
The IDPS must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.


Overview

Finding ID: V-34608
Version: SRG-NET-000121-IDPS-00088
Rule ID: SV-45476r1_rule
IA Controls: (none)
Severity: Medium
Description
Changes to any software component of the IDPS can have significant effects on the overall security of the network. Verifying the authenticity of software before installation validates the integrity of the patch or upgrade received from the vendor: it confirms that the software has not been tampered with and that it came from a trusted vendor. Software must be obtained from a trusted patch server rather than directly from the vendor; once the patch server has verified it, the IDPS sensors do not have to verify it again. Self-signed certificates are disallowed by this control. This control does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved source.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42825r2_chk)
If verification of the applications and updates is performed on a centralized patch server, this is not a finding.

Verify the IDPS components are configured to prevent the installation of software updates or applications which are not signed by an organizationally approved private key.

If the IDPS does not prevent the installation of organizationally defined critical applications and updates not digitally signed with an organizationally approved private key, this is a finding.
Fix Text (F-38873r1_fix)
Obtain software updates from an approved, trusted patch server.
Configure the IDPS components to check for a digital signature on software programs when installation is attempted, and allow only organizationally approved digital signatures.
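As an added illustration of the gate this requirement describes (not part of the SRG, and not any vendor's IDPS or patch-server code), the following Go program models the decision a patch server or sensor makes before installing a package: it refuses anything unsigned, anything signed by a key outside an organizationally approved set (a vendor's or attacker's self-generated key included), and anything whose payload no longer matches its signature. The names AuthorizeInstall, ApprovedSigners and SignPackage, the constructed firmware payload, and the use of Ed25519 with a fingerprint allowlist in place of a certificate chain rooted at an approved CA are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SoftwarePackage is a constructed stand-in for a patch or upgrade image as it
// arrives at the patch server: payload, detached signature, and the public key
// the sender claims signed it.
type SoftwarePackage struct {
	Name      string
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// ApprovedSigners is the organization's approved key set, indexed by the hex
// SHA-256 fingerprint of each public key. Only keys listed here may authorize an install.
type ApprovedSigners map[string]ed25519.PublicKey

var (
	ErrUnsigned      = errors.New("package is unsigned")
	ErrUnapprovedKey = errors.New("signer key is not organizationally approved")
	ErrBadSignature  = errors.New("signature does not verify over payload")
)

// Fingerprint identifies a public key so the allowlist can be consulted without
// trusting the key bytes that travelled with the package.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// AuthorizeInstall is the gate applied before installation (hypothetical name).
func AuthorizeInstall(pkg SoftwarePackage, approved ApprovedSigners) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	// Verify against the organization's own copy of the key, looked up by
	// fingerprint; the key shipped with the package is never trusted directly.
	trusted, ok := approved[Fingerprint(pkg.SignerKey)]
	if !ok || !trusted.Equal(pkg.SignerKey) {
		return ErrUnapprovedKey
	}
	if !ed25519.Verify(trusted, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignPackage is the release-side step: sign the payload with a private key and
// attach the matching public key.
func SignPackage(name string, payload []byte, priv ed25519.PrivateKey) SoftwarePackage {
	return SoftwarePackage{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// Scenario runs the gate over four constructed packages and returns each verdict:
// properly signed, unsigned, signed with an unapproved (self-generated) key, and
// signed with the approved key but modified after signing.
func Scenario() map[string]error {
	orgPub, orgPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // key nobody approved
	if err != nil {
		panic(err)
	}
	approved := ApprovedSigners{Fingerprint(orgPub): orgPub}

	// Constructed payload standing in for a sensor firmware image.
	payload := []byte("idps-sensor-firmware-2.4.1 (constructed sample payload)")

	good := SignPackage("good", payload, orgPriv)
	unsigned := SoftwarePackage{Name: "unsigned", Payload: payload}
	selfSigned := SignPackage("self-signed", payload, roguePriv)
	tampered := SignPackage("tampered", payload, orgPriv)
	tampered.Payload = append([]byte(nil), payload...)
	tampered.Payload[0] ^= 0xff // flip one bit after signing

	return map[string]error{
		good.Name:       AuthorizeInstall(good, approved),
		unsigned.Name:   AuthorizeInstall(unsigned, approved),
		selfSigned.Name: AuthorizeInstall(selfSigned, approved),
		tampered.Name:   AuthorizeInstall(tampered, approved),
	}
}

func main() {
	results := Scenario()
	for _, name := range []string{"good", "unsigned", "self-signed", "tampered"} {
		verdict := "install permitted"
		if err := results[name]; err != nil {
			verdict = "install refused: " + err.Error()
		}
		fmt.Printf("%-12s %s\n", name, verdict)
	}
}
```

Only the "good" package passes. The "self-signed" case is refused because the decision consults the organization's allowlist rather than the key carried by the package, which is what makes a vendor-generated or attacker-generated key useless even when its signature is mathematically valid. In the deployment this requirement describes, the allowlist and the check live on the centralized patch server, so the sensors receive only packages that have already passed this gate.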