STIGQter: STIG Summary: Bromium Secure Platform 4.x Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 10 May 2018

| Name | Title |
| --- | --- |
| SV-95127r1_rule | The Bromium Enterprise Controller (BEC) must set the number of concurrent sessions to 1. |
| SV-95129r1_rule | The Bromium Enterprise Controller (BEC) lockout_delay_base in the settings.json file must be set to a minimum of 10 and the lockout_delay_scale must be set to 1 at a minimum. |
| SV-95131r1_rule | The Bromium Enterprise Controller (BEC) must be configured for authorized system administrators to capture and log content related to a Bromium vSentry client. |
| SV-95133r1_rule | The Bromium Enterprise Controller (BEC) must generate a log record that can be sent to the central log server, which will alert the system administrator (SA) and Information System Security Officer (ISSO), at a minimum, when a Bromium vSentry client has not connected to the BEC for logging or policy update purposes for an organization-defined time period. |
| SV-95135r1_rule | The Bromium Enterprise Controller (BEC) must protect the BEC Web Console from unauthorized access. |
| SV-95137r1_rule | The Bromium Enterprise Controller (BEC) must protect BEC Web console from unauthorized modification. |
| SV-95139r1_rule | The Bromium Enterprise Controller (BEC) must remove all local Bromium accounts after setup is complete and use the account recovery procedures to recover the local account if network access using the Bromium Account of Last Resort is required. |
| SV-95141r1_rule | The Bromium vSentry client must automatically terminate a micro-virtual machine (VM) when any malicious activities are detected within the micro-VM. |
| SV-95143r1_rule | The Bromium vSentry client must automatically capture and forward payloads (Malware Manifest) that were downloaded and determined to be malicious to the management console. |
| SV-95145r1_rule | The Bromium Enterprise Controller (BEC) must be configured to immediately disconnect or disable remote access to the BEC. |
| SV-95147r1_rule | The Bromium Enterprise Controller (BEC) must change the password for the Account of Last Resort when an individual with knowledge of the password leaves the group. |
| SV-95149r1_rule | The Bromium Enterprise Controller (BEC) must be configured so that organization-identified administrator roles have permission to change, based on selectable criteria, the types of Bromium vSentry client events that are captured in the events log and stored in the SQL database with immediate effect. |
| SV-95151r1_rule | The Bromium Enterprise Controller (BEC) must be configured to permit only authorized users to remotely view, in real time (within seconds of event occurring), all content related to an established Bromium vSentry client session. |
| SV-95153r1_rule | The Bromium Enterprise Controller (BEC) must send log records to a central log server (i.e., syslog server). |
| SV-95155r1_rule | The Bromium Enterprise Controller (BEC) must send history.log records to a central log server (i.e., syslog server). |
| SV-95157r1_rule | The Bromium Enterprise Controller (BEC) must manage log record storage capacity so history.log does not exceed physical drive space capacity allocated by the database administrator (DBA) and system administrator. |
| SV-95159r1_rule | The Bromium Enterprise Controller (BEC) must generate a log record that can be sent to the central log server, which will alert the system administrator (SA) and Information System Security Officer (ISSO), at a minimum, when it is unable to connect to the SQL database. |
| SV-95161r1_rule | The Bromium Enterprise Controller (BEC) must be configured to provide report generation that supports on-demand reporting requirements for threat events. |
| SV-95163r1_rule | The Bromium Enterprise Controller (BEC) must be configured to provide report generation that supports after-the-fact investigations of security incidents. |
| SV-95165r1_rule | The Bromium vSentry client must prohibit user installation of software except for clients that are explicitly approved by the ISSM or other authorizing official. |
| SV-95167r1_rule | The Bromium Enterprise Controller (BEC) Update Interval must be set to a maximum of one hour. |
| SV-95169r1_rule | If the Host Based Security System (HBSS) is not installed to monitor the Bromium Enterprise Controller (BEC) application, processes, and registry settings, the Bromium Protection agent must be installed on the BEC server. |
| SV-95171r1_rule | The Bromium vSentry client must include exceptions for HBSS to ensure interoperability and protect from attacks on critical files, applications, processes, registry settings, and attempts at executing unauthorized code in memory. |
| SV-95173r1_rule | The Bromium Enterprise Controller (BEC) must have the base policy Logging Level set to Debug. |
| SV-95175r1_rule | The Bromium monitoring module installed on the Bromium Enterprise Controller (BEC) or Bromium vSentry must generate an event and forward to the central log server when anomalies in the operation of security functions of the BEC or Bromium vSentry application are discovered. |
| SV-95187r1_rule | The Bromium Enterprise Controller (BEC) must forward an event to the central log server when isolation is disabled on any protected Bromium vSentry client. |
| SV-95189r1_rule | The Bromium Enterprise Controller (BEC) must be configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements. |
| SV-95191r1_rule | The Bromium Enterprise Controller (BEC) must have Threat Intelligence lookup disabled. |