STIGQter: STIG Summary: Riverbed SteelHead CX v8 NDM Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 30 Nov 2015

| Name | Title |
| --- | --- |
| SV-77279r1_rule | Riverbed Optimization System (RiOS) must provide automated support for account management functions. |
| SV-77325r1_rule | Riverbed Optimization System (RiOS) must terminate local shared/group account credentials, such as the Admin account is used, when members who know the account password leave the group. |
| SV-77327r1_rule | Riverbed Optimization System (RiOS) must disable the local Shark and Monitor accounts so they cannot be used as shared accounts by users. |
| SV-77329r1_rule | Riverbed Optimization System (RiOS) must automatically generate a log event for account creation events. |
| SV-77331r1_rule | Riverbed Optimization System (RiOS) must automatically log event for account modification. |
| SV-77333r1_rule | Riverbed Optimization System (RiOS) must automatically generate a log event for account disabling actions. |
| SV-77335r1_rule | Riverbed Optimization System (RiOS) must automatically generate a log event for account removal actions. |
| SV-77337r1_rule | Riverbed Optimization System (RiOS) must generate alerts that can be forwarded to the administrators and ISSO when local accounts are created. |
| SV-77339r1_rule | Riverbed Optimization System (RiOS) must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified. |
| SV-77341r1_rule | Riverbed Optimization System (RiOS) must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled. |
| SV-77343r1_rule | Riverbed Optimization System (RiOS) must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed. |
| SV-77345r1_rule | Riverbed Optimization System (RiOS) must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. |
| SV-77347r1_rule | Riverbed Optimization System (RiOS) must generate a log event when privileged functions are executed. |
| SV-77349r1_rule | Riverbed Optimization System (RiOS) must enforce the limit of three (3) consecutive invalid logon attempts by a user during a 15-minute time period for device console access. |
| SV-77351r1_rule | Riverbed Optimization System (RiOS) must enforce the limit of three (3) consecutive invalid logon attempts by a user during a 15-minute time period for web-based management access. |
| SV-77353r1_rule | Riverbed Optimization System (RiOS) must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. |
| SV-77355r1_rule | Riverbed Optimization System (RiOS) must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. |
| SV-77357r1_rule | Riverbed Optimization System (RiOS) must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type. |
| SV-77387r1_rule | Riverbed Optimization System (RiOS) must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. |
| SV-77389r1_rule | Riverbed Optimization System (RiOS) must generate audit records containing the full-text recording of privileged commands. |
| SV-77391r1_rule | Riverbed Optimization System (RiOS) must generate an email alert of all log failure events requiring alerts. |
| SV-77407r1_rule | Riverbed Optimization System (RiOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
| SV-77411r1_rule | Riverbed Optimization System (RiOS) must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). |
| SV-77413r1_rule | Riverbed Optimization System (RiOS) must protect audit information from any type of unauthorized read access. |
| SV-77415r1_rule | Riverbed Optimization System (RiOS) must protect audit information from unauthorized modification. |
| SV-77417r1_rule | Riverbed Optimization System (RiOS) must protect audit information from unauthorized deletion. |
| SV-77419r1_rule | Riverbed Optimization System (RiOS) must protect audit tools from unauthorized access. |
| SV-77421r1_rule | Riverbed Optimization System (RiOS) must protect audit tools from unauthorized deletion. |
| SV-77423r1_rule | Riverbed Optimization System (RiOS) must provide audit record generation capability for DoD-defined auditable events within the network device. |
| SV-77425r1_rule | Riverbed Optimization System (RiOS) must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be logged. |
| SV-77427r1_rule | Riverbed Optimization System (RiOS) must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. |
| SV-77429r1_rule | Riverbed Optimization System (RiOS) must generate a log event for the enforcement actions used to restrict access associated with changes to the device. |
| SV-77431r1_rule | Riverbed Optimization System (RiOS) must enable the password authentication control policy to ensure password complexity controls and other password policy requirements are enforced. |
| SV-77433r1_rule | Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally manage authentication settings. |
| SV-77435r1_rule | Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally apply authentication settings. |
| SV-77437r1_rule | Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally verify authentication settings. |
| SV-77439r1_rule | Riverbed Optimization System (RiOS) must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
| SV-77441r1_rule | Riverbed Optimization System (RiOS) must back up the system configuration files when configuration changes are made to the device. |
| SV-77443r1_rule | Riverbed Optimization System (RiOS) must implement replay-resistant authentication mechanisms for network access to privileged accounts. |
| SV-77445r1_rule | Riverbed Optimization System (RiOS) must authenticate network management endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
| SV-77447r1_rule | Riverbed Optimization System (RiOS) must authenticate SNMP server before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
| SV-77449r1_rule | Riverbed Optimization System (RiOS) must authenticate NTP server before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
| SV-77451r1_rule | Riverbed Optimization System (RiOS) must enforce a minimum 15-character password length. |
| SV-77453r1_rule | Riverbed Optimization System (RiOS) must enforce password complexity by requiring that at least one upper-case character be used. |
| SV-77455r1_rule | Riverbed Optimization System (RiOS) must enforce password complexity by requiring that at least one lower-case character be used. |
| SV-77457r1_rule | Riverbed Optimization System (RiOS) must enforce password complexity by requiring that at least one numeric character be used. |
| SV-77459r1_rule | Riverbed Optimization System (RiOS) must enforce password complexity by requiring that at least one numeric character be used. |
| SV-77461r1_rule | Riverbed Optimization System (RiOS) must require that when a password is changed, the characters are changed in at least 15 of the positions within the password. |
| SV-77463r1_rule | Riverbed Optimization System (RiOS) must enforce a 60-day maximum password lifetime restriction. |
| SV-77465r1_rule | Riverbed Optimization System (RiOS) must prohibit password reuse for a minimum of five generations. |
| SV-77467r1_rule | Riverbed Optimization System (RiOS) must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
| SV-77469r1_rule | Riverbed Optimization System (RiOS) performing maintenance functions must restrict use of these functions to authorized personnel only. |
| SV-77471r1_rule | Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
| SV-77473r1_rule | Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
| SV-77475r1_rule | Riverbed Optimization System (RiOS) must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. |
| SV-77477r1_rule | Riverbed Optimization System (RiOS) must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
| SV-77479r1_rule | Riverbed Optimization System (RiOS) must generate unique session identifiers using a FIPS 140-2 approved random number generator. |
| SV-77481r1_rule | Riverbed Optimization System (RiOS) must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the network device management network by employing organization-defined security safeguards. |
| SV-77483r1_rule | Riverbed Optimization System (RiOS) must generate an alert that can be sent to security personnel when threats identified by authoritative sources (e.g., CTOs) and IAW with CJCSM 6510.01B occur. |
| SV-77485r1_rule | The application must reveal error messages only to authorized individuals (ISSO, ISSM, and SA). |