Check: SRG-APP-000231-AAA-000610
Authentication, Authorization, and Accounting Services (AAA) SRG:
SRG-APP-000231-AAA-000610
(in versions v1 r2 through v1 r1)
Title
AAA Services must be configured to protect the confidentiality and integrity of all information at rest. (Cat I impact)
Discussion
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use. This requirement addresses protection of user-generated data, as well as, operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
Check Content
Verify AAA Services are configured to protect the confidentiality and integrity of all information at rest. AAA Services may leverage the capability of an operating system or purpose-built module for this purpose. Potential locations include the local file system where configurations and events are stored or in a related database table. If AAA Services are not configured to protect the confidentiality and integrity of all information at rest, this is a finding.
Fix Text
Configure AAA Services to protect the confidentiality and integrity of all information at rest. AAA Services may leverage the capability of an operating system or require the use of a purpose-built module for this purpose. Potential locations include the local file system where configurations and events are stored or in a related database table.
Additional Identifiers
Rule ID: SV-95643r1_rule
Vulnerability ID: V-80933
Group Title: SRG-APP-000231-AAA-000610
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001199 |
The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
Controls
Number | Title |
---|---|
SC-28 |
Protection Of Information At Rest |