Forescout Network Device Management Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2020-12-11
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
a
Forescout must limit the number of concurrent sessions to one for each administrator account.
AC-10 - Low - CCI-000054 - V-230930 - SV-230930r615886_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
FORE-NM-000010
Vuln IDs
  • V-230930
Rule IDs
  • SV-230930r615886_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial of service (DoS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.
Checks: C-33860r603629_chk

Determine if Forescout requires a limit of one session per user. This requirement may be verified by demonstration or configuration review. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterAct user profiles >> Password and Sessions >> Session. 3. Verify the "allow only one login session per user", "Terminate existing session upon new login", and "Console and web portal sessions cannot exist concurrently". If Forescout does not enforce one session per user, this is a finding.

Fix: F-33833r603630_fix

Configure Forescout to require a limit of one session per user. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterAct user profiles >> Password and Sessions >> Session. 3. Check "allow only one login session per user". 4. Select the "Terminate existing session upon new login" radio button. 5. Select "Console and web portal sessions cannot exist concurrently".

b
Forescout must terminate the account of last resort password when members with access to the password leave the group.
AC-2 - Medium - CCI-002142 - V-230931 - SV-230931r615886_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002142
Version
FORE-NM-000020
Vuln IDs
  • V-230931
Rule IDs
  • SV-230931r615886_rule
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.
Checks: C-33861r603632_chk

Review the documentation to verify a procedure exists to change the account of last resort and root account password when users with knowledge of the password leave the group. If a procedure does not exist to change the account of last resort and root account password when users with knowledge of the password leave the group, this is a finding.

Fix: F-33834r603633_fix

Establish and document a procedure that requires the changing of the account of last resort and root account password when users with knowledge of the password leave the group. To change the password: 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> Console Preferences >> Password and Sessions. 3. Click the Password tab. 4. Click "User must change password at next logon if changed by admin user". Note: the next time the account of last resort is accessed, the user will be prompted to change their password. Note: Use of a cryptographically generated password is recommended. Password must be stored in a locked safe and used only when necessary since individual accounts are required to be used to ensure non-repudiation.

b
Forescout must be configured with only one web account and one CLI account of last resort with limited access and used only when the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-230932 - SV-230932r615886_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
FORE-NM-000030
Vuln IDs
  • V-230932
Rule IDs
  • SV-230932r615886_rule
Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the "account of last resort" since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit must be added to the envelope as a record. Administrators must secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-33862r603635_chk

Verify only one local account exists and that it has full administrator privileges. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterACT User Profiles. If local accounts in the CounterACT User profile or CLI exist other than the accounts of last resort, this is a finding.

Fix: F-33835r603636_fix

There are two default accounts. The CLIAdmin root account can only be used with the CLI. To access the CLI, an account must be created that only has access to the CLI. Accounts created in CounterACT user profile in the web management tools do not have access to login to the CLI. The default console account "Admin" allows access to the web management tool. These accounts can be used as the accounts of last resort or two other accounts may be created for this purpose as long as a strong password that meets DoD requirements is used for both. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterACT user profiles. Remove unauthorized local accounts not identified as the account of last resort.

b
Forescout must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
AC-7 - Medium - CCI-000044 - V-230933 - SV-230933r615886_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
FORE-NM-000040
Vuln IDs
  • V-230933
Rule IDs
  • SV-230933r615886_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-33863r603638_chk

Determine if Forescout is configured either to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, or to use an authentication server to perform this function. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Verify the "Lock account after" radio button is selected. 4. Verify that "3" password failures for "15 minutes" is configured. If the limit of three consecutive invalid logon attempts by a user during a 15-minute time period is not enforced, this is a finding.

Fix: F-33836r603639_fix

Configure Forescout or its associated authentication server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Ensure the "Lock account after" radio button is selected. 4. Ensure that "3" password failures for "15" minutes is configured.

a
Forescout must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Low - CCI-000048 - V-230934 - SV-230934r615887_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
FORE-NM-000050
Vuln IDs
  • V-230934
Rule IDs
  • SV-230934r615887_rule
Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. The banner must be formatted in accordance with DTM-08-060.
Checks: C-33864r603641_chk

1. Log on to the Forescout Administrator UI. 2. Select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Select the Login tab and check the "Display this Notice and Consent Message after login" option. 4. Select the "Before login, prompt user to accept these Terms and Conditions" and view the text. If the banner is not present or not in exact compliance with the current verbiage and spacing in DTM-08-060, this is a finding.

Fix: F-33837r603642_fix

Log on to the Forescout Administrator UI. 1. Select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Select the "Login" tab and check the "Display this Notice and Consent Message after login" option. 3. Select the "Before login, prompt user to accept these Terms and Conditions". 4. Copy the exact text and formatting for the Standard Mandatory DoD and Consent Banner into the white box. Be sure to adhere to the exact line spacing required by DTM-08-060.

a
Forescout must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
AC-8 - Low - CCI-000050 - V-230935 - SV-230935r615886_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000050
Version
FORE-NM-000060
Vuln IDs
  • V-230935
Rule IDs
  • SV-230935r615886_rule
The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement. In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, then entering the password is also acceptable. The web management tool configuration setting works for both the CLI and the web management tool.
Checks: C-33865r615880_chk

Verify Forescout retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. Attempt to log on to the Forescout device as a system administrator using the web management tool. If Forescout does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.

