographic Modules can be found at the following web site: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.\n\nAlthough individuals may have a security clearance, they may not have a need to know and are required to be separated from the information in question. Applications must employ FIPS validated cryptography to protect unclassified information from those individuals who do not have a need to know.\n\nOnly authorized system administrators with necessary access approvals are allowed to access the IDPS. The IDPS management interface is connected only to the restricted management network. Encryption for the purpose of traffic separation is not applicable.",
"fixid": "F-39036r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34737",
"ruleID": "SV-45638r1_rule",
"severity": "low",
"title": "The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
"version": "SRG-NET-000222-IDPS-NA"
},
"V-34738": {
"checkid": "C-43009r1_chk",
"checktext": "Examine the architecture diagrams and IDPS configuration.\nVerify a sensor is installed and configured to monitor and protect the public DMZ.\n\nIf a sensor is not installed to protect the public DMZ subnet, this is a finding.",
"description": "Public-facing servers enable access to information by clients outside of the enclave. These servers are subject to greater exposure to attacks. It is imperative that the integrity of the data is maintained to ensure the enclave does not provide false or erroneous information. The IDPS must provide the necessary protection to ensure availability and integrity of the data and to reduce or eliminate DoS attacks directed against the servers on the public-facing segment. A sensor must be installed to monitor the publicly available segment (e.g., public DMZ).",
"fixid": "F-39041r1_fix",
"fixtext": "Install and configure a sensor to monitor the public DMZ subnet.",
"iacontrols": null,
"id": "V-34738",
"ruleID": "SV-45643r1_rule",
"severity": "medium",
"title": "The IDPS must protect the integrity and availability of publicly available information and applications.",
"version": "SRG-NET-000224-IDPS-00159"
},
"V-34739": {
"checkid": "C-43012r1_chk",
"checktext": "Verify sensor communications to the base, router, firewall, or central logging server are configured to use specific IP address information and interface/port.\n\nIf communications between the IDPS and external network devices are not restricted and clearly defined using specific security attributes, this is a finding.",
"description": "Security attributes are associated with internal structures within the IDPS application used to enable the implementation of access control and flow control policies or support other aspects of the information security policy. It is crucial these attributes are associated and validated to ensure access control and flow control policies are properly implemented.\n\nThe IDPS communicates with other systems to transmit notices and sensor logs or to update other network elements (e.g., IPS updating the router or firewall ACLs).",
"fixid": "F-39044r1_fix",
"fixtext": "Configure external network communications with IP address information.\nLimit the pathway by specifying interfaces to use.",
"iacontrols": null,
"id": "V-34739",
"ruleID": "SV-45646r1_rule",
"severity": "medium",
"title": "The IDPS must associate security attributes with information exchanged between information systems.",
"version": "SRG-NET-000225-IDPS-00160"
},
"V-34740": {
"checkid": "C-43014r1_chk",
"checktext": "Verify IDPS includes a process for validating the integrity and validity of the source IP address and source interface/port when receiving communications from other network devices.\n\nIf communications between the IDPS and external network devices do not include a process for validating the source IP address and source interface/port, this is a finding.",
"description": "Security attributes are associated with internal structures within the IDPS used to enable the implementation of access control and flow control policies or support other aspects of the information security policy. It is crucial these attributes are associated and validated to ensure access control and flow control policies are properly implemented. \n\nThe IDPS communicates with other systems to transmit notices and sensor logs or to update other network elements (e.g., IPS updating the router or firewall ACLs).",
"fixid": "F-39045r1_fix",
"fixtext": "Configure external network communications with IP address information and limit the pathway by specifying interfaces to use.",
"iacontrols": null,
"id": "V-34740",
"ruleID": "SV-45647r1_rule",
"severity": "medium",
"title": "The IDPS must validate the integrity of security attributes exchanged between information systems.",
"version": "SRG-NET-000226-IDPS-00161"
},
"V-34741": {
"checkid": "C-43016r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. \n\nThis requirement focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations. This control does not apply to the functionality of the IDPS.",
"fixid": "F-39048r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34741",
"ruleID": "SV-45650r1_rule",
"severity": "low",
"title": "The IDPS must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.",
"version": "SRG-NET-000227-IDPS-NA"
},
"V-34742": {
"checkid": "C-43017r1_chk",
"checktext": "Verify rules exist that monitor for unauthorized mobile code as it traverses the network.\n\nIf sensors are not configured to monitor network traffic for unauthorized mobile code, this is a finding.",
"description": "Mobile code is a program that can be executed on one or several hosts other than the one it originates from. These programs offer many benefits to the organization; however, decisions regarding the use of mobile code must also include consideration of which types of mobile code are not authorized for use.\n\nMalicious mobile code can be used to install malware on a computer. The code can be transmitted through interactive Web applications such as Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript.\n\nWhile the IDPS cannot replace the anti-virus and host-based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented which provide preemptive defense against both known and zero day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors.",
"fixid": "F-39049r1_fix",
"fixtext": "Install and configure rules to inspect network traffic on segments for unauthorized mobile code.",
"iacontrols": null,
"id": "V-34742",
"ruleID": "SV-45651r1_rule",
"severity": "medium",
"title": "The IDPS must implement detection and inspection mechanisms to identify unauthorized mobile code.",
"version": "SRG-NET-000228-IDPS-00162"
},
"V-34743": {
"checkid": "C-43018r1_chk",
"checktext": "Verify the sensors are configured to take action (e.g., blocking, quarantining, or alerting authorized individuals) when unauthorized mobile code is detected.\n\nIf the IDPS is not configured to take corrective action when unauthorized mobile code is detected, this is a finding.",
"description": "Mobile code is a program that can be executed on one or several hosts other than the one they originate from. These programs offer many benefits to the organization; however, decisions regarding the use of mobile code must also include consideration of which types of mobile code are not authorized for use.\n\nMalicious mobile code can be used to install malware on a computer. The code can be transmitted through interactive Web applications such as Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript.\n\nWhile the IDPS cannot replace the anti-virus and HIDS protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented which provide preemptive defense against both known and zero day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors. When detected, the IDPS must log and drop the traffic containing the mobile code.",
"fixid": "F-39050r1_fix",
"fixtext": "Configure the sensors to take action (e.g., blocking, quarantining, or alerting authorized individuals) when unauthorized mobile code is detected.",
"iacontrols": null,
"id": "V-34743",
"ruleID": "SV-45652r1_rule",
"severity": "medium",
"title": "The IDPS must take corrective action when unauthorized mobile code is identified.",
"version": "SRG-NET-000229-IDPS-00163"
},
"V-34744": {
"checkid": "C-43019r1_chk",
"checktext": "Verify the application uses session authentication mechanisms (e.g., error checking, source and destination verification, and session identification).\n\nIf mechanisms are not provided to protect the authenticity of communications sessions between the IDPS components and other network elements, this is a finding.",
