policy

The policy command is used to configure and manage security policy settings. Policies are needed to define security criteria such as the required quality, length and composition of passwords. The security policies are: Password, Session, and Cryptographic Strength.

Security policies may be applied to bring the Makito X4 device to its Common Criteria (CC) evaluated configuration. During the hardening procedure, it is important for the administrator to set the policies before creating accounts.

Note

The policy command can only be used by an administrator.

Synopsis

policy password set [quality=basic] [minlen=6] [minuppers=0] [mindigits=0]
[minsymbols=0] [expiry=yes] [lifetime=90] [remember=5]
policy session set [autologout=yes] [idletimeout=15]
policy crypto set [compliance=None] [tlsv1.{0|1|2}=yes] [sslv3=no]
policy https set hsts=no
policy pname/all get

Actions

Action | Description

password set

Modifies the password policy parameters. A series of one or more parameter=value pairs can be specified at once. See "password" under Parameters below.

session set

Modifies the session policy parameters. A series of one or more parameter=value pairs can be specified at once. See "session" under Parameters below.

crypto set

Specifies the cryptographic policy. The compliance parameter can be specified. See "crypto" under Parameters below.

https set

Enables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP.

pname/all get

Displays the policy information for either the specified policy (i.e., password, session, or crypto) or all policies on the Makito X4.

Parameters

Parameter | Default | Description/Values

crypto

compliance 

None 

 Specifies the required cryptographic compliance, either:

  • None
  • NDPP11: Activates cryptographic security to a level compliant with the Network Device Protection Profile v1.1.
  • FIPS140: All management cryptography is operated in the FIPS 140-2 mode.
  • SP800-52r1 (Deprecated): All management cryptography follows the guidelines of NIST Special Publication 800-52 Rev 1.
  • SP800-52r2

Note

Either selection reinforces security for all management functions of the device in terms of cryptography. This setting takes effect upon the next reboot.

sslv3

See Note

Enables or disables SSLv3 as a supported TLS version: Yes, No

Note

SSLv3 is disabled on factory new systems. On upgraded systems, SSLv3 is enabled only if upgrading a system where no (None) cryptographic compliance is configured. SSLv3 can be enabled only if compliance is set to None.

Specifies which TLS (Transport Layer Security) versions are accepted from the HTTPS client. At least one TLS version must be enabled.

tlsv1.0

Yes

Enables or disables TLSv1.0 as a supported TLS version: Yes, No

tlsv1.1

Yes

Enables or disables TLSv1.1 as a supported TLS version: Yes, No

tlsv1.2

Yes

Enables or disables TLSv1.2 as a supported TLS version: Yes, No

https

No

Enables or disables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP. 

Note

When preparing a Makito X4 device for hardening, you need to enable the HSTS policy. 

password

quality

Basic

Specifies the required password strength, either:

  • Basic
  • Strong

minlen

6

Specifies the minimum password length. Range: 6–40

minuppers

See Note

(quality must be Strong) Specifies the minimum number of uppercase letters. Range: 0–40

Note

Default is N/A if quality=Basic, 0 if quality=Strong.

mindigits

See Note

(quality must be Strong) Specifies the minimum number of digits. Range: 0–40

Note

Default is N/A if quality=Basic, 0 if quality=Strong.

minsymbols

See Note

(quality must be Strong) Specifies the minimum number of symbols. Range: 0–40

Note

Default is N/A if quality=Basic, 0 if quality=Strong.

expiry

No

Enables or disables password expiration: Yes, No

lifetime

90 days

(expiry must be Yes) Specifies the number of days after which users must change their passwords. Range: 1–180 days

remember


(quality must be Strong) Remembers the specified number of most recently used passwords for the Makito X4, and prevents users from changing their password to any password within that history count. Range: 5–400

session

autologout

No

Enables or disables auto-logout: Yes, No

idletimeout

15 minutes

(autologout must be Yes) Specifies the maximum length of time the system may be idle before the user will be logged out. Range: 1–1440 minutes


Examples

# policy crypto set compliance=NDPP11

Sets the required cryptographic compliance to Network Device Protection Profile v1.1.

# policy password set quality=strong minlen=10 minuppers=1 minsymbols=1
expiry=yes lifetime=30

Sets the password policy to Strong, requiring passwords to be at least 10 characters long with at least one uppercase letter and one symbol. Passwords will expire in 30 days.

# policy all get

Returns policy information for the Makito X4 such as:

Crypto:
Compliance : NDPP11
SSLv3 : Disallowed
TLSv1.0 : Yes
TLSv1.1 : Yes
TLSv1.2 : Yes
HTTPS:
HSTS : Yes
Password:
Quality : Strong
MinLen : 10
MinUppers : 1
MinDigits : 0
MinSymbols : 1
Remember : 5
Expiry : Yes
Lifetime : 30 days
Session:
Autologout : Yes
IdleTimeout : 20 minutes
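
A listing in this layout can be checked offline against the notes in the Parameters table. The Python below is an added example and not part of the Makito X4 documentation: parse_policy and audit are hypothetical helper names, the sample text is constructed, and treating "No"/"Disallowed" as the disabled spellings and compliance=None as a finding are assumptions.

```python
import re

# Constructed sample in the layout of the `policy all get` listing (not from a real device).
SAMPLE = """Crypto:
Compliance : None
SSLv3 : Yes
TLSv1.0 : Yes
TLSv1.1 : Yes
TLSv1.2 : Yes
HTTPS:
HSTS : No
Password:
Quality : Basic
MinLen : 6
Expiry : No
Session:
Autologout : No
"""

def parse_policy(text):
    """Turn 'Section:' headers and 'Key : Value' rows into {section: {key: value}}."""
    policy, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        row = re.fullmatch(r"(\S+)\s+:\s*(.*)", line)
        if row and section:
            policy[section][row.group(1).lower()] = row.group(2).strip().lower()
        elif line.endswith(":"):
            section = line[:-1].strip().lower()
            policy[section] = {}
    return policy

def audit(policy):
    """Return findings for settings that the Parameters notes call out."""
    get = lambda sec, key: policy.get(sec, {}).get(key)
    on = lambda v: v not in (None, "no", "disallowed")  # assumed 'disabled' spellings
    tls = ("tlsv1.0", "tlsv1.1", "tlsv1.2")
    checks = [
        (get("crypto", "compliance") in (None, "none"), "crypto: no compliance mode selected"),
        (on(get("crypto", "sslv3")), "crypto: SSLv3 is enabled"),
        (not any(on(get("crypto", k)) for k in tls), "crypto: no TLS version enabled"),
        (not on(get("https", "hsts")), "https: HSTS is off (needed for hardening)"),
        (get("password", "quality") != "strong", "password: not Strong, composition rules unused"),
        (not on(get("session", "autologout")), "session: autologout off, idletimeout unused"),
    ]
    return [message for failed, message in checks if failed]

if __name__ == "__main__":
    for finding in audit(parse_policy(SAMPLE)):
        print(finding)
```

Run against the listing shown in the example above, audit returns no findings; the constructed sample returns five.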