Fix: F-33838r603645_fix

Log on to the Forescout Administrator UI. 1. Select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Select the "Login" tab and check the "Display this Notice and Consent Message after login" option. 3. Select the "Before login, prompt user to accept these Terms and Conditions". 4. Select "Apply" to save the settings.

a
Forescout must generate log records when successful attempts to access privileges occur.
AU-12 - Low - CCI-000172 - V-230936 - SV-230936r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000080
Vuln IDs
  • V-230936
Rule IDs
  • SV-230936r615886_rule
Without generating log records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-33866r603647_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under "User Operations", verify "Include user operations" is checked. If Forescout does not generate log records when successful attempts to access privileges occur, this is a finding.

Fix: F-33839r603648_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under "User Operations", check "Include user operations".

a
Forescout must generate log records when attempts to modify administrator privileges occur.
AU-12 - Low - CCI-000172 - V-230937 - SV-230937r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000090
Vuln IDs
  • V-230937
Rule IDs
  • SV-230937r615886_rule
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-33867r603650_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, verify "Include user operations" is checked. If Forescout does not generate log records when attempts to modify administrator privileges occur, this is a finding.

Fix: F-33840r603651_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, check "Include user operations".

a
Forescout must generate log records when attempts to delete administrator privileges occur.
AU-12 - Low - CCI-000172 - V-230938 - SV-230938r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000100
Vuln IDs
  • V-230938
Rule IDs
  • SV-230938r615886_rule
Without generating log records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-33868r603653_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, verify "Include user operations" is checked. If Forescout does not generate log records when attempts to delete administrator privileges occur, this is a finding.

Fix: F-33841r603654_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, check "Include user operations".

a
Forescout must generate log records showing when successful logon attempts occur.
AU-12 - Low - CCI-000172 - V-230939 - SV-230939r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000110
Vuln IDs
  • V-230939
Rule IDs
  • SV-230939r615886_rule
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-33869r603656_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, verify "Include user operations" is checked. If Forescout does not generate log records when successful logon attempts occur, this is a finding.

Fix: F-33842r603657_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, check "Include user operations".

a
Forescout must generate log records for privileged activities or other system-level access.
AU-12 - Low - CCI-000172 - V-230940 - SV-230940r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000120
Vuln IDs
  • V-230940
Rule IDs
  • SV-230940r615886_rule
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-33870r603659_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, verify "Include user operations" is checked. If Forescout does not generate log records when for privileged activities or other system-level access, this is a finding.

Fix: F-33843r603660_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, check "Include user operations".

a
Forescout must generate log records showing starting and ending time for administrator access to the system.
AU-12 - Low - CCI-000172 - V-230941 - SV-230941r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000130
Vuln IDs
  • V-230941
Rule IDs
  • SV-230941r615886_rule
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-33871r603662_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, verify "Include user operations" is checked. If Forescout does not generate log records showing starting and ending time for administrator access to the system, this is a finding.

Fix: F-33844r603663_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, check "Include user operations".

a
Forescout must generate log records when concurrent logons from different workstations occur.
AU-12 - Low - CCI-000172 - V-230942 - SV-230942r615886_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
FORE-NM-000140
Vuln IDs
  • V-230942
Rule IDs
  • SV-230942r615886_rule
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Log records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-33872r603665_chk

Verify the syslog trigger is configured. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, verify "Include user operations" is checked. If Forescout does not generate log records when concurrent logons from different workstations occur, this is a finding.

Fix: F-33845r603666_fix

Configure the syslog trigger. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Under User Operations, check "Include user operations".

a
The Forescout must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited.
AU-4 - Low - CCI-001851 - V-230943 - SV-230943r615886_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001851
Version
FORE-NM-000150
Vuln IDs
  • V-230943
Rule IDs
  • SV-230943r615886_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-33873r615872_chk

Verify the syslog. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To. 3. Click the IP address of the site's centralized syslog server. 4. Verify "Use TLS" is checked. 5. Verify OCSP, Identity, Facility, and Severity, as required by the SSP, are configured. If the site's syslog server is not configured or if it is not configure to use TLS and OCSP, this is a finding.

Fix: F-33846r603669_fix

Configure the syslog. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To. 3. Click "Add". 4. Enter the IP address of the site's centralized syslog. 5. Check "Use TLS". 6. Configure OCSP, Identity, Facility, and Severity as required by the SSP.

b
Forescout must be configured to synchronize internal information system clocks using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-230944 - SV-230944r615886_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000160
Vuln IDs
  • V-230944
Rule IDs
  • SV-230944r615886_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while the source synchronizes time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-33874r603671_chk

Determine if Forescout is configured to synchronize internal clocks with the organization's primary and secondary NTP servers. 1. Open an SSH session and authenticate to the Forescout command line. 2. Verify a primary and secondary NTP server has been configured with the command "fstool ntp test". If Forescout is not configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers, this is a finding.

