{"stig":{"title":"Dragos Platform 2.x Security Technical Implementation Guide","version":"1","release":"6"},"checks":[{"vulnId":"V-270904","ruleId":"SV-270904r1058027_rule","severity":"medium","ruleTitle":"Dragos must configure idle timeouts at 10 minutes.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically at the operating system level but may be at Dragos level. \n\nWhen Dragos design specifies Dragos rather than the operating system will determine when to lock the session, Dragos session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed. \n\nPublicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.\n\nSatisfies: SRG-APP-000002, SRG-APP-000003, SRG-APP-000190, SRG-APP-000295, SRG-APP-000389","checkContent":"Verify session timeout is configured.\n\nIn the UI, navigate to Admin >> SiteStore Management >> Advanced Settings.\n\nClick \"Configurations\".\n\nIf Idle Auto-Logout Minutes is not set to \"10\" minutes, this is a finding. 
\n\nIf Re-Authenticate User Device (Inactive) is not set to \"1h\", this is a finding.","fixText":"Set session timeout configurations.\n\nIn the UI, navigate to Admin >> SiteStore Management >> Advanced Settings.\n\nClick \"Configurations\".\n\nSet Idle Auto-Logout Minutes to \"10\".\n\nSet Re-Authenticate User Device (Inactive) to \"1h\".\n\nClick \"Save & Apply\".","ccis":["CCI-000060","CCI-000057","CCI-001133","CCI-002361","CCI-002038"]},{"vulnId":"V-270910","ruleId":"SV-270910r1057994_rule","severity":"medium","ruleTitle":"Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.","description":"Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. \n\nA comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in noncentralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.\n\nDragos Platform must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within Dragos Platform itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. 
Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. \n\nAccount management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.\n\nSatisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000065, SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000163, SRG-APP-000165, SRG-APP-000170, SRG-APP-000173, SRG-APP-000233, SRG-APP-000345, SRG-APP-000317, SRG-APP-000318","checkContent":"Review the authentication method being used by the Platform. 
\n\nIn the UI, navigate to Admin >> SiteStore Management >> Authentication Providers.\n\nIf the Platform does not have an Authentication Provider configured, this is a finding.","fixText":"Configure LDAP.\n\nIn the UI, navigate to Admin >> SiteStore Management >> Authentication Providers.\n\nNext to LDAP/Active Directory, click \"ADD PROVIDER\".\n\nFill in the configuration in the \"Add New LDAP Provider\" form.\n\nClick \"Save\".","ccis":["CCI-000015","CCI-000017","CCI-000044","CCI-000765","CCI-000766","CCI-000767","CCI-000768","CCI-000795","CCI-000200","CCI-000195","CCI-000198","CCI-001084","CCI-002238","CCI-002142","CCI-002145"]},{"vulnId":"V-270916","ruleId":"SV-270916r1057996_rule","severity":"medium","ruleTitle":"The Dragos Platform must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-APP-000068, SRG-APP-000069","checkContent":"Verify the Dragos Platform displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system when logging in via SSH.\n\nIf the banner does not exist or is not formatted in accordance with applicable DOD policy, this is a finding.","fixText":"Configure the Dragos Platform to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system:\n\n1. 
