Forescout must audit the enforcement actions used to restrict access associated with changes to the device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230948	FORE-NM-000210	SV-230948r615886_rule		Low

Description
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Forescout must only be configures such that only authorized users have access to user profile permissions. All other admins are blocked from access via the console tools and/or web portal based on permissions set on the Edit user profile.

Description

Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Forescout must only be configures such that only authorized users have access to user profile permissions. All other admins are blocked from access via the console tools and/or web portal based on permissions set on the Edit user profile.

STIG	Date
Forescout Network Device Management Security Technical Implementation Guide	2020-12-11

Details

Check Text ( C-33878r603683_chk )
Determine if the network device audits the enforcement actions used to restrict access associated with changes to the device. This requirement may be verified by demonstration, configuration review, or validated test results. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 4. Check user against current SSP and ensure only the users with privileges to make changes have the Least Privilege required permissions. If the network device does not audit the enforcement actions used to restrict access associated with changes to the device, this is a finding.

Check Text ( C-33878r603683_chk )

Determine if the network device audits the enforcement actions used to restrict access associated with changes to the device. This requirement may be verified by demonstration, configuration review, or validated test results.

1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> User Console and Options.
3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
4. Check user against current SSP and ensure only the users with privileges to make changes have the Least Privilege required permissions.

If the network device does not audit the enforcement actions used to restrict access associated with changes to the device, this is a finding.

Fix Text (F-33851r603684_fix)
Remove accounts that are not authorized. Do not remove the account of last resort. Ensure a Least Privilege Permission approach is taken with all accounts created. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 4. Check user against current SSP and ensure only the users that are allowed privileges to make changes have the Least Privilege required permissions. 5. Delete or disable unauthorized users.

Fix Text (F-33851r603684_fix)

Remove accounts that are not authorized. Do not remove the account of last resort. Ensure a Least Privilege Permission approach is taken with all accounts created.

1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> User Console and Options.
3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
4. Check user against current SSP and ensure only the users that are allowed privileges to make changes have the Least Privilege required permissions.
5. Delete or disable unauthorized users.