{"stig":{"title":"Axonius Federal Systems Ax-OS Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-276001","ruleId":"SV-276001r1122653_rule","severity":"medium","ruleTitle":"Ax-OS must limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks.\n\nSatisfies: SRG-APP-000001, SRG-APP-000246, SRG-APP-000247, SRG-APP-000435","checkContent":"From the Axonius Toolbox (accessed via Secure Shell [SSH]) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Maximum Concurrent Logins\n\nIf \"Current Status: Disable\" is shown, this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Maximum Concurrent Logins >> Enable","ccis":["CCI-000054","CCI-001094","CCI-001095","CCI-002385"]},{"vulnId":"V-276002","ruleId":"SV-276002r1122656_rule","severity":"medium","ruleTitle":"Ax-OS must automatically terminate a graphical user interface (GUI) user session after 15 minutes.","description":"An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.\n\nTo thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met.\n\nSession termination ends all processes associated with a user's logical session except those specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, 
periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nSatisfies: SRG-APP-000003, SRG-APP-000190, SRG-APP-000295","checkContent":"Select the gear icon (System Settings) >> Privacy and Security >> Session.\n\nUnder the Session Menu, verify the \"Enable session timeout\" slide bar is enabled.\n\nVerify \"Session idle timeout (minutes)\" is set to \"15\".\n\nIf \"Session idle timeout (minutes)\" is not set to 15 minutes or less, this is a finding.","fixText":"Select the gear icon (System Settings) >> Privacy and Security >> Session.\n\nUnder the Session Menu, enable the \"Enable session timeout\" slide bar.\n\nSet \"Session idle timeout (minutes)\" to \"15\".\n\nClick \"Save\".","ccis":["CCI-000057","CCI-001133","CCI-002361"]},{"vulnId":"V-276003","ruleId":"SV-276003r1122659_rule","severity":"medium","ruleTitle":"Ax-OS must automatically terminate a Secure Shell (SSH) user session after 15 minutes.","description":"An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.\n\nTo thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met.\n\nSession termination ends all processes associated with a user's logical session except those specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.","checkContent":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Idle session timeout\n\nIf \"Idle session timeout\" is not enabled, this is a 
finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Idle session timeout\n\nEnable \"Idle session timeout\".","ccis":["CCI-000057"]},{"vulnId":"V-276004","ruleId":"SV-276004r1122662_rule","severity":"high","ruleTitle":"Ax-OS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.","checkContent":"From the Axonius Toolbox (accessed via Secure Shell [SSH]) Main Actions Menu, select the following options:\n\nSystem Actions >> Advanced System Actions\n\nIf \"Enable FIPS Mode\" is present, this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nSystem Actions >> Advanced System Actions >> Enable FIPS Mode \n\nIf \"Disable FIPS Mode\" is displayed, no action is required.","ccis":["CCI-000068"]},{"vulnId":"V-276005","ruleId":"SV-276005r1122665_rule","severity":"medium","ruleTitle":"Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"Strong access controls are critical to securing the application server. 
The application server must employ access control policies (e.g., identity-based, role-based, and attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, and cryptography) to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, and application domains) in the application server.\n\nWithout stringent logical access and authorization controls, an adversary may have the ability, with little effort, to compromise the application server and associated supporting infrastructure.\n\nSatisfies: SRG-APP-000033, SRG-APP-000158, SRG-APP-000211, SRG-APP-000233, SRG-APP-000340, SRG-APP-000342, SRG-APP-000328, SRG-APP-000380, SRG-APP-000386, SRG-APP-000472, SRG-APP-000473, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735","checkContent":"Role-Based Access Control hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured.\n\nSelect the gear icon (System Settings) >> Access Management >> LDAP & SAML.\n\nDepending on the multifactor type configured, under LDAP or SAML, locate \"User Assignment Settings\".\n\nIf only one assigned role exists, this is a finding.","fixText":"Role-Based Access Control hierarchy is to be defined by the AO. 
Separation of duties must be configured.\n\nSelect the gear icon (System Settings) >> Access Management >> LDAP & SAML.\n\nDepending on the multifactor type configured, under LDAP or SAML, locate \"User Assignment Settings\".\n\nAssign two or more roles as defined by the AO and tie them to an LDAP/SAML user or group.","ccis":["CCI-000213","CCI-000778","CCI-001082","CCI-001084","CCI-002235","CCI-002233","CCI-002165","CCI-001813","CCI-001774","CCI-002696","CCI-002699","CCI-003638","CCI-003639","CCI-003640","CCI-003641","CCI-003642"]},{"vulnId":"V-276006","ruleId":"SV-276006r1122668_rule","severity":"medium","ruleTitle":"Ax-OS must display the Standard Mandatory DOD Notice and Consent Banner before granting access to Ax-OS.","description":"Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-APP-000070, SRG-APP-000068","checkContent":"Select the gear icon (System Settings) >> GUI >> Login.\n\nUnder Login Page Settings >> Custom message (up to 3000 characters), verify the Standard Mandatory DOD Notice and Consent Banner is displayed. 
