<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET>
    <ROLE>None</ROLE>
    <ASSET_TYPE>Computing</ASSET_TYPE>
    <HOST_NAME></HOST_NAME>
    <HOST_IP></HOST_IP>
  </ASSET>
  <STIGS>
    <iSTIG>
      <STIG_INFO>
        <SI_DATA>
          <SID_NAME>title</SID_NAME>
          <SID_DATA>Riverbed NetIM NDM Security Technical Implementation Guide</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>version</SID_NAME>
          <SID_DATA>1</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>releaseinfo</SID_NAME>
          <SID_DATA>Release: 1</SID_DATA>
        </SI_DATA>
      </STIG_INFO>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275452</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275452r1147406_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must enable and configure user audit logging.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

If the User-Audit Logging role is not assigned to an admin, then all admins can see the log. If the role is defined, then the role is the only one that can see the local audit log.

Satisfies: SRG-APP-000028-NDM-000210, SRG-APP-000381-NDM-000305, SRG-APP-000029-NDM-000211, SRG-APP-000027-NDM-000209, SRG-APP-000091-NDM-000223, SRG-APP-000092-NDM-000224, SRG-APP-000516-NDM-000334, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000099-NDM-000229, SRG-APP-000098-NDM-000228, SRG-APP-000097-NDM-000227, SRG-APP-000096-NDM-000226, SRG-APP-000095-NDM-000225, SRG-APP-000101-NDM-000231, SRG-APP-000100-NDM-000230, SRG-APP-000177-NDM-000263, SRG-APP-000319-NDM-000283, SRG-APP-000026-NDM-000208, SRG-APP-000343-NDM-000289</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify user audit logging is enabled. 

1. From the GUI menu, navigate to Configure &gt;&gt; All Settings &gt;&gt; Administer &gt;&gt; User Audit. 
2. Under the User Audit Logging section, verify &quot;Yes&quot; is selected.

If user audit logging is not enabled and assigned, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Enable the User Audit role and assign it to a user.

1. From the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Administer &gt;&gt; User Audit. 
2. On the Settings tab, select &quot;Yes&quot; under the User Audit Logging section.
3. Assign the role to an admin user account.

Note: The user auditor role removes all other admin roles and functions from the users assigned the role of audit administrator. Other types of administrators, including the default admin of last resort, will not be able to access the auditing functions or local audit log.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275453</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275453r1147409_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device&apos;s local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify only the account of last resort, &quot;admin&quot;, exists on the device.

In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Administer &gt;&gt; User Management.

If local user accounts exist other than the account of last resort, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Use of the default GUI account &quot;admin&quot; as the account of last resort is strongly recommended. It must have a DOD-compliant password and be securely stored in a safe for emergency, but not day-to-day, use. The &quot;NetIMAdmin&quot; default shell account cannot be changed but must be the only user shell account. It must have a DOD-compliant password.

Remove all GUI local accounts other than the default admin account.

1. In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Administer &gt;&gt; User Management.
2. In the Local Users section, click the &quot;X&quot; icon in the Actions column of the user&apos;s entry.

The NetIMAdmin shell account must remain the only local login account at this level.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275454</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275454r1147412_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to assign appropriate user roles or access levels to authenticated users.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the user role assignments on the NetIM.

1. In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; User Management. 
2. In the TACACS+ pane, inspect the Last Login Server column. Verify all users except for the account of last resort are listed and the role assigned for nonprivileged users is &quot;USERS&quot;. Verify the admins are assigned admin roles, and the single audit administrator is assigned the role AUDIT_ADMIN. The audit admin role must be defined for DOD sites.

If NetIM account roles are not configured or if the roles assigned are not compliant, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure AAA services.

Note: This process must be done during initial installation of NetIM when prompted. This minimizes the need for system administrators to later access the Ubuntu bash shell. 

Important: All individual admin accounts must be configured on an authentication server, the NetIM must be configured to point to a PKI-based authentication server, and roles must be mapped to the authorization attributes on the authentication server. 

Check the system security plan (SSP) to determine which roles are required to be defined for remote users.

Note: Enable TACACS+ Authentication from Ubuntu bash shell during initial installation of the application. Accessing bash commands requires the sysadmin to type &quot;Challenge&quot; at the NetIM shell. Use the site&apos;s support email account to send the Challenge code and receive the Response code. DISA requires system admins to immediately log out of NetIMAdmin once the required bash access is no longer needed to mitigate the risk of this superadmin access being inadvertently used. Admins should not leave the bash shell open for long periods without logging out.

1. From the root of the installation directory, enter the following command:

$ bash
$ cd &lt;installation directory&gt;
$ ./app.sh /TACACS_STATE enabled

2. In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Integrate &gt;&gt; TACACS+.
3. On the TACACS+ Configurations page, fill out all required information. Add the IP address for the authentication server, add a role for the remote user, and check the box for &quot;Require Authentication&quot;.
4. Select the check box for &quot;Require Authorization&quot; and provide the authorization attributes and role attributes.

To add, modify, or delete a user account or log off a user, follow these steps:

1. In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Administer &gt;&gt; User Management.
2. To add a TACACS+ user, click the &quot;+&quot; icon next to &quot;Create TACACS+ user&quot;.
3. Select a valid TACACS+ username, assign a role from the dropdown list, then click &quot;Save&quot;. 
4. For audit administrator, assign the role of USER_AUDITOR.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275455</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275455r1148274_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>NetIM must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the NetIM is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. 

From the GUI, view the presented banner. Verify the banner&apos;s content and formatting matches the following:

&quot;You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.&quot;

If the approved banner is not presented, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the login banner. 

1. From the GUI, go to Configure &gt;&gt; All Settings.
2. From the Administrator group, select &quot;Login settings&quot;. 
3. Check &quot;Banner Message Enabled&quot;.
4. Check &quot;Require Acknowledgement&quot;.
5. Enter the banner text below and click &quot;Submit&quot;.

&quot;You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.&quot;</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275456</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275456r1147418_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>NetIM must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DOD will not be in compliance with system use notifications required by law. 

To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement.

In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, then entering the password is also acceptable.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Determine if NetIM is configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. 

1. From the GUI, go to Configure &gt;&gt; All Settings.
2. From the Administrator group, select &quot;Login settings&quot;. 
3. Verify the &quot;Require Acknowledgement&quot; box is checked.

If NetIM does not retain the banner on the screen until the administrator acknowledges the banner, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure NetIM to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. 

1. From the top menu, navigate to Configure &gt;&gt; All Settings.
2. From the Administrator group, select &quot;Login settings&quot;. 
3. Check &quot;Require Acknowledgement&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275457</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275457r1147421_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>low</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must generate an alert of all audit failure events.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>To ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. 

The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the system administrator (SA) and information system security officer (ISSO) are notified in the event of an audit processing failure by using the following command: 
  
     $ sudo grep -ri action_mail_acct /etc/rsyslog.d
     action_mail_acct = &lt;administrator_email_account&gt;
  
If &quot;action_mail_acct&quot; is not set to the email address of the SA and/or ISSO, is commented out, or is missing, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the &quot;/etc/rsyslog.d&quot; service to notify the SA and ISSO in the event of an audit processing failure.

1. Add or modify the following line in the &quot;/etc/rsyslog.d&quot; file: 
  
action_mail_acct = &lt;administrator_email_account&gt;  
  
Note: Change &quot;administrator_email_account&quot; to the email address of the SA and/or ISSO. 
  
2. Restart rsyslog service.

     $ sudo service rsyslog restart

Note: An email package must be installed on the system for email notifications to be sent.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275461</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275461r1148276_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to use an authentication server configured for multifactor authentication (MFA) using DOD PKI for the purpose of authenticating users prior to granting administrative access.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>MFA is the requirement that two or more factors be used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user&apos;s biometric digital presence.

Private industry recognizes and uses a variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates generated by the issuing CA are downloaded and saved to smartcards, referred to as common access cards (CAC) or personal identity verification (PIV) cards within the DOD. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or &quot;alternate tokens&quot;, function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users).

Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.

Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the AAA configuration.

Navigate to the GUI portal admin user login screen. If TACACS+ is configured, the NetIM login screen presents only the option to use TACACS.

If TACACS+ is not configured, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>All individual admin accounts must be configured on an authentication server, the NetIM must be configured to point to a DOD PKI-based authentication server, and roles must be mapped to the authorization attributes on the authentication server. Check the SSP to see which roles are required to be defined for remote users.

1. Navigate to the installation directory, typically located at /data1/riverbed/NetIM/&lt;install_dir&gt;, and run the following command:

     $ ./app.sh /TACACS_STATE enabled

2. From the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Integrate &gt;&gt; TACACS+.
3. On the TACACS+ Configurations page, fill out all required information. Add the IP address for the authentication server, add a role for the remote user, and check &quot;Require Authentication&quot;.
4. Select &quot;Require Authorization&quot; and provide the authorization attributes and role attributes.

To add, modify, or delete a user account or log off a user, follow these steps:

1. Navigate to Configure &gt;&gt; All Settings &gt;&gt; Administer &gt;&gt; User Management.
2. To add a TACACS+ user, click the &quot;+&quot; icon next to &quot;Create TACACS+ user&quot;.
3. Select a valid TACACS+ username, assign a role from the dropdown list, then click &quot;Save&quot;. For audit administrator, assign the role of USER_AUDITOR. For the default GUI &quot;admin&quot; account, the name must be changed.

Note: The TACACS+ server must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275462</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275462r1147436_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must support organizational requirements to back up the NetIM application and security configuration when changes occur.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who utilize this critical network component.

This control requires the Riverbed NetIM to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the system security plan (SSP) to determine the site&apos;s network device backup policy. 

Check the backup log repository identified by the site. Verify regular backups are being performed.

If NetIM does not back up the information system documentation, including security-related documentation, when changes occur, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Manually back up the application when changes occur in accordance with the SSP. This requirement normally gives an option for weekly backups; however, since the backup requires halting system processes, weekly may not be operationally possible.

1. From the NetIM core/manager node, navigate to &lt;install_dir&gt; by entering a command similar to the following:

$ cd /data1/riverbed/NetIM/&lt;install_dir&gt;

2. Log in to the shell of each node and run the following command:

$ ./app.sh SAVE_RESTORE export &lt;path to directory for exporting zip file&gt;

Here &lt;path to directory for exporting zip file&gt; is a backup repository that is off the NetIM hosts.

Note: VM snapshots of each node may be preferred by the site and are an acceptable alternative mitigation.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275465</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275465r1147445_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must enforce a minimum 15-character password length.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify Password Rules is configured to require a minimum password length of 15 characters.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot;.
3. View the Maximum Password Length box.

If a password length of at least 15 characters is not required, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure Password Rules to require a minimum password length of 15 characters.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot;.
3. Check the Maximum Password Length box.
4. Enter &quot;15&quot; in the option box and click &quot;Submit&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275466</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275466r1147448_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>low</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to require immediate selection of a new password upon account recovery for password-based authentication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Specify a temporary password to improve security. A temporary password can be enabled only if Account Control is enabled. If a temporary password is set, the password assigned by the Admin/Sys Admin for a new user expires on that user's first login, and a password-expired page is shown so the new user must select a new password before continuing.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify Password Rules is configured to expire temporary passwords.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot;.
3. View the Maximum age of temporary password in hours.

If the Maximum age of temporary password in hours is not set, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure Password Rules to expire temporary passwords.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot;.
3. Check &quot;Maximum age of temporary password in hours&quot;.
4. Enter an organization-defined number in the option box and click &quot;Submit&quot;.

Local users must not be created; however, setting these requirements is a best practice.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275467</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275467r1148279_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify Password Rules is configured to use all available options.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot; and verify that all available boxes are selected and configured in compliance with DOD requirements.

If any of the options is not selected, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure Password Rules to use all available options.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select all available boxes, configure in compliance with DOD requirements, and click &quot;Submit&quot;.

Local users must not be created; however, setting these requirements is a best practice.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275473</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275473r1147469_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify NetIM uses version 2.10 or later.

In the GUI, view the version at the top above the main menu on the right.

If the installed NetIM version is not version 2.10 or later, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Upgrade NetIM to version 2.10 or later.

To upgrade NetIM, access the NetIM Software License and Download portal (SLD) and navigate to the Software Download page, then follow the specific instructions for the upgrade version, including checking for release notes and alerts.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275481</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275481r1148299_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify Password Rules are configured for &quot;Maximum failed login attempts allowed&quot;.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot;.
3. Verify &quot;Maximum failed login attempts allowed&quot; is checked and set to &quot;3&quot;.
4. Verify &quot;Time interval for max failed login attempts in minutes&quot; is set to &quot;15&quot;.

If &quot;Maximum failed login attempts allowed&quot; is not set to &quot;3&quot;, or &quot;Time interval for max failed login attempts in minutes&quot; is not set to &quot;15&quot;, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Password Rules for Maximum failed login attempts allowed.

1. From the GUI, navigate to Configuration &gt;&gt; Configure &gt;&gt; All Settings &gt;&gt; Administer.
2. On the User Management screen, select &quot;Password Rules&quot;.
3. Check the box for &quot;Maximum failed login attempts allowed&quot;.
4. Enter &quot;3&quot; in the option box.
5. Check the box for &quot;Time interval for max failed login attempts in minutes&quot;.
6. Enter &quot;15&quot; in the option box and click &quot;Submit&quot;.

Note: Local users must not be created; however, setting these requirements is a best practice.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275482</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275482r1147496_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration.

The ability to off-load those files is a common process used while managing information systems.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify auditing is configured to send events to a central log server by using the following command:

     $ sudo grep -i 'action(type=&quot;omfwd&quot;' /etc/rsyslog.d/*.conf

The output must contain a forwarding action similar to the following, with &lt;Syslog Server IP&gt; replaced by the address of the central log server:

     action(type=&quot;omfwd&quot; target=&quot;&lt;Syslog Server IP&gt;&quot; port=&quot;3514&quot; protocol=&quot;tcp&quot;
             action.resumeRetryCount=&quot;100&quot;
             queue.type=&quot;linkedList&quot; queue.size=&quot;10000&quot;)

If auditing is not configured to send events to a central log server, this is a finding.</ATTRIBUTE_DATA>
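As an added example that is not part of this STIG or of Riverbed's product, the following POSIX shell check automates the verification above against the rsyslog drop-in directory that the fix text populates. It assumes rsyslog's RainerScript action() syntax with target= and protocol= on the first line of the action, as in the fix text's 60-netim.conf, and the directory path /etc/rsyslog.d is an assumption taken from the fix text. Beyond the grep, it treats as findings the three states a reviewer most often sees: no omfwd action at all, a target that is the local host (records stay on the audited system), and the unreplaced placeholder pasted into target=. It also rejects an action without protocol="tcp", because omfwd defaults to UDP, under which a failed delivery is never detected and the retry and queue settings give no protection.

```shell
#!/bin/sh
# Added example, not part of the STIG or of Riverbed's software: a POSIX shell check for
# V-275482 that inspects rsyslog drop-in files for an omfwd forwarding action and verifies
# the target is a remote collector reached over TCP, as the fix text configures.
# Assumed: rsyslog RainerScript syntax (action(type="omfwd" ...)) with target= and
# protocol= on the first line of the action, as in the fix text's 60-netim.conf.

# netim_syslog_forward_check DIR
# Prints PASS/FAIL with a reason; returns 0 only when audit records are forwarded off-host.
netim_syslog_forward_check() {
    dir="$1"
    # Gather every omfwd action line from the drop-in directory; "|| true" keeps a
    # no-match grep from aborting callers that run with set -e.
    matches=$(grep -hi 'action(type="omfwd"' "$dir"/*.conf 2>/dev/null || true)
    if [ -z "$matches" ]; then
        echo "FAIL: no omfwd forwarding action found in $dir"
        return 1
    fi

    # Pull the first target= and protocol= values out of the matched line(s).
    target=$(printf '%s\n' "$matches" | sed -n 's/.*target="\([^"]*\)".*/\1/p' | head -n 1)
    proto=$(printf '%s\n' "$matches" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p' | head -n 1)

    case "$target" in
        "")
            echo "FAIL: omfwd action has no target="
            return 1 ;;
        *[!A-Za-z0-9.:_-]*)
            # Spaces, angle brackets and similar mean the "Syslog Server IP" placeholder
            # from the fix text was pasted verbatim and never replaced.
            echo "FAIL: target '$target' is not a valid host name or IP (placeholder left in place?)"
            return 1 ;;
        127.*|localhost|::1)
            # Forwarding to the local host does not take the records off the audited system.
            echo "FAIL: target '$target' is the local host; records are not off-loaded"
            return 1 ;;
    esac

    # omfwd defaults to UDP when protocol= is absent; with UDP a failed delivery is never
    # noticed, so action.resumeRetryCount and the queue settings protect nothing.
    case "$proto" in
        [Tt][Cc][Pp]) ;;
        *)
            echo "FAIL: protocol '${proto:-udp}' in use; TCP is required"
            return 1 ;;
    esac

    echo "PASS: forwarding to $target over tcp"
    return 0
}

# Usage on a NetIM node: sh netim_syslog_check.sh /etc/rsyslog.d
# (the check runs only when a directory argument is supplied)
if [ -n "${1:-}" ]; then
    netim_syslog_forward_check "$1" || exit 1
fi
```

The exit status makes the function usable from a scheduled compliance job; the printed reason is what goes into FINDING_DETAILS when it returns 1.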
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the rsyslog service to send NetIM audit logs to the central syslog server.

1. Create or edit the following drop-in file under &quot;/etc/rsyslog.d&quot;:

     $ sudo nano /etc/rsyslog.d/60-netim.conf

2. Add the following text, replacing &lt;Syslog Server IP&gt; with the address of the central log server:

    *.*  action(type=&quot;omfwd&quot; target=&quot;&lt;Syslog Server IP&gt;&quot; port=&quot;3514&quot; protocol=&quot;tcp&quot;
             action.resumeRetryCount=&quot;100&quot;
             queue.type=&quot;linkedList&quot; queue.size=&quot;10000&quot;)

3. Restart the rsyslog service:

     $ sudo service rsyslog restart</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-275488</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-275488r1147514_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Riverbed NetIM must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.

The IP Detection Service tracks IP addresses (IPs) in the network and allows a user to query an IP address to determine the switch port to which a network device is connected. SNMP access to devices and a read-only community string (or equivalent SNMP v3 credentials) are required for the IP Detection Service to function. Community strings/credentials stored on NetIM are encrypted.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify NetIM is configured to authenticate SNMP messages using a FIPS-validated HMAC.

1. In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Discover &gt;&gt; Global Discovery Settings.
2. Click &quot;SNMP v3 Credentials&quot;. 
3. In the Add SNMP v3 Credentials box, verify the following is configured:
    Security Level menu = AUTH_PRIV
    Auth Protocol = &lt;protocol&gt;

Where &lt;protocol&gt; is one of the following for Auth Protocol: HMAC192_SHA256, HMAC256_SHA384, or HMAC384_SHA512.

    Priv Protocol = &lt;cipher_protocol&gt;

Where &lt;cipher_protocol&gt; is one of the following for Priv Protocol: CFB_AES_192 or CFB_AES_256.

If SNMP messages are not authenticated using a FIPS-validated HMAC, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure NetIM to authenticate SNMP messages using a FIPS-validated HMAC.

1. In the GUI, navigate to Configure &gt;&gt; All Settings &gt;&gt; Discover &gt;&gt; Global Discovery Settings.
2. Click &quot;SNMP v3 Credentials&quot;. 
3. In the Add SNMP v3 Credentials box, select the following:
    Security Level menu = AUTH_PRIV
    Auth Protocol = &lt;protocol&gt;

Where &lt;protocol&gt; is one of the following for Auth Protocol: HMAC192_SHA256, HMAC256_SHA384, or HMAC384_SHA512.

    Priv Protocol = &lt;cipher_protocol&gt;

Where &lt;cipher_protocol&gt; is one of the following for Priv Protocol: CFB_AES_192 or CFB_AES_256.

Note: FIPS compliance requires version 2.10 or higher and an Ubuntu Pro license, both of which are covered in other CAT I requirements. SNMPv3 standardizes only 128-bit AES privacy (RFC 3826); the CFB_AES_192 and CFB_AES_256 options are vendor extensions, so the managed devices must be configured with the same AES variant or SNMP v3 communication with them will fail.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    </iSTIG>
  </STIGS>
</CHECKLIST>