{
"stig": {
"date": "2020-02-04",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-99567": {
"checkid": "C-98417r1_chk",
"checktext": "Validate the Jamf Pro EMM server has been configured to not accept a certificate if the certificate cannot be validated.\n\n1. Open the Jamf Pro EMM console.\n2. Open \"Settings\".\n3. Select \"User-Initiated Enrollment\".\n4. Under the General tab, verify \"Use a third-party signing certificate\" is selected.\n5. Verify the name and certificate extension of the DoD p12 certificate is listed.\n\nIf the Jamf Pro EMM server has not been configured to not accept a certificate if the certificate cannot be validated, this is a finding.",
"description": "When a Jamf Pro EMM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks.\n\nSFR ID: FIA_X509_EXT.2.2",
"fixid": "F-105251r1_fix",
"fixtext": "Configure the Jamf Pro EMM server to not accept a certificate if the certificate cannot be validated.\n\n1. Open the Jamf Pro EMM console.\n2. Open \"Settings\".\n3. Select \"User-Initiated Enrollment\".\n4. Under the General tab, select \"Use a third-party signing certificate\".\n5. Drag and drop the DoD p12 certificate.\n6. Click \"Save\".",
"iacontrols": null,
"id": "V-99567",
"ruleID": "SV-108671r1_rule",
"severity": "medium",
"title": "When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.",
"version": "JAMF-10-000040"
},
"V-99569": {
"checkid": "C-98419r1_chk",
"checktext": "Verify device enrollment restrictions are set up to limit enrollment by iOS device.\n\n1. Open Jamf Pro admin interface.\n2. Select \"Devices\".\n3. Select \"Smart Device Groups\".\n4. Select desired device group.\n5. Verify approved model numbers are listed.\n\nIf device enrollment restrictions are not set up, this is a finding.",
"description": "Good configuration management of a mobile device is a key capability for maintaining the mobile device\u2019s security baseline. Restricting network access to only authorized devices is a key configuration management attribute. Device type is a key way to specify mobile devices that can be adequately secured.\n\nSFR ID: FMT_SMF.1.1(2) b, FIA_ENR_EXT.1.2",
"fixid": "F-105253r1_fix",
"fixtext": "Build a Smart Device Group that matches DoD requirements and ensure said groups are within the exclusions of Configuration Profiles, Mobile Device Apps, etc.\n\n1. Open Jamf Pro admin interface.\n2. Select \"Devices\".\n3. Select \"Smart Device Groups\".\n4. Select \"New\".\n5. Enter a name for the group.\n6. Select \"Criteria\".\n7. Select \"Add\" to add new Model, Model Identifier, or Model Number.\n8. Continue to add all models that satisfy this requirement.\n9. Select \"Save\".\n\nAdd this Smart Device Group to any Configuration Profile or Mobile Device App as an Exception Scope.",
"iacontrols": null,
"id": "V-99569",
"ruleID": "SV-108673r1_rule",
"severity": "medium",
"title": "The Jamf Pro EMM server must configure the MDM Agent/platform to enable the DoD required device enrollment restrictions allowed for enrollment [specific device model].",
"version": "JAMF-10-000440"
},
"V-99571": {
"checkid": "C-98421r1_chk",
"checktext": "Verify the Jamf Pro EMM server or platform is configured to initiate a session lock after a 15-minute period of inactivity.\n\nReview the variable in the Jamf Pro web.xml file.\n\nOn the Jamf Pro host server, open the web.xml file:\n\nIf using macOS, the web.xml file is located at the following filepath:\n/Library/JSS/Tomcat/webapps/ROOT/WEB-INF/\n\nIf using Windows, the web.xml file is located at the following filepath:\nC:\\Program Files\\JSS\\Tomcat\\webapps\\ROOT\\WEB-INF\\\n\nIf using Linux, the web.xml file is located at the following filepath:\n/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/\n\nLocate the following setting:\n
\"\"Place DoD warning banner first line here\"\"
\n\"\"place second (or next) line here\"\"
\n\n\nRestart Tomcat for changes to take effect.",
"iacontrols": null,
"id": "V-99577",
"ruleID": "SV-108681r1_rule",
"severity": "low",
"title": "The Jamf Pro EMM server must be configured to display the required DoD warning banner upon administrator logon.\n\nNote: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).",
"version": "JAMF-10-000550"
},
"V-99579": {
"checkid": "C-98429r1_chk",
"checktext": "Administrator and Audit level permission groups are configured by default within Jamf Pro server.\n\nVerify the additional group permissions by:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"Jamf Pro User Accounts and Groups\".\n4. Verify each required group has been created with the appropriate privilege set.\n\nJamf Pro EMM server will have the appropriate group level permissions available for applying to individual user accounts or AD groups.\n\nIf required administrator roles have not been set up on the server, this is a finding.",
