Check: SRG-NET-000021-ALG-000068
Application Layer Gateway (ALG) SRG (SRG):
SRG-NET-000021-ALG-000068
(in version v1 r2)
Title
The ALG that is part of a CDS must allow privileged administrators to enable/disable all security policy filters used to enforce information flow control. (Cat II impact)
Discussion
A crucial part of any information flow control solution is the ability to enable and disable policy filters in order to respond to changes in organizational security posture and mission conditions. This is not a requirement to restrict the capability to privileged administrators, but rather to ensure there is some means of enabling/disabling policy filters (e.g., command line or user console). Policy filters enforce organizational security policy as it pertains to controlling data flow. Security policy filters can address data structures and content. These filters may include dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters.
Check Content
If the ALG is not part of a CDS, this is not applicable. Verify the ALG allows privileged administrators to enable/disable all security policy filters used to enforce information flow control. If the ALG is not configured to allow privileged administrators to enable/disable all security policy filters used to enforce information flow control, this is a finding.
Fix Text
If the ALG is part of a CDS, configure the ALG to allow privileged administrators to enable/disable all security policy filters used to enforce information flow control.
Additional Identifiers
Rule ID: SV-68711r1_rule
Vulnerability ID: V-54465
Group Title: SRG-NET-000021-ALG-000068
CCIs
Number | Definition |
---|---|
CCI-000034 | The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. |
CCI-000366 | The organization implements the security configuration settings. |