STIGQter: STIG Summary: A10 Networks ADC NDM Security Technical Implementation Guide

Version: 1
Release: 1
Benchmark Date: 15 Apr 2016

Name             Title
SV-82521r1_rule  The A10 Networks ADC must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
SV-82523r1_rule  The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
SV-82525r1_rule  The A10 Networks ADC must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
SV-82527r1_rule  The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
SV-82529r1_rule  The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events.
SV-82531r1_rule  The A10 Networks ADC must have command auditing enabled.
SV-82533r1_rule  The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-82535r1_rule  The A10 Networks ADC must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-82537r1_rule  The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
SV-82539r1_rule  The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
SV-82541r1_rule  The A10 Networks ADC must not use the default admin account.
SV-82543r1_rule  The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
SV-82545r1_rule  The A10 Networks ADC must prohibit the use of unencrypted protocols for network access to privileged accounts.
SV-82547r1_rule  The A10 Networks ADC must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SV-82549r1_rule  The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
SV-82551r1_rule  The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.
SV-82553r1_rule  The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.
SV-82555r1_rule  The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
SV-82557r1_rule  The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are removed.
SV-82559r1_rule  When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, the password for the emergency administration account must be changed.
SV-82561r1_rule  The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
SV-82563r1_rule  The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
SV-82565r1_rule  The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.
SV-82567r1_rule  The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
SV-82569r1_rule  The A10 Networks ADC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
SV-82571r1_rule  The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
SV-82573r1_rule  The A10 Networks ADC must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-82575r1_rule  The A10 Networks ADC must authenticate Network Time Protocol sources.
SV-82577r1_rule  Operators of the A10 Networks ADC must not use the Telnet client built into the device.
SV-82579r1_rule  The A10 Networks ADC must not use SNMP Versions 1 or 2.
SV-82581r1_rule  The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited.
SV-82583r1_rule  The A10 Networks ADC must not use the default enable password.
SV-82585r1_rule  The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
SV-82587r1_rule  The A10 Networks ADC must restrict management connections to the management network.
SV-82589r1_rule  The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
SV-82591r1_rule  The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
SV-82593r1_rule  The A10 Networks ADC must employ centrally managed authentication server(s).