- Notes, cautions, and warnings
- Preface
- Security Quick Reference
- Product and Subsystem Security
- Security controls map
- Authentication
- Authorization
- SSO limitations with PowerProtect Data Manager
- Network security
- Data security
- Cryptography
- Auditing and logging
- Enable logging to a central log server
- Serviceability
- Product code integrity
- Federal standards and compliance
- Miscellaneous Configuration and Management
Data Protection Central 19.7 Security Configuration Guide
STIG compliance
This section contains configuration and maintenance standards that the US Department of Defense (DoD) Information Assurance (IA) program requires.
These guidelines are designed to enhance security settings and configuration options before the systems are connected to a network. For more information about the various STIGs, see the Security Technical Implementation Guides (STIGs) section on DoD Cyber Exchange.
Severity Category Codes (CAT) describe the vulnerabilities that are used to assess a facility or system security posture. CAT I Severity Code describes security protections that can be bypassed, allowing immediate access by unauthorized personnel or unauthorized use of superuser privileges. CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.
Data Protection Central compliance with CAT I Security Requirements is described in Table 1.
| STIG Vulnerability ID | Rule Title | Category | User configuration | Comments |
|---|---|---|---|---|
| V-55051 | The network device must enforce the assigned privilege level for each administrator and authorizations for access to commands relative to the privilege level according to the applicable policy for the device. | CAT 1 | N/A | Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default user IDs, namely root, and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables adding ACLs to restrict access according to privilege level and organizational policy. |
| V-55101 | The network device must be configured to prohibit the use of unnecessary or nonsecure functions, ports, protocols, and services. | CAT 1 | N/A | Data Protection Central has a firewall that allows only the protocols and ports that the application requires. |
| V-55103 | The network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators). | CAT 1 | N/A | Data Protection Central uses the Linux authentication mechanism for local and SSH authentication to uniquely identify and authenticate administrators. For the web interface, the authentication is through the Dell EMC lockbox, which also uniquely identifies and authenticates organizational administrators. |
| V-55131 | The network device must only store cryptographic representations of passwords. | CAT 1 | N/A | Data Protection Central uses the Linux infrastructure for authentication. Passwords are stored in /etc/shadow in encrypted form. Web interface login passwords are stored in EMC lockbox in encrypted form. |
| V-55133 | The network device must transmit only encrypted representations of passwords. | CAT 1 | N/A | Data Protection Central uses TLS for all HTTPS and AMQP communications with other systems in the solution. |
| V-55141 | The network device, when using PKI-based authentication, must accept only certificates that DoD-approved Certificate Authority issues. | CAT 1 | N/A | When adding a system in the Data Protection Central UI, Data Protection Central allows a user to view the certificate before accepting it. The user should accept a DoD-approved certificate. Data Protection Central supports PKI-based authentication and can be configured to use certificates that a DoD-approved Certificate Authority issues. |
| V-55149 | To protect the information from possible exploitation and use by unauthorized individuals, the network device must obscure feedback of authentication information during the authentication process. | CAT 1 | N/A | Data Protection Central obscures feedback of authentication information during the authentication process. For example, the UI displays asterisks when a user types in a password. |
| V-55153 | The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | CAT 1 | N/A | Data Protection Central uses FIPS 140-2 approved algorithms for all connections, and uses FIPS 140-2 validated cryptographic modules. |
| V-55159 | The network device must terminate all network connections that are associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | CAT 1 | Yes | Data Protection Central terminates SSH and console sessions after 10 minutes of inactivity. Web sessions are terminated after 20 minutes. This value is configurable (see SSH and console session timeout). At the end of the session, Data Protection Central terminates all network connections that are associated with the session. |
| V-55171 | The network device must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive). | CAT 1 | N/A | Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default users, root, and admin, that are delivered with the product. It is assumed that no other user is added to the system. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add additional ACLs to restrict access according to privilege level and organizational policy. |
| V-55221 | The network device must prevent nonprivileged users from running privileged functions, including disabling, circumventing, or altering implemented security safeguards and countermeasures. | CAT 1 | N/A | Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default user IDs, namely root, and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add additional ACLs to restrict access according to privilege level and organizational policy. |
| V-55265 | The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. | CAT 1 | N/A | Data Protection Central uses FIPS 140-2 approved algorithms for all connections, and uses FIPS 140-2 validated cryptographic modules. |
| V-55267 | Applications that are used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. | CAT 1 | N/A | Data Protection Central uses SSH and HTTPS. Only SCP can be used to securely copy files from and to Data Protection Central. |
| V-99017 | The network device must be configured to send log data to a central log server for forwarding alerts to the administrators and the ISSO. | CAT 1 | Yes | Data Protection Central can be configured to send log data to a central log server. See Enable logging to a central log server. |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\