If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251342	NET-IDPS-029	SV-251342r805981_rule	CCI-000366	medium
Description
In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated SFTP server within the management network. The SFTP server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the SFTP server periodically to look for the new signature packs and to update themselves once they have been tested.
STIG			Date
Network Infrastructure Policy Security Technical Implementation Guide			2024-08-02

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

CM-6

1.00

DISA · V10R7 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.4.1

1.00

DISA · V10R7 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.4.2

1.00

DISA · V10R7 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000366

1.00

DISA · V10R7 · disa_xccdf · related

Details

Check Text (C-251342r805981_chk)

If the signatures are located on a server, verify that the directories on which the signature packs are placed are protected by read-only access. If the directories are not set for read-only access, this is a finding.

Fix Text (F-54730r805980_fix)

Modify the access restrictions to prevent the signatures from being updated.