"description": "Having several administrative roles for the Jamf Pro EMM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.\n\n- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.\n- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.\n- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.\n- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.\n\nSFR ID: FMT_SMR.1.1(1)",
"fixid": "F-105263r1_fix",
"fixtext": "Administrator and Audit level permission groups are configured by default within Jamf Pro server.\n\nConfigure the additional group permissions by:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"Jamf Pro User Accounts and Groups\".\n4. Select \"New\".\n5. Select \"Create Standard Group\", click \"Next\".\n6. Fill out all the necessary information for creating the group including the privilege set.\n7. Click \"Save\".\n8. Repeat for each group of permissions that are needed.\n\nOnce completed, Jamf Pro EMM server will have the appropriate group level permissions available for applying to individual user accounts or AD groups.",
"iacontrols": null,
"id": "V-99579",
"ruleID": "SV-108683r1_rule",
"severity": "medium",
"title": "The Jamf Pro EMM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.",
"version": "JAMF-10-000610"
},
"V-99581": {
"checkid": "C-98431r1_chk",
"checktext": "Interview the site ISSM.\n\nDetermine if the site has connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication.\n\n- If YES, verify the AGS implementation has been reviewed using the Application Layer Gateway SRG. Verify the Jamf Pro EMM server is configured to connect to the AGS:\n1. Go to the server console.\n2. Open \"Settings\".\n3. Select \"SSO\" (Single Sign-on).\n4. Verify Single Sign-on Authentication is enabled and connection to the AGS using SAML-based protocol is set up.\n\n- If NO, verify strong password controls for the administrator local accounts are in place. (Verified by JAMF-10-100700 to JAMF-10-100820.)\n\nIf Jamf Pro EMM is not connected to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or has not been configured to use strong password controls for the administrator local accounts, this is a finding.",
"description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Jamf Pro EMM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Jamf Pro EMM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FIA",
"fixid": "F-105265r1_fix",
"fixtext": "Implement one of the following options:\n\nOption #1. Connect Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication. Note: Jamf requires AGS to support SAML.\n\n- Set up AGS / IdAM environment.\n- Connect the Jamf Pro EMM to the AGS:\n1. Open \"Settings\".\n2. Select \"SSO\" (Single Sign-on).\n3. Select \"Edit\".\n4. Enable Single Sign-on Authentication.\n5. Complete the appropriate settings to connect Jamf Pro EMM to the AGS using SAML-based protocol.\n6. Click \"Save\".\n\nNote: If Option #1 is used, requirements JAMF-10-100700 to JAMF-10-10820 are Not Applicable and requirement JAMF-10-200040 is Applicable - Configurable.\n\nOption #2. Implement strong password policy for admin local accounts. Configure the server password policy (JAMF-10-100700 to JAMF-10-10820).\n\nNote: If Option #2 is used, requirement JAMF-10-200040 is Not Applicable.",
"iacontrols": null,
"id": "V-99581",
"ruleID": "SV-108685r1_rule",
"severity": "medium",
"title": "The Jamf Pro EMM server must be configured to leverage the MDM platform user accounts and groups for Jamf Pro EMM server user identification and CAC authentication.",
"version": "JAMF-10-000670"
},
"V-99583": {
"checkid": "C-98433r1_chk",
"checktext": "Interview the site ISSM.\n\nDetermine if the site has connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication.\n\n- If YES, verify the AGS implementation has been reviewed using the Application Layer Gateway SRG. Verify the Jamf Pro EMM server is configured to connect to the AGS:\n1. Go to the server console.\n2. Open \"Settings\".\n3. Select \"SSO\" (Single Sign-on).\n4. Verify Single Sign-on Authentication is enabled and connection to the AGS using SAML-based protocol is set up.\n\n- If NO, verify strong password controls for the administrator local accounts are in place. (Verified by JAMF-10-100700 to JAMF-10-100820.)\n\nIf Jamf Pro EMM is not connected to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication or has not been configured to use strong password controls for the administrator local accounts, this is a finding.",