Log in to the SiteStore or Sensor via SSH.\n\n2. Input \"config banner pre_login\" into the CLI.\n\n3. Input the banner text shown below, pressing \"Enter\" after each line. Press CTRL-D to save the text or CTRL-C to quit without saving.\n\n4. Apply the banner by executing the following:\nconfig apply\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","ccis":["CCI-000048","CCI-000050"]},{"vulnId":"V-270917","ruleId":"SV-270917r1155096_rule","severity":"medium","ruleTitle":"The publicly accessible Dragos Platform application must display the Standard Mandatory DOD Notice and Consent Banner before granting access to Dragos Platform.","description":"Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Verify that the Standard Mandatory DOD Notice and Consent Banner appears before being granted access to Dragos Platform UI. \n\nIf the Standard Mandatory DOD Notice is not presented, this is a finding.\n\nExample Banner: You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\\\n-At any time, the USG may inspect and seize data stored on this IS.\\\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.","fixText":"1. Download the following script, and put it in the /root directory on the sitestore where you want to apply the DOD Banner:\n\nimport os, json, sys, time\n# Created by bdudley@dragos.com to assist with Dragos STIG implementation\n# specifically related to DOD Banner for web UI before login\nos.chdir(\"/root\")\n# version compatibility check\nif 'Platform Version: 2.' not in os.popen(\"dragoscmd version\").read():\n    print(\"This version of the Dragos platform is incompatible with this script.\")\n    exit()\nDOD_BANNER_JS = \"alert('You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\\\n-At any time, the USG may inspect and seize data stored on this IS.\\\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.');\"\nfstream = open('banner.js', 'w')\nfstream.write(DOD_BANNER_JS)\nfstream.close()\n# get the platform-ui container id\nplatformui = os.popen(\"kubectl get pods | grep platform-ui | grep -v platform-ui-logger | awk '{print $1}'\").read().strip()\nBANNER_DIR = '/usr/share/nginx/html/source/'\nHTML_DIR = '/usr/share/nginx/html/'\nif \"--restore-defaults\" in sys.argv:\n    print(\"Restoring to default, no banner.\")\n    os.system(\"kubectl -n dragos-sitestore cp ./index.html.bak \"+platformui+\":\"+HTML_DIR+\"index.html\")\n    print(\"Done, reload the page to test changes.\")\n    exit()\n# this will check periodically to make sure the banner changes persisted, and re-apply them if not\nif \"--persist-banner\" in sys.argv:\n    # check the current settings\n    current_html = os.popen(\"curl -k https://localhost\").read()\n    if \"./source/banner.js\" in current_html:\n        print(\"Banner is currently set, taking no action.\")\n        exit()\n    else:\n        fstream = open(\"banner.log\", \"a\")\n        fstream.write(\"[\"+time.ctime().replace(\"  \", \"\")+\"] banner was not set, setting banner now.\\n\")\n        fstream.close()\n    # put the banner js file in the appropriate directory\n    os.system(\"kubectl -n dragos-sitestore cp ./banner.js \"+platformui+\":\"+BANNER_DIR+\"banner.js\")\n    # update the current version of index.html in the pod\n    os.system(\"kubectl -n dragos-sitestore cp ./index.html.patched \"+platformui+\":\"+HTML_DIR+\"index.html\")\n    exit()\n# is the sitestore up and running?\nif \"System is ready.\" not in os.popen(\"dragoscmd system k3s status\").read():\n    print(\"System is not ready, wait until all pods are started before configuring banner.\")\n    exit()\n# is there a backup of the old index.html file\nif os.path.exists('index.html.bak') == False:\n    print(\"Creating an index.html backup...\")\n    os.system(\"kubectl -n dragos-sitestore cp 
\"+platformui+\":\"+HTML_DIR+\"index.html ./index.html.bak\")\n    print(\"Done.\")\n# put the banner js file in the appropriate directory\nos.system(\"kubectl -n dragos-sitestore cp ./banner.js \"+platformui+\":\"+BANNER_DIR+\"banner.js\")\n# perform appropriate patching on the index.html backup\nfstream = open(\"index.html.bak\", \"r\")\nhtml = fstream.read()\nfstream.close()\noriginal = '<script nonce=\"**CSP_NONCE**\" type=\"module\" crossorigin'\nreplacement = '<script src=\"./source/banner.js\" nonce=\"**CSP_NONCE**\"></script><script nonce=\"**CSP_NONCE**\" type=\"module\" crossorigin'\nfstream = open(\"index.html.patched\", \"w\")\nfstream.write(html.replace(original, replacement))\nfstream.close()\n# update the current version of index.html in the pod\nos.system(\"kubectl -n dragos-sitestore cp ./index.html.patched \"+platformui+\":\"+HTML_DIR+\"index.html\")\nprint(\"Banner configuration changes complete, reload the login page (or logout) to see the popup.  If the formatting for the popup needs to be adjusted, make the changes in the banner block above and re-run this script.\")\nprint(\"\\nUse the below format to create a cron that makes the banner persist through reboots:\\n\\n*/5 * * * * python3 /root/DOD_Banner_Config_Utility.py --persist-banner\\n\\n\")\n\n2. Run the script with the following syntax: python3 DOD_Banner_Config_Utility.py, and go to the sitestore login page to verify the banner is present.\n3. Schedule the cron with the following syntax to make sure the change survives reboots: 5 * * * * python3 /root/DOD_Banner_Config_Utility.py --persist-banner","ccis":["CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-270919","ruleId":"SV-270919r1190805_rule","severity":"medium","ruleTitle":"The Dragos Platform must only allow local administrative and service user accounts.","description":"Only two default UI accounts facilitate the initial setup and configuration of the platform. 