Fix: F-33847r603672_fix

Configure Forescout to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. 1. Open an SSH session and authenticate to the Forescout command line. 2. Configure the primary and secondary NTP servers with the command "fstool ntp setup <ip address>".

b
Forescout must be configured to use Coordinated Universal Time (UTC).
AU-8 - Medium - CCI-001890 - V-230945 - SV-230945r615886_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
FORE-NM-000170
Vuln IDs
  • V-230945
Rule IDs
  • SV-230945r615886_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-33875r603674_chk

Determine if Forescout records time stamps for log records that can be mapped to UTC. This requirement may be verified by demonstration or configuration review. Verify by connecting to the appliance via SSH using standard user/operator privilege. 1. Type "date" at the command prompt. 2. Verify the date references accurate time and "UTC" shows just before the year. If Forescout does not record time stamps for log records that can be mapped to UTC, this is a finding.

Fix: F-33848r603675_fix

Configure Forescout to record time stamps for log records that can be mapped to UTC. Note: Updating time preferences will force Forescout into maintenance mode and the service must be restarted. Use a scheduled outage for planned maintenance and stop Forescout service prior to adjusting time settings. 1. Type the following command at the prompt using the IP address of the required NTP server: fstool ntp <ip address> 2. Ensure the date references accurate time and the time zone points to UTC next to the year.

b
Forescout must prohibit installation of software without explicit privileged permission by only authorized individuals.
CM-11 - Medium - CCI-001812 - V-230946 - SV-230946r615886_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001812
Version
FORE-NM-000190
Vuln IDs
  • V-230946
Rule IDs
  • SV-230946r615886_rule
Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices.
Checks: C-33876r603677_chk

Determine if the network device prohibits installation of software without explicit privileged status. This requirement may be verified by demonstration or configuration review. 1. From the menu, select Tools &gt;&gt; Options &gt;&gt; User Console and Options. 2. Select (highlight) the user profile to be reviewed (group or user) and then select Edit &gt;&gt; Permissions. 3. Check a sampling of users against the current SSP to verify only the users that should have privilege to update software have the Software Upgrade privilege selected. If installation of software is not prohibited without explicit privileged status, this is a finding.

Fix: F-33849r603678_fix

Remove accounts that are not authorized. Do not remove the account of last resort. Compare users with the current SSP and ensure only the users that should have the privilege to update software have the Software Upgrade privilege selected. 1. From the menu, select Tools >> Options >> User Console and Options. 2. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 3. Disable or delete unauthorized users.

b
Forescout must enforce access restrictions associated with changes to device configuration.
CM-5 - Medium - CCI-001813 - V-230947 - SV-230947r615886_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
FORE-NM-000200
Vuln IDs
  • V-230947
Rule IDs
  • SV-230947r615886_rule
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. For Forescout, ensure only authorized users have access to user profile permissions. All other admins are blocked from access via the console tools and/or web portal based on permissions set on the Edit user profile.
Checks: C-33877r603680_chk

Determine if the network device enforces access restrictions associated with changes to device configuration. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit &gt;&gt; Permissions. 4. Check user against the current SSP and ensure only the users that should have the privilege to make changes have the CounterACT Appliance Configuration; CounterACT Appliance Control; Module Control; Multiple CounterACT Appliance Management; Policy Control; Policy Management; and User Management privileges selected. If the network device does not enforce such access restrictions, this is a finding.

Fix: F-33850r603681_fix

Remove accounts that are not authorized. Do not remove the account of last resort. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 4. Check user against current SSP and ensure only the users that should have privilege to make changes have the CounterACT Appliance Configuration; CounterACT Appliance Control; Module Control; Multiple CounterACT Appliance Management; Policy Control; Policy Management; and User Management privileges selected. 5. Delete or disable unauthorized users.

a
Forescout must audit the enforcement actions used to restrict access associated with changes to the device.
CM-5 - Low - CCI-001814 - V-230948 - SV-230948r615886_rule
RMF Control
CM-5
Severity
Low
CCI
CCI-001814
Version
FORE-NM-000210
Vuln IDs
  • V-230948
Rule IDs
  • SV-230948r615886_rule
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Forescout must only be configures such that only authorized users have access to user profile permissions. All other admins are blocked from access via the console tools and/or web portal based on permissions set on the Edit user profile.
Checks: C-33878r603683_chk

Determine if the network device audits the enforcement actions used to restrict access associated with changes to the device. This requirement may be verified by demonstration, configuration review, or validated test results. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit &gt;&gt; Permissions. 4. Check user against current SSP and ensure only the users with privileges to make changes have the Least Privilege required permissions. If the network device does not audit the enforcement actions used to restrict access associated with changes to the device, this is a finding.

Fix: F-33851r603684_fix

Remove accounts that are not authorized. Do not remove the account of last resort. Ensure a Least Privilege Permission approach is taken with all accounts created. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 4. Check user against current SSP and ensure only the users that are allowed privileges to make changes have the Least Privilege required permissions. 5. Delete or disable unauthorized users.

a
Forescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 - Low - CCI-001749 - V-230949 - SV-230949r615886_rule
RMF Control
CM-5
Severity
Low
CCI
CCI-001749
Version
FORE-NM-000220
Vuln IDs
  • V-230949
Rule IDs
  • SV-230949r615886_rule
Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. Customer portal updates file download section on the vendor website has the MD5 hashes for the updates files. Currently, this is the method used by DoD to pull down files rather than using the internal connection to the Forescout server.
Checks: C-33879r603686_chk

Verify by inspecting the SSP or documentation to determine if there is a procedure for validating the MD5 hash against the Forescout updates.forescout.com portal to ensure that the software has come from the Forescout server. If the site does not have a documented process to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization, this is a finding.

