Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide


Overview

Date: 2020-06-12
Finding Count: 59 (CAT I (High): 0; CAT II (Med): 59; CAT III (Low): 0)
STIG Description
The IDPS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-55345 Medium The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
V-55389 Medium The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when root level intrusion events which provide unauthorized privileged access are detected.
V-55383 Medium The IDPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
V-34555 Medium In the event of a logging failure caused by the lack of audit record storage capacity, the IDPS must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
V-55387 Medium The IDPS must send an alert to, at a minimum, the ISSM and ISSO when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise.
V-55385 Medium The IDPS must send an alert to, at a minimum, the ISSM and ISSO when intrusion detection events are detected which indicate a compromise or potential for compromise.
V-55337 Medium The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
V-34750 Medium In the event of a failure of the IDPS function, the IDPS must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
V-34759 Medium The IDPS must verify the integrity of updates obtained directly from the vendor.
V-55379 Medium The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected.
V-34594 Medium The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.
V-55377 Medium The IDPS must generate a log record when unauthorized network services are detected.
V-55339 Medium The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server).
V-55317 Medium The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.
V-55319 Medium The IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
V-55331 Medium The IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur.
V-55597 Medium The IDPS must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.
V-55335 Medium The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools.
V-34788 Medium The IDPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
V-55359 Medium The IDPS must perform real-time monitoring of files from external sources at network entry/exit points.
V-55355 Medium The IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules.
V-55357 Medium The IDPS must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.
V-55381 Medium The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.
V-55397 Medium To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-34625 Medium The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application.
V-55399 Medium To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-34707 Medium The IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
V-34544 Medium The IDPS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic.
V-55391 Medium The IDPS must send an alert to, at a minimum, the ISSM and ISSO when user level intrusions which provide non-privileged access are detected.
V-55393 Medium The IDPS must send an alert to, at a minimum, the ISSM and ISSO when denial of service incidents are detected.
V-34540 Medium The IDPS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description.
V-55395 Medium The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
V-34542 Medium The IDPS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and IDPS component which detected the event.
V-34541 Medium The IDPS must produce audit records containing information to establish when (date and time) the events occurred.
V-55347 Medium The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection.
V-55375 Medium The IDPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum.
V-34485 Medium The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-34484 Medium The IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.
V-34762 Medium The IDPS must block malicious code.
V-34749 Medium The IDPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation.
V-34543 Medium The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
V-34743 Medium The IDPS must block any prohibited mobile code at the enclave boundary when it is detected.
V-55329 Medium The IDPS must assign a critical severity level to all audit processing failures.
V-55325 Medium The IDPS must off-load log records to a centralized log server.
V-55343 Medium The IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
V-55327 Medium The IDPS must off-load log records to a centralized log server in real-time.
V-55321 Medium The IDPS must provide audit record generation with a configurable severity and escalation level capability.
V-55323 Medium IDPS must support centralized management and configuration of the content captured in audit records generated by all IDPS components.
V-55351 Medium The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.
V-55409 Medium To protect against unauthorized data mining, the IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-55349 Medium The IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
V-55333 Medium In the event of a logging failure, caused by loss of communications with the central logging server, the IDPS must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.
V-55361 Medium The IDPS must quarantine and/or delete malicious code.
V-55363 Medium The IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected.
V-55407 Medium To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-55365 Medium IDPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.
V-55401 Medium To protect against unauthorized data mining, the IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-55341 Medium The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-55403 Medium To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.