Inspect the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json). Verify the concurrent session parameter is set to "1". If the BEC concurrent session parameter is not set to "1", this is a finding.
Edit the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json) to set the concurrent session parameter to "1".
Navigate to C:\ProgramData\Bromium\BMS\settings.json on the BEC. Verify the value of lockout_delay_base is set to "10" and the value of lockout_delay_scale is set to "1" at a minimum. If lockout_delay_base in the settings.json file is not set to a minimum of "10", or lockout_delay_scale is not set to a minimum of "1", this is a finding.
Edit the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json) to set lockout_delay_base to "10" and the lockout_delay_scale to "1" at a minimum.
If custom rules are required, verify that monitoring rules are enabled. Custom rules may or may not be present on the BEC, depending on the site's need. Use of this feature is not mandatory; the requirement is that the feature be configured so it can be used when needed. 1. From the management console, click on "Policies". 2. Select the base policy that covers all devices. 3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and verify that "Host Monitoring" is enabled. 4. Click the arrow next to "Policies" and verify "Monitoring Rules" is checked. If the Bromium Enterprise Controller (BEC) is not configured for authorized users to capture and log content related to a user session, this is a finding.
Configure a custom rule to view a user's activity. Ensure host monitoring is enabled in the base or applicable delta policy. 1. From the management console, click on "Policies". 2. Select the base policy that covers all devices. 3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and enable "Host Monitoring". 4. Click "Save and Deploy". Configure the Custom Rule to monitor one or more Bromium vSentry clients. 1. Click the arrow next to "Policies" and select "Monitoring Rules". 2. Click "Rule Options" and select "Create Custom Rule". 3. Create a name for the custom rule. 4. Apply the custom rule to a group. 5. Configure the applications, triggers, and any exclusions associated with the activity to be monitored. 6. Click "Save".
Verify that the reporting threshold for endpoints has been documented. Navigate to the management console, click on the selection arrow next to "Events". Verify the organization-defined time period that the vSentry client must connect to the BEC for logging or policy update purposes is configured. If the BEC does not generate a log record when a Bromium vSentry client has not connected to the BEC for logging or policy update purposes for an organization-defined time period, this is a finding.
Define the organization-defined time period after which an alert should be generated. Navigate to the management console, click on the selection arrow next to "Events", and configure the organization-defined time period within which the vSentry client must connect to the BEC for logging or policy update purposes.
Obtain a list of authorized BEC Web console users from the site representative. Verify only these users are configured for access. 1. From the BEC console, click on "Settings". 2. View the list of Users. If unauthorized users are listed in the BEC Web console, this is a finding.
Configure BEC Web console access to permit only authorized users. 1. From the BEC console, click on "Settings". 2. Select "Users". 3. Click User Options >> Add User. 4. Add new user and their Active Directory details, and assign new user to a Group using the drop-down list.
Obtain a list of users who are authorized read-only permissions to the BEC Web console from the site representative. Verify these users are configured for read-only access. Navigate to the "Settings" menu and identify Roles with read-only access. These roles will have only one or more of the following privileges checked: - View device events - View policies - View events - View threats - View users - View user groups Identify the Groups that are assigned these Roles: 1. From the BEC console, click on "Settings". 2. Select "User Groups". 3. Click on each group and check whether one of the read-only roles is assigned. Verify that each user on the read-only list is assigned only to Groups with a read-only Role. If users who are authorized for read-only privileges are assigned to groups with modification access, this is a finding.
Configure the BEC Web console to restrict users who are authorized for view (read) permissions only. Configure a Role with View privileges only: 1. From the BEC console, click on "Settings". 2. Select "Roles". 3. To create a new Role, click on "User Options" and select "Add Role". 4. Create a name for the Role (with optional description) and select only privileges from the following list: - View device events - View policies - View events - View threats - View users - View user groups 5. Click "Save Changes". Configure a Group with the read-only Role assigned to it: 1. From the BEC console, click on "Settings". 2. Select "User Groups". 3. To create a new group, click on "User Options" and select "Add User Group". 4. Create a name (with optional description) for the Group. 5. (Optional) Synchronize the Group with an existing Group within Active Directory. 6. From the Role drop-down menu, select the read-only Role. 7. Click "Add User Group". Assign view-only users to the read-only Group: 1. From the BEC console, click on "Settings". 2. Select "Users". 3. Click User Options >> Add User. 4. Add the new user and their Active Directory details. 5. Using the drop-down list, assign the new view-only user to the read-only Group.
Ask the site representatives if they have developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort. Examine the BEC SSP. If the site has not developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort, this is a finding.
Remove all local accounts after setup. Use the Bromium system recovery process to either create another account or recover the setup account when needed. 1. Using the BEC server setup application, generate the password for the local Account of Last Resort using a FIPS 140-2 compliant password generator. 2. Configure the BEC and all BEC user accounts to leverage an external authentication server (e.g., Active Directory). 3. Upon successful configuration and connection of the BEC to the authentication server, remove the local BEC account. In the event of a system-wide failure to connect to the authentication server, system recovery, or other organization-defined emergency: 1. Gain access to the Windows Server running the BEC. 2. Run the BEC server setup application (BrBMSSettings.exe). 3. Click on "Database Settings". 4. Check the box next to "Request new administrator user". 5. Click "Save". Remove the account once normal operations resume. Either create a new account and password each time the account is recovered, or change the password each time the same account is recovered, in order to comply with BROM-00-000690.
Review documentation for a test system or mission need that justifies an exception to this setting in order to collect forensics about the malicious code. If this documentation exists, this is not a finding. Review the base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity. 1. Using the management console, navigate to "Policies" and select the base policy. 2. Navigate to "Security". 3. Navigate to and inspect the "Alert user on a threat event?" policy setting. Check every applicable Delta Policy using the same procedure to verify that the Base Policy has not been superseded. If the Bromium vSentry client is not configured to automatically terminate a micro-VM when any malicious activities are detected within the micro-VM, this is a finding.
Configure the base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity. Document any test system or mission need that justifies an exception to this setting in order to collect forensics about the malicious code, and document the circumstances under which this function may temporarily be relaxed to collect forensic information. 1. Using the management console, navigate to "Policies" and select the Base Policy. 2. Navigate to "Security". 3. Navigate to the "Alert user on a threat event?" policy setting. 4. Choose the "Stop operation and alert user" setting. 5. Click "Save and Deploy". Note: Do not supersede this policy in any Delta Policy.
Review base policy to ensure that the micro-virtual machine (VM) will capture the malware manifest upon the detection of malicious activity. 1. Using the management console, navigate to "Policies" and select the base policy. 2. Navigate to "Security". 3. Navigate to and inspect the "Generate isolated threat malware manifests?" policy setting. If the Bromium vSentry client is not configured to automatically capture and forward payloads that were downloaded and determined to be malicious to the management console, this is a finding.
Modify the base policy to ensure that the micro-VM will capture the malware manifest upon the detection of malicious activity. 1. Using the management console, navigate to "Policies" and select the base policy. 2. Navigate to "Security". 3. Navigate to and enable the check box and radio button for the "Generate isolated threat malware manifests?" policy setting. 4. Click "Save and Deploy".
Inspect the BEC user settings for a role with no privileges and a group that is tied to that role. 1. From the management console, click on the arrow next to "Settings". 2. Click on "Roles". 3. Identify and select the role that has no privileges assigned to it. 4. Inspect the "Role" settings to ensure that a group has been assigned. If the BEC is not configured to immediately disconnect or disable remote access to the information system, this is a finding.
Disable access for the user account by assigning a role with zero privileges enabled. A role that has zero privileges assigned to it must exist, along with a group that is assigned to the role. 1. From the management console, click on the arrow next to "Settings". 2. Click on "Users". 3. Select the user that has been identified for disabling. 4. Add the user to the group that is associated with the role that carries zero privileges. 5. Delete/remove all other groups for that user. 6. Click "Save".
If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice (BROM-00-000300), this is not a finding. Examine the site's documentation. Verify there is a documented procedure for changing the password for the Account of Last Resort when an individual with knowledge of the password leaves the group. An acceptable practice is to either create a new account and password each time or change the password. If a procedure for changing the password for the Account of Last Resort when an individual with knowledge of the password leaves the group is not documented or implemented, this is a finding.
Modify the password for the Account of Last Resort. 1. Using the management console, navigate to "Settings". 2. Select "Users". 3. Click on the local account name representing the Account of Last Resort. 4. In the "Edit User" section, enter and confirm the new password. 5. Click "Save Settings". If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice (BROM-00-000300), either create a new account and password or change the password.
Review each role and verify that at least one role has the "Edit Policies" privilege. Also verify that not all roles have the "Edit Policies" permission. 1. Using the management console, navigate to "Settings" and click on "Roles". 2. Inspect each role to ensure that the "Edit Policies" permission is enabled/disabled for the appropriate roles (e.g., the site's read-only role must not have permission to edit policies). Inspect the default policy to ensure that the proper log level has been selected. 1. Select the site's default policy. 2. Navigate to the "Manageability" tab. 3. Verify "Events" log level is selected. If the BEC is not configured for organization-identified roles that have permission to change, based on selectable criteria, the types of endpoint events that are captured in the Event log and stored in the SQL database, this is a finding.
The logging level is changed on the "Manageability" tab of a policy. Groups/roles that have permission to edit policies are allowed to change log event criteria. 1. Using the management console, navigate to "Policies". 2. Select the site's default policy. 3. Navigate to the "Manageability" tab. 4. Select the desired logging level. The available levels include Debug, Trace, Event, and Warning; the default setting is "Event". DoD requires a setting of "Event" in the default policy. 5. Click "Save and Deploy".
Ask the site representative for a list of administrators who are authorized to view Bromium vSentry client activity. Verify unauthorized users are not members of groups that have been assigned roles with the "View Events" or "View Threats" privilege. 1. From the BEC console, navigate to "Settings". 2. Select "Roles". 3. Click on each Role to see which ones have "View Events" or "View Threats" checked. 4. For the Roles that have "View Events" or "View Threats" enabled, navigate to the Groups area and check which Groups they are assigned to. 5. Navigate to "Settings" and "User Groups" to verify that users who are not on the list are not assigned to Groups with Roles that have "View Events" or "View Threats" enabled. If the BEC is not configured to permit only authorized users to remotely view, in real time (within seconds of the event occurring), all content related to an established Bromium vSentry client session, this is a finding.
The administrator must be in a group that has a role with permissions to view Events and Threats. To give an administrator permission to view Events and Threats, configure the role as follows. 1. Using the management console, navigate to "Settings". 2. Select "Roles". 3. Select the role(s) that need permission to view user sessions and activity. 4. Under the "Events" section, enable the "View Events" permission. 5. Under the "Threats" section, enable the "View Threats" permission. 6. Click "Save Changes".
Verify that a syslog destination is configured on the BEC server. 1. From the management console, click the selection arrow next to "Events". 2. Click "Destinations". 3. Inspect the list of configured syslog destinations. If the BEC does not automatically forward events to a syslog destination, this is a finding.
Configure the BEC to automatically forward events to the desired syslog destination. 1. From the management console, click on the selection arrow next to "Events". 2. Click on "Destinations". 3. Click on "Add Syslog Destination". 4. Configure the syslog server parameters and select the severity levels to forward. 5. Click "Save". Additional syslog destinations may be configured for forwarding events to multiple destinations simultaneously.
Ask the site representatives if they have developed and implemented a solution for forwarding the contents of "history.log" to a central log server. Check that the forwarding solution (e.g., the central log server's file monitoring agent) has been installed on the BEC and configured to include the "history.log" files residing on the BEC. If the BEC does not send "history.log" records to a central log server (i.e., syslog server), this is a finding.
Automatically forward all contents of "history.log" to the site's central log server in real time. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure it to monitor and forward "history.log" (example: C:\ProgramData\Bromium\BMS\Logs\history.log). Follow the instructions included with the central log server.
Ask the site representatives if they have developed and implemented a solution for storing the contents of "history.log" to minimize the risk of exceeding the system's storage capacity. If the option to forward the contents of "history.log" to a centralized events server was implemented, check that the agent associated with the central log server has been installed on the BEC. If the option to back up the contents of "history.log" was implemented, check that the backup solution has been configured to include the "history.log" files residing on the BEC. If the BEC does not manage log record storage capacity so "history.log" does not exceed physical drive space capacity allocated by the DBA and system administrator, this is a finding.
The BEC administrator must work with the site DBA and system administrator to obtain storage allocation requirements for "history.log". The "history.log" default size threshold is 5 MB. The system administrator has two options for managing storage of "history.log" contents. Option 1 (Preferred): 1. Automatically forward all contents of "history.log" to the site's central log server in real time. 2. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure it to monitor and forward "history.log" (example: C:\ProgramData\Bromium\BMS\Logs\history.log). Follow the instructions included with the central log server. Option 2 (use only with documentation of mission need): 1. Automatically back up all "history.log" files that have been aged out due to reaching the maximum size threshold. Then delete the archived copies to free up room. NOTE: By default, the BEC server creates up to 5 archives. Though not recommended, the default maximum number of archives can be changed by editing the "audit_log_backup_count" parameter in "settings.json" (C:\ProgramData\Bromium\BMS\settings.json). 2. Follow the instructions included with the backup solution. Some solutions include an agent that must be installed on the BEC and some do not.
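Several of the requirements on this page reduce to values in the BEC settings.json: the concurrent session limit and the lockout_delay_base/lockout_delay_scale minimums earlier on the page, and the audit_log_backup_count default noted in Option 2 above. The following script is an added example, not Bromium tooling, that parses that file and reports each out-of-range value as a finding. The page does not name the concurrent-session key, so the key used here ("max_concurrent_sessions") is a hypothetical placeholder that must be replaced with the real key; the sample settings are constructed for offline use and are not real BEC output.

```python
"""Audit a Bromium Enterprise Controller (BEC) settings.json against the values
required on this page.  Added example; not Bromium's own tooling."""
import json
from pathlib import Path

# Default location named on this page.
SETTINGS_PATH = Path(r"C:\ProgramData\Bromium\BMS\settings.json")

# The page does not name the concurrent-session key.  This value is
# HYPOTHETICAL and must be replaced with the key used by the installed BEC.
CONCURRENT_SESSION_KEY = "max_concurrent_sessions"

# Requirements quoted on this page: (key, predicate, human-readable rule).
REQUIREMENTS = [
    (CONCURRENT_SESSION_KEY, lambda v: v == 1, "must equal 1"),
    ("lockout_delay_base", lambda v: v >= 10, "must be at least 10"),
    ("lockout_delay_scale", lambda v: v >= 1, "must be at least 1"),
]
DEFAULT_BACKUP_COUNT = 5  # page: the BEC keeps up to 5 history.log archives by default


def as_int(value):
    """Accept JSON numbers or numeric strings such as "10"; reject anything else."""
    if isinstance(value, bool):          # bool is an int subclass; not a valid setting
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().lstrip("-").isdigit():
        return int(value.strip())
    return None


def audit_settings(settings):
    """Return a list of 'FINDING: ...' / 'NOTE: ...' strings; an empty list means compliant."""
    results = []
    for key, ok, rule in REQUIREMENTS:
        raw = settings.get(key)
        val = as_int(raw)
        if val is None:
            # Absent or non-numeric means the required value is not in effect.
            results.append(f"FINDING: {key} missing or non-numeric ({raw!r}); {rule}")
        elif not ok(val):
            results.append(f"FINDING: {key} is {val}; {rule}")
    # audit_log_backup_count may be changed, but the page advises against it,
    # so a deviation from the default is reported as a note rather than a finding.
    count = as_int(settings.get("audit_log_backup_count", DEFAULT_BACKUP_COUNT))
    if count != DEFAULT_BACKUP_COUNT:
        results.append(f"NOTE: audit_log_backup_count is {count!r}; default is {DEFAULT_BACKUP_COUNT}")
    return results


def audit_file(path=SETTINGS_PATH):
    """Load settings.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_settings(json.load(fh))


# Constructed samples (not real BEC output) so the audit can be exercised offline.
COMPLIANT_SAMPLE = {
    CONCURRENT_SESSION_KEY: 1,
    "lockout_delay_base": "10",   # numeric string, as the page quotes it
    "lockout_delay_scale": 1,
    "audit_log_backup_count": 5,
}
NONCOMPLIANT_SAMPLE = {
    CONCURRENT_SESSION_KEY: 3,
    "lockout_delay_base": 5,
    # lockout_delay_scale deliberately omitted
    "audit_log_backup_count": 2,
}

if __name__ == "__main__":
    for line in audit_settings(NONCOMPLIANT_SAMPLE) or ["compliant"]:
        print(line)
```

Run it on the live file with audit_file() from an elevated prompt on the BEC server; an empty result means every checked parameter meets the page's values. Numeric strings are accepted because the page quotes the values in double quotes and the file's actual typing is not stated; anything that is neither a number nor a numeric string is treated as non-compliant rather than silently ignored.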
Ask the site representatives if they have developed and implemented a solution for storing the contents of "default.log" and "worker.log" to receive alerts if SQL Server becomes unavailable. The contents of "default.log" and "worker.log" should be sent to a centralized events server. Check that the agent associated with the event server has been installed on the BEC. If the BEC does not generate an immediate log entry that can be sent to the central log server, which will alert the SA and ISSO, at a minimum, when it is unable to connect to the SQL database, this is a finding.
Automatically forward all contents of "default.log" and "worker.log" to the site's central log server in real time. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure it to monitor and forward "default.log" and "worker.log" (example: C:\ProgramData\Bromium\BMS\Logs\default.log). Follow the instructions included with the event log server.
Examine the site System Security Plan (SSP) or other appropriate documentation. Verify there is a documented procedure for when security incident reports need to be exported. From a web browser, log on to the Bromium Enterprise Controller. Upon successful authentication, on-demand reports for all threats are available throughout the administrator interface. If a procedure does not exist for providing on-demand reports for threat events, this is a finding.
From a web browser, log on to the Bromium Enterprise Controller. Upon successful authentication, the Dashboard View is the default view displayed. Select ad hoc reports based on SSP or other documented organizational requirements for reporting. Reports can be in the form of screen output or ".csv" files.
Examine the site System Security Plan (SSP) or other documentation. Verify there is a documented procedure for when security incident reports need to be exported. If a procedure for providing report generation that supports after-the-fact investigations of security incidents has not been documented, this is a finding.
From the management console, navigate to the "Threats" menu. 1. Select the security incident in question and view all after-the-fact information. 2. Click "Generate Report" to create a report in Structured Threat Information Expression (STIX) or Malware Attribute Enumeration and Characterization (MAEC) format. 3. Click "Threat Information" to export security incident-related information such as file hashes and IP addresses (in ".csv" format).
Inspect the base and delta policies on the Bromium Enterprise Controller (BEC) that are responsible for the analysis of executables. 1. From the management console, navigate to "Policies". 2. Inspect the base policy and all delta policies used for analyzing executables (e.g., "SOC Mode"). 3. Verify parameter "mimehandler.executable.open" has a value of "1". 4. Verify parameter "LAVA.ExecutableVMVisible" has a value of "0". 5. Verify parameter "LAVA.ExecutableVMTime" has a value (in seconds) for the desired time that the executable should run for the purposes of analysis (e.g., "300"). 6. For clients that are allowed to install software, verify a separate delta policy exists for these clients. This overrides the base policy for these specific devices only (e.g., management workstations used by the system administrators). If Bromium vSentry does not prohibit user installation of software without explicit privileged status, this is a finding.
Isolate the execution and installation of untrusted and unauthorized applications within a micro-virtual machine (VM): 1. From the management console, navigate to "Policies". 2. Create or modify a base and/or delta policy used for analyzing executables (e.g., "SOC Mode"). 3. Add parameter "mimehandler.executable.open" with a value of "1" to enable the isolation of untrusted executables. 4. Add parameter "LAVA.ExecutableVMVisible" with a value of "0" to conceal the untrusted executable from the user's view. 5. Add parameter "LAVA.ExecutableVMTime" with a value (in seconds) for the desired time that the executable should run for the purposes of analysis (e.g., "300"). 6. For clients that are allowed to install software, create a separate delta policy for these clients. This overrides the base policy for these specific devices only (e.g., management workstations used by the system administrators).
Verify the Update Interval is set to one hour. 1. From the management console, navigate to the "Policies" menu. 2. Select the Base policy. 3. Click the "Manageability" tab. 4. Inspect the "Update Interval" parameter to reflect the desired interval (1 hour/3600 seconds is the maximum). If the BEC Update Interval is set to more than one hour, this is a finding.
Configure the Update Interval for the BEC/vSentry client update of event data, remote commands, policy updates, and reauthentication. 1. From the management console, navigate to the "Policies" menu. 2. Select the Base policy. 3. Click the "Manageability" tab. 4. Edit the "Update Interval" parameter to reflect "3600" seconds. 5. Click "Save and Deploy". Note: A value of 1 hour/3600 seconds is the recommended setting; however, the setting may be changed to a lower interval based on mission needs.
If HBSS is installed and configured to monitor the BEC application, processes, and registry settings, this is not a finding. 1. From the management console, select "Devices". 2. Click on "Add Filter" and select "Contains Text". 3. Click on the down arrow and enter the device name to search for the BEC server. 4. Once the desired BEC server is located, click on the device and inspect the "Monitoring Version" column to verify that the monitoring module is installed and enabled. If the Bromium Protection agent is not installed and configured on the BEC server, this is a finding.
If HBSS is not installed to monitor the BEC application, processes, and registry settings, install the Bromium Protection agent on the BEC server. 1. Install the Bromium agent on the BEC server (follow the on-screen instructions when deploying the ".msi" installation package). 2. Add the BEC server to a device group (this group may contain other/additional BEC servers). 3. Enable the monitoring policy for the BEC server.
Inspect the HBSS configuration policy to verify that exceptions exist for the Bromium directory and related settings. If the HBSS policy for the endpoint running Bromium vSentry does not include the exceptions needed to ensure interoperability, this is a finding.
Refer to the Bromium Secure Platform Deployment Guide at https://documentation.bromium.com/4_0/Deployment%20Guide/Bromium_Secure_Platform_Deployment_Guide_4_0_Update_3.pdf for detailed instructions on creating exceptions for HBSS. Obtain approval from the ISSM or other approving authority for exceptions to HBSS.
Inspect the base policy for all endpoints. 1. From the management console, click on "Policies". 2. Select the base policy. 3. Select the "Manageability" tab. 4. Inspect the Logging level setting. If the BEC base policy Logging level has not been set to "Debug", this is a finding.
Enable the Debug Logging level. 1. From the management console, click on "Policies". 2. Select the base policy. 3. Select the "Manageability" tab. 4. Set the Logging level to "Debug". 5. Click "Save and Deploy".
Ask the site representatives if they have developed and implemented a solution for forwarding the contents of "worker.log" and "default.log" to a central log server. If the BEC and Bromium vSentry do not generate an event and forward it to the events server when anomalies in the operation of security functions of the BEC or Bromium vSentry application are discovered, this is a finding.
The BEC administrator must work with the site administrator to forward the contents of "worker.log" and "default.log" to a central log server in real time. 1. Automatically forward all contents of "worker.log" and "default.log" to the site's centralized log server in real time. 2. Install the file monitoring agent that is provided by the site's central log server (e.g., syslog, SIEM) and configure it to monitor and forward "worker.log" and "default.log" (e.g., C:\ProgramData\Bromium\BMS\Logs\default.log). Note: Follow the instructions included with the event server.
Verify that a syslog destination is configured on the BEC server. 1. From the management console, click on the selection arrow next to "Events". 2. Click on "Destinations". 3. Inspect the list of configured syslog destinations. 4. Verify that the Severity level for the source Isolation Host is minimally set to "Warning". If the Bromium monitoring module installed on the BEC or Bromium vSentry does not generate an event and forward to the events server when anomalies in the operation of the application are discovered, this is a finding.
Configure the BEC server to automatically forward events to the desired syslog destination. 1. From the management console, click on the selection arrow next to "Events". 2. Click on "Destinations". 3. Click on "Add Syslog Destination". 4. Configure syslog server parameters and verify that the Severity level for the source Isolation Host is minimally set to "Warning". 5. Click "Save". Additional syslog destinations may be configured for forwarding events to multiple destinations simultaneously.
Ask the site representative for the System Security Plan (SSP) document that includes the security policy settings required for endpoint security and monitoring. If custom monitoring rules are required, verify that monitoring rules are enabled and that custom rules are configured within the policy and applied to the appropriate devices. 1. From the management console, click on "Policies". 2. Select the base policy that covers all devices. 3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and verify that "Host Monitoring" is enabled. 4. Click the arrow next to "Policies" and select "Monitoring Rules". 5. Review the custom rules and the device groups they are applied to. If the BEC is not configured for authorized users to capture and log content related to a user session, this is a finding. If the BEC is not configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements, this is a finding.
Create an SSP document that contains the requirements for implementing Bromium vSentry policy settings and workflows for the endpoint. Bromium vSentry policy settings are accessible in the "Policies" section of the BEC. Custom monitoring rules are available in the "Monitoring Rules" section under "Policies". 1. From the management console, click on "Policies". 2. Select the base policy that covers all devices. 3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and enable "Host Monitoring". 4. Click "Save and Deploy". 5. Click the arrow next to "Policies" and select "Monitoring Rules". 6. Click "Rule Options" and select "Create Custom Rule". 7. Create a name for the custom rule. 8. Apply the custom rule to a group. 9. Configure the applications, triggers, and any exclusions associated with the activity to be monitored. 10. Click "Save".
Review the base policy to ensure that the Bromium Threat Intelligence service is disabled. 1. Using the management console, navigate to "Policies" and select the base policy. 2. Navigate to "Security". 3. Navigate to and inspect the "Enable Bromium Threat Intelligence?" policy setting. If the Bromium Threat Intelligence service is enabled, this is a finding.
Modify the base policy to ensure that the Bromium Threat Intelligence service is disabled. 1. Using the management console, navigate to "Policies" and select the base policy. 2. Navigate to "Security". 3. Navigate to and disable the "Enable Bromium Threat Intelligence?" policy setting. 4. Click "Save and Deploy".