"description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Jamf Pro EMM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Jamf Pro EMM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FIA",
"fixid": "F-105267r1_fix",
"fixtext": "Implement one of the following options:\n\nOption #1. Connect Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication. Note: Jamf requires AGS to support SAML.\n\n- Set up AGS/IdAM environment.\n- Connect the Jamf Pro EMM to the AGS:\n1. Open \"Settings\".\n2. Select \"SSO\" (Single Sign-on).\n3. Select \"Edit\".\n4. Enable Single Sign-on Authentication.\n5. Complete the appropriate settings to connect Jamf Pro EMM to the AGS using SAML-based protocol.\n6. Click \"Save\".\n\nNote: If Option #1 is used, requirements JAMF-10-100700 to JAMF-10-10820 are Not Applicable and requirement JAMF-10-200040 is Applicable - Configurable.\n\nOption #2. Implement strong password policy for admin local accounts. Configure the server password policy (JAMF-10-100700 to JAMF-10-10820).\n\nNote: If Option #2 is used, requirement JAMF-10-200040 is Not Applicable.",
"iacontrols": null,
"id": "V-99583",
"ruleID": "SV-108687r1_rule",
"severity": "medium",
"title": "Authentication of Jamf Pro EMM server accounts must be configured so they are implemented either via an Authentication Gateway Service (AGS) which connects to the site DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or via strong password controls for the administrator local accounts.",
"version": "JAMF-10-000685"
},
"V-99585": {
"checkid": "C-98435r1_chk",
"checktext": "Review the Jamf Pro EMM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address.\n\nIf there is not a host-based firewall present on the Jamf Pro EMM server platform, this is a finding.",
"description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7b\n\nSatisfies: SRG-APP-000142",
"fixid": "F-105269r1_fix",
"fixtext": "Install a DoD-approved firewall on the Jamf Pro EMM server.",
"iacontrols": null,
"id": "V-99585",
"ruleID": "SV-108689r1_rule",
"severity": "medium",
"title": "The Jamf Pro EMM server platform must be protected by a DoD-approved firewall.",
"version": "JAMF-10-200010"
},
"V-99587": {
"checkid": "C-98437r1_chk",
"checktext": "Ask the Jamf Pro EMM server administrator for a list of ports, protocols, and IP address ranges necessary to support Jamf Pro EMM server and platform functionality. A list can usually be found in the STIG Supplemental document or Jamf Pro EMM product documentation.\n\nCompare the list against the configuration of the firewall and identify discrepancies.\n\nIf the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.",
"description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since the MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7b\n\nSatisfies: SRG-APP-000142",
"fixid": "F-105271r1_fix",
"fixtext": "Configure the firewall on the Jamf Pro EMM server to only permit ports, protocols, and IP address ranges necessary for operation.",
"iacontrols": null,
"id": "V-99587",
"ruleID": "SV-108691r1_rule",
"severity": "medium",
"title": "The firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions.",
"version": "JAMF-10-200020"
},
"V-99589": {
"checkid": "C-98439r1_chk",
"checktext": "Ask the Jamf Pro EMM server administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the Jamf Pro EMM server or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list.\n\nIf any allowed ports, protocols, and services on the Jamf Pro EMM server host-based firewall are not included on the DoD PPSM CAL list, this is a finding.",
"description": "All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7b\n\nSatisfies: SRG-APP-000142",
"fixid": "F-105273r1_fix",
"fixtext": "Turn off any ports, protocols, and services on the Jamf Pro EMM server host-based firewall that are not on the DoD PPSM CAL list.",
"iacontrols": null,
"id": "V-99589",
"ruleID": "SV-108693r1_rule",
"severity": "medium",
"title": "The firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).",
"version": "JAMF-10-200030"
},
"V-99591": {
"checkid": "C-98441r2_chk",
"checktext": "Talk to the site Administrator to confirm the AGS has been configured to connect to the Jamf Pro EMM server using the TLS connection or confirm during a review of the AGS.\n\nIf the AGS has not been configured to connect to the Jamf Pro EMM server using a TLS connection, this is a finding.",