\n\nIf the banner is not displayed, this is a finding.","fixText":"Select the gear icon (System Settings) >> GUI >> Login.\n\nUnder Login Page Settings >> Custom message (up to 3000 characters), enter the Standard Mandatory DOD Notice and Consent Banner text.\n\nClick \"Save\".","ccis":["CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388","CCI-000048"]},{"vulnId":"V-276007","ruleId":"SV-276007r1122671_rule","severity":"medium","ruleTitle":"Ax-OS must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the Toolbox.","description":"Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Access the Axonius Toolbox via Secure Shell (SSH) and verify the Standard Mandatory DOD Notice and Consent Banner is displayed. 
\n\nIf the banner is not displayed, this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Update SSH Banner Text\n\nEnter the Standard Mandatory DOD Notice and Consent Banner text.","ccis":["CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-276008","ruleId":"SV-276008r1122674_rule","severity":"medium","ruleTitle":"Ax-OS password manager must be disabled.","description":"It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). \n\nExamples of nonessential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality that is not required for every mission but cannot be disabled.","checkContent":"Select the gear icon (System Settings) >> Access Management >> External Password Managers.\n\nIf the \"Use Password Manager\" slide bar is enabled, this is a finding.","fixText":"Select the gear icon (System Settings) >> Access Management >> External Password Managers.\n\nDisable the \"Use Password Manager\" slide bar.","ccis":["CCI-000381"]},{"vulnId":"V-276009","ruleId":"SV-276009r1122677_rule","severity":"high","ruleTitle":"Ax-OS must use multifactor authentication for network access to the customer account.","description":"Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. 
\n\nMultifactor authentication requires using two or more factors to achieve authentication. \n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). \n\nA privileged account is defined as an information system account with authorizations of a privileged user. \n\nNetwork access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).","checkContent":"Have the system administrator (SA) demonstrate accessing the Axonius Toolbox (accessed via Secure Shell [SSH]).\n\nVerify the SA is using a password-protected SSH key to log in to the system. \n\nIf the SA is not using a password-protected SSH key to log in to the system, this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nSystem Actions >> Update customer account SSH key\n\nFollow the on-screen prompts to configure key-based authentication.","ccis":["CCI-000765"]},{"vulnId":"V-276010","ruleId":"SV-276010r1122680_rule","severity":"high","ruleTitle":"Ax-OS must use multifactor authentication for network access to the files account.","description":"Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. \n\nMultifactor authentication requires using two or more factors to achieve authentication. \n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). \n\nA privileged account is defined as an information system account with authorizations of a privileged user. 
\n\nNetwork access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).","checkContent":"Have the system administrator (SA) demonstrate logging in to the Axonius host via Secure File Transfer Protocol (SFTP).\n\nVerify the SA is using a password-protected Secure Shell (SSH) key to log in to the system. \n\nIf the SA is not using a password-protected SSH key to log in to the system, this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nSystem Actions >> Update files account SSH key\n\nFollow the on-screen prompts to configure key-based authentication.","ccis":["CCI-000765"]},{"vulnId":"V-276011","ruleId":"SV-276011r1123259_rule","severity":"high","ruleTitle":"Ax-OS must use multifactor authentication for network access to nonprivileged accounts.","description":"To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. \n\nMultifactor authentication uses two or more factors to achieve authentication. \n\nFactors include:\n(i) Something you know (e.g., password/PIN); \n(ii) Something you have (e.g., cryptographic identification device, token); or \n(iii) Something you are (e.g., biometric). \n\nA nonprivileged account is any information system account with authorizations of a nonprivileged user. 