"description": "This requirement addresses communications protection at the session level versus the packet level (e.g., sessions in service-oriented architectures providing web-based services). Without maintaining the authenticity of the communications session and confidence in the mutual ongoing identity of both communicating entities, the information being transmitted may be malicious or invalid. Authenticity protection includes protecting against man-in-the-middle attacks (i.e., session hijacking) and guarding against the insertion of false information into sessions.",
"fixid": "F-39051r1_fix",
"fixtext": "Configure the IDPS to require session authentication mechanisms (e.g., error checking, source and destination verification, and session identification) when communicating.",
"iacontrols": null,
"id": "V-34744",
"ruleID": "SV-45653r1_rule",
"severity": "low",
"title": "The IDPS must provide mechanisms to protect the authenticity of communications sessions.",
"version": "SRG-NET-000230-IDPS-00164"
},
"V-34745": {
"checkid": "C-43020r1_chk",
"checktext": "Verify the IDPS communications configuration invalidates session identifiers upon administrator logout or other session termination.\n\nIf the IDPS is not configured to release and invalidate session identifiers upon user logout or session termination, this is a finding.",
"description": "Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session.",
"fixid": "F-39052r1_fix",
"fixtext": "Configure the IDPS components to invalidate session identifiers upon user logout or other session termination.",
"iacontrols": null,
"id": "V-34745",
"ruleID": "SV-45654r1_rule",
"severity": "medium",
"title": "The IDPS must invalidate session identifiers upon user logout or other session termination.",
"version": "SRG-NET-000231-IDPS-00165"
},
"V-34746": {
"checkid": "C-43022r1_chk",
"checktext": "Verify the IDPS communications configuration generates and uses unique session identifiers for each communications session.\n\nIf the IDPS is not configured to generate and use unique session identifiers for each communications session, this is a finding.",
"description": "Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers. Employing the concept of randomness in the generation of unique session identifiers helps to protect against attacks to determine future session identifiers.\n\nUnique session IDs address man-in-the-middle attacks including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.",
"fixid": "F-39053r1_fix",
"fixtext": "Configure the IDPS components to generate and use unique session identifiers for each communications session.",
"iacontrols": null,
"id": "V-34746",
"ruleID": "SV-45655r1_rule",
"severity": "medium",
"title": "The IDPS must generate a unique session identifier for each session.",
"version": "SRG-NET-000232-IDPS-00166"
},
"V-34747": {
"checkid": "C-43023r1_chk",
"checktext": "Verify the system is configured to allow only system generated session identifiers for communications. \n\nIf the IDPS is not configured to allow only system generated session identifiers for communications, this is a finding.",
"description": "Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers, especially when generated by the IDPS itself.\n\nUnique session IDs address man-in-the-middle attacks including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to IDPS application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.",
"fixid": "F-39055r1_fix",
"fixtext": "Configure the system to allow only system generated session identifiers for communications.",
"iacontrols": null,
"id": "V-34747",
"ruleID": "SV-45657r1_rule",
"severity": "medium",
"title": "The IDPS must allow only system generated session identifiers.",
"version": "SRG-NET-000233-IDPS-00167"
},
"V-34748": {
"checkid": "C-43024r1_chk",
"checktext": "Review the IDPS vendor documentation to determine if it utilizes random and unique session IDs.\n\nIf the application or configuration does not utilize random and unique session IDs, this is a finding.",
"description": "Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.\n\nUnique session IDs address man-in-the-middle attacks including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.",
"fixid": "F-39056r1_fix",
"fixtext": "Ensure the IDPS uses random, unique session identifiers with organizationally defined randomness requirements.",
"iacontrols": null,
"id": "V-34748",
"ruleID": "SV-45658r1_rule",
"severity": "medium",
"title": "The IDPS must generate unique session identifiers with organizationally defined randomness requirements.",
"version": "SRG-NET-000234-IDPS-00168"
},
"V-34749": {
"checkid": "C-43025r1_chk",
"checktext": "Examine the configuration settings for hardware and/or application failover of the sensors.\nVerify the IDPS sensors and management console are configured to fail to an organizationally defined secure state. Verify this secure state prevents or limits unauthorized, unaudited access.\n\nIf the system failover or hardware/software failure settings are not configured to fail to an organizationally defined known state for organizationally defined types of failures, this is a finding.",
"description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a state that is known to be secure helps prevent the loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.",
"fixid": "F-39057r1_fix",
"fixtext": "Configure the system failover or hardware/software failure settings to fail to an organizationally defined known state for organizationally defined types of failures.\nConfigure an organizationally defined state that prevents or limits unauthorized, unaudited access.",
"iacontrols": null,
"id": "V-34749",
"ruleID": "SV-45659r1_rule",
"severity": "low",
"title": "The IDPS must fail to an organizationally defined known state for organizationally defined types of failures.",
"version": "SRG-NET-000235-IDPS-00169"
},
"V-34750": {
"checkid": "C-43026r1_chk",
"checktext": "Examine the configuration settings for hardware and/or application failover of the sensors.\nVerify the IDPS sensors are configured to preserve system state information upon failure.\nVerify the management console is configured to preserve organizationally defined system state information upon failure.\n\nIf a failover method is not in use, this is a finding.",
"description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving system state information facilitates system restart and return to the operational mode of the organization with less disruption of the network. Each site should have a failover solution in place in case of system fault. IDPS components may include failover configuration using multiple management servers, logging databases, and sensor load balancers.",
"fixid": "F-39058r1_fix",
"fixtext": "Configure the system failover or hardware/software failure settings to preserve organizationally defined system state information in the event of a system failure.",
"iacontrols": null,
"id": "V-34750",
"ruleID": "SV-45660r1_rule",
"severity": "low",
"title": "The IDPS must preserve organizationally defined system state information in the event of a system failure.",
"version": "SRG-NET-000236-IDPS-00170"
},
"V-34751": {
"checkid": "C-43027r1_chk",
"checktext": "Verify all network segments with web servers installed are monitored by one or more sensors. Verify signatures are installed for application inspection and control of all web ports. Verify signatures are installed to monitor and analyze application traffic that uses port redirection. \n\nIf the IDPS sensors are not configured to perform application inspection and control of all web ports, this is a finding.",
"description": "In a regional Enterprise Enclave, different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for each set of sensors, each profile can then be tuned to generate alarms based on the traffic types seen, the attack signatures, and the specific traffic (string signatures) relevant to each sensor group. If more than one sensor group sees the same traffic types, then the same signature profile may be used for both sets. Alerting on specific connection signatures, general attack signatures, and specific string signatures provides focused segment analysis at Layer 4.\n\nThe sensor monitoring the web server will be configured for application inspection and control of all web ports (e.g., 80, 3128, 8000, 8010, 8080, 8888, 24326, etc.). The sensor monitoring the web servers must also monitor and control web traffic not received on web ports. This process is called port redirection. In many implementations port redirection is a separate signature to be installed.",
