STIGQter: STIG Summary: Bromium Secure Platform 4.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 10 May 2018:

The Bromium vSentry client must automatically terminate a micro-virtual machine (VM) when any malicious activities are detected within the micro-VM.

DISA Rule

SV-95141r1_rule

Vulnerability Number

V-80437

Group Title

SRG-APP-000295

Rule Version

BROM-00-000645

Severity

CAT I

CCI(s)

• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Review base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity. Document test system or mission needs that justifies an exception to this setting in order to collect forensics about the malicious code. Also document circumstances under this function that can temporarily be used to collect forensics information.

1. Using the management console, navigate to "Policies" and select the Base Policy.
2. Navigate to "Security".
3. Navigate to the "Alert user on a threat event?" policy setting.
4. Choose the "Stop operation and alert user" setting.
5. Click "Save and Deploy".

Note: Do not supersede this policy in any Delta Policy.

Check Contents

Review documentation for test system or mission need that justifies an exception to this setting in order to collect forensics about the malicious code. If this documentation exists, this is not a finding.

Review base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity.

1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and inspect the "Alert user on a threat event?" policy setting.

Check every applicable Delta Policy using the same procedure to verify that the Base Policy has not been superseded.

If the Bromium vSentry client is not configured to automatically terminate a micro-VM when any malicious activities are detected within the micro-VM, this is a finding.

Vulnerability Number

V-80437

Documentable

False

Rule Version

BROM-00-000645

Severity Override Guidance

Review documentation for test system or mission need that justifies an exception to this setting in order to collect forensics about the malicious code. If this documentation exists, this is not a finding.

Review base policy to ensure that the micro-VM will terminate the user session upon the detection of malicious activity.

1. Using the management console, navigate to "Policies" and select the base policy.
2. Navigate to "Security".
3. Navigate to and inspect the "Alert user on a threat event?" policy setting.

Check every applicable Delta Policy using the same procedure to verify that the Base Policy has not been superseded.

If the Bromium vSentry client is not configured to automatically terminate a micro-VM when any malicious activities are detected within the micro-VM, this is a finding.

Check Content Reference

M

Target Key

3375

Comments