These accounts provide immediate access to the system, allowing administrators to quickly get the system up and running without needing to create new user accounts during the initial installation phase.\n\nDuring maintenance, updates, or support operations, default accounts allow vendor support teams to access the system without needing to manage a variety of customer-specific accounts. This can streamline support activities and reduce downtime.\n\nDefault account passwords must be changed and protected so they cannot be exploited by attackers to gain unauthorized access to the system.\n\nSatisfies: SRG-APP-000080, SRG-APP-000234","checkContent":"Verify local user accounts.\n\nWhile logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users.\n\nIf any user except the UI administrator account is configured to authenticate with username and password, this is a finding.","fixText":"Remove any nondefault user accounts configured to authenticate with username and password or configure an approved identity provider for all required user accounts.\n\n1. Remove user:\nWhile logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users.\nClick the kebab menu next to the user and select \"Delete User\".\nClick \"DELETE\" in the verification window.\n\n2. 
Add Authentication method:\nWhile logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users.\nClick the kebab menu next to the user and select \"Edit User\".\nClick \"Authentication\" in the page selector.\nAdd information to appropriate authentication method and click \"Save\".","ccis":["CCI-000166","CCI-001682"]},{"vulnId":"V-270932","ruleId":"SV-270932r1058029_rule","severity":"medium","ruleTitle":"The Dragos Platform must have notification and audit services installed.","description":"Installing the Knowledge Pack(s) is essential for the Dragos Platform to provide comprehensive security monitoring, compliance, and operational visibility within industrial environments. It enhances the Platform's capabilities in detecting and responding to threats, ensuring regulatory compliance, and maintaining the overall security. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required.\n\nThe pack provides enhanced visibility into the operations of the Dragos Platform. This includes monitoring user activities, changes to system configurations, and other critical events. Improved visibility helps in identifying potential security issues and operational anomalies before they escalate into significant problems.","checkContent":"Ensure all notification and audit services are functional.\n\nLog in to the SiteStore CLI and execute the following command:\nsystem k3s status\n\nIf the message does not return \"system is ready\", this is a finding. \n\n(Note that for approximately 15–20 minutes after system startup or reboot, system will not be ready. Additionally, until the sensor is paired with a SiteStore, one pod on the sensor will not be ready).","fixText":"If a notification does not appear, install KP-CW-24-001. 
This knowledge pack will add this and other notifications relevant to the STIG to the Dragos Platform.\n\nTo add a Knowledge Pack:\nWhile logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> SiteStore Management >> Knowledge Packs.\n\nLocate all \"STIG-KP_Plus\" Knowledge Pack(s).\n\nClick the \"Deploy\" button next to the Knowledge Pack(s).\n\nFill in the form and click \"DEPLOY\".","ccis":["CCI-000139"]},{"vulnId":"V-270944","ruleId":"SV-270944r1107127_rule","severity":"medium","ruleTitle":"The Dragos Platform must be configured to send backup audit records.","description":"Configuring the Dragos Platform to send out backup audit records is a critical best practice for ensuring the security, integrity, and availability of audit data. It supports disaster recovery, regulatory compliance, forensic investigations, and overall operational resilience, thereby strengthening the organization's cybersecurity posture.\n\nStoring backup audit records in a separate location ensures that even if the primary system is compromised or experiences a failure, the audit records remain intact and secure. This separation enhances the overall integrity and security of the audit data.\n\nIn the event of a catastrophic event such as a cyberattack, hardware failure, or natural disaster, having backup audit records stored offsite allows for recovery of critical audit data. This capability is essential for restoring operations and conducting post-incident analyses.\n\nIn the aftermath of a security incident, forensic investigators rely on audit records to reconstruct events and understand the nature and impact of the incident. Backup audit records provide a reliable source of information for these investigations, even if the primary records are tampered with or deleted.\n\nRegularly backing up audit records ensures operational continuity by safeguarding critical data. 
