STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Juniper Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.

DISA Rule

SV-15472r4_rule

Vulnerability Number

V-3057

Group Title

Accounts assigned least privileges necessary to perform duties.

Rule Version

NET0465

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.

Check Contents

Review the accounts authorized for access to the network device. Determine whether each account is assigned the lowest privilege level necessary to perform its assigned duties. User accounts must be set to a specific privilege level that can be mapped to specific commands or a group of commands. Authorized accounts should be assigned the least privilege level unless a higher level is deemed necessary for assigned duties.

If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.

Below is an example configuration with three levels of authorization followed by account templates.

[edit system login]
class tier1 {
    idle-timeout 15;
    permissions [ configure interface network routing snmp system trace view firewall ];
}
class tier2 {
    idle-timeout 15;
    permissions [ admin clear configure interface network reset routing routing-control
                  snmp snmp-control system system-control trace trace-control view maintenance firewall
                  firewall-control secret rollback ];
}
class tier3 {
    idle-timeout 15;
    permissions all;
}

/* This is our local superuser account with a local password. */
user admin {
    full-name Administrator;
    uid 2000;
    class tier3;
    authentication {
        encrypted-password xxxxxxx;
    }
}

/* TACACS templates */
user tier1 {
    uid 2001;
    class tier1;
}
user tier2 {
    uid 2002;
    class tier2;
}
user tier3 {
    uid 2003;
    class tier3;
}

Using the example JUNOS configuration above and the TACACS+ configuration below: when a user logs in through a template account, the CLI username is the login name, but the privileges, file ownership, and effective user ID are inherited from the template account. The CLI username is sent to the authentication server together with the user's password. The server returns the local username (e.g., “tier2”) to the JUNOS software, as configured on the authentication server (local-user-name for TACACS+, Juniper-Local-User for RADIUS).

user = simon {
    .
    .
    .
    .
    service = junos-exec {
        local-user-name = tier2
        allow-commands = "configure"
        deny-commands = "shutdown"
    }
}

The 'allow-commands' and 'deny-commands' attributes override the permissions of the login class associated with the template account named by local-user-name.
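The following Python script is an added illustration of how the check above can be performed against a configuration export; it is not DISA or Juniper code. It parses a [edit system login] stanza in the format shown, resolves the TACACS+ local-user-name mapping the check describes (the CLI login inherits the template account's class), and reports the permission flags an account holds beyond what its duty requires. The sample stanza, the "simon"/"noc-watch" template mapping, and the duty baselines are constructed assumptions standing in for what an auditor would take from the AAA server and the site's role definitions.

```python
"""Least-privilege audit of a Junos [edit system login] stanza (added example,
not Juniper or DISA code). Parses login classes and user-to-class assignments
in the format the STIG check shows, resolves TACACS+ template mappings
(local-user-name) and reports flags held beyond a duty baseline.
All sample data below is constructed for illustration."""
import re
from typing import Dict, Iterator, Set, Tuple

# Constructed sample in the check's format (not output from a real device).
SAMPLE_LOGIN_STANZA = """
class tier1 {
    idle-timeout 15;
    permissions [ configure interface network routing snmp system trace view firewall ];
}
class tier2 {
    idle-timeout 15;
    permissions [ admin clear configure interface network reset routing routing-control
        snmp snmp-control system system-control trace trace-control view maintenance firewall
        firewall-control secret rollback ];
}
class tier3 { idle-timeout 15; permissions all; }
/* local superuser account */
user admin {
    full-name Administrator; uid 2000; class tier3;
    authentication { encrypted-password xxxxxxx; }
}
/* TACACS templates */
user tier1 { uid 2001; class tier1; }
user tier2 { uid 2002; class tier2; }
user tier3 { uid 2003; class tier3; }
"""

# Constructed: CLI login name -> template account the TACACS+ server returns as
# local-user-name (the check's "simon" -> "tier2" case).
SAMPLE_TEMPLATE_MAP = {"simon": "tier2", "noc-watch": "tier1"}

# Constructed duty baselines (flags each role needs) and who holds which duty.
DUTY_BASELINES = {
    "monitor": {"view", "network", "trace", "snmp"},
    "operator": {"view", "network", "trace", "snmp", "interface",
                 "routing", "configure", "system", "firewall"},
    "administrator": {"all"},
}
DUTY_ASSIGNMENTS = {"simon": "operator", "noc-watch": "monitor", "admin": "administrator"}


def _strip_comments(text: str) -> str:
    """Drop Junos /* ... */ and # comments before matching statements."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"#.*", "", text)


def _blocks(text: str, keyword: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, body) for each 'keyword name { ... }' block, honouring nested braces."""
    pattern = re.compile(rf"\b{keyword}\s+(\S+)\s*\{{")
    pos = 0
    while (m := pattern.search(text, pos)) is not None:
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]   # body without the closing brace
        pos = i


def parse_login_stanza(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, str]]:
    """Return (class -> permission flags, user -> class); 'permissions all' becomes {'all'}."""
    text = _strip_comments(text)
    classes: Dict[str, Set[str]] = {}
    for name, body in _blocks(text, "class"):
        m = re.search(r"\bpermissions\s+(all|\[([^\]]*)\])\s*;", body)
        if m is None:
            classes[name] = set()            # class grants nothing explicitly
        elif m.group(1) == "all":
            classes[name] = {"all"}
        else:
            classes[name] = set(m.group(2).split())
    users: Dict[str, str] = {}
    for name, body in _blocks(text, "user"):
        m = re.search(r"\bclass\s+(\S+?)\s*;", body)
        if m is not None:
            users[name] = m.group(1)
    return classes, users


def effective_permissions(login: str, classes: Dict[str, Set[str]],
                          users: Dict[str, str], template_map: Dict[str, str]) -> Set[str]:
    """Flags a CLI login actually exercises: a template-mapped login inherits the
    template account's class; a local login uses its own class."""
    local_user = template_map.get(login, login)
    if local_user not in users:
        raise KeyError(f"no local user or template account for {login!r}")
    return set(classes.get(users[local_user], set()))


def audit_least_privilege(text: str, template_map: Dict[str, str], assignments: Dict[str, str],
                          baselines: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return login -> flags held beyond the duty baseline (empty dict means no finding).
    'permissions all' counts as excess unless the duty baseline is itself {'all'}."""
    classes, users = parse_login_stanza(text)
    findings: Dict[str, Set[str]] = {}
    for login, duty in assignments.items():
        excess = effective_permissions(login, classes, users, template_map) - baselines[duty]
        if excess:
            findings[login] = excess
    return findings


if __name__ == "__main__":
    result = audit_least_privilege(SAMPLE_LOGIN_STANZA, SAMPLE_TEMPLATE_MAP,
                                   DUTY_ASSIGNMENTS, DUTY_BASELINES)
    for login, excess in sorted(result.items()):
        print(f"FINDING: {login} holds flags beyond assigned duty: {sorted(excess)}")
```

With the constructed data, "simon" (mapped to tier2) and "noc-watch" (mapped to tier1 but needing only read access) are reported as holding flags beyond their duty, while "admin", whose duty baseline is 'all', produces no finding. The script evaluates login-class permissions only; the per-user allow-commands and deny-commands attributes the check mentions are applied from the TACACS+ server and must be reviewed there.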

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

510

Comments