STIGQter STIGQter: STIG Summary: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide

Version: 2

Release: 5 Benchmark Date: 25 Oct 2019

CheckedNameTitle
SV-45260r2_ruleThe IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.
SV-45262r2_ruleThe IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
SV-45382r2_ruleThe IDPS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description.
SV-45383r2_ruleThe IDPS must produce audit records containing information to establish when (date and time) the events occurred.
SV-45384r2_ruleThe IDPS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and IDPS component which detected the event.
SV-45385r2_ruleThe IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
SV-45386r2_ruleThe IDPS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic.
SV-45397r2_ruleIn the event of a logging failure caused by the lack of audit record storage capacity, the IDPS must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
SV-45458r2_ruleThe IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.
SV-45500r2_ruleThe IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application.
SV-45593r2_ruleThe IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
SV-45652r2_ruleThe IDPS must block any prohibited mobile code at the enclave boundary when it is detected.
SV-45659r3_ruleThe IDPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation.
SV-45660r2_ruleIn the event of a failure of the IDPS function, the IDPS must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
SV-45683r2_ruleThe IDPS must verify the integrity of updates obtained directly from the vendor.
SV-45686r2_ruleThe IDPS must block malicious code.
SV-45716r2_ruleThe IDPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
SV-69563r1_ruleThe IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.
SV-69565r1_ruleThe IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
SV-69567r2_ruleThe IDPS must provide audit record generation with a configurable severity and escalation level capability.
SV-69569r1_ruleIDPS must support centralized management and configuration of the content captured in audit records generated by all IDPS components.
SV-69571r1_ruleThe IDPS must off-load log records to a centralized log server.
SV-69573r1_ruleThe IDPS must off-load log records to a centralized log server in real-time.
SV-69575r1_ruleThe IDPS must assign a critical severity level to all audit processing failures.
SV-69577r3_ruleThe IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur.
SV-69579r1_ruleIn the event of a logging failure, caused by loss of communications with the central logging server, the IDPS must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.
SV-69581r1_ruleThe IDPS must provide log information in a format that can be extracted and used by centralized analysis tools.
SV-69583r1_ruleThe IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
SV-69585r1_ruleThe IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server).
SV-69587r1_ruleThe IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-69589r1_ruleThe IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
SV-69591r1_ruleThe IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
SV-69593r2_ruleThe IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection.
SV-69595r1_ruleThe IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
SV-69597r1_ruleThe IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.
SV-69601r1_ruleThe IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules.
SV-69603r1_ruleThe IDPS must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.
SV-69605r1_ruleThe IDPS must perform real-time monitoring of files from external sources at network entry/exit points.
SV-69607r1_ruleThe IDPS must quarantine and/or delete malicious code.
SV-69609r2_ruleThe IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected.
SV-69611r1_ruleIDPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.
SV-69621r2_ruleThe IDPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum.
SV-69623r1_ruleThe IDPS must generate a log record when unauthorized network services are detected.
SV-69625r3_ruleThe IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected.
SV-69627r1_ruleThe IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.
SV-69629r1_ruleThe IDPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
SV-69631r3_ruleThe IDSP must send an alert to, at a minimum, the ISSM and ISSO when intrusion detection events are detected which indicate a compromise or potential for compromise.
SV-69633r3_ruleThe IDPS must send an alert to, at a minimum, the ISSM and ISSO when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise.
SV-69635r3_ruleThe IDPS must generate an alert to, at a minimum, the ISSM and ISSO when root level intrusion events which provide unauthorized privileged access are detected.
SV-69637r3_ruleThe IDPS must send an alert to, at a minimum, the ISSM and ISSO when user level intrusions which provide non-privileged access are detected.
SV-69639r3_ruleThe IDPS must send an alert to, at a minimum, the ISSM and ISSO when denial of service incidents are detected.
SV-69641r2_ruleThe IDPS must generate an alert to, at a minimum, the ISSM and ISSO when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
SV-69643r1_ruleTo protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
SV-69645r1_ruleTo protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
SV-69647r1_ruleTo protect against unauthorized data mining, the IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
SV-69649r1_ruleTo protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
SV-69653r1_ruleTo protect against unauthorized data mining, the IDPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
SV-69655r1_ruleTo protect against unauthorized data mining, the IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
SV-69841r2_ruleThe IDPS must fail securely in the event of an operational failure.
SV-69843r2_ruleThe IDPS must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.