In case of an unexpected event, the Dragos Platform can quickly access the backup records to continue monitoring and analyzing security events without significant disruption.\n\nRegular backups of audit records help ensure accountability by providing a reliable and tamper-evident log of activities. This accountability is essential for maintaining trust and transparency within the organization and with external stakeholders.\n\nSatisfies: SRG-APP-000125, SRG-APP-000515, SRG-APP-000358","checkContent":"Verify third-party server is used to offload audit records.\n\n1. Check for a configured Syslog Server. In the UI, navigate to Admin >> Integrations.\n\nClick \"LAUNCH\" in the Syslog section.\n\nIf a Syslog Server is not listed or Status is not connected, this is a finding. \n\nIf the protocol of the Syslog Server is not TLS or mTLS, this is a finding. \n\n2. Check for an export rule. In the UI, navigate to Notification >> RULES Tab.\n\nVerify a rule exists and has the following:\nAction = \"Send Syslog (<your syslog server>)\"\nCriteria = \"IF Notification Type equals System\" \n\nIf this rule does not exist with the correct Action and Criteria, this is a finding.","fixText":"Create Syslog server and Rule.\n\n1. Create a Syslog server on a third-party device. The steps may vary depending on the chosen Syslog server software.\n\n2. Create a syslog server output in the Dragos UI.\nNavigate to Admin >> Integrations.\nClick \"LAUNCH\" in the Syslog section.\nClick \"ADD NEW SERVER\".\nEnter third-party server information, select TLS or mTLS in the protocol dropdown, and click \"NEXT\".  Note: This step may require TLS certificate generation.\nInput Message Template.\nClick \"SAVE\".\n\n3. 
Create a rule.\nNavigate to Notification >> RULES Tab.\nClick \"NEW RULE\".\nFill in Name and Processing Order.\nFor Rule Criteria, select:\nIf ANY of the following - \"Notification Type\" \"Equals\" \"System\"\nAction = Send Syslog (third-party server)\nClick \"SAVE\".","ccis":["CCI-001348","CCI-001851","CCI-001851"]},{"vulnId":"V-270945","ruleId":"SV-270945r1107130_rule","severity":"medium","ruleTitle":"The Dragos Platform must have disk encryption enabled on virtual machines (VMs).","description":"Enabling disk encryption on VMs running the Dragos Platform is a critical security measure to protect sensitive data, ensure compliance with regulations, and provide a robust defense against various threats, including unauthorized access, data breaches, and insider threats.\n\nDisk encryption ensures that the data stored on the VM's disk is unreadable to unauthorized users. This is crucial for protecting sensitive information, such as security logs, configurations, and other operational data, from being accessed if the disk is physically stolen or if unauthorized access is obtained.\n\nIn the event of a security breach, encrypted disks prevent attackers from easily accessing the data stored on the VMs. This is particularly important for mitigating the risks associated with data breaches, including the potential exposure of sensitive operational technology (OT) and industrial control system (ICS) data.\n\nVMs can be snapshotted or cloned, creating exact copies of the VM, including its data. Disk encryption ensures that even if a snapshot or clone is made, the data remains protected and cannot be accessed without the appropriate decryption keys.\n\nDisk encryption protects data at rest, which is data stored on the disk when the system is not in use. 
This is a critical aspect of data security, as it ensures that the data remains protected even if the VM is powered off or in a dormant state.\n\nFor organizations using both on-premises and cloud environments, disk encryption provides a consistent approach to data security. This helps maintain uniform security policies and practices across different infrastructure setups.\n\nIn multi-tenant environments, where multiple virtual machines run on the same physical hardware, disk encryption ensures that data on one VM cannot be accessed by other tenants or compromised VMs on the same host.","checkContent":"If Dragos is running on an appliance, this check is Not Applicable. \n\nIf the hypervisor is using full disk encryption, this check is Not Applicable.\n\nCheck for disk encryption in a VM.\n\nLog in to the VM using a remote access method, such as SSH.\n\nUse Built-in Tools or Commands:\nLinux:\n1. Open a terminal window.\n\n2. Use the following command to check if any encrypted partitions exist:\nlsblk -o NAME,FSTYPE,LABEL,UUID,SIZE,MOUNTPOINT,TYPE\n\n3. Check for partitions with the filesystem type \"crypto_LUKS\" or similar.\n\n4. Use the following command to list encrypted volumes:\ncryptsetup luksDump /dev/sdX\n(Replace /dev/sdX with the appropriate device name)\n\nIf volumes are not encrypted, this is a finding.","fixText":"If Dragos is running on an appliance, this check is Not Applicable. \n\nIf the hypervisor is using full disk encryption, this check is Not Applicable.\n\nLUKS (Linux Unified Key Setup):\nDuring the installation process, most Linux distributions provide an option to encrypt the disk. Select this option to set up encryption.\n\nTo encrypt an existing installation, use tools such as cryptsetup to set up encryption manually. 
