V-55051
|
The network device must enforce the assigned privilege level for each administrator and authorizations for access to commands relative to the privilege level according to the applicable policy for the device.
|
CAT 1
|
N/A
|
Data Protection Central implements Access Control Lists (ACLs) to restrict access to privileged commands and configuration files to the default user IDs, namely root and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles.
Data Protection Central runs on SUSE Linux Enterprise Server, which enables adding ACLs to restrict access according to privilege level and organizational policy.
|
V-55101
|
The network device must be configured to prohibit the use of unnecessary or nonsecure functions, ports, protocols, and services.
|
CAT 1
|
N/A
|
Data Protection Central has a firewall that allows only the protocols and ports that the application requires.
|
V-55103
|
The network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
|
CAT 1
|
N/A
|
Data Protection Central uses the Linux authentication mechanism for local and SSH authentication to uniquely identify and authenticate administrators. For the web interface, the authentication is through the Dell EMC lockbox, which also uniquely identifies and authenticates organizational administrators.
|
V-55131
|
The network device must only store cryptographic representations of passwords.
|
CAT 1
|
N/A
|
Data Protection Central uses the Linux infrastructure for authentication. Passwords are stored in /etc/shadow in encrypted form. Web interface login passwords are stored in EMC lockbox in encrypted form.
|
V-55133
|
The network device must transmit only encrypted representations of passwords.
|
CAT 1
|
N/A
|
Data Protection Central uses TLS for all HTTPS and AMQP communications with other systems in the solution.
|
V-55141
|
The network device, when using PKI-based authentication, must accept only certificates that a DoD-approved Certificate Authority issues.
|
CAT 1
|
N/A
|
When adding a system in the Data Protection Central UI, Data Protection Central allows a user to view the certificate before accepting it. The user should accept a DoD-approved certificate.
Data Protection Central supports PKI-based authentication and can be configured to use certificates that a DoD-approved Certificate Authority issues.
|
V-55149
|
To protect the information from possible exploitation and use by unauthorized individuals, the network device must obscure feedback of authentication information during the authentication process.
|
CAT 1
|
N/A
|
Data Protection Central obscures feedback of authentication information during the authentication process. For example, the UI displays asterisks when a user types in a password.
|
V-55153
|
The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
|
CAT 1
|
N/A
|
Data Protection Central uses FIPS 140-2 approved algorithms for all connections, and uses FIPS 140-2 validated cryptographic modules.
|
V-55159
|
The network device must terminate all network connections that are associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
|
CAT 1
|
Yes
|
Data Protection Central terminates SSH and console sessions after 10 minutes of inactivity. Web sessions are terminated after 20 minutes. This value is configurable (see SSH and console session timeout). At the end of the session, Data Protection Central terminates all network connections that are associated with the session.
|
V-55171
|
The network device must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
|
CAT 1
|
N/A
|
Data Protection Central implements Access Control Lists (ACLs) to restrict access to privileged commands and configuration files to the default users, root and admin, that are delivered with the product. It is assumed that no other user is added to the system. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles.
Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add ACLs to restrict access according to privilege level and organizational policy.
|
V-55221
|
The network device must prevent nonprivileged users from running privileged functions, including disabling, circumventing, or altering implemented security safeguards and countermeasures.
|
CAT 1
|
N/A
|
Data Protection Central implements Access Control Lists (ACLs) to restrict access to privileged commands and configuration files to the default user IDs, namely root and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles.
Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add ACLs to restrict access according to privilege level and organizational policy.
|
V-55265
|
The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
|
CAT 1
|
N/A
|
Data Protection Central uses FIPS 140-2 approved algorithms for all connections, and uses FIPS 140-2 validated cryptographic modules.
|
V-55267
|
Applications that are used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
|
CAT 1
|
N/A
|
Data Protection Central uses SSH and HTTPS. Only SCP can be used to securely copy files from and to Data Protection Central.
|
V-99017
|
The network device must be configured to send log data to a central log server for forwarding alerts to the administrators and the ISSO.
|
CAT 1
|
Yes
|
Data Protection Central can be configured to send log data to a central log server. See Enable logging to a central log server.
|