{"stig":{"title":"Trend Micro Deep Security 9.x Security Technical Implementation Guide","version":"2","release":"1"},"checks":[{"vulnId":"V-241108","ruleId":"SV-241108r879511_rule","severity":"medium","ruleTitle":"Trend Deep Security must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.","description":"Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. \n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.","checkContent":"Review the Trend Deep Security server configuration to ensure the number of concurrent sessions is limited to one.\n\nIn the administration console go to: \nSystem Settings >> Security >> Number of concurrent sessions allowed per User \n\nReview the policy to ensure no more than 1 session is permitted.\n\nIf more than 1 session is permitted this is a finding.","fixText":"Configure the Trend Deep Security server to limit the number of concurrent sessions to one.\n\nSet the current session limit to 1.\n\nAdministration >> System Settings >> Security >> Number of concurrent sessions allowed per User >> 1","ccis":["CCI-000054"]},{"vulnId":"V-241109","ruleId":"SV-241109r879513_rule","severity":"medium","ruleTitle":"Trend Deep Security must initiate a session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead.","checkContent":"Review the Trend Deep Security server configuration to ensure a session lock is initiated after a 15-minute period of inactivity.\n\nReview the application System Settings, to ensure the system timeout is set to 15 minutes or less. 
\n\nIf the session timeout is not set to 15 minutes or less this is a finding. \n\nAdministration >> System Settings >> Security >> User Security >> Session Timeout: 10 Minutes","fixText":"Configure the Trend Deep Security server to initiate a session lock after a 15-minute period of inactivity.\n\nSet the Session Timeout to 15 minutes or less.\n\nAdministration >> System Settings >> Security >> User Security >> Session Timeout: 10 Minutes","ccis":["CCI-000057"]},{"vulnId":"V-241110","ruleId":"SV-241110r879522_rule","severity":"medium","ruleTitle":"Trend Deep Security must provide automated mechanisms for supporting account management functions.","description":"Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. \n\nA comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.\n\nThe application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. 
Automated mechanisms may consist of differing technologies that when placed together form an overall automated mechanism supporting an organization's automated account management requirements. \n\nAccount management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.","checkContent":"Review the Trend Deep Security server configuration to ensure automated mechanisms for supporting account management functions are provided.\n\nInterview the ISSO to determine a list of authorized users and their respective roles supporting the application. Review the identified users within the following:\n\nAdministration >> User Management >> Users >> Assign Role\n\nIf the identified users do not match the roles assigned within the application this is a finding.","fixText":"Configure the Trend Deep Security server to provide automated mechanisms for supporting account management functions.\n\nConfigure the user permissions according to their assigned roles within the organization. \n\nAdministration >> User Management >> Users >> Assign Role","ccis":["CCI-000015"]},{"vulnId":"V-241111","ruleId":"SV-241111r879525_rule","severity":"medium","ruleTitle":"Trend Deep Security must automatically audit account creation.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. 
Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure that an audit trail exists which documents the creation of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server to ensure account creation is automatically audited.\n\nVerify \"User Created\" events are enabled by reviewing the following:\n \nAdministration >> System Settings >> System Events >> Enable Event ID 650  User Created.\n\nSelect: Record\nSelect: Forward\n\nIf \"User Created\" is not enabled this is a finding.","fixText":"Configure the Trend Deep Security server to automatically audit account creation.\n\nEnable \"User Created\" events by selecting the following:\n \nAdministration >> System Settings >> System Events >> Enable Event ID 650  User Created.\n\nSelect: Record\nSelect: Forward","ccis":["CCI-000018"]},{"vulnId":"V-241112","ruleId":"SV-241112r879526_rule","severity":"medium","ruleTitle":"Trend Deep Security must automatically audit account modification.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. 
A comprehensive account management process will ensure that an audit trail exists which documents the modification of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure account modification is automatically audited.\n\nVerify \"User Updated\" events are enabled by reviewing the following:\n\nAdministration >> System Settings >> System Events >> Enable Event ID 652  User Updated.\n\nSelect: Record\nSelect: Forward\n\nIf \"User Updated\" is not enabled this is a finding.","fixText":"Configure the Trend Deep Security server to automatically audit account modification.\n\nEnable \"User Updated\" events by selecting the following:\n\nAdministration >> System Settings >> System Events >> Enable Event ID 652  User Updated.\n\nSelect: Record\nSelect: Forward","ccis":["CCI-001403"]},{"vulnId":"V-241113","ruleId":"SV-241113r879527_rule","severity":"medium","ruleTitle":"Trend Deep Security must automatically audit account disabling actions.","description":"When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. 
In order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure account disabling actions are automatically audited.\n\nVerify \"User Locked Out\" events are enabled by reviewing the following:\n\nAdministration >> System Settings >> System Events >> Enable Event ID 603  User Locked Out.\n\nSelect: Record\nSelect: Forward\n\nIf \"User Locked Out\" is not enabled this is a finding.","fixText":"Configure the Trend Deep Security server to automatically audit account disabling actions.\n\nEnable \"User Locked Out\" events by selecting the following:\n\nAdministration >> System Settings >> System Events >> Enable Event ID 603  User Locked Out.\n\nSelect: Record\nSelect: Forward","ccis":["CCI-001404"]},{"vulnId":"V-241114","ruleId":"SV-241114r879528_rule","severity":"medium","ruleTitle":"Trend Deep Security must automatically audit account removal actions.","description":"When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. 
In order to detect and respond to events affecting user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure account removal actions are automatically audited.\n\nVerify \"User Deleted\" events are enabled by reviewing the following:\n   \nAdministration >> System Settings >> System Events >> Enable Event ID 651  User Deleted.\n\nSelect: Record\nSelect: Forward\n\nIf \"User Deleted\"  is not enabled this is a finding.","fixText":"Configure the Trend Deep Security server to automatically audit account removal actions.\n\nEnable \"User Deleted\" events by selecting the following:\n\nAdministration >> System Settings >> System Events >> Enable Event ID 651  User Deleted.\n\nSelect: Record\nSelect: Forward","ccis":["CCI-001405"]},{"vulnId":"V-241115","ruleId":"SV-241115r879533_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.","description":"A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. 
If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all system information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. \n\nApplication-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).\n\nApplications providing information flow control must be able to enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.","checkContent":"Review the Trend Deep Security server configuration to ensure approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies are enforced.\n\nInterview the ISSO in order to identify all users with permissions to the application. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" settings for each \"Role\" created along with the users assigned.\n\nIf the information gathered does not match the settings within the application this is a finding.","fixText":"Configure the Trend Deep Security server to enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.\n\nUse the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event tagging rights to Users in a Role. 
These rights can apply to all computers and computer groups or they can be restricted to only certain computers.\n\nTo restrict access, select the \"Selected Computers\" radio button and put a check next to the computer groups and computers that Users in this Role will have access to.\n\nAdministration >> User Management >> Roles\n\nSelect a Role and click Properties >> Computer Rights","ccis":["CCI-001368"]},{"vulnId":"V-241116","ruleId":"SV-241116r879534_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.","description":"A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. 
\n\nApplication-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).\n\nApplications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.","checkContent":"Review the Trend Deep Security server to ensure approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies are enforced.\n\nInterview the ISSO in order to identify all users with permissions to the application. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" settings for each \"Role\" created along with the users assigned.\n\nIf the information gathered does not match the settings within the application this is a finding.","fixText":"Configure the Trend Deep Security server to enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.\n\nUse the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event tagging rights to Users in a Role. 
These rights can apply to all computers and computer groups or they can be restricted to only certain computers.\n\nTo restrict access, select the \"Selected Computers\" radio button and put a check next to the computer groups and computers that Users in this Role will have access to.\n\nAdministration >> User Management >> Roles\n\nSelect a Role and click Properties >> Computer Rights","ccis":["CCI-001414"]},{"vulnId":"V-241117","ruleId":"SV-241117r879546_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.","checkContent":"Review the Trend Deep Security server configuration to ensure the limit of three consecutive invalid logon attempts by a user during a 15-minute time period is enforced.\n\nVerify the number of failed logon attempts. 
Go to Administration >> System Settings >> Security >> User Security >> Number of incorrect sign-in attempts allowed (before lock out): 3\n\nIf the number is greater than 3 this is a finding.","fixText":"Configure the Trend Deep Security server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.\n\nConfigure the number of failed logon attempts to 3.\n\nAdministration >> System Settings >> Security >> User Security >> Number of incorrect sign-in attempts allowed (before lock out): 3","ccis":["CCI-000044"]},{"vulnId":"V-241118","ruleId":"SV-241118r879550_rule","severity":"medium","ruleTitle":"Trend Deep Security must scan all media used for system maintenance prior to use.","description":"There are security-related issues arising from software brought into the information system specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a system in order to troubleshoot system traffic, or a vendor installing or running a diagnostic application in order to troubleshoot an issue with a vendor supported system).\n\nIf, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.\n\nThis requirement addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. 
This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch).","checkContent":"Review the Trend Deep Security server to ensure all media used for system maintenance is scanned prior to use.\n\nVerify Anti-Malware is enabled on each server that is applicable to the accreditation boundary.\n\nGo to Computers.\nRight-click a computer from the list of systems, select Properties >> Anti-Malware >> General\nVerify Configuration is set to \"On\" or \"Inherit On\".\n\nIf Configuration is set to \"Off\", this is a finding.","fixText":"Configure the Trend Deep Security server to scan all media used for system maintenance prior to use.\n\nThe scope of Malware Scans can be controlled by editing the Malware Scan Configuration that is in effect on a computer. The Malware Scan Configuration determines which files and directories are included or excluded during a scan and which actions are taken if malware is detected on a computer (for example, clean, quarantine, or delete). There are two types of Malware Scan Configurations:\n- Manual/Scheduled Scan Configurations\n- Real-Time Scan Configurations\n\nTo enable Anti-Malware functionality on a computer:\nGo to Computers.\nRight-click a computer from the list of systems, select Properties >> Anti-Malware >> General\nSet Configuration to \"On\" or \"Inherit On\".","ccis":["CCI-000870"]},{"vulnId":"V-241119","ruleId":"SV-241119r879559_rule","severity":"medium","ruleTitle":"Trend Deep Security must provide audit record generation capability for DoD-defined auditable events within all application components.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
\n\nAudit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the application will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.","checkContent":"Review the Trend Deep Security server configuration to ensure audit record generation capability for DoD-defined auditable events within all application components is provided.\n\nVerify the Administration >> System Settings >> System Events, are set to “Record.”\n- capture successful and unsuccessful logon attempts,\n- privileged activities or other system level access,\n- starting and ending time for user access to the system\n- concurrent logons from different workstations\n- successful and unsuccessful accesses to objects\n- all program initiations,\n- all direct access to the information system, \n- all account creation, modification, disabling, and termination actions.\n\nIf these settings are not set to “Record”, this is a finding.","fixText":"Configure Trend Deep Security to provide audit record generation capability 
for DoD-defined auditable events within all application components.\n\nGo to Administration >> System Settings >> System Events, and set the following settings to “Record.”\n160 Authentication Failed\n600 User Signed In\n601 User Signed Out\n602 User Timed Out\n603 User Locked Out\n604 User Unlocked\n608 User Session Validation Failed\n609 User Made Invalid Request\n610 User Session Validated\n611 User Viewed Firewall Event\n613 User Viewed Intrusion Prevention Event\n615 User Viewed System Event\n616 User Viewed Integrity Monitoring Event\n617 User Viewed Log Inspection Event\n618 User Viewed Quarantined File Detail\n619 User Viewed Anti-Malware Event\n620 User Viewed Web Reputation Event\n621 User Signed In As Tenant\n650 User Created\n651 User Deleted\n652 User Updated\n653 User Password Set\n660 Role Created\n661 Role Deleted\n662 Role Updated\n702 Credentials Generated\n703 Credential Generation Failed","ccis":["CCI-000169"]},{"vulnId":"V-241120","ruleId":"SV-241120r879560_rule","severity":"medium","ruleTitle":"Trend Deep Security must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n \nThe list of audited events is the set of events for which audits are to be generated. 
This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.","checkContent":"Review the Trend Deep Security server to ensure only the ISSM (or individuals or roles appointed by the ISSM) is allowed to select which auditable events are to be audited.\n\nVerify the user roles and assigned permissions within the Administration >> User Management >> Roles >> Properties >> Other Rights.\n\nIf a user role not appointed by the ISSM (e.g., Auditor) has rights beyond \"View Only\" for Alerts, Alert Configuration, Integrity Monitoring, or Log Inspection Rules, this is a finding.","fixText":"Configure the Trend Deep Security server to only allow the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.\n\nConfigure the assigned permissions for user roles not appointed by the ISSM within the \nAdministration >> User Management >> Roles >> Properties >> Other Rights. Set the following to \"View Only\":\nAlerts\nAlert Configuration\nIntegrity Monitoring\nLog Inspection Rules","ccis":["CCI-000171"]},{"vulnId":"V-241121","ruleId":"SV-241121r879561_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful attempts to access privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to access privileges occur.\n\nVerify the following events within the Administration >> System Settings >> System Events, are set to “Record.”\n660 Role Created \n661 Role Deleted \n662 Role Updated \n663 Roles Imported \n664 Roles Exported \n\nIf these settings are not set to “Record”, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to access privileges occur.\n\nGo to Administration >> System Settings >> System Events, and set the following settings to “Record.”\n660 Role Created \n661 Role Deleted \n662 Role Updated \n663 Roles Imported \n664 Roles Exported","ccis":["CCI-000172"]},{"vulnId":"V-241122","ruleId":"SV-241122r879562_rule","severity":"medium","ruleTitle":"Trend Deep Security must initiate session auditing upon startup.","description":"If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created.","checkContent":"Review the Trend Deep Security server to ensure session auditing upon startup is initiated.\n\nVerify the following events within the Administration >> System Settings >> System Events, are set to “Record.”\n600 User Signed In\n601 User Signed Out\n602 User Timed Out\n603 User Locked Out\n608 User Session Validation Failed\n610 User Session Validated\n\nIf these settings are not set to “Record”, this is a finding.","fixText":"Configure the Trend Deep Security server to initiate session auditing upon startup.\n\nGo to Administration >> System Settings >> System Events, and set the following settings to “Record.”\n600 User Signed In\n601 User Signed Out\n602 User Timed Out\n603 User Locked Out\n608 User Session Validation Failed\n610 User Session Validated","ccis":["CCI-001464"]},{"vulnId":"V-241123","ruleId":"SV-241123r879570_rule","severity":"medium","ruleTitle":"Trend Deep Security must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. 
\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"Review the Trend Deep Security server configuration to ensure the ISSO and SA (at a minimum) are alerted in the event of an audit processing failure.\n\nVerify the audit processing failure events listed in the fix text, within Administration >> System Settings >> System Events, are set to “Forward.”\n\nNote that “Forward” sends the event to the syslog destination configured under Administration >> System Settings >> SIEM; the alert reaches the ISSO and SA only if that destination is one they actually monitor.\n\nIf these events are not set to “Forward”, this is a finding.","fixText":"Configure the Trend Deep Security server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.\n\nGo to Administration >> System Settings >> System Events and set the following events to “Forward.”\n\n0 Unknown Error\n266 Warnings/Errors Cleared\n609 User Made Invalid Request\n740 Agent/Appliance Error\n801 Error Dismissed\n913 Automatic Diagnostic Package Error\n923 Usage Information Package Error\n997 Tagging Error\n998 System Event Notification Error\n999 Internal Software Error\n1677 Trusted Platform Module Error","ccis":["CCI-000139"]},{"vulnId":"V-241124","ruleId":"SV-241124r879576_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect audit information from any type of unauthorized read access.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. 
In addition, access to audit records provides information an attacker could potentially use to his or her advantage.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access.\n\nThis requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.\n\nAdditionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"Review the Trend Deep Security server configuration to ensure audit information is protected from any type of unauthorized read access.\n\nInterview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. 
\n\nVerify the information gathered against the application's \"Computer and Group Rights\" for each \"Role\" created, along with the users assigned.\n\nIf the information gathered does not match the settings within the application, this is a finding.","fixText":"Configure the Trend Deep Security server to protect audit information from any type of unauthorized read access.\n\nEdit the audit permissions according to local policy by modifying the roles under:\n\nAdministration >> User Management >> Roles\nSelect the applicable role.\nClick \"Computer Rights\" to modify user permissions.\nNext, select “Other Rights” and modify accordingly.","ccis":["CCI-000162"]},{"vulnId":"V-241125","ruleId":"SV-241125r879577_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect audit information from unauthorized modification.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. \n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. 
\n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"Review the Trend Deep Security server configuration to ensure audit information is protected from unauthorized modification.\n\nInterview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" for each \"Role\" created, along with the users assigned.\n\nIf the information gathered does not match the settings within the application, this is a finding.","fixText":"Configure the Trend Deep Security server to protect audit information from unauthorized modification.\n\nEdit the audit permissions according to local policy by modifying the roles under:\n\nAdministration >> User Management >> Roles\nSelect the applicable role.\nClick \"Computer Rights\" to modify user permissions.\nNext, select “Other Rights” and modify accordingly.","ccis":["CCI-000163"]},{"vulnId":"V-241126","ruleId":"SV-241126r879578_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect audit information from unauthorized deletion.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. 
This requirement can be achieved through multiple methods, which will depend upon system architecture and design. \n\nSome commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. \n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself.","checkContent":"Review the Trend Deep Security server configuration to ensure audit information is protected from unauthorized deletion.\n\nInterview the ISSO in order to identify all users and their permissions to the audit records. 
The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" for each \"Role\" created, along with the users assigned.\n\nIf the information gathered does not match the settings within the application, this is a finding.","fixText":"Configure the Trend Deep Security server to protect audit information from unauthorized deletion.\n\nEdit the audit permissions according to local policy by modifying the roles under:\n\nAdministration >> User Management >> Roles\nSelect the applicable role.\nClick \"Computer Rights\" to modify user permissions.\nNext, select “Other Rights” and modify accordingly.","ccis":["CCI-000164"]},{"vulnId":"V-241127","ruleId":"SV-241127r879579_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect audit tools from unauthorized access.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Review the Trend Deep Security server configuration to ensure audit tools are protected from unauthorized access.\n\nInterview the ISSO in order to identify all users and their permissions to the audit records. 
The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" for each \"Role\" created, along with the users assigned.\n\nIf the information gathered does not match the settings within the application, this is a finding.","fixText":"Configure the Trend Deep Security server to protect audit tools from unauthorized access.\n\nEdit the audit permissions according to local policy by modifying the roles under:\n\nAdministration >> User Management >> Roles\nSelect the applicable role.\nClick \"Computer Rights\" to modify user permissions.\nNext, select “Other Rights” and modify accordingly.","ccis":["CCI-001493"]},{"vulnId":"V-241128","ruleId":"SV-241128r879580_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect audit tools from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Review the Trend Deep Security server to ensure audit tools are protected from unauthorized modification.\n\nInterview the ISSO in order to identify all users and their permissions to the audit records. 
The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" for each \"Role\" created, along with the users assigned.\n\nIf the information gathered does not match the settings within the application, this is a finding.","fixText":"Configure the Trend Deep Security server to protect audit tools from unauthorized modification.\n\nEdit the audit permissions according to local policy by modifying the roles under:\n\nAdministration >> User Management >> Roles\nSelect the applicable role.\nClick \"Computer Rights\" to modify user permissions.\nNext, select “Other Rights” and modify accordingly.","ccis":["CCI-001494"]},{"vulnId":"V-241129","ruleId":"SV-241129r879581_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect audit tools from unauthorized deletion.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Review the Trend Deep Security server configuration to ensure audit tools are protected from unauthorized deletion.\n\nInterview the ISSO in order to identify all users and their permissions to the audit records. 
The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed.\n\nVerify the information gathered against the application's \"Computer and Group Rights\" for each \"Role\" created, along with the users assigned.\n\nIf the information gathered does not match the settings within the application, this is a finding.","fixText":"Configure the Trend Deep Security server to protect audit tools from unauthorized deletion.\n\nEdit the audit permissions according to local policy by modifying the roles under:\n\nAdministration >> User Management >> Roles\nSelect the applicable role.\nClick \"Computer Rights\" to modify user permissions.\nNext, select “Other Rights” and modify accordingly.","ccis":["CCI-001495"]},{"vulnId":"V-241130","ruleId":"SV-241130r879582_rule","severity":"medium","ruleTitle":"Trend Deep Security must back up audit records at least every seven days onto a different system or system component than the system or component being audited.","description":"Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited, on an organizationally defined frequency, helps to assure that in the event of a catastrophic system failure the audit records will be retained. \n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement only applies to applications that have a native backup capability for audit records. 
Operating system backup requirements cover applications that do not provide native backup functions.","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are backed up at least every seven days onto a different system or system component than the system or component being audited.\n\nVerify that system events are forwarded to a remote log management system (continuous forwarding satisfies the seven-day interval) by reviewing the configuration settings in Administration >> System Settings >> SIEM.\n\nIf \"Forward System Events to a remote computer (via Syslog)\" is not enabled with the proper configuration settings, this is a finding.","fixText":"Configure the Trend Deep Security server to back up audit records at least every seven days onto a different system or system component than the system or component being audited.\n\nConfigure the application to forward audit records to a log management tool for backup and storage.\nGo to Administration >> System Settings >> SIEM.\nEnable \"Forward System Events to a remote computer (via Syslog)\".\n\nConfigure the following:\n\n   Hostname or IP address to which events should be sent\n   UDP port to which events should be sent\n   Syslog Facility\n   Syslog Format\n\nNote: syslog over UDP is unacknowledged and unencrypted, so events dropped in transit are not retransmitted; place the collector on a protected management network and monitor it for gaps in the forwarded event stream.","ccis":["CCI-001348"]},{"vulnId":"V-241131","ruleId":"SV-241131r879583_rule","severity":"high","ruleTitle":"Trend Deep Security must use cryptographic mechanisms to protect the integrity of audit information.","description":"Audit records may be tampered with; if the integrity of audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nProtection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. An example of a cryptographic mechanism is the computation and application of a cryptographic-signed hash using asymmetric cryptography. 
\n\nThis requirement applies to applications that generate or process audit records.","checkContent":"Review the Trend Deep Security server configuration to ensure cryptographic mechanisms are used to protect the integrity of audit information.\n\nVerify PDF encryption is enabled for report generation.\nGo to Administration >> User Management >> Users >> Right-click each administrative user account that generates reports and select \"Properties\".\nWithin the \"Settings\" tab, verify \"Enable PDF Encryption\" is selected.\n\nIf \"Enable PDF Encryption\" is not enabled, this is a finding.","fixText":"Configure the Trend Deep Security server to use cryptographic mechanisms to protect the integrity of audit information.\n\nEnable encryption for report generation.\nGo to Administration >> User Management >> Users >> Right-click the administrative user account and select \"Properties\".\nWithin the \"Settings\" tab, select \"Enable PDF Encryption\" and enter a password. This setting is per user, so repeat it for each account that generates reports.","ccis":["CCI-001350"]},{"vulnId":"V-241132","ruleId":"SV-241132r879588_rule","severity":"medium","ruleTitle":"Trend Deep Security must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. 
\n\nTo support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.","checkContent":"Review the Trend Deep Security server to ensure the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, is prohibited or restricted.\n\nReview the firewall policy for approved ports, protocols, and services associated with a defined group or a selected computer by selecting Computers on the top menu bar.\n\nChoose the appropriate group and, within the main page, select a computer for review.\n\nDouble-click the selected computer and click \"Firewall\".\n\nVerify the following settings are enabled:\n\nConfiguration: Inherit or On\nState: Activated\nFirewall Stateful Configurations: Inherited (if managed through a group policy)\nAssigned Firewall Rules: configured in accordance with local security policy\n\nIf the options identified are not set or configured in accordance with local policy, this is a finding.","fixText":"Configure the Trend Deep Security server to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.\n\nFrom the top menu select Policies >> New >> New Policy.\n\nEnter a name for the new policy; under “Inherit from”, select “None”.\n\nClick “Next” and select “Yes”.\n\nChoose the applicable computers that will inherit this policy, and click “Next”.\n\nEnsure all options are selected from the “Select which Computer properties to base new Policy on:” window, and click “Next”.\n\nClick “Finish”.","ccis":["CCI-000382"]},{"vulnId":"V-241133","ruleId":"SV-241133r879589_rule","severity":"medium","ruleTitle":"Trend Deep Security 
must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Review the Trend Deep Security server configuration to ensure organizational users (or processes acting on behalf of organizational users) are uniquely identified and authenticated.\n\nVerify the user accounts under Administration >> User Management >> Users.\n\nIf the accounts configured do not uniquely specify the organizational user's affiliation, this is a finding.","fixText":"Configure the Trend Deep Security server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).\n\nConfigure the appropriate affiliation display for the specified user under Administration >> User Management >> Users.\nRight-click the user account.\nClick \"Properties\" and select “User Name”. 
\nEnter the appropriate user identifiers.","ccis":["CCI-000764"]},{"vulnId":"V-241134","ruleId":"SV-241134r879601_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce a minimum 15-character password length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Review the Trend Deep Security server configuration to ensure a minimum 15-character password length is enforced.\n\nVerify the policy value for minimum password length.\n\nIf the value for “User password minimum length” under the Administration >> System Settings >> Security tab is not set to 15 or greater, this is a finding.","fixText":"Configure the Trend Deep Security server to enforce a minimum 15-character password length.\n\nConfigure the policy value for minimum password length.\n\nUnder the Administration >> System Settings >> Security tab, set the value for “User password minimum length” to at least 15.","ccis":["CCI-000205"]},{"vulnId":"V-241135","ruleId":"SV-241135r879603_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce password complexity by requiring that at least one upper-case character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one upper-case character be used.\n\nVerify the values for password complexity.\n\nIf the \"User password requires both upper-and lower-case characters\" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.","fixText":"Configure the Trend Deep Security server to enforce password complexity by requiring that at least one uppercase character be used.\n\nEnable the checkbox for the \"User password requires both upper-and lower-case characters\" policy value for password complexity under the Administration >> System Settings >> Security tab.","ccis":["CCI-000192"]},{"vulnId":"V-241136","ruleId":"SV-241136r879604_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce password complexity by requiring that at least one lower-case character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one lower-case character be used.\n\nVerify the values for password complexity.\n\nIf the \"User password requires both upper-and lower-case characters\" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.","fixText":"Configure the Trend Deep Security server to enforce password complexity by requiring that at least one lower-case character be used.\n\nEnable the checkbox for the \"User password requires both upper-and lower-case characters\" policy value for password complexity under the Administration >> System Settings >> Security tab.","ccis":["CCI-000193"]},{"vulnId":"V-241137","ruleId":"SV-241137r879605_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one numeric character be used.\n\nVerify the values for password complexity.\n\nIf the \"User password requires both letters and numbers\" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.","fixText":"Configure the Trend Deep Security server to enforce password complexity by requiring that at least one numeric character be used.\n\nEnable the checkbox for the \"User password requires both letters and numbers\" policy value for password complexity under the Administration >> System Settings >> Security tab.","ccis":["CCI-000194"]},{"vulnId":"V-241138","ruleId":"SV-241138r879606_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! 
@ # $ % ^ *.","checkContent":"Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one special character be used.\n\nVerify the values for password complexity.\n\nIf the \"User password requires non-alphanumeric characters\" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.","fixText":"Configure the Trend Deep Security server to enforce password complexity by requiring that at least one special character be used.\n\nEnable the checkbox for the \"User password requires non-alphanumeric characters\" policy value for password complexity under the Administration >> System Settings >> Security tab.","ccis":["CCI-001619"]},{"vulnId":"V-241139","ruleId":"SV-241139r879611_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. \n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. \n\nThis requirement does not include emergency administration accounts which are meant for access to the application in case of failure. 
These accounts are not required to have maximum password lifetime restrictions.","checkContent":"Review the Trend Deep Security server configuration to ensure a 60-day maximum password lifetime restriction is enforced.\n\nVerify the policy value for maximum password lifetime.\n\nIf the value for “User password expires” under the Administration >> System Settings >> Security tab is not set to 60 days or less, this is a finding.","fixText":"Configure the Trend Deep Security server to enforce a 60-day maximum password lifetime restriction.\n\nConfigure the policy value for maximum password lifetime.\n\nUnder the Administration >> System Settings >> Security tab, set the value for “User password expires” to 60 days.","ccis":["CCI-000199"]},{"vulnId":"V-241140","ruleId":"SV-241140r879617_rule","severity":"medium","ruleTitle":"Trend Deep Security must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. \n\nNon-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors and guest researchers). 
\n\nNon-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.","checkContent":"Review the Trend Deep Security server configuration to ensure non-organizational users (or processes acting on behalf of non-organizational users) are uniquely identified and authenticated.\n\nVerify the user accounts under Administration >> User Management >> Users\n\nIf the accounts configured do not uniquely specify the organizational user's affiliation, this is a finding.","fixText":"Configure the Trend Deep Security server to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).\n\nTo help prevent inadvertent disclosure of controlled information, all contractors are identified by the inclusion of the abbreviation \"ctr\" and all foreign nationals are identified by the inclusion of their two character country code.  See ECAD-1 Affiliation Display\n\nConfigure the appropriate affiliation display for the specified user under Administration >> User Management >> Users\nRight click the user account.\nClick \"Properties\" and Select “User Name”. 
\nEnter the appropriate user identifiers.","ccis":["CCI-000804"]},{"vulnId":"V-241141","ruleId":"SV-241141r879622_rule","severity":"medium","ruleTitle":"Trend Deep Security must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. 
This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.","checkContent":"Review the Trend Deep Security server configuration to ensure all network connections associated with a communications session are terminated at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.\n\nIf the value for user session termination under the Administration >> System Settings >> Security >> Session timeout, is not set to 10 minutes, this is a finding.","fixText":"Configure the Trend Deep Security server to terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.\n\nConfigure the policy value for session timeout. Under the Administration >> System Settings >> Security, set the value for “Session timeout” to 10 minutes.","ccis":["CCI-001133"]},{"vulnId":"V-241142","ruleId":"SV-241142r879643_rule","severity":"medium","ruleTitle":"Trend Deep Security must isolate security functions from non-security functions.","description":"An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. 
\n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. \n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Applications restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.","checkContent":"Review the Trend Deep Security server configuration to ensure security functions are isolated from non-security functions.\n\nIn order to restrict access to security functions through the use of access control mechanisms, least privilege capabilities must be enforced within the Deep Security, “User management” settings.\n\nIf role-based access controls are not enforced within the Administration >> User management >> Roles, this is a finding.","fixText":"Configure the Trend Deep Security server to isolate security functions from non-security functions.\n\nConfigure role-based access controls for least privileged accounts within the Administration >> User management >> Roles.","ccis":["CCI-001084"]},{"vulnId":"V-241143","ruleId":"SV-241143r879650_rule","severity":"medium","ruleTitle":"Trend Deep Security must restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems.","description":"DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. 
\n\nIndividuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties.\n\nApplications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks.\n\nThe methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it.","checkContent":"Review the Trend Deep Security server configuration to ensure the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems is restricted.\n\nDeep Security policies for Firewall Rules can be disruptive, causing a denial of service to the environment if not properly configured.\n\nIt is imperative that access to the firewall rule policies be restricted to authorized personnel by enforcing least privilege within the Deep Security “User management” settings.\n\nIf role-based access controls are not enforced within the Administration >> User management >> Roles >> [Policy Name] >> Properties >> Policy Rights, this is a finding.","fixText":"Configure the Trend Deep Security server to restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems.\n\nConfigure the role-based access controls to prevent access to policy modifications within the Administration >> User management >> Roles >> [Policy Name] >> Properties >> Policy Rights. 
The “Edit” option should only be enabled for authorized users.","ccis":["CCI-001094"]},{"vulnId":"V-241144","ruleId":"SV-241144r879651_rule","severity":"medium","ruleTitle":"Trend Deep Security must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nIn the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. \n\nThe methods employed to meet this requirement will vary depending upon the technology the application utilizes. However, a variety of technologies exist to limit or, in some cases, eliminate the effects of application related DoS attacks. Employing increased capacity and bandwidth combined with specialized application layer protection devices and service redundancy may reduce the susceptibility to some DoS attacks.","checkContent":"Review the Trend Deep Security server configuration to ensure excess capacity, bandwidth, or other redundancy is managed to limit the effects of information flooding types of Denial of Service (DoS) attacks.\n\nReview the “CPU Usage Level” under Administration >> System Settings >> Advanced >> CPU Usage During Recommendation Scans.\n\nDepending on resource capabilities for monitored agent scans, it may be necessary to limit the “CPU Usage Level” from High to Low. 
\n\nIf the setting is not configured in accordance with the SA best practice recommendation this is a finding.","fixText":"Configure the Trend Deep Security server to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.\n\nConfigure the “CPU Usage Level” in accordance with the SA best practice under Administration >> System Settings >> Advanced >> CPU Usage During Recommendation Scans.","ccis":["CCI-001095"]},{"vulnId":"V-241145","ruleId":"SV-241145r879659_rule","severity":"medium","ruleTitle":"Trend Deep Security must automatically update malicious code protection mechanisms.","description":"Malicious software detection applications need to be constantly updated in order to identify new threats as they are discovered. \n\nAll malicious software detection software must come with an update mechanism that automatically updates the application and any associated signature definitions. The organization (including any contractor to the organization) is required to promptly install security-relevant malicious code protection software updates. Examples of relevant updates include anti-virus signatures, detection heuristic rule sets, and/or file reputation data employed to identify and/or block malicious software from executing.\n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. 
\n\nThis requirement applies to applications providing malicious code protection.","checkContent":"Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms are automatically updated.\n\nAnalyze the system using the Administration >> System Settings >> Updates page.\n\nVerify that the “Automatically download updates to imported software” option is checked.\n\nIf this option is not enabled, this is a finding.","fixText":"Configure the Trend Deep Security server to automatically update malicious code protection mechanisms.\n\nGo to the Administration >> System Settings >> Updates page, and scroll down to Software Updates.\n\nCheck the box to enable “Automatically download updates to imported software”.","ccis":["CCI-001247"]},{"vulnId":"V-241146","ruleId":"SV-241146r879661_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify ISSO and ISSM of failed security verification tests.","description":"If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing.","checkContent":"Review the Trend Deep Security server configuration to ensure the ISSO and ISSM are notified of failed security verification tests.\n\nFrom Administration >> User Management >> Users\n\nSelect the account associated with the ISSM or ISSO and double-click.\n\nUnder the Contact Information tab, verify the Contact Information associated with the account is complete and accurate.\n\nIf the account information is missing or incorrect, this is a finding.\n\nNext, verify the \"Receive Alert Email\" check box is selected.\n\nIf the \"Receive Alert Email\" checkbox is not selected, this is a finding.","fixText":"Configure the Trend Deep Security server to notify ISSO and ISSM of failed security verification tests.\n\nGo to Administration >> User Management >> Users\n\nSelect the account associated with the ISSM or ISSO and double-click.\n\nUnder the “Contact Information” tab enter the user's Contact Information.\n\nNext, select the checkbox for “Receive Alert Emails”.","ccis":["CCI-001294"]},{"vulnId":"V-241147","ruleId":"SV-241147r879662_rule","severity":"medium","ruleTitle":"Trend Deep Security must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.","description":"Malicious code includes viruses, worms, Trojan horses, and spyware. 
The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. Malicious code may also be able to run and attach programs, which may allow the unauthorized distribution of malicious mobile code. Once this code is installed on endpoints within the network, unauthorized users may be able to breach firewalls and gain access to sensitive data.\n\nThis requirement applies to applications providing malicious code protection. Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. Malicious code protection mechanisms (including signature definitions and rule sets) must be updated when new releases are available.","checkContent":"Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms are updated whenever new releases are available in accordance with organizational configuration management policy and procedures.\n\nAnalyze the system using the Administration >> System Settings >> Updates page. \n\nVerify that the “Automatically download updates to imported software” option is enabled.\n\nIf this option is not enabled, this is a finding.","fixText":"Configure the Trend Deep Security server to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.\n\nGo to the Administration >> System Settings >> Updates page, and scroll down to Software Updates.\n\nCheck the box to enable “Automatically download updates to imported software”.","ccis":["CCI-001240"]},{"vulnId":"V-241148","ruleId":"SV-241148r879663_rule","severity":"medium","ruleTitle":"Trend Deep Security must configure malicious code protection mechanisms to perform periodic scans of the information system every seven (7) days.","description":"Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. 
In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. It is not enough to simply have the software installed; this software must periodically scan the system to search for malware on an organization-defined frequency. \n\nThis requirement applies to applications providing malicious code protection.","checkContent":"Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms perform periodic scans of the information system every seven (7) days.\n\nAnalyze one of the custom policies under the “Policies” tab by right clicking and selecting “Details.”\nVerify the following settings are enabled:\n\n1. Under the Overview >> General tab, \"Anti-Malware\" is set to “On”\n2. Under the Anti-Malware >> General tab, “Real-Time Scan” is set to “Default”\n3. Under the Anti-Malware >> General tab, a custom “Malware Scan Configuration” is enabled with a Schedule configured to no more than 7 days.\n\nIf \"Anti-Malware\" is set to anything other than “On”, this is a finding. \n\nIf “Malware Scan Configuration” is set to “No Configuration,” this is a finding.","fixText":"Configure the Trend Deep Security server malicious code protection mechanisms to perform periodic scans of the information system every seven (7) days.\n\nTo enable malicious code protection via the anti-malware, configure the following settings under the “Policies” tab.\nUnder “Policies” right click and select “Details.” Configure the following settings:\n\n1. Under the Overview >> General tab, set \"Anti-Malware\" to “On”\n2. Under the Anti-Malware >> General tab, set “Real-Time Scan” to “Default”\n3. Under the Anti-Malware >> General tab, set a weekly scan under “Scheduled” by selecting “New”. Name the scheduled scan “Weekly” and configure it for a select day and time of the week. 
Click “OK” when finished.","ccis":["CCI-001241"]},{"vulnId":"V-241149","ruleId":"SV-241149r879664_rule","severity":"medium","ruleTitle":"Trend Deep Security must be configured to perform real-time malicious code protection scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.","description":"Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. It is not enough to simply have the software installed; this software must periodically scan the system to search for malware on an organization-defined frequency. \n\nThis requirement applies to applications providing malicious code protection.","checkContent":"Review the Trend Deep Security server to ensure real-time malicious code protection scans are performed on files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.\n\nVerify the Anti-Malware Real-Time Scan is enabled by reviewing the following settings under the “Policies” tab. 
Under “Policies” right click and select “Details” and choose “Anti-Malware.”\n\nReview the following settings: Anti-Malware State is set to “On” and the “Real-Time Scan” is set to “Default.”\n\nIf the two settings are not configured accordingly, this is a finding.","fixText":"Configure the Trend Deep Security server to perform real-time malicious code protection scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.\n\nTo enable malicious code protection via the anti-malware, configure the following settings under the “Policies” tab.\nUnder “Policies” right click and select “Details.” Configure the following settings:\n\n1. Under the Overview >> General tab, set \"Anti-Malware\" to “On”\n2. Under the Anti-Malware >> General tab, set “Real-Time Scan” to “Default”. Click “OK” when finished.","ccis":["CCI-001242"]},{"vulnId":"V-241150","ruleId":"SV-241150r879665_rule","severity":"medium","ruleTitle":"Trend Deep Security must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.","description":"Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nApplications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement.\n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. 
\n\nThis requirement applies to applications providing malicious code protection.","checkContent":"Review the Trend Deep Security server configuration to ensure malicious code is blocked and quarantined upon detection, and an immediate alert is then sent to appropriate individuals.\n\nVerify the “Custom remediation actions” for “Recognized Malware” under the Policy settings for Anti-Malware.\n- Under “Policies” tab right click any of the selected policies and click “Details.”\n- Choose “Anti-Malware” and deselect “Default Real-Time Scan Configuration.”  Be sure to re-enable this option once the review is complete.\n- Click “Edit” and select “Actions.”\n- Under the “Recognized Malware” verify the following settings:\n  - For Virus: Clean\n  - For Trojans: Quarantine\n  - For Packer: Quarantine\n  - For Spyware: Quarantine\n  - For Other Threats: Clean\n- Under “Possible Malware” verify “Quarantine” is selected.\n\nIf any of the settings are not configured accordingly, this is a finding.","fixText":"Configure the Trend Deep Security server to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.\n\nConfigure the “Custom remediation actions” for “Recognized Malware” under the Policy settings for Anti-Malware.\n- Under “Policies” tab right click any of the selected policies and click “Details.” \n- Choose “Anti-Malware” and deselect “Default Real-Time Scan Configuration.”  Be sure to re-enable this option once the review is complete. 
\n- Click “Edit” and select “Actions.”\n- Under the “Recognized Malware” configure the following settings:\n  - For Virus: Clean\n  - For Trojans: Quarantine\n  - For Packer: Quarantine\n  - For Spyware: Quarantine\n  - For Other Threats: Clean\n- Under “Possible Malware” select “Quarantine.”","ccis":["CCI-001243"]},{"vulnId":"V-241151","ruleId":"SV-241151r879669_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify System Administrators and Information System Security Officers when accounts are created.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are created.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts. 
Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650.\n\nIf the options for “Record” and “Forward” are not enabled for \"User Created\", this is a finding.","fixText":"Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers when accounts are created.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record and Forward”.","ccis":["CCI-001683"]},{"vulnId":"V-241152","ruleId":"SV-241152r879670_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify System Administrators and Information System Security Officers when accounts are modified.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSOs) exists. 
Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are modified.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. Analyze the system using the Administration >> System Settings >> System Events for “User Updated” Event ID 652.\n\nIf the options for “Record” and “Forward” are not enabled for \"User Updated\", this is a finding.","fixText":"Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers when accounts are modified.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “User Updated” Event ID 652. 
Select the options for Record and Forward.","ccis":["CCI-001684"]},{"vulnId":"V-241153","ruleId":"SV-241153r879671_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify System Administrators and Information System Security Officers for account disabling actions.","description":"When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nIn order to detect and respond to events that affect user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are disabled.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. 
Analyze the system using the Administration >> System Settings >> System Events for “User Locked Out” Event ID 603.\n\nIf the options for “Record” and “Forward” are not enabled for \"User Locked Out\", this is a finding.","fixText":"Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers for account disabling actions.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “User Locked Out” Event ID 603. Select the options for “Record” and “Forward”.","ccis":["CCI-001685"]},{"vulnId":"V-241154","ruleId":"SV-241154r879672_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify System Administrators and Information System Security Officers for account removal actions.","description":"When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nIn order to detect and respond to events that affect user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. 
\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are removed.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. Analyze the system using the Administration >> System Settings >> System Events for “User Deleted” Event ID 651.\n\nIf the options for “Record” and “Forward” are not enabled for \"User Deleted\", this is a finding.","fixText":"Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers for account removal actions.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “User Deleted” Event ID 651. 
Select the options for “Record” and “Forward”.","ccis":["CCI-001686"]},{"vulnId":"V-241155","ruleId":"SV-241155r879696_rule","severity":"medium","ruleTitle":"Trend Deep Security must automatically audit account enabling actions.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure account enabling actions are automatically audited.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. 
Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650.\n\nIf the options for “Record” and “Forward” are not enabled for \"User Created\", this is a finding.","fixText":"Configure the Trend Deep Security server to automatically audit account enabling actions.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record” and “Forward”.","ccis":["CCI-002130"]},{"vulnId":"V-241156","ruleId":"SV-241156r879697_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify SA and ISSO of account enabling actions.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure that an audit trail exists which documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. \n\nIn order to detect and respond to events that affect user accessibility and application processing, applications must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. 
\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure the SA and ISSO are notified of account enabling actions.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650.\n\nIf the options for “Record” and “Forward” are not enabled for \"User Created\", this is a finding.","fixText":"Configure the Trend Deep Security server to notify SA and ISSO of account enabling actions.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. 
Select the options for “Record” and “Forward”.","ccis":["CCI-002132"]},{"vulnId":"V-241157","ruleId":"SV-241157r879720_rule","severity":"medium","ruleTitle":"Trend Deep Security must audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat.","checkContent":"Review the Trend Deep Security server to ensure the execution of privileged functions are audited.\n\nInterview the ISSO for a list of functions identified as privileged within the application “System Events.” Privileged functions within the system events will include but are not limited to: Computer Created, Computer Deleted, User Added, etc.). \n\nVerify the list against the Administration >> System Settings >> System Events tab. 
\n\nIf the events are not set to Record and Forward, this is a finding.","fixText":"Configure the Trend Deep Security server to audit the execution of privileged functions.\n\nEnable the necessary privileged functions by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.","ccis":["CCI-002234"]},{"vulnId":"V-241158","ruleId":"SV-241158r879731_rule","severity":"medium","ruleTitle":"Trend Deep Security must off-load audit records onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are off-loaded onto a different system or media than the system being audited.\n\nVerify that audit records are off-loaded by confirming that the Manager is configured to instruct all managed computers to use Syslog:\n\n1. Go to the Administration >> System Settings >> SIEM tab.\n2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)” option is Enabled.\n3. Verify the IP address or the selected host name is entered.\n4. Verify UDP port 514 or the agency-selected port is provided.\n5. Verify the appropriate Syslog facility and Common Event Format settings are selected.\n\nIf any of these settings are missing from the SIEM configuration, this is a finding.","fixText":"Configure the Trend Deep Security server to off-load audit records onto a different system or media than the system being audited.\n\nTo configure the Manager to instruct all managed computers to use Syslog:\n\n1. Go to the Administration >> System Settings >> SIEM tab.\n2. In the System Event Notification (from the Manager) area, set the Forward System Events to a remote computer (via Syslog) option.\n3. 
Type the hostname or the IP address of the Syslog computer.\n4. Enter which UDP port to use (usually 514).\n5. Select which Syslog facility to use.\n6. Select the \"Common Event Format\" log format. (The \"Basic Syslog\" format is listed only for legacy support and should not be used for new integrations.)","ccis":["CCI-001851"]},{"vulnId":"V-241159","ruleId":"SV-241159r879732_rule","severity":"medium","ruleTitle":"Trend Deep Security must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion.","checkContent":"Review the Trend Deep Security server configuration to ensure an immediate warning is provided to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).”\n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. Analyze the system using the Administration >> System Settings >> System Events tab for “Manager Available Disk Space Too Low” Event ID 170. \n\nIf the options for “Record” and “Forward” are not enabled for “Manager Available Disk Space Too Low”, this is a finding.","fixText":"Configure the Trend Deep Security server to provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. 
Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “Manager Available Disk Space Too Low” Event ID 170. Select the options for “Record” and “Forward”.","ccis":["CCI-001855"]},{"vulnId":"V-241160","ruleId":"SV-241160r879733_rule","severity":"medium","ruleTitle":"Trend Deep Security must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).","checkContent":"Review the Trend Deep Security server configuration to ensure an immediate real-time alert is provided to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.\n\nAnalyze the system using the Administration >> System Settings >> Alerts tab. 
Review the email address listed in the “Alert Event Forwarding (From The Manager).” \n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.","fixText":"Configure the Trend Deep Security server to provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.\n\nConfigure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab.\nInsert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system.","ccis":["CCI-001858"]},{"vulnId":"V-241161","ruleId":"SV-241161r879750_rule","severity":"medium","ruleTitle":"Trend Deep Security must alert the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected.","description":"Unauthorized software not only increases risk by increasing the number of potential vulnerabilities, it also can contain malicious code. Sending an alert (in real time) when unauthorized software is detected allows designated personnel to take action on the installation of unauthorized software.\n\nThis requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).","checkContent":"Review the Trend Deep Security server configuration to ensure the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) are alerted when the unauthorized installation of software is detected.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts tab. 
Review the email address listed in the “Alert Event Forwarding (From The Manager).” \n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. Analyze the system using the Administration >> System Settings >> System Events for “Software Added” Event ID 151.\n\nIf the options for “Record” and “Forward” are not enabled for “Software Added”, this is a finding.","fixText":"Configure the Trend Deep Security server to alert the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected.\n\n1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must associate the SA and ISSO accounts reviewing and/or managing the system.\n\n2. Configure the alert using the Administration >> System Settings >> System Events for “Software Added” Event ID 151. Select the options for “Record” and “Forward”.","ccis":["CCI-001811"]},{"vulnId":"V-241162","ruleId":"SV-241162r879751_rule","severity":"medium","ruleTitle":"Trend Deep Security must prohibit user installation of software without explicit privileged status.","description":"Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. 
Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\n\nApplication functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. \n\nThe application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. \n\nThis requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications.","checkContent":"Review the Trend Deep Security server configuration to ensure user installation of software without explicit privileged status is prohibited.\n\nAnalyze the system using Administration >> User Management >> Roles.\nReview each role created that is not “Full Access”.\nRight-Click >> Properties on the desired role, and select “Other Rights.”\nThe “Updates” setting should be set to “View Only” or “Hide.” \n\nIf any option other than “View Only” or “Hide” is selected, this is a finding.","fixText":"Configure the Trend Deep Security server to prohibit user installation of software without explicit privileged status.\n\nConfigure the application to prevent non-authorized users from updating Deep Security by selecting Administration >> User Management >> Roles.\nRight-Click >> Properties on any of the roles listed and choose “Other Rights.”\nSet the “Updates” setting to “View Only” or “Hide”.","ccis":["CCI-001812"]},{"vulnId":"V-241163","ruleId":"SV-241163r879752_rule","severity":"medium","ruleTitle":"Trend 
Deep Security must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.","description":"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. \n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the application. Examples of security responses include, but are not limited to the following: halting application processing; halting selected application functions; or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.","checkContent":"Review the Trend Deep Security server configuration to ensure organization-defined automated security responses are implemented if baseline configurations are changed in an unauthorized manner.\n\nDeep Security Policies are policy templates that specify the security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. \n\n1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” \n\nIf this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.\n\n2. 
Analyze the system using the Administration >> System Settings >> System Events tab to ensure the following events are enabled:\n\n 350 Policy Created  Record Forward\n 351 Policy Deleted  Record Forward\n 352 Policy Updated  Record Forward\n 353 Policies Exported Record Forward\n 354 Policies Imported Record Forward\n\nIf the options for “Record” and “Forward” are not enabled on these events, this is a finding.","fixText":"Configure the Trend Deep Security server to implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.\n\nConfigure the application to record and forward changes to the baseline policies by selecting Administration >> System Settings >> System Events.\n\nEnable the Record and Forward option for each of the following:\n \n 350 Policy Created\n 351 Policy Deleted\n 352 Policy Updated \n 353 Policies Exported\n 354 Policies Imported","ccis":["CCI-001744"]},{"vulnId":"V-241164","ruleId":"SV-241164r879753_rule","severity":"medium","ruleTitle":"Trend Deep Security must enforce access restrictions associated with changes to application configuration.","description":"Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. 
\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"Review the Trend Deep Security server configuration to ensure access restrictions associated with changes to application configuration are enforced.\n\nInspect the settings used for enforcing least privilege through access restrictions under Administration >> User Management >> Roles.\n\nSelect a role under the “Roles” menu and click \"Properties\". \n\n1. Select the “Computer Rights” tab and verify the settings configured under the “Computer and Group Rights” area. \n\nIf non-authorized users have access to anything other than “View”, this is a finding. \n\n2. Select the “Policy Rights” tab and verify the settings configured under the “Policy Rights” area. \n\nIf non-authorized users have access to anything other than “View”, this is a finding. \n\n3. Select the “User Rights” tab and verify the settings configured under the “User Rights” area. \n\nIf non-authorized users have access to anything other than “Change own password and contact information only”, this is a finding. \n\n4. Select the “Other Rights” tab and verify the settings configured under the “Other Rights” area. \n\nIf non-authorized users have access to anything other than \"View-Only\" or \"Hide\", this is a finding.","fixText":"Configure the Trend Deep Security server to enforce access restrictions associated with changes to application configuration.\n\nEnforce access restrictions associated with changes to application configuration. Under Administration >> User Management >> Roles, select a role and click “Properties”. \n\n1. Click Computer Rights >> Computer and Group Rights, and select only the “View” checkbox. \n2. 
Click Policy Rights >> Policy Rights, and select only the “View” checkbox.\n3. Click User Rights >> User Rights, and select “Change own password and contact information only.”\n4. Click Other Rights >> Other Rights, and select \"View-Only\" or \"Hide\" for all options according to local policy for the role's permissions.\n5. Click \"OK\".","ccis":["CCI-001813"]},{"vulnId":"V-241165","ruleId":"SV-241165r879754_rule","severity":"medium","ruleTitle":"Trend Deep Security must audit the enforcement actions used to restrict access associated with changes to the application.","description":"Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.","checkContent":"Review the Trend Deep Security server configuration to ensure the enforcement actions used to restrict access associated with changes to the application are audited.\n\nSystem Events include changes to the configuration of an Agent/Appliance, the Deep Security Manager, or Users. They also include errors that may occur during normal operation of the Trend Deep Security system. \n\nTo ensure the necessary events are captured, verify the Administration >> System Settings >> System Events settings against the local policy established by the ISSO. 
\n\nIf the settings configured do not match local policy, this is a finding.","fixText":"Configure the Trend Deep Security server to audit the enforcement actions used to restrict access associated with changes to the application.\n\nTo configure the application to capture the events identified by the ISSO, go to the Administration >> System Settings >> System Events tab.\n\nEnable all applicable events with “Record” and “Forward.”","ccis":["CCI-001814"]},{"vulnId":"V-241166","ruleId":"SV-241166r879798_rule","severity":"medium","ruleTitle":"Trend Deep Security must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet.\n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).","checkContent":"Review the Trend Deep Security server configuration to ensure only DoD PKI established certificate authorities are allowed for verification of the establishment of protected sessions.\n\nVerify the certificate's issuing CA, the issued-to name, and the validity dates by clicking the certificate icon in the web browser and selecting View Certificates, Certificate Information, etc. 
(browser dependent). \n\nIf the certificate is not issued by a DoD CA, this is a finding.","fixText":"Configure the Trend Deep Security server to only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.\n\n1. Run the following command to create a CSR for your CA to sign:\nC:\\Program Files\\Trend Micro\\Deep Security Manager\\jre\\bin>keytool -certreq -keyalg RSA -alias tomcat -file certrequest.csr\n2. Send the certrequest.csr to your CA to sign. In return you will get two files. One is a \"certificate reply\" and the second is the CA certificate itself.\n3. Run the following command to import the CA cert into the Java trusted keystore:\nC:\\Program Files\\Trend Micro\\Deep Security Manager\\jre\\bin>keytool -import -alias root -trustcacerts -file cacert.crt -keystore \"C:\\Program Files\\Trend Micro\\Deep Security Manager\\jre\\lib\\security\\cacerts\"\n4. Run the following command to import the CA certificate into your keystore:\nC:\\Program Files\\Trend Micro\\Deep Security Manager\\jre\\bin>keytool -import -alias root -trustcacerts -file cacert.crt (say yes to warning message)\n5. Run the following command to import the certificate reply into your keystore:\nC:\\Program Files\\Trend Micro\\Deep Security Manager\\jre\\bin>keytool -import -alias tomcat -file certreply.txt\n6. Run the following command to view the certificate chain in your keystore:\nC:\\Program Files\\Trend Micro\\Deep Security Manager\\jre\\bin>keytool -list -v\n7. Copy the .keystore file from your user home directory C:\\Documents and Settings\\Administrator to C:\\Program Files\\Trend Micro\\Deep Security Manager\\\n8. Open the configuration.properties file in folder C:\\Program Files\\Trend Micro\\Deep Security Manager. 
It will look something like:\nkeystore File=C\\:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Manager\\\\\\\\.keystore\nport=4119\nkeystorePass=$1$85ef650a5c40bb0f914993ac1ad855f48216fd0664ed2544bbec6de80160b2f\ninstalled=true\nserviceName= Trend Micro Deep Security Manager\n9. Replace the password in the following string:\nkeystorePass=xxxx\nwhere \"xxxx\" is the password you supplied in step five.\n10. Save and close the file.\n11. Restart the Deep Security Manager service.\n12. Connect to the Deep Security Manager with your browser and you will notice that the new SSL certificate is signed by your CA.","ccis":["CCI-002470"]},{"vulnId":"V-241167","ruleId":"SV-241167r879802_rule","severity":"medium","ruleTitle":"Trend Deep Security must maintain a separate execution domain for each executing process.","description":"Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.\n\nAn example is a web browser with process isolation that provides tabs that are separate processes using separate address spaces to prevent one tab crashing the entire browser.","checkContent":"Review the Trend Deep Security server configuration to ensure a separate execution domain for each executing process is maintained.\n\nReview the network topology supporting Deep Security for separation of zones and host OS. 
\n\nIf the architecture does not separate the Deep Security Manager (DSM) from the Database, this is a finding.","fixText":"Configure the Trend Deep Security server to maintain a separate execution domain for each executing process.\n\nInstall the Deep Security Manager on a dedicated server within a management zone. Next, connect the DSM to the assigned database provided. The database should be in a separate zone with the necessary firewall rules established for communication between the application server and the DB.","ccis":["CCI-002530"]},{"vulnId":"V-241168","ruleId":"SV-241168r879806_rule","severity":"medium","ruleTitle":"Trend Deep Security must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of applications to mitigate the impact of DoS attacks that have occurred or are ongoing on application availability. For each application, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.","checkContent":"Review the Trend Deep Security server configuration to ensure the effects of all types of Denial of Service (DoS) attacks are protected against or limited by employing organization-defined security safeguards.\n\nPolicies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. 
These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. \n\nSelect “Computers” from the top menu and double click on any computer from the “Computers” area. \nClick the “Firewall” menu and review the configuration setting under the “General” tab. \n\nIf Firewall >> Configuration is set to \"Off\", this is a finding. \n\nClick the “Intrusion Prevention” menu and review the configuration setting under the “General” tab. \n\nIf Intrusion Prevention >> Configuration is set to “Off”, this is a finding.","fixText":"Configure the Trend Deep Security server to protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.\n\n1. Create a new Policy based on a Recommendation Scan of a computer:\n\n- On the “Computers\" page, Right-click the computer, and select Actions >> Scan for Recommendations.\n- When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option.\n- When prompted, choose to base the new Policy on \"an existing computer's current configuration\".\n- Select \"Recommended Application Types and Intrusion Prevention Rules\", \"Recommended Integrity Monitoring Rules\", and \"Recommended Log Inspection Rules\" from among the computer's properties.\n\n2. Create a new Firewall policy based on a Recommendation Scan of a computer:\n \n- On the “Computers” page, Double-click on a computer, and select Firewall >> Scan for Open Ports.\n- Assign the necessary Firewall rules based on the open ports identified. 
Repeat for all rules as necessary.","ccis":["CCI-002385"]},{"vulnId":"V-241169","ruleId":"SV-241169r879821_rule","severity":"medium","ruleTitle":"Trend Deep Security must implement organization-defined security safeguards to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Review the Trend Deep Security server configuration to ensure organization-defined security safeguards are implemented to protect its memory from unauthorized code execution.\n\nPolicies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations.\nSelect “Computers” from the top menu and double click on any computer from the “Computers” window.\nClick the “Firewall” option and review the Configuration setting under the “General” tab. \n\nIf this is set to “Off”, this is a finding. \n\nClick the “Intrusion Prevention” option and review the Configuration setting under the “General” tab. \n\nIf this is set to “Off”, this is a finding","fixText":"Configure the Trend Deep Security server to implement organization-defined security safeguards to protect its memory from unauthorized code execution.\n\n1. 
Create a new Policy based on a Recommendation Scan of a computer:\n\n- On the “Computers\" page, Right-click the computer, and select Actions >> Scan for Recommendations.\n- When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option.\n- When prompted, choose to base the new Policy on \"an existing computer's current configuration\".\n- Select \"Recommended Application Types and Intrusion Prevention Rules\", \"Recommended Integrity Monitoring Rules\", and \"Recommended Log Inspection Rules\" from among the computer's properties.\n\n2. Create a new Firewall policy based on a Recommendation Scan of a computer:\n \n- On the “Computers” page, Double-Click on a computer, and select Firewall >> Scan for Open Ports.\n- Assign the necessary Firewall rules based on the open ports identified. Repeat for all rules as necessary.","ccis":["CCI-002824"]},{"vulnId":"V-241170","ruleId":"SV-241170r879827_rule","severity":"medium","ruleTitle":"Trend Deep Security must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. 
\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). \n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Review the Trend Deep Security server configuration to ensure security-relevant software updates are installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).\n\nReview the Scheduled Tasks under Administration >> Scheduled Tasks to see if “Daily Check for Security Updates” is present. 
\n\nIf “Daily Check for Security Updates” is not present, this is a finding.","fixText":"Configure the Trend Deep Security server to install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).\n\nGo to Scheduled Tasks under the “Administration” tab and click “New”.\nUnder “Type”, select “Check for Security Updates.” Choose the “Daily” option, and click “Next”.\nSelect a start date and time for the daily task, then choose “Every Day” and click “Next”.\nSelect the computers or groups according to the organization's custom policy, and click “Next”.\nEnter a unique name for the scheduled task, choose the “Task Enabled” option, and click “Finish”.","ccis":["CCI-002605"]},{"vulnId":"V-241171","ruleId":"SV-241171r879834_rule","severity":"medium","ruleTitle":"Trend Deep Security detection application must detect network services that have not been authorized or approved by the organization-defined authorization or approval processes.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore, may be unreliable or serve as malicious rogues for valid services. 
\n\nThis requirement can be addressed by a host-based IDS capability or by remote scanning functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure network services that have not been authorized or approved by the organization-defined authorization or approval processes are detected.\n\nReview the Intrusion Detection policy for approved ports, protocols and services associated within a defined group or a selected computer by:\n\n- Select “Computers” on the top menu bar.\n- Choose the appropriate group within the main page and select a computer for review.\n- Double click the selected computer and click “Intrusion Detection”.\n- Verify the following settings are enabled:\n  - Configuration is set to On\n  - Intrusion Prevention Behavior is set to Prevent or Detect; review local security policy for the appropriate setting.\n  - Assigned Intrusion Prevention Rules: review local security policy for the appropriate setting\n\nIf the Assigned Intrusion Prevention Rules do not match the locally defined policy, this is a finding.","fixText":"Configure the Trend Deep Security server to detect network services that have not been authorized or approved by the organization-defined authorization or approval processes.\n\nTo configure Deep Security to detect unauthorized services through the Intrusion Detection module, go to Policies >> Intrusion Prevention >> Select New >> New Intrusion Prevention Rule\n\n- Under Details >> Application Type >> Select “New”\n- Enter the name of the network service\n- Choose the appropriate direction\n- Select the appropriate protocol\n- Choose the applicable ports","ccis":["CCI-002683"]},{"vulnId":"V-241172","ruleId":"SV-241172r879835_rule","severity":"medium","ruleTitle":"Trend Deep Security must, when unauthorized network services are detected, log the event and alert the ISSO, ISSM, and other individuals designated by the local organization.","description":"Unauthorized or unapproved network services lack 
organizational verification or validation and therefore, may be unreliable or serve as malicious rogues for valid services. The detection of such unauthorized services must be logged and appropriate personnel must be notified. \n\nThis requirement can be addressed by a host-based IDS capability or by remote scanning functionality.","checkContent":"Review the Trend Deep Security server configuration to ensure the event is logged, and the ISSO, ISSM, and other individuals designated by the local organization are alerted when unauthorized network services are detected.\n\nPolicies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. \n\nSelect “Computers” from the top menu and double click on any computer from the list.\n\nUnder Firewall >> General Tab >> Firewall area, verify \"Configuration\" is set to \"On\".\n\nIf \"Configuration\" is set to “Off”, this is a finding. 
\n\nUnder Intrusion Detection >> General Tab >> Intrusion Detection area, verify \"Configuration\" is set to \"On\".\n\nIf \"Configuration\" is set to “Off”, this is a finding.","fixText":"Configure the Trend Deep Security server to log the event and alert the ISSO, ISSM, and other individuals designated by the local organization, when unauthorized network services are detected.\n\nCreate a new Policy based on a Recommendation Scan of a computer.\n\nTo do so, right click the computer on the “Computers” page and select Actions >> Scan for Recommendations.\n \nWhen the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard.\n\nEnter the policy name and choose “None” from the “Inherit From” option.\n\nWhen prompted, choose to base the new Policy on \"an existing computer's current configuration\".\n \nThen select \"Recommended Application Types and Intrusion Prevention Rules\", \"Recommended Integrity Monitoring Rules\", and \"Recommended Log Inspection Rules\" from among the computer's properties.\n\nFirewall rules should be created for each individual computer in order to prevent services from being disrupted.\n\nYou can create a new Firewall policy based on a Recommendation Scan of a computer.\n\nTo do so, double click on a computer on the Computers page and select Firewall >> Scan for Open Ports.\n\nAssign the necessary Firewall rules based on the open ports identified.\n\nApply other rules as necessary.","ccis":["CCI-002684"]},{"vulnId":"V-241173","ruleId":"SV-241173r879840_rule","severity":"medium","ruleTitle":"Trend Deep Security must continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.","description":"Evidence of malicious code is used to identify potentially compromised information systems or information system components. 
Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. \n\nThis requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but not limited to, host-based intrusion detection, anti-virus, and malware applications.","checkContent":"Review the Trend Deep Security server configuration to ensure inbound communications traffic is continuously monitored for unusual or unauthorized activities or conditions.\n\nVerify the state of the Intrusion Prevention policies:\n\n- Select “Computers” on the top menu bar.\n- Choose the appropriate group within the main page and select a computer for review.\n- Double click the selected computer and click “Intrusion Prevention”.\n- Verify the following settings are enabled:\n  - Configuration is set to Inherit or On\n  - “State:” shows “Activated”\n  - Policies are defined under the Assigned Intrusion Prevention Rules.\n\nIf any of these settings are not configured, this is a finding.","fixText":"Configure the Trend Deep Security server to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.\n\nTo enable Intrusion Prevention within Deep Security, go to “Computers” on the top menu bar.\n\n- Choose the appropriate group within the main page and select a computer for review.\n- Double click the selected computer and click Intrusion Prevention. 
\n- Enable the following settings:\n  - Configuration: Set to Inherit or On (according to local security policies) \n  - Verify “State:” is listing “Activated”\n  - Assign the appropriate policies under the Assigned Intrusion Prevention Rules.","ccis":["CCI-002661"]},{"vulnId":"V-241174","ruleId":"SV-241174r879842_rule","severity":"medium","ruleTitle":"Trend Deep Security must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.","description":"When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. \n\nAlerts may be generated from a variety of sources, including, audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners.\n\nIOCs are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. 
These indicators reflect the occurrence of a compromise or a potential compromise.\n\nThis requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but are not limited to, host-based intrusion detection, anti-virus, and malware applications.","checkContent":"Review the Trend Deep Security server configuration to ensure ISSO, ISSM, and other individuals designated by the local organization are alerted when the following Indicators of Compromise (IOCs) or potential compromise are detected: real time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.\n\n1. Analyze the system using the Administration >> System Settings >> Alerts tab. \nReview the email address listed in the “Alert Event Forwarding (From The Manager).” \n\nIf this email address is not present or does not belong to a distribution group for system administrators and ISSOs, this is a finding.\n\n2. Select Computers from the top menu and double click on any computer from the “Computers” window. Click the “Intrusion Prevention” option and review the Configuration setting under the “General” tab. \n\nIf “Intrusion Prevention” is set to “Off”, this is a finding\n\n3. Select a rule from the “Assigned Intrusion Prevention Rules” and double click to bring up the properties.  Click “Options” and verify that the “Alert” tab is set to “On”. 
\n\nIf “Alert” is set to “Off”, this is a finding.","fixText":"Configure the Trend Deep Security server to alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.\n\nConfigure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system.\n\nEnable Intrusion Prevention by selecting the “Computers” tab from the top menu and double clicking the computer to be configured from the list. Click Intrusion Prevention >> General. Select “On” under “Configuration”.\nEnable Alerts by selecting a rule from the “Assigned Intrusion Prevention Rules” and double clicking it to bring up the properties. Select the “Options” tab and set the “Alert” tab to “On”.","ccis":["CCI-002664"]},{"vulnId":"V-241175","ruleId":"SV-241175r879866_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify privileges occur.\n\nReview the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges.\n\nIf the options for “Record” and “Forward” are not enabled for successful/unsuccessful attempts to delete privileges, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify privileges occur.\n\nConfigure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. Select the “Record” and “Forward” options for the following:\n\n- Event ID: 102  Trend Micro Deep Security Customer Account Changed\n- Event ID: 130  Credentials Generated\n- Event ID: 131  Credential Generation Failed\n- Event ID: 290  Group Added\n- Event ID: 291  Group Removed\n- Event ID: 652  User Updated\n- Event ID: 660  Role Created\n- Event ID: 651  User Deleted\n- Event ID: 661  Role Deleted\n- Event ID: 662  Role Updated\n- Event ID: 663  Roles Imported\n- Event ID: 1900  Cloud Account Added\n- Event ID: 1901  Cloud Account Removed\n- Event ID: 1902  Cloud Account Updated","ccis":["CCI-000172"]},{"vulnId":"V-241176","ruleId":"SV-241176r879867_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify security objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible 
for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify security objects occur.\n\nReview the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security objects.\n\nIf the options for “Record” and “Forward” are not enabled for successful/unsuccessful attempts to modify security objects, this is a finding","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify security objects occur.\n\nConfigure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful attempts to modify security objects. Select the “Record” and “Forward” options for the following:\n\n- Event ID: 116  Rule Update Applied  \n- Event ID: 180  Alert Type Updated  \n- Event ID: 191  Alert Changed  \n- Event ID: Relay Group Assigned to Computer\n- Event ID: 290  Group Added  \n- Event ID: 292  Group Updated\n- Event ID: 306  Rebuild Baseline Requested  \n- Event ID: 352  Policy Updated  \n- Event ID: 378  Virtual Machine unprotected after move to another ESXi  \n- Event ID: 412  Firewall Rule Updated  \n- Event ID: 422  Firewall Stateful Configuration Updated  \n- Event ID: 462  Application Type Updated  \n- Event ID: 472  Intrusion Prevention Rule Updated  \n- Event ID: 482  Integrity Monitoring Rule Updated  \n- Event ID: 492  Log Inspection Rule Updated  \n- Event ID: 507  Context Updated  \n- Event ID: 512  IP List Updated  \n- Event ID: 522  Port List Updated  \n- Event ID: 532  MAC List Updated  \n- Event ID: 542  Proxy Updated  \n- Event ID: 552  Schedule Updated  \n- Event ID: 575  Asset Value Updated  \n- Event ID: 622  Access from Primary Tenant Enabled  \n- Event ID: 623  Access from 
Primary Tenant Disabled  \n- Event ID: 711  Agent Software Deployed  \n- Event ID: 713  Agent Software Removed  \n- Event ID: 720  Policy Sent  \n- Event ID: 734  Computer Clock Change  \n- Event ID: 942  Auto-Tag Rule Updated \n- Event ID: 1502  Malware Scan Configuration Updated  \n- Event ID: 1512  File Extension List Updated  \n- Event ID: 1517  File List Updated  \n- Event ID: 1550  Web Reputation Settings Updated  \n- Event ID: 1554  Firewall Stateful Configuration Updated \n- Event ID: 1555  Intrusion Prevention Configuration Updated \n- Event ID: 2002  Scan Cache Configuration Object Updated","ccis":["CCI-000172"]},{"vulnId":"V-241177","ruleId":"SV-241177r879868_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify security levels occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify security levels occur.\n\nReview the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security levels. \n\nIf the “Record” and “Forward” options for successful/unsuccessful attempts to modify security levels are not enabled, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify security levels occur.\n\nConfigure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security levels. 
Select the “Record” and “Forward” options for the following:\n\n- Event ID: 253  Policy Assigned to Computer\n- Event ID: 350  Policy Created  \n- Event ID: 352  Policy Updated  \n- Event ID:  720  Policy Sent  \n- Event ID: 410  Firewall Rule Created  \n- Event ID: 420  Firewall Stateful Configuration Created  \n- Event ID: 460  Application Type Created  \n- Event ID: 470  Intrusion Prevention Rule Created  \n- Event ID: 480  Integrity Monitoring Rule Created  \n- Event ID: 490  Log Inspection Rule Created  \n- Event ID: 495  Log Inspection Decoder Created  \n- Event ID: 573  Asset Value Created  \n- Event ID: 1500  Malware Scan Configuration Created  \n- Event ID: 1510  File Extension List Created","ccis":["CCI-000172"]},{"vulnId":"V-241178","ruleId":"SV-241178r879870_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful attempts to delete privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to delete privileges occur.\n\nReview the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. 
\n\nIf the “Record” and “Forward” options for successful/unsuccessful attempts to delete privileges are not enabled, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to delete privileges occur.\n\nConfigure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. Select the  “Record” and “Forward” options for the following:\n\n- Event ID: 124  Rule Update Deleted  \n- Event ID: 661  Role Deleted  \n- Event ID: 671  Contact Deleted  \n- Event ID: 291  Group Removed  \n- Event ID: 1901  Cloud Account Removed","ccis":["CCI-000172"]},{"vulnId":"V-241179","ruleId":"SV-241179r879872_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful attempts to delete security objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to delete security objects occur.\n\nReview the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete security objects. 
\n\nIf the “Record” and “Forward\" options for are not enabled for successful/unsuccessful attempts to delete security objects, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to delete security objects occur.\n\nConfigure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete security objects. Select the  “Record” and “Forward” options for the following:\n\n- Event ID: 124  Rule Update Deleted  \n- Event ID: 152  Software Deleted  \n- Event ID: 295  Interface Deleted  \n- Event ID: 296  Interface IP Deleted  \n- Event ID: 331  SSL Configuration Deleted  \n- Event ID: 351  Policy Deleted  \n- Event ID: 411  Firewall Rule Deleted  \n- Event ID: 421  Firewall Stateful Configuration Deleted  \n- Event ID: 461  Application Type Deleted  \n- Event ID: 471  Intrusion Prevention Rule Deleted  \n- Event ID: 481  Integrity Monitoring Rule Deleted  \n- Event ID: 491  Log Inspection Rule Deleted  \n- Event ID: 496  Log Inspection Decoder Deleted  \n- Event ID: 506  Context Deleted  \n- Event ID: 574  Asset Value Deleted  \n- Event ID: 593  Relay Group Deleted  \n- Event ID: 595  Event-Based Task Deleted  \n- Event ID: 931  Certificate Deleted  \n- Event ID: 941  Auto-Tag Rule Deleted \n- Event ID: 943  Tag Deleted  \n- Event ID: 1501  Malware Scan Configuration Deleted  \n- Event ID: 1501  Malware Scan Configuration Deleted  \n- Event ID: 1511  File Extension List Deleted  \n- Event ID: 1516  File List Deleted \n- Event ID: 1951  Tenant Deleted  \n- Event ID: 1954  Tenant Database Server Deleted","ccis":["CCI-000172"]},{"vulnId":"V-241180","ruleId":"SV-241180r879874_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it 
would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful logon attempts occur.\n\nReview the system using the Administration >> System Settings >> System Events for successful/unsuccessful attempts for \"User Signed In\"  (Event ID 600). \n\nIf the options for “Record” and “Forward” are not enabled, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful logon attempts occur.\n\nConfigure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful for \"User Signed In\" (Event ID 600). Select  “Record” and “Forward”.","ccis":["CCI-000172"]},{"vulnId":"V-241181","ruleId":"SV-241181r879875_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records for privileged activities or other system-level access.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are generated for privileged activities or other system-level access.\n\nInterview the ISSO for a list of functions identified as privileged within the application “System Events.” Privileged functions within the system events will include but are not limited to: Computer Created, Computer Deleted, User Added, etc.\nVerify the list against the Administration >> System Settings >> System Events tab. \n\nIf the events are not set to “Record” and “Forward”, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records for privileged activities or other system-level access.\n\nEnable the necessary privileged functions by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.","ccis":["CCI-000172"]},{"vulnId":"V-241182","ruleId":"SV-241182r879878_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records when successful/unsuccessful accesses to objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server to ensure audit records are generated when successful/unsuccessful accesses to objects occur.\n\nInterview the ISSO for a list of functions identified as objects that should be audited within the application “System Events.”\n\nVerify the list against the Administration >> System Settings >> System Events tab. 
\n\nIf the events are not set to “Record” and “Forward”, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records when successful/unsuccessful accesses to objects occur.\n\nEnable the necessary objects required for audit by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.","ccis":["CCI-000172"]},{"vulnId":"V-241183","ruleId":"SV-241183r879879_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records for all direct access to the information system.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server to ensure audit records are generated for all direct access to the information system.\n\nInterview the ISSO for a list of direct access objects that should be audited within the application “System Events.”\n\nVerify the list against the Administration >> System Settings >> System Events tab. 
\n\nIf the events are not set to “Record” and “Forward”, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records for all direct access to the information system.\n\nEnable the necessary audit setting to capture direct access to the system by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.","ccis":["CCI-000172"]},{"vulnId":"V-241184","ruleId":"SV-241184r879880_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records for all account creations, modifications, disabling, and termination events.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server to ensure audit records are generated for all account creations, modifications, disabling, and termination events.\n\nVerify all creations, modifications, disabling, and termination events identified within the Trend Deep Security System Events are set to “Record” and “Forward”. 
\n\nIf the events are not set to “Record” and “Forward”, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records for all account creations, modifications, disabling, and termination events.\n\nEnable the necessary setting required for audit by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.","ccis":["CCI-000172"]},{"vulnId":"V-241185","ruleId":"SV-241185r879881_rule","severity":"medium","ruleTitle":"Trend Deep Security must generate audit records for all kernel module load, unload, and restart events and, also for all program initiations.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the Trend Deep Security server to ensure audit records are generated for all kernel module load, unload, and restart events and, also for all program initiations.\n\nVerify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog:\n\n1. Go to the Administration >> System Settings >> SIEM tab.\n2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)\" box is checked. \n3. Verify the IP address to the selected host name is entered.\n4. Verify UDP port 514 or agency selected port is provided.\n5. 
Verify the appropriate Syslog facility is selected and the log format is \"Common Event Format\".\n\nIf any of these settings are missing from the SIEM configuration, this is a finding.","fixText":"Configure the Trend Deep Security server to generate audit records for all kernel module load, unload, and restart events and, also for all program initiations.\n\nTo configure the Manager to instruct all managed computers to use Syslog:\n\n1. Go to the Administration >> System Settings >> SIEM tab.\n2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box.\n3. Type the hostname or the IP address of the Syslog computer.\n4. Enter which UDP port to use (usually 514).\n5. Select which Syslog facility to use.\n6. Select the \"Common Event Format\" log format. (The \"Basic Syslog\" format is listed only for legacy support and should not be used for new integrations).","ccis":["CCI-000172"]},{"vulnId":"V-241186","ruleId":"SV-241186r879886_rule","severity":"medium","ruleTitle":"Trend Deep Security must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Review the Trend Deep Security server configuration to ensure audit records are off-loaded from interconnected systems in real time and from standalone systems at least weekly.\n\nVerify that audit records are off-loaded by confirming the Manager is configured to instruct all managed computers to use Syslog:\n\n1. Go to the Administration >> System Settings >> SIEM tab.\n2. In the “System Event Notification (from the Manager)” area, verify the “Forward System Events to a remote computer (via Syslog)” box is checked. \n3. Verify the hostname or IP address of the Syslog server is entered.\n4. 
Verify UDP port 514 or agency selected port is provided.\n5. Verify the appropriate Syslog facility is selected and the log format is \"Common Event Format\".\n\nIf any of these settings are missing from the SIEM configuration, this is a finding.","fixText":"Configure the Trend Deep Security server to off-load audit records from interconnected systems in real time and from standalone systems at least weekly.\n\nTo configure the Manager to instruct all managed computers to use Syslog:\n\n1. Go to the Administration >> System Settings >> SIEM tab.\n2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box.\n3. Type the hostname or the IP address of the Syslog computer.\n4. Enter which UDP port to use (usually 514).\n5. Select which Syslog facility to use.\n6. Select the \"Common Event Format\" log format. (The \"Basic Syslog\" format is listed only for legacy support and should not be used for new integrations).","ccis":["CCI-001851"]},{"vulnId":"V-241187","ruleId":"SV-241187r879845_rule","severity":"medium","ruleTitle":"Trend Deep Security must notify the system administrator when anomalies in the operation of the security functions are discovered.","description":"If anomalies are not acted upon, security functions may fail to secure the system. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing.","checkContent":"Review the Trend Deep Security server configuration to ensure the system administrator is notified when anomalies in the operation of the security functions are discovered.\n\nVerify Intrusion Prevention is enabled for all connected host systems by navigating to Policy >> Policy Editor. \n\nNavigate to Intrusion Prevention >> General and verify that the Intrusion Prevention module is \"On\" and configured with assigned rules.\n\nIf \"Intrusion Prevention\" is not set to \"On\", this is a finding.","fixText":"Configure the Trend Deep Security server to notify the system administrator when anomalies in the operation of the security functions are discovered.\n\nTo enable Intrusion Prevention functionality on a computer:\nIn the Policy/Computer editor, go to Intrusion Prevention >> General\n\nSelect \"On\", and then click \"Assign/Unassign\".\n\nSelect the appropriate rules applicable to the information system being monitored.\n\nClick \"Save\".","ccis":["CCI-002702"]},{"vulnId":"V-241188","ruleId":"SV-241188r879851_rule","severity":"medium","ruleTitle":"Trend Deep Security must implement security safeguards when integrity violations are discovered.","description":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Information includes metadata, such as security attributes associated with information. 
State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.\n\nOrganizations may define different integrity checking and anomaly responses by type of information (e.g., firmware, software, user data); by specific information (e.g., boot firmware, boot firmware for specific types of machines); or a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, restarting the information system, notification to the appropriate personnel or roles, or triggering audit alerts when unauthorized modifications to critical security files occur.\n\nThis capability must take into account operational requirements for availability when selecting an appropriate response.","checkContent":"Review the Trend Deep Security server configuration to ensure security safeguards are implemented when integrity violations are discovered.\n\nVerify Integrity Monitoring is enabled for all connected host systems by navigating to Policy >> Policy Editor. 
\n\nNavigate to Integrity Monitoring >> General, verify that the Integrity Monitoring module is \"On\" and configured with assigned rules.\n\nIf \"Integrity Monitoring\" is not set to \"On\", this is a finding.","fixText":"Configure the Trend Deep Security server to implement security safeguards when integrity violations are discovered.\n\nTo enable Integrity Monitoring functionality on a computer:\n\nIn the Policy/Computer editor, go to Integrity Monitoring >> General\n\nSelect \"On\", and then click \"Assign/Unassign\".\n\nSelect the appropriate rules applicable to the information system being monitored.\n\nClick \"Save\".","ccis":["CCI-002715"]},{"vulnId":"V-241189","ruleId":"SV-241189r879887_rule","severity":"medium","ruleTitle":"Trend Deep Security must synchronize with Active Directory on a daily (or AO-defined) basis.","description":"Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.","checkContent":"Review the Trend Deep Security server to ensure synchronization occurs with Active Directory on a daily (or AO-defined) basis.\n\nUnder Administration >> Scheduled Tasks, review the scheduled tasks listed for \"Daily Sync Users\".\n\nIf a task for syncing user accounts with AD on a daily (or AO-defined) schedule does not exist, this is a finding.","fixText":"Configure the Trend Deep Security server to synchronize with Active Directory on a daily (or AO-defined) basis.\n\nUnder Administration >> Scheduled Tasks, click \"New\".\n\nFrom the \"Type\" drop down menu, select \"Synchronize Users/Contacts\".\n\nSelect \"Daily\", and click \"Next\".\n\nEnter start date, start time, and select \"Every Day\".\n\nClick \"Next\".\n\nEnter a unique name for this scheduled task or leave the default.\n\nCheck the box for \"Task Enabled\", click \"Finish\".","ccis":["CCI-000366"]},{"vulnId":"V-241190","ruleId":"SV-241190r879887_rule","severity":"high","ruleTitle":"Trend Deep Security must reside on a Web Server configured for multifactor authentication.","description":"Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.","checkContent":"Review the Web Server hosting Trend Deep Security to ensure multifactor authentication has been configured.\n\n1. 
Open Internet Information Services (IIS) Manager.\n2. In the console tree, expand the server name.\n3. In the server Home page, double-click Authentication to open the Authentication page.\n4. In the Authentication page, right-click AD Client Certificate Authentication and ensure it is enabled (status \"Enabled\").\n5. Close the Authentication page.\n6. In the server Home page, double-click SSL Settings to open the SSL Settings page.\n7. Ensure the \"Require SSL\" checkbox is checked, and the \"Require\" radio button under Client certificates is selected.\n8. Close the SSL Settings page.\n9. Close IIS Manager.\n\nIf AD Client Certificate Authentication is not enabled in the Authentication page, this is a finding.\nIf \"Require SSL\" is not selected in the SSL Settings page, this is a finding.\nIf the \"Ignore\" or \"Accept\" radio button is selected in the SSL Settings page, this is a finding.","fixText":"Configure the Web Server hosting Trend Deep Security for multifactor authentication.\n\nTo configure the authentication method in IIS:\n1. Open Internet Information Services (IIS) Manager.\n2. In the console tree, expand the server name.\n3. In the server Home page, double-click Authentication to open the Authentication page.\n4. In the Authentication page, right-click AD Client Certificate Authentication, and click \"Enable\".\n5. Close the Authentication page.\n6. In the server Home page, double-click SSL Settings to open the SSL Settings page.\n7. Select the \"Require SSL\" checkbox, and the \"Require\" radio button under Client certificates.\n8. Close the SSL Settings page.\n9. Close IIS Manager.","ccis":["CCI-000366"]},{"vulnId":"V-241191","ruleId":"SV-241191r879594_rule","severity":"high","ruleTitle":"Trend Deep Security must ensure users are authenticated with an individual authenticator prior to using a group authenticator.","description":"To assure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. 
\n\nIndividual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. \n\nIf an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. \n\nSome applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply.\n\nThere may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server which contains publicly releasable information.","checkContent":"Review the Trend Deep Security server to ensure users are authenticated with an individual authenticator prior to using a group authenticator.\n\nReview the settings to ensure identity management is being performed through the organization's Active Directory. 
\n\nNavigate to Administration >> User Management >> Users and click \"Synchronize with Directory\".\n\nSelect \"Re-Synchronize (Using previous settings)\", and click \"Next\".\n\nIf the synchronization fails, this is a finding.","fixText":"Configure the Trend Deep Security server to authenticate users with an individual authenticator prior to using a group authenticator.\n\nNavigate to Administration >> User Management >> Users and click \"Synchronize with Directory\".\n\nUnder Server, enter the following information:\n\nServer Address (IP of the AD Server)\nAccess Method (UserID/Password StartTLS)\nUserName (Authorized, site-defined, service account used for synchronizing with Trend Deep Security)\nPassword\n\nClick \"Next\".\n\nSelect the authorized AD group used for managing the Trend Deep Security accounts, and click \"Next\".\n\nUnder \"New User\" Options, select the appropriate Role, click \"Next\".\n\nClick \"Finish\".","ccis":["CCI-000770"]},{"vulnId":"V-259713","ruleId":"SV-259713r942481_rule","severity":"high","ruleTitle":"The version of Trend Deep Security running on the system must be a supported version.","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). 
Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Trend Deep Security 9.x is no longer supported by the vendor. If the system is running Trend Deep Security 9.x, this is a finding.","fixText":"Upgrade to a supported version.","ccis":["CCI-002605"]}]}
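The "Record and Forward" checks (V-241179 through V-241184) and the SIEM forwarding checks (V-241185, V-241186) above are verified in the console, but the only evidence that forwarding actually works is the Common Event Format stream the syslog collector receives. The following Python is an added example, not part of the STIG or of Trend Micro's tooling: it parses CEF-over-syslog lines as a collector would see them and reports which of the required System Event IDs never arrived, which is the same condition the checks call a finding. The event IDs and names are taken from the checks above; the syslog prefix, the version string, the CEF severity values and the extension keys (`src`, `suser`, `target`, `msg`) in `SAMPLE_SYSLOG` are constructed for illustration and are not claimed to match the product's exact output.

```python
"""Added example (not STIG or vendor code): parse Deep Security Manager system
events forwarded over syslog in Common Event Format (CEF) and confirm that the
event IDs the STIG checks require are actually reaching the collector.

Assumptions: the syslog prefix, product version, severities and the extension
keys (src, suser, target, msg) in SAMPLE_SYSLOG are constructed; only the event
IDs and names come from the STIG entries."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Event IDs named in the STIG checks above: the logon event plus a subset of
# the "security object deleted" list. Extend with the full list as needed.
REQUIRED_EVENTS = {
    600: "User Signed In",
    351: "Policy Deleted",
    411: "Firewall Rule Deleted",
    471: "Intrusion Prevention Rule Deleted",
    481: "Integrity Monitoring Rule Deleted",
    931: "Certificate Deleted",
    1951: "Tenant Deleted",
}

# Constructed sample of what a syslog collector would receive (RFC 3164 prefix
# followed by the CEF body). Values containing '=' are escaped as '\=' per CEF.
SAMPLE_SYSLOG = r"""<134>Mar 12 09:41:07 dsm01 CEF:0|Trend Micro|Deep Security Manager|9.6.2|600|User Signed In|3|src=10.0.5.21 suser=jdoe target=jdoe msg=User signed in
<134>Mar 12 09:44:19 dsm01 CEF:0|Trend Micro|Deep Security Manager|9.6.2|351|Policy Deleted|6|suser=jdoe target=Web Server \= prod msg=Policy "Web Server \= prod" deleted
<134>Mar 12 09:45:02 dsm01 CEF:0|Trend Micro|Deep Security Manager|9.6.2|931|Certificate Deleted|6|suser=jdoe target=CN\=dsm01 msg=Certificate deleted
<134>Mar 12 09:47:55 dsm01 CEF:0|Trend Micro|Deep Security Manager|9.6.2|411|Firewall Rule Deleted|6|suser=svc-automation target=Allow RDP msg=Firewall rule deleted
"""


@dataclass
class SystemEvent:
    event_id: int
    name: str
    severity: int
    ext: dict = field(default_factory=dict)


def split_cef_header(body):
    """Split the seven '|'-separated CEF header fields, honouring the '\\|' and
    '\\\\' escapes, and return (fields, raw_extension). The extension is left
    raw because it has its own escaping rules."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: " + body[:40])
    return fields, body[i:]


# A key is a run of key characters immediately followed by '=', at the start of
# the extension or after whitespace; an escaped '\=' inside a value never
# qualifies because '\' is not a key character.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Parse 'key=value key=value' pairs; values may contain spaces and the CEF
    escapes '\\=', '\\\\', '\\n' and '\\r'."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF:0 message into a SystemEvent."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload: " + line[:40])
    header, ext = split_cef_header(line[start:])
    version, _vendor, _product, _pversion, sig_id, name, severity = header
    if version != "CEF:0":
        raise ValueError("unsupported CEF version " + version)
    return SystemEvent(int(sig_id), name, int(severity), parse_extension(ext))


def parse_feed(lines):
    """Parse every CEF line in a feed, ignoring blank or non-CEF syslog lines."""
    return [parse_cef(line) for line in lines if "CEF:" in line]


def audit_coverage(events, required=REQUIRED_EVENTS):
    """Return {event_id: name} for required events that never appeared in the
    feed, i.e. candidates for a 'not set to Record and Forward' finding."""
    seen = {e.event_id for e in events}
    return {eid: name for eid, name in required.items() if eid not in seen}


def deletions_by_actor(events):
    """Group '... Deleted' events by the signed-in user (suser) for review."""
    out = defaultdict(list)
    for e in events:
        if e.name.endswith("Deleted"):
            out[e.ext.get("suser", "<unknown>")].append((e.event_id, e.ext.get("target")))
    return dict(out)


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_SYSLOG.splitlines())
    print("required events never received:", audit_coverage(evs))
    print("deletions by actor:", deletions_by_actor(evs))
```

Run it against a capture from the collector rather than against the Manager's own database: a System Event that is recorded but not forwarded will never appear in the feed, which is exactly the gap the "Forward" half of each check is meant to close. Note that a missing event ID only proves something if that action actually occurred during the capture window; for a pre-audit test, trigger a known action (for example, delete a throwaway Tag, Event ID 943) and confirm it arrives.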