\n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) that is obtained through a network connection.\n\nApplications that integrate with the DOD Active Directory and use the DOD Common Access Card (CAC) are examples of compliant multifactor authentication solutions.","checkContent":"Select the gear icon (System Settings) >> Access Management >> LDAP & SAML.\n\nUnder LDAP & SAML, if the slide bar for \"Allow LDAP Logins\" or \"Allow SAML Logins\" is not selected, this is a finding.\n\nIf the LDAP or SAML configuration does not point to an authentication source approved by the authorizing official (AO), this is a finding.","fixText":"Select the gear icon (System Settings) >> Access Management >> LDAP & SAML.\n\nUnder LDAP & SAML, enable either the slide bar for \"Allow LDAP Logins\" or the slide bar for \"Allow SAML Logins\".\n\nConfigure the remaining fields for the environment.","ccis":["CCI-000766"]},{"vulnId":"V-276012","ruleId":"SV-276012r1156548_rule","severity":"high","ruleTitle":"Ax-OS must have no local accounts for the user interface.","description":"To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. \n\nMultifactor authentication uses two or more factors to achieve authentication. \n\nFactors include:\n(i) Something you know (e.g., password/PIN); \n(ii) Something you have (e.g., cryptographic identification device, token); or \n(iii) Something you are (e.g., biometric). \n\nA nonprivileged account is any information system account with authorizations of a nonprivileged user. 
\n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) that is obtained through a network connection.\n\nApplications that integrate with the DOD Active Directory and use the DOD common access card (CAC) are examples of compliant multifactor authentication solutions.\n\nSatisfies: SRG-APP-000150, SRG-APP-000023, SRG-APP-000024, SRG-APP-000025, SRG-APP-000065, SRG-APP-000148, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000178, SRG-APP-000180, SRG-APP-000183, SRG-APP-000318, SRG-APP-000345, SRG-APP-000389, SRG-APP-000391, SRG-APP-000392, SRG-APP-000394, SRG-APP-000395, SRG-APP-000400, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000410, SRG-APP-000427, SRG-APP-000580, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000740, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000880, SRG-APP-000885, SRG-APP-000890","checkContent":"Role-Based Access Control hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured.\n\nSelect the gear icon (System Settings) >> User and Role Management >> Users.\n\nIn the list of users, verify there are no users with \"Internal\" listed in the Source column.\n\nIf there are any users with \"Internal\" in the Source column that have not been documented and approved by the AO, this is a finding. \n\nIf all users with \"Internal\" in the Source column are documented and approved by the AO, or if no users with \"Internal\" in the Source column exist, this is not a finding.","fixText":"Role-Based Access Control hierarchy is to be defined by the AO. 
Separation of duties must be configured.\n\nSelect the gear icon (System Settings) >> User and Role Management >> Users.\n\nAfter Lightweight Directory Access Protocol (LDAP)/Single Sign-On (SSO) has been configured, remove all local users.","ccis":["CCI-000766","CCI-000015","CCI-000016","CCI-000017","CCI-000044","CCI-000764","CCI-004045","CCI-004046","CCI-001941","CCI-003627","CCI-000185","CCI-000186","CCI-000187","CCI-000206","CCI-000804","CCI-000884","CCI-002145","CCI-002238","CCI-002038","CCI-001953","CCI-001954","CCI-001958","CCI-001967","CCI-002007","CCI-004068","CCI-002009","CCI-002010","CCI-004083","CCI-004085","CCI-001632","CCI-002470","CCI-003628","CCI-003629","CCI-003747","CCI-004047","CCI-004058","CCI-004059","CCI-004060","CCI-004061","CCI-004062","CCI-004063","CCI-004064","CCI-004065","CCI-004066","CCI-004192","CCI-004901","CCI-004902"]},{"vulnId":"V-276013","ruleId":"SV-276013r1122689_rule","severity":"high","ruleTitle":"Ax-OS must protect the authenticity of communications sessions.","description":"Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nApplication communication sessions are protected using transport encryption protocols such as Transport Layer Security (TLS). TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one way) or mutual (two way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for the client and server to authenticate each other. \n\nThis requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). \n\nThis requirement addresses communications protection at the application session versus the network packet. 
It also establishes grounds for confidence at both ends of communications sessions in relation to the ongoing identities of other parties and validity of information transmitted. \n\nDepending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional).\n\nSatisfies: SRG-APP-000219, SRG-APP-000910","checkContent":"Select the gear icon (System Settings) >> Privacy and Security >> Certificate and Encryption.\n\nUnder SSL Certificate, if the certificate has not been changed from the self-signed default certificate, unless otherwise approved by the authorizing official (AO), this is a finding.\n\nUnder Certificate Verifications Settings, if \"Use OCSP\" is not selected, this is a finding.\n\nUnder SSL Trust & CA Settings, if \"Use custom certificate\" is not selected and configured for a DOD PKI (or other AO-approved certificate), this is a finding.\n\nUnder Mutual TLS Settings, if the \"Enable mutual TLS\" slide bar is not enabled, and the \"Enforce client certificate validation\" box is unchecked, this is a finding.\n\nUnder Encryption Settings, if the \"Allow legacy SSL cipher suites for adapters\" is checked, this is a finding.","fixText":"Select the gear icon (System Settings) >> Privacy and Security >> Certificate and Encryption.\n\nUnder Certificate Verifications Settings, select \"Use OCSP\".\n\nUnder SSL Trust & CA Settings, select \"Use custom certificate\" and configure for a DOD PKI (or other AO-approved certificate).\n\nUnder Mutual TLS Settings, enable the \"Enable mutual TLS\" slide bar. 