"fixid": "F-39059r1_fix",
"fixtext": "Install one or more sensors to monitor all network segments with web servers installed. Verify signatures are installed for application inspection and control of all web ports. Install signatures to monitor and analyze application traffic that uses port redirection. \nReview and tune all signatures that are specifically tailored to detect vulnerabilities in web servers.",
"iacontrols": null,
"id": "V-34751",
"ruleID": "SV-45661r1_rule",
"severity": "medium",
"title": "The IDPS must implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.",
"version": "SRG-NET-000237-IDPS-00171"
},
"V-34752": {
"checkid": "C-43028r1_chk",
"checktext": "Inspect the encryption configuration settings.\nVerify all configuration files, system files, and logs stored on the management console are protected by encryption when at rest. \nVerify all configuration files, system files, and logs stored on the sensors are protected by encryption when at rest. \n\nIf files and logs stored on the management console or sensors are not encrypted, this is a finding.",
"description": "This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the IDPS. It is imperative that system data that is generated as well as device configuration data is protected.",
"fixid": "F-39060r1_fix",
"fixtext": "Enable file encryption for all storage drives in the sensors and management console.",
"iacontrols": null,
"id": "V-34752",
"ruleID": "SV-45662r1_rule",
"severity": "low",
"title": "The IDPS must protect the confidentiality and integrity of system information at rest.",
"version": "SRG-NET-000238-IDPS-00172"
},
"V-34753": {
"checkid": "C-43029r1_chk",
"checktext": "Inspect the encryption configuration. Verify encryption is automatically used for all data at rest.\n\nIf the system is not configured to employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures, this is a finding.",
"description": "This requirement is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the IDPS. It is imperative that system data that is generated, as well as device configuration data, is protected.",
"fixid": "F-39061r1_fix",
"fixtext": "Open the device\u2019s management application and navigate to the encryption configuration screen.\nConfigure the device so encryption is automatically used for all data at rest.",
"iacontrols": null,
"id": "V-34753",
"ruleID": "SV-45663r1_rule",
"severity": "medium",
"title": "The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
"version": "SRG-NET-000239-IDPS-00173"
},
"V-34754": {
"checkid": "C-43030r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points.\n\nThis control is covered as part of the OS SRG and implemented by configuration of a HIDS.",
"fixid": "F-39062r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34754",
"ruleID": "SV-45664r1_rule",
"severity": "low",
"title": "The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.",
"version": "SRG-NET-000241-IDPS-NA"
},
"V-34755": {
"checkid": "C-43031r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Security-relevant software updates must be installed promptly in order to mitigate the exploitation of known vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. By requiring the automated update of application software on a periodic schedule, flaws and newly discovered attack vectors will be remediated in a timely manner.\n\nThis requirement applies to flaw remediation systems. Flaw remediation is not a function of the IDPS.",
"fixid": "F-39063r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34755",
"ruleID": "SV-45665r1_rule",
"severity": "low",
"title": "The network element must be configured to automatically check for security updates to the application software on an organizationally defined frequency.",
"version": "SRG-NET-000242-IDPS-NA"
},
"V-34756": {
"checkid": "C-43032r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "It is imperative that the organization promptly installs security relevant software updates from an authorized patch management server to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously. Software obtained from unauthorized sources may contain malicious code and may put the enclave at risk.\n\nThis requirement applies to flaw remediation systems. Flaw remediation is not a function of the IDPS.",
"fixid": "F-39064r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34756",
"ruleID": "SV-45666r1_rule",
"severity": "low",
"title": "The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.",
"version": "SRG-NET-000243-IDPS-NA"
},
"V-34757": {
"checkid": "C-43047r1_chk",
"checktext": "Review the rules of the IDPS. Verify malicious code protection mechanisms are implemented to detect and eradicate malicious code at the network perimeter (e.g., blacklists, whitelists, malware protection, and behavior analysis).\n\nIf the IDPS does not employ malicious code protection mechanisms to detect and eradicate malicious code at the network perimeter, this is a finding.",
"description": "The organization must employ malicious code protection mechanisms at information system entry and exit points. This protection must detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or inserted through the exploitation of information system vulnerabilities.\n\nMalicious code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It can also run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, web accesses, and removable media. Malicious code includes viruses, worms, Trojan horses, and spyware.\n\nWhile the IDPS cannot replace anti-virus or HIDS protection installed on the network's endpoints, sensor rules can be implemented which provide preemptive defense against both known and zero day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors.",
"fixid": "F-39079r1_fix",
"fixtext": "Configure the IDPS to employ malicious code protection mechanisms are implemented to detect and eradicate malicious code at the network perimeter (e.g., blacklists, whitelists, malware protection, and behavior analysis)",
"iacontrols": null,
"id": "V-34757",
"ruleID": "SV-45681r1_rule",
"severity": "medium",
"title": "The IDPS must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter.",
"version": "SRG-NET-000244-IDPS-00174"
},
"V-34758": {
"checkid": "C-43048r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It can also run and attach programs, which provide a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, web accesses, and removable media. \n\nProviding malicious code protection on network endpoint is not the function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-39080r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34758",
"ruleID": "SV-45682r1_rule",
"severity": "low",
"title": "The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.",
"version": "SRG-NET-000245-IDPS-NA"
},
"V-34759": {
"checkid": "C-43049r1_chk",
"checktext": "Review the configuration or system maintenance logs to verify the malicious code protection mechanisms and rules definitions are kept updated when new releases are available.\n\nIf malicious code protection mechanisms and rules definitions are not kept updated, this is a finding.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It can also run and attach programs, which provide a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, web accesses, and removable media. \n\nWhile the IDPS cannot replace anti-virus or HIDS protection installed on the network's endpoints, sensor rules can be implemented which provide preemptive defense against both known and zero day vulnerabilities. However, if sensor rules are not kept up to date, new defenses and protection against emerging threats will not be available.",
"fixid": "F-39081r1_fix",
"fixtext": "Configure the IDPS for implementing updates for sensor rules and malicious code protection mechanisms in accordance with organizational configuration management policy and procedures.",
"iacontrols": null,
"id": "V-34759",
"ruleID": "SV-45683r1_rule",
"severity": "medium",
"title": "The IDPS must update malicious code protection mechanisms and rules definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.",
"version": "SRG-NET-000246-IDPS-00175"
},
"V-34760": {
