STIGQter STIGQter: STIG Summary: Network Device Management Security Requirements Guide

Version: 3

Release: 2 Benchmark Date: 24 Jan 2020

CheckedNameTitle
SV-69273r2_ruleThe network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
SV-69275r1_ruleThe network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
SV-69277r1_ruleThe network device must initiate a session lock after a 15-minute period of inactivity.
SV-69279r2_ruleThe application or console being used to administer a network device must provide the capability for network administrators to directly initiate a session lock.
SV-69281r1_ruleThe network device must retain the session lock until the administrator reestablishes access using established identification and authentication procedures.
SV-69289r1_ruleThe network device must automatically audit account creation.
SV-69291r1_ruleThe network device must automatically audit account modification.
SV-69293r1_ruleThe network device must automatically audit account disabling actions.
SV-69295r1_ruleThe network device must automatically audit account removal actions.
SV-69297r2_ruleThe network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
SV-69299r1_ruleThe network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
SV-69301r2_ruleThe network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
SV-69303r1_ruleThe network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
SV-69305r2_ruleThe network device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
SV-69313r1_ruleThe network device must audit the execution of privileged functions.
SV-69319r1_ruleThe network device must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
SV-69321r1_ruleThe network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SV-69325r1_ruleThe network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
SV-69331r1_ruleThe network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
SV-69335r2_ruleThe network device must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
SV-69337r1_ruleThe network device must generate audit records when successful/unsuccessful attempts to access privileges occur.
SV-69339r1_ruleThe network device must initiate session auditing upon startup.
SV-69341r1_ruleThe network device must produce audit log records containing sufficient information to establish what type of event occurred.
SV-69343r1_ruleThe network device must produce audit records containing information to establish when (date and time) the events occurred.
SV-69345r1_ruleThe network device must produce audit records containing information to establish where the events occurred.
SV-69347r3_ruleThe network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services
SV-69355r2_ruleThe network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
SV-69357r1_ruleThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
SV-69361r1_ruleThe network device must enforce a minimum 15-character password length.
SV-69365r2_ruleThe network device must enforce password complexity by requiring that at least one upper-case character be used.
SV-69367r2_ruleThe network device must enforce password complexity by requiring that at least one lower-case character be used.
SV-69369r2_ruleThe network device must enforce password complexity by requiring that at least one numeric character be used.
SV-69371r2_ruleThe network device must enforce password complexity by requiring that at least one special character be used.
SV-69373r3_ruleThe network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
SV-69375r1_ruleThe network device must produce audit log records containing information to establish the source of events.
SV-69377r3_ruleThe network device must only store cryptographic representations of passwords.
SV-69379r2_ruleThe network device must transmit only encrypted representations of passwords.
SV-69383r1_ruleThe network device must produce audit records that contain information to establish the outcome of the event.
SV-69389r1_ruleThe network device must generate audit records containing information that establishes the identity of any individual or process associated with the event.
SV-69393r1_ruleThe network device must generate audit records containing the full-text recording of privileged commands.
SV-69395r2_ruleThe network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SV-69399r4_ruleThe network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
SV-69401r1_ruleThe network device must terminate all sessions and network connections when nonlocal device maintenance is completed.
SV-69403r2_ruleThe network device must shut down by default upon audit failure (unless availability is an overriding concern).
SV-69405r2_ruleThe network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SV-69407r1_ruleThe network device must invalidate session identifiers upon administrator logout or other session termination.
SV-69409r1_ruleThe network device must recognize only system-generated session identifiers.
SV-69411r1_ruleThe network device must use internal system clocks to generate time stamps for audit records.
SV-69413r1_ruleThe network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
SV-69417r3_ruleThe network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
SV-69419r1_ruleThe network device must protect audit information from unauthorized modification.
SV-69425r1_ruleThe network device must protect audit information from unauthorized deletion.
SV-69429r1_ruleThe network device must protect audit tools from unauthorized access.
SV-69437r1_ruleThe network device must protect audit tools from unauthorized modification.
SV-69443r1_ruleNetwork devices must provide a logout capability for administrator-initiated communication sessions.
SV-69445r2_ruleThe network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
SV-69447r1_ruleThe network device must terminate shared/group account credentials when members leave the group.
SV-69449r1_ruleThe network device must automatically audit account enabling actions.
SV-69451r1_ruleThe network device must protect audit tools from unauthorized deletion.
SV-69455r1_ruleThe network device must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-69461r1_ruleIf the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
SV-69463r1_ruleIf the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
SV-69465r1_ruleThe network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
SV-69467r2_ruleThe network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SV-69477r2_ruleThe network device must be configured to synchronize internal information system clocks using redundant authoritative time sources.
SV-69479r1_ruleThe network device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-69481r1_ruleThe network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
SV-69485r1_ruleThe network device must prohibit installation of software without explicit privileged status.
SV-69489r1_ruleThe network device must enforce access restrictions associated with changes to device configuration.
SV-69491r1_ruleThe network device must audit the enforcement actions used to restrict access associated with changes to the device.
SV-69501r3_ruleThe Cisco router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
SV-69507r1_ruleThe network device must prohibit the use of cached authenticators after an organization-defined time period.
SV-69509r1_ruleNetwork devices performing maintenance functions must restrict use of these functions to authorized personnel only.
SV-69511r3_ruleThe network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
SV-69513r3_ruleThe network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions
SV-69515r2_ruleThe network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
SV-69517r1_ruleIf the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.
SV-69519r1_ruleThe network device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
SV-69521r1_ruleThe network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
SV-69523r1_ruleThe network device must generate audit records when successful/unsuccessful logon attempts occur.
SV-69525r1_ruleThe network device must generate audit records for privileged activities or other system-level access.
SV-69527r1_ruleThe network device must generate audit records showing starting and ending time for administrator access to the system.
SV-69529r1_ruleThe network device must generate audit records when concurrent logons from different workstations occur.
SV-69533r1_ruleThe network device must off-load audit records onto a different system or media than the system being audited.
SV-69541r3_ruleThe network device must generate log records for a locally developed list of auditable events
SV-69543r1_ruleThe network device must enforce access restrictions associated with changes to the system components.
SV-69545r5_ruleThe network device must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
SV-69553r2_ruleThe network device must be configured to to conduct backups of system level information contained in the information system when changes occur.
SV-69555r1_ruleThe network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
SV-69559r1_ruleThe network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
SV-69561r1_ruleThe network device must limit privileges to change the software resident within software libraries.
SV-78487r1_ruleThe network device must not have any default manufacturer passwords when deployed.
SV-78491r3_ruleThe network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
SV-83339r2_ruleThe network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.
SV-108121r1_ruleThe network device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
SV-108123r1_ruleThe network device must be running an operating system release that is currently supported by the vendor.