Here is a general guide:\n\nExecute the following (Replace /dev/sdX with the appropriate device name):\n\nsudo cryptsetup luksFormat /dev/sdX\nsudo cryptsetup open /dev/sdX encrypted_disk\nsudo mkfs.ext4 /dev/mapper/encrypted_disk\nsudo mount /dev/mapper/encrypted_disk /mnt","ccis":["CCI-001350"]},{"vulnId":"V-270947","ruleId":"SV-270947r1155102_rule","severity":"high","ruleTitle":"Dragos Platforms must limit privileges and not allow the ability to run shell.","description":"If Dragos Platform were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nSatisfies: SRG-APP-000133, SRG-APP-000206, SRG-APP-000246, SRG-APP-000340, SRG-APP-000342, SRG-APP-000384","checkContent":"Verify shell environment:\n\nLog in to the Dragos Platform CLI. \n\nExecute the following command:\nelevate\n\nEnter the elevate (admin) password, then execute the following command:\nrun shell\n\nIf the option \"run shell\" executes successfully and places the terminal session into a shell environment, this is a finding.\n\nNote: A shell environment will be noticeable because the terminal line will be in the format \"user@dragos:~$\" compared to dragoscmd, which would be \"dragos>\". 
If shell is properly uninstalled, the return will be \"Error: No such command 'shell'.\" The shell can be enabled and disabled as needed for troubleshooting efforts with appropriate authentication as dragos_admin.","fixText":"Uninstall shell environment:\n\nLog in to the Dragos Platform CLI. \n\nExecute the following command:\nelevate\n\nEnter the elevate password, then execute the following command:\ndisable shell\n\nOnce this has been executed, users cannot create interactive bash shell sessions. This command removes the shell from the Platform; it can only be enabled again if the dragos_admin user authenticates and changes the configuration for maintenance.\n\nNote: Access to the bash shell via the \"run shell\" command is disabled by default.","ccis":["CCI-001499","CCI-001166","CCI-001094","CCI-002235","CCI-002233","CCI-001764"]},{"vulnId":"V-270952","ruleId":"SV-270952r1057499_rule","severity":"medium","ruleTitle":"Dragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.","description":"Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. \n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log. 
Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Obtain the LDAP group name mapped to the admin role.\n\nRequest from the LDAP administrator the group membership of this LDAP group, and compare to the list of individuals appointed by the ISSM.\n\nIf users that are not defined by the ISSM as requiring admin rights are present in the admin role membership, this is a finding.","fixText":"Provide the list of individuals assigned by the ISSM to be members of the admin role to the Dragos administrator.\n\nProvide the list of individuals assigned by the ISSM to be members of the admin role to the LDAP administrator to add to the LDAP group mapped to the admin role.\n\nCreate user accounts and assign the admin role for users provided in the lists.","ccis":["CCI-001941"]},{"vulnId":"V-270955","ruleId":"SV-270955r1155105_rule","severity":"medium","ruleTitle":"The Dragos Platform must configure local password policies.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nSatisfies: SRG-APP-000164, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000174","checkContent":"Check password configurations.\nIn the UI, navigate to Admin >> SiteStore Management >> Authentication Providers.\n \nClick \"EDIT\" in the Local Authentication section. \n\nVerify the following settings:\n1. Password Expiration is set to \"2 months\" or less. \n2. 
Password Reuse Limit is set to \"5\" or less.\n3. Minimum Length is set to \"15\" or greater. \n4. Uppercase and lowercase letters is checked.\n5. Special characters is checked.\n6. Numeric characters is checked.\n7. Number of failed logins is set to \"5\", within is set to \"15 minutes\", results in is set to \"60 minute lockout\".\n\nIf any settings are not configured correctly, this is a finding.","fixText":"Change password configurations.\n\nIn the UI, navigate to Admin >> SiteStore Management >> Authentication Providers.\n\nClick \"EDIT\" in the Local Authentication section. \n\nChange the fields to the following settings:\nPassword Expiration = \"2 months\" or less\nPassword Reuse Limit = \"5\" or less\nMinimum Length = \"15\" or greater\nUppercase and lowercase letters = Checked\nSpecial characters = Checked\nNumeric characters = Checked\nNumber of failed logins = 5\nWithin = 15 minutes\nResults in = 60 minute lockout\n\n\nClick \"SAVE\".\n\nFor DragOS CLI: Passwords must meet a minimum requirement of 15 characters. Maximum password age is 1 year by default, and is configurable via the CLI.","ccis":["CCI-000205","CCI-000192","CCI-000193","CCI-000194","CCI-001619","CCI-000199"]},{"vulnId":"V-270978","ruleId":"SV-270978r1057577_rule","severity":"medium","ruleTitle":"Dragos must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device.","description":"Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network device or as a component of the network device. 