"checkid": "C-43050r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Vulnerability assessment monitoring must be performed on a regular basis to identify devices that are vulnerable or have already been breached by malicious code.\n\nProviding malicious code monitoring on network information systems is not the function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-39082r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34760",
"ruleID": "SV-45684r1_rule",
"severity": "low",
"title": "The network element must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency.",
"version": "SRG-NET-000247-IDPS-NA"
},
"V-34761": {
"checkid": "C-43051r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users may be able to breach firewalls and access sensitive data by assuming the identity of authorized users. Real-time monitoring must be performed on files from external sources as they are downloaded and prior to being opened or executed. \n\nMonitoring of individual files is not the function of the IDPS, thus this requirement is not applicable.",
"fixid": "F-39083r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34761",
"ruleID": "SV-45685r1_rule",
"severity": "low",
"title": "The network element must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed.",
"version": "SRG-NET-000248-IDPS-NA"
},
"V-34762": {
"checkid": "C-43052r1_chk",
"checktext": "Review the rules implemented on the IDPS to verify organizationally defined actions are performed upon the detection of malicious code.\n\nIf the IDPS is not configured to perform organizationally defined actions when malicious code is detected, this is a finding.",
"description": "Organizations may determine that in response to malicious code detection, different actions may be warranted for different situations. For example, the IDPS may send different alerts, block malicious packets, block the IP address, or update the firewall depending on the capabilities of the implementation. Upon detection of traffic transporting malicious code, the IDPS must perform organizationally defined actions to notify or prevent malicious code from further impacting the network.",
"fixid": "F-39084r1_fix",
"fixtext": "Configure the IDPS to perform organizationally defined actions when malicious code is detected.",
"iacontrols": null,
"id": "V-34762",
"ruleID": "SV-45686r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to perform organizationally defined actions in response to malicious code detection.",
"version": "SRG-NET-000249-IDPS-00176"
},
"V-34763": {
"checkid": "C-43053r1_chk",
"checktext": "Review the rules implemented on the IDPS to verify the system is configured to address the false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.\n\nIf the IDPS is not configured to address false positives during malicious code detection and eradication and the resulting impact on the availability of the system, this is a finding.",
"description": "One of the top concerns of any IDPS solution is false positives. Incorrectly identifying valid access and traffic as an attack can result in constant network traffic disruptions, inappropriately dropped packets, or unnecessary administrator alerts. Critical business activities can be delayed and additional IT resources needed to investigate and determine the nature of the false positives. Mechanisms which examine the traffic in context (stateful) or look for application and usage patterns are used by IDPS solutions to minimize false positives.",
"fixid": "F-39085r1_fix",
"fixtext": "Configure the IDPS to address the receipt of false positives during malicious code detection and eradication processes.",
"iacontrols": null,
"id": "V-34763",
"ruleID": "SV-45687r1_rule",
"severity": "medium",
"title": "The IDPS must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.",
"version": "SRG-NET-000250-IDPS-00177"
},
"V-34764": {
"checkid": "C-43054r1_chk",
"checktext": "Obtain a list of the rules currently in use. The latest new rules are often flagged by date or other indicator.\nCompare listing of the most recently downloaded \u201cnew\u201d rules, with that obtained from the current version on the Patch Management server or the vendor site. \n\nIf the system is not configured to automatically update malicious code protection mechanisms and rules definitions, this is a finding.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. The black hats and malicious code writers continuously find new methods to attack hosts and the network infrastructure. It is imperative that new protection mechanisms developed to mitigate their risks be installed as quickly as possible. \n\nFor the IDPS, rules are also updated to detect attempts to exploit systems. Not updating the rule sets could lead to missed reconnaissance and malicious attacks.",
"fixid": "F-39086r1_fix",
"fixtext": "Install the latest approved version of the vendor rules update for the detection of malicious code.",
"iacontrols": null,
"id": "V-34764",
"ruleID": "SV-45688r1_rule",
"severity": "medium",
"title": "The IDPS must automatically update malicious code protection mechanisms and rule definitions.",
"version": "SRG-NET-000251-IDPS-00178"
},
"V-34765": {
"checkid": "C-43055r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "It is critical the protection mechanisms used to detect and contain malicious code are not tampered with by unauthorized users. \n\nThis control pertains to anti-virus products which are out of scope.",
"fixid": "F-39087r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34765",
"ruleID": "SV-45689r1_rule",
"severity": "low",
"title": "The network element must prevent non-privileged users from circumventing malicious code protection capabilities.",
"version": "SRG-NET-000252-IDPS-NA"
},
"V-34766": {
"checkid": "C-43056r1_chk",
"checktext": "Verify only authenticated and authorized system administrators have access to the update functionality for malicious code protection mechanisms and signatures.\n\nIf malicious code protection installed on the IDPS components is not configured to allow only authorized system administrators to update the software, this is a finding.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users and are only updated when directed by a privileged user.",
"fixid": "F-39088r1_fix",
"fixtext": "Remove permissions from system administrators who are not authorized for access to malicious code protection mechanisms and signature file configuration functionality.",
"iacontrols": null,
"id": "V-34766",
"ruleID": "SV-45690r1_rule",
"severity": "medium",
"title": "The IDPS must only update malicious code protection mechanisms when directed by a privileged user.",
"version": "SRG-NET-000253-IDPS-00179"
},
"V-34767": {
"checkid": "C-43057r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, web accesses, and removable media. \n\nThis control pertains to anti-virus products which are out of scope.",
"fixid": "F-39089r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34767",
"ruleID": "SV-45691r1_rule",
"severity": "low",
"title": "The network element must not allow users to introduce removable media into the information system.",
"version": "SRG-NET-000254-IDPS-NA"
},
"V-34768": {
"checkid": "C-43058r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing a sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. \n\nThis is a network architecture design requirement. The network architecture should be designed such that all ingress traffic passes the sensor decrypted and is inspected by the firewall and Network IDPS. This is not an IDPS function. ",
"fixid": "F-39090r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34768",
"ruleID": "SV-45692r1_rule",
"severity": "low",
"title": "The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.",
"version": "SRG-NET-000255-IDPS-NA"
},
"V-34769": {
"checkid": "C-43059r1_chk",
"checktext": "Review the IDPS rules to determine what events are defined for each interface (inbound and outbound).\n\nIf rules have not been installed to monitor each enabled interface for anomalies, this is a finding.",
"description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. Placing a sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. Without monitoring of both outbound and inbound traffic for anomalies, critical indicators of attacks may be missed until it is too late.",
"fixid": "F-39091r1_fix",
"fixtext": "Download a vendor rule set or create rules which examine network traffic on the inbound and outbound interfaces for anomalies. \nDefine clipping levels/thresholds to provide a baseline. The rule must monitor for and alert on specific attacks identifying potential security violations or attacks.",
"iacontrols": null,
"id": "V-34769",
"ruleID": "SV-45693r1_rule",
