WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.
@@ -959,29 +959,29 @@ Guidance: This requirement gives the user or integrator of the product the neces
#### 5.2.X.x **MI-SDEE-1**: Document physical access to debug interfaces
All debug/management interfaces accessible to someone with physical access to the device shall be documented as to how to protect or disable them.
All debug/management interfaces accessible to someone with physical access to the product shall be documented as to how to protect or disable them.
Guidance: This is for the use case of selling to an integrator.
* Applicability: Physical network interface
* Reference: TR-SDEF
* Objective: Secure by default
* Preparation: Examine the documentation for how to protect or disable the physically accessible debug/management interfaces of the device
* Activities: Examine the device for undocumented physical management interfaces, then follow the instructions in the documentation to disable or protect each documented interface, then attempt to access the interface without authorization
* Preparation: Examine the documentation for how to protect or disable the physically accessible debug/management interfaces of the product
* Activities: Examine the product for undocumented physical management interfaces, then follow the instructions in the documentation to disable or protect each documented interface, then attempt to access the interface without authorization
* Verdict: All physical debug or management interfaces are documented as to how to disable or protect them, and no interfaces are accessible without authorization after following the documentation t protect or disable them => PASS, otherwise => FAIL
* Evidence: Pictures of the device, list of discovered interfaces, comparison with documentation, notes as to which are documented how to disable/protect, logs of protect/disable actions, logs of attempts to access interfaces after protected or disabled
* Evidence: Pictures of the product, list of discovered interfaces, comparison with documentation, notes as to which are documented how to disable/protect, logs of protect/disable actions, logs of attempts to access interfaces after protected or disabled
#### 5.2.X.x **MI-SDEE-2**: Protect or disable physical access to debug interfaces
All debug/management interfaces accessible to someone with physical access to the device shall be protected or disabled by default, unless necessary for backward compatibility and use by an appropriately sophisticated user who has been sufficiently informed of the risk and how to mitigate it.
All debug/management interfaces accessible to someone with physical access to the product shall be protected or disabled by default, unless necessary for backward compatibility and use by an appropriately sophisticated user who has been sufficiently informed of the risk and how to mitigate it.
Guidance: This is for the use case of an end user in use cases where physical access is possible for a threat actor.
* Applicability: Physical network interface
* Reference: TR-SDEF
* Objective: Secure by default
* Preparation: Examine the documentation to find the physically accessible debug/management interfaces of the device
* Activities: Examine the device for undocumented physical management interfaces, then attempt to access the documented interfaces without authorization
* Preparation: Examine the documentation to find the physically accessible debug/management interfaces of the product
* Activities: Examine the product for undocumented physical management interfaces, then attempt to access the documented interfaces without authorization
* Verdict: No undocumented interfaces are found, no documented interfaces can be used without authorization other than those documented as necessary and the instructions to the user are sufficient => PASS, otherwise => FAIL
* Evidence: List of interfaces, log of examinations, log of attempts to access
@@ -994,7 +994,7 @@ Guidance: This is for the use case of an end user in use cases where local host
* Reference: TR-SDEF
* Objective: Secure by default
* Preparation: Examine the documentation of the network accessible interfaces of the product and follow the instructions to mitigate the risk of any necessary unprotected or enabled interfaces
* Activities: Using a network scanner, scan the device for both documented and undocumented debug or remote management interfaces and determine whether they are enabled or protected
* Activities: Using a network scanner, scan the product for both documented and undocumented debug or remote management interfaces and determine whether they are enabled or protected
* Verdict: No undocumented interfaces are found and no interfaces can be accessed without authorization other than those documented as necessary and the instructions to the user are sufficient => PASS, otherwise => FAIL
* Evidence: List of interfaces, log of attempts to access
@@ -1007,7 +1007,7 @@ Guidance: This is for the use case of an end user in use cases where network acc
* Reference: TR-SDEF
* Objective: Secure by default
* Preparation: Examine the documentation of the network accessible interfaces of the product and follow the instructions to mitigate the risk of any necessary unprotected or enabled interfaces
* Activities: Using a network scanner, scan the device for both documented and undocumented debug or remote management interfaces and determine whether they are enabled or protected
* Activities: Using a network scanner, scan the product for both documented and undocumented debug or remote management interfaces and determine whether they are enabled or protected
* Verdict: No undocumented interfaces are found and no interfaces can be accessed without authorization other than those documented as necessary and the instructions to the user are sufficient => PASS, otherwise => FAIL
* Evidence: List of interfaces, log of attempts to access