This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device.\n\nThis requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.","checkContent":"If using Dragos hardware, this check is Not Applicable.\n\nIn a virtual environment, check for FIPS-validated encryption:\n\nCheck the documentation of the virtual environment being used (e.g., virtual machine software or cloud service provider documentation) to find out if it uses FIPS compliance or FIPS-validated encryption support.\n\nCheck for configuration settings related to encryption algorithms and cryptographic modules in the virtual environment. Some platforms allow users to enable FIPS mode.\n\nPerform testing to ensure that only FIPS-approved cryptographic algorithms are being used within the virtual environment. This would involve testing encryption and decryption processes to confirm compliance with FIPS standards.\n\nIf the virtual environment is not using FIPS-validated encryption or is not using FIPS compliance, this is a finding.","fixText":"If using Dragos hardware, this check is Not Applicable.\n\nConfiguring FIPS compliance in a virtual environment involves enabling settings or options that enforce the use of only FIPS-approved cryptographic algorithms and modules. The exact steps may vary depending on the virtualization platform being used (e.g., VMware, Hyper-V, VirtualBox) or the cloud service provider being used (e.g., AWS, Azure). Here is a general guide on how to configure FIPS compliance in a virtual environment:\n\nReview Documentation: \nStart by reviewing the documentation provided by the virtualization platform or cloud service provider. 
Check for information on FIPS compliance and how to enable it within the environment.\n\nEnable FIPS Mode:\nMany virtualization platforms offer an option to enable FIPS mode. Depending on the platform, this option may be found in the settings or configuration menu.\n\nUpdate Software: \nEnsure the virtualization software and any guest operating systems are up to date. Some updates may include patches or changes related to FIPS compliance.\n\nConfigure Security Policies:\nCheck if there are specific security policies or configurations related to FIPS compliance that need to be set within the virtual environment. This could include policies related to encryption, authentication, or other security-related settings.\n\nTest Configuration: \nAfter enabling FIPS mode and configuring any necessary settings, perform testing to ensure that only FIPS-approved cryptographic algorithms are being used within the virtual environment. Test various cryptographic operations to verify compliance.","ccis":["CCI-001199"]},{"vulnId":"V-270993","ruleId":"SV-270993r1058013_rule","severity":"medium","ruleTitle":"The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.","description":"Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk.\n\nSatisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294","checkContent":"While logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users.\n\nCreate a new user account (does not require roles or authentication). \n\n(Within 15 minutes)\n1. Click the \"Notifications\" button. 
\nVerify a notification appears within Dragos Platform notifications page. \n\nIf a notification does not occur, this is a finding. \n\n2. Observe that the same notification appears in the aggregate server/syslog recipient.\n(Note: Depending on the software application used, steps to view syslog third-party alerts may vary.)\n\nIf an alert is not being sent to third-party syslog, this is a finding. \n\n3. Check Rules:\nNavigate to Notification >> RULES Tab.\n\nVerify a rule exists and has the following:\nAction = \"Send Syslog (third-party server)\"\nCriteria = \"Detected By Equals Authentication to the Dragos Platform\"\n          \"Detected By Equals User Account Activity\" \n\nIf a rule does not exist with the correct Action and Criteria, this is a finding.\n\n4. Remove the test user just created.","fixText":"1. If a notification does not appear, install KP-CW-24-001. This knowledge pack will add this and other notifications relevant to the STIG to the Dragos Platform.\n\nAdding Knowledge Pack:\nWhile logged in to the Dragos Platform with administrative privileges, navigate to Admin >> SiteStore Management >> Knowledge Packs.\n\nLocate all \"STIG-KP_Plus\" Knowledge Pack(s).\n\nClick \"Deploy\" button next to the Knowledge Pack(s).\n\nFill in the form and click \"DEPLOY\".\n\n2. If a notification appears but is not received by the aggregate/syslog server, ensure there is a rule to trigger a syslog export in the \"Notifications\" applet of the Dragos Platform. 