"severity": "medium",
"title": "The IDPS must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.",
"version": "SRG-NET-000256-IDPS-00180"
},
"V-34770": {
"checkid": "C-43060r1_chk",
"checktext": "Applies to networks where DHCPv6 is not used.\n\nVerify a sensor signature exists to monitor inbound and outbound TCP and UDP traffic for prohibited port numbers (e.g., 67, 68, 546, 547, 647, 847, and 2490). Verify the IPS or another system takes action to drop the prohibited packets.\n\nIf the IDPS is not configured to detect and drop inbound and outbound TCP and UDP packets using prohibited ports, this is a finding.",
"description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. \n\nThe IDS must be configured to monitor this traffic; however, the IPS must also be configured to take action to drop the traffic. The IPS must be configured to drop inbound and outbound TCP and UDP packets with the following port numbers: 67, 68, 546, 547, 647, 847, and 2490 on the IDPS. This requirement applies only if DHCPv6 is not used.",
"fixid": "F-39092r1_fix",
"fixtext": "Create or install a rule to monitor for any inconsistencies in the advertised \u201cM or O bit values\u201d of router advertisements on a link. \nCreate or install a rule to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.\nConfigure the rule to drop packets using prohibited ports.",
"iacontrols": null,
"id": "V-34770",
"ruleID": "SV-45694r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers.",
"version": "SRG-NET-000256-IDPS-00181"
},
"V-34771": {
"checkid": "C-43061r1_chk",
"checktext": "Inspect the alert functionality using the management console. Verify the system is configured to provide alerts to an email or monitored system screen when any of an organizationally defined list of compromise or potentially compromise events occur.\n\nIf the system is not configured to provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur, this is a finding.",
"description": "When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism. Near real-time alerts for critical events allow the administrators to respond to these potential compromise indicators since they may miss other types of alerts if they are not currently logged into the management console.",
"fixid": "F-39093r1_fix",
"fixtext": "Configure the IDPS to alert the administrators using email or another near real-time method when an organizationally defined list of events that may indicate an attack or other security violation occurs.",
"iacontrols": null,
"id": "V-34771",
"ruleID": "SV-45695r1_rule",
"severity": "medium",
"title": "The IDPS must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur.",
"version": "SRG-NET-000257-IDPS-00182"
},
"V-34772": {
"checkid": "C-43062r1_chk",
"checktext": "Verify the device is protecting the network management subnet. \nProtocols going to the management network should be known to the SA. \nAlarms should be generated for unexpected traffic types.\n\nIf the sensor is not configured to alarm if unexpected protocols for network management enter the subnet, this is a finding.",
"description": "The management network must detect all attacks on the management hosts. The management network has a range of traffic that is permitted. Some of the following traffic is allowed on the Management Hosts Segment: Trivial File Transfer Protocol (TFTP [UDP 69]): For network device configuration files from devices on the Managed Devices Segment; FTP-Data (TCP 20): For file transfers to network devices on the Managed Devices Segment and for Internet downloads; FTP-Control (TCP 21): For file transfers to network devices on the Managed Devices Segment and for Internet downloads; Sysco (UDP 514): From network devices on the Managed Devices Segment; Telnet (TCP 23): To network devices on the Managed Devices Segment; SSH (TCP 22): To network devices on the Managed Devices Segment; Network Time Protocol (NTP [UDP 123]): To synchronize the clocks of all network devices on the Managed Devices Segment; HTTP (TCP 80): To the Internet and from hosts on other segments to download the host-based IPS agent software; HTTPS (TCP 443): To network devices on the Managed Devices Segment and the Internet, as well as between the host-based IPS Console and its agents; TACACS+ (TCP 49): For administrator authentication to devices on the Managed Devices Segment; RADIUS (UDP 1812/1813 authentication/accounting): For authentication of administrator remote-access VPN connections coming from the Remote Administration Segment; ICMP (IP Protocol 1): Echo request and response to reach network devices on the Managed Devices Segment and the Internet; DNS (UDP 53): For name translation services for management hosts as they access services on the Internet; Simple Network Management Protocol (SNMP [UDP 161]): To query information from network devices on the Managed Devices Segment; SNMP-Trap (UDP 162): To receive trap information from network devices on the Managed Devices Segment.",
"fixid": "F-39094r1_fix",
"fixtext": "Implement or modify the sensor to protect the management network.",
"iacontrols": null,
"id": "V-34772",
"ruleID": "SV-45696r1_rule",
"severity": "medium",
"title": "The IDPS must be configured to alarm if unexpected protocols for network management enter the subnet.",
"version": "SRG-NET-000257-IDPS-00183"
},
"V-34773": {
"checkid": "C-43063r1_chk",
"checktext": "Review the interface configuration function for all sensors on all network segments. \nVerify all interfaces used to monitor network traffic are not configured with IP addresses (configured to use stealth mode).\n\nIf the sensor interfaces used to monitor network traffic are not installed in stealth mode, this is a finding.",
"description": "The IDPS must prevent non-privileged users from gaining access to the system in order to circumvent intrusion detection and prevention capabilities. Circumventing IDPS capabilities would require gaining access to the configuration of the system. To prevent access by non-privileged users and processes, both passive and inline sensors must be installed in stealth mode. \n\nOperating a sensor without IP addresses assigned to monitoring interfaces is known as operating in stealth mode. Thus, only network interfaces used for IDPS management are configured with an IP address and management ports are accessible only from the management network. This conceals the sensors from attackers and thus limits exposure to attacks. If monitoring is being performed using a switch SPAN port, the sensors must be configured in stealth mode and the Network Interface Card (NIC) must be connected to the SPAN port with no network protocol stacks bound to the port. A second NIC must then be connected to an OOB network.",
"fixid": "F-39095r1_fix",
"fixtext": "Remove the IP addresses from all IDPS sensor interfaces monitoring data flow.",
"iacontrols": null,
"id": "V-34773",
"ruleID": "SV-45697r1_rule",
"severity": "medium",
"title": "The IDPS must be installed in stealth mode without an IP address on the interface with data flow.",
"version": "SRG-NET-000258-IDPS-00184"
},
"V-34774": {
"checkid": "C-43064r1_chk",
"checktext": "Verify the sensors are configured to alert the various individuals when specific events (as defined by the organization) are detected.\n \nIf the IDPS is not configured to alert specific individuals when suspicious events are detected, this is a finding.",
"description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism.",
"fixid": "F-39096r1_fix",
"fixtext": "Implement alerts to notify specific individuals when suspicious events are detected.",
"iacontrols": null,
"id": "V-34774",
"ruleID": "SV-45698r1_rule",
"severity": "medium",
"title": "The IDPS must notify an organizationally defined list of incident response personnel of suspicious events.",
"version": "SRG-NET-000259-IDPS-00185"
},
"V-34775": {
"checkid": "C-43065r1_chk",
"checktext": "Verify the IDPS is configured to take an organizationally defined list of least-disruptive actions to terminate suspicious events.\n\nIf the IDPS is not configured to take an organizationally defined list of least-disruptive actions to terminate suspicious events, this is a finding.",
"description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, the IDPS must take action to thwart the attack using methods creating the least disruption to network availability.",
"fixid": "F-39097r1_fix",
"fixtext": "Configure the IDPS to take an organizationally defined list of least-disruptive actions to terminate suspicious events",
"iacontrols": null,