Fix: F-33852r603687_fix

When Forescout updates are downloaded, whether from the DoD update server or the updates.forescout.com portal, each update consists of an MD5 hash. Manually inspect, compare, and verify the MD5 hash against the Forescout website to ensure that the software has come from the Forescout server.

b
Forescout must limit privileges to change the modules and OSs resident within software libraries.
CM-5 - Medium - CCI-001499 - V-230950 - SV-230950r615886_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
FORE-NM-000230
Vuln IDs
  • V-230950
Rule IDs
  • SV-230950r615886_rule
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals must be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.
Checks: C-33880r603689_chk

Determine if there are users defined in Forescout that are not authorized to change the software libraries. Verify that Administrator privileges have been restricted for these users. This is verified by reviewing the administrator account profiles and auditing the assigned privilege for updated Forescout software. 1. Log on to the Forescout Console and select Tools &gt;&gt; Options &gt;&gt; Console User Profiles. 2. Select the user group that is not authorized access according to the SSP. 3. Select "Edit" and the "Permissions" tab 4. Verify the users do not have the "Plugin Management" and "Software Upgrade" options selected. If Forescout is not configured to limit privileges to change the software resident within software libraries for unauthorized users, this is a finding.

Fix: F-33853r615874_fix

Configure Forescout to prevent access to change the software resident within software libraries for unauthorized personnel. View each of the Forescout user group accounts that are associated with the external user directory groups (e.g., RADIUS, Active directory, LDAP). Perform the following actions for each group. 1. Log on to the Forescout Console and select Tools >> Options >> Console User Profiles. 2. Select the user group that is not authorized access according to the SSP. 3. Select "Edit" and the "Permissions" tab. 4. Unselect the options for "Module Management" and "Software Upgrade".

b
Forescout must enforce access restrictions associated with changes to the firmware, OS, USB port, and console port.
CM-5 - Medium - CCI-000345 - V-230951 - SV-230951r615886_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-000345
Version
FORE-NM-000240
Vuln IDs
  • V-230951
Rule IDs
  • SV-230951r615886_rule
Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals must be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters. There is a USB port and a console RJ45 port. The Console port is secured by the CLI security configuration. The USB port is only accessible via the CLI, not the web manager tool. The user will be prompted to see if it should be turned on. It is off by default and requires authorized login from the CLI.
Checks: C-33881r603692_chk

Check Forescout to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles. 3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit". 4. Verify the non-administrator account selected does not have "update" on the "Permissions" tab for "Forescout Appliance Configuration". If unauthorized users are allowed to change the hardware or software, this is a finding.

Fix: F-33854r603693_fix

Configure Forescout to prevent access to change the software resident within software libraries for unauthorized personnel. View each of the Forescout user group accounts associated with the external user directory groups (e.g., RADIUS, Active directory, LDAP). Perform the following actions for each group: 1. Log on to the Forescout Console and select Tools >> Options >> Console User Profiles. 2. Select the user group that is not authorized access according to the SSP. 3. Select "Edit" and the "Permissions" tab. 4. Verify the options for "Module Management" or "Software Upgrade" are not selected.

b
Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
CM-6 - Medium - CCI-000366 - V-230952 - SV-230952r615886_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000250
Vuln IDs
  • V-230952
Rule IDs
  • SV-230952r615886_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, log records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Checks: C-33882r603695_chk

Review the Forescout configuration to determine if administrative accounts for device management exist on the device other than the account of last resort and root account. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; Console Preferences. 3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit". 4. Verify each user profile is for an approved administrator. 5. Verify each external LDAP group account profile by verifying on the trusted external directory group membership. If any administrative accounts other than the account of last resort and root account exist on the device, this is a finding.

Fix: F-33855r603696_fix

Remove accounts that are not authorized. Do not remove the account of last resort. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Console Preferences. 3. Select (highlight) the user profile to be reviewed (group or user) and then select "Remove". 4. Remove external group membership, individual users on the Directory service.

b
Forescout must be running an operating system release that is currently supported by the vendor.
CM-6 - Medium - CCI-000366 - V-230953 - SV-230953r615886_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000260
Vuln IDs
  • V-230953
Rule IDs
  • SV-230953r615886_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. In Oct 2021, there is plan to make Version 7 end-of-life. This will be stated on the product lifecycle page of the Forescout website. All versions of V8 and above are authorized for use in DoD. Version 8 or later is mandatory after October 2021.
Checks: C-33883r603698_chk

Check that Forescout is still running supported operating system versions and that all vulnerability patches and updates have been applied. Verify the installed version is supported by Forescout by checking the Forescout support website lifecycle page. Currently, Version 8 or later is mandatory after October 2021. If Forescout is running an operating system release that is not supported by the vendor, this is a finding.