If not, create one.\n\nTo create a rule, navigate to Notification >> RULES Tab.\n\nCreate two Attributes.\n\nClick \"NEW RULE\".\n\nFill in Name and Processing Order.\n\nClick \"ADD ATTRIBUTE\" in the \"If ANY of the following\" block\nType = \"Detected By\"\nSelect Operation = \"Equals\"\nSelect Value = \"Authentication to the Dragos Platform\"\n\nClick \"ADD ATTRIBUTE\" in the \"If ANY of the following\" block\nType = \"Detected By\"\nSelect Operation = \"Equals\"\nSelect Value = \"User Account Activity\"\n\nIn the \"THEN perform the following actions\" block:\nClick \"ADD ACTION\"\nAction = Send Syslog (third-party server)\n\nClick \"SAVE\".","ccis":["CCI-001683","CCI-001684","CCI-001685","CCI-001686"]},{"vulnId":"V-271008","ruleId":"SV-271008r1057667_rule","severity":"medium","ruleTitle":"Dragos Platform must allocate audit record storage retention length.","description":"In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of Dragos Platform and is closely associated with the database administrator (DBA) and system administrator (SA) roles. The DBA or SA will usually coordinate the allocation of physical drive space with Dragos Platform owner/installer and Dragos Platform will prompt the installer to provide the capacity information, the physical location of the disk, or both.","checkContent":"In the UI, navigate to Admin >> SiteStore Management >> Advanced Settings.\n\nReview the System Security Plan (SSP).\n\nVerify Deleted Retention Days and Source Data Retention Days are set in accordance with organization-defined audit record storage requirements. 
If not, this is a finding.","fixText":"In the UI, navigate to Admin >> SiteStore Management >> Advanced Settings.\n\nSet \"Deleted Retention Days\" and \"Source Data Retention Days\" (length in days) in accordance with organization-defined audit record storage requirements. \n\nClick \"Save & Apply\".","ccis":["CCI-001849"]},{"vulnId":"V-271027","ruleId":"SV-271027r1130600_rule","severity":"medium","ruleTitle":"The Syslog client must use TCP connections.","description":"Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.\n\nThe organization must perform a periodic scan/review of Dragos (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.","checkContent":"Use the netstat command to display active UDP traffic:\nnetstat -n -u\n\nIf the syslog client is using a UDP connection, this is a finding.","fixText":"Changing UDP ports to TCP ports and using TCP instead involves modifying the configuration of the application or service that uses UDP for communication.\n\nModify the syslog client configuration to specify TCP instead of UDP. This may involve changing port numbers or selecting TCP as the communication protocol.\n\nAfter making the necessary changes, restart the application or service to apply the new configuration settings. 
This ensures that the syslog client starts using TCP ports instead of UDP ports.","ccis":["CCI-001762"]},{"vulnId":"V-271034","ruleId":"SV-271034r1057745_rule","severity":"medium","ruleTitle":"Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.","description":"The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access.\n\nPIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.\n\nSatisfies: SRG-APP-000402, SRG-APP-000403, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000177, SRG-APP-000176, SRG-APP-000175, SRG-APP-000401","checkContent":"Verify that Dragos is configured to use the DOD CAC or other PKI credential to log in to the application.\n\nLog in to the application. \n\nIf DOD CAC or other PKI is not configured, this is a finding.","fixText":"Configure an SSO proxy service using LDAP to provide PKI credentials.","ccis":["CCI-002009","CCI-002010","CCI-001953","CCI-001954","CCI-000185","CCI-000186","CCI-000187","CCI-001991"]},{"vulnId":"V-271049","ruleId":"SV-271049r1057790_rule","severity":"medium","ruleTitle":"The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. 
