
The IDPS must prevent the installation of organizationally defined critical software programs not signed with a certificate that is recognized and approved by the organization.


Overview

Finding ID: SRG-NET-000121-IDPS-000112
Version: SRG-NET-000121-IDPS-000112
Rule ID: SRG-NET-000121-IDPS-000112_rule
IA Controls: (none listed)
Severity: Medium
Description
Changes to any software components of the IDPS can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Software must be obtained from a trusted patch server, not from the vendor. The IDPS sensors should not have to verify the software again. Additional services should not be installed on the sensors.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43243_chk)
Inspect the certificate configuration.
Verify the system is configured to verify software has a valid, signed certificate before installation can begin.

If the system is not configured to verify that software updates are signed with a certificate and obtained from a trusted source, this is a finding.
Fix Text (F-43243_fix)
Obtain software updates from an approved, trusted patch server.
Configure the IDPS components to check for signed software programs when installation is attempted.
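The gate that the check and fix text describe, written out as an added example (it is not part of the SRG and not any IDPS vendor's update code). It uses only the Go standard library: an organization root certificate is the sole trust anchor, the patch server holds a code-signing certificate issued by that root, and a package is installed only when it is signed, the signer chains to the organization's root with the code-signing EKU, and the signature matches the package bytes. Every name here (Example Org Code-Signing Root, Approved Patch Server, Unknown Vendor Root/Signer, the package file name) and the whole PKI are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and a certificate for it in the constructed demo PKI.
// With parent == nil the certificate is self-signed (a root); otherwise parentKey signs
// it on behalf of parent. CAs get CertSign key usage, leaves get the code-signing EKU.
func makeCert(name string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored: demo only
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // demo PKI construction failed
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignPackage signs the SHA-256 digest of the package, as the approved patch server would.
func SignPackage(pkg []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyPackage is the installation gate: the package is refused unless it is signed, its signer
// chains to an organization-approved root with the code-signing EKU, and the signature matches.
func VerifyPackage(pkg, sig, signerDER []byte, approvedRoots *x509.CertPool) error {
	if len(sig) == 0 || len(signerDER) == 0 {
		return errors.New("unsigned package: installation refused")
	}
	cert, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return fmt.Errorf("bad signer certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: approvedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer not approved by the organization: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(pkg)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match package contents")
	}
	return nil
}

// Scenarios builds the demo PKI (an organization root issuing the approved patch server's
// cert, plus an unrelated vendor PKI) and runs the gate over four cases; name -> result.
func Scenarios() map[string]error {
	orgRoot, orgKey := makeCert("Example Org Code-Signing Root", true, nil, nil)
	patchCert, patchKey := makeCert("Approved Patch Server", false, orgRoot, orgKey)
	vendorRoot, vendorKey := makeCert("Unknown Vendor Root", true, nil, nil)
	rogueCert, rogueKey := makeCert("Unknown Vendor Signer", false, vendorRoot, vendorKey)
	approved := x509.NewCertPool() // only the organization's own root is trusted
	approved.AddCert(orgRoot)
	pkg := []byte("idps-sensor-update-1.2.3.tar.gz (constructed sample contents)")
	goodSig, _ := SignPackage(pkg, patchKey)
	rogueSig, _ := SignPackage(pkg, rogueKey)
	tampered := append([]byte("X"), pkg[1:]...) // first byte changed after signing
	return map[string]error{
		"approved signer":   VerifyPackage(pkg, goodSig, patchCert.Raw, approved),
		"unapproved signer": VerifyPackage(pkg, rogueSig, rogueCert.Raw, approved),
		"tampered package":  VerifyPackage(tampered, goodSig, patchCert.Raw, approved),
		"unsigned package":  VerifyPackage(pkg, nil, nil, approved),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Only the "approved signer" case returns nil; a package signed by a certificate the organization never approved is refused even though its signature is cryptographically valid, which is the distinction the requirement draws between "signed" and "signed with a certificate recognized and approved by the organization". On a real IDPS the equivalent gate lives inside the appliance's update mechanism, and the inspection in the check text is whether that gate is enabled and anchored to the organization's certificate rather than to whatever certificate accompanies the download.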