Fix: F-33856r603699_fix

Check that Forescout is still running supported operating system versions and that all vulnerability patches and updates have been applied. Establish and document a procedure that requires the auditing of OS versions and any patches and updates have been applied in accordance with Forescout support website lifecycle page.

b
If the network device uses role-based access control, Forescout must enforce organization-defined, role-based access control policies over defined subjects and objects.
CM-6 - Medium - CCI-000366 - V-230954 - SV-230954r616548_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000270
Vuln IDs
  • V-230954
Rule IDs
  • SV-230954r616548_rule
Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. Forescout has three predefined user roles: Admin, Web Access, and Console User. The Admin role has access to all data and management functions. By default, the Console role has access to the management console and the Web role has access to the view-only portal. However, both roles may be assigned one or more permissions, each with its own set of privileges to the data and functions.
Checks: C-33884r603701_chk

Check the administrative accounts assigned to each role are documented within the SSP and have been configured correctly with least privilege. 1. Log on to Forescout UI. 2. Select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles. 3. Select username &gt;&gt; Edit &gt;&gt; Permissions. Check the SSP against created users and ensure least privilege has been configured properly. Options include Custom accounts for Console Access and Web Access. Each access account is then further established with permissions based on the user's authorizations. If Forescout does not enforce organization-defined, role-based access control policies over defined subjects and objects, this is a finding.

Fix: F-33857r603702_fix

Login to Forescout UI. 1. Select Tools >> Options >> CounterACT User Profiles. 2. Select username >> Edit >> Permissions. Check the SSP against created users and ensure least privilege has been configured properly. Options include Custom accounts for Console Access and Web Access. Each access account is then further established with permissions based on the user's authorizations.

b
Forescout must generate log records for a locally developed list of auditable events.
AU-12 - Medium - CCI-000169 - V-230955 - SV-230955r615886_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
FORE-NM-000280
Vuln IDs
  • V-230955
Rule IDs
  • SV-230955r615886_rule
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.
Checks: C-33885r603704_chk

Verify the syslog triggers are configured in accordance with SSP requirements. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; Modules &gt;&gt; Syslog &gt;&gt; Syslog Triggers. 3. Ensure the proper NAC events and System Logs and Events are selected in compliance with the SSP. If Forescout does not generate log records for a locally developed list of auditable events, this is a finding.

Fix: F-33858r603705_fix

Configure Forescout auditing messages to ensure auditing is comprehensible for monitoring and analysis. 1. Log on to Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers. 3. Ensure the proper NAC events and System Logs and Events are selected.

b
Forescout must be configured to conduct backups of system-level information contained in the information system when changes occur.
CM-6 - Medium - CCI-000366 - V-230956 - SV-230956r615886_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000290
Vuln IDs
  • V-230956
Rule IDs
  • SV-230956r615886_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who utilize this critical network component. Perform scheduled backups of the Forescout system to FTP, SFTP, and SCP sites. Using scheduled backups provides extra safety and protection against hard drive failures and data loss. The system backup feature saves all CounterACT device and Console settings. This data includes the following: - Configuration - License - Operating System configuration - Plugins/Modules These categories include, for example: - Forescout platform IP address - License information - Channel - Email - Internal network parameters - Basic and advanced NAC Policy definitions - Legitimate traffic definitions - Report schedules
Checks: C-33886r603707_chk

Check Forescout to determine if the network device is configured to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. 1. Open the Forescout Console and select Tools &gt;&gt; Advanced &gt;&gt; Backup. 2. On the “System Backup” tab, verify the "Enable System Backup" radio button is selected. 3. Verify the Backup schedule is selected to at least "weekly". If Forescout does not support the organizational requirement to conduct backups of system-level data according to the defined frequency, this is a finding.

Fix: F-33859r615876_fix

Configure Forescout to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. Setup a backup server. 1. Open the Forescout Console and select Tools >> Advanced >> Backup >> Backup Server. 2. Click "SCP" or "SFTP" for the transfer protocol. 3. Add the IP address of the backup destination server. 4. Add the directory to receive the file. 5. Add PKI key (preferred) or add username and DoD compliant password for the backup account to be used. 6. Enable "Authenticate Destination Sever". 7. Test the file transfer. 8. Click "Apply". Generate a backup job. 1. Click the "System Backup" tab. 2. Select "Enable System Backup". 3. Under Backup Schedule, add a "Generate backup at" and enter a time to run the backup in accordance with site procedures. 4. Select "Weekly" for Recurrence Pattern. When changes to the configuration occur, the admin must immediately create a new backup by clicking "Backup Now" on the Backup screen.

b
Forescout must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
CM-6 - Medium - CCI-000366 - V-230957 - SV-230957r616550_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000300
Vuln IDs
  • V-230957
Rule IDs
  • SV-230957r616550_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who utilize this critical network component. Perform scheduled backups of the Forescout system to FTP, SFTP, and SCP sites. Using scheduled backups provides extra safety and protection against hard drive failures and data loss. The system backup feature saves all CounterACT device and Console settings. This data includes the following: - Configuration - License - Operating System configuration - Plugins/Modules These categories include, for example: - Forescout platform IP address - License information - Channel - Email - Internal network parameters - Basic and advanced NAC Policy definitions - Legitimate traffic definitions - Report schedules
Checks: C-33887r616549_chk

Check Forescout to determine if the network device is configured to conduct backups. 1. Open the Forescout Console and select Tools &gt;&gt; Advanced &gt;&gt; Backup. 2. On the “System Backup” tab, verify the "Enable System Backup" radio button is selected. 3. Verify the Backup schedule is selected to at least "weekly". If Forescout does not support organizational requirements to conduct backups of information system documentation, including security-related documentation when changes occur or weekly, whichever is sooner, this is a finding.

