STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.

DISA Rule

SV-223186r513253_rule

Vulnerability Number

V-223186

Group Title

SRG-APP-000033-NDM-000212

Rule Version

JUSX-DM-000025

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

User accounts, including the account of last resort, must be assigned to a login class.

Configure the class parameters and privileges.

[edit]
set system login class <class name> idle-timeout 10
set system login class <class name> permissions <appropriate permissions>

Commit for the changes to take effect.

Create and configure template user(s).

[edit]
set system login user <template account name> login-class <appropriate class>

Note: Junos does not permit account creation without login-class assignment.

Note: There are four pre-defined classes which should not be used for <class name>: super-user, operator, read-only, and unauthorized. However, the unauthorized class may be used for the remote user account to prevent logins from externally-authenticated users when a VSA is not returned from the AAA server.

Check Contents

Verify all accounts are assigned a user-defined (not built-in) login class with appropriate permissions configured. If the remote user is configured, it may have either a user-defined login class or the built-in unauthorized class.

[edit]
show system login

Junos OS supports groups, which are centrally located snippets of configuration. This allows common configuration to be applied at one or more hierarchy levels without requiring duplicated stanzas. If no login classes are defined at [edit system login], check for an apply-groups statement and verify the appropriate configuration at the [edit groups] level.

[edit]
show groups

If one or more account templates are not defined with an appropriate login class, this is a finding.

If more than one local account has an authentication stanza and is not documented, this is a finding.

Note: Template accounts are differentiated from local accounts by the presence of an authentication stanza.
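The check above can be scripted against saved `show system login` output. The following is an added example for this STIG entry, not STIGQter or DISA code, and it does not run on the SRX itself: it parses Junos curly-brace display format, then applies the rules stated in the check (built-in class in use, missing class, more than one local account with an authentication stanza, class not defined at [edit system login]). The sample configuration is constructed, the class and account names are invented, and "PLACEHOLDER-HASH" stands in for a real password hash.

```python
"""Audit Junos 'show system login' output against JUSX-DM-000025.

Added example for this STIG entry (not STIGQter/DISA code). Assumes Junos
curly-brace display format and only inspects the [edit system login]
hierarchy; classes inherited through apply-groups are reported as undefined
so they can be verified by hand under [edit groups].
"""

# Built-in Junos login classes that must not be assigned to administrators.
BUILTIN_CLASSES = {"super-user", "operator", "read-only", "unauthorized"}

# Constructed sample output; 'PLACEHOLDER-HASH' stands in for a real hash.
SAMPLE_SHOW_SYSTEM_LOGIN = """\
class stig-admin {
    idle-timeout 10;
    permissions [ all ];
}
user admin {
    class stig-admin;
    authentication {
        encrypted-password "PLACEHOLDER-HASH"; ## SECRET-DATA
    }
}
user remote {
    class unauthorized;
}
user netops {
    class super-user;
    authentication {
        encrypted-password "PLACEHOLDER-HASH"; ## SECRET-DATA
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos display output into nested dicts.

    'user admin {' becomes key 'user admin' holding a nested dict; a leaf
    statement such as 'class stig-admin;' becomes {'class': 'stig-admin'}.
    Trailing '## SECRET-DATA' annotations are dropped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            keyword, _, value = line.rstrip(";").partition(" ")
            stack[-1][keyword] = value.strip()
    return root


def audit_login(login):
    """Apply the check's rules to a parsed [edit system login] stanza.

    Returns a list of finding strings; an empty list means no finding.
    """
    defined = {k.split(" ", 1)[1] for k in login if k.startswith("class ")}
    findings = []
    local_accounts = []  # accounts that carry an authentication stanza
    for key, body in login.items():
        if not key.startswith("user "):
            continue
        name = key.split(" ", 1)[1]
        login_class = body.get("class")
        if "authentication" in body:
            local_accounts.append(name)
        if login_class is None:
            findings.append(f"{name}: no login-class assigned")
        elif login_class in BUILTIN_CLASSES:
            # The 'remote' template may deliberately use 'unauthorized' so that
            # externally authenticated users without a VSA get no access.
            if not (name == "remote" and login_class == "unauthorized"):
                findings.append(f"{name}: uses built-in class '{login_class}'")
        elif login_class not in defined:
            findings.append(
                f"{name}: class '{login_class}' not defined at [edit system login];"
                " verify it under [edit groups]"
            )
    if len(local_accounts) > 1:
        findings.append(
            "multiple local accounts have an authentication stanza: "
            + ", ".join(sorted(local_accounts))
            + " (a finding unless documented)"
        )
    return findings


if __name__ == "__main__":
    for f in audit_login(parse_junos(SAMPLE_SHOW_SYSTEM_LOGIN)) or ["no findings"]:
        print(f)
```

On the sample, `netops` is flagged for using the built-in super-user class, and `admin` plus `netops` are flagged together because two local accounts carry an authentication stanza; the `remote` template with the unauthorized class is accepted, as the check allows. To run it against a real device, paste the output of `show system login` into the parser in place of the constructed sample.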

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4098

Comments