The operating system must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33278 | SRG-OS-000267-NA | SV-43697r1_rule | Medium |
| Description |
|---|
| This is a requirement that maintenance needs to be done on a separate interface or encrypted channel to segment maintenance activity from regular usage. When performing non-local maintenance, there is a possibility of the session being monitored and replayed to gain unauthorized access into a system. Rationale for non-applicability: Authentication requirements for device connections and software updates provide adequate IA in this context. The existence of out of band connections is not particularly meaningful in the context of a wireless communications device where all wireless interfaces share the same medium of the electromagnetic spectrum. Management of the mobile device does not occur over a separate physical or virtual network. If management sessions are authenticated and protected by cryptography, separating the session into a separate virtual network is unnecessary. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41575r1_chk ) |
|---|
| This requirement is NA for the Mobile OS SRG. |
| Fix Text (F-37208r1_fix) |
|---|
| The requirement is NA. No fix is required. |