Fix: F-33860r615878_fix

Configure Forescout to conduct backups. Setup a backup server. 1. Open the Forescout Console and select Tools >> Advanced >> Backup >> Backup Server. 2. Click "SCP" or "SFTP" for the transfer protocol. 3. Add the IP address of the backup destination server. 4. Add the directory to receive the file. 5. Add PKI key (preferred) or add username and DoD compliant password for the backup account to be used. 6. Enable "Authenticate Destination Sever". 7. Test the file transfer. 8. Click "Apply". Generate a backup job. 1. Click the System Backup tab. 2. Select "Enable System Backup". 3. Under Backup Schedule, add a "Generate backup at" and enter a time to run the backup in accordance with site procedures. 4. Select "Weekly" for Recurrence Pattern. When changes to the configuration occur, the admin must immediately create a new backup by clicking "Backup Now" on the Backup screen.

b
Forescout must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-230958 - SV-230958r616552_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
FORE-NM-000320
Vuln IDs
  • V-230958
Rule IDs
  • SV-230958r616552_rule
For user certificates, each organization obtains certificates from an approved shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-33888r603713_chk

Determine if Forescout obtains public key certificates from an appropriate certificate policy through an approved service provider. To review the Web server certificate presented for captive portal/authentication: 1. Open a command line SSH to Forescout appliance or Enterprise Manager. 2. Run the following command: &gt;fstool cert test 3. Verify all Web server certificate(s) are printed and reviewable. 4. Verify the signing authority is from an approved certificate authority. If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix: F-33861r616551_fix

Generate a certificate signing request by completing the following procedures: 1. Navigate to Tools >> Options >> Certificates >> System Certificates. 2. On the right of the screen click “Generate CSR”. 3. Complete the following fields (bolded fields are necessary for the Common Criteria evaluation and underlined fields have the required selection made): - Common Name – <system hostname> - Organization – <organizational name> - Organizational Unit – <unit name> - Locality – <locality name> - State – <state name> - Country Code – <country code> - Email Address - <email address> - Key Length – <select an approved key length from the drop down list> - Signature Algorithm – <select an approved algorithm from the drop down list> - Key Usages – < Checking all items that apply Client Authentication, Server Authentication and Email Signing> - Validity – <years> 4. Click “Next”. 5. When the CSR is generated, scroll down to ensure the public key and common name are present. 6. Click "Scope option – ALL" and then click "Next". 7. Enter a name for system certificate. 8. Check “Enable presenting this certificate”. 9. Click "Finish". 10. Click "Apply", and then click "Yes" to save the changes.

c
Forescout must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
CM-7 - High - CCI-000382 - V-230959 - SV-230959r615886_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
FORE-NM-000330
Vuln IDs
  • V-230959
Rule IDs
  • SV-230959r615886_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Forescout is capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. Wireless is an example only of a service that is frequently unnecessary in many Forescout implementations. Reword more generically and be sure to look for module that are not part of the UC ACL default and may have been installed by the site and therefore are not authorized for use in DoD.
Checks: C-33889r603716_chk

Navigate to the plugin tool and remove all unneeded or unsecure services. 1. Connect to the Forescout Console and select Tools &gt;&gt; Options &gt;&gt; Plugins. 2. Review the list of plugins. If an unnecessary or nonsecure service is "Enabled", select the plugin and then select "Configure". If no configuration is present, this is a finding. If any unnecessary or nonsecure functions are enabled, this is a finding.

Fix: F-33862r603717_fix

Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. The following is an example of disabling the wireless plugin if no wireless devices are directly managed by Forescout. Example ONLY: 1. Connect to the Forescout Console and select Tools >> Options >> Modules >> Network. 2. Determine if the wireless plugin is running. If it is running, click the option and click "Stop". If the user is logged in to the enterprise manager, this will stop it on all the appliances in the enterprise. This process can be used to disable or remove plugins not being used.

a
Forescout must disable the Request Customer Verification setting.
CM-7 - Low - CCI-000382 - V-230960 - SV-230960r615886_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000382
Version
FORE-NM-000340
Vuln IDs
  • V-230960
Rule IDs
  • SV-230960r615886_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. This option connects to a user verification server at Forescout infrastructure used for verification of customer profiles and must not be used in DoD. If accidentally checked, this must error out.
Checks: C-33890r603719_chk

In the Password and Sessions login options, ensure "request customer verification" is not enabled. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 3. Ensure the option for "request customer verification" is unchecked. If the Request Customer Verification setting is enabled, this is a finding.

Fix: F-33863r603720_fix

In the Password and Sessions login options, disable the "request customer verification" option. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Ensure the option for "request customer verification" is unchecked.

c
Forescout must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - High - CCI-001967 - V-230961 - SV-230961r615886_rule
RMF Control
IA-3
Severity
High
CCI
CCI-001967
Version
FORE-NM-000350
Vuln IDs
  • V-230961
Rule IDs
  • SV-230961r615886_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-33891r603722_chk

Review the Forescout configuration to determine if the network device authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. 1. Select Tools &gt;&gt; Options &gt;&gt; Switch. 2. Select a network device and review the "SNMP" tab. 3. Verify that the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected. 4. Verify that the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box. If Forescout does not authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC), this is a finding.

