800-53|AC-4(8)

Title

SECURITY POLICY FILTERS

Description

The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].

Supplemental

Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives).

Reference Item Details

Category: ACCESS CONTROL

Parent Title: INFORMATION FLOW ENFORCEMENT

Family: ACCESS CONTROL

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.4 Use Secure Upstream Caching DNS ServersUnixCIS BIND DNS v1.0.0 L2 Caching Only Name Server
1.62 Ensure 'Configure the list of names that will bypass the HSTS policy check' is set to 'Disabled'WindowsCIS Microsoft Edge L1 v2.0.0
6.9 Ensure that PAN-DB URL Filtering is usedPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.10 Ensure that URL Filtering uses the action of block or override on the URL categoriesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L2
19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
ARST-RT-000060 - The Arista BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.AristaDISA STIG Arista MLS EOS 4.2x Router v1r1
ARST-RT-000100 - The Arista BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.AristaDISA STIG Arista MLS EOS 4.2x Router v1r1
CIS Control 7 (7.7) Use of DNS Filtering ServicesUnixCAS Implementation Group 1 Audit File
CISC-RT-000540 - The Cisco BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.CiscoDISA STIG Cisco IOS XE Router RTR v2r9
CISC-RT-000540 - The Cisco BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.CiscoDISA STIG Cisco IOS-XR Router RTR v2r4
CISC-RT-000540 - The Cisco BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.CiscoDISA STIG Cisco IOS Router RTR v2r6
CISC-RT-000540 - The Cisco BGP switch must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.CiscoDISA STIG Cisco IOS XE Switch RTR v2r5
CISC-RT-000540 - The Cisco BGP switch must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.CiscoDISA STIG Cisco NX-OS Switch RTR v2r3
CISC-RT-000550 - The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer - ip as-path access-listCiscoDISA STIG Cisco IOS Router RTR v2r6
CISC-RT-000550 - The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer - route-policyCiscoDISA STIG Cisco IOS-XR Router RTR v2r4
CISC-RT-000550 - The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.CiscoDISA STIG Cisco IOS-XR Router RTR v2r4
CISC-RT-000550 - The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.CiscoDISA STIG Cisco IOS XE Router RTR v2r9
CISC-RT-000550 - The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.CiscoDISA STIG Cisco IOS Router RTR v2r6
CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer.CiscoDISA STIG Cisco IOS XE Switch RTR v2r5
CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer.CiscoDISA STIG Cisco NX-OS Switch RTR v2r3
Determine if a host has passwords saved or not saved for specific sites with Mozilla Firefox.FileContentTNS File Analysis - Adult Media Browser Usage
Determine if host has bookmarked adult content with Internet Explorer.FileContentTNS File Analysis - Adult Media Browser Usage
Determine if host has browsed adult content with Internet Explorer.FileContentTNS File Analysis - Adult Media Browser Usage
GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX00040 - The securetcpip command must be usedUnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX00040 - The securetcpip command must be used - /etc/security/config has been configuredUnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX00040 - The securetcpip command must be used.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX0200 - The system must not allow directed broadcasts to gateway.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX0200 - The system must not allow directed broadcasts to gateway.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX0210 - The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX0210 - The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX0220 - The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX0220 - The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX0230 - The system must provide protection against IP fragmentation attacks.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX0230 - The system must provide protection against IP fragmentation attacks.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX0300 - The system must not have the bootp service active.UnixDISA STIG AIX 6.1 v1r14
GEN000000-AIX0300 - The system must not have the bootp service active.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX0310 - The /etc/ftpaccess.ctl file must exist.UnixDISA STIG AIX 5.3 v1r2
GEN000000-AIX0310 - The /etc/ftpaccess.ctl file must exist.UnixDISA STIG AIX 6.1 v1r14
GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.highUnixDISA STIG Solaris 10 SPARC v2r4
GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.highUnixDISA STIG Solaris 10 X86 v2r4
GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.lowUnixDISA STIG Solaris 10 X86 v2r4
GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.lowUnixDISA STIG Solaris 10 SPARC v2r4