17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Riverbed NetIM NDM Security Technical Implementation Guide"}],false,["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Sep 29, 2025"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"RB_NetIM_STIG","children":"RB_NetIM_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":15}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",4]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",9]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Riverbed%20NetIM%20NDM%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Riverbed%20NetIM%20NDM%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Riverbed%20NetIM%20NDM%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RB_NetIM_Y25M09_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L22",null,{"checks":[{"id":"cec8e293-544f-4a62-8f25-7d3a45d3bbc9","vulnId":"V-275452","severity":"high","ruleTitle":"The Riverbed NetIM must enable and configure user audit logging.","description":"$23","checkContent":"Verify user audit logging is enabled. \n\n1. From the GUI menu, navigate to Configure >> All Settings >> Administer >> User Audit. \n2. Under the User Audit Logging section, verify \"Yes\" is selected.\n\nIf user audit logging is not enabled and assigned, this is a finding.","fixText":"Enable the User Audit role and assign to a user.\n\n1. From the GUI, navigate to Configure >> All Settings >> Administer >> User Audit. \n2. On the Settings tab, select \"Yes\" under the User Audit Logging section.\n3. Assign the role to an admin user account.\n\nNote: The user auditor role removes all other admin roles and functions from the users assigned the role of audit administrator. Other types of administrators, including the default admin of last resort, will not be able to access the auditing functions or local audit log."},{"id":"a50f6838-60d1-4653-8acd-445230e6755b","vulnId":"V-275453","severity":"medium","ruleTitle":"The Riverbed NetIM must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.","description":"Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.","checkContent":"Verify only the account of last resort, \"admin\", exists on the device.\n\nIn the GUI, navigate to Configure >> All Settings >> Administer >> User Management.\n\nIf local user accounts exist other than the account of last resort, this is a finding.","fixText":"Use of the default GUI account \"admin\" as the account of last resort is strongly recommended. It must have a DOD-compliant password and be securely stored in a safe for emergency, but not day-to-day, use. The \"NetIMAdmin\" default shell account cannot be changed but must be the only user shell account. It must have a DOD-compliant password.\n\nRemove all GUI local accounts other than the default admin account.\n\n1. In the GUI, navigate to Configure >> All Settings >> Administer >> User Management.\n2. In the Local Users section, click the \"X\" icon in the Actions column of the user's entry.\n\nThe NetIMAdmin shell account must remain the only local login account at this level."},{"id":"ade00566-013e-45a7-ab51-c8341ca2eba8","vulnId":"V-275454","severity":"high","ruleTitle":"The Riverbed NetIM must be configured to assign appropriate user roles or access levels to authenticated users.","description":"Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.","checkContent":"Review the user role assignments on the NetIM.\n\n1. In the GUI, navigate to Configure >> All Settings >> User Management. \n2. In the TACACS+ pane, inspect the Last Login Server column. Verify all users except for the account of last resort are listed and the role assigned for nonprivileged users is \"USERS\". Verify the admins are assigned admin roles, and the single audit administrator is assigned the role AUDIT_ADMIN. The audit admin role must be defined for DOD sites.\n\nIf NetIM account roles are not configured or if the roles assigned are not compliant, this is a finding.","fixText":"$24"},{"id":"436a1911-22b1-4535-abb2-73de9cffac5d","vulnId":"V-275455","severity":"medium","ruleTitle":"NetIM must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.","description":"Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.","checkContent":"$25","fixText":"$26"},{"id":"39a082f6-d69e-438a-9fa7-d5f9d53ea737","vulnId":"V-275456","severity":"medium","ruleTitle":"NetIM must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.","description":"The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DOD will not be in compliance with system use notifications required by law. \n\nTo establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement.\n\nIn the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, then entering the password is also acceptable.","checkContent":"Determine if NetIM is configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. \n\n1. From the GUI, go to Configure >> All Settings.\n2. From the Administrator group, select \"Login settings\". \n3. Verify the \"Require Acknowledgement\" box is checked.\n\nIf NetIM does not retain the banner on the screen until the administrator acknowledges the banner this is a finding.","fixText":"Configure NetIM to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. \n\n1. From the top menu, navigate to Configure >> All Settings.\n2. From the Administrator group, select \"Login settings\". \n3. Check \"Require Acknowledgement\"."