Fix: F-33864r603723_fix

Configure Forescout to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. 1. Select Tools >> Options >> Switch. 2. Select a network device and review the "SNMP" tab. 3. Ensure the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected. 4. Ensure the "use privacy" radio button is selected and "AES-128" or higher is selected from the drop-down box.

b
Before establishing a connection with a Network Time Protocol (NTP) server, Forescout must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server.
IA-3 - Medium - CCI-001967 - V-230962 - SV-230962r615886_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
FORE-NM-000361
Vuln IDs
  • V-230962
Rule IDs
  • SV-230962r615886_rule
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source. Currently, AES block cipher algorithm is approved for use in DoD for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption). NTP devices use MD5 authentication keys. The MD5 algorithm is not specified in either the FIPS or NIST recommendation. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The product must be configured to support separate keys for each NTP server. Severs must have a PKI device certificate involved for use in the device authentication process. Configurable to use SHA-1 when SNMPv3 is configured which is recommended by the vendor and required by DoD. Vendor cautions that this may impact performance with other devices. Downgrade to not a finding if correctly configured.
Checks: C-33892r603725_chk

Review the Forescout configuration to determine if Forescout authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. 1. Select Tools &gt;&gt; Options &gt;&gt; Switch. 2. Select a network device and review the "SNMP" tab. 3. Verify the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected. 4. Verify the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box. If SNMPv3 with HMAC-SHA is configured, this is not a finding.

Fix: F-33865r603726_fix

Configure Forescout to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. 1. Select Tools >> Options >> Switch. 2. Select a network device and review the "SNMP" tab. 3. Ensure the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected. 4. Ensure the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box. Note: According to the vendor, this configuration uses SHA-1 for NTP configuration only when in FIPS mode. Use of SHA-2 for integrity processes usually incurs a finding, however this configuration sets AES-128. Thus, this vendor-recommended configuration is considered to mitigate the risk for NTP on Forescout only. This is specifically and only applicable to this requirement.

b
Forescout must enforce password complexity by requiring that at least one uppercase character be used.
IA-5 - Medium - CCI-000192 - V-230963 - SV-230963r615886_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
FORE-NM-000370
Vuln IDs
  • V-230963
Rule IDs
  • SV-230963r615886_rule
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and, where applicable, a root account. Passwords must only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-33893r603728_chk

1. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 2. Verify the first "password must contain at least" is checked. 3. Verify there is a minimum of one in the "upper case alphabetic characters" configuration box. If the Forescout does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Fix: F-33866r603729_fix

Configure Forescout to require a minimum of one upper-case character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the first "password must contain at least" option. 3. Add a 1 (or higher) in the "upper case alphabetic characters" configuration box.

b
Forescout must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-230964 - SV-230964r615886_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
FORE-NM-000380
Vuln IDs
  • V-230964
Rule IDs
  • SV-230964r615886_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-33894r603731_chk

1. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 2. Verify the second "password must contain at least" is checked. 3. Verify there is a minimum of one in the "lower case alphabetic characters" configuration box. If the Forescout does not enforce password complexity by requiring that at least one lower-case character be used, this is a finding.

Fix: F-33867r615882_fix

Configure Forescout to require a minimum of one lower-case character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the second "password must contain at least" option. 3. Add a 1 (or higher) in the "lower case alphabetic characters" configuration box.

b
Forescout must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-230965 - SV-230965r615886_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
FORE-NM-000390
Vuln IDs
  • V-230965
Rule IDs
  • SV-230965r615886_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-33895r603734_chk

Determine if the network device enforces a minimum 15-character password length. This requirement may be verified by demonstration or configuration review. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 3. Verify the "minimum length" is configured for "15". If Forescout does not enforce a minimum 15-character password length, this is a finding.

Fix: F-33868r603735_fix

Log on to the Forescout Administrator UI. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Configure the "minimum length" for "15".

b
Forescout must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-230966 - SV-230966r615886_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
FORE-NM-000400
Vuln IDs
  • V-230966
Rule IDs
  • SV-230966r615886_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-33896r603737_chk

1. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 2. Verify the third "password must contain at least" is checked. 3. Verify there is 1 (or higher) in the "digits" configuration box. If the Forescout does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Fix: F-33869r603738_fix

Configure Forescout to require a minimum of one numeric character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the third "password must contain at least" option. 3. Add a 1 (or higher) in the "digits" configuration box.

b
Forescout must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-230967 - SV-230967r615886_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
FORE-NM-000410
Vuln IDs
  • V-230967
Rule IDs
  • SV-230967r615886_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-33897r603740_chk

1. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 2. Verify the fourth "password must contain at least" is checked. 3. Verify there is 1 (or higher) in the "in the special character" configuration box. If the Forescout does not enforce password complexity by requiring that at least one special character be used, this is a finding.

Fix: F-33870r603741_fix

Configure Forescout to require a minimum of one special character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the fourth "password must contain at least" option. 3. Add a 1 (or higher) in the "in the special character" configuration box.

a
Forescout must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
IA-5 - Low - CCI-000195 - V-230968 - SV-230968r615886_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000195
Version
FORE-NM-000420
Vuln IDs
  • V-230968
Rule IDs
  • SV-230968r615886_rule
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-33898r603743_chk

1. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 2. Verify the fifth "password must contain at least" is checked. 3. Verify there is 1 (or higher) in the "repeated characters or digits" configuration box. If Forescout does not enforce the requirement that when the password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.

