STIGQter: STIG Summary: Trend Micro Deep Security 9.x Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 26 Feb 2016

| Checked | Name | Title |
|---|---|---|
|  | SV-80347r1_rule | Trend Deep Security must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. |
|  | SV-80349r1_rule | Trend Deep Security must initiate a session lock after a 15-minute period of inactivity. |
|  | SV-80351r1_rule | Trend Deep Security must automatically audit account creation. |
|  | SV-80353r1_rule | Trend Deep Security must automatically audit account modification. |
|  | SV-80355r1_rule | Trend Deep Security must automatically audit account disabling actions. |
|  | SV-80357r1_rule | Trend Deep Security must automatically audit account removal actions. |
|  | SV-80359r1_rule | Trend Deep Security must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
|  | SV-80361r1_rule | Trend Deep Security must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
|  | SV-80363r1_rule | Trend Deep Security must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. |
|  | SV-80365r1_rule | Trend Deep Security must provide audit record generation capability for DoD-defined auditable events within all application components. |
|  | SV-80367r1_rule | Trend Deep Security must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
|  | SV-80369r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful attempts to access privileges occur. |
|  | SV-80371r1_rule | Trend Deep Security must initiate session auditing upon startup. |
|  | SV-80373r1_rule | Trend Deep Security must provide the capability for authorized users to capture, record, and log all content related to a user session. |
|  | SV-80375r1_rule | Trend Deep Security must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
|  | SV-80377r1_rule | Trend Deep Security must protect audit information from any type of unauthorized read access. |
|  | SV-80379r1_rule | Trend Deep Security must protect audit information from unauthorized modification. |
|  | SV-80381r1_rule | Trend Deep Security must protect audit information from unauthorized deletion. |
|  | SV-80383r1_rule | Trend Deep Security must protect audit tools from unauthorized access. |
|  | SV-80385r1_rule | Trend Deep Security must protect audit tools from unauthorized modification. |
|  | SV-80387r1_rule | Trend Deep Security must protect audit tools from unauthorized deletion. |
|  | SV-80389r1_rule | Trend Deep Security must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
|  | SV-80391r1_rule | Trend Deep Security must use cryptographic mechanisms to protect the integrity of audit information. |
|  | SV-80393r1_rule | Trend Deep Security must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
|  | SV-80395r1_rule | Trend Deep Security must scan all media used for system maintenance prior to use. |
|  | SV-80397r1_rule | Trend Deep Security must provide automated mechanisms for supporting account management functions. |
|  | SV-80399r1_rule | Trend Deep Security must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
|  | SV-80403r1_rule | Trend Deep Security must ensure users are authenticated with an individual authenticator prior to using a group authenticator. |
|  | SV-80405r1_rule | Trend Deep Security must enforce a minimum 15-character password length. |
|  | SV-80407r1_rule | Trend Deep Security must enforce password complexity by requiring that at least one upper-case character be used. |
|  | SV-80409r1_rule | Trend Deep Security must enforce password complexity by requiring that at least one numeric character be used. |
|  | SV-80411r1_rule | Trend Deep Security must enforce password complexity by requiring that at least one special character be used. |
|  | SV-80415r1_rule | Trend Deep Security must enforce a 60-day maximum password lifetime restriction. |
|  | SV-80417r1_rule | Trend Deep Security must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
|  | SV-80419r1_rule | Trend Deep Security must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. |
|  | SV-80421r1_rule | Trend Deep Security must isolate security functions from non-security functions. |
|  | SV-80423r1_rule | Trend Deep Security must restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems. |
|  | SV-80425r1_rule | Trend Deep Security must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. |
|  | SV-80427r1_rule | Trend Deep Security must automatically update malicious code protection mechanisms. |
|  | SV-80429r1_rule | Trend Deep Security must notify ISSO and ISSM of failed security verification tests. |
|  | SV-80431r1_rule | Trend Deep Security must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. |
|  | SV-80433r1_rule | Trend Deep Security must configure malicious code protection mechanisms to perform periodic scans of the information system every seven (7) days. |
|  | SV-80435r1_rule | Trend Deep Security must be configured to perform real-time malicious code protection scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