Check the \"Enforce client certificate validation\" box.\n\nUnder Encryption Settings, ensure the \"Allow legacy SSL cipher suites for adapters\" box is unchecked.","ccis":["CCI-001184","CCI-004909"]},{"vulnId":"V-276014","ruleId":"SV-276014r1122692_rule","severity":"high","ruleTitle":"Ax-OS must off-load audit records onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nSatisfies: SRG-APP-000358, SRG-APP-000086, SRG-APP-000090, SRG-APP-000097, SRG-APP-000108, SRG-APP-000111, SRG-APP-000115, SRG-APP-000116, SRG-APP-000118, SRG-APP-000120, SRG-APP-000121, SRG-APP-000122, SRG-APP-000123, SRG-APP-000125, SRG-APP-000181, SRG-APP-000267, SRG-APP-000275, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320, SRG-APP-000357, SRG-APP-000359, SRG-APP-000360, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000515, SRG-APP-000745, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000945, SRG-APP-000950, SRG-APP-000955","checkContent":"Select the gear icon (System Settings) >> External Integrations >> Syslog.\n\nUnder the Syslog menu, if the \"Use Syslog\" slide bar is not selected, this is a finding.\n\nUnder the Syslog menu, if \"Syslog instance\" has not been configured for an external log server (or otherwise proven Syslog is being captured by an external log server), this is a finding.","fixText":"Select the gear icon (System Settings) >> External Integrations >> Syslog.\n\nUnder the Syslog menu, enable \"Use Syslog\".\n\nUnder the Syslog menu, configure \"Syslog instance\" for 
an external log server.","ccis":["CCI-001851","CCI-000174","CCI-000171","CCI-000132","CCI-000139","CCI-000154","CCI-000158","CCI-000159","CCI-000162","CCI-000164","CCI-001493","CCI-001494","CCI-001495","CCI-001348","CCI-001876","CCI-001314","CCI-001294","CCI-000015","CCI-001849","CCI-001855","CCI-001858","CCI-001875","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001896","CCI-003821","CCI-003822","CCI-003823","CCI-003824","CCI-003825","CCI-003826","CCI-003827","CCI-003828","CCI-003829","CCI-003830","CCI-003831","CCI-003834","CCI-004992","CCI-004996","CCI-004997"]},{"vulnId":"V-276015","ruleId":"SV-276015r1122695_rule","severity":"medium","ruleTitle":"Ax-OS must implement privileged access authorization to all information systems and infrastructure components for selected organization-defined vulnerability scanning activities.","description":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the information system component that is the subject of the scanning may contain highly sensitive information. 
Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.\n\nThe vulnerability scanning application must use privileged access authorization for the scanning account.","checkContent":"From the Axonius Toolbox (accessed via Secure Shell [SSH]) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Update Tenable Scan Account Permissions\n\nEnter the scanning account username.\n\nIf no scanning account has been set, this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nCompliance Actions >> Advanced Compliance Actions >> Add Tenable Scan Account\n\nEnter the username.","ccis":["CCI-001067"]},{"vulnId":"V-276016","ruleId":"SV-276016r1123260_rule","severity":"medium","ruleTitle":"Ax-OS must compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source.","description":"Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.\n\nSatisfies: SRG-APP-000925, SRG-APP-000371, SRG-APP-000372, SRG-APP-000374, SRG-APP-000920","checkContent":"From the Axonius Toolbox (accessed via Secure Shell [SSH]) Main Actions Menu, select the following options:\n\nSystem Actions >> Advanced System Actions >> NTP Sources\n\nIf any NTP sources listed are not an authoritative time source approved by the authorizing official (AO), this is a finding.","fixText":"From the Axonius Toolbox (accessed via SSH) Main Actions Menu, select the following options:\n\nSystem Actions >> Advanced System Actions >> Configure NTP\n\nEnter the hostname/IP of an AO-approved authoritative time source.","ccis":["CCI-004923","CCI-004926","CCI-001890","CCI-004922"]}]}