"id": "V-34775",
"ruleID": "SV-45699r1_rule",
"severity": "medium",
"title": "The IDPS must take an organizationally defined list of least-disruptive actions to terminate suspicious events.",
"version": "SRG-NET-000260-IDPS-00186"
},
"V-34776": {
"checkid": "C-43066r1_chk",
"checktext": "Verify the sensor data collected during network monitoring is protected from access by unauthorized system administrators. Verify system administrators, regardless of privileges, cannot modify or delete log entries on the system. \n\nIf the sensor logs are not protected from unauthorized access, modification, and deletion, this is a finding.",
"description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. The intrusion detection device must be configured to ensure non-privileged users are not able to circumvent the detection or alerting mechanisms. In addition, all information collected by the intrusion detection systems must be protected from unauthorized access, modification, and deletion. Train system administrators to never modify or delete portions of the log records that are stored in achieve locations as part of the official records.",
"fixid": "F-39098r1_fix",
"fixtext": "Configure the system to protect sensor event logs from unauthorized access, modification, and deletion while on the sensors or on the management server.",
"iacontrols": null,
"id": "V-34776",
"ruleID": "SV-45700r1_rule",
"severity": "medium",
"title": "The IDPS must protect information obtained from network monitoring from unauthorized access, modification, and deletion.",
"version": "SRG-NET-000261-IDPS-00187"
},
"V-34777": {
"checkid": "C-43067r1_chk",
"checktext": "This requirement is NA for IDPS. No fix required.",
"description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing a sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Regardless of direction, all encrypted traffic must be decrypted prior to reaching the sensor or firewall, so all traffic can be monitored. \n\nThis is a network architecture design requirement. Redesign the network architecture, so all ingress traffic will pass the sensor decrypted and must be inspected by the firewall and network IDPS.",
"fixid": "F-39099r1_fix",
"fixtext": "This requirement is NA for IDPS. No fix required.",
"iacontrols": null,
"id": "V-34777",
"ruleID": "SV-45701r1_rule",
"severity": "low",
"title": "The organization must ensure all encrypted traffic is visible to network monitoring tools.",
"version": "SRG-NET-000262-IDPS-NA"
},
"V-34778": {
"checkid": "C-43068r1_chk",
"checktext": "Verify one or more sensors are installed to monitor outbound traffic at the external boundary of the network. (At a minimum, a sensor should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving.) \n\nIf one or more sensors are not placed to monitor and analyze outbound traffic at the external boundary, this is a finding.",
"description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDPS sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
"fixid": "F-39100r1_fix",
"fixtext": "Place an IDPS sensor on the perimeter segment to monitor outbound traffic.",
"iacontrols": null,
"id": "V-34778",
"ruleID": "SV-45702r1_rule",
"severity": "medium",
"title": "The IDPS must analyze outbound traffic at the external boundary of the network.",
"version": "SRG-NET-000263-IDPS-00188"
},
"V-34779": {
"checkid": "C-43070r1_chk",
"checktext": "Verify one or more sensors on the internal network segments are configured to monitor outbound traffic. \n\nIf outbound traffic is not monitored by one or more internal sensors, this is a finding.",
"description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they must be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing a sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
"fixid": "F-39101r1_fix",
"fixtext": "Configure one or more internal sensors to monitor outbound traffic.",
"iacontrols": null,
"id": "V-34779",
"ruleID": "SV-45703r1_rule",
"severity": "medium",
"title": "The IDPS must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.",
"version": "SRG-NET-000264-IDPS-00189"
},
"V-34780": {
"checkid": "C-43071r1_chk",
"checktext": "Verify one or more sensors are installed to monitor the network for wireless networking protocols. \n\nIf the site does not have a WIDS installed, this is a finding.",
"description": "DoD information could be compromised if wireless monitoring is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A wireless IDS (WIDS) sensor must be installed and placed to monitor wireless network transmissions for possible attacks and unauthorized traffic.",
"fixid": "F-39103r1_fix",
"fixtext": "Install and configure one or more WIDS to monitor the network for unauthorized wireless traffic.",
"iacontrols": null,
"id": "V-34780",
"ruleID": "SV-45705r1_rule",
"severity": "medium",
"title": "The IDPS must detect attack attempts to the wireless network.",
"version": "SRG-NET-000265-IDPS-00190"
},
"V-34781": {
"checkid": "C-43072r1_chk",
"checktext": "Verify the WIDS is configured to monitor the network for unauthorized wireless devices. Verify the configuration will detect devices which are using non-standard wireless protocols. Verify the placement of the WIDS will detect devices transmitting in all offices and work spaces for the site.\n\nIf the WIDS is not configured to detect rogue wireless devices, this is a finding.",
"description": "DoD information could be compromised if wireless monitoring is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A WIDS sensor must be installed and placed to monitor wireless network transmissions for possible attacks and unauthorized traffic. Rogue devices are unauthorized wireless devices which are either connected to the enclave or are being used by personnel in DoD spaces. These devices may either provide attackers with a way into the enclave or attempt to breach the network.",
"fixid": "F-39104r1_fix",
"fixtext": "Configure the WIDS to monitor for rogue wireless devices.",
"iacontrols": null,
"id": "V-34781",
"ruleID": "SV-45706r1_rule",
"severity": "medium",
"title": "The IDPS must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.",
"version": "SRG-NET-000266-IDPS-00191"
},
"V-34782": {
"checkid": "C-43073r1_chk",
"checktext": "Review the IDPS vendor documentation and system configuration to determine if the correct operation of security functions, in accordance with organizationally defined conditions and frequency, is verified. \n\nIf the correct operation of organizationally defined security functions cannot be verified, this is a finding.",
"description": "Security functional testing involves testing the system for conformance to the application's security function specifications, as well as compliance with the underlying security model.\n\nThe need to verify security functionality applies to all security functions. For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. System initialization, shutdown, and aborts must be configured to ensure the system remains in a secure state. If tests are not provided and periodically run, the integrity of the system state cannot be verified.",
"fixid": "F-39105r1_fix",
"fixtext": "Configure the IDPS to verify the correct operation of security functions in accordance with organizationally defined conditions and frequency.",
"iacontrols": null,
"id": "V-34782",
"ruleID": "SV-45707r1_rule",
"severity": "medium",
"title": "The IDPS must verify the correct operation of security functions, in accordance with organizationally defined conditions and frequency.",
"version": "SRG-NET-000267-IDPS-00192"
},
"V-34783": {
"checkid": "C-43075r1_chk",
"checktext": "Verify automated self-tests are configured to take action if a failure is detected.\n\nIf the system is not configured to respond to security function anomalies in accordance with organizationally defined responses and alternative actions, this is a finding.",
"description": "Verification of security functionality is necessary to ensure the system\u2019s defenses are enabled. These anomalies are detected by running self-tests on each component in the IDPS. For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Upon detection of security function anomalies or failure of automated self-tests, the IDPS must respond in accordance with organizationally defined responses and alternative actions. If security functionality is not verified, the system could become compromised without the knowledge of the system administrators. \n\nIf automated self-tests are not available for all devices, then implement one of the following alternatives: \n(i) Document the risk as accepted.\n(ii) Provide and document manual testing procedures.",
