Organizationally defined authorizations must be implemented through organizationally defined separation of duties through use of group memberships.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000034-IDPS-000055	SRG-NET-000034-IDPS-000055	SRG-NET-000034-IDPS-000055_rule		Low

Description
The use of AAA affords the best methods for controlling authorization levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege levels establishing what commands and objects the authenticated administrator is authorized to access. This implementation enforces the organization's AAA policy for separation of duties and its responsibility assignments for each administrator. Each account should grant access only to privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. This requirement does not apply to the local accounts defined directly on the IDPS devices that are used for emergency or diagnostic configuration.

Description

The use of AAA affords the best methods for controlling authorization levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege levels establishing what commands and objects the authenticated administrator is authorized to access. This implementation enforces the organization's AAA policy for separation of duties and its responsibility assignments for each administrator. Each account should grant access only to privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. This requirement does not apply to the local accounts defined directly on the IDPS devices that are used for emergency or diagnostic configuration.

STIG	Date
IDPS Security Requirements Guide (SRG)	2012-03-08

Details

Check Text ( C-43183_chk )
Examine the configuration of the IDPS. Verify individual administrators are not directly assigned rights and privileges. Verify individuals are assigned to security groups and the groups are assigned permissions. Verify the security groups are managed on the authentication server. If separation of duties is not implemented through use of group memberships on the authentication server, this is a finding.

Check Text ( C-43183_chk )

Examine the configuration of the IDPS.
Verify individual administrators are not directly assigned rights and privileges.
Verify individuals are assigned to security groups and the groups are assigned permissions.
Verify the security groups are managed on the authentication server.

If separation of duties is not implemented through use of group memberships on the authentication server, this is a finding.

Fix Text (F-43183_fix)
Assign all system administrator accounts to groups on the authentication server based on organizationally defined authorizations requirements (e.g., audit administrators group or sensor administrators). Assign permissions and rights to security groups based on authorizations. Remove permissions from individual accounts on the authentication server.