STIGQter: STIG Summary: DBN-6300 NDM Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 12 Sep 2017

Name | Title
SV-79465r1_rule | The DBN-6300 must provide automated support for account management functions.
SV-79473r1_rule | The DBN-6300 must automatically audit account creation.
SV-79475r1_rule | The DBN-6300 must automatically audit account modification.
SV-79477r1_rule | The DBN-6300 must be compliant with at least one IETF Internet standard authentication protocol.
SV-79479r1_rule | The DBN-6300 must automatically audit account removal actions.
SV-79481r1_rule | The DBN-6300 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
SV-79483r1_rule | The DBN-6300 must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
SV-79485r1_rule | The DBN-6300 must generate audit log events for a locally developed list of auditable events.
SV-79487r1_rule | The DBN-6300 must provide audit record generation capability for DoD-defined auditable events within the DBN-6300.
SV-91623r1_rule | The DBN-6300 must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the audit log.
SV-91625r1_rule | The DBN-6300 must generate log records when successful attempts to access privileges occur.
SV-91627r1_rule | The DBN-6300 must initiate session auditing upon startup.
SV-91629r1_rule | The DBN-6300 must produce audit log records containing sufficient information to establish what type of event occurred.
SV-91631r1_rule | The DBN-6300 must produce audit records containing information to establish when (date and time) the events occurred.
SV-91633r1_rule | The DBN-6300 must produce audit records containing information to establish where the events occurred.
SV-91635r1_rule | The DBN-6300 must produce audit log records containing information to establish the source of events.
SV-91637r1_rule | The DBN-6300 must produce audit records that contain information to establish the outcome of the event.
SV-91639r1_rule | The DBN-6300 must generate audit records containing information that establishes the identity of any individual or process associated with the event.
SV-91641r1_rule | The DBN-6300 must generate audit records containing the full-text recording of privileged commands.
SV-91643r1_rule | The DBN-6300 must use internal system clocks to generate time stamps for audit records.
SV-91645r1_rule | The DBN-6300 must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-91647r1_rule | The DBN-6300 must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
SV-91649r1_rule | The DBN-6300 must use multifactor authentication for network access (remote and nonlocal) to privileged accounts.
SV-91651r1_rule | The DBN-6300 must use multifactor authentication for local access to privileged accounts.
SV-91653r1_rule | The DBN-6300 must implement replay-resistant authentication mechanisms for network access to privileged accounts.
SV-91655r1_rule | The DBN-6300 must enforce a minimum 15-character password length.
SV-91657r1_rule | The DBN-6300 must prohibit password reuse for a minimum of five generations.
SV-91659r1_rule | If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one upper-case character be used.
SV-91661r1_rule | If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one lower-case character be used.
SV-91663r1_rule | If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one numeric character be used.
SV-91665r1_rule | If multifactor authentication is not supported and passwords must be used, the DBN-6300 must enforce password complexity by requiring that at least one special character be used.
SV-91667r1_rule | The DBN-6300 must enforce 24 hours/1 day as the minimum password lifetime.
SV-91669r1_rule | The DBN-6300 must enforce a 60-day maximum password lifetime restriction.
SV-91671r1_rule | The DBN-6300 must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SV-91673r1_rule | The DBN-6300 must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
SV-91675r1_rule | The DBN-6300 must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
SV-91677r1_rule | The DBN-6300 must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
SV-91679r1_rule | The DBN-6300 must automatically audit account enabling actions.
SV-91681r1_rule | The DBN-6300 must audit the execution of privileged functions.
SV-91683r1_rule | The DBN-6300 must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near real time.
SV-91685r1_rule | The DBN-6300 must compare internal information system clocks at least every 24 hours with an authoritative time server.
SV-91687r1_rule | The DBN-6300 must synchronize its internal system clock to the NTP server when the time difference is greater than one second.
SV-91689r1_rule | The DBN-6300 must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
SV-91691r1_rule | The DBN-6300 must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
SV-91693r1_rule | The DBN-6300 must audit the enforcement actions used to restrict access associated with changes to the device.
SV-91695r1_rule | Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
SV-91697r1_rule | Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
SV-91699r1_rule | The DBN-6300 must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
SV-91701r1_rule | The DBN-6300 must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
SV-91703r1_rule | The DBN-6300 must generate audit records when successful/unsuccessful logon attempts occur.
SV-91705r1_rule | The DBN-6300 must generate audit records for privileged activities or other system-level access.
SV-91707r1_rule | The DBN-6300 must generate audit records showing starting and ending time for administrator access to the system.
SV-91709r1_rule | The DBN-6300 must generate audit records when concurrent logons from different workstations occur.
SV-91711r1_rule | The DBN-6300 must generate audit records for all account creation, modification, disabling, and termination events.
SV-91713r1_rule | The DBN-6300 must off-load audit records onto a different system or media than the system being audited.
SV-91715r1_rule | The DBN-6300 must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
SV-91717r1_rule | Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.
SV-91719r1_rule | The DBN-6300 must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
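Several of the audit rules above (SV-91629 through SV-91639, plus the UTC and one-second time stamp rules SV-91689 and SV-91691) together define what every forwarded record must contain: what happened, when, where, from what source, with what outcome, and by whom. The script below is an added example, not part of the STIG or of any DB Networks tooling, showing how a reviewer could run those content checks over records received at the syslog server (SV-91715). The RFC 5424-style line layout with a `[evt ...]` structured-data block, the key names `type`, `src`, `user`, `outcome`, and the sample lines themselves are all assumptions constructed for the example; a real DBN-6300 may emit a different format, so the regexes would need to be adapted.

```python
"""Check forwarded audit records for the content elements the DBN-6300 NDM
STIG requires. Added illustrative example; the record layout, field names and
sample lines are assumptions, not captured from a real appliance."""
import re
from datetime import datetime, timezone

# Constructed sample records (not real device output).
SAMPLE_RECORDS = [
    '<86>1 2017-09-12T14:03:11Z dbn6300-01 auth - - [evt type="logon" src="10.0.0.25" user="jsmith" outcome="success"] Administrator logon',
    '<86>1 2017-09-12T14:07:40+00:00 dbn6300-01 auth - - [evt type="logon" src="10.0.0.99" user="root" outcome="failure"] Invalid password',
    '<86>1 2017-09-12T14:09:02Z dbn6300-01 acct - - [evt type="account_create" src="10.0.0.25" user="jsmith" outcome="success"] Created account tjones',
    # No identity and no outcome: violates SV-91637 / SV-91639.
    '<86>1 2017-09-12T14:10:00Z dbn6300-01 acct - - [evt type="account_delete" src="10.0.0.25"] Deleted account tjones',
    # No UTC offset on the stamp: cannot be mapped to UTC (SV-91689).
    '<86>1 2017-09-12T14:11:00 dbn6300-01 cfg - - [evt type="priv_cmd" src="10.0.0.25" user="jsmith" outcome="success"] configure terminal',
]

# Assumed layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [evt k="v" ...] MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ '
    r'\[evt (?P<sd>[^\]]*)\] (?P<msg>.*)$'
)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# STIG content element -> assumed structured-data key carrying it.
REQUIRED = {
    "what (event type)": "type",
    "source": "src",
    "identity": "user",
    "outcome": "outcome",
}


def parse_record(line):
    """Split one syslog line into header fields and the evt key/value pairs."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(PARAM_RE.findall(m.group("sd")))
    return {"ts": m.group("ts"), "host": m.group("host"),
            "app": m.group("app"), "fields": fields, "msg": m.group("msg")}


def utc_timestamp(ts):
    """Return the stamp as an aware UTC datetime, or None when it lacks
    seconds (SV-91691) or a UTC offset (SV-91689)."""
    if not re.search(r"T\d{2}:\d{2}:\d{2}", ts):
        return None
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        return None
    return dt.astimezone(timezone.utc)


def check_record(line):
    """Return the STIG content elements missing from one record
    (an empty list means the record carries everything required)."""
    rec = parse_record(line)
    if rec is None:
        return ["unparseable record"]
    missing = []
    if utc_timestamp(rec["ts"]) is None:
        missing.append("when (UTC-mappable timestamp)")
    if not rec["host"] or rec["host"] == "-":
        missing.append("where (host)")
    for label, key in REQUIRED.items():
        if not rec["fields"].get(key):
            missing.append(label)
    return missing


def audit_report(lines):
    """Map record index -> list of missing elements for a batch of lines."""
    return {i: check_record(line) for i, line in enumerate(lines)}


if __name__ == "__main__":
    for idx, problems in audit_report(SAMPLE_RECORDS).items():
        print(idx, "OK" if not problems else "MISSING: " + ", ".join(problems))
```

Running it flags record 3 for missing identity and outcome and record 4 for a time stamp that cannot be mapped to UTC; the first three records pass. The "where" check only looks at the syslog HOSTNAME field, which is the minimum the rule asks for; a stricter deployment would also cross-check that hostname against the list of appliances expected to forward to that collector.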