|  | SV-80437r1_rule | Trend Deep Security must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals. |
|  | SV-80439r1_rule | Trend Deep Security must notify System Administrators and Information System Security Officers when accounts are created. |
|  | SV-80441r1_rule | Trend Deep Security must notify System Administrators and Information System Security Officers when accounts are modified. |
|  | SV-80443r1_rule | Trend Deep Security must notify System Administrators and Information System Security Officers for account disabling actions. |
|  | SV-80445r1_rule | Trend Deep Security must notify System Administrators and Information System Security Officers for account removal actions. |
|  | SV-80447r1_rule | Trend Deep Security must automatically audit account enabling actions. |
|  | SV-80449r1_rule | Trend Deep Security must notify SA and ISSO of account enabling actions. |
|  | SV-80457r1_rule | Trend Deep Security must audit the execution of privileged functions. |
|  | SV-80459r1_rule | Trend Deep Security must off-load audit records onto a different system or media than the system being audited. |
|  | SV-80461r1_rule | Trend Deep Security must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. |
|  | SV-80463r1_rule | Trend Deep Security must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. |
|  | SV-80465r1_rule | Trend Deep Security must alert the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected. |
|  | SV-80467r1_rule | Trend Deep Security must prohibit user installation of software without explicit privileged status. |
|  | SV-80469r1_rule | Trend Deep Security must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner. |
|  | SV-80471r1_rule | Trend Deep Security must enforce access restrictions associated with changes to application configuration. |
|  | SV-80473r1_rule | Trend Deep Security must audit the enforcement actions used to restrict access associated with changes to the application. |
|  | SV-80475r1_rule | Trend Deep Security must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
|  | SV-80477r1_rule | Trend Deep Security must maintain a separate execution domain for each executing process. |
|  | SV-80479r1_rule | Trend Deep Security must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards. |
|  | SV-80481r1_rule | Trend Deep Security must implement organization-defined security safeguards to protect its memory from unauthorized code execution. |
|  | SV-80483r1_rule | Trend Deep Security must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
|  | SV-80485r1_rule | Trend Deep Security detection application must detect network services that have not been authorized or approved by the organization-defined authorization or approval processes. |
|  | SV-80487r1_rule | Trend Deep Security must, when unauthorized network services are detected, log the event and alert the ISSO, ISSM, and other individuals designated by the local organization. |
|  | SV-80489r1_rule | Trend Deep Security must continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions. |
|  | SV-80491r1_rule | Trend Deep Security must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B. |
|  | SV-80495r1_rule | Trend Deep Security must notify the system administrator when anomalies in the operation of the security functions are discovered. |
|  | SV-80497r1_rule | Trend Deep Security must implement security safeguards when integrity violations are discovered. |
|  | SV-80501r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
|  | SV-80503r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
|  | SV-80507r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify security levels occur. |
|  | SV-80509r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
|  | SV-80513r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
|  | SV-80515r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful logon attempts occur. |
|  | SV-80517r1_rule | Trend Deep Security must generate audit records for privileged activities or other system-level access. |
|  | SV-80519r1_rule | Trend Deep Security must generate audit records when successful/unsuccessful accesses to objects occur. |
|  | SV-80521r1_rule | Trend Deep Security must generate audit records for all direct access to the information system. |
|  | SV-80523r1_rule | Trend Deep Security must generate audit records for all account creations, modifications, disabling, and termination events. |
|  | SV-80525r1_rule | Trend Deep Security must generate audit records for all kernel module load, unload, and restart events and, also for all program initiations. |
|  | SV-80527r1_rule | Trend Deep Security must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. |
|  | SV-80533r1_rule | Trend Deep Security must synchronize with Active Directory on a daily (or AO-defined) basis. |
|  | SV-80535r1_rule | Trend Deep Security must reside on a Web Server configured for multifactor authentication. |
|  | SV-80537r1_rule | Trend Deep Security must enforce password complexity by requiring that at least one lower-case character be used. |