STIGQter STIGQter: STIG Summary: HP FlexFabric Switch NDM Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 25 Oct 2019

CheckedNameTitle
SV-80453r1_ruleThe HP FlexFabric Switch must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
SV-80631r1_ruleThe HP FlexFabric Switch must automatically disable accounts after a 35-day period of account inactivity.
SV-80633r1_ruleThe HP FlexFabric Switch must automatically audit account creation.
SV-80635r1_ruleThe HP FlexFabric Switch must automatically audit account modification.
SV-80637r1_ruleThe HP FlexFabric Switch must automatically audit account disabling actions.
SV-80639r1_ruleThe HP FlexFabric Switch must automatically audit account removal actions.
SV-80641r1_ruleThe HP FlexFabric Switch must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
SV-80643r1_ruleThe HP FlexFabric Switch must enforce approved authorizations for controlling the flow of management information within the HP FlexFabric Switch based on information flow control policies.
SV-80645r1_ruleThe HP FlexFabric Switch must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
SV-80647r1_ruleThe HP FlexFabric Switch must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
SV-80649r1_ruleThe HP FlexFabric Switch must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
SV-80651r1_ruleUpon successful logon, the HP FlexFabric Switch must notify the administrator of the date and time of the last logon.
SV-80653r1_ruleUpon successful logon, the HP FlexFabric Switch must notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
SV-80655r1_ruleThe HP FlexFabric Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
SV-80657r1_ruleThe HP FlexFabric Switch must provide audit record generation capability for DoD-defined auditable events within the HP FlexFabric Switch.
SV-80659r1_ruleThe HP FlexFabric Switch must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
SV-80661r1_ruleThe HP FlexFabric Switch must generate audit records when successful/unsuccessful attempts to access privileges occur.
SV-80663r1_ruleThe HP FlexFabric Switch must initiate session auditing upon startup.
SV-80665r1_ruleThe HP FlexFabric Switch must produce audit log records containing sufficient information to establish what type of event occurred.
SV-80667r1_ruleThe HP FlexFabric Switch must produce audit records containing information to establish when (date and time) the events occurred.
SV-80669r1_ruleThe HP FlexFabric Switch must produce audit records containing information to establish where the events occurred.
SV-80671r1_ruleThe HP FlexFabric Switch must produce audit log records containing information to establish the source of events.
SV-80673r1_ruleThe HP FlexFabric Switch must produce audit records that contain information to establish the outcome of the event.
SV-80675r1_ruleThe HP FlexFabric Switch must generate audit records containing information that establishes the identity of any individual or process associated with the event.
SV-80677r1_ruleThe HP FlexFabric Switch must generate audit records containing the full-text recording of privileged commands.
SV-80679r1_ruleThe HP FlexFabric Switch must use internal system clocks to generate time stamps for audit records.
SV-80681r1_ruleThe HP FlexFabric Switch must protect audit information from any type of unauthorized read access.
SV-80683r1_ruleThe HP FlexFabric Switch must protect audit information from unauthorized modification.
SV-80685r1_ruleThe HP FlexFabric Switch must protect audit information from unauthorized deletion.
SV-80687r1_ruleThe HP FlexFabric Switch must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-80689r1_ruleThe HP FlexFabric Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-80691r1_ruleThe HP FlexFabric Switch must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
SV-80693r1_ruleThe HP FlexFabric Switch must enforce a minimum 15-character password length.
SV-80695r1_ruleThe HP FlexFabric Switch must prohibit password reuse for a minimum of five generations.
SV-80697r1_ruleIf multifactor authentication is not supported and passwords must be used, the HP FlexFabric Switch must enforce password complexity by requiring that at least one upper-case character be used.
SV-80699r1_ruleIf multifactor authentication is not supported and passwords must be used, the HP FlexFabric Switch must enforce password complexity by requiring that at least one lower-case character be used.
SV-80701r1_ruleIf multifactor authentication is not supported and passwords must be used, the HP FlexFabric Switch must enforce password complexity by requiring that at least one numeric character be used.
SV-80703r1_ruleIf multifactor authentication is not supported and passwords must be used, the HP FlexFabric Switch must enforce password complexity by requiring that at least one special character be used.
SV-80705r1_ruleThe HP FlexFabric Switch must enforce 24 hours/1 day as the minimum password lifetime.