"description": "Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered.\n\nThis requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec.\n\nCommunication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nSFR ID: FMT_SMF.1.1(2) b / SC-8, SC-8 (1), SC-8 (2)\n\nSatisfies: SRG-APP-000439, SRG-APP-000440",
"fixid": "F-105275r2_fix",
"fixtext": "Confirm the Administrator has configured the AGS to connect to the Jamf Pro EMM server using the TLS connection.",
"iacontrols": null,
"id": "V-99591",
"ruleID": "SV-108695r1_rule",
"severity": "medium",
"title": "The Jamf Pro EMM server must connect to [Authentication Gateway Service (AGS)] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.",
"version": "JAMF-10-200065"
},
"V-99593": {
"checkid": "C-98443r2_chk",
"checktext": "Verify all local accounts on the Jamf Pro EMM server have been disabled. Note: the server service account is not disabled.\n\n1. Log in to the Jamf Pro EMM console.\n2. Open \"Settings\".\n3. Verify all Jamf Pro User Accounts & Groups have been disabled.\n\nIf all local accounts on the Jamf Pro EMM server have not been disabled, this is a finding.",
"description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Jamf Pro EMM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Jamf Pro EMM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FMT_SMF.1.1(2) b / IA-5(1)(a)\n\nSatisfies: SRG-APP-000148",
"fixid": "F-105277r2_fix",
"fixtext": "Disable all local accounts on the Jamf Pro EMM server with the following procedure. Note: The server service account should not be disabled.\n\n1. Open \"Settings\".\n2. Select \"Jamf Pro User Accounts & Groups\".\n3. Select the user/accounts that need to be disabled.\n4. Upon selection, click on the \"Edit\" button.\n5. Change the \"Access Status\" to \"Disabled\".\n6. Click \"Save\".\n7. Repeat steps 3-6 for all local accounts.",
"iacontrols": null,
"id": "V-99593",
"ruleID": "SV-108697r1_rule",
"severity": "medium",
"title": "All Jamf Pro EMM server local accounts created during application installation and configuration must be disabled.",
"version": "JAMF-10-200040"
},
"V-99597": {
"checkid": "C-98447r1_chk",
"checktext": "Verify the installed version of Jamf Pro EMM is currently supported.\n\nOn the Jamf Pro console do the following to determine the version number of the server:\n1. Log in to the console.\n2. View the version number listed in the upper left corner.\n\nList of current supported versions:\nv10.18 (End of Support Date: TBD)\nv10.17 (TBD)\nv10.16 (TBD)\nv10.15 (TBD)\nv10.14 (TBD)\nv10.13.1 (TBD)\n\nIf the displayed Jamf Pro server version is not currently supported or is not a newer version than on the list above, this is a finding.",
"description": "The MDM/EMM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nSFR ID: FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2",
"fixid": "F-105281r1_fix",
"fixtext": "Update the Jamf Pro EMM to a supported version (see list below) or newer version.\nv10.18 (End of Support Date: TBD)\nv10.17 (TBD)\nv10.16 (TBD)\nv10.15 (TBD)\nv10.14 (TBD)\nv10.13.1 (TBD)",
"iacontrols": null,
"id": "V-99597",
"ruleID": "SV-108701r1_rule",
"severity": "high",
"title": "Jamf Pro EMM must be maintained at a supported version.",
"version": "JAMF-10-000700"
},
"V-99599": {
"checkid": "C-98449r1_chk",
"checktext": "Verify the mysql_secure_installation has been installed on the Jamf host server.\n\n1. Log in to MySQL. Execute the \"show databases;\" command.\n- Verify that the database named \"Test\" is not shown in the output of the command.\n\n2. Verify the root account has a string representing the password and not a blank value.\n- select * from mysql.user;\n\n3. Verify the anonymous users have been removed and verify the user field contains a user name.\n- select * from mysql.user;\n\nAll three steps must be correct to indicate mysql_secure_installation has been executed.\n\nIf the mysql_secure_installation has not been installed on the Jamf host server, this is a finding.",
"description": "The mysql_secure_installation configuration of MySQL adds several important configuration settings that block several attack vectors. The MySQL application could be exploited by an adversary without mysql_secure_installation.\n\nSFR ID: FMT_SMF.1(2)b. / CM-7(1)(b)\n\nSatisfies: SRG-APP-000383",
"fixid": "F-105283r1_fix",
"fixtext": "Install the mysql_secure_installation.\n\n1. Install MySQL.\n2. Using the Jamf Pro Security Recommendations document, go to the path based on the host operating system and execute the appropriate mysql_secure_installation script.",
