The Juniper EX switch must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253916	JUEX-NM-000390	SV-253916r879706_rule		Medium

Description
Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. The RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.

Description

Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. The RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.

STIG	Date
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide	2023-03-23

Details

Check Text ( C-57368r843779_chk )
Determine if the network device enforces role-based access control policy over defined subjects and objects. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class { idle-timeout 10; permissions all; deny-commands "^clear (log\|security log)\|^(clear\|show) security alarms alarm-type idp\|^request (security\|system set-encryption-key\|system firmware upgrade re\|system decrypt)\|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike\|ipsec) (policy\|proposal)" "security ipsec ^vpn$ .* manual (authentication\|encryption\|protocol\|spi)" "security log" "system fips self-test after-key-generation" "system (archival\|syslog\|root-authentication\|authentication-order\|master-password)" "system services ssh (protocol-version\|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication\|class)" "system login class [a-zA-Z0-9_-]+ (permissions\|deny-\|allow-)" ]; } class { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log\|security log)\|^show cli authorization"; deny-commands "^clear (security alarms\|system login lockout)\|^file (copy\|delete\|list\|rename\|show)\|^request (security\|system set-encryption-key\|system firmware upgrade re)\|^rollback\|^set date\|^show security (alarms\|dynamic-policies\|match-policies\|policies)\|^start shell\|^request system (decrypt\|halt\|reboot\|software\|zeroize)"; deny-configuration-regexps [ "system (login\|internet-options\|scripts\|services\|time-zone\|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user { uid 2000; class ; authentication { encrypted-password "$6$HEQnJP/W$/QD......5r./"; ## SECRET-DATA } } user { uid 2015; class ; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If role-based access control policy is not enforced over defined subjects and objects, this is a finding.

Check Text ( C-57368r843779_chk )

Determine if the network device enforces role-based access control policy over defined subjects and objects. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class {
idle-timeout 10;
permissions all;
deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ];
}
class {
idle-timeout 10;
permissions [ configure maintenance security system-control trace view-configuration ];
allow-commands "^clear (log|security log)|^show cli authorization";
deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ];
security-role audit-administrator;
}

Example local and template accounts:

user {
uid 2000;
class ;
authentication {
encrypted-password "$6$HEQnJP/W$/QD......5r./"; ## SECRET-DATA
}
}
user {
uid 2015;
class ;
}
Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If role-based access control policy is not enforced over defined subjects and objects, this is a finding.

Fix Text (F-57319r843780_fix)
Configure the network device or its associated authentication server to enforce role-based access control policy over defined subjects and objects. set system login class permissions set system login class deny-commands set system login class deny-configuration-regexps set system login user class