STIGQter: STIG Summary: Network Device Management Security Requirements Guide, Version 4, Release 1, Benchmark Date: 23 Apr 2021

The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

DISA Rule

SV-237781r663942_rule

Vulnerability Number

V-237781

Group Title

SRG-APP-000177

Rule Version

SRG-APP-000177-NDM-000263

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the network device to use an AAA service account so that the remote AAA broker maps the validated certificate used for PKI-based authentication to a centrally managed, interactive user account.

Alternatively, for organizations that choose to accept the risk and the permanent finding, configure the network device itself to map the validated certificate used for PKI-based authentication to a unique, local, interactive user account.

Check Contents

If PKI-based authentication is not used as the MFA solution for interactive logins, this requirement is not applicable.

If the network device is configured to use an AAA service account, and the AAA broker is configured to map validated certificates to centralized user accounts on behalf of the network device, that satisfies this objective. Because responsibility for meeting the objective is transferred to the AAA broker, this requirement is not applicable to the local network device. This may be verified by demonstration or configuration review.

Verify the network device is configured to map each validated certificate to a unique, centralized user account for all interactive users. If the network device is not configured to map each validated certificate to a unique, centralized user account for all interactive users, this is a finding.

Note: If local user accounts are used on the device, this requirement cannot be met in its entirety and it is a permanent finding. This may be the case where AOs choose to accept the risk of using local accounts on network devices in small, isolated environments where centralized directory services are not available in the infrastructure or are not cost effective to implement and maintain. In such cases, the finding can be mitigated to a CAT III if the network device is configured to map each validated certificate to a unique, local user account for all interactive users.

Note: This requirement is not applicable to the emergency account of last resort nor to service accounts (non-interactive users). Examples of service accounts include those used by remote service brokers such as AAA and syslog servers.
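The property both the fix and the check turn on is that a validated certificate identifies exactly one interactive account, and that no interactive account is reachable from more than one certificate (a many-to-one mapping is a shared account, which defeats individual accountability). The script below is an added example, not part of the SRG or of any vendor's or AAA broker's tooling: it audits a certificate-to-account mapping export against that property, applies the two exemptions the check grants (the account of last resort and service accounts), and classifies the result as the check does (uniqueness broken: CAT I; uniqueness intact but local interactive accounts in use: permanent finding mitigated to CAT III; otherwise no finding). The export format, column names, sample issuer, serials and account names are all constructed for illustration.

```python
"""Audit a certificate-to-account mapping export for SRG-APP-000177-NDM-000263.

The pipe-delimited export format below is hypothetical (constructed for this
example); adapt parse_export() to whatever your device or AAA broker emits.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export. A certificate is identified by issuer CN + serial
# (unique within one CA). scope: centralized (AAA/directory) or local (on-box).
# type: interactive or service.
SAMPLE_EXPORT = """\
# issuer_cn|serial|account|scope|type
EXAMPLE ID CA-01|1A2B3C|jdoe.adm|centralized|interactive
EXAMPLE ID CA-01|1A2B3D|rroe.adm|centralized|interactive
EXAMPLE ID CA-01|1A2B3E|netops|centralized|interactive
EXAMPLE ID CA-01|1A2B3F|netops|centralized|interactive
EXAMPLE ID CA-01|1A2B40|ksmith.adm|centralized|interactive
EXAMPLE ID CA-01|1A2B40|ksmith|centralized|interactive
EXAMPLE ID CA-01|1A2B41|aaa-broker|centralized|service
EXAMPLE ID CA-01|1A2B42|break-glass|local|interactive
"""

# Hypothetical name for the emergency account of last resort (exempt per the note).
EMERGENCY_ACCOUNTS = {"break-glass"}


@dataclass(frozen=True)
class Mapping:
    cert_id: str   # "issuer_cn:SERIAL"
    account: str
    scope: str     # "centralized" | "local"
    kind: str      # "interactive" | "service"


def parse_export(text):
    """Parse the constructed export format; blank lines and '#' comments are skipped."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        issuer, serial, account, scope, kind = (f.strip() for f in line.split("|"))
        mappings.append(Mapping(f"{issuer}:{serial.upper()}", account, scope, kind))
    return mappings


def audit(mappings, emergency_accounts=EMERGENCY_ACCOUNTS):
    """Return (findings, severity).

    severity is "CAT I" when a certificate is ambiguous or an account is shared,
    "CAT III" when uniqueness holds but local interactive accounts are in use
    (permanent finding, mitigated), and None when there is no finding.
    """
    # Service accounts and the account of last resort are out of scope.
    in_scope = [m for m in mappings
                if m.kind == "interactive" and m.account not in emergency_accounts]

    certs_to_accounts = defaultdict(set)
    accounts_to_certs = defaultdict(set)
    for m in in_scope:
        certs_to_accounts[m.cert_id].add(m.account)
        accounts_to_certs[m.account].add(m.cert_id)

    findings = []
    # One certificate resolving to several accounts: the device cannot know who logged in.
    for cert, accts in sorted(certs_to_accounts.items()):
        if len(accts) > 1:
            findings.append(f"ambiguous: certificate {cert} maps to {sorted(accts)}")
    # Several certificates resolving to one account: a shared (group) account.
    for acct, certs in sorted(accounts_to_certs.items()):
        if len(certs) > 1:
            findings.append(f"shared: account {acct} is mapped from {sorted(certs)}")

    if findings:
        return findings, "CAT I"
    if any(m.scope == "local" for m in in_scope):
        findings.append("local interactive accounts in use; permanent finding mitigated to CAT III")
        return findings, "CAT III"
    return findings, None


if __name__ == "__main__":
    result, severity = audit(parse_export(SAMPLE_EXPORT))
    print(f"severity: {severity}")
    for line in result:
        print(" -", line)
```

Run against the constructed sample, the audit reports the `netops` account as shared by two certificates and serial `1A2B40` as ambiguous (mapped to both `ksmith.adm` and `ksmith`), so the device is a CAT I finding; `aaa-broker` and `break-glass` are ignored as exempt. The same logic applies whether the mapping table was pulled from the device's local configuration or from the AAA broker; only the `scope` column changes the outcome when uniqueness already holds.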

Documentable

False

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

2890
