STIGQter: STIG Summary: ISEC7 EMM Suite v6.x Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 23 Aug 2019

| Name | Title |
|---|---|
| SV-106373r1_rule | ISEC7 EMM Suite must disable or delete local account created during application installation and configuration. |
| SV-106375r1_rule | The ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication. |
| SV-106377r1_rule | The ISEC7 EMM Suite must configure the timeout for the console to be 15 minutes or less. |
| SV-106379r1_rule | The ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys. |
| SV-106381r1_rule | The Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm. |
| SV-106383r1_rule | All Web applications included with Apache Tomcat that are not required must be removed. |
| SV-106385r1_rule | LockOutRealm must not be removed from Apache Tomcat. |
| SV-106387r1_rule | The LockOutRealm must be configured with a login failure count of 3. |
| SV-106389r1_rule | The LockOutRealm must be configured with a login lockout time of 15 minutes. |
| SV-106391r1_rule | The ISEC7 EMM Suite must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat. |
| SV-106393r1_rule | The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file. |
| SV-106395r1_rule | Stack tracing must be disabled in Apache Tomcat. |
| SV-106397r1_rule | The Apache Tomcat shutdown port must be disabled. |
| SV-106399r1_rule | The ISEC7 EMM Suite must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat. |
| SV-106401r1_rule | A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager). |
| SV-106403r1_rule | SSL must be enabled on Apache Tomcat. |
| SV-106405r1_rule | Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks. |
| SV-106407r1_rule | The ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. |
| SV-106489r1_rule | The ISEC7 EMM Suite must initiate a session lock after a 15-minute period of inactivity. |
| SV-106491r1_rule | The ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. |
| SV-106493r1_rule | The ISEC7 EMM Suite must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the ISEC7 EMM Suite. |
| SV-106495r1_rule | The ISEC7 EMM Suite server must be configured to have at least one user in the following Administrator roles: Security Administrator, Site Administrator, Help Desk User. |
| SV-106497r1_rule | The ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
| SV-106499r1_rule | When using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| SV-106501r1_rule | The ISEC7 EMM Suite must accept Personal Identity Verification (PIV) credentials. |
| SV-106503r1_rule | Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 EMM Suite must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device. |
| SV-106505r1_rule | The ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
| SV-106507r1_rule | The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). |
| SV-106509r1_rule | The ISEC7 EMM Suite must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. |
| SV-106511r1_rule | The ISEC7 EMM Suite must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 EMM Suite components, and off-load audit records onto a different system or media than the system being audited. |
| SV-106513r1_rule | The ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms. |
| SV-106515r1_rule | If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. |
| SV-106517r1_rule | The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures. |
| SV-106519r1_rule | The Manager Web app password must be configured as follows: 15 or more characters, at least one lower case letter, at least one upper case letter, at least one number, at least one special character. |