SV-80707r1_ruleThe HP FlexFabric Switch must enforce a 60-day maximum password lifetime restriction.
SV-80709r1_ruleThe HP FlexFabric Switch, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-80711r1_ruleThe HP FlexFabric Switch must map the authenticated identity to the user account for PKI-based authentication.
SV-80713r1_ruleThe HP FlexFabric Switch must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SV-80715r1_ruleNetwork devices must provide a logoff capability for administrator-initiated communication sessions.
SV-80717r1_ruleThe HP FlexFabric Switch must automatically audit account enabling actions.
SV-80719r1_ruleThe HP FlexFabric Switch must generate an immediate alert for account enabling actions.
SV-80721r1_ruleIf the HP FlexFabric Switch uses discretionary access control, the HP FlexFabric Switch must enforce organization-defined discretionary access control policies over defined subjects and objects.
SV-80723r1_ruleIf the HP FlexFabric Switch uses role-based access control, the HP FlexFabric Switch must enforce organization-defined role-based access control policies over defined subjects and objects.
SV-80725r1_ruleThe HP FlexFabric Switch must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
SV-80727r1_ruleThe HP FlexFabric Switch must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
SV-80729r1_ruleThe HP FlexFabric Switch must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
SV-80731r2_ruleThe HP FlexFabric Switch must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SV-80733r1_ruleThe HP FlexFabric Switch must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
SV-80735r1_ruleThe HP FlexFabric Switch must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
SV-80737r1_ruleThe HP FlexFabric Switch must compare internal information system clocks at least every 24 hours with an authoritative time server.
SV-80739r1_ruleThe HP FlexFabric Switch must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
SV-80741r1_ruleThe HP FlexFabric Switch must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
SV-80743r1_ruleThe HP FlexFabric Switch must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-80745r1_ruleThe HP FlexFabric Switch must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
SV-80747r1_ruleThe HP FlexFabric Switch must allow the use of a temporary password for system logons with an immediate change to a permanent password.
SV-80749r1_ruleApplications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
SV-80751r1_ruleApplications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
SV-80753r1_ruleThe HP FlexFabric Switch must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the HP FlexFabric Switch management network by employing organization-defined security safeguards.
SV-80755r1_ruleIf the HP FlexFabric Switch uses mandatory access control, the HP FlexFabric Switch must enforce organization-defined mandatory access control policies over all subjects and objects.
SV-80757r1_ruleThe HP FlexFabric Switch must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
SV-80759r1_ruleThe HP FlexFabric Switch must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
SV-80761r1_ruleThe HP FlexFabric Switch must generate audit records when successful/unsuccessful logon attempts occur.
SV-80763r1_ruleThe HP FlexFabric Switch must generate audit records for privileged activities or other system-level access.
SV-80765r1_ruleThe HP FlexFabric Switch must generate audit records showing starting and ending time for administrator access to the system.
SV-80767r1_ruleThe HP FlexFabric Switch must generate audit records when concurrent logons from different workstations occur.
SV-80769r1_ruleThe HP FlexFabric Switch must generate audit records for all account creations, modifications, disabling, and termination events.
SV-80771r1_ruleThe HP FlexFabric Switch must off-load audit records onto a different system or media than the system being audited.
SV-80773r1_ruleThe HP FlexFabric Switch must notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
SV-80775r1_ruleThe HP FlexFabric Switch must generate audit log events for a locally developed list of auditable events.
SV-80777r1_ruleThe HP FlexFabric Switch must enforce access restrictions associated with changes to the system components.
SV-80779r1_ruleThe HP FlexFabric Switch must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
SV-80781r1_ruleThe HP FlexFabric Switch must employ automated mechanisms to assist in the tracking of security incidents.
SV-80783r1_ruleThe HP FlexFabric Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
SV-80785r1_ruleThe HP FlexFabric Switch must have a local account that will only be used as an account of last resort with full access to the network device.
SV-80787r1_ruleThe HP FlexFabric switch must be configured to utilize an authentication server for the purpose of authenticating privilege users, managing accounts, and to centrally verify authentication settings and Personal Identity Verification (PIV) credentials.
SV-80789r1_ruleThe HP FlexFabric switch must be configured to send log data to a syslog server for the purpose of forwarding alerts to the administrators and the ISSO.
SV-80791r1_ruleThe HP FlexFabric switch must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.