Google Search Appliance Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2015-07-07

Developed by Microsoft in coordination with DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Google Search Appliances providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.
AC-17 - Medium - CCI-000068 - V-60395 - SV-74825r1_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
GSAP-00-000030
Vuln IDs
  • V-60395
Rule IDs
  • SV-74825r1_rule
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection.
Checks: C-61359r2_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Click Administration >> Remote Support. If "Enable SSH for Remote Support" is unchecked, this is not a finding.

Fix: F-66053r3_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Click Administration >> Remote Support. Uncheck the option "Enable SSH for Remote Support". Click Update.

Google Search Appliances must provide automated mechanisms for supporting user account management. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities.
AC-2 - Medium - CCI-000015 - V-60717 - SV-75169r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
GSAP-00-000075
Vuln IDs
  • V-60717
Rule IDs
  • SV-75169r1_rule
A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. Examples include but are not limited to using automation to take action on multiple accounts designated as inactive, suspended or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. Enterprise environments make application user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements.
Checks: C-61663r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Click Administration >> LDAP Setup. If valid LDAP information is entered, this is not a finding.

Fix: F-66397r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Click Administration >> LDAP Setup. Click Create.

In the LDAP Directory Server Address section, enter the following information:
  • Host - The LDAP directory server's host name, which is a fully-qualified domain name or an IPv4 address.
  • Port number (optional) - The port number on which the LDAP server listens for requests.

If the LDAP server does not allow anonymous users to search, enter the user credentials that the search appliance uses when logging in to the LDAP server:
  • Distinguished Name (DN) - A login on the LDAP server to which the search appliance connects to send authentication requests. If the LDAP server supports anonymous binds (authentication requests), the site does not need to specify a DN.
  • Password (optional) - The password for the DN.

Click Continue. The search appliance attempts to auto-detect the LDAP Search Base, the User Search Filter, the Group Search Filter, the Returned group format, and whether SSL support exists, and displays what it has detected. The advanced settings appear.

If the LDAP server is used to authenticate administrators to the search appliance, specify the LDAP groups against which they will be authenticated:
  • Superuser Group - Any member of this group is considered an Admin Console administrator.
  • Manager Group - Any member of this group is considered an Admin Console manager.
An example of a superuser group name is "GSAAdmins" and an example of a manager group name is "GSAManagers." As shown in these examples, do not specify the entire DN in group names.

Test the LDAP server settings for a potential search user by entering the following information in the LDAP Search User Authentication Test box and clicking Test LDAP Settings:
  • Username - The user name that enables the search appliance to connect to the LDAP server (relative to the search base).
  • Password - The password for that user name.

Related tasks: configuring one or more LDAP servers on a search appliance, editing an LDAP server configuration, deleting an LDAP server configuration.

Notes: Configure an LDAP server if possible. LDAP (Lightweight Directory Access Protocol) is used to authenticate users before returning secure search results. When a user connects to the Google Search Appliance and requests a search for secure results, the search appliance asks the user for credentials. These credentials are then forwarded to the LDAP server for validation. The user can use either LDAP or Kerberos, but not both.

Google Search Appliance users must utilize a separate, distinct administrative account when accessing application security functions or security-relevant information. Non-privileged accounts must be utilized when accessing non-administrative application functions. The application must provide this functionality itself or leverage an existing technology providing this capability.
AC-6 - Medium - CCI-000040 - V-60719 - SV-75171r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-000040
Version
GSAP-00-000135
Vuln IDs
  • V-60719
Rule IDs
  • SV-75171r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy such as Role Based Access Control (RBAC) is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Audit of privileged activity may require physical separation employing information systems on which the user does not have privileged access. To limit exposure and provide forensic history of activity when operating from within a privileged account or role, the application must support organizational requirements that users of information system accounts, or roles, with access to organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions. If feasible, applications should provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
Checks: C-61665r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA Admin Console. Select "Administration". Select "User Accounts". If there are appropriate "manager" and "admin" accounts per site-specific organizational requirement guidance, this is not a finding.

Fix: F-66399r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA Admin Console. Select "Administration". Select "User Accounts". Create the appropriate "manager" and "admin" accounts per site-specific organizational requirement guidance.

Google Search Appliances must have the capability to limit the number of failed logon attempts to 3 attempts in 15 minutes.
AC-7 - Medium - CCI-000044 - V-60721 - SV-75173r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
GSAP-00-000140
Vuln IDs
  • V-60721
Rule IDs
  • SV-75173r1_rule
Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-61667r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings" - If "Use strict password checking" is checked, this is not a finding.

Fix: F-66401r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings" - Enable the option "Use strict password checking". Click Save.

The Google Search Appliance must enforce the 15 minute time period during which the limit of consecutive invalid access attempts by a user is counted.
AC-7 - Medium - CCI-001452 - V-60723 - SV-75175r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-001452
Version
GSAP-00-000145
Vuln IDs
  • V-60723
Rule IDs
  • SV-75175r1_rule
Anytime an authentication method is exposed, so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To aid in defeating these attempts, organizations define the number of times that a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-61669r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings" - If "Use strict password checking" is checked, this is not a finding.

Fix: F-66403r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings" - Enable the option "Use strict password checking". Click Save.

Google Search Appliances, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator IAW organizational policy.
AC-7 - Medium - CCI-000047 - V-60725 - SV-75177r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000047
Version
GSAP-00-000150
Vuln IDs
  • V-60725
Rule IDs
  • SV-75177r1_rule
Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-61671r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings" - If "Use strict password checking" is checked, this is not a finding.

Fix: F-66405r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings" - Enable the option "Use strict password checking". Click Save.

Google Search Appliances must display an approved system use notification message or banner before granting access to the system.
AC-8 - Medium - CCI-000048 - V-60727 - SV-75179r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
GSAP-00-000155
Vuln IDs
  • V-60727
Rule IDs
  • SV-75179r1_rule
Applications are required to display an approved system use notification message or banner before granting access to the system providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) the use of the system indicates consent to monitoring and recording.

System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.

Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

For Blackberries and other PDAs/PEDs with severe character limitations use the following: "I've read & consent to terms in IS user agreem't."
Checks: C-61673r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Login Terms". If "Enable Login Terms Banner" is checked, this is not a finding.

Fix: F-66407r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Login Terms". Enable the option "Enable Login Terms Banner". Enter banner information. Click Save.

Notes: DoD Login Banners:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR

I've read & consent to terms in IS user agreem't.

The Google Search Appliance must retain the notification message or banner on the screen until users take explicit actions to log on to or further access the system.
AC-8 - Medium - CCI-000050 - V-60729 - SV-75181r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
GSAP-00-000160
Vuln IDs
  • V-60729
Rule IDs
  • SV-75181r1_rule
To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner must prevent further activity on the application unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". The text of this banner should be customizable in the event of future user agreement changes.
Checks: C-61675r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Login Terms". If "Enable Login Terms Banner" is checked, this is not a finding.

Fix: F-66409r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Login Terms". Enable the option "Enable Login Terms Banner". Enter banner information. Click Save.

Notes: DoD Login Banners:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Google Search Appliances must display an approved system use notification message or banner before granting access to the system.
AC-8 - Medium - CCI-001384 - V-60731 - SV-75183r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-001384
Version
GSAP-00-000165
Vuln IDs
  • V-60731
Rule IDs
  • SV-75183r1_rule
Applications must display an approved system use notification message or banner before granting access to the system. The banner must be formatted in accordance with the DoD policy "Use of DoD Information Systems - Standard Consent and User Agreement". The message banner shall provide privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and shall state that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and is subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; (iv) the use of the system indicates consent to monitoring and recording; (v) in the notice given to public users of the information system, shall provide a description of the authorized uses of the system.

System use notification messages are implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.

The banner shall state:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Checks: C-61677r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Login Terms". If "Enable Login Terms Banner" is checked, this is not a finding.

Fix: F-66411r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Login Terms". Enable the option "Enable Login Terms Banner". Enter banner information. Click Save.

Notes: DoD Login Banners:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR

I've read & consent to terms in IS user agreem't.

To support DoD requirements to centrally manage the content of audit records, Google Search Appliances must provide the ability to write specified audit record content to a centralized audit log repository.
AU-3 - Medium - CCI-000136 - V-60733 - SV-75185r1_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000136
Version
GSAP-00-000265
Vuln IDs
  • V-60733
Rule IDs
  • SV-75185r1_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, and access control or flow control rules invoked. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. When organizations define application components requiring centralized audit log management, applications need to support that requirement.
Checks: C-61679r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Network Settings". If a valid Syslog server is entered, this is not a finding.

Fix: F-66413r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "Network Settings". Enter valid Syslog server information. Click Save.

Notes: With centralized logging, the search appliance logs user search queries to the syslog server. If the Syslog Server value is set, the search appliance sends the log messages to the syslog server every five minutes, assigning the messages the priority "Informational." If there were no new searches between the previous run and the new run, the search appliance does not send anything to the syslog server.

The Google Search Appliance must provide a real-time alert when all audit failure events occur.
AU-5 - Medium - CCI-000144 - V-60747 - SV-75199r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000144
Version
GSAP-00-000275
Vuln IDs
  • V-60747
Rule IDs
  • SV-75199r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations must define audit failure events requiring an application to send an alarm. When those defined events occur, the application will provide a real-time alert to the appropriate personnel.
Checks: C-61681r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "System Settings". If only valid email addresses are entered, this is not a finding.

Fix: F-66427r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "System Settings". Enter the valid email addresses to which audit failure notifications are to be sent for review.

The Google Search Appliance must alert designated organizational officials in the event of an audit processing failure.
AU-5 - Medium - CCI-000139 - V-60749 - SV-75201r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
GSAP-00-000280
Vuln IDs
  • V-60749
Rule IDs
  • SV-75201r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Checks: C-61683r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "System Settings". If valid email addresses are entered, this is not a finding.

Fix: F-66429r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "System Settings". Enter the valid email addresses to which audit failure notifications are to be sent for review.

The Google Search Appliance must be capable of taking organization-defined actions upon audit failure (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure).
AU-5 - Medium - CCI-000140 - V-60751 - SV-75203r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
GSAP-00-000285
Vuln IDs
  • V-60751
Rule IDs
  • SV-75203r1_rule
It is critical that, when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Applications are required to be capable of either directly performing, or calling system-level functionality that performs, defined actions upon detection of an application audit log processing failure.
Checks: C-61685r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "System Settings". If valid email addresses are entered, this is not a finding.

Fix: F-66431r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log in to the GSA management interface. Navigate to "Administration", select "System Settings". Enter the valid email addresses to which audit failure notifications are to be sent for review.

The Google Search Appliance must synchronize with internal information system clocks which in turn, are synchronized on a 24 hour frequency with a 24 hour authoritative time source.
AU-8 - Medium - CCI-000160 - V-60753 - SV-75205r1_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-000160
Version
GSAP-00-000325
Vuln IDs
  • V-60753
Rule IDs
  • SV-75205r1_rule
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet that requirement the organization will define an authoritative time source and frequency to which each system will synchronize its internal clock. An example is utilizing the NTP protocol to synchronize with centralized NTP servers. Time stamps generated by the information system must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Applications not purposed to provide NTP services should not try to compete with or replace NTP functionality and should synchronize with internal information system clocks that are in turn synchronized with an organization defined authoritative time source.
Checks: C-61687r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". If there are valid entries for all DNS servers, DNS suffixes, SMTP servers, and NTP servers, this is not a finding.

Fix: F-66433r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". Ensure that valid entries are present for all DNS servers, DNS suffixes, SMTP servers, and NTP servers.

b
The Google Search Appliance must support the requirement to back up audit data and records onto a different system or media than the system being audited at least every seven days.
AU-9 - Medium - CCI-001348 - V-60767 - SV-75219r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
GSAP-00-000360
Vuln IDs
  • V-60767
Rule IDs
  • SV-75219r1_rule
Protection of log data includes assuring that log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited, at an organizationally defined frequency, helps to assure that, in the event of a catastrophic system failure, the audit records will be retained.
Checks: C-61689r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". If the "Facility" setting is enabled, this is not a finding.

Fix: F-66447r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". Ensure that the "Facility" setting is enabled. Click Save.

b
The Google Search Appliance must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-60769 - SV-75221r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
GSAP-00-000455
Vuln IDs
  • V-60769
Rule IDs
  • SV-75221r1_rule
To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-61691r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA Admin Console. Select "Administration". Select "User Accounts". If there are individual "manager" and "admin" accounts per site-specific organizational requirements, this is not a finding.

Fix: F-66449r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA Admin Console. Select "Administration". Select "User Accounts". Create appropriate "manager" and "admin" accounts per site-specific organizational requirement guidance.

c
The Google Search Appliance must be configured to prevent browsers from saving user credentials.
CM-6 - High - CCI-000366 - V-60771 - SV-75223r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GSAP-00-000515
Vuln IDs
  • V-60771
Rule IDs
  • SV-75223r1_rule
Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. The W3C defines a web service as: "a software system designed to support interoperable machine to machine interaction over a network. It has an interface described in a machine processable format (specifically Web Services Description Language or WSDL). Other systems interact with the web service in a manner prescribed by its description using SOAP messages typically conveyed using HTTP with an XML serialization in conjunction with other web-related standards". Web services provide different challenges in managing access than what is presented by typical user based applications. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. In contrast to conventional approaches to identification and authentication which employ static information system accounts for preregistered users, many service-oriented architecture implementations rely on establishing identities at run time for entities that were previously unknown. Dynamic establishment of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.
Checks: C-61693r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Prevent browsers from saving user credentials on the Admin Console and Version Manager login pages" is checked, this is not a finding.

Fix: F-66451r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Prevent browsers from saving user credentials on the Admin Console and Version Manager login pages". Click Save.

b
The Google Search Appliance must support DoD requirements to enforce minimum password length.
IA-5 - Medium - CCI-000205 - V-60773 - SV-75225r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
GSAP-00-000525
Vuln IDs
  • V-60773
Rule IDs
  • SV-75225r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-61695r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Use strict password checking" is checked, this is not a finding.

Fix: F-66453r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Use strict password checking". Click Save.

b
The Google Search Appliance must support DoD requirements to enforce password complexity by the number of upper case characters used.
IA-5 - Medium - CCI-000192 - V-60775 - SV-75227r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
GSAP-00-000535
Vuln IDs
  • V-60775
Rule IDs
  • SV-75227r1_rule
Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password.
Checks: C-61697r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Use strict password checking" is checked, this is not a finding.

Fix: F-66455r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Use strict password checking". Click Save.

b
The Google Search Appliance must support DoD requirements to enforce password complexity by the number of lower case characters used.
IA-5 - Medium - CCI-000193 - V-60777 - SV-75229r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
GSAP-00-000540
Vuln IDs
  • V-60777
Rule IDs
  • SV-75229r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password.
Checks: C-61699r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Use strict password checking" is checked, this is not a finding.

Fix: F-66457r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Use strict password checking". Click Save.

b
The Google Search Appliance must support DoD requirements to enforce password complexity by the number of numeric characters used.
IA-5 - Medium - CCI-000194 - V-60779 - SV-75231r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
GSAP-00-000545
Vuln IDs
  • V-60779
Rule IDs
  • SV-75231r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password.
Checks: C-61701r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Use strict password checking" is checked, this is not a finding.

Fix: F-66459r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Use strict password checking". Click Save.

b
The Google Search Appliance must support DoD requirements to enforce password complexity by the number of special characters used.
IA-5 - Medium - CCI-001619 - V-60783 - SV-75235r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
GSAP-00-000550
Vuln IDs
  • V-60783
Rule IDs
  • SV-75235r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password.
Checks: C-61707r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Use strict password checking" is checked, this is not a finding.

Fix: F-66465r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Use strict password checking". Click Save.

b
The Google Search Appliance must support organizational requirements to enforce password encryption for transmission.
IA-5 - Medium - CCI-000197 - V-60785 - SV-75237r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
GSAP-00-000565
Vuln IDs
  • V-60785
Rule IDs
  • SV-75237r1_rule
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission.
Checks: C-61709r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "SSL Settings". Under "Other Settings", if "Use HTTPS when serving both public and secure results" is checked, this is not a finding.

Fix: F-66467r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "SSL Settings". Under "Other Settings", enable the option "Use HTTPS when serving both public and secure results". Click Save.

b
Google Search Appliances must enforce password minimum lifetime restrictions.
IA-5 - Medium - CCI-000198 - V-60787 - SV-75239r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
GSAP-00-000570
Vuln IDs
  • V-60787
Rule IDs
  • SV-75239r1_rule
Password minimum lifetime is defined as the minimum period of time (typically in days) a user's password must be in effect before the user can change it. Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time so as to defeat the organization's policy regarding password reuse. This would allow users to keep using the same password over and over again by immediately changing their password X number of times. This would effectively negate password policy.
Checks: C-61711r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", if "Use strict password checking" is checked, this is not a finding.

Fix: F-66469r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "User Accounts". Under "Other Settings", enable the option "Use strict password checking". Click Save.

b
The Google Search Appliances must respond to security function anomalies by notifying the system administrator.
SI-6 - Medium - CCI-001674 - V-60789 - SV-75241r1_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001674
Version
GSAP-00-000660
Vuln IDs
  • V-60789
Rule IDs
  • SV-75241r1_rule
The need to verify security functionality applies to all security functions. For those security functions not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort.
Checks: C-61713r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". Ensure that a valid Syslog server is entered correctly. If events are sent to and recorded on the Syslog server, this is not a finding.

Fix: F-66471r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". Enter a valid Syslog server. Ensure that events are sent to and recorded on the Syslog server.

b
Google Search Appliance must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication.
SC-23 - Medium - CCI-001184 - V-60791 - SV-75243r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
GSAP-00-000745
Vuln IDs
  • V-60791
Rule IDs
  • SV-75243r1_rule
This control focuses on communications protection at the session level, versus the packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).
Checks: C-61715r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "SSL Settings". If "Enable Server Certificate Authentication" is checked, this is not a finding.

Fix: F-66473r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "SSL Settings". Enable the option "Enable Server Certificate Authentication".

b
The Google Search Appliance must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.
SI-4 - Medium - CCI-001274 - V-60793 - SV-75245r1_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-001274
Version
GSAP-00-000820
Vuln IDs
  • V-60793
Rule IDs
  • SV-75245r1_rule
Applications will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within the application. This information can then be used for diagnostic purposes, forensics purposes or other purposes relevant to ensuring the availability and integrity of the application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Solutions that include a manual notification procedure do not offer the reliability and speed of an automated notification solution. Applications must employ automated mechanisms to alert security personnel of inappropriate or unusual activities that have security implications. If this capability is not built directly into the application, the application must be able to integrate with existing security infrastructure that provides this capability.
Checks: C-61717r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". If "Enable Daily Status Email Messages" is checked and a valid administrator email address is entered, this is not a finding.

Fix: F-66475r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". Select "Enable Daily Status Email Messages" and enter a valid administrator email address.

b
The Google Search Appliance must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
SC-9 - Medium - CCI-001131 - V-60795 - SV-75247r1_rule
RMF Control
SC-9
Severity
Medium
CCI
CCI-001131
Version
GSAP-00-000910
Vuln IDs
  • V-60795
Rule IDs
  • SV-75247r1_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or an IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. Inasmuch as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTISSI No. 7003 for additional details on a PDS.
Checks: C-61719r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "SSL Settings". Under "Other Settings", if "Use HTTPS when serving both public and secure results" is checked, this is not a finding.

Fix: F-66477r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "SSL Settings". Under "Other Settings", select "Use HTTPS when serving both public and secure results".

b
The Google Search Appliance must notify appropriate individuals when accounts are created.
AC-2 - Medium - CCI-001683 - V-60797 - SV-75249r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001683
Version
GSAP-00-001025
Vuln IDs
  • V-60797
Rule IDs
  • SV-75249r1_rule
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure that an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Examples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP. Applications must support the requirement to notify appropriate individuals upon account creation.
Checks: C-61721r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". If "Enable Daily Status Email Messages" is checked and a valid administrator email address is entered, this is not a finding.

Fix: F-66479r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". Select "Enable Daily Status Email Messages" and enter a valid administrator email address.

b
The Google Search Appliance must notify appropriate individuals when accounts are modified.
AC-2 - Medium - CCI-001684 - V-60799 - SV-75251r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001684
Version
GSAP-00-001030
Vuln IDs
  • V-60799
Rule IDs
  • SV-75251r1_rule
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify or copy an existing account. Notification of account modification is one method and best practice for mitigating this risk. A comprehensive account management process will ensure that an audit trail which documents the modification of application user accounts and notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created or modified and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Examples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP. Applications must support the requirement to notify appropriate individuals when accounts are modified.
Checks: C-61723r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". If "Enable Daily Status Email Messages" is checked and a valid administrator email address is entered, this is not a finding.

Fix: F-66481r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". Select "Enable Daily Status Email Messages" and enter a valid administrator email address.

b
The Google Search Appliance must notify appropriate individuals when account disabling actions are taken.
AC-2 - Medium - CCI-001685 - V-60801 - SV-75253r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001685
Version
GSAP-00-001035
Vuln IDs
  • V-60801
Rule IDs
  • SV-75253r1_rule
When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address the multitude of policy-based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Examples of enterprise-level authentication/access mechanisms include but are not limited to Active Directory and LDAP. Applications must notify, or leverage other mechanisms that notify, the appropriate individuals when account disabling actions are taken.
Checks: C-61725r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". If "Enable Daily Status Email Messages" is checked and a valid administrator email address is entered, this is not a finding.

Fix: F-66483r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". Select "Enable Daily Status Email Messages" and enter a valid administrator email address.

b
The Google Search Appliance must notify appropriate individuals when accounts are terminated.
AC-2 - Medium - CCI-001686 - V-60803 - SV-75255r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001686
Version
GSAP-00-001040
Vuln IDs
  • V-60803
Rule IDs
  • SV-75255r1_rule
When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals when an account is terminated so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address the multitude of policy based audit requirements, and to ease the burden of meeting these requirements, many application developers choose to integrate their applications with enterprise level authentication/access/audit mechanisms that meet or exceed access control policy requirements. Examples include but are not limited to Active Directory and LDAP. The application must automatically notify the appropriate individuals when accounts are terminated.
Checks: C-61727r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". If "Enable Daily Status Email Messages" is checked and a valid administrator email address is entered, this is not a finding.

Fix: F-66485r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "System Settings". Select "Enable Daily Status Email Messages" and enter a valid administrator email address.

b
The Google Search Appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. IP restriction must be implemented.
CM-6 - Medium - CCI-000366 - V-60805 - SV-75257r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GSAP-00-001045
Vuln IDs
  • V-60805
Rule IDs
  • SV-75257r1_rule
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Checks: C-61729r1_chk

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". In the "Static Routes" field, ensure the required static routes are entered with one route per line. If the proper destination host or network IP address, netmask, and destination gateway for each static route are entered, this is not a finding.

Fix: F-66487r1_fix

Open the GSA Web Admin Console at https://<your GSA IP or hostname>:8443. Log on to the GSA management interface. Navigate to "Administration", select "Network Settings". In the "Static Routes" field, ensure the required static routes are entered with one route per line. Ensure that the destination host or network IP address, netmask, and destination gateway for a particular static route are entered on one line with a space between each part of the route. Click Update Setting and Perform Diagnostics.
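The "Static Routes" field above takes one route per line as destination, netmask and gateway separated by spaces. As an added example (not part of this STIG or of the GSA product), the following Python pre-checks a pasted block of routes before it is entered in the console, rejecting lines that are malformed or whose destination has host bits set beyond the netmask; it assumes IPv4 routes and a route list constructed here for illustration.

```python
import ipaddress

# Constructed sample of a "Static Routes" field, one route per line:
# "<destination host or network IP> <netmask> <gateway>".
# Lines 3-5 are deliberately wrong to exercise the checks below.
SAMPLE_ROUTES = """\
10.20.0.0 255.255.0.0 192.0.2.1
192.0.2.50 255.255.255.255 192.0.2.1
172.16.5.7 255.255.255.0 192.0.2.1
10.30.0.0 255.255.0.0
10.40.0.0 255.255.0.0 not-an-ip
"""


def parse_static_routes(text):
    """Validate a block of static routes (IPv4 assumed).

    Returns (routes, errors): routes is a list of (IPv4Network, IPv4Address)
    for each well-formed line; errors is a list of (line_number, message)
    for lines that should be corrected before saving the setting.
    """
    routes, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no route
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 space-separated fields: "
                                   "destination netmask gateway"))
            continue
        dest, mask, gw = parts
        try:
            # strict=True rejects a network destination with host bits set;
            # a host route uses netmask 255.255.255.255 and always passes.
            network = ipaddress.IPv4Network((dest, mask), strict=True)
        except ValueError as exc:
            errors.append((lineno, f"bad destination/netmask: {exc}"))
            continue
        try:
            gateway = ipaddress.IPv4Address(gw)
        except ValueError:
            errors.append((lineno, f"bad gateway address: {gw}"))
            continue
        routes.append((network, gateway))
    return routes, errors


if __name__ == "__main__":
    ok, bad = parse_static_routes(SAMPLE_ROUTES)
    for network, gateway in ok:
        print(f"route {network} via {gateway}")
    for lineno, message in bad:
        print(f"line {lineno}: {message}")
```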