Bandolier Compliance Check Categories
From SCADApedia
The Bandolier compliance checks are generally divided into two separate audit files, one for the operating system (OS) and one for the control system application. Each of the files is developed and tested in conjunction with the vendor and/or an asset owner. See the Bandolier SCADApedia article for more details on the development process.
The OS checks are based on best practice benchmarks such as those developed by Tenable Network Security, the Center for Internet Security (CIS), NIST, and others. They are customized and tested to remove any recommendations that are known to interfere with reliable operation of the control system application.
The application checks contain settings that are specific to the application itself. They also contain application dependencies and vendor-specified OS-level settings. Application checks are related to control system applications as well as database, web server and other applications used in conjunction with the control system applications.
The categories and examples below further define how the checks are organized.
OS Checks
Network Communication Settings
This category covers any setting that enhances the security of network communications.
Unix Example
Verify that the kernel tuning parameter for tcp_syncookies is set correctly in /etc/sysctl.conf
<custom_item>
 type        : FILE_CONTENT_CHECK
 description : "Verify that the kernel tuning parameter for tcp_syncookies is set correctly in /etc/sysctl.conf"
 file        : "/etc/sysctl.conf"
 expect      : "net.ipv4.tcp_syncookies=*"
 regex       : "net.ipv4.tcp_syncookies=1"
</custom_item>
Windows Example
Ownership and Permissions
This category covers any ownership and permissions issues. Primarily this relates to files but could also be Windows registry keys, services, etc.
Unix Example
Verify that the permissions and ownership are set correctly for /etc/sysctl.conf
<custom_item>
 type        : FILE_CHECK
 description : "Verify that the permission and ownership is set correctly for /etc/sysctl.conf"
 file        : "/etc/sysctl.conf"
 owner       : "root"
 group       : "root"
 mode        : "0600"
</custom_item>
Windows Example
Services and Processes
This category covers anything related to the services and processes that should or should not be running. Usually this will mean checking for unnecessary services.
Unix Example
Verify that a tftp process is not running
<custom_item>
 type        : PROCESS_CHECK
 description : "Verify that a tftp process is not running"
 name        : "tftp"
 status      : OFF
</custom_item>
Windows Example
User Management
This category covers anything related to user account management and security, including password characteristics, checks for built-in accounts, and similar settings.
Unix Example
Verify that the password length requirement is at least eight characters
<item>
 name        : "minimum_password_length"
 description : "Verify that the password length requirement is at least eight characters"
 value       : "8..MAX"
</item>
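The four Unix items above (the network, ownership, process and password-length checks) are all evaluated the same way by a scanner: each block is parsed into key/value fields and then compared against facts collected from the host. The following toy evaluator, added here as an illustration and not Bandolier or Tenable code, parses those four items verbatim and runs them against constructed host facts. It assumes Tenable's semantics for FILE_CONTENT_CHECK as this example's author reads them (the `regex` selects a line in the file, the `expect` pattern must then match that line); the host data, the `HOST` dictionary and the helper names are all constructed for this example.

```python
# Added example (not Bandolier or Tenable code): a toy evaluator for the
# Nessus-style .audit items quoted in this article, run against constructed
# host facts.  Assumed semantics for FILE_CONTENT_CHECK (as this example's
# author reads Tenable's format): `regex` selects a line, `expect` must match it.
import copy
import re

# The four Unix items from the article, verbatim, in the multi-line .audit layout.
AUDIT_TEXT = """
<custom_item>
 type : FILE_CONTENT_CHECK
 description : "Verify that the kernel tuning parameter for tcp_syncookies is set correctly in /etc/sysctl.conf"
 file : "/etc/sysctl.conf"
 expect : "net.ipv4.tcp_syncookies=*"
 regex : "net.ipv4.tcp_syncookies=1"
</custom_item>
<custom_item>
 type : FILE_CHECK
 description : "Verify that the permission and ownership is set correctly for /etc/sysctl.conf"
 file : "/etc/sysctl.conf"
 owner : "root"
 group : "root"
 mode : "0600"
</custom_item>
<custom_item>
 type : PROCESS_CHECK
 description : "Verify that a tftp process is not running"
 name : "tftp"
 status : OFF
</custom_item>
<item>
 name : "minimum_password_length"
 description : "Verify that the password length requirement is at least eight characters"
 value : "8..MAX"
</item>
"""

# Constructed host facts standing in for what a credentialed scan would collect.
HOST = {
    "files": {"/etc/sysctl.conf": {"owner": "root", "group": "root", "mode": "0644",
                                   "content": "net.ipv4.ip_forward=0\nnet.ipv4.tcp_syncookies=1\n"}},
    "processes": ["sshd", "tftp"],
    "login_defs": {"PASS_MIN_LEN": 6},
}

ITEM_RE = re.compile(r"<(custom_item|item)>(.*?)</\1>", re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', re.M)


def parse_audit(text):
    """Return one dict per <custom_item>/<item> block, values unquoted."""
    items = []
    for kind, body in ITEM_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        fields["_kind"] = kind
        items.append(fields)
    return items


def check_file_content(item, host):
    f = host["files"].get(item["file"])
    if f is None:
        return False
    for line in f["content"].splitlines():
        if re.search(item["regex"], line):                      # regex picks the line...
            return re.search(item["expect"], line) is not None  # ...expect judges it
    return False                                                # no matching line: fail closed


def check_file(item, host):
    f = host["files"].get(item["file"])
    return f is not None and all(f[k] == item[k] for k in ("owner", "group", "mode") if k in item)


def check_process(item, host):
    running = item["name"] in host["processes"]
    return running if item["status"] == "ON" else not running


def check_min_password_length(item, host):
    lo, hi = item["value"].split("..")                # "8..MAX" means 8 or more
    actual = host["login_defs"]["PASS_MIN_LEN"]
    return actual >= int(lo) and (hi == "MAX" or actual <= int(hi))


HANDLERS = {"FILE_CONTENT_CHECK": check_file_content, "FILE_CHECK": check_file,
            "PROCESS_CHECK": check_process, "minimum_password_length": check_min_password_length}


def evaluate(text, host):
    """Map each item's description to "PASSED" or "FAILED"."""
    results = {}
    for item in parse_audit(text):
        key = item["type"] if item["_kind"] == "custom_item" else item["name"]
        results[item["description"]] = "PASSED" if HANDLERS[key](item, host) else "FAILED"
    return results


def host_with_sysctl(content, base=HOST):
    """Copy of the host facts with a different /etc/sysctl.conf body."""
    h = copy.deepcopy(base)
    h["files"]["/etc/sysctl.conf"]["content"] = content
    return h


if __name__ == "__main__":
    for desc, res in evaluate(AUDIT_TEXT, HOST).items():
        print(f"[{res}] {desc}")
    # The article's regex allows no whitespace, so "key = 1" (a common
    # sysctl.conf spelling) selects no line and the check reports FAILED.
    print(evaluate(AUDIT_TEXT, host_with_sysctl("net.ipv4.tcp_syncookies = 1\n")))
```

Against the constructed host only the tcp_syncookies check passes: the file mode is 0644 rather than 0600, a tftp process is running, and PASS_MIN_LEN is 6. The second run shows a caveat worth keeping in mind when reading the regex in the article's first example: because it contains no whitespace allowance, a host whose sysctl.conf spells the setting as `net.ipv4.tcp_syncookies = 1` selects no line and the check fails even though the kernel parameter is correctly set, which is why audit authors test each item against the exact file layout the vendor ships.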
Windows Example
Other Security Settings
This category serves as a catch-all for anything that doesn't fit well into the other categories.
Unix Example
Windows Example
Application Checks
Network Communication Settings
This category covers network communication settings that affect security of the application. This may be in the form of application-specific configuration files but may also be vendor-recommended settings that go beyond what is included in the OS-level Network Communications settings category.
Unix Example
Windows Example
Ownership and Permissions
This will generally be a validation that the application files and services have the appropriate ownership and permissions.
Unix Example
Windows Example
Service and Process Dependencies
This category checks for services and processes that are required to run the application. It also looks for processes that the vendor specifically identifies as undesirable or unnecessary. In this regard, it has the potential to overlap with the OS-level audit file.
Unix Example
Windows Example
User Account Management
This category contains checks for account management settings that can exist at the application and OS levels. There is potential overlap with the OS-level category of the same name; the differentiating factors are whether the settings are application-specific or whether they are specifically recommended by the application vendor.
Unix Example
Windows Example
Other Security Settings
This category serves as a catch-all for application-level security settings that do not fit well in any of the other categories.
