Free DISA STIG and SRG Library | Vaulted

Bromium Secure Platform 4.x Security Technical Implementation Guide

Version 1 Release 1
2018-05-10
U_Bromium_Secure_Platform_4-x_STIG_V1R1_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (28)

The Bromium Enterprise Controller (BEC) must set the number of concurrent sessions to 1.

Finding ID
BROM-00-000005
Rule ID
SV-95127r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000001
CCI
CCI-000054
Target Key
(None)
Documentable
No
Discussion

Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. Edit the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json) to set the concurrent session parameter. The options are "unlimited" and "1". Unlimited is not a valid selection in DoD.

Fix Text

Edit the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json) to set the concurrent session parameter to "1".

Check Content

Inspect the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json). Verify the concurrent session parameter is set to "1". If the BEC concurrent session parameter is not set to "1", this is a finding.

The Bromium Enterprise Controller (BEC) lockout_delay_base in the settings.json file must be set to a minimum of 10 and the lockout_delay_scale must be set to 1 at a minimum.

Finding ID
BROM-00-000100
Rule ID
SV-95129r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000065
CCI
CCI-000044
Target Key
(None)
Documentable
No
Discussion

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Fix Text

Edit the BEC configuration file (C:\ProgramData\Bromium\BMS\settings.json) to set lockout_delay_base to at least "10" and lockout_delay_scale to at least "1".

Check Content

Navigate to C:\ProgramData\Bromium\BMS\settings.json on the BEC. Verify that lockout_delay_base is set to at least "10" and that lockout_delay_scale is set to at least "1". If either lockout_delay_base is below "10" or lockout_delay_scale is below "1", this is a finding.
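The two settings.json checks above (BROM-00-000005 and BROM-00-000100) can be scripted on the BEC host. The PowerShell below is an added example, not part of this STIG and not Bromium's own tooling. The STIG names lockout_delay_base and lockout_delay_scale but does not name the JSON key that holds the concurrent session setting, so the key "max_concurrent_sessions" used here is a hypothetical placeholder to be replaced with the key actually present in the file; the script also assumes the keys sit at the top level of the JSON document.

```powershell
# Added example for BROM-00-000005 and BROM-00-000100; not part of the STIG and
# not Bromium's own tooling. Reads the BEC settings.json and reports whether the
# concurrent-session and lockout values meet the STIG minimums.
# Assumption (labelled): "max_concurrent_sessions" is a hypothetical key name,
# because the STIG does not name the concurrent session key. Replace it with the
# key present in your file. lockout_delay_base / lockout_delay_scale are the
# names the STIG uses. Keys are assumed to be top-level.

param(
    [string]$SettingsPath = 'C:\ProgramData\Bromium\BMS\settings.json',
    [string]$ConcurrentSessionKey = 'max_concurrent_sessions'   # hypothetical
)

function Get-JsonValue {
    # Return a property value from a ConvertFrom-Json object, or $null if absent.
    param([psobject]$Object, [string]$Name)
    $prop = $Object.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Test-BecSettings {
    # Returns an array of finding strings; an empty array means "not a finding".
    param(
        [Parameter(Mandatory)][psobject]$Settings,
        [string]$ConcurrentSessionKey = 'max_concurrent_sessions'
    )
    $findings = @()

    # BROM-00-000005: the only valid value in DoD is "1"; "unlimited" is a finding.
    $sessions = Get-JsonValue -Object $Settings -Name $ConcurrentSessionKey
    if ($null -eq $sessions) {
        $findings += "BROM-00-000005: key '$ConcurrentSessionKey' not present (confirm the key name on your BEC)"
    } elseif ("$sessions".Trim() -ne '1') {
        $findings += "BROM-00-000005: concurrent sessions is '$sessions', must be '1'"
    }

    # BROM-00-000100: lockout_delay_base >= 10 and lockout_delay_scale >= 1.
    # Compared numerically whether the file stores 10 or "10".
    foreach ($check in @(@{ Key = 'lockout_delay_base'; Min = 10 }, @{ Key = 'lockout_delay_scale'; Min = 1 })) {
        $value = Get-JsonValue -Object $Settings -Name $check.Key
        $parsed = 0
        if ($null -eq $value) {
            $findings += "BROM-00-000100: key '$($check.Key)' not present"
        } elseif ((-not [int]::TryParse("$value".Trim(), [ref]$parsed)) -or ($parsed -lt $check.Min)) {
            $findings += "BROM-00-000100: $($check.Key) is '$value', must be at least $($check.Min)"
        }
    }
    return ,$findings
}

if (-not (Test-Path -LiteralPath $SettingsPath)) {
    Write-Error "BEC settings file not found: $SettingsPath"
    exit 2
}

$settings = Get-Content -LiteralPath $SettingsPath -Raw | ConvertFrom-Json
$findings = Test-BecSettings -Settings $settings -ConcurrentSessionKey $ConcurrentSessionKey

if ($findings.Count -eq 0) {
    Write-Output "Not a finding: $SettingsPath meets BROM-00-000005 and BROM-00-000100"
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it in an elevated PowerShell session on the BEC server; exit code 0 means both checks pass, 1 means at least one finding was printed, and 2 means the file was not found. A missing key is reported as a finding rather than silently passed, so a wrong key name for the concurrent session setting shows up as a FINDING line naming that key.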

The Bromium Enterprise Controller (BEC) must be configured for authorized system administrators to capture and log content related to a Bromium vSentry client.

Finding ID
BROM-00-000155
Rule ID
SV-95131r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000093
CCI
CCI-001462
Target Key
(None)
Documentable
No
Discussion

Without the capability to capture and log all content related to a user session, investigations into suspicious user activity would be hampered. By default, untrusted file, web, and application activity is captured for each user on the BEC. Additional custom rules can be created within the "Policy" section of the BEC. The security administrator can determine if additional rules are needed based on organization-based requirements and the mission. The Bromium monitoring module includes a base monitoring policy that detects malicious file, registry, process, and network activity. The monitoring module also features the ability to create custom rules to monitor user activity, such as:
1. Read operations on files and registry settings;
2. Write operations on files and registry settings;
3. Read/write operations on files and registry settings; and
4. Processes being launched.

Fix Text

Configure a custom rule to view a user's activity. Ensure host monitoring is enabled in the base or applicable delta policy.
1. From the management console, click on "Policies".
2. Select the base policy that covers all devices.
3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and enable "Host Monitoring".
4. Click "Save and Deploy".
Configure the Custom Rule to monitor one or more Bromium vSentry clients.
1. Click the arrow next to "Policies" and select "Monitoring Rules".
2. Click "Rule Options" and select "Create Custom Rule".
3. Create a name for the custom rule.
4. Apply the custom rule to a group.
5. Configure the applications, triggers, and any exclusions associated with the activity to be monitored.
6. Click "Save".

Check Content

If custom rules are required, verify that monitoring rules are enabled. Custom rules may or may not be present on the BEC, depending on the site's need. It is not mandatory to use this feature, only that the feature be configured so it can be used if needed.
1. From the management console, click on "Policies".
2. Select the base policy that covers all devices.
3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and verify that "Host Monitoring" is enabled.
4. Click on "Policies" and verify "Monitoring Rules" is checked.
If the Bromium Enterprise Controller (BEC) is not configured for authorized users to capture and log content related to a user session, this is a finding.

The Bromium Enterprise Controller (BEC) must generate a log record that can be sent to the central log server, which will alert the system administrator (SA) and Information System Security Officer (ISSO), at a minimum, when a Bromium vSentry client has not connected to the BEC for logging or policy update purposes for an organization-defined time period.

Finding ID
BROM-00-000195
Rule ID
SV-95133r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000108
CCI
CCI-000139
Target Key
(None)
Documentable
No
Discussion

It is critical for the appropriate personnel to be aware if an endpoint fails to connect to the management server within a defined time period. Without this notification, the security personnel may be unaware of an impending failure of the event capture capability, malicious activity, or insider threat. Failure for a vSentry client to report in may be caused by network failures, unauthorized users escalating privileges to disable the security software, altering local hostname resolution settings, etc.

Fix Text

Define the organization-defined time period after which an alert should be generated. Navigate to the management console, click on the selection arrow next to "Events", and configure the organization-defined time period within which the vSentry client must connect to the BEC for logging or policy update purposes.

Check Content

Verify that the reporting threshold for endpoints has been documented. Navigate to the management console and click on the selection arrow next to "Events". Verify the organization-defined time period within which the vSentry client must connect to the BEC for logging or policy update purposes is configured. If the BEC does not generate a log record when a Bromium vSentry client has not connected to the BEC for logging or policy update purposes for an organization-defined time period, this is a finding.

The Bromium Enterprise Controller (BEC) must protect the BEC Web Console from unauthorized access.

Finding ID
BROM-00-000245
Rule ID
SV-95135r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000121
CCI
CCI-001493
Target Key
(None)
Documentable
No
Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. The BEC Web console gives a view of events, threat conditions, policies, and client information and thus is considered an audit tool. BEC does not allow the integration of other audit tools provided by third-party vendors. BEC Web console access is configured in Settings >> Users.

Fix Text

Configure BEC Web console access to permit only authorized users.
1. From the BEC console, click on "Settings".
2. Select "Users".
3. Click User Options >> Add User.
4. Add the new user and their Active Directory details, and assign the new user to a Group using the drop-down list.

Check Content

Obtain a list of authorized BEC Web console users from the site representative. Verify only these users are configured for access.
1. From the BEC console, click on "Settings".
2. View the list of Users.
If unauthorized users are listed in the BEC Web console, this is a finding.

The Bromium Enterprise Controller (BEC) must protect BEC Web console from unauthorized modification.

Finding ID
BROM-00-000250
Rule ID
SV-95137r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000122
CCI
CCI-001494
Target Key
(None)
Documentable
No
Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. The BEC Web console gives a view of events, threat conditions, policies, and client information and thus is considered an audit tool. BEC does not allow the integration of other audit tools provided by third-party vendors. BEC Web console access is configured in Settings >> Users.

Fix Text

Configure the BEC Web console to restrict users who are authorized for view (read) permissions only.
Configure a Role with View privileges only:
1. From the BEC console, click on "Settings".
2. Select "Roles".
3. To create a new Role, click on "User Options" and select "Add Role".
4. Create a name for the Role (with optional description) and select any of the following privileges:
- View device events
- View policies
- View events
- View threats
- View users
- View user groups
5. Click "Save Changes".
Configure a Group with the Read-Only Role assigned to it:
1. From the BEC console, click on "Settings".
2. Select "User Groups".
3. To create a new group, click on "User Options" and select "Add User Group".
4. Create a name (with optional description) for the Group.
5. (Optional) Synchronize the Group with an existing Group within Active Directory.
6. From the Role drop-down menu, select the read-only Role.
7. Click "Add User Group".
Assign the read-only user to that Group:
1. From the BEC console, click on "Settings".
2. Select "Users".
3. Click User Options >> Add User.
4. Add the new user and their Active Directory details.
5. Using the drop-down list, assign the new view-only user to the read-only Group.

Check Content

Obtain a list of users who are authorized read-only permissions to the BEC Web console from the site representative. Verify these users are configured for read-only access.
Navigate to the Settings menu and identify Roles with read-only access. These roles will have one or more of the following privileges checked:
- View device events
- View policies
- View events
- View threats
- View users
- View user groups
Identify the Groups that are assigned these Roles:
1. From the BEC console, click on "Settings".
2. Select "User Groups".
3. Click on each group and see if one of the read-only roles is assigned.
Verify the list of users with read-only privileges is assigned only to one of the Groups with a read-only Role.
If users who are authorized for read-only privileges are assigned to groups with modification access, this is a finding.

The Bromium Enterprise Controller (BEC) must remove all local Bromium accounts after setup is complete and use the account recovery procedures to recover the local account if network access using the Bromium Account of Last Resort is required.

Finding ID
BROM-00-000300
Rule ID
SV-95139r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000149
CCI
CCI-000765
Target Key
(None)
Documentable
No
Discussion

Since Bromium multifactor authentication is implemented through use of the enclave's directory service, the Bromium account of last resort cannot comply with the DoD requirement for multifactor authentication. Since local account password complexity requirements are not met, a weak password could be guessed or cracked, giving immediate privileged access to the BEC. Bromium, Inc. recommends that the setup account and any other local accounts be removed from the BEC application. In the event of a system-wide failure to connect to the authentication server, system recovery, or other organization-defined emergency, an authorized and credentialed administrator of the host server can recover the setup account or create another account when needed. When the emergency is over, the account must once again be removed. Note: Either create a new account and password or change the password in order to comply with BROM-00-000690.

Fix Text

Remove all local accounts after setup. Use the Bromium system recovery process to either create another account or recover the setup account when needed.
1. Using the BEC server setup application, generate the password for the local Account of Last Resort using a FIPS 140-2 compliant password generator.
2. Configure the BEC and all BEC user accounts to leverage an external authentication server (e.g., Active Directory).
3. Upon successful configuration and connection of the BEC to the authentication server, remove the local BEC account.
In the event of a system-wide failure to connect to the authentication server, system recovery, or other organization-defined emergency:
1. Gain access to the Windows Server running BEC.
2. Run the BEC server setup application (BrBMSSettings.exe).
3. Click on "Database Settings".
4. Check the box next to "Request new administrator user".
5. Click "Save".
Remove the account once normal operations resume. Either create a new account and password each time the account is recreated, or change the password each time the same account is recovered, in order to comply with BROM-00-000690.

Check Content

Ask the site representatives if they have developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort. Examine the BEC SSP. If the site has not developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort, this is a finding.

The Bromium vSentry client must automatically terminate a micro-virtual machine (VM) when any malicious activities are detected within the micro-VM.

Finding ID
BROM-00-000645
Rule ID
SV-95141r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000295
CCI
CCI-002361
Target Key
(None)
Documentable
No
Discussion

Execution of malicious code represents an immediate threat to the security posture of the endpoint. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. The DoD has selected automatic termination as the default response. However, this does not fully leverage Bromium's ability to capture near-real-time forensic data as an attack occurs. Note that the malicious code is in a micro-VM, thus it cannot impact the endpoint processes outside of the VM. Note: Letting a known harmful program run is restricted to testing platforms, to forensics collection, or to cases justified by mission needs. This STIG provides guidance to prevent vSentry clients from running known malicious applications and to close the micro-VM when malicious code is detected.

Fix Text

Review the base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity. Document the test system or mission need that justifies an exception to this setting in order to collect forensics about the malicious code. Also document the circumstances under which this function can temporarily be relaxed to collect forensic information.
1. Using the management console, navigate to "Policies" and select the Base Policy.
2. Navigate to "Security".
3. Navigate to the "Alert user on a threat event?" policy setting.
4. Choose the "Stop operation and alert user" setting.
5. Click "Save and Deploy".
Note: Do not supersede this policy in any Delta Policy.

Check Content

Review documentation for a test system or mission need that justifies an exception to this setting in order to collect forensics about the malicious code. If this documentation exists, this is not a finding.
Review the base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity.
1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and inspect the "Alert user on a threat event?" policy setting; it must be set to "Stop operation and alert user".
Check every applicable Delta Policy using the same procedure to verify that the Base Policy has not been superseded.
If the Bromium vSentry client is not configured to automatically terminate a micro-VM when any malicious activities are detected within the micro-VM, this is a finding.

The Bromium vSentry client must automatically capture and forward payloads (Malware Manifest) that were downloaded and determined to be malicious to the management console.

Finding ID
BROM-00-000650
Rule ID
SV-95143r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000295
CCI
CCI-002361
Target Key
(None)
Documentable
No
Discussion

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Forensic analysis is essential in discovering the tools, tactics, and methodologies used by the attacker, which aids in the prevention of future attacks.

Fix Text

Modify the base policy to ensure that the micro-VM will capture and forward the malware manifest upon the detection of malicious activity.
1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and enable the check box and radio button for the "Generate isolated threat malware manifests?" policy setting.
4. Click "Save and Deploy".

Check Content

Review the base policy to ensure that the micro-virtual machine (VM) will capture the malware manifest upon the detection of malicious activity.
1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and inspect the "Generate isolated threat malware manifests?" policy setting.
If the Bromium vSentry client is not configured to automatically capture and forward payloads that were downloaded and determined to be malicious to the management console, this is a finding.

The Bromium Enterprise Controller (BEC) must be configured to immediately disconnect or disable remote access to the BEC.

Finding ID
BROM-00-000685
Rule ID
SV-95145r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000316
CCI
CCI-002322
Target Key
(None)
Documentable
No
Discussion

Without the ability to immediately disconnect or disable remote access, an attack or other compromise would not be immediately stopped. Applications must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems. The remote access application (e.g., VPN client) may implement features, such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.

Fix Text

Disable access for the user account by assigning a role with zero privileges enabled. A role that has zero privileges assigned to it must exist, along with a group that is assigned to the role.
1. From the management console, click on the arrow next to "Settings".
2. Click on "Users".
3. Select the user that has been identified for disabling.
4. Add the user to the group that is associated with the role that carries zero privileges.
5. Delete/remove all other groups for that user.
6. Click "Save".

Check Content

Inspect the BEC user settings for a role with no privileges and a group that is tied to that role.
1. From the management console, click on the arrow next to "Settings".
2. Click on "Roles".
3. Identify and select the role that has no privileges assigned to it.
4. Inspect the "Role" settings to ensure that a group has been assigned.
If the BEC is not configured to immediately disconnect or disable remote access to the information system, this is a finding.

The Bromium Enterprise Controller (BEC) must change the password for the Account of Last Resort when an individual with knowledge of the password leaves the group.

Finding ID
BROM-00-000690
Rule ID
SV-95147r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000317
CCI
CCI-002142
Target Key
(None)
Documentable
No
Discussion

If shared/group account credentials are not terminated when individuals leave the group, the user who left the group can still gain access even though they are no longer authorized. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the application using a single account. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. Examples of credentials include passwords and group membership certificates. Note: Other passwords that should be considered for rotation or changes include the password to decrypt the malware manifest and the service account used to connect BEC to SQL Server. Note: If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice, there is no need to rotate this password.

Fix Text

Modify the password for the Account of Last Resort.
1. Using the management console, navigate to "Settings".
2. Select "Users".
3. Click on the local account name representing the Account of Last Resort.
4. In the "Edit User" section, enter and confirm the new password.
5. Click "Save Settings".
If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice (BROM-00-000300), either create a new account and password or change the password.

Check Content

If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice (BROM-00-000300), this is not a finding. Examine the site's documentation. Verify there is a documented procedure for changing the password for the Account of Last Resort when an individual with knowledge of the password leaves the group. An acceptable practice is to either create a new account and password each time or change the password. If a procedure for changing the password for the Account of Last Resort when an individual with knowledge of the password leaves the group is not documented or implemented, this is a finding.

The Bromium Enterprise Controller (BEC) must be configured so that organization-identified administrator roles have permission to change, based on selectable criteria, the types of Bromium vSentry client events that are captured in the events log and stored in the SQL database with immediate effect.

Finding ID
BROM-00-000740
Rule ID
SV-95149r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000353
CCI
CCI-001914
Target Key
(None)
Documentable
No
Discussion

If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to respond effectively and important forensic information may be lost. This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed (for example, near real-time, within minutes, or within hours). DoD requires that privileges be assigned to roles and groups rather than individual user accounts. The BEC audit log ("history.log") is configured by default to capture all administrator activity. This cannot be disabled. Roles/Groups: Users are assigned to groups, and groups are assigned to roles. Roles can be customized to include or disable all admin privileges on the Controller. The Administrator role is configured by default; additional roles can be customized and defined by the site. The event log setting within the endpoint policy editor is selectable via list. Filtering log events is recommended via the event server (e.g., SIEM or syslog). Any modifications to the event criteria take effect immediately upon change. A default policy must be created for each BEC. DoD requires the Logging level in the default policy to be set to "Event" at a minimum unless there are overriding operational and incident requirements.

Fix Text

The logging level is changed by selecting it on the "Manageability" tab. Groups/roles that have permission to edit policies are allowed to change log event criteria.
1. Using the management console, navigate to "Policies".
2. Select the site's default policy.
3. Navigate to the "Manageability" tab.
4. Select the desired logging level. The available levels are Debug, Trace, Event, and Warning; the default is "Event". DoD requires a setting of "Event" in the default policy.
5. Click "Save and Deploy".

Check Content

Review each role and verify that at least one role has the "Edit Policies" privilege. Also verify that not all roles have the "Edit Policies" permission.
1. Using the management console, navigate to "Settings" and click on "Roles".
2. Inspect each role to ensure that the "Edit Policies" permission is enabled/disabled for the appropriate roles (e.g., the site's read-only role must not have permission to edit policies).
Inspect the default policy to ensure that the proper log level has been selected.
1. Select the site's default policy.
2. Navigate to the "Manageability" tab.
3. Verify the "Event" log level is selected.
If the BEC is not configured for organization-identified roles that have permission to change, based on selectable criteria, the types of endpoint events that are captured in the Event log and stored in the SQL database, this is a finding.

The Bromium Enterprise Controller (BEC) must be configured to permit only authorized users to remotely view, in real time (within seconds of event occurring), all content related to an established Bromium vSentry client session.

Finding ID
BROM-00-000755
Rule ID
SV-95151r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000355
CCI
CCI-001920
Target Key
(None)
Documentable
No
Discussion

Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel to take action before additional damage is done. The ability to observe user sessions as they are happening allows for interceding in ongoing events that after-the-fact review of captured content would not allow. The Bromium monitoring module can capture end-user activity related to applications, processes, files, registry activity, and file activity. Custom rules can also be created to report on desired activity and conditions. Event data is sent back to the BEC without having to access the endpoint.

Fix Text

The administrator must be in a group that has a role with permissions to view Events and Threats. To give an administrator permission to view Events and Threats, configure the role as follows.
1. Using the management console, navigate to "Settings".
2. Select "Roles".
3. Select the role(s) that need permission to view user sessions and activity.
4. Under the "Events" section, enable the "View Events" permission.
5. Under the "Threats" section, enable the "View Threats" permission.
6. Click "Save Changes".

Check Content

Ask the site representative for a list of administrators who are authorized to view Bromium vSentry client activity. Verify unauthorized users are not members of groups that have been assigned roles that have the "View Events" and "View Threats" privileges.
1. From the BEC console, navigate to "Settings".
2. Select "Roles".
3. Click on each Role to see which ones have "View Events" and "View Threats" checked.
4. For the Roles that have "View Events" or "View Threats" enabled, navigate to the Groups area and check which Groups they are assigned to.
5. Navigate to "Settings" and "User Groups" to verify that users who are not on the list are not assigned to Groups with Roles that have "View Events" or "View Threats" enabled.
If the BEC is not configured to permit only authorized users to remotely view, in real time (within seconds of event occurring), all content related to an established Bromium vSentry client session, this is a finding.

The Bromium Enterprise Controller (BEC) must send log records to a central log server (i.e., syslog server).

Finding ID
BROM-00-000760
Rule ID
SV-95153r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000356
CCI
CCI-001844
Target Key
(None)
Documentable
No
Discussion

Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. This requirement requires that the content captured in audit records be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application components requiring centralized audit log management must have the capability to support centralized management. Note: The central log server must be configured with the alerts and notifications that are required by the various requirements in this STIG. It must also be configured to alert the ISSO and system administrator when communication with the BEC is lost.

Fix Text

Configure the BEC to automatically forward events to the desired syslog destination.
1. From the management console, click on the selection arrow next to "Events".
2. Click on "Destinations".
3. Click on "Add Syslog Destination".
4. Configure syslog server parameters and select severity levels to forward.
5. Click "Save".
Additional syslog destinations may be configured for forwarding events to multiple destinations simultaneously.

Check Content

Verify that a syslog destination is configured on the BEC server.
1. From the management console, click the selection arrow next to "Events".
2. Click "Destinations".
3. Inspect the list of configured syslog destinations.
If the BEC does not automatically forward events to a syslog destination, this is a finding.

The Bromium Enterprise Controller (BEC) must send history.log records to a central log server (i.e., syslog server).

Finding ID
BROM-00-000765
Rule ID
SV-95155r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000356
CCI
CCI-001844
Target Key
(None)
Documentable
No
Discussion

Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. History.log contains log records of administrative actions such as adding users or changing user privileges. This requirement mandates that the content captured in audit records be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application components requiring centralized audit log management must have the capability to support centralized management. Note: The central log server must be configured with the alerts and notifications that are required by the various requirements in this STIG. It must also be configured to alert the ISSO and system administrator when communication with the BEC is lost.

Fix Text

Automatically forward all contents of "history.log" to the site's central log server in real time. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure it to monitor and forward "history.log" (example: C:\Program Data\Bromium\BMS\Logs\history.log). Follow the instructions included with the central log server.

Check Content

Ask the site representatives if they have developed and implemented a solution for storing the contents of "history.log". Check that the backup solution has been configured to include the "history.log" files residing on the BEC. If the BEC does not send "history.log" records to a central log server (i.e., syslog server), this is a finding.

The Bromium Enterprise Controller (BEC) must manage log record storage capacity so history.log does not exceed physical drive space capacity allocated by the database administrator (DBA) and system administrator.

Finding ID
BROM-00-000770
Rule ID
SV-95157r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000357
CCI
CCI-001849
Target Key
(None)
Documentable
No
Discussion

To ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the application and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both. The BEC administrator must work with site DBA and system administrator to obtain storage allocation requirements for "history.log". Typical database disk storage consumption is 5 K per day per device. See "Database and Network Usage Guidelines" section in the Bromium Secure Platform Deployment Guide at https://documentation.bromium.com/4_0/Deployment%20Guide/Bromium_Secure_Platform_Deployment_Guide_4_0_Update_3.pdf.

Fix Text

The BEC administrator must work with the site DBA and system administrator to obtain storage allocation requirements for "history.log". The "history.log" default size threshold is 5 MB. The system administrator has two options for managing storage of "history.log" contents.
Option 1 (preferred):
1. Automatically forward all contents of "history.log" to the site's central log server in real time.
2. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure it to monitor and forward "history.log" (example: C:\Program Data\Bromium\BMS\Logs\history.log). Follow the instructions included with the central log server.
Option 2 (use only with documentation of mission need):
1. Automatically back up all "history.log" files that have been aged out due to reaching the maximum size threshold. Then delete the archived copies to free up room. NOTE: By default, the BEC server creates up to 5 archives. Though not recommended, the default maximum number of archives can be changed by editing the "audit_log_backup_count" parameter in "settings.json" (C:\ProgramData\Bromium\BMS\settings.json).
2. Follow the instructions included with the backup solution. Some solutions include an agent that must be installed on the BEC and some do not.

Check Content

Ask the site representatives if they have developed and implemented a solution for storing the contents of "history.log" to minimize the risk of exceeding the system's storage capacity. If the option to forward the contents of "history.log" to a centralized events server was implemented, check that the agent associated with the central log server has been installed on the BEC. If the option to back up the contents of "history.log" was implemented, check that the backup solution has been configured to include the "history.log" files residing on the BEC. If the BEC does not manage log record storage capacity so "history.log" does not exceed physical drive space capacity allocated by the DBA and system administrator, this is a finding.
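The storage check above can be reasoned about numerically: with a 5 MB threshold and the default of 5 archives, "history.log" can occupy up to 30 MB on disk, and a larger "audit_log_backup_count" raises that bound. The following is an added example (not Bromium's code) that reads the "audit_log_backup_count" parameter from settings.json text, computes the worst-case footprint against the DBA/system administrator allocation, and reports findings under BROM-00-000770; the settings.json key for the size threshold is not named in the STIG, so the threshold is a function argument, and the sample settings text is constructed.

```python
"""Worst-case disk footprint of history.log on a BEC, read from settings.json.

Added example, not Bromium's code. It reads the "audit_log_backup_count"
parameter the STIG names and applies the STIG's stated defaults (5 MB size
threshold, up to 5 archives). The STIG does not name the settings.json key
for the size threshold, so that value is a function argument, not a lookup.
"""
import json
from typing import Dict, List

DEFAULT_BACKUP_COUNT = 5    # BEC default: up to 5 archives of history.log
DEFAULT_THRESHOLD_MB = 5.0  # history.log default size threshold, per the STIG

# Constructed sample of the relevant part of C:\ProgramData\Bromium\BMS\settings.json.
SAMPLE_SETTINGS_JSON = '{"audit_log_backup_count": 5}'


def backup_count_from_settings(settings_text: str) -> int:
    """Return audit_log_backup_count, or the default when the key is absent.

    A mistyped edit (string, bool, negative) raises instead of being silently
    treated as a number, so the capacity estimate is never computed from junk.
    """
    settings = json.loads(settings_text)
    raw = settings.get("audit_log_backup_count", DEFAULT_BACKUP_COUNT)
    if isinstance(raw, bool) or not isinstance(raw, int) or raw < 0:
        raise ValueError(f"audit_log_backup_count must be a non-negative integer, got {raw!r}")
    return raw


def worst_case_footprint_mb(backup_count: int, threshold_mb: float = DEFAULT_THRESHOLD_MB) -> float:
    """Live history.log (filled to the threshold) plus every retained archive."""
    return threshold_mb * (backup_count + 1)


def assess_history_log_storage(settings_text: str, allocated_mb: float,
                               forwarding_agent_installed: bool,
                               backup_solution_configured: bool) -> Dict[str, object]:
    """Apply the BROM-00-000770 check to one BEC.

    allocated_mb is the space the DBA/system administrator allocated for
    history.log; the two booleans record which of the STIG's options (forward
    in real time, or back up aged-out archives) the site implemented.
    """
    count = backup_count_from_settings(settings_text)
    footprint = worst_case_footprint_mb(count)
    findings: List[str] = []
    notes: List[str] = []
    if footprint > allocated_mb:
        findings.append(f"history.log plus {count} archives can reach {footprint:.0f} MB, "
                        f"exceeding the {allocated_mb:.0f} MB allocation")
    if not (forwarding_agent_installed or backup_solution_configured):
        findings.append("history.log is neither forwarded to the central log server "
                        "nor backed up; no storage management option is implemented")
    if count != DEFAULT_BACKUP_COUNT:
        notes.append(f"audit_log_backup_count is {count}, not the default "
                     f"{DEFAULT_BACKUP_COUNT}; the STIG discourages changing it")
    if backup_solution_configured and not forwarding_agent_installed:
        notes.append("Option 2 (backup only) requires documented mission need")
    return {"backup_count": count, "footprint_mb": footprint,
            "findings": findings, "notes": notes}


if __name__ == "__main__":
    result = assess_history_log_storage(SAMPLE_SETTINGS_JSON, allocated_mb=20,
                                        forwarding_agent_installed=True,
                                        backup_solution_configured=False)
    print(result)  # 30 MB worst case exceeds the 20 MB allocation: one finding
```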

The Bromium Enterprise Controller (BEC) must generate a log record that can be sent to the central log server, which will alert the system administrator (SA) and Information System Security Officer (ISSO), at a minimum, when it is unable to connect to the SQL database.

Finding ID
BROM-00-000785
Rule ID
SV-95159r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000360
CCI
CCI-001858
Target Key
(None)
Documentable
No
Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Upon loss of connection to the SQL Server, BEC will:
1. Immediately create a number of log entries in "default.log" and "worker.log";
2. Refuse connections from the endpoints, which will result in the endpoints automatically storing local events (for future transfer when the SQL connection is restored); and
3. Immediately notify the BEC administrator during logon via the management console interface.

Fix Text

Automatically forward all contents of "default.log" and "worker.log" to the site's central log server in real time. Install the file monitoring agent that is provided by the site's centralized events server (e.g., syslog, SIEM) and configure it to monitor and forward "default.log" and "worker.log" (example: C:\Program Data\Bromium\BMS\Logs\default.log). Follow the instructions included with the event log server.

Check Content

Ask the site representatives if they have developed and implemented a solution for storing the contents of "default.log" and "worker.log" to receive alerts if SQL Server becomes unavailable. The contents of "default.log" and "worker.log" should be sent to a centralized events server. Check that the agent associated with the event server has been installed on the BEC. If the BEC does not generate an immediate log entry that can be sent to the central log server, which will alert the SA and ISSO, at a minimum, when it is unable to connect to the SQL database, this is a finding.

The Bromium Enterprise Controller (BEC) must be configured to provide report generation that supports on-demand reporting requirements for threat events.

Finding ID
BROM-00-000815
Rule ID
SV-95161r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000367
CCI
CCI-001879
Target Key
(None)
Documentable
No
Discussion

The report generation function must support on-demand review and analysis to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective.

Fix Text

From a web browser, log on to the Bromium Enterprise Controller. Upon successful authentication, the Dashboard View is the default view displayed. Select ad hoc reports based on SSP or other documented organizational requirements for reporting. Reports can be in the form of screen output or ".csv" files.

Check Content

Examine the site System Security Plan (SSP) or other appropriate documentation. Verify there is a documented procedure for when security incident reports need to be exported. From a web browser, log on to the Bromium Enterprise Controller. Upon successful authentication, on-demand reports for all threats are available throughout the administrator interface. If a procedure does not exist for providing on-demand reports for threat events, this is a finding.

The Bromium Enterprise Controller (BEC) must be configured to provide report generation that supports after-the-fact investigations of security incidents.

Finding ID
BROM-00-000825
Rule ID
SV-95163r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000368
CCI
CCI-001880
Target Key
(None)
Documentable
No
Discussion

If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or to identify those responsible for one. This capability is also required to comply with applicable Federal laws and DoD policies. The report generation capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools.

Fix Text

From the management console, navigate to the "Threats" menu.
1. Select the security incident in question. View all after-the-fact information.
2. Click "Generate Report" to create a report in Security Threat Information Exchange (STIX) or Malware Attribution Enumeration and Characterization (MAEC) format.
3. Click "Threat Information" to export security incident-related information such as file hashes and IP addresses (in ".csv" format).

Check Content

Examine the site System Security Plan (SSP) or other documentation. Verify there is a documented procedure for when security incident reports need to be exported. If a procedure for providing report generation that supports after-the-fact investigations of security incidents has not been documented, this is a finding.

The Bromium vSentry client must prohibit user installation of software except for clients that are explicitly approved by the ISSM or other authorizing official.

Finding ID
BROM-00-000865
Rule ID
SV-95165r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000378
CCI
CCI-001812
Target Key
(None)
Documentable
No
Discussion

Allowing regular users to install software without explicit privileges creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository. The application must enforce software installation by users based on what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications.

Fix Text

Isolate the execution and installation of untrusted and unauthorized applications within a micro-virtual machine (VM):
1. From the management console, navigate to "Policies".
2. Create or modify a base and/or delta policy used for analyzing executables (e.g., "SOC Mode").
3. Add parameter "mimehandler.executable.open" with a value of "1" to enable the isolation of untrusted executables.
4. Add parameter "LAVA.ExecutableVMVisible" with a value of "0" to conceal the untrusted executable from the user's view.
5. Add parameter "LAVA.ExecutableVMTime" with a value (in seconds) for the desired time that the executable should run for the purposes of analysis (e.g., "300").
6. For clients that are allowed to install software, verify a separate delta policy exists for these clients. This will override the base policy for these specific devices only (e.g., management workstations used by the system administrators).

Check Content

Inspect the base and delta policy on the Bromium Enterprise Controller (BEC) that is responsible for the analysis of executables.
1. From the management console, navigate to "Policies".
2. Inspect the base and all delta policies used for analyzing executables (e.g., "SOC Mode").
3. Verify parameter "mimehandler.executable.open" has a value of "1".
4. Verify parameter "LAVA.ExecutableVMVisible" has a value of "0".
5. Verify parameter "LAVA.ExecutableVMTime" has a value (in seconds) for the desired time that the executable should run for the purposes of analysis (e.g., "300").
6. For clients that are allowed to install software, verify a separate delta policy exists for these clients. This will override the base policy for these specific devices only (e.g., management workstations used by the system administrators).
If Bromium vSentry does not prohibit user installation of software without explicit privileged status, this is a finding.

The Bromium Enterprise Controller (BEC) Update Interval must be set to a maximum of one hour.

Finding ID
BROM-00-000905
Rule ID
SV-95167r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000390
CCI
CCI-002039
Target Key
(None)
Documentable
No
Discussion

Without reauthenticating the endpoint, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. The BEC Update Interval setting controls the frequency of check-ins for policy updates, remote commands, and Bromium vSentry event data. The value set is in seconds. During the update connection with the BEC, the Bromium vSentry client's device certificate is reauthenticated.

Fix Text

Configure the Update Interval for the BEC/vSentry client update of event data, remote commands, policy updates, and reauthentication.
1. From the management console, navigate to the "Policies" menu.
2. Select the Base policy.
3. Click the "Manageability" tab.
4. Edit the "Update Interval" parameter to reflect "3600" seconds.
5. Click "Save and Deploy".
Note: A value of 1 hour/3600 seconds is the recommended setting; however, the setting may be changed to a lower interval based on mission needs.

Check Content

Verify the Update Interval is set to one hour.
1. From the management console, navigate to the "Policies" menu.
2. Select the Base policy.
3. Click the "Manageability" tab.
4. Inspect the "Update Interval" parameter to reflect the desired interval (1 hour/3600 seconds is the maximum).
If the BEC Update Interval is set to more than one hour, this is a finding.

If the Host Based Security System (HBSS) is not installed to monitor the Bromium Enterprise Controller (BEC) application, processes, and registry settings, the Bromium Protection agent must be installed on the BEC server.

Finding ID
BROM-00-001080
Rule ID
SV-95169r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000450
CCI
CCI-002824
Target Key
(None)
Documentable
No
Discussion

Installing the Bromium Protection agent on the BEC server will allow for monitoring and alerting on attempts to attack critical files, applications, processes, and registry settings on the BEC server, as well as attempts at executing unauthorized code in memory. All alerts will be sent to the BEC management server (along with any designated syslog destinations). Upon receipt of the alert, the system administrator must investigate and take appropriate action. DoD requires the use of HBSS on all hosts, thus the Bromium Protection agent cannot be used to fulfill the requirement for HBSS. The Bromium Protection agent does not provide signature-based antivirus or IDPS functions. However, it will monitor device memory and send notifications as required by this CCI. The agent is compatible with HBSS and can be run at the same time. Installation of the agent is not mandatory unless there is a mission essential reason HBSS cannot be installed on the BEC host.

Fix Text

If HBSS is not installed to monitor the BEC application, processes, and registry settings, install the Bromium Protection agent on the BEC server.
1. Install the Bromium agent on the BEC server (follow the on-screen instructions when deploying the ".msi" installation package).
2. Add the BEC server to a device group (this group may contain other/additional BEC servers).
3. Enable the monitoring policy for the BEC server.

Check Content

If HBSS is installed and configured to monitor the BEC application, processes, and registry settings, this is not a finding.
1. From the management console, select "Devices".
2. Click on "Add Filter" and select "Contains Text".
3. Click on the down arrow and enter the device name to search for the BEC server.
4. Once the desired BEC server is located, click on the device and inspect the "Monitoring Version" column to verify that the monitoring module is installed and enabled.
If the Bromium Protection agent is not installed and configured on the BEC server, this is a finding.

The Bromium vSentry client must include exceptions for HBSS to ensure interoperability and protect from attacks on critical files, applications, processes, registry settings, and attempts at executing unauthorized code in memory.

Finding ID
BROM-00-001085
Rule ID
SV-95171r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000450
CCI
CCI-002824
Target Key
(None)
Documentable
No
Discussion

The monitoring agent will monitor and alert on attempts to attack critical files, applications, processes, and registry settings associated with the Bromium vSentry application itself, as well as attempts at executing unauthorized code in memory. All alerts will be sent to the BEC management server (along with any designated syslog destinations). Upon receipt of the alert, the system administrator must investigate and take appropriate action. HBSS must be tuned to allow exceptions for the Bromium protection agent. Exceptions are detailed in the Bromium Secure Platform Deployment Guide at https://documentation.bromium.com/4_0/Deployment%20Guide/Bromium_Secure_Platform_Deployment_Guide_4_0_Update_3.pdf. With the exceptions in place, the agent can alert on attempts to attack critical files, applications, processes, and registry settings, and on attempts at executing unauthorized code in memory.

Fix Text

Refer to the Bromium Secure Platform Deployment Guide at https://documentation.bromium.com/4_0/Deployment%20Guide/Bromium_Secure_Platform_Deployment_Guide_4_0_Update_3.pdf for detailed instructions on creating exceptions for HBSS. Obtain approval from the ISSM or other approving authority for exceptions to HBSS.

Check Content

Inspect the HBSS configuration policy to verify exceptions for the Bromium directory and related settings. If the endpoint running Bromium vSentry does not include exceptions for HBSS to ensure interoperability, this is a finding.

The Bromium Enterprise Controller (BEC) must have the base policy Logging Level set to Debug.

Finding ID
BROM-00-001135
Rule ID
SV-95173r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000471
CCI
CCI-002664
Target Key
(None)
Documentable
No
Discussion

The default policy logging level captures the maximum level of data available to the administrator for forensic purposes and troubleshooting. This is required for analyzing Indicators of Compromise (IOCs) that may necessitate an alert from the events server and action by the system administrator.

Fix Text

Enable the Debug Logging level.
1. From the management console, click on "Policies".
2. Select the base policy.
3. Select the "Manageability" tab.
4. Set the Logging level to "Debug".
5. Click "Save and Deploy".

Check Content

Inspect the base policy for all endpoints.
1. From the management console, click on "Policies".
2. Select the base policy.
3. Select the "Manageability" tab.
4. Inspect the Logging level setting.
If the BEC base policy Logging level has not been set to "Debug", this is a finding.

The Bromium monitoring module installed on the Bromium Enterprise Controller (BEC) or Bromium vSentry must generate an event and forward to the central log server when anomalies in the operation of security functions of the BEC or Bromium vSentry application are discovered.

Finding ID
BROM-00-001155
Rule ID
SV-95175r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000474
CCI
CCI-002702
Target Key
(None)
Documentable
No
Discussion

If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Event generation is enabled by default; configuration is required for the BEC server to automatically forward events to the site's event server (e.g., syslog, SIEM).

Fix Text

The BEC administrator must work with the site administrator to forward contents of "worker.log" and "default.log" to a central log server in real time.
1. Automatically forward all contents of "worker.log" and "default.log" to the site's centralized log server in real time.
2. Install the file monitoring agent that is provided by the site's central log server (e.g., syslog, SIEM) and configure it to monitor and forward "worker.log" and "default.log" (e.g., C:\Program Data\Bromium\BMS\Logs\default.log).
Note: Follow the instructions included with the event server.

Check Content

Ask the site representatives if they have developed and implemented a solution for forwarding the contents of "worker.log" and "default.log" to a central log server. If the BEC and Bromium vSentry do not generate an event and forward it to the events server when anomalies in the operation of security functions of the BEC or Bromium vSentry application are discovered, this is a finding.

The Bromium Enterprise Controller (BEC) must forward an event to the central log server when isolation is disabled on any protected Bromium vSentry client.

Finding ID
BROM-00-001305
Rule ID
SV-95187r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000516
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Disabling isolation on the endpoint is a potential indicator of compromise or insider threat. In production deployments, the ability to disable Bromium isolation is not available to non-privileged users.

Fix Text

Configure the BEC server to automatically forward events to the desired syslog destination.
1. From the management console, click on the selection arrow next to "Events".
2. Click on "Destinations".
3. Click on "Add Syslog Destination".
4. Configure syslog server parameters and verify that the Severity level for the source Isolation Host is minimally set to "Warning".
5. Click "Save".
Additional syslog destinations may be configured for forwarding events to multiple destinations simultaneously.

Check Content

Verify that a syslog destination is configured on the BEC server.
1. From the management console, click on the selection arrow next to "Events".
2. Click on "Destinations".
3. Inspect the list of configured syslog destinations.
4. Verify that the Severity level for the source Isolation Host is minimally set to "Warning".
If the Bromium monitoring module installed on the BEC or Bromium vSentry does not generate an event and forward to the events server when anomalies in the operation of the application are discovered, this is a finding.

The Bromium Enterprise Controller (BEC) must be configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements.

Finding ID
BROM-00-001310
Rule ID
SV-95189r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000516
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Without the capability to create custom rules specific to the business and mission needs of the organization, detection of suspicious user activity would be hampered. Additional custom rules can be created within the "Policy" section of the BEC. The security administrator can determine if additional rules are needed based on organization requirements and mission. The Bromium monitoring module includes a base monitoring policy that detects malicious file, registry, process, and network activity. The monitoring module also features the ability to create custom rules to monitor such user activity as:
1. Read operations on files and registry settings;
2. Write operations on files and registry settings;
3. Read/write operations on files and registry settings; and
4. Processes being launched.

Fix Text

Create an SSP document that contains requirements for implementing Bromium vSentry policy settings and workflows for the endpoint. Bromium vSentry policy settings are accessible in the "Policy" section of the BEC. Custom monitoring rules are available in the "Monitoring Rules" section under "Policy".
1. From the management console, click on "Policies".
2. Select the base policy that covers all devices.
3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and enable "Host Monitoring".
4. Click "Save and Deploy".
5. Click the arrow next to "Policies" and select "Monitoring Rules".
6. Click "Rule Options" and select "Create Custom Rule".
7. Create a name for the custom rule.
8. Apply the custom rule to a group.
9. Configure the applications, triggers, and any exclusions associated with the activity to be monitored.
10. Click "Save".

Check Content

Ask the site representative for the System Security Policy (SSP) document that includes the security policy settings required for endpoint security and monitoring. If custom monitoring rules are required, verify that monitoring rules are enabled and that custom rules are configured within the policy and applied to the appropriate devices.
1. From the management console, click on "Policies".
2. Select the base policy that covers all devices.
3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and verify that "Host Monitoring" is enabled.
4. Click the arrow next to "Policies" and select "Monitoring Rules".
5. Review custom rules and the device groups they are applied to.
If the BEC is not configured for authorized users to capture and log content related to a user session, this is a finding. If the BEC is not configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements, this is a finding.

The Bromium Enterprise Controller (BEC) must have Threat Intelligence lookup disabled.

Finding ID
BROM-00-001315
Rule ID
SV-95191r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000516
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The Enable Threat Intelligence lookup setting controls whether the controller obtains and displays threat information from Bromium Threat Intelligence. That lookup requires an external connection to Bromium resources, which is not allowed. Optionally, the site can deploy an internal/trusted instance of the Threat Intelligence server.

Fix Text

Modify the base policy to ensure that the Bromium Threat Intelligence service is disabled.
1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and disable the "Enable Bromium Threat Intelligence?" policy setting.

Check Content

Review the base policy to ensure that the Bromium Threat Intelligence service is disabled.
1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and inspect the "Enable Bromium Threat Intelligence?" policy setting.
If the Bromium Threat Intelligence service is enabled, this is a finding.
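Several of the policy checks in this STIG (executable isolation under BROM-00-000865, the Update Interval maximum under BROM-00-000905, the Debug Logging level under BROM-00-001135, and the Threat Intelligence setting above under BROM-00-001315) can be evaluated together once the effective policy for a device is known, including the rule that a delta policy overrides the base policy only for the devices it is assigned to. The following is an added example (not Bromium's code): the BEC keeps policies in its console and the STIG gives no export format, so the policy is modelled as a dict keyed by the parameter names and console labels the STIG quotes, and the sample policies, device-to-delta assignments and the set of accepted "disabled" spellings are all constructed assumptions.

```python
"""Audit of Bromium base/delta policy settings against four STIG rules.

Added example, not Bromium's code. The BEC keeps policies in its console and
the STIG gives no export format, so a policy is modelled here as a dict keyed
by the parameter names and console labels the STIG quotes; that representation,
the device-to-delta assignments and the sample values are all constructed.
"""
from typing import Dict, List, Optional, Set

RULE_SW_INSTALL = "BROM-00-000865"       # isolate untrusted executables in a micro-VM
RULE_UPDATE_INTERVAL = "BROM-00-000905"  # Update Interval at most one hour
RULE_LOGGING_LEVEL = "BROM-00-001135"    # base policy Logging Level set to Debug
RULE_THREAT_INTEL = "BROM-00-001315"     # Threat Intelligence lookup disabled

MAX_UPDATE_INTERVAL_SEC = 3600  # one hour, the STIG's maximum
# Assumed spellings a console export might use for a disabled toggle.
DISABLED_VALUES = {"0", "false", "no", "disabled", "off"}

# Constructed sample policies and device assignments.
BASE_POLICY: Dict[str, str] = {
    "mimehandler.executable.open": "1",
    "LAVA.ExecutableVMVisible": "0",
    "LAVA.ExecutableVMTime": "300",
    "Update Interval": "3600",
    "Logging Level": "Debug",
    "Enable Bromium Threat Intelligence?": "0",
}
DELTA_POLICIES: Dict[str, Dict[str, str]] = {
    # Delta for administrators allowed to install software: executables run unisolated.
    "Admin Workstations": {"mimehandler.executable.open": "0"},
}
DEVICE_DELTAS: Dict[str, Optional[str]] = {
    "WS-001": None,                    # base policy only
    "ADMIN-01": "Admin Workstations",  # approved to install software
    "WS-002": "Admin Workstations",    # wrongly placed in the admin delta
}
APPROVED_INSTALLERS: Set[str] = {"ADMIN-01"}


def effective_policy(base: Dict[str, str], delta: Optional[Dict[str, str]]) -> Dict[str, str]:
    """A delta policy overrides only the parameters it sets; everything else
    comes from the base policy (the override semantics the STIG describes)."""
    merged = dict(base)
    if delta:
        merged.update(delta)
    return merged


def _as_int(value: object) -> Optional[int]:
    """Console values arrive as strings; None means 'not a whole number'."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def audit_policy(policy: Dict[str, str], software_install_approved: bool = False) -> List[str]:
    """Return the STIG findings for one effective policy (empty list = compliant).

    software_install_approved is True only for devices the ISSM has explicitly
    approved to install software; the isolation parameters are skipped for them.
    """
    findings: List[str] = []
    if not software_install_approved:
        if str(policy.get("mimehandler.executable.open")) != "1":
            findings.append(f'{RULE_SW_INSTALL}: mimehandler.executable.open is not "1"')
        if str(policy.get("LAVA.ExecutableVMVisible")) != "0":
            findings.append(f'{RULE_SW_INSTALL}: LAVA.ExecutableVMVisible is not "0"')
        vm_time = _as_int(policy.get("LAVA.ExecutableVMTime"))
        if vm_time is None or vm_time <= 0:
            findings.append(f"{RULE_SW_INSTALL}: LAVA.ExecutableVMTime is not a positive number of seconds")
    interval = _as_int(policy.get("Update Interval"))
    # A missing or non-positive interval is treated as a finding too (assumption).
    if interval is None or interval <= 0 or interval > MAX_UPDATE_INTERVAL_SEC:
        findings.append(f"{RULE_UPDATE_INTERVAL}: Update Interval {policy.get('Update Interval')!r} "
                        f"exceeds {MAX_UPDATE_INTERVAL_SEC} seconds or is invalid")
    if str(policy.get("Logging Level")).strip().lower() != "debug":
        findings.append(f'{RULE_LOGGING_LEVEL}: Logging Level is not "Debug"')
    if str(policy.get("Enable Bromium Threat Intelligence?")).strip().lower() not in DISABLED_VALUES:
        findings.append(f"{RULE_THREAT_INTEL}: Bromium Threat Intelligence lookup is not disabled")
    return findings


def audit_fleet(base: Dict[str, str], deltas: Dict[str, Dict[str, str]],
                device_deltas: Dict[str, Optional[str]],
                approved_installers: Set[str]) -> Dict[str, List[str]]:
    """Evaluate every device against the policy that actually applies to it."""
    report: Dict[str, List[str]] = {}
    for device, delta_name in device_deltas.items():
        delta = deltas.get(delta_name) if delta_name else None
        policy = effective_policy(base, delta)
        report[device] = audit_policy(policy, device in approved_installers)
    return report


if __name__ == "__main__":
    for device, findings in audit_fleet(BASE_POLICY, DELTA_POLICIES,
                                        DEVICE_DELTAS, APPROVED_INSTALLERS).items():
        print(device, "compliant" if not findings else findings)
```

On the constructed sample, WS-001 and ADMIN-01 are compliant while WS-002 is flagged under BROM-00-000865, because it inherits the admin delta without being on the approved list.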