If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. \n\nThis requirement focuses on communications protection for Dragos Platform session rather than for the network packet.\n\nThis requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).\n\nSatisfies: SRG-APP-000427, SRG-APP-000605","checkContent":"Open a web browser and navigate to the Dragos Platform UI.\n\nLocate the security or certificate status indicator at the address bar.\n\nOpen the certificate information. If the certificate is signed by anyone other than DOD, PKI, or CA, this is a finding.","fixText":"Change Certificate via GUI.\n\nIn the UI, navigate to Admin >> SiteStore Management >> Advanced Settings.\n\nClick \"Change Certificate\".\n\nFill in the correct fields and either upload or insert the certificate.\n\nClick \"Save & Apply\".","ccis":["CCI-002470","CCI-000185"]},{"vulnId":"V-271070","ruleId":"SV-271070r1107133_rule","severity":"medium","ruleTitle":"The Dragos Platform must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise.","description":"When a security event occurs, Dragos Platform must immediately notify the appropriate support personnel so they can respond appropriately.\n\nAlerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection mechanisms, or prevention mechanisms.\n\nIOCs are forensic artifacts from intrusions that 
are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise.","checkContent":"1. Check Server Configuration.\n\nIf using Syslog Server:\nVerify third-party server is used to receive communication-related notifications.\nCheck for a configured Syslog Server.\nIn the UI, navigate to Admin >> Integrations.\nClick \"LAUNCH\" in the Syslog section.\n\nIf no server is configured or the status is not \"Connected\", this is a finding. \n\nIf no recipient is configured, this is a finding.\n\n2. Check Rules:\nNavigate to Notification >> RULES Tab.\nVerify a rule exists and has the following:\nAction = \"Send (<your syslog server>)\"\nCriteria = \"Notification Type Equals System\"\n          \"Notification Type Equals System Failure\" \n\nIf a rule does not exist with the correct Action and Criteria, this is a finding.","fixText":"1. Configure Servers.\nIf using Syslog Server:\nCreate a Syslog server on a third-party device.\nThe steps may vary depending on the chosen Syslog server software. Refer to 2.3.x Dragos Platform Syslog Integration Guide in the Customer Portal for additional help.\n\nCreate a syslog server output in the Dragos UI.\nNavigate to Admin >> Integrations.\nClick \"LAUNCH\" in the Syslog section.\nClick \"ADD NEW SERVER\".\nEnter third-party server information and click \"NEXT\".\nInput Message Template.\nClick \"SAVE\".\n\n\n2. 
Creating System Rules:\nNavigate to Notification >> RULES Tab.\nClick \"NEW RULE\".\nFill in Name and Processing Order.\n\nCreate two Attributes.\nClick \"ADD ATTRIBUTE\" in the \"If ANY of the following\" block:\nType = \"Notification Type\"\nSelect Operation = \"Equals\"\nSelect Value = \"System\"\n\nClick \"ADD ATTRIBUTE\" in the \"If ANY of the following\" block:\nType = \"Notification Type\"\nSelect Operation = \"Equals\"\nSelect Value = \"System failure\"\n\nIn the \"THEN perform the following actions\" block:\nClick \"ADD ACTION\".\nAction = \"Send (<your syslog server>)\"\n\nClick \"SAVE\".","ccis":["CCI-002664"]},{"vulnId":"V-271105","ruleId":"SV-271105r1057958_rule","severity":"medium","ruleTitle":"Before establishing a network connection with a Network Time Protocol (NTP) server, Dragos Platform must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server.","description":"Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nCurrently, DOD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. The NTP uses MD5 authentication keys. The MD5 algorithm is not approved for use in either the FIPS or NIST recommendation; thus, a CAT 1 finding is allocated in CCI-000803. However, the use of MD5 is preferred to no authentication at all and can be used to mitigate this requirement to a CAT II finding.\n\nThe trusted-key statement permits authenticating NTP servers. The product must be configured to support separate keys for each NTP server. 
Servers should have a PKI device certificate involved for use in the device authentication process.\n\nServer authentication is performed by the client using the server's public key certificate, which the server presents during the handshake. The exact nature of the cryptographic operation for server authentication is dependent on the negotiated cipher suite and extensions. In most cases (e.g., RSA for key transport, DH, and ECDH), authentication is performed explicitly through verification of digital signatures present in certificates and implicitly by the use of the server public key by the client during the establishment of the master secret. A successful \"Finished\" message implies that both parties calculated the same master secret and thus, the server must have known the private key corresponding to the public key used for key establishment.","checkContent":"Verify NTP Server.\n\nLog in to the Dragos Platform CLI. \n\nExecute the following command:\nconfig show\n\nIf an NTP server is configured, the following will be in the output. If the following is not in the output, this is a finding. (Note: \"servers\" will be the configured server.) \n\n \"system\": {\n    \"ntp\": {\n      \"enabled\": true,\n      \"servers\": [\n        \"pool.ntp.org\"\n      ]\n    }\n  }","fixText":"Configure NTP Server.\n\nLog in to the Dragos Platform CLI. \n\nExecute the following command:\nconfig ntp server add [\"SERVER_NAME\"]","ccis":["CCI-001967"]}]}