
The IDPS must support and maintain the binding of organizationally defined security attributes to information in storage.


Overview

Finding ID: V-34521
Version: SRG-NET-000054-IDPS-00048
Rule ID: SV-45363r1_rule
IA Controls:
Severity: Medium

Description
Security attribute assignments (e.g., metadata, classification, subject categories, nationality, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. Typically, the security attributes used for data stored on the management console or sensors are not granular. The sensors are configured to send data to a management console using IP addresses or other network identifiers. While the data is in storage on the sensors, the system will limit user access based on assigned user account permissions. If the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows that depend on these security attributes will not function, and unauthorized subjects or entities may gain access to the information. This requirement applies to the event log files and IDPS application files stored on the IDPS management console and sensors.

STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42711r1_chk)
Ask the site representative if all individuals with an account on the IDPS have the same rights to files on the management console and sensors.
If rights to files are assigned per user, then verify the IDPS supports this requirement.
If the capability to view the permissions for the event log files, application software, and sensor logs is available, then verify the permissions are set to allow only authorized users.

If there is an organizationally defined requirement for granular security attributes, but this capability does not exist or is not implemented, this is a finding.
Fix Text (F-38759r1_fix)
Configure the management console and sensors to restrict access to the sensor logs to users and entities based on access privileges.