Verify that the CLISH has a max number of SSH sessions enabled.
1. Log in to the Sentry System Manager.
2. Go to Settings >> CLI.
3. Verify a Max SSH Sessions integer (1-10) is set based on security guidance.
If the Max SSH Sessions integer is not set correctly, this is a finding.

Configure the CLISH with a max number of SSH sessions.
1. Log in to the Sentry System Manager.
2. Go to Settings >> CLI.
3. Configure a Max SSH Sessions integer (1-10) based on security guidance.
4. Click "Apply" and "Save" in the top right corner.

Verify that a secondary interface has been added for System Manager Portal access to Sentry.
1. Log in to the Sentry System Manager.
2. Go to Settings >> Network >> Interfaces.
3. Verify a Management Interface for internal access to the System Manager Portal has been added as one of the interfaces.
If the Management Interface for internal access to the System Manager Portal has not been added as one of the interfaces, this is a finding.

Configure a secondary interface for System Manager Portal access to Sentry.
1. Log in to the Sentry System Manager.
2. Go to Settings >> Network >> Interfaces.
3. Click an open Physical Interface such as GigabitEthernet2.
4. Configure a Management Interface for internal access to the System Manager Portal (refer to the "MobileIron Standalone Sentry 9.8.0 Installation Guide", Physical Interfaces section, for more information).

Verify the System Manager Timeout is set to 15 minutes.
1. Log in to the Sentry System Manager.
2. Navigate to Settings >> Timeout.
3. Verify the System Manager timeout is set to 15.
If the System Manager timeout is not set to 15, this is a finding.

Set the System Manager Timeout to 15 minutes.
1. Log in to the Sentry System Manager.
2. Navigate to Settings >> Timeout.
3. Configure the System Manager timeout to 15.
4. Click "Apply" and "Save" in the top right corner.

Review Sentry configuration to determine if it enforces approved authorizations for controlling the flow of management information within the network. Sentry receives a request from MobileIron Core and enforces verification before handling the request to validate that it is from a trusted MobileIron Core. Therefore, if the deployment uses MobileIron Core, verify that Sentry trusts MobileIron Core in the deployment:
1. Run the following command in the Sentry CLI:
   show sentry EMM-source-verify
   If this is set to "false", this is a finding.
2. Run the following command in the Sentry CLI:
   show sentry emm-ips
   If the Core IP is not specified, this is a finding.
3. Verify Sentry has an ACL for Core in the Sentry System Manager. Then:
   1. In the Standalone Sentry System Manager, go to Security >> Access Control Lists.
   2. Verify that an ACL is created for Core. If it is not, this is a finding.
   3. Determine if Sentry is configured with specified backend services such as Exchange ActiveSync or App Tunnels. If the backend service is not specified, this is a finding.
Refer to the sections "Configuring Standalone Sentry for ActiveSync" and "Configuring Standalone Sentry for AppTunnel" in the "Sentry 9.8 Guide for MobileIron Core" to ensure these services are configured in the Sentry settings in Core where applicable.

Configure Sentry to enforce approved authorizations for controlling the flow of management information within the network device. Sentry receives a request from MobileIron Core and enforces verification before handling the request to validate that it is from a trusted MobileIron Core. Therefore, if the deployment uses MobileIron Core, to ensure that Sentry trusts MobileIron Core in the deployment, run the following commands in the Sentry CLI:
1. sentry emm-source-verify true
2. sentry emm-ips <subnet_list>
3. Access can be further restricted by creating ACLs in the Sentry System Manager. Then:
   1. In the Standalone Sentry System Manager, go to Security >> Access Control Lists.
   2. Click "Add".
   3. In the "Name" field, enter a name to identify the ACL.
   4. In the "Description" field, enter text to clarify the purpose of the ACL.
   5. Click "Save".
   6. Select the new ACL that was created and click it, which opens a Modify ACL dialog box.
   7. Click "Add" to add an access control entry (ACE) to the ACL. Each ACE consists of a combination of the network hosts and services that were configured for use in ACLs.
   8. Use the following guidelines to complete the form:
      - Source Network
      - Destination Network
      - Service
      - Action: select Permit or Deny from the dropdown list.
      - Connections Per Minute
   9. Click "Save".
   10. Configure Sentry with specified backend services such as Exchange ActiveSync or App Tunnels.
Refer to the sections "Configuring Standalone Sentry for ActiveSync" and "Configuring Standalone Sentry for AppTunnel" in the "Sentry 9.8 Guide for MobileIron Core" to ensure these services are configured in the Sentry settings in Core where applicable.

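The two CLI checks above (emm-source-verify must be true, and the Core IP must be covered by emm-ips) can be evaluated from captured command output. This is an added example, not code from the STIG or from MobileIron: the "name: value" output layout, the sample captures and the Core address 10.20.30.7 are constructed assumptions, and the subnet test follows from the fix text, which sets emm-ips to a subnet list.

```python
"""Evaluate the Sentry Core-trust CLI checks from captured command output.

Added example: the real "show sentry ..." output layout is not shown in the
STIG, so a simple "name: value" line is assumed for both commands.
"""
import ipaddress
import re

# Constructed sample captures (not real Sentry output) of
#   show sentry EMM-source-verify
#   show sentry emm-ips
SAMPLE_SOURCE_VERIFY = "sentry emm-source-verify: true\n"
SAMPLE_EMM_IPS = "sentry emm-ips: 10.20.30.0/24, 192.0.2.15\n"
CORE_IP = "10.20.30.7"  # constructed address of the MobileIron Core


def parse_source_verify(output: str) -> bool:
    """True only when the captured emm-source-verify value is literally 'true'."""
    m = re.search(r"emm-source-verify\s*[:=]?\s*(\S+)", output, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "true"


def parse_emm_ips(output: str) -> list:
    """Collect every host address or subnet token from the emm-ips capture."""
    nets = []
    for token in re.split(r"[\s,]+", output.strip()):
        try:
            # strict=False accepts host bits in a prefix, e.g. 10.20.30.7/24
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # labels such as "sentry" or "emm-ips:" are not addresses
    return nets


def core_ip_listed(output: str, core_ip: str) -> bool:
    """True when the Core IP is covered by emm-ips, as a host or inside a subnet.

    The fix sets emm-ips to a subnet list, so a plain string match on the
    Core address would miss a Core that is covered by a prefix.
    """
    core = ipaddress.ip_address(core_ip)
    return any(core in net for net in parse_emm_ips(output))


def audit_core_trust(source_verify_output: str, emm_ips_output: str, core_ip: str) -> list:
    """Return the finding strings the check would raise (empty list = compliant)."""
    findings = []
    if not parse_source_verify(source_verify_output):
        findings.append("emm-source-verify is not true: requests are not verified "
                        "as coming from a trusted MobileIron Core")
    if not core_ip_listed(emm_ips_output, core_ip):
        findings.append(f"Core IP {core_ip} is not specified in emm-ips")
    return findings


if __name__ == "__main__":
    for line in audit_core_trust(SAMPLE_SOURCE_VERIFY, SAMPLE_EMM_IPS, CORE_IP) or ["no findings"]:
        print(line)
```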
Review Sentry configuration to verify that it enforces the limit of three consecutive invalid logon attempts.
1. Log in to the Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to "Password Policy".
4. Look for "Number of Failed Attempts" and determine if the value is set to 3. If it is not, this is a finding.
5. Verify the Auto-Lock Time value is set to 900 seconds or more. If the Auto-Lock Time is not set to 900 seconds or more, this is a finding.

Configure Sentry to enforce the limit of three consecutive invalid login attempts during a 15-minute time period.
1. Log in to the Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to "Password Policy".
4. For "Number of Failed Attempts", set the value to 3.
5. For "Auto-Lock Time", set the value to 900 seconds or more.

Verify that Sentry displays "I've read and consent to terms in IS user agreem't" when logging in to the command line.
1. Log in to the Sentry System Manager or the CLI interface.
2. Verify the required login banner is displayed.
If the banner is not shown, this is a finding.

Configure Sentry to display "I've read and consent to terms in IS user agreem't" when logging in to the command line.
1. Log in to the Sentry System Manager.
2. Go to Settings >> Login.
3. Add the required login banner to the "Text to Display" box.
4. Click "Apply".

Review the Sentry configuration to ensure Certificate Authentication has been configured.
1. Log in to the Sentry System Manager.
2. Go to Security tab >> Advanced >> Sign-in Authentication.
3. Determine if Certificate Authentication is activated and configured.
If Certificate Authentication is not activated and configured, this is a finding.

Configure the Sentry with DOD PKI-based Certificate Authentication.
1. Log in to the Sentry System Manager.
2. Go to Security tab >> Advanced >> Sign-in Authentication.
3. Select the Certificate Authentication checkbox.
4. Select the CAC or PIV checkbox.
5. Map user certificate fields in the Certificate Attribute Mapping section based on the organization's certificates.
6. Upload the Issuing CA Certificate chain.
7. Click "Apply" and "Save" in the top right corner.
8. If using DOD PKI, ensure an EDIPI attribute is assigned to the user in the Security >> Local Users section.

Review Sentry configuration to verify that a minimum 15-character password is set.
1. Log in to the Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to Identity Source >> Password Policy.
4. Verify the "Minimum Password Length" is set to 15 or more.
If the minimum password length is not set to 15 or more, this is a finding.

Configure the Sentry Local User Password Policy to enforce a minimum 15-character password.
1. Log in to the Sentry System Manager portal.
2. Go to the "Security" tab.
3. Go to Password Policy.
4. Set the "Minimum Password Length" value to 15 or more.

Where passwords are used, verify that Sentry Server enforces password complexity by requiring that at least one uppercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If Sentry Server does not require that at least one uppercase character be used in each password, this is a finding.
Verify the local Password Policy enforces an uppercase value:
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Upper Case" is checked.
If "Upper Case" is not checked, this is a finding.

Configure Sentry Server to enforce password complexity by requiring that at least one uppercase character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Upper Case".
4. Select "Apply".

Where passwords are used, confirm that Sentry Server enforces password complexity by requiring that at least one lowercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If Sentry does not require that at least one lowercase character be used in each password, this is a finding.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Lower Case" is checked.
If "Lower Case" is not checked, this is a finding.

Configure Sentry Server to enforce password complexity by requiring that at least one lowercase character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Lower Case".
4. Select "Apply".

Where passwords are used, confirm that Sentry Server enforces password complexity by requiring that at least one numeric character be used. This requirement may be verified by demonstration, configuration review, or validated test results. If Sentry Server does not require that at least one numeric character be used in each password, this is a finding.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Numeric" is checked.
If "Numeric" is not checked, this is a finding.

Configure Sentry Server to enforce password complexity by requiring that at least one numeric character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Numeric".
4. Select "Apply".

Where passwords are used, confirm that Sentry Server enforces password complexity by requiring that at least one special character be used. If Sentry Server does not require that at least one special character be used in each password, this is a finding.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Identity Source >> Password.
3. Verify "Special Character" is checked.
If "Special Character" is not checked, this is a finding.

Configure Sentry Server to enforce password complexity by requiring that at least one special character be used.
1. Log in to the System Manager of Sentry.
2. Go to Security >> Password.
3. Check "Special Character".
4. Select "Apply".

Verify that an EDIPI is mapped to the Sentry Admin user accounts.
1. Log in to the Sentry System Manager.
2. Verify "Certificate Based Authentication" is enabled under Security tab >> Sign-In Authentication.
3. Verify that a Certificate Attribute Mapping is mapped to EDIPI.
4. Go to Security tab >> Local Users. Click an active Local User and confirm an EDIPI is configured.
5. Click "Apply".
6. Repeat step 4 for all local users.
If an EDIPI is not mapped to the Sentry Admin user accounts, this is a finding.

Ensure that an EDIPI is mapped to the Sentry Admin user accounts.
1. Log in to the Sentry System Manager.
2. Ensure "Certificate Based Authentication" is enabled under Security tab >> Sign-In Authentication.
3. Ensure that a Certificate Attribute Mapping is mapped to EDIPI.
4. Go to Security tab >> Local Users. Click an active Local User and configure an EDIPI.
5. Click "Apply".
6. Repeat step 4 for all local users.

Verify the Sentry uses encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. On the Sentry CLI console, do the following:
1. SSH to the Sentry Server from any SSH client.
2. Enter the administrator credentials set at Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at Sentry installation.
5. Enter "show FIPS".
6. Verify "FIPS 140 mode is enabled" is displayed.
If the Sentry Server does not report that FIPS mode is "enabled", this is a finding.

Configure the Sentry Server to use a FIPS 140-2-validated cryptographic module. On the Sentry console, do the following:
1. SSH to the Sentry Server from any SSH client.
2. Enter the administrator credentials set at Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at Sentry installation.
5. Enter "configure terminal".
6. Enter the following command to enable FIPS:
   FIPS
7. Enter the following command to proceed with the necessary reload:
   do reload
8. Enter "Yes" at the "saved configuration modified" prompt.
9. Enter "Yes" at the "proceed with reload" prompt.

The Sentry System Manager has two interfaces, a CLI restricted shell and a web-based GUI. In the Sentry MICS portal, verify that the Sentry CLI timeout is set to 10 minutes.
1. Log in to Sentry.
2. Go to Settings >> CLI.
3. Within CLI Configuration, verify the CLI Session Timeout (minutes) is set to 10 minutes.
If the CLI Session Timeout (minutes) is not set to 10 minutes, this is a finding.

Configure the Sentry to terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity.
1. Log in to Sentry.
2. Go to Settings >> CLI.
3. Within CLI Configuration, input "10" for CLI Session Timeout (minutes).
4. Click "Apply".

Verify the Sentry is configured to send alerts for failure events in the Sentry System Manager web GUI.
1. Log in to Sentry.
2. Go to Monitoring >> Alert Configuration.
3. Verify Alert monitoring is configured.
If Alert Configuration settings are not configured, this is a finding.
Refer to the "Alert Configuration" section of the "Sentry 9.8.0 Guide for MobileIron Core" for more information.

Configure the Sentry to send alerts for failure events in the Sentry System Manager web GUI.
1. Log in to Sentry.
2. Go to Monitoring >> Alert Configuration.
3. Check "Send Notification".
4. Apply the Email List.
5. Enter Alerts Per Hour.
6. Enter Batch Time Interval (min).
7. Select "Default Alert Action".
8. Click "Apply".
9. Add Alert Notification Management.
10. Add the Alert ID.
11. Add "Action" from the dropdown.
12. Click "Apply" and "Save" in the top right corner.
Refer to the "Alert Configuration" section of the "Sentry 9.8.0 Guide for MobileIron Core" for more information.

Verify the Sentry is configured with multiple date and time servers (NTP).
1. Log in to Sentry.
2. Go to Settings >> Date and Time (NTP).
3. Verify the NTP servers are configured.
If NTP servers are not configured, this is a finding.
Refer to the "Date and Time (NTP)" section of the "Sentry 9.8.0 Guide for MobileIron Core" for more information.

Configure the Sentry with multiple date and time servers (NTP).
1. Log in to Sentry.
2. Go to Settings >> Date and Time (NTP).
3. Under the Time Source dropdown, select "NTP".
4. Enter at least Primary and Secondary NTP servers.
5. Click "Apply" and "Save" in the top right corner.
Refer to the "Date and Time (NTP)" section of the "Sentry 9.8.0 Guide for MobileIron Core" for more information.

On the Sentry console, do the following to verify FIPS mode is enabled:
1. SSH to the Sentry Server from any SSH client.
2. Enter the administrator credentials set at Sentry installation.
3. Enter "enable".
4. When prompted, enter the "enable secret" set at Sentry installation.
5. Enter "show FIPS".
6. Verify "FIPS 140 mode is enabled" is displayed. If it is not, this is a finding.
Then:
1. Log in to Sentry.
2. Go to Settings >> SNMP.
3. Verify an SNMP server has been added.
   a. If an SNMP server is not added, this is a finding.
   b. If an SNMP server is added, go to step 4.
4. Verify SNMP Control is not disabled.
   a. If SNMP Control is disabled, this is a finding.
   b. If SNMP Control is not disabled, go to step 5.
5. Verify Protocol v3 is selected.
   a. If Protocol v3 is not selected, this is a finding.
   b. If Protocol v3 is selected, go to step 6.
6. Verify the SNMP v3 User has been added.
   a. If the SNMP v3 User has not been added, this is a finding.

On the Sentry console, do the following to configure FIPS mode:
1. SSH to the Sentry.
2. At the prompt, enter "enable" mode with the secret credentials.
3. Type the "configure" command.
4. Type "FIPS".
5. Once reloaded, SSH to the Sentry.
6. Run the "show FIPS" command and confirm "FIPS 140 mode is enabled" is displayed.
Then:
1. Log in to Sentry.
2. Go to Settings >> SNMP.
3. Add an SNMP Trap Receiver.
4. Enable the SNMP Service.
5. Select Protocol v3.
6. Add SNMP v3 Users.
7. Enter the User Name.
8. Select the Security Level from the dropdown.
9. Select the AUTH Protocol from the dropdown.
10. Enter the AUTH Password.
11. Select the Privacy Protocol from the dropdown.
12. Enter the Privacy Password.
13. Click "Save".
14. Enable the Link Up/Down Trap.
15. Click "Apply" to save changes.

On the Sentry console, do the following to verify FIPS mode is activated to protect the confidentiality of remote maintenance sessions:
1. SSH to the Sentry.
2. Run the "show FIPS" command.
3. Verify FIPS 140 mode is not disabled.
If FIPS 140-2 mode is disabled, this is a finding.

Configure Sentry to use FIPS 140-2 approved algorithms to protect the confidentiality of remote maintenance sessions:
1. SSH to the Sentry.
2. At the prompt, enter "enable" mode with the secret credentials.
3. Type the "configure" command.
4. Type "FIPS".
5. Once reloaded, SSH to the Sentry.
6. Run the "show FIPS" command and confirm "FIPS 140 mode is enabled" is displayed.

Verify Sentry is configured to offload audit records to a different system.
1. Log in to Sentry.
2. Go to Settings >> Syslog.
3. Verify that a syslog server is configured.
If the syslog server is not configured, this is a finding.

Configure Sentry to forward/offload audit records to a different system.
1. Log in to Sentry.
2. Go to Settings >> Syslog.
3. Configure a new syslog server if not already added.
4. Click the syslog server(s) and, in the "Modify Syslog"/"Add Syslog" pop-up dialog, under "Facility Type", click the checkbox for "Audit".
5. Set the Admin State to "Enable".
6. Click "Apply".

Verify that only authorized administrators have permissions for changes, deletions, and updates on the Sentry.
1. Log in to the System Manager.
2. Go to Security >> Local Users.
3. Verify no unauthorized users are listed.
If unauthorized users are listed, this is a finding.

Configure the Sentry so that only authorized administrators have permissions for changes, deletions, and updates.
1. Log in to the System Manager.
2. Go to Security >> Identity Source >> Local Users.
3. Click "Add" to add authorized users.
4. If unauthorized users are listed, click the check box next to the unauthorized user and click "Delete".

Identify/validate Sentry support for periodic backups. This is done via the virtual machine. Check with the virtualization team to verify backups are scheduled.
If the backups are not scheduled, this is a finding.

Ensure the virtual solution provides periodic backups. Refer to the "Sentry Installation Guide", section "Periodic backups for VMware", pages 6-7.

Determine if the Sentry has a public certificate from an approved Certificate Authority.
From MobileIron Core:
1. Log in to the MobileIron Core.
2. Navigate to "Services".
3. Select "Sentry".
4. On each configured Sentry, select "View Certificate".
5. Validate the Public Key is issued from an approved Certificate Authority.
From Sentry:
1. Log in to the Sentry.
2. Navigate to "Security".
3. Scroll down to "Certificate Mgmt".
4. Select "View Certificate".
If approved certificates have not been uploaded, this is a finding.

Configure the Sentry with a certificate from an approved Certificate Authority.
From MobileIron Core:
1. Log in to the MobileIron Core.
2. Navigate to "Services".
3. Select "Sentry".
4. On each configured Sentry, select "Manage Certificate".
5. Upload the appropriate certificate.
From Sentry:
1. Log in to the Sentry.
2. Navigate to "Security".
3. Select "Certificate Management".
4. Select "Manage Certificate".
5. Upload the appropriate certificate.
Reference the "Sentry Guide for MobileIron Core", section "Standalone Sentry Certificate", for uploading a certificate to Sentry.

To identify/validate Sentry support for syslog forwarding, follow the navigation steps below.
1. Log in to the Sentry.
2. Navigate to "Settings".
3. Scroll down to "Syslog".
4. Verify that a syslog server has been configured correctly.
   a. Verify the Server IP address.
   b. Verify the Port.
   c. Verify the Facility Types.
   d. Verify the Admin state is enabled.
If syslog forwarding has not been implemented, this is a finding.

Configure the Sentry to forward syslog data using the steps below. Refer to the "Sentry Guide for Core", section "Syslog", page 140.
1. Log in to the Sentry.
2. Navigate to "Settings".
3. Scroll down to "Syslog".
4. If there is no syslog server entry, add the server:
   a. Add the Server IP address.
   b. Add the Port.
   c. Select/add Facility Types and Log Levels.
   d. Enable the Admin state.

Verify the Sentry is a supported version.
1. Enter the Sentry System Manager Portal URL in a web browser.
2. View the version number in the top right corner.
3. Check the MI Support page (help.mobileiron.com) to ensure the MI Sentry is a supported version.
If the version number of the Sentry appliance is not supported, this is a finding.

Install the most current MobileIron supported version of Sentry.