Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-09-15

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
MobileIron Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type.
AC-10 - Medium - CCI-000054 - V-250982 - SV-250982r802168_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
MOIS-ND-000020
Vuln IDs
  • V-250982
Rule IDs
  • SV-250982r802168_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.
Checks: C-54417r802166_chk

Verify that the CLISH has a maximum number of SSH sessions configured.
1. Log in to the Sentry System Manager.
2. Go to Settings >> CLI.
3. Verify a Max SSH Sessions integer (1-10) is set based on security guidance.
If the Max SSH Sessions integer is not set correctly, this is a finding.

Fix: F-54371r802167_fix

Configure the CLISH with a maximum number of SSH sessions.
1. Log in to the Sentry System Manager.
2. Go to Settings >> CLI.
3. Configure a Max SSH Sessions integer (1-10) based on security guidance.
4. Click "Apply" and "Save" in the top right corner.

MobileIron Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range.
AC-10 - Medium - CCI-000054 - V-250983 - SV-250983r802171_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
MOIS-ND-000030
Vuln IDs
  • V-250983
Rule IDs
  • SV-250983r802171_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.
Checks: C-54418r802169_chk

Verify that a secondary interface has been added for System Manager Portal access of Sentry.
1. Log in to the Sentry System Manager.
2. Go to Settings >> Network >> Interfaces.
3. Verify a Management Interface for internal access of the System Manager Portal has been added as one of the interfaces.
If the Management Interface for internal access of the System Manager Portal has not been added as one of the interfaces, this is a finding.

Fix: F-54372r802170_fix

Configure a secondary interface for System Manager Portal access of Sentry.
1. Log in to the Sentry System Manager.
2. Go to Settings >> Network >> Interfaces.
3. Click an open Physical Interface such as GigabitEthernet2.
4. Configure a Management Interface for internal access of the System Manager Portal (refer to the "MobileIron Standalone Sentry 9.8.0 Installation Guide", Physical Interfaces section, for more information).

MobileIron Sentry must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-250984 - SV-250984r802174_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
MOIS-ND-000050
Vuln IDs
  • V-250984
Rule IDs
  • SV-250984r802174_rule
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock shall remain in place until the administrator reauthenticates. No other system activity aside from reauthentication shall unlock the management session. Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. So this requirement may only apply to local administrative sessions.
Checks: C-54419r802172_chk

Verify the System Manager Timeout is set to 15 minutes.
1. Log in to the MobileIron Sentry System Manager.
2. Navigate to Settings >> Timeout.
3. Verify the System Manager timeout is set to 15.
If the System Manager timeout is not set to 15, this is a finding.

Fix: F-54373r802173_fix

Set the System Manager Timeout to 15 minutes.
1. Log in to the MobileIron Sentry System Manager.
2. Navigate to Settings >> Timeout.
3. Configure the System Manager timeout to 15.
4. Click "Apply" and "Save" in the top right corner.

MobileIron Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
AC-4 - Low - CCI-001368 - V-250985 - SV-250985r802177_rule
RMF Control
AC-4
Severity
Low
CCI
CCI-001368
Version
MOIS-ND-000130
Vuln IDs
  • V-250985
Rule IDs
  • SV-250985r802177_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.
Checks: C-54420r802175_chk

Review the MobileIron Sentry configuration to determine if it enforces approved authorizations for controlling the flow of management information within the network. Sentry verifies that each request it receives from MobileIron Core originates from a trusted Core before handling it. Therefore, if the deployment uses MobileIron Core, verify that Sentry trusts MobileIron Core in the deployment:
1. Run the following command in the MobileIron Sentry CLI: show sentry emm-source-verify
If this is set to "false", this is a finding.
2. Run the following command in the MobileIron Sentry CLI: show sentry emm-ips
If the Core IP is not specified, this is a finding.
3. Verify MobileIron Sentry has an ACL for Core in the MobileIron Sentry System Manager:
   a. In the Standalone Sentry System Manager, go to Security >> Access Control Lists.
   b. Verify that an ACL is created for Core. If it is not, this is a finding.
4. Determine if MobileIron Sentry is configured with the specified backend services, such as Exchange ActiveSync or AppTunnel. If the backend service is not specified, this is a finding. Refer to the sections "Configuring Standalone Sentry for ActiveSync" and "Configuring Standalone Sentry for AppTunnel" in the "MobileIron Sentry 9.8 Guide for MobileIron Core" to ensure these services are configured in the MobileIron Sentry settings in Core where applicable.

Fix: F-54374r802176_fix

Configure MobileIron Sentry to enforce approved authorizations for controlling the flow of management information within the network device. Sentry verifies that each request it receives from MobileIron Core originates from a trusted Core before handling it. Therefore, if the deployment uses MobileIron Core, ensure that Sentry trusts MobileIron Core by running the following commands in the MobileIron Sentry CLI:
1. sentry emm-source-verify true
2. sentry emm-ips <subnet_list>
3. This can be further mitigated by creating ACLs in the MobileIron Sentry System Manager:
   a. In the Standalone Sentry System Manager, go to Security >> Access Control Lists.
   b. Click "Add".
   c. In the "Name" field, enter a name to identify the ACL.
   d. In the "Description" field, enter text to clarify the purpose of the ACL.
   e. Click "Save".
   f. Select the new ACL and click it to open the Modify ACL dialog box.
   g. Click "Add" to add an access control entry (ACE) to the ACL. Each ACE consists of a combination of the network hosts and services that were configured for use in ACLs.
   h. Complete the form using the following fields:
      • Source Network
      • Destination Network
      • Service
      • Action: select Permit or Deny from the dropdown list.
      • Connections Per Minute
   i. Click "Save".
4. Configure Sentry with the specified backend services, such as Exchange ActiveSync or AppTunnel. Refer to the sections "Configuring Standalone Sentry for ActiveSync" and "Configuring Standalone Sentry for AppTunnel" in the "MobileIron Sentry 9.8 Guide for MobileIron Core" to ensure these services are configured in the MobileIron Sentry settings in Core where applicable.
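The two mechanisms this rule checks are easy to get backwards when reading only the GUI and CLI steps, so here is an added model of what they decide, written for this page and not taken from Sentry's own code: EMM source verification (a request is handled only if "emm-source-verify" is on and the source lies in one of the "emm-ips" subnets) and an ACL whose entries carry the Source Network, Destination Network, Service, Action and Connections Per Minute fields from the fix. The class and function names, the first-match/default-deny evaluation order and the sliding 60-second rate window are assumptions made for the illustration; the addresses in the demo are constructed.

```python
"""Added example: EMM source verification and an ACL with a per-minute
connection cap. Not Sentry's implementation; names are assumptions."""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Iterable, Optional


def emm_source_allowed(source_ip: str, emm_source_verify: bool,
                       emm_ips: Iterable[str]) -> bool:
    """Model of 'sentry emm-source-verify' plus 'sentry emm-ips'.

    With verification off (the finding) every source is accepted; with it
    on, only a source inside one of the configured Core subnets is.
    """
    if not emm_source_verify:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(net, strict=False) for net in emm_ips)


@dataclass
class AccessControlEntry:
    """One ACE, using the form fields listed in the fix (assumed semantics)."""
    source_network: str               # CIDR
    destination_network: str          # CIDR
    service: int                      # destination TCP port
    action: str                       # "permit" or "deny"
    connections_per_minute: Optional[int] = None   # None = unlimited
    _recent: deque = field(default_factory=deque, repr=False, compare=False)

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source_network, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination_network, strict=False)
                and port == self.service)

    def within_rate(self, now: float) -> bool:
        """Sliding 60 s window: a permitted connection is recorded, a refused one is not."""
        if self.connections_per_minute is None:
            return True
        while self._recent and now - self._recent[0] >= 60:
            self._recent.popleft()
        if len(self._recent) >= self.connections_per_minute:
            return False
        self._recent.append(now)
        return True


class AccessControlList:
    """Ordered ACEs; the first match decides. No match is denied (assumed default)."""

    def __init__(self, entries: Iterable[AccessControlEntry]):
        self.entries = list(entries)

    def evaluate(self, src: str, dst: str, port: int, now: float = 0.0) -> str:
        for ace in self.entries:
            if ace.matches(src, dst, port):
                if ace.action == "deny":
                    return "deny"
                return "permit" if ace.within_rate(now) else "deny"
        return "deny"


if __name__ == "__main__":
    # Constructed demo values: a Core subnet and a Sentry management address.
    print(emm_source_allowed("10.1.2.3", True, ["10.1.2.0/24"]))     # True
    print(emm_source_allowed("192.0.2.9", True, ["10.1.2.0/24"]))    # False
    core_acl = AccessControlList([
        AccessControlEntry("10.1.2.0/24", "10.1.9.5/32", 443, "permit", connections_per_minute=2),
    ])
    for t in (0, 1, 2):
        print(t, core_acl.evaluate("10.1.2.3", "10.1.9.5", 443, now=t))  # permit, permit, deny
```

The deny-before-permit ordering matters: an explicit deny ACE for a single host placed ahead of a permit for its subnet is honoured, while the reverse order never reaches the deny. The rate cap counts only connections that were actually permitted, so a burst of refused attempts does not extend the lockout window.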

MobileIron Sentry must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
AC-7 - Low - CCI-000044 - V-250986 - SV-250986r802180_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-000044
Version
MOIS-ND-000140
Vuln IDs
  • V-250986
Rule IDs
  • SV-250986r802180_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-54421r802178_chk

Review the MobileIron Sentry configuration to verify that it enforces the limit of three consecutive invalid logon attempts.
1. Log in to the MobileIron Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to "Password Policy".
4. Look for "Number of Failed Attempts" and determine if the value is set to 3. If it is not, this is a finding.
5. Verify the Auto-Lock Time value is set to 900 seconds or more. If the Auto-Lock Time is not set to 900 seconds or more, this is a finding.

Fix: F-54375r802179_fix

Configure MobileIron Sentry to enforce the limit of three consecutive invalid login attempts, after which further login attempts are blocked for 15 minutes.
1. Log in to the MobileIron Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to "Password Policy".
4. For "Number of Failed Attempts", set the value to 3.
5. For "Auto-Lock Time", set the value to 900 seconds or more.

MobileIron Sentry must display the Standard Mandatory DoD Notice and Consent Banner in the Sentry web interface before granting access to the device.
AC-8 - Medium - CCI-000048 - V-250987 - SV-250987r802183_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
MOIS-ND-000150
Vuln IDs
  • V-250987
Rule IDs
  • SV-250987r802183_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-54422r802181_chk

Verify that MobileIron Sentry displays the banner text "I've read and consent to terms in IS user agreem't" at logon.
1. Log in to the Sentry System Manager or the CLI interface.
2. Verify the required login banner is displayed.
If the banner is not shown, this is a finding.

Fix: F-54376r802182_fix

Configure MobileIron Sentry to display the banner text "I've read and consent to terms in IS user agreem't" at logon.
1. Log in to the Sentry System Manager.
2. Go to Settings >> Login.
3. Add the required login banner to the "Text to Display" box.
4. Click "Apply".

MobileIron Sentry must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.
IA-2 - High - CCI-000765 - V-250988 - SV-250988r802186_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000765
Version
MOIS-ND-000390
Vuln IDs
  • V-250988
Rule IDs
  • SV-250988r802186_rule
Multi-factor authentication (MFA) is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user’s biometric digital presence. Private industry recognizes and uses a wide variety of MFA solutions. However, DoD public key infrastructure (PKI) is the only prescribed method approved for DoD organizations to implement MFA. For authentication purposes, centralized DoD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DoD, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DoD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. 
Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users). Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.
Checks: C-54423r802184_chk

Review the MobileIron Sentry configuration to ensure Certificate Authentication has been configured.
1. Log in to the MobileIron Sentry System Manager.
2. Go to the Security tab >> Advanced >> Sign-in Authentication.
3. Determine if Certificate Authentication is activated and configured.
If Certificate Authentication is not activated and configured, this is a finding.

Fix: F-54377r802185_fix

Configure the MobileIron Sentry with DoD PKI-based Certificate Authentication.
1. Log in to the MobileIron Sentry System Manager.
2. Go to the Security tab >> Advanced >> Sign-in Authentication.
3. Select the Certificate Authentication checkbox.
4. Select the CAC or PIV checkbox.
5. Map user certificate fields in the Certificate Attribute Mapping section based on the organization's certificates.
6. Upload the Issuing CA Certificate chain.
7. Click "Apply" and "Save" in the top right corner.
8. If using DoD PKI, ensure an EDIPI attribute is assigned to the user in the Security >> Local Users section.

MobileIron Sentry device must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-250989 - SV-250989r802189_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
MOIS-ND-000420
Vuln IDs
  • V-250989
Rule IDs
  • SV-250989r802189_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-54424r802187_chk

Review the MobileIron Sentry configuration to verify that a minimum 15-character password is set.
1. Log in to the MobileIron Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to Identity Source >> Password Policy.
4. Verify the "Minimum Password Length" is set to 15 or more.
If the minimum password length is not set to 15 or more, this is a finding.

Fix: F-54378r802188_fix

Configure the MobileIron Sentry Local User Password Policy to enforce a minimum 15-character password.
1. Log in to the MobileIron Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to Password Policy.
4. Set the "Minimum Password Length" value to 15 or more.

MobileIron Sentry must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-250990 - SV-250990r802192_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
MOIS-ND-000430
Vuln IDs
  • V-250990
Rule IDs
  • SV-250990r802192_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-54425r802190_chk

Where passwords are used, verify that the MobileIron Sentry server enforces password complexity by requiring that at least one uppercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If the MobileIron Sentry server does not require that at least one uppercase character be used in each password, this is a finding.
Verify the local Password Policy enforces an uppercase value:
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Upper Case" is checked.
If "Upper Case" is not checked, this is a finding.

Fix: F-54379r802191_fix

Configure the MobileIron Sentry server to enforce password complexity by requiring that at least one uppercase character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Upper Case".
4. Select "Apply".

MobileIron Sentry must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-250991 - SV-250991r802195_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
MOIS-ND-000440
Vuln IDs
  • V-250991
Rule IDs
  • SV-250991r802195_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-54426r802193_chk

Where passwords are used, confirm that the MobileIron Sentry server enforces password complexity by requiring that at least one lowercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If MobileIron Sentry does not require that at least one lowercase character be used in each password, this is a finding.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Lower Case" is checked.
If "Lower Case" is not checked, this is a finding.

Fix: F-54380r802194_fix

Configure the MobileIron Sentry server to enforce password complexity by requiring that at least one lowercase character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Lower Case".
4. Select "Apply".

MobileIron Sentry must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-250992 - SV-250992r802198_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
MOIS-ND-000450
Vuln IDs
  • V-250992
Rule IDs
  • SV-250992r802198_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-54427r802196_chk

Where passwords are used, confirm that the MobileIron Sentry server enforces password complexity by requiring that at least one numeric character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If the MobileIron Sentry server does not require that at least one numeric character be used in each password, this is a finding.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Numeric" is checked.
If "Numeric" is not checked, this is a finding.

Fix: F-54381r802197_fix

Configure the MobileIron Sentry server to enforce password complexity by requiring that at least one numeric character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Numeric".
4. Select "Apply".

MobileIron Sentry must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-250993 - SV-250993r802201_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
MOIS-ND-000460
Vuln IDs
  • V-250993
Rule IDs
  • SV-250993r802201_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-54428r802199_chk

Where passwords are used, confirm that the MobileIron Sentry server enforces password complexity by requiring that at least one special character be used. If the MobileIron Sentry server does not require that at least one special character be used in each password, this is a finding.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Special Character" is checked.
If "Special Character" is not checked, this is a finding.

Fix: F-54382r802200_fix

Configure the MobileIron Sentry server to enforce password complexity by requiring that at least one special character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Special Character".
4. Select "Apply".
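The lockout rule (MOIS-ND-000140: three failed attempts, Auto-Lock Time of 900 seconds) and the five Password Policy rules above (MOIS-ND-000420 through MOIS-ND-000460) describe one local password policy. The following added example models that policy end to end so an assessor can see what the settings mean operationally: which candidate passwords the complexity checks reject, and that during the auto-lock window even the correct password is refused. It is written for this page, not taken from Sentry; the class and field names, the treatment of string.punctuation as the special-character set, and the reset of the failure counter after a successful logon or an expired lock are assumptions.

```python
"""Added example: local password policy (length and character classes) and
failed-attempt lockout. Not Sentry's implementation; names are assumptions."""
import string
from dataclasses import dataclass, field
from typing import Dict, List

SPECIAL = set(string.punctuation)   # assumed definition of "special character"


@dataclass(frozen=True)
class PasswordPolicy:
    """The Password Policy values the rules above require."""
    min_length: int = 15
    require_upper: bool = True
    require_lower: bool = True
    require_numeric: bool = True
    require_special: bool = True
    failed_attempts: int = 3        # "Number of Failed Attempts"
    auto_lock_seconds: int = 900    # "Auto-Lock Time"


def password_violations(candidate: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("no upper-case character")
    if policy.require_lower and not any(c.islower() for c in candidate):
        problems.append("no lower-case character")
    if policy.require_numeric and not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if policy.require_special and not any(c in SPECIAL for c in candidate):
        problems.append("no special character")
    return problems


@dataclass
class LockoutTracker:
    """Consecutive-failure counter with a timed auto-lock per account."""
    policy: PasswordPolicy = field(default_factory=PasswordPolicy)
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear it and the counter
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Outcome of one logon attempt: "ok", "failed" or "locked".

        A correct password presented while the account is locked is still
        refused; that is what makes the lock a brute-force control.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)    # success resets the consecutive count
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.policy.failed_attempts:
            self._locked_until[user] = now + self.policy.auto_lock_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed sample passwords and a constructed sequence of logon attempts.
    print(password_violations("Tr0ub4dor&3xample!"))      # []
    print(password_violations("alllowercase12345!"))      # ['no upper-case character']
    tracker = LockoutTracker()
    for t, ok in ((0, False), (1, False), (2, False), (3, True), (902, True)):
        print(t, tracker.attempt("admin", ok, now=t))      # failed, failed, locked, locked, ok
```

Two behaviours are worth confirming on the real appliance rather than assuming from the GUI: whether a correct password during the lock window is refused (it must be), and whether the failure counter is per account or global, since the requirement text is per account.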

MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
AU-10 - High - CCI-000166 - V-250994 - SV-250994r802204_rule
RMF Control
AU-10
Severity
High
CCI
CCI-000166
Version
MOIS-ND-000510
Vuln IDs
  • V-250994
Rule IDs
  • SV-250994r802204_rule
Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or the status of their non-repudiation is considerably impacted during forensic analysis. A strength of using PKI as MFA is that it can help ensure only the assigned individual is using their associated user account. This can only be accomplished if the network device is configured to enforce the relationship which binds PKI certificates to unique user accounts. Local accounts (accounts created, stored, and maintained locally on the network device) should be avoided in lieu of using a centrally managed directory service. Local accounts empower the same workgroup who will be operating the network infrastructure to also control and manipulate access methods, thus creating operational autonomy. This undesirable approach breaks the concept of separation of duties. Additionally, local accounts are susceptible to poor cyber hygiene because they create another user database that must be maintained by the operator, whose primary focus is on running the network. Such examples of poor hygiene include dormant accounts that are not disabled or deleted, employees who have left the organization but whose accounts are still present, periodic password and hash rotation, password complexity shortcomings, increased exposure to insider threat, etc. For reasons such as this, local users on network devices are frequently the targets of cyber-attacks. Instead, organizations should explore examples of centrally managed account services. These examples include the implementation of AAA concepts like the use of external RADIUS and LDAP directory service brokers.
Checks: C-54429r802202_chk

Verify that an EDIPI is mapped to the Sentry Admin user accounts.
1. Log in to the Sentry System Manager.
2. Verify "Certificate Based Authentication" is enabled under the Security tab >> Sign-In Authentication.
3. Verify that a Certificate Attribute Mapping is mapped to EDIPI.
4. Go to the Security tab >> Local Users. Click on an active Local User and verify an EDIPI is configured.
5. Repeat step 4 for all local users.
If an EDIPI is not mapped to the Sentry Admin user accounts, this is a finding.

Fix: F-54383r802203_fix

Ensure that an EDIPI is mapped to the Sentry Admin user accounts.
1. Log in to the Sentry System Manager.
2. Ensure "Certificate Based Authentication" is enabled under the Security tab >> Sign-In Authentication.
3. Ensure that a Certificate Attribute Mapping is mapped to EDIPI.
4. Go to the Security tab >> Local Users. Click on an active Local User and configure an EDIPI.
5. Click "Apply".
6. Repeat steps 4 and 5 for all local users.
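What the Certificate Attribute Mapping plus the per-user EDIPI field achieve is a one-to-one binding between a validated certificate and a local account. The added example below models that binding logic; it is written for this page and is not Sentry's code. It assumes the DoD CAC subject convention in which the CN ends in the 10-digit EDIPI (CN=LAST.FIRST.MIDDLE.<EDIPI>) and the Subject Alternative Name carries a principal name of <EDIPI>@mil, requires the two to agree, and refuses a certificate whose EDIPI resolves to zero or to more than one local account, which is the "unique user accounts" condition of this rule. The DN strings and the local-user table in the demo are constructed, and certificate path validation is assumed to have already happened before this step.

```python
"""Added example: map a validated client certificate to exactly one local
account via the EDIPI. Not Sentry's implementation; names are assumptions."""
import re
from typing import Dict, List, Optional

EDIPI_RE = re.compile(r"^\d{10}$")


def edipi_from_subject(subject_dn: str) -> Optional[str]:
    """Take the EDIPI from the last dotted component of the subject CN.

    Expects an RFC 4514 style string such as
    'CN=DOE.JOHN.A.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US'.
    """
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", subject_dn)
    if not match:
        return None
    last = match.group(1).split(".")[-1].strip()
    return last if EDIPI_RE.match(last) else None


def edipi_from_principal_name(upn: str) -> Optional[str]:
    """Take the EDIPI from a SAN principal name of the form <EDIPI>@mil."""
    local, sep, domain = upn.partition("@")
    if sep and domain.lower() == "mil" and EDIPI_RE.match(local):
        return local
    return None


def map_certificate_to_account(subject_dn: str, principal_name: str,
                               local_users: Dict[str, Optional[str]]) -> str:
    """Return the single local account bound to the certificate's EDIPI.

    local_users maps username -> configured EDIPI (None when the account has
    none, e.g. an account of last resort that is not certificate-enabled).
    Raises PermissionError when the certificate carries no consistent EDIPI
    or when the EDIPI does not resolve to exactly one account.
    """
    from_cn = edipi_from_subject(subject_dn)
    from_san = edipi_from_principal_name(principal_name)
    if not from_cn or not from_san or from_cn != from_san:
        raise PermissionError("certificate does not carry a consistent EDIPI")
    matches: List[str] = [u for u, e in local_users.items() if e == from_cn]
    if len(matches) != 1:
        raise PermissionError(f"EDIPI {from_cn} maps to {len(matches)} accounts, need exactly 1")
    return matches[0]


if __name__ == "__main__":
    # Constructed sample subject, principal name and local-user table.
    dn = "CN=DOE.JOHN.A.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US"
    users = {"admin_jdoe": "1234567890", "admin_rroe": "0987654321", "break_glass": None}
    print(map_certificate_to_account(dn, "1234567890@mil", users))   # admin_jdoe
```

An account with no EDIPI configured can never be reached through certificate logon, which is the intended state for the account of last resort; conversely, two accounts that share an EDIPI are a finding under this rule because the mapping is no longer unique.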

MobileIron Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
IA-7 - High - CCI-000803 - V-250995 - SV-250995r802207_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
MOIS-ND-000530
Vuln IDs
  • V-250995
Rule IDs
  • SV-250995r802207_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. A Sentry utilizing encryption is required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. Security processes must therefore be configured to use only FIPS-approved and NIST-recommended authentication algorithms.
Checks: C-54430r802205_chk

Verify the Sentry uses encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. On the MobileIron Sentry CLI console, do the following:
1. SSH to the MobileIron Sentry Server from any SSH client.
2. Enter the administrator credentials set at MobileIron Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at MobileIron Sentry installation.
5. Enter "show FIPS".
6. Verify "FIPS 140 mode is enabled" is displayed.
If the MobileIron Sentry Server does not report that FIPS mode is "enabled", this is a finding.

Fix: F-54384r802206_fix

Configure the MobileIron Sentry server to use a FIPS 140-2-validated cryptographic module. On the MobileIron Sentry console, do the following:
1. SSH to the MobileIron Sentry Server from any SSH client.
2. Enter the administrator credentials set at MobileIron Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at MobileIron Sentry installation.
5. Enter "configure terminal".
6. Enter the following command to enable FIPS: FIPS
7. Enter the following command to proceed with the necessary reload: do reload
8. Enter "Yes" at the saved configuration modified prompt.
9. Enter "Yes" at the proceed with reload prompt.

MobileIron Sentry must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-250996 - SV-250996r802210_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
MOIS-ND-000550
Vuln IDs
  • V-250996
Rule IDs
  • SV-250996r802210_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-54431r802208_chk

The MobileIron Sentry System Manager has two interfaces, a CLI restricted shell and a web-based GUI. In the MobileIron Sentry MICS portal, verify that the MobileIron Sentry CLI timeout is set to 10 minutes.
1. Log in to MobileIron Sentry.
2. Go to Settings >> CLI.
3. Within CLI Configuration, verify the CLI Session Timeout (minutes) is set to greater than 10 minutes.
If the CLI Session Timeout (minutes) is not set to greater than 10 minutes, this is a finding.

Fix: F-54385r802209_fix

Configure the Sentry to terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity.
1. Log in to MobileIron Sentry.
2. Go to Settings >> CLI.
3. Within CLI Configuration, input "10" for CLI Session Timeout (minutes).
4. Click "Apply".

MobileIron Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator.
SC-23 - Medium - CCI-001188 - V-250997 - SV-250997r802213_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001188
Version
MOIS-ND-000580
Vuln IDs
  • V-250997
Rule IDs
  • SV-250997r802213_rule
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement is applicable to devices that use a web interface for device management.
Checks: C-54432r802211_chk

Verify the Sentry uses encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. On the MobileIron Sentry CLI console, do the following:
1. SSH to the MobileIron Sentry Server from any SSH client.
2. Enter the administrator credentials set at MobileIron Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at MobileIron Sentry installation.
5. Enter "show FIPS".
6. Verify "FIPS 140 mode is enabled" is displayed.
If the MobileIron Sentry Server does not report that FIPS mode is "enabled", this is a finding.

Fix: F-54386r802212_fix

Configure the MobileIron Sentry server to use a FIPS 140-2-validated cryptographic module. On the MobileIron Sentry console, do the following:
1. SSH to the MobileIron Sentry Server from any SSH client.
2. Enter the administrator credentials set at MobileIron Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at MobileIron Sentry installation.
5. Enter "configure terminal".
6. Enter the following command to enable FIPS: FIPS
7. Enter the following command to proceed with the necessary reload: do reload
8. Enter "Yes" at the "saved configuration modified" prompt.
9. Enter "Yes" at the prompt to proceed with the reload.

MobileIron Sentry must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
AU-5 - Low - CCI-001858 - V-250998 - SV-250998r802216_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-001858
Version
MOIS-ND-000690
Vuln IDs
  • V-250998
Rule IDs
  • SV-250998r802216_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Checks: C-54433r802214_chk

Verify the MobileIron Sentry is configured to send alerts for failure events in the MobileIron Sentry System Manager web GUI.
1. Log in to MobileIron Sentry.
2. Go to Monitoring >> Alert Configuration.
3. Verify Alert monitoring is configured.
If Alert Configuration settings are not configured, this is a finding. Refer to the "Alert Configuration" section of the "MobileIron Sentry 9.8.0 Guide for MobileIron Core" for more information.

Fix: F-54387r802215_fix

Configure the MobileIron Sentry to send alerts for failure events in the MobileIron Sentry System Manager web GUI.
1. Log in to MobileIron Sentry.
2. Go to Monitoring >> Alert Configuration.
3. Check "Send Notification".
4. Apply Email List.
5. Enter Alerts Per Hour.
6. Enter Batch Time Interval (min).
7. Select "Default Alert Action".
8. Apply.
9. Add Alert Notification Management.
10. Add Alert ID.
11. Add "Action" from the dropdown.
12. Click "Apply" and "Save" in the top right corner.
Refer to the "Alert Configuration" section of the "MobileIron Sentry 9.8.0 Guide for MobileIron Core" for more information.

MobileIron Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-250999 - SV-250999r802219_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MOIS-ND-000700
Vuln IDs
  • V-250999
Rule IDs
  • SV-250999r802219_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-54434r802217_chk

Verify the MobileIron Sentry is configured with multiple date and time servers (NTP).
1. Log in to MobileIron Sentry.
2. Go to Settings >> Date and Time (NTP).
3. Verify the NTP servers are configured.
If NTP servers are not configured, this is a finding. Refer to the "Date and Time (NTP)" section of the "MobileIron Sentry 9.8.0 Guide for MobileIron Core" for more information.

Fix: F-54388r802218_fix

Configure the MobileIron Sentry with multiple date and time servers (NTP).
1. Log in to MobileIron Sentry.
2. Go to Settings >> Date and Time (NTP).
3. Under the Time Source dropdown, select "NTP".
4. Enter at least Primary and Secondary NTP servers.
5. Click "Apply" and "Save" in the top right corner.
Refer to the "Date and Time (NTP)" section of the "MobileIron Sentry 9.8.0 Guide for MobileIron Core" for more information.

The MobileIron Sentry must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - Medium - CCI-001967 - V-251000 - SV-251000r802222_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
MOIS-ND-000760
Vuln IDs
  • V-251000
Rule IDs
  • SV-251000r802222_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network).
Checks: C-54435r802220_chk

On the MobileIron Sentry console, do the following to verify FIPS mode is enabled:
1. SSH to the MobileIron Sentry Server from any SSH client.
2. Enter the administrator credentials set at MobileIron Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at MobileIron Sentry installation.
5. Enter "show FIPS".
6. Verify "FIPS 140 mode is enabled" is displayed. If it is not, this is a finding.
Then:
1. Log in to MobileIron Sentry.
2. Go to Settings >> SNMP.
3. Verify an SNMP server has been added.
   a. If an SNMP server is not added, this is a finding.
   b. If an SNMP server is added, go to step 4.
4. Verify SNMP Control is not disabled.
   a. If SNMP Control is disabled, this is a finding.
   b. If SNMP Control is not disabled, go to step 5.
5. Verify Protocol v3 is selected.
   a. If Protocol v3 is not selected, this is a finding.
   b. If Protocol v3 is selected, go to step 6.
6. Verify the SNMP v3 User has been added.
   a. If the SNMP v3 User has not been added, this is a finding.

Fix: F-54389r802221_fix

On the MobileIron Sentry console, do the following to configure FIPS mode:
1. SSH to the MobileIron Sentry.
2. At the prompt, enter "enable" mode with the secret credentials.
3. Enter the configure command.
4. Enter FIPS.
5. Once reloaded, SSH to the MobileIron Sentry.
6. Run "show FIPS".
Then:
1. Log in to MobileIron Sentry.
2. Go to Settings >> SNMP.
3. Add an SNMP Trap Receiver.
4. Enable the SNMP Service.
5. Select Protocol v3.
6. Add SNMP v3 Users.
7. Enter the User Name.
8. Select the Security Level from the dropdown.
9. Select the AUTH Protocol from the dropdown.
10. Enter the AUTH Password.
11. Select the Privacy Protocol from the dropdown.
12. Enter the Privacy Password.
13. Click "Save".
14. Enable Link Up/Down Trap.
15. Click "Apply" to save changes.

MobileIron Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.
MA-4 - High - CCI-003123 - V-251001 - SV-251001r802225_rule
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
MOIS-ND-000810
Vuln IDs
  • V-251001
Rule IDs
  • SV-251001r802225_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Checks: C-54436r802223_chk

On the MobileIron Sentry console, do the following to verify FIPS mode is activated to protect the confidentiality of remote maintenance sessions:
1. SSH to the MobileIron Sentry.
2. Run the "show FIPS" command.
3. Verify FIPS 140 mode is not disabled.
If FIPS 140-2 mode is disabled, this is a finding.

Fix: F-54390r802224_fix

Configure MobileIron Sentry to use FIPS 140-2 approved algorithms to protect the confidentiality of remote maintenance sessions:
1. SSH to the MobileIron Sentry.
2. At the prompt, enter "enable" mode with the secret credentials.
3. Enter the configure command.
4. Enter FIPS.
5. Once reloaded, SSH to the MobileIron Sentry.
6. Run the "show FIPS" command and confirm "FIPS 140 mode is enabled" is displayed.

MobileIron Sentry must off-load audit records onto a different system or media than the system being audited.
AU-4 - Low - CCI-001851 - V-251002 - SV-251002r802228_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001851
Version
MOIS-ND-000900
Vuln IDs
  • V-251002
Rule IDs
  • SV-251002r802228_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-54437r802226_chk

Verify MobileIron Sentry is configured to offload audit records to a different system.
1. Log in to MobileIron Sentry.
2. Go to Settings >> Syslog.
3. Verify that a syslog server is configured.
If the syslog server is not configured, this is a finding.

Fix: F-54391r802227_fix

Configure MobileIron Sentry to forward/offload audit records to a different system.
1. Log in to MobileIron Sentry.
2. Go to Settings >> Syslog.
3. Configure a new syslog server if one is not already added.
4. Click on the syslog server(s) and, in the "Modify Syslog"/"Add Syslog" pop-up dialog, under "Facility Type", click the checkbox for "Audit".
5. Set the Admin State to "Enable".
6. Click "Apply".

MobileIron Sentry must enforce access restrictions associated with changes to the system components.
CM-5 - Low - CCI-000345 - V-251003 - SV-251003r802231_rule
RMF Control
CM-5
Severity
Low
CCI
CCI-000345
Version
MOIS-ND-000930
Vuln IDs
  • V-251003
Rule IDs
  • SV-251003r802231_rule
Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.
Checks: C-54438r802229_chk

Verify that only authorized administrators have permissions for changes, deletions, and updates on the MobileIron Sentry.
1. Log in to System Manager.
2. Go to Security >> Local Users.
3. Verify no unauthorized users are listed.
If unauthorized users are listed, this is a finding.

Fix: F-54392r802230_fix

Configure the MobileIron Sentry so that only authorized administrators have permissions for changes, deletions, and updates.
1. Log in to System Manager.
2. Go to Security >> Identity Source >> Local Users.
3. Click "Add" to add authorized users.
4. If unauthorized users are listed, click the check box next to the unauthorized user and click "Delete".

MobileIron Sentry must be configured to conduct backups of system level information contained in the information system when changes occur.
CM-6 - Low - CCI-000366 - V-251004 - SV-251004r802234_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
MOIS-ND-000950
Vuln IDs
  • V-251004
Rule IDs
  • SV-251004r802234_rule
This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-54439r802232_chk

Identify/validate MobileIron Sentry support for periodic backups. This is done via the virtual machine. Check with the virtualization team to verify backups are scheduled. If the backups are not scheduled, this is a finding.

Fix: F-54393r802233_fix

Ensure the virtual solution provides periodic backups. Refer to "MobileIron Sentry Installation Guide", section "Periodic backups for VMware", pages 6-7.

MobileIron Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-251005 - SV-251005r802237_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MOIS-ND-000970
Vuln IDs
  • V-251005
Rule IDs
  • SV-251005r802237_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-54440r802235_chk

Determine if the MobileIron Sentry has a public certificate from an approved Certificate Authority.
From MobileIron Core:
1. Log in to the MobileIron Core.
2. Navigate to "Services".
3. Select "Sentry".
4. On each configured Sentry, select "View Certificate".
5. Validate the Public Key is issued from an approved Certificate Authority.
From MobileIron Sentry:
1. Log in to the MobileIron Sentry.
2. Navigate to "Security".
3. Scroll down to "Certificate Mgmt".
4. Select "View Certificate".
If approved certificates have not been uploaded, this is a finding.

Fix: F-54394r802236_fix

Configure the MobileIron Sentry with a certificate from an approved Certificate Authority.
From MobileIron Core:
1. Log in to the MobileIron Core.
2. Navigate to "Services".
3. Select "Sentry".
4. On each configured Sentry, select "Manage Certificate".
5. Upload the appropriate certificate.
From MobileIron Sentry:
1. Log in to the MobileIron Sentry.
2. Navigate to "Security".
3. Select "Certificate Management".
4. Select "Manage Certificate".
5. Upload the appropriate certificate.
Reference the "MobileIron Sentry Guide for MobileIron Core", section "Standalone Sentry Certificate", for uploading a certificate to MobileIron Sentry.

MobileIron Sentry must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
SI-2 - High - CCI-002605 - V-251006 - SV-251006r802240_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
MOIS-ND-000980
Vuln IDs
  • V-251006
Rule IDs
  • SV-251006r802240_rule
Without syslog enabled, it will be difficult for an ISSO to correlate users' behavior and identify potential threats within the logs.
Checks: C-54441r802238_chk

To identify/validate MobileIron Sentry support for syslog forwarding, follow the navigation steps below.
1. Log in to the MobileIron Sentry.
2. Navigate to "Settings".
3. Scroll down to "Syslog".
4. Verify that a syslog server has been configured correctly.
   a. Verify the Server IP address.
   b. Verify the Port.
   c. Verify the Facility Types.
   d. Verify the Admin state is enabled.
If syslog forwarding has not been implemented, this is a finding.

Fix: F-54395r802239_fix

Configure the MobileIron Sentry to forward syslog data using the steps below. Refer to the "MobileIron Sentry Guide for Core", section "Syslog", page 140.
1. Log in to the MobileIron Sentry.
2. Navigate to "Settings".
3. Scroll down to "Syslog".
4. If there is no syslog server entry, add the server:
   a. Add the Server IP address.
   b. Add the Port.
   c. Select/add Facility Types and Log Levels.
   d. Enable the Admin state.
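The FIPS, CLI timeout, NTP, SNMP and syslog checks above can be evaluated offline against a captured configuration. The following is an added example written for this page, not MobileIron's code or an official STIG script; the `settings` dict layout and the sample values are constructed assumptions, and a real run would populate them from the System Manager and the "show FIPS" output.

```python
from typing import Any

FIPS_BANNER = "FIPS 140 mode is enabled"  # text the "show FIPS" CLI command prints


def evaluate(settings: dict[str, Any], show_fips_output: str) -> list[tuple[str, str]]:
    """Return (Vuln ID, reason) pairs for every rule that is a finding."""
    findings: list[tuple[str, str]] = []

    # V-250995 / V-251000 / V-251001: the CLI must report FIPS 140 mode enabled.
    if FIPS_BANNER not in show_fips_output:
        findings.append(("V-250995", 'show FIPS did not report "FIPS 140 mode is enabled"'))

    # V-250996: idle CLI sessions must end after 10 minutes (fix says input "10").
    timeout = settings.get("cli_session_timeout_minutes")
    if timeout is None or timeout > 10:
        findings.append(("V-250996", f"CLI Session Timeout(minutes) is {timeout}, expected 10"))

    # V-250999: NTP as time source with both a primary and a secondary server.
    ntp = settings.get("ntp", {})
    servers = [s for s in (ntp.get("primary"), ntp.get("secondary")) if s]
    if ntp.get("time_source") != "NTP" or len(servers) < 2:
        findings.append(("V-250999", "fewer than two NTP servers configured"))

    # V-251000: trap receiver added, service enabled, protocol v3, and a v3 user
    # with both an AUTH protocol and a privacy protocol selected.
    snmp = settings.get("snmp", {})
    v3_users = [u for u in snmp.get("v3_users", [])
                if u.get("auth_protocol") and u.get("privacy_protocol")]
    if (not snmp.get("trap_receivers") or not snmp.get("enabled")
            or snmp.get("protocol") != "v3" or not v3_users):
        findings.append(("V-251000", "SNMP not configured for v3 with an authenticated user"))

    # V-251006: an enabled syslog server with IP and port; V-251002: it must also
    # forward the "Audit" facility type so audit records leave the appliance.
    syslogs = settings.get("syslog_servers", [])
    enabled = [s for s in syslogs if s.get("admin_state") == "Enable"
               and s.get("ip") and s.get("port")]
    if not enabled:
        findings.append(("V-251006", "no enabled syslog server configured"))
    elif not any("Audit" in s.get("facility_types", []) for s in enabled):
        findings.append(("V-251002", "no enabled syslog server forwards the Audit facility"))
    return findings


# Constructed sample (hypothetical values): FIPS on, but the timeout is too long,
# only one NTP server is set, and the syslog server does not forward Audit.
SAMPLE_SETTINGS: dict[str, Any] = {
    "cli_session_timeout_minutes": 30,
    "ntp": {"time_source": "NTP", "primary": "ntp1.example.mil", "secondary": ""},
    "snmp": {"trap_receivers": ["10.0.0.5"], "enabled": True, "protocol": "v3",
             "v3_users": [{"name": "monitor", "auth_protocol": "SHA",
                           "privacy_protocol": "AES"}]},
    "syslog_servers": [{"ip": "10.0.0.9", "port": 514, "facility_types": ["System"],
                        "admin_state": "Enable"}],
}
SAMPLE_SHOW_FIPS = "FIPS 140 mode is enabled\n"

if __name__ == "__main__":
    for vuln_id, reason in evaluate(SAMPLE_SETTINGS, SAMPLE_SHOW_FIPS):
        print(f"{vuln_id}: {reason}")
```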

MobileIron Sentry must be running an operating system release that is currently supported by MobileIron.
CM-6 - High - CCI-000366 - V-251007 - SV-251007r802243_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
MOIS-ND-000990
Vuln IDs
  • V-251007
Rule IDs
  • SV-251007r802243_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-54442r802241_chk

Verify the MobileIron Sentry is a supported version.
1. Enter the MobileIron Sentry System Manager Portal URL in a web browser.
2. View the version number in the top right corner.
3. Check the MI Support page (help.mobileiron.com) to ensure the MI Sentry is a supported version.
If the version number of the Sentry appliance is not supported, this is a finding.

Fix: F-54396r802242_fix

Install the most current MobileIron supported version of Sentry.