
The available option of Command classes or command screening is NOT being used to limit system privileges


Overview

Finding ID: V-8554
Version: DSN06.07
Rule ID: SV-9051r1_rule
IA Controls: ECLP-1, ECSC-1
Severity: Low
Description
Requirement: The IAO will ensure that devices that are capable of command screening or command classes are configured to use this feature in conjunction with DAC.

Input screening in telecommunications switches is the feature that permits an authorized individual to use one or more command classes. This feature supports DAC requirements and is used for both local and remote administration of the switches.

Most switches use password protection to control access to the operation and configuration of the switch. Most switch designs use levels of privileged access, with password submission and validation at each level, to allow access to the functions of that level. The lowest privilege level would allow user access to perform various routine maintenance tasks or entry of subscriber data. A second level would give access to perform highly important routines, make configuration changes, and change first- and second-level passwords. Changing a second-level password often requires a distinct identification or special password.

Discretionary access control for system administration and maintenance access to the switch or peripheral system commands must be restricted based on the required functions or role of the user where technically feasible. Input command screening can be implemented in switches to further control user access and privileges. To do this, individual commands available in the switch are first assigned a specific command class. Each Administrative/Maintenance user is then assigned a primary function that is associated with a collection of input commands that the system accepts from that specific user.

STIG: Defense Switched Network STIG
Date: 2015-01-02

Details

Check Text (C-7690r1_chk)
Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.
Fix Text (F-7968r1_fix)
Implement processes/procedures, generate documents, and/or adjust configuration(s)/architecture, as necessary to comply with policy.