DISA Juniper SRX Services Gateway NDM v3r2

Audit Details

Name: DISA Juniper SRX Services Gateway NDM v3r2

Updated: 11/22/2024

Authority: DISA STIG

Plugin: Juniper

Revision: 1.0

Estimated Item Count: 69

File Details

Filename: DISA_STIG_Juniper_SRX_Services_Gateway_NDM_v3r2.audit

Size: 188 kB

MD5: 8698cdd7a79a039d05bbf8f8e8444430
SHA256: 1ce361f33f8d5b39fbd234a289b47b590e8e2c4758b20b5c9bcf337d5518ff57

Audit Items

DescriptionCategories
JUSX-DM-000001 - The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH.

ACCESS CONTROL

JUSX-DM-000007 - The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

JUSX-DM-000015 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events.

ACCESS CONTROL

JUSX-DM-000016 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events.

ACCESS CONTROL

JUSX-DM-000017 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events.

ACCESS CONTROL

JUSX-DM-000018 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events.

ACCESS CONTROL

JUSX-DM-000019 - For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

JUSX-DM-000020 - The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

JUSX-DM-000021 - The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

JUSX-DM-000022 - The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

JUSX-DM-000023 - The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled.

ACCESS CONTROL

JUSX-DM-000024 - The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

JUSX-DM-000025 - The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.

ACCESS CONTROL

JUSX-DM-000029 - The Juniper SRX Services Gateway must generate a log event when privileged commands are executed.

ACCESS CONTROL

JUSX-DM-000030 - For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

ACCESS CONTROL

JUSX-DM-000032 - The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access.

ACCESS CONTROL

JUSX-DM-000039 - The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs - or administrators/roles appointed by the ISSM to select which auditable events are to be generated and forwarded to the syslog and/or local logs.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

JUSX-DM-000040 - The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000041 - The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000042 - The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000043 - The Juniper SRX Services Gateway must generate log records when logon events occur.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000044 - The Juniper SRX Services Gateway must generate log records when privileged commands are executed.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000046 - The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000055 - The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000056 - For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000059 - The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected.

AUDIT AND ACCOUNTABILITY

JUSX-DM-000060 - For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

JUSX-DM-000061 - In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

JUSX-DM-000065 - The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC).

AUDIT AND ACCOUNTABILITY

JUSX-DM-000077 - The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.

CONFIGURATION MANAGEMENT

JUSX-DM-000084 - If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface.

CONFIGURATION MANAGEMENT

JUSX-DM-000087 - The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more.

CONFIGURATION MANAGEMENT

JUSX-DM-000094 - The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

JUSX-DM-000095 - The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

CONFIGURATION MANAGEMENT

JUSX-DM-000096 - The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

JUSX-DM-000097 - The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

JUSX-DM-000098 - The Juniper SRX Services Gateway must specify the order in which authentication servers are used.

CONFIGURATION MANAGEMENT

JUSX-DM-000099 - The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum.

CONFIGURATION MANAGEMENT

JUSX-DM-000105 - The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-DM-000106 - The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected.

CONFIGURATION MANAGEMENT

JUSX-DM-000108 - The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

CONFIGURATION MANAGEMENT

JUSX-DM-000109 - For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.

CONFIGURATION MANAGEMENT

JUSX-DM-000110 - The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.

IDENTIFICATION AND AUTHENTICATION

JUSX-DM-000111 - If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3.

CONFIGURATION MANAGEMENT

JUSX-DM-000112 - The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.

CONFIGURATION MANAGEMENT

JUSX-DM-000113 - The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.

CONFIGURATION MANAGEMENT

JUSX-DM-000114 - The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.

CONFIGURATION MANAGEMENT

JUSX-DM-000115 - The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.

CONFIGURATION MANAGEMENT

JUSX-DM-000124 - The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.

IDENTIFICATION AND AUTHENTICATION

JUSX-DM-000128 - For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length.

IDENTIFICATION AND AUTHENTICATION