},{"id":"c053cd74-0bf2-43a9-97ac-b70ce50d01aa","vulnId":"V-275457","severity":"low","ruleTitle":"The Riverbed NetIM must generate an alert of all audit failure events.","description":"To ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. \n\nThe value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.","checkContent":"Verify the system administrator (SA) and information system security officer (ISSO) are notified in the event of an audit processing failure by using the following command: \n \n $ sudo grep -i action_mail_acct /etc/rsyslog.d\n action_mail_acct = \n \nIf \"action_mail_acct\" is not set to the email address of the SA and/or ISSO, is commented out, or is missing, this is a finding.","fixText":"Configure the \"/etc/rsyslog.d\" service to notify the SA and ISSO in the event of an audit processing failure.\n\n1. Add or modify the following line in the \"/etc/rsyslog.d\" file: \n \naction_mail_acct = \n \nNote: Change \"administrator_email_account\" to the email address of the SA and/or ISSO. \n \n2. Restart rsyslog service.\n\n $ sudo service rsyslog restart\n\nNote: An email package must be installed on the system for email notifications to be sent."},{"id":"8c8073f8-7dea-4b96-93ad-df82884bdd64","vulnId":"V-275461","severity":"high","ruleTitle":"The Riverbed NetIM must be configured to use an authentication server configured for multifactor authentication (MFA) using DOD PKI for the purpose of authenticating users prior to granting administrative access.","description":"$27","checkContent":"Review the AAA configuration.\n\nNavigate to the GUI portal admin user login screen. If TACACS+ is configured, the NetIM login screen presents only the option to use TACACS.\n\nIf TACACS+ is not configured, this is a finding.","fixText":"$28"},{"id":"95126664-477e-4d60-9b92-c4dbff7be63f","vulnId":"V-275462","severity":"medium","ruleTitle":"The Riverbed NetIM must support organizational requirements to back up the NetIM application and security configuration when changes occur.","description":"System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who utilize this critical network component.\n\nThis control requires the Riverbed NetIM to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.","checkContent":"Review the system security plan (SSP) to determine the site's network device backup policy. \n\nCheck the backup log repository identified by the site. Verify regular backups are being performed.\n\nIf NetIM does not backup the information system documentation, including security-related documentation, when changes occur, this is a finding.","fixText":"Manually back up the application when changes occur in accordance with the SSP. This requirement normally gives an option for weekly, however since the backup requires the halting of system processes, weekly may not be operationally possible.\n\n1. From the NetIM core/manager node, navigate to , by entering a command similar to the following:\n\ncd /data1/riverbed/NetIM/ \n\n2. Log in to the shell of each node and run the following command:\n\n$ app.sh SAVE_RESTORE export \n\n = backup repository that is off the NETIM hosts.\n\nNote: VM snapshots of each node may be preferred by the site and are an acceptable alternative mitigation."},{"id":"e203a303-8f23-438f-a0dd-66bde23136fa","vulnId":"V-275465","severity":"medium","ruleTitle":"The Riverbed NetIM must enforce a minimum 15-character password length.","description":"Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.","checkContent":"Verify Password Rules is configured to use a 15-character password. \n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select \"Password Rules\".\n3. View the Maximum Password Length box.\n\nIf a 15-character password is not required, this is a finding.","fixText":"Configure Password Rules to use a 15-character password. \n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select \"Password Rules\".\n3. Check the Maximum Password Length box.\n4. Enter \"15\" in the option box and click \"Submit\"."},{"id":"dc7dd749-a52d-4a7d-8c2e-cd4b4aec5bac","vulnId":"V-275466","severity":"low","ruleTitle":"The Riverbed NetIM must be configured to require immediate selection of a new password upon account recovery for password-based authentication.","description":"Specify a temporary password to improve security. A temporary password can be enabled only if Account Control is enabled. If a temporary password is set, then the password set by Admin/Sys Admin for the new user shall expire on the first log in of the new user. A password expired page will appear for new users after the first login.","checkContent":"Verify Password Rules is configured to expire temporary passwords.\n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select \"Password Rules\".\n3. View the Maximum age of temporary password in hours.\n\nIf the Maximum age of temporary password in hours is not set, this is a finding.","fixText":"Configure Password Rules to expire temporary passwords.\n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select \"Password Rules\".\n3. Check \"Maximum age of temporary password in hours\".\n4. Enter an organization-defined number in the option box and click \"Submit\".\n\nLocal users must not be created; however, setting these requirements is a best practice."},{"id":"804f041e-7e43-49cd-bbee-b2351e45d043","vulnId":"V-275467","severity":"medium","ruleTitle":"The Riverbed NetIM must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"Verify Password Rules is configured to use all available options.\n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select all available boxes and configure in compliance with DOD requirements.