"fixid": "F-39106r1_fix",
"fixtext": "For all IDPS components, enable the automated self-test failure action (e.g., state change, alerts, or alarms).",
"iacontrols": null,
"id": "V-34783",
"ruleID": "SV-45709r1_rule",
"severity": "medium",
"title": "The IDPS must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.",
"version": "SRG-NET-000268-IDPS-00193"
},
"V-34784": {
"checkid": "C-43076r1_chk",
"checktext": "Verify alerts are enabled to notify system administrators of failed security self-tests when they occur on any of the sensors or management console.\n\nIf the system is not configured to provide notification of failed automated security tests, this is a finding.",
"description": "Upon detection of a failure of an automated security self-test, the network element must respond in accordance with organizationally defined responses and alternative actions. Without taking any self-healing actions or notifying an administrator, the defense of the element and the network is left vulnerable and both could be breached. If system administrators are not alerted to failed security tests, the systems' defense could become compromised without the knowledge of the system administrators.",
"fixid": "F-39108r1_fix",
"fixtext": "Enable notifications for failed security self-tests on each IDPS component. Configure the notification to alert the system administrator upon failure of the self-tests.",
"iacontrols": null,
"id": "V-34784",
"ruleID": "SV-45710r1_rule",
"severity": "medium",
"title": "The IDPS must provide notification of failed automated security tests.",
"version": "SRG-NET-000269-IDPS-00194"
},
"V-34785": {
"checkid": "C-43078r1_chk",
"checktext": "Verify the IDPS is configured to provide automatic support of the site's distributed security testing systems.\n\nIf the system is not configured to provide automated support for the management of distributed security testing, this is a finding.",
"description": "The need to verify security functionality is necessary to ensure the IDPS\u2019s defense is enabled. To scale the deployment of the verification process, the IDPS must provide automated support for the management of distributed security testing. This control addresses security verification during network state changes. The IDPS can be configured to automatically provide logs to other devices on the network to be used for security verification processes.",
"fixid": "F-39110r1_fix",
"fixtext": "Configure the IDPS to support the site's distributed security testing systems.",
"iacontrols": null,
"id": "V-34785",
"ruleID": "SV-45712r1_rule",
"severity": "low",
"title": "The IDPS must provide automated support for the management of distributed security testing.",
"version": "SRG-NET-000270-IDPS-00195"
},
"V-34786": {
"checkid": "C-43079r1_chk",
"checktext": "Verify file integrity software has been installed on each sensor and management console (i.e., HIDS).\nVerify file integrity software is configured to monitor and alert if IDPS software is changed.\n\nIf the system is not configured to detect unauthorized changes to software and information, this is a finding.",
"description": "Anomalous behavior and unauthorized changes must be detected before the IDPS is breached or no longer in service. Identifying the source and method used to make the unauthorized change will help to determine what data is at risk and if other systems may be affected. HIDS software must be installed on the IDPS devices and sensors to protect the device itself from being breached and to monitor for unauthorized application file changes. This requirement is applicable to network appliances. For sensors with an underlying operating system, a compliance review of the operating system is required, which will include this HIDS requirement.",
"fixid": "F-39111r1_fix",
"fixtext": "Install file integrity software on each sensor and management console.\nConfigure integrity software to monitor and alert when software is changed.",
"iacontrols": null,
"id": "V-34786",
"ruleID": "SV-45713r1_rule",
"severity": "medium",
"title": "The IDPS must detect unauthorized changes to software and information.",
"version": "SRG-NET-000271-IDPS-00196"
},
"V-34787": {
"checkid": "C-43080r1_chk",
"checktext": "Verify signatures or rules exist on the management console to monitor the data for excessive error messages from network components. Verify signature or rules exist to identify and respond to potential security-relevant error conditions.\n\nIf the system is not configured to identify and respond to potential security-relevant error conditions, this is a finding.",
"description": "Error messages generated by various components and services of the network devices can indicate a possible security violation or breach. The IDPS implementation must detect and respond to error messages that may be a symptom of a compromise and provide notification. These error messages may be part of the network traffic on segments being monitored. Responses to these conditions include alerts or traffic dropping/blocking. If security-relevant error conditions are not identified by the IDPS, intrusion attacks may remain undetected, allowing more serious damage to the network.",
"fixid": "F-39112r1_fix",
"fixtext": "Configure the system to identify and respond to potential security-relevant error conditions.",
"iacontrols": null,
"id": "V-34787",
"ruleID": "SV-45714r1_rule",
"severity": "medium",
"title": "The IDPS must identify and respond to potential security-relevant error conditions.",
"version": "SRG-NET-000272-IDPS-00197"
},
"V-34788": {
"checkid": "C-43082r1_chk",
"checktext": "Review the error messages sent by the system. (These messages may be part of the sensor rules or may be in a message repository, depending on the product used.) \nVerify the system notifications for error messages or sensor alerts do not contain sensitive or potentially harmful information, as defined by the organization.\n\nIf sensitive or potentially harmful information, as defined by the organization, is included as part of the event sensor/audit event entries or the sensor alert messages, this is a finding.",
"description": "The extent to which the IDPS is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, these error messages must not reveal information captured in the log data that could compromise either the device or the network. Hence, the content of error messages (within the sensor and audit logs) and alerts sent to the system administrators must be carefully considered. This requirement includes device or IDPS application error conditions, as well as sensor log alerts. IDPS error messages can potentially provide a wealth of information to an attacker, such as revealing a security flaw within the IDPS implementation itself, allowing inadvertent access to or exploitation of the resource records.",
"fixid": "F-39114r1_fix",
"fixtext": "Remove sensitive or potentially harmful information, as defined by the organization, from the logged notification messages for error conditions or sensor alerts.",
"iacontrols": null,
"id": "V-34788",
"ruleID": "SV-45716r1_rule",
"severity": "medium",
"title": "The IDPS must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.",
"version": "SRG-NET-000273-IDPS-00198"
},
"V-34790": {
"checkid": "C-43098r1_chk",
"checktext": "If this is an IDS only implementation, this is not a finding. \nIf the site does not require one-way traffic enforcement, this is not applicable.\nVerify rules exist to monitor network traffic for violations of one-way traffic flow restrictions. \nVerify the unauthorized traffic is dropped.\n\nIf a rule or signature does not exist which enforces one-way traffic rules, this is a finding.",
"description": "The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. This control is applicable to IPS installations because it requires the enforcement (rather than just monitoring) of traffic flows. Information flow control regulates where information is allowed to travel within a network and between interconnected networks. This control requires the organization implement hardware mechanisms, such as the IPS, to enforce one-way traffic flows.",
"fixid": "F-39130r1_fix",
"fixtext": "Create a rule in the IPS which blocks traffic flowing in unauthorized directions on the monitored network segment.",
"iacontrols": null,
"id": "V-34790",
"ruleID": "SV-45730r1_rule",
"severity": "medium",