Fix: F-33871r603744_fix

Configure Forescout to be required that when a password is changed, the characters are changed in at least eight of the positions within the password. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the fifth "password must contain at least" option. 3. Add a 1 (or higher) in the "repeated characters or digits" configuration box.

c
Forescout must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
IA-7 - High - CCI-000803 - V-230969 - SV-230969r615886_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
FORE-NM-000430
Vuln IDs
  • V-230969
Rule IDs
  • SV-230969r615886_rule
Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.
Checks: C-33899r603746_chk

Log on using the CLIAdmin credentials established upon initial configuration. Verify FIPS mode by typing the command "fstool version". If Forescout does not use FIPS 140-2 approved algorithms for authentication to a cryptographic module, this is a finding.

Fix: F-33872r615884_fix

To enable FIPS mode on the Forescout appliance, start by opening a secure shell to the CLI of the management appliance using Putty or another tool. Log on using the CLIAdmin credentials established upon initial configuration. To enable FIPS mode, type "fstool fips". At the prompt to alert the user FIPS 140-2 will be enabled, type "Yes" to accept. Note: Use of FIPS mode is not mandatory in DoD. However, it is the primary method for mitigation of this requirement and ensuring FIPS compliance.

c
Forescout must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-230970 - SV-230970r615886_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
FORE-NM-000440
Vuln IDs
  • V-230970
Rule IDs
  • SV-230970r615886_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-33900r603749_chk

To verify the device is configured to terminate management sessions after 10 minutes of inactivity, verify the timeout value is configured. 1. Go to the Enterprise Manager Console. 2. From the menu, select Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles &gt;&gt; Password and Sessions. 3. Verify the "User Inactivity Timeout" check box is selected and the associated setting is set to "10 minutes". If applicable, verify exceptions to this requirement are documented and signed. If Forescout does not terminate the connection associated with an Enterprise Manager Console at the end of the session or after 10 minutes of inactivity, this is a finding.

Fix: F-33873r603750_fix

Forescout is inherently designed to terminate upon exit or session disconnection, thus this part of the requirement does not have a fix. To configure Forescout to terminate the connection after 10 minutes of inactivity perform the following steps. 1. Go to the Enterprise Manager Console. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Ensure the "User In-activity Timeout" check box is selected and the associated setting is set to "10 minutes".

c
Forescout must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
SC-28 - High - CCI-001199 - V-230971 - SV-230971r615886_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
FORE-NM-000450
Vuln IDs
  • V-230971
Rule IDs
  • SV-230971r615886_rule
This requirement addresses the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device. Files on the network device or on removable media used by the device must have their permissions set to allow read or write access to those accounts specifically authorized to access or change them. Note that different administrative accounts or roles will have varying levels of access. File permissions must be set so that only authorized administrators can read or change their contents. Whenever files are written to removable media and the media removed from the device, the media must be handled appropriately for the classification and sensitivity of the data stored on the device.
Checks: C-33901r603752_chk

List the contents of Forescout’s local storage, including any drives supporting removable media (such as flash drives), and check the file permissions of all files on those drives. 1. Review accounts with incorrect update privileges to Forescout appliance configuration by selecting Tools &gt;&gt; Options &gt;&gt; CounterACT User Profiles. 2. Select a user to edit. 3. Select the "Permissions" tab. 4. Verify the "CounterAct Appliance Configuration" and "CounterACT Appliance Control" radio buttons are set to "View only". If any files allow read or write access by accounts not specifically authorized access or access using non-privileged accounts, this is a finding.

Fix: F-33874r603753_fix

Review the SSP or other documentation for a list of user accounts and privileges. Set the file permissions on files on Forescout or on removable media used by the device so that only authorized administrators can read or change their contents. This is completed by limiting access to SUDO accounts and command line admin accounts. 1. Review accounts with incorrect update privileges to Forescout appliance configuration by selecting Tools >> Options >> CounterACT User Profiles. 2. Select a user to edit. 3. Select the "Permissions" tab. 4. Ensure the "CounterACT Appliance Configuration" and "CounterACT Appliance Control" radio buttons are set to "View only".

c
Forescout must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the Information System Security Officer (ISSO).
SI-2 - High - CCI-002605 - V-230972 - SV-230972r615886_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
FORE-NM-000460
Vuln IDs
  • V-230972
Rule IDs
  • SV-230972r615886_rule
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
Checks: C-33902r603755_chk

Check the Forescout logs periodically to ensure proper auditing functions are still enabled and have not been changed. A proper security policy performs periodic checks to help ensure the proper information is being gathered in the event of a security breach, or internal/external threat. If the Forescout auditing functions are disabled or have been changed, this is a finding.

Fix: F-33875r603756_fix

Establish and document a procedure that periodically checks to ensure audit logs are in keeping with the security best practices of detailed security audit logs. 1. Log on to the Forescout UI. 2. Select Tools >> Options >> Modules >> Syslog >> Add. 3. Configure the: Server Address Server Port Select Use TLS 4. Configure Identify, Facility, and Severity and then select OK >> Apply.