\n\nIf any of the options is not selected, this is a finding.","fixText":"Configure Password Rules to use all available options.\n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select all available boxes, configure in compliance with DOD requirements, and click \"Submit\".\n\nLocal users must not be created; however, setting these requirements is a best practice."},{"id":"6d9cee66-9e11-40f0-9d0d-26b197946ffe","vulnId":"V-275473","severity":"high","ruleTitle":"The Riverbed NetIM must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting.","description":"The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.","checkContent":"Verify NetIM uses version 2.10 or later.\n\nIn the GUI, view the version at the top above the main menu on the right.\n\nIf the installed NetIM version is not version 2.10 or later, this is a finding.","fixText":"Upgrade NetIM to use a version 2.10 or later.\n\nTo upgrade NetIM, access the NetIM Software License and Download portal (SLD) and navigate to the Software Download page, then follow the specific instructions for the upgrade version, including checking for release notes and alerts."},{"id":"7273b856-4a88-44b9-a8f1-121ed2b5a896","vulnId":"V-275481","severity":"medium","ruleTitle":"The Riverbed NetIM must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.","checkContent":"Verify Password Rules are configured for \"Maximum failed login attempts allowed\".\n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select \"Password Rules\".\n3. Verify \"Maximum failed login attempts allowed\" is checked and set to \"3\".\n4. Verify \"Time interval for max failed login attempts in minutes\" is set to \"15\".\n\nIf both \"Maximum failed login attempts allowed\" is not set to \"3\" and the \"Time interval for max failed login attempts in minutes\" is set to \"15\", this is a finding.","fixText":"Configure the Password Rules for Maximum failed login attempts allowed.\n\n1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer.\n2. On the User Management screen, select \"Password Rules\".\n3. Check the box for \"Maximum failed login attempts allowed\".\n4. Enter \"3\" in the option box.\n5. Check the box for \"Time interval for max failed login attempts in minutes\".\n6. Enter \"15\" in the option box and click \"Submit\".\n\nNote: Local users must not be created; however, setting these requirements are a good best practice."},{"id":"bdd4248b-7285-47b3-a738-c34f54b14d93","vulnId":"V-275482","severity":"medium","ruleTitle":"The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.","description":"Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration.\n\nThe ability to off-load those files is a common process used while managing information systems.","checkContent":"Verify auditing is configured to send events to a central log server by using the following command: \n \n $ sudo grep -i action(type=\"omfwd\" target=\" \" port=\"3514\" protocol=\"tcp\"\n action.resumeRetryCount=\"100\"\n queue.type=\"linkedList\" queue.size=\"10000\")\n\nIf auditing is configured to send events to a central log server, this is a finding.","fixText":"Configure \"rsyslog.d\" service to send NetIM audit logs to central syslog. \n\n1. Add or modify the following line in the \"/etc/rsyslog.d\" file: \n\n $ sudo nano /etc/rsyslog.d/60-netim.conf\n\n2. Add the following text:\n\n *.* action(type=\"omfwd\" target=\" \" port=\"3514\" protocol=\"tcp\"\n action.resumeRetryCount=\"100\"\n queue.type=\"linkedList\" queue.size=\"10000\")\n\n3. Restart rsyslog service.\n\n $ sudo service rsyslog restart"},{"id":"c9cbc420-90cb-442f-bb33-0e161a821e97","vulnId":"V-275488","severity":"medium","ruleTitle":"The Riverbed NetIM must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).","description":"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nThe IP Detection Service tracks IP addresses (IPs) in the network and allows a user to query an IP address to determine the switch port to which a network device is connected. SNMP access to devices and a read-only community string (or equivalent SNMP v3 credentials) are required for the IP Detection Service to function. Community strings/credentials stored on NetIM are encrypted.","checkContent":"Verify NetIM is configured to authenticate SNMP messages using a FIPS-validated HMAC.\n\n1. In the GUI, navigate to Configure >> All Settings >> Discover >> Global Discovery Settings.\n2. Click \"SNMP v3 Credentials\". \n3. In the Add SNMP v3 Credentials box, verify the following is configured:\n Security Level menu = AUTH_PRIV\n Auth Protocol = \n\n Where is one of the following for Auth Protocol HMAC192_SHA256, HMAC256_SHA384, or HMAC384_SHA512\n\n Priv Protocol = \n\nWhere is one of the following for Priv Protocol CFB_AES_192, CFB_AES_256\n\nIf SNMP messages are not authenticated using a FIPS-validated HMAC, this is a finding.","fixText":"Configure NetIM to authenticate SNMP messages using a FIPS-validated HMAC.\n\n1. In the GUI, navigate to Configure >> All Settings >> Discover >> Global Discovery Settings.\n2. Click \"SNMP v3 Credentials\". \n3. In the Add SNMP v3 Credentials box, select the following:\n Security Level menu = AUTH_PRIV\n Auth Protocol = \n\nWhere is one of the following for Auth Protocol HMAC192_SHA256, HMAC256_SHA384, or HMAC384_SHA512.\n\n Priv Protocol = \n\nWhere is one of the following for Priv Protocol CFB_AES_192, CFB_AES_256\n\nNote: FIPS compliance requires Version 2.10 or higher and a Ubuntu Pro license, both of which are covered in other CAT 1 requirements."}]}]]}]

Riverbed NetIM NDM Security Technical Implementation Guide

Checks (15)