
The firewall implementation must provide finer-grained allocation of account privileges through the use of separate processing domains.


Overview

Finding ID: SRG-NET-000036-FW-000031
Version: SRG-NET-000036-FW-000031
Rule ID: SRG-NET-000036-FW-000031_rule
IA Controls: (none listed)
Severity: Low
Description
This control applies the concept of least privilege to information system processes. Processes must operate at privilege levels no higher than necessary to accomplish the required function, or unauthorized access to security functionality may result. Providing separate processing domains for finer-grained allocation of account privileges includes the following examples:

(i) Using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine;
(ii) Employing hardware and/or software domain separation mechanisms; and
(iii) Implementing separate physical domains.

One method of accomplishing this is firewall administrator roles: each role is assigned granular access to only the commands needed to perform that role, the commands for each role are executed in separate processing domains, and the domains are separated using one of the methods listed above.
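The role-to-command allocation described above, as an added illustrative model that is not part of the STIG text and not any vendor's firewall code. Each administrator role (the role names, command names and handlers below are constructed for the example) is granted only the commands it needs, and every command runs in a child process that is handed only that role's command table, so the dispatcher's allowlist check and the domain's own restricted table act as two independent layers. The child process stands in for a processing domain; a real deployment would separate domains with one of the mechanisms the description lists (virtual machines, hardware/software domain separation, or separate physical domains). It assumes a POSIX system, since it uses os.fork.

```python
"""Least-privilege firewall administration: per-role command allowlists
executed in separate processing domains (illustrative model)."""
import json
import os

# Constructed command handlers standing in for firewall management API calls.
def show_rules(arg):
    return f"rules matching {arg!r}"

def add_rule(arg):
    return f"added rule {arg!r}"

def show_logs(arg):
    return f"logs since {arg!r}"

COMMANDS = {"show_rules": show_rules, "add_rule": add_rule, "show_logs": show_logs}

# Least privilege: each role names only the commands it needs. No role gets
# the whole table, so compromising an auditor session yields no rule changes.
ROLE_COMMANDS = {
    "rule_admin": frozenset({"show_rules", "add_rule"}),
    "auditor": frozenset({"show_rules", "show_logs"}),
}


def _run_in_domain(allowed, command, arg):
    """Run one command in a child process that is built with only the
    handlers the role may use. Returns the child's JSON status/result."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: this role's processing domain. Build a restricted table so
        # even a bug in the parent's check cannot expose other commands here.
        os.close(read_fd)
        table = {name: COMMANDS[name] for name in allowed}
        try:
            out = {"status": "ok", "result": table[command](arg)}
        except KeyError:
            out = {"status": "denied", "result": None}
        except Exception as exc:  # handler failure stays inside the domain
            out = {"status": "error", "result": str(exc)}
        os.write(write_fd, json.dumps(out).encode())
        os.close(write_fd)
        os._exit(0)
    # Parent: collect the domain's reply and reap the child.
    os.close(write_fd)
    chunks = []
    while True:
        chunk = os.read(read_fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_fd)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks))


def execute(role, command, arg, audit_log):
    """Dispatch a command for a role. Returns the handler result, or None
    when the role is unknown or not granted the command; every decision is
    appended to audit_log so denials are visible to detection."""
    allowed = ROLE_COMMANDS.get(role)
    if allowed is None or command not in allowed:
        audit_log.append(f"DENY role={role} cmd={command}")
        return None
    reply = _run_in_domain(allowed, command, arg)
    audit_log.append(f"{reply['status'].upper()} role={role} cmd={command}")
    return reply["result"] if reply["status"] == "ok" else None


if __name__ == "__main__":
    log = []
    print(execute("auditor", "show_logs", "2012-12-10", log))
    print(execute("auditor", "add_rule", "allow tcp/443", log))  # denied
    print("\n".join(log))
```

The audit log is the piece a reviewer checking this requirement would want to see: a role attempting a command outside its allocation produces a DENY entry at the dispatcher, and a command that somehow reached the wrong domain would still fail there because that domain's table never contained it.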
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000036-FW-000031_chk)
Verify the firewall implementation provides separate processing domains for finer-grained allocation of account privileges.

If the firewall implementation does not provide separate processing domains for finer-grained allocation of account privileges, this is a finding.
Fix Text (F-SRG-NET-000036-FW-000031_fix)
Configure the firewall implementation to provide finer-grained allocation of account privileges through the use of separate processing domains.