Check: CYLN-OP-000010
Arctic Wolf CylanceON-PREM STIG (version v1 r1)
Title
CylanceON-PREM must be configured to use a third-party identity provider. (Cat III impact)
Discussion
Configuring CylanceON-PREM to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns CylanceON-PREM with enterprise standards and contributes to a more efficient and secure environment.
Satisfies: SRG-APP-000001, SRG-APP-000023, SRG-APP-000025, SRG-APP-000033, SRG-APP-000065, SRG-APP-000118, SRG-APP-000121, SRG-APP-000148, SRG-APP-000149, SRG-APP-000150, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000176, SRG-APP-000177, SRG-APP-000183, SRG-APP-000185, SRG-APP-000345, SRG-APP-000400, SRG-APP-000401, SRG-APP-000404, SRG-APP-000405, SRG-APP-000461, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000715, SRG-APP-000720, SRG-APP-000730, SRG-APP-000735, SRG-APP-000740, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875
Check Content
Verify Identity Provider (IDP) settings. Administrator privileges are required.

Using LDAP:
1. Log in to the admin console.
2. Navigate to Configuration >> Settings.
3. Locate the LDAP section.

If LDAP (an authorized IDP) is not configured correctly or is disabled, this is not a finding.

Not using LDAP:
1. Log in to the admin console.
2. Navigate to Configuration >> Settings.
3. Locate Identity Provider Settings.

Review documentation of allowed IDPs. If IDP settings are not configured correctly or the IDP is disabled or not authorized, this is a finding.
Fix Text
Configure CylanceON-PREM to accept authentication from an external identity provider. Administrator privileges are required.

Using LDAP:
1. Log in to the admin console.
2. Navigate to Configuration >> Settings.
3. Locate the LDAP section.
4. Enable Identity Provider Settings.
5. Enter the identity provider information.
6. Test the connection.
7. Click the green check.

Not using LDAP:
1. Log in to the admin console.
2. Navigate to Configuration >> Settings.
3. Locate Identity Provider Settings.
4. Enable the Identity Provider toggle.
5. Enter the identity provider information.
   - Single Sign-On: This is the single sign-on or SAML response URL that is provided by the identity provider.
   - Entity ID: This is the entity ID, issuer, or application name that is provided by the identity provider.
   - x.509 Certificate: This is provided by the identity provider.
6. Click the green check.

CylanceON-PREM will generate a Service Provider Entity ID that the identity provider will need to complete the single sign-on configuration.
Additional Identifiers
Rule ID: SV-272627r1113422_rule
Vulnerability ID: V-272627
Group Title: SRG-APP-000001
CCIs
Number | Definition |
---|---|
CCI-000015 | Support the management of system accounts using organization-defined automated mechanisms. |
CCI-000017 | Disable accounts when the accounts have been inactive for the organization-defined time-period. |
CCI-000044 | Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-000054 | Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number. |
CCI-000162 | Protect audit information from unauthorized access. |
CCI-000186 | For public key-based authentication, enforce authorized access to the corresponding private key. |
CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group. |
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
CCI-000198 | The information system enforces minimum password lifetime restrictions. |
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations. |
CCI-000205 | The information system enforces minimum password length. |
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-000765 | Implement multifactor authentication for access to privileged accounts. |
CCI-000766 | Implement multifactor authentication for access to non-privileged accounts. |
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
CCI-000877 | Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions. |
CCI-000884 | Protect nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant. |
CCI-001493 | Protect audit tools from unauthorized access. |
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used. |
CCI-001942 | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
CCI-002007 | Prohibit the use of cached authenticators after an organization-defined time period. |
CCI-002011 | The information system accepts FICAM-approved third-party credentials. |
CCI-002014 | The information system conforms to FICAM-issued profiles. |
CCI-002238 | Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
CCI-003627 | Disable accounts when the accounts have expired. |
CCI-003628 | Disable accounts when the accounts are no longer associated to a user. |
CCI-003629 | Disable accounts when the accounts are in violation of organizational policy. |
CCI-003638 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects. |
CCI-003639 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects. |
CCI-003641 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects. |
CCI-003642 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can change the rules governing access control. |
CCI-003747 | Implement organization-defined mechanisms to authenticate organization-defined remote commands. |
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources. |
CCI-004046 | Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
CCI-004047 | Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements. |
CCI-004058 | For password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. |
CCI-004059 | For password-based authentication, update the list of passwords on an organization-defined frequency. |
CCI-004060 | For password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. |
CCI-004061 | For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
CCI-004062 | For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |
CCI-004063 | For password-based authentication, require immediate selection of a new password upon account recovery. |
CCI-004064 | For password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
CCI-004065 | For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
CCI-004066 | For password-based authentication, enforce organization-defined composition and complexity rules. |
CCI-004068 | For public key-based authentication, implement a local cache of revocation data to support path discovery and validation. |
Controls
Number | Title |
---|---|
AC-2(1) | Automated System Account Management |
AC-2(3) | Disable Inactive Accounts |
AC-3 | Access Enforcement |
AC-7 | Unsuccessful Logon Attempts |
AC-10 | Concurrent Session Control |
AU-9 | Protection of Audit Information |
IA-2 | Identification and Authentication (Organizational Users) |
IA-2(1) | Network Access to Privileged Accounts |
IA-2(2) | Network Access to Non-privileged Accounts |
IA-2(5) | Group Authentication |
IA-2(9) | Network Access to Non-privileged Accounts - Replay Resistant |
IA-4 | Identifier Management |
IA-5(1) | Password-based Authentication |
IA-5(2) | PKI-based Authentication |
IA-5(13) | Expiration of Cached Authenticators |
IA-8(2) | Acceptance of Third-party Credentials |
IA-8(4) | Use of FICAM-issued Profiles |
MA-4 | Nonlocal Maintenance |
MA-4(4) | Authentication / Separation of Maintenance Sessions |