UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Organizationally defined authorizations must be implemented through organizationally defined separation of duties through use of group memberships.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000034-IDPS-000055 SRG-NET-000034-IDPS-000055 SRG-NET-000034-IDPS-000055_rule Low
Description
The use of AAA affords the best methods for controlling authorization levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege levels establishing what commands and objects the authenticated administrator is authorized to access. This implementation enforces the organization's AAA policy for separation of duties and its responsibility assignments for each administrator. Each account should grant access only to privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. This requirement does not apply to the local accounts defined directly on the IDPS devices that are used for emergency or diagnostic configuration.
STIG Date
IDPS Security Requirements Guide (SRG) 2012-03-08

Details

Check Text ( C-43183_chk )
Examine the configuration of the IDPS.
Verify individual administrators are not directly assigned rights and privileges.
Verify individuals are assigned to security groups and the groups are assigned permissions.
Verify the security groups are managed on the authentication server.

If separation of duties is not implemented through use of group memberships on the authentication server, this is a finding.
Fix Text (F-43183_fix)
Assign all system administrator accounts to groups on the authentication server based on organizationally defined authorizations requirements (e.g., audit administrators group or sensor administrators).
Assign permissions and rights to security groups based on authorizations.
Remove permissions from individual accounts on the authentication server.