"title": "The IDPS must enforce organizationally defined one-way traffic flows.",
"version": "SRG-NET-000032-IDPS-00031"
},
"V-34792": {
"checkid": "C-43099r1_chk",
"checktext": "Verify security attributes are not removed during transmission of information to system components and other systems (sensors, the management console, non-local management computers, firewalls, routers, and other network elements).\n\nIf the IDPS does not support and maintain the binding of organizationally defined security attributes to information in transmission, this is a finding.",
"description": "Security attribute assignments are representations of the properties or characteristics of an entity. For the IDPS this most likely will apply to user access privileges and classification metadata associated with reports, logs, or other information stored on the components. \n\nSecurity attributes and labels should be leveraged to protect stored information, as well as information flowing to external devices. Information stored, processed, and transmitted by the IDPS include sensor event logs, local audit logs, and application files. Security attributes and labels must also be leveraged to protect communications between the IDPS components and other devices, such as sensors, the management console, non-local management computers, firewalls, routers, and other network elements. Examples of possible IDPS security attributes that may be used by the organization to implement security policy include: session or packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification; or VLAN identification.\n\nIf the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows which depend on these security attributes will not function and unauthorized subjects or entities may gain access to the information.",
"fixid": "F-39131r1_fix",
"fixtext": "Configure the IDPS management console to support and maintain the binding of organizationally defined security attributes for information being transmitted between system components and external systems.",
"iacontrols": null,
"id": "V-34792",
"ruleID": "SV-45732r1_rule",
"severity": "medium",
"title": "The IDPS must support and maintain the binding of organizationally defined security attributes to information in transmission.",
"version": "SRG-NET-000056-IDPS-00050"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-34462": "true",
"V-34463": "true",
"V-34464": "true",
"V-34465": "true",
"V-34466": "true",
"V-34467": "true",
"V-34468": "true",
"V-34469": "true",
"V-34470": "true",
"V-34471": "true",
"V-34472": "true",
"V-34473": "true",
"V-34475": "true",
"V-34476": "true",
"V-34481": "true",
"V-34482": "true",
"V-34483": "true",
"V-34484": "true",
"V-34485": "true",
"V-34486": "true",
"V-34487": "true",
"V-34488": "true",
"V-34491": "true",
"V-34492": "true",
"V-34493": "true",
"V-34494": "true",
"V-34495": "true",
"V-34496": "true",
"V-34497": "true",
"V-34498": "true",
"V-34499": "true",
"V-34500": "true",
"V-34501": "true",
"V-34502": "true",
"V-34503": "true",
"V-34504": "true",
"V-34505": "true",
"V-34506": "true",
"V-34507": "true",
"V-34508": "true",
"V-34509": "true",
"V-34510": "true",
"V-34511": "true",
"V-34514": "true",
"V-34515": "true",
"V-34516": "true",
"V-34517": "true",
"V-34518": "true",
"V-34519": "true",
"V-34520": "true",
"V-34521": "true",
"V-34522": "true",
"V-34523": "true",
"V-34524": "true",
"V-34525": "true",
"V-34526": "true",
"V-34527": "true",
"V-34528": "true",
"V-34529": "true",
"V-34530": "true",
"V-34531": "true",
"V-34532": "true",
"V-34533": "true",
"V-34534": "true",
"V-34535": "true",
"V-34536": "true",
"V-34537": "true",
"V-34538": "true",
"V-34539": "true",
"V-34540": "true",
"V-34541": "true",
"V-34542": "true",
"V-34543": "true",
"V-34544": "true",
"V-34545": "true",
"V-34546": "true",
"V-34547": "true",
"V-34548": "true",
"V-34549": "true",
"V-34550": "true",
"V-34551": "true",
"V-34552": "true",
"V-34553": "true",
"V-34554": "true",
"V-34555": "true",
"V-34556": "true",
"V-34557": "true",
"V-34558": "true",
"V-34559": "true",
"V-34560": "true",
"V-34561": "true",
"V-34562": "true",
"V-34563": "true",
"V-34564": "true",
"V-34565": "true",
"V-34566": "true",
"V-34567": "true",
"V-34568": "true",
"V-34569": "true",
"V-34570": "true",
"V-34571": "true",
"V-34572": "true",
"V-34573": "true",
"V-34574": "true",
"V-34575": "true",
"V-34576": "true",
"V-34577": "true",
"V-34578": "true",
"V-34579": "true",
"V-34580": "true",
"V-34581": "true",
"V-34582": "true",
"V-34583": "true",
"V-34584": "true",
"V-34585": "true",
"V-34586": "true",
"V-34587": "true",
"V-34588": "true",
"V-34589": "true",
"V-34591": "true",
"V-34592": "true",
"V-34593": "true",
"V-34594": "true",
"V-34595": "true",
"V-34596": "true",
"V-34597": "true",
"V-34598": "true",
"V-34599": "true",
"V-34600": "true",
"V-34601": "true",
"V-34602": "true",
"V-34603": "true",
"V-34604": "true",
"V-34605": "true",
"V-34606": "true",
"V-34607": "true",
"V-34608": "true",
"V-34609": "true",
"V-34611": "true",
"V-34612": "true",
"V-34613": "true",
"V-34614": "true",
"V-34615": "true",
"V-34616": "true",
"V-34617": "true",
"V-34618": "true",
"V-34619": "true",
"V-34620": "true",
"V-34621": "true",
"V-34622": "true",
"V-34623": "true",
"V-34624": "true",
"V-34625": "true",
"V-34626": "true",
"V-34627": "true",
"V-34628": "true",
"V-34629": "true",
"V-34630": "true",
"V-34631": "true",
"V-34632": "true",
"V-34633": "true",
"V-34634": "true",
"V-34635": "true",
"V-34636": "true",
"V-34637": "true",
"V-34638": "true",
"V-34639": "true",
"V-34640": "true",
"V-34641": "true",
"V-34642": "true",
"V-34643": "true",
"V-34644": "true",
"V-34645": "true",
"V-34646": "true",
"V-34647": "true",
"V-34648": "true",
"V-34649": "true",
"V-34650": "true",
"V-34651": "true",
"V-34652": "true",
"V-34653": "true",
"V-34654": "true",
"V-34655": "true",
"V-34656": "true",
"V-34657": "true",
"V-34658": "true",
"V-34659": "true",
"V-34660": "true",
"V-34661": "true",
"V-34662": "true",
"V-34663": "true",
"V-34664": "true",
"V-34665": "true",
"V-34666": "true",
"V-34667": "true",
"V-34668": "true",
"V-34670": "true",
"V-34671": "true",
"V-34672": "true",
"V-34673": "true",
"V-34674": "true",
"V-34675": "true",
"V-34676": "true",
"V-34677": "true",
"V-34678": "true",
"V-34679": "true",
"V-34680": "true",
"V-34681": "true",
"V-34682": "true",
"V-34683": "true",
"V-34684": "true",
"V-34685": "true",
"V-34686": "true",
"V-34687": "true",
"V-34688": "true",
"V-34689": "true",
"V-34690": "true",
"V-34691": "true",
"V-34692": "true",
"V-34693": "true",
"V-34694": "true",
"V-34695": "true",
"V-34696": "true",
"V-34697": "true",
"V-34698": "true",
"V-34699": "true",
"V-34700": "true",
"V-34701": "true",
"V-34702": "true",
"V-34703": "true",
"V-34704": "true",
"V-34705": "true",
"V-34706": "true",
"V-34707": "true",
"V-34708": "true",
"V-34709": "true",
"V-34710": "true",
"V-34711": "true",
"V-34712": "true",
"V-34713": "true",
"V-34714": "true",
"V-34715": "true",
"V-34716": "true",
"V-34717": "true",
"V-34718": "true",
"V-34719": "true",
"V-34720": "true",
"V-34721": "true",
"V-34722": "true",
"V-34723": "true",
"V-34724": "true",
"V-34725": "true",
"V-34726": "true",
"V-34727": "true",
"V-34728": "true",
"V-34729": "true",
"V-34730": "true",
"V-34731": "true",
"V-34732": "true",
"V-34733": "true",
"V-34734": "true",
"V-34735": "true",
"V-34736": "true",
"V-34737": "true",
"V-34738": "true",
"V-34739": "true",
"V-34740": "true",
"V-34741": "true",
"V-34742": "true",
"V-34743": "true",
"V-34744": "true",
"V-34745": "true",
"V-34746": "true",
"V-34747": "true",
"V-34748": "true",
"V-34749": "true",
"V-34750": "true",
"V-34751": "true",
"V-34752": "true",
"V-34753": "true",
"V-34754": "true",
"V-34755": "true",
"V-34756": "true",
"V-34757": "true",
"V-34758": "true",
"V-34759": "true",
"V-34760": "true",
"V-34761": "true",
"V-34762": "true",
"V-34763": "true",
"V-34764": "true",
"V-34765": "true",
"V-34766": "true",
"V-34767": "true",
"V-34768": "true",
"V-34769": "true",
"V-34770": "true",
"V-34771": "true",
"V-34772": "true",
"V-34773": "true",
"V-34774": "true",
"V-34775": "true",
"V-34776": "true",
"V-34777": "true",
"V-34778": "true",
"V-34779": "true",
"V-34780": "true",
"V-34781": "true",
"V-34782": "true",
"V-34783": "true",
"V-34784": "true",
"V-34785": "true",
"V-34786": "true",
"V-34787": "true",
"V-34788": "true",
"V-34790": "true",
"V-34792": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "intrusion_detection_and_prevention_systems_idps_security_requirements_guide",
"title": "Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide",
"version": "1"
}
}