
policy (CLI command)

The policy command is used to configure and manage security policy settings for passwords, session timeout, cryptographic strength, and other security criteria for user accounts. These policies apply to all user accounts; therefore, it is recommended to set the policies before beginning to create accounts.

Security policies may be applied to bring the Makito X Series device to its Common Criteria (CC) evaluated configuration. 

Note

The policy command can only be used by an administrator.

Synopsis

policy account set [disableinactive=no] [inactivitytimeout=90]
policy password set [quality=basic] [minlen=6] [minuppers=0] [mindigits=0] [minsymbols=0] [expiry=yes] [lifetime=90] [remember=5]
policy session set [autologout=yes] [idletimeout=15] [limitpwdretries=no] [maxpwdretries=3] [pwdfailinterval=15]
policy crypto set [compliance=None] [tlsv1.{0|1|2}=yes] [sslv3=no]
policy https set hsts=no
policy pname/all get

Actions

Action and description

account set
    Configures the Makito X device to automatically disable user accounts after the specified number of days of account inactivity.

password set
    Modifies the password policy parameters. A series of one or more parameter=value pairs can be specified at once. See "password" under Parameters below.

session set
    Modifies the session policy parameters. A series of one or more parameter=value pairs can be specified at once. See "session" under Parameters below.

crypto set
    Specifies the cryptographic policy. The compliance parameter can be specified. See "crypto" under Parameters below.

https set
    Enables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to contact the Web interface only over HTTPS, instead of using HTTP.

pname/all get
    Displays the policy information either for the named policy (i.e., password, session, or crypto) or, with all, for every policy on the Makito X device.


Parameters

Parameter (default): Description/Values

crypto

compliance (default: None)
    Specifies the required cryptographic compliance, either:
      • None
      • NDPP11: Activates cryptographic security to a level compliant with the Network Device Protection Profile v1.1.
      • FIPS140: All management cryptography is operated in the FIPS 140-2 mode.
      • SP800-52r1 (deprecated): All management cryptography follows the guidelines of NIST Special Publication 800-52 Rev 1.
      • SP800-52r2

    Note
    Each of the compliance selections reinforces security for all management functions of the device in terms of cryptography. This setting takes effect upon the next reboot.

sslv3 (default: see Note)
    Enables or disables SSLv3 as a supported protocol version: Yes, No

    Note
    SSLv3 is disabled on factory-new systems. On upgraded systems, SSLv3 is enabled only if the system being upgraded has no (None) cryptographic compliance configured. SSLv3 can be enabled only if compliance is set to None.

The tlsv1.x parameters specify which TLS (Transport Layer Security) versions are accepted from the HTTPS client. At least one TLS version must be enabled.

tlsv1.0 (default: Yes)
    Enables or disables TLSv1.0 as a supported TLS version: Yes, No

tlsv1.1 (default: Yes)
    Enables or disables TLSv1.1 as a supported TLS version: Yes, No

tlsv1.2 (default: Yes)
    Enables or disables TLSv1.2 as a supported TLS version: Yes, No
https

hsts (default: No)
    Enables or disables HTTP Strict Transport Security (HSTS). When enabled, HSTS forces web browsers to contact the Web interface only over HTTPS, instead of using HTTP.

    Note
    When preparing a Makito X Series device for hardening, you need to enable the HSTS policy.

account

disableinactive (default: No)
    Enables or disables automatic disabling of user accounts after the specified number of days of account inactivity: Yes, No

inactivitytimeout (default: 90)
    Specifies the number of days (since the last login) after which the user account will be disabled: 1..365 days

    Disabled accounts can be re-enabled either via the "account <uname> enable" CLI command or from the Web Interface (Admin > Accounts List View), where the Action drop-down list will include an option to re-enable a disabled account.

    Tip
    The system adds one (1) day (a 24-hour grace period) to the setting configured by the user.

password

quality (default: Basic)
    Specifies the required password strength, either:
      • Basic
      • Strong

minlen (default: 6)
    Specifies the minimum password length. Range: 6..40

minuppers (default: see Note)
    (quality must be Strong) Specifies the minimum number of uppercase letters. Range: 0..40

    Note
    Default is N/A if quality=Basic, 0 if quality=Strong.

mindigits (default: see Note)
    (quality must be Strong) Specifies the minimum number of digits. Range: 0..40

    Note
    Default is N/A if quality=Basic, 0 if quality=Strong.

minsymbols (default: see Note)
    (quality must be Strong) Specifies the minimum number of symbols. Range: 0..40

    Note
    Default is N/A if quality=Basic, 0 if quality=Strong.

expiry (default: No)
    Enables or disables password expiration: Yes, No

lifetime (default: 90 days)
    (expiry must be Yes) Specifies the number of days after which users must change their passwords. Range: 1..180 days

minlifetime (default: 0)
    (quality must be Strong) Specifies the minimum number of days before a password can be changed, i.e., the minimum lifetime of the password. Range: 0 (no restriction)..7 days

remember (default: 5)
    (quality must be Strong) Stores the specified number of most recently used passwords for the Makito X device and prevents users from changing their password to any password within that history count. Range: 5..400

session

autologout (default: No)
    Enables or disables Auto-Logout after the specified length of idle time: Yes, No

    Note
    Enabling the Auto-Logout Session policy also limits the number of concurrent sign-ins per account to 4.

idletimeout (default: 15 minutes)
    (autologout must be Yes) Specifies the length of time the session may remain idle before the user is logged out. Range: 1..1440 minutes

limitpwdretries (default: No)
    Enables or disables limiting the number of consecutive failed sign-in attempts by a user during the specified time period. This may be used to reduce the risk of unauthorized system access via password guessing: Yes, No

maxpwdretries (default: 3)
    (limitpwdretries must be Yes) Specifies the maximum number of consecutive failed sign-in attempts allowed during the specified time interval. Range: 3..10

pwdfailinterval (default: 15)
    (limitpwdretries must be Yes) Specifies the time period during which consecutive failed sign-in attempts are counted before the account is locked out. Range: 5..60 minutes


Examples

# policy crypto set compliance=NDPP11

Sets the required cryptographic compliance to Network Device Protection Profile v1.1.

# policy password set quality=strong minlen=10 minuppers=1 minsymbols=1 expiry=yes lifetime=30

Sets the password policy to Strong, requiring passwords to be at least 10 characters in length with at least one uppercase letter and one symbol. Passwords will expire after 30 days.

# policy all get

Returns policy information for the Makito X device such as:

Crypto:
  Compliance            : (None)
  SSLv3                 : No
  TLSv1.0               : Yes
  TLSv1.1               : Yes
  TLSv1.2               : Yes
HTTPS:
  HSTS                  : No
Account:
  DisableInactive       : No
Password:
  Quality               : Strong
  MinLen                : 6
  MinUppers             : 1
  MinDigits             : 15
  MinSymbols            : 3
  Remember              : 5
  Expiry                : No
Session:
  Autologout            : Yes
  IdleTimeout           : 15 minutes
  LimitPwdRetries       : Yes
  MaxPwdRetries         : 3
  PwdFailInterval       : 15 minutes
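To check a device's current settings against the rules in this reference, the following added Python example (not Haivision's code) parses the text returned by policy all get and flags the settings this page ties to hardening, plus values outside the documented ranges. The sample output is constructed for the example.

```python
# Constructed sample of `policy all get` output (values made up; the misindented "Remember" line mirrors the page's example).
SAMPLE_OUTPUT = """\
Crypto:
  Compliance            : (None)
  SSLv3                 : Yes
  TLSv1.2               : Yes
HTTPS:
  HSTS                  : No
Password:
Remember              : 5
  Expiry                : No
Session:
  Autologout            : Yes
  IdleTimeout           : 15 minutes
  LimitPwdRetries       : Yes
  MaxPwdRetries         : 12
"""
RANGES = {"MinLen": (6, 40), "Remember": (5, 400), "MaxPwdRetries": (3, 10), "PwdFailInterval": (5, 60)}  # from the Parameters table

def parse_policy(text):
    # Returns {section: {key: value}}; indentation is ignored, "(None)" becomes "None",
    # and unit suffixes such as "15 minutes" are dropped so values compare as numbers.
    policy, section = {}, {}
    for stripped in filter(None, map(str.strip, text.splitlines())):
        key, _, value = stripped.partition(":")
        key, value = key.strip(), (value.strip().strip("()").split() or [""])[0]
        if not value:                      # "Crypto:" style section header
            section = policy.setdefault(key, {})
        else:
            section[key] = value
    return policy

def audit_policy(text):
    p = parse_policy(text)
    crypto, findings = p.get("Crypto", {}), []
    if p.get("HTTPS", {}).get("HSTS") != "Yes":
        findings.append("HSTS disabled: required for hardening")
    if crypto.get("SSLv3") == "Yes":
        findings.append("SSLv3 enabled (possible only with compliance=None)")
    if not any(crypto.get(v) == "Yes" for v in ("TLSv1.0", "TLSv1.1", "TLSv1.2")):
        findings.append("no TLS version enabled")
    for sec, key in (("Account", "DisableInactive"), ("Password", "Expiry"),
                     ("Session", "Autologout"), ("Session", "LimitPwdRetries")):
        if p.get(sec, {}).get(key) != "Yes":
            findings.append(f"{key} not enabled")
    for values in p.values():
        for key, (lo, hi) in RANGES.items():
            if key in values and not lo <= int(values[key]) <= hi:
                findings.append(f"{key}={values[key]} outside {lo}..{hi}")
    return findings
```

Paste the device's own policy all get output in place of SAMPLE_OUTPUT; an empty list from audit_policy means every checked setting matches the hardening notes above.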

