STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide

Version: 1

Release: 2

Benchmark Date: 28 Apr 2017

Checked | Name | Title
  | SV-85907r1_rule | The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
  | SV-85909r1_rule | The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  | SV-85911r1_rule | The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  | SV-85913r1_rule | The CA API Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
  | SV-85915r1_rule | The CA API Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
  | SV-85917r1_rule | The CA API Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
  | SV-85919r1_rule | The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions.
  | SV-85923r1_rule | The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
  | SV-85931r1_rule | The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
  | SV-85939r1_rule | The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
  | SV-85949r2_rule | The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
  | SV-85953r1_rule | The CA API Gateway must produce audit records containing information to establish the source of the events.
  | SV-85957r1_rule | The CA API Gateway must produce audit records containing information to establish the outcome of the events.
  | SV-85959r1_rule | The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event.
  | SV-85961r1_rule | The CA API Gateway must protect audit information from unauthorized read access.
  | SV-85963r1_rule | The CA API Gateway must protect audit information from unauthorized deletion.
  | SV-85965r1_rule | The CA API Gateway must protect audit tools from unauthorized access.
  | SV-85967r1_rule | The CA API Gateway must not have unnecessary services and functions enabled.
  | SV-85969r1_rule | The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services.
  | SV-85971r1_rule | The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
  | SV-85973r1_rule | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  | SV-85975r1_rule | The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges.
  | SV-85977r1_rule | The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
  | SV-85979r1_rule | The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
  | SV-85981r1_rule | The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
  | SV-85983r1_rule | The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
  | SV-85985r1_rule | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  | SV-85987r1_rule | The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
  | SV-85989r1_rule | The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity.
  | SV-85991r1_rule | The CA API Gateway must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
  | SV-85993r1_rule | The CA API Gateway must protect the authenticity of communications sessions.
  | SV-85995r1_rule | The CA API Gateway must invalidate session identifiers upon user logout or other session termination.
  | SV-85997r1_rule | The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
  | SV-85999r1_rule | The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
  | SV-86001r1_rule | The CA API Gateway providing content filtering must be configured to perform real-time scans of files from external sources at network entry/exit points as they are downloaded and prior to being opened or executed.
  | SV-86003r1_rule | The CA API Gateway providing content filtering must block malicious code upon detection.
  | SV-86005r1_rule | The CA API Gateway providing content filtering must delete or quarantine malicious code in response to malicious code detection.
  | SV-86007r1_rule | The CA API Gateway providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.
  | SV-86009r1_rule | The CA API Gateway providing content filtering must automatically update malicious code protection mechanisms.
  | SV-86011r1_rule | The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
  | SV-86013r1_rule | The CA API Gateway providing content filtering must block or restrict detected prohibited mobile code.
  | SV-86015r1_rule | The CA API Gateway providing content filtering must prevent the download of prohibited mobile code.
  | SV-86017r1_rule | The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods.
  | SV-86019r1_rule | To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  | SV-86021r1_rule | To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  | SV-86023r1_rule | To protect against data mining, the CA API Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  | SV-86045r1_rule | To protect against data mining, the CA API Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  | SV-86047r1_rule | To protect against data mining, the CA API Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  | SV-86049r1_rule | To protect against data mining, the CA API Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  | SV-86051r1_rule | The CA API Gateway must off-load audit records onto a centralized log server.
  | SV-86053r1_rule | The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
  | SV-86055r1_rule | The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  | SV-86057r1_rule | The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  | SV-86059r1_rule | The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period.
  | SV-86061r1_rule | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  | SV-86063r1_rule | The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.
  | SV-86065r1_rule | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
  | SV-86067r1_rule | The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
  | SV-86069r1_rule | The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
  | SV-86071r1_rule | The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
  | SV-86073r1_rule | The CA API Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
  | SV-86075r1_rule | The CA API Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
  | SV-86077r1_rule | The CA API Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
  | SV-86079r1_rule | The CA API Gateway providing content filtering must generate a notification on the console when root-level intrusion events that attempt to provide unauthorized privileged access are detected.
  | SV-86081r1_rule | The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user-level intrusions that provide non-privileged access are detected.
  | SV-86083r1_rule | The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when Denial of Service (DoS) incidents are detected.
  | SV-86085r1_rule | The ALG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
  | SV-86087r1_rule | The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords.
  | SV-86089r1_rule | The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.
  | SV-86091r1_rule | The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA.
  | SV-86093r1_rule | The CA API Gateway providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur.
  | SV-86095r1_rule | The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.
  | SV-86097r1_rule | The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
  | SV-86099r1_rule | The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
  | SV-86101r1_rule | The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
  | SV-86103r1_rule | The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
  | SV-86105r1_rule | The CA API Gateway providing user access control intermediary services must automatically terminate a user session when organization-defined conditions or trigger events that require a session disconnect occur.
  | SV-86107r1_rule | The CA API Gateway providing user access control intermediary services must provide a logoff capability for user-initiated communications sessions.
  | SV-86109r1_rule | The CA API Gateway providing user access control intermediary services must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
  | SV-86111r1_rule | The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
  | SV-86113r1_rule | The CA API Gateway must off-load audit records onto a centralized log server in real time.