Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000034-IDPS-000055 | SRG-NET-000034-IDPS-000055 | SRG-NET-000034-IDPS-000055_rule | Low |
Description |
---|
The use of AAA affords the best methods for controlling authorization levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege levels establishing what commands and objects the authenticated administrator is authorized to access. This implementation enforces the organization's AAA policy for separation of duties and its responsibility assignments for each administrator. Each account should grant access only to privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. This requirement does not apply to the local accounts defined directly on the IDPS devices that are used for emergency or diagnostic configuration. |
STIG | Date |
---|---|
IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Check Text ( C-43183_chk ) |
---|
Examine the configuration of the IDPS. Verify individual administrators are not directly assigned rights and privileges. Verify individuals are assigned to security groups and the groups are assigned permissions. Verify the security groups are managed on the authentication server. If separation of duties is not implemented through use of group memberships on the authentication server, this is a finding. |
Fix Text (F-43183_fix) |
---|
Assign all system administrator accounts to groups on the authentication server based on organizationally defined authorizations requirements (e.g., audit administrators group or sensor administrators). Assign permissions and rights to security groups based on authorizations. Remove permissions from individual accounts on the authentication server. |