_policy_CLI MK4 cmd->DELETE

The policy command is used to configure and manage security policy settings. Policies are needed to define security criteria such as the required quality, length and composition of passwords. The security policies are: Password, Session, and Cryptographic Strength.

Security policies may be applied to bring the Makito X4 device to its Common Criteria (CC) evaluated configuration. During the hardening procedure, it is important for the administrator to set the policies before creating accounts.

Note

The policy command can only be used by an administrator.

Synopsis

policy password set [quality=basic] [minlen=6] [minuppers=0] [mindigits=0]
  [minsymbols=0] [expiry=yes] [lifetime=90] [remember=5]
policy session set [autologout=yes] [idletimeout=15]
policy crypto set [compliance=None] [tlsv1.{0|1|2}=yes] [sslv3=no]
policy https set hsts=no
policy pname/all get

Actions

Action	Description
password set	Modifies the password policy parameters. A series of one or more `parameter=value` pairs can be specified at once. See "password" under Parameters below.
session set	Modifies the session policy parameters. A series of one or more `parameter=value` pairs can be specified at once. See "session" under Parameters below.
crypto set	Specifies the cryptographic policy. The `compliance` parameter can be specified. See "crypto" under Parameters below.
https set	Enables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP.
pname/all get	Displays the policy information for either the policy (i.e., password, session, or crypto) or the Makito X4.

Parameters

Parameter	Default	Description/Values
crypto
compliance	None	Specifies the required cryptographic compliance, either: None NDPP11: Activates cryptographic security to a level compliant with the Network Device Protection Profile v1.1. FIPS140: All management cryptography is operated in the FIPS 140-2 mode. Sp800-52r1(Deprecated): All management cryptography follows the guidelines of NIST Special Publication 800-52 Rev 1. SP800-52r2 Note Either selection reinforces security for all management functions of the device in terms of cryptography. This setting takes effect upon the next reboot.
sslv3	See Note	Enables or disables SSLv3 as a supported TLS version: Yes, No Note SSLv3 is disabled on factory new systems. On upgraded systems, SSLv3 is enabled only if upgrading a system where no (None) cryptographic compliance is configured. SSLv3 can be enabled only if compliance is set to None.
Specifies which TLS (Transport Layer Security) versions are accepted from the HTTPS client. At least one TLS version must be enabled.
tlsv1.0	Yes	Enables or disables TLSv1.0 as a supported TLS version: Yes, No
tlsv1.1	Yes	Enables or disables TLSv1.1 as a supported TLS version: Yes, No
tlsv1.2	Yes	Enables or disables TLSv1.2 as a supported TLS version: Yes, No
https	No	Enables or disables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP. Note When preparing a Makito X4 device for hardening, you need to enable the HSTS policy.
password
quality	Basic	Specifies the required password strength, either: Basic Strong
minlen	6	Specifies the minimum password length. Range: 6–40
minuppers	See Note	(quality must be Strong) Specifies the minimum number of uppercase letters. Range: 0 –40 Note Default is N/A if quality=Basic, 0 if quality=Strong.
mindigits	See Note	(quality must be Strong) Specifies the minimum number of digits. Range: 0 –40 Note Default is N/A if quality=Basic, 0 if quality=Strong.
minsymbols	See Note	(quality must be Strong) Specifies the minimum number of symbols. Range: 0 –40 Note Default is N/A if quality=Basic, 0 if quality=Strong.
expiry	No	Enables or disables password expiration: Yes, No
lifetime	90 days	(expiry must be Yes) Specifies the number of days after which users must change their passwords. Range: 1 –180 days
remember		(quality must be Strong) Saves the specified last number of passwords used for the Makito X4, and prevents users from changing their password to any password used within the specified history count. Range: 5 –400
session
autologout	No	Enables or disables auto-logou: Yes, No
idletimeout	15 minutes	(autologout must be Yes) Specifies the maximum length of time the system may be idle before the user will be logged out. Range: 1 –1440 minutes

Examples

# policy crypto set compliance=NDPP11

Sets the required cryptographic compliance to Network Device Protection Profile v1.1.

# policy password set quality=strong minlen=10 minuppers=1 minsymbols=1
   expiry=yes lifetime=30

Sets the password policy to be Strong, requiring passwords to be at least 10 characters in length, with one uppercase letter, one symbol. Passwords will expire in 30 days.

# policy all get

Returns policy information for the Makito X4 such as:

Crypto:
  Compliance  : NDPP11
  SSLv3       : Disallowed
  TLSv1.0     : Yes
  TLSv1.1     : Yes
  TLSv1.2     : Yes
HTTPS:
  HSTS        : Yes
Password:
  Quality     : Strong
  MinLen      : 10
  MinUppers   : 1
  MinDigits   : 0
  MinSymbols  : 1
  Remember    : 5
  Expiry      : Yes
  Lifetime    : 30 days
Session:
  Autologout  : Yes
  IdleTimeout : 20 minutes