UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper router must be configured to prohibit installation of software without explicit privileged status.


Overview

Finding ID Version Rule ID IA Controls Severity
V-91161 JUNI-ND-001060 SV-101261r1_rule Medium
Description
Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices.
STIG Date
Juniper Router NDM Security Technical Implementation Guide 2019-12-10

Details

Check Text ( C-90315r2_chk )
Review the router configuration to verify that it is compliant with this requirement. The configuration example below depicts a class JR_ENGINEER that is not permitted to add or change software installed on the router.

login {
class JR_ENGINEER {
permissions all;
deny-commands "request system software";
}

Note: The following are the options under request system software:
abort -Abort software upgrade
add -Add extension or upgrade package
delete -Remove extension or upgrade package
rollback -Roll back to previous set of packages
validate -Verify package compatibility with current configuration

If the router is not configured to prohibit installation of software without explicit privileged status, this is a finding.
Fix Text (F-97359r3_fix)
Configure one or more classes as shown in the example below whose users will not be permitted to add or change software installed on the router.

[edit system]
set login class JR_ENGINEER permissions all
set login class JR_ENGINEER deny-commands “(request system software)”

Note: The predefined classes operator and Read-only do not have permissions to install software.