TOSS must protect wireless access to the system using authentication of users and/or devices.

STIG ID: TOSS-04-020160  |  SRG: SRG-OS-000299-GPOS-00117 |  Severity: medium |  CCI: CCI-001443,CCI-001444,CCI-002418 |  Vulnerability Id: V-252956

Vulnerability Discussion

Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack.

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

This requirement applies to those operating systems that control wireless devices.

Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000481-GPOS-00481

Check

Verify there are no wireless interfaces configured on the system with the following command:

Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.

$ sudo nmcli device status
DEVICE TYPE STATE CONNECTION
virbr0 bridge connected virbr0
wlp7s0 wifi connected wifiSSID
enp6s0 ethernet disconnected --
p2p-dev-wlp7s0 wifi-p2p disconnected --
lo loopback unmanaged --
virbr0-nic tun unmanaged --

If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.

Fix

Configure the system to disable all wireless network interfaces with the following command:

$ sudo nmcli radio all off
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.