"iacontrols": null,
"id": "V-99599",
"ruleID": "SV-108703r1_rule",
"severity": "medium",
"title": "The default mysql_secure_installation must be installed.",
"version": "JAMF-10-100060"
},
"V-99601": {
"checkid": "C-98451r1_chk",
"checktext": "Verify a unique database name and a unique MySQL user with a secure password have been created for use in Jamf Pro EMM.\n\n1. Execute the show databases command.\n- Ensure at least one database name other than the default databases exists. The default databases are:\ninformation_schema\nmysql\nperformance_schema\nsys\n\n2. Verify there is a unique MySQL user.\n- In MySQL, run select * from mysql.user;\n- Look for a user that is not Root or one of the other MySQL service accounts.\n\nBoth of these steps must be correct.\n\nIf a unique database name and a unique MySQL user with a secure password have not been created, this is a finding.",
"description": "If the default MySQL database name and password are not changed, an adversary could gain unauthorized access to the application, which could lead to the compromise of sensitive DoD data.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5(1)(c)\n\nSatisfies: SRG-APP-000171",
"fixid": "F-105285r1_fix",
"fixtext": "Create a unique database name and a unique MySQL user with a secure password. The procedure is found in the following Jamf Knowledge Base article:\n\nhttps://www.jamf.com/jamf-nation/articles/542/title",
"iacontrols": null,
"id": "V-99601",
"ruleID": "SV-108705r1_rule",
"severity": "medium",
"title": "A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.",
"version": "JAMF-10-100080"
},
"V-99603": {
"checkid": "C-98453r1_chk",
"checktext": "Verify separate MySQL user accounts with limited privileges have been created within Jamf Pro EMM.\n\nIn MySQL, execute the following command:\nshow grants for username@localhost;\n\nVerify the privileges match what is in the Jamf Knowledge Base article.\n\nIf separate MySQL user accounts with limited privileges have not been created within Jamf Pro EMM, this is a finding.",
"description": "If separate MySQL accounts with limited privileges are not created, an adversary could gain unauthorized access to the application or gain access to unauthorized features, which could lead to the compromise of sensitive DoD data.\n\nSFR ID: FMT_SMF.1(2)b. / CM-6 b\n\nSatisfies: SRG-APP-000516",
"fixid": "F-105287r1_fix",
"fixtext": "Create separate MySQL user accounts with limited privileges within Jamf Pro EMM.\n\nThe procedures for creating user accounts and assigning account privileges are found in the following Jamf Knowledge Base articles:\n\nMySQL 8.0: https://dev.mysql.com/doc/refman/8.0/en/creating-accounts.html\nMySQL 5.7: https://dev.mysql.com/doc/refman/5.7/en/creating-accounts.html\n\nFollowing is a list of MySQL privileges that are required for different types of environments:\n- For a standalone web application or the master node in clustered environments:\nINSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES\n\n- For a child node in clustered environments:\nINSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES\n\n- To view connections from cluster nodes with different MySQL users:\nPROCESS\n\nNote: The \"PROCESS\" privilege requires the use of \"*.*\".",
"iacontrols": null,
"id": "V-99603",
"ruleID": "SV-108707r1_rule",
"severity": "medium",
"title": "Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM.",
"version": "JAMF-10-100100"
},
"V-99605": {
"checkid": "C-98455r1_chk",
"checktext": "Verify MySQL database backups have been scheduled in Jamf Pro EMM.\n\n1. Open \"Jamf Server Tools\".\n2. Click \"Scheduled Backups\" in the sidebar.\n3. Verify backups are scheduled.\n\nIf MySQL database backups have not been scheduled in Jamf Pro EMM, this is a finding.",
"description": "Database backups are a recognized best practice to protect against key data loss and possible adverse impacts to the mission of the organization.\n\nSFR ID: FMT_SMF.1(2)b. / CM-6 b\n\nSatisfies: SRG-APP-000516",
"fixid": "F-105289r1_fix",
"fixtext": "Schedule MySQL database backups in Jamf Pro EMM.\n\nThe procedure is found in the following Jamf Knowledge Base article:\n\nhttps://www.jamf.com/jamf-nation/articles/579/title",
"iacontrols": null,
"id": "V-99605",
"ruleID": "SV-108709r1_rule",
"severity": "medium",
"title": "MySQL database backups must be scheduled in Jamf Pro EMM.",
"version": "JAMF-10-100110"
},
"V-99607": {
"checkid": "C-98457r1_chk",
"checktext": "Verify the MySQL