Check: BROM-00-000755
Bromium Secure Platform 4.x STIG:
BROM-00-000755
(in version v1 r1)
Title
The Bromium Enterprise Controller (BEC) must be configured to permit only authorized users to remotely view, in real time (within seconds of event occurring), all content related to an established Bromium vSentry client session. (Cat III impact)
Discussion
Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel to take action before additional damage is done. The ability to observe user sessions as they are happening allows for interceding in ongoing events that after-the-fact review of captured content would not allow. The Bromium monitoring module can capture end-user activity related to applications, processes, files, registry activity, and file activity. Custom rules can also be created to report on desired activity and conditions. Event data is sent back to the BEC without having to access the endpoint.
Check Content
Ask the site representative for a list of administrators who are authorized to view Bromium vSentry client activity. Verify unauthorized users are not members of groups that have been assigned roles that have the "View Events" and "View Threats" privilege. 1. From the BEC console, navigate to "Settings". 2. Select "Roles". 3. Click on each Role to see which ones have "View Events" and "View Threats" checked. 4. For the Roles which have enabled for "View Events" or "View Threats", navigate to the Groups area and check which Groups they are assigned to. 5. Navigate to "Settings" and "User Groups" to verify that users who are not on the list are not assigned to Groups with Roles that have "View Events" or "View Threats" enabled. If the BEC is not configured to permit only authorized users to remotely view, in real time (within seconds of event occurring), all content related to an established Bromium vSentry client session, this is a finding.
Fix Text
The administrator must be in a group that has a role with permissions to view Events and Threats. To give an administrator permission to view Event and Threat configured us the following threat. 1. Using the management console, navigate to "Settings". 2. Select "Roles". 3. Select the role(s) that need permission to view user sessions and activity. 4. Under the "Events" section, enable the "View Events" permission. 5. Under the "Threats" section, enable the "View Threats" permission. 6. Click "Save Changes".
Additional Identifiers
Rule ID: SV-95151r1_rule
Vulnerability ID: V-80447
Group Title: SRG-APP-000355
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001920 |
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. |
Controls
Number | Title |
---|---|
AU-14 (3) |
Remote Viewing / Listening |