
The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.


Overview

Finding ID: V-223186
Version: JUSX-DM-000025
Rule ID: SV-223186r513253_rule
IA Controls: (none listed)
Severity: Medium
Description
To mitigate the risk of unauthorized privileged access to the device, administrators must be assigned only the privileges needed to perform the tasks assigned to their roles. Although use of an AAA server is required for non-local access for device management, the SRX must also be configured to implement the corresponding privileges upon user login.

Each externally authenticated user is assigned a template that maps to a configured login class. AAA servers are usually configured to send a Vendor Specific Attribute (VSA) to the Juniper SRX, and the device uses this information to determine the login class to assign to the authenticated user. Unless a VSA is returned from the AAA server, externally authenticated users are mapped to the "remote" user by default. The remote user is a special default account in Junos OS. If this default account, or another designated remote user account, is not configured, then only externally authenticated users with a returned VSA naming a local template account are permitted to log in. If the remote user is configured, all externally authenticated users without a returned VSA default to the remote user account's configured login class. All externally authenticated users with a returned VSA inherit the login class configured for the respective template account.

Junos OS provides four built-in login classes: super-user (all permissions), operator (limited permissions), read-only (no change permissions), and unauthorized (prohibits login). Because these classes are not configurable by the system administrator, they should not be used, except for the unauthorized class, which may be used for the remote user to deterministically prohibit logins from externally authenticated users without a returned VSA. Therefore, all template user accounts, and the local account of last resort, should use custom, user-defined login classes.

Externally authenticated users maintain two account names in Junos OS: the user name and the login name. The user name is the local template account name and the login name is the authenticated user's external account name. Junos OS links the names to determine permissions, based upon login class, but uses the external account name for logging. This permits multiple individually authenticated users to be mapped to the same template account, enforcing uniform permissions for each group of administrators while still attributing any logged changes to the appropriate individual user. Template accounts are differentiated from local accounts by the presence of an authentication stanza; only the local account of last resort should have an authentication stanza.
STIG: Juniper SRX SG NDM Security Technical Implementation Guide
Date: 2021-03-25

Details

Check Text (C-24859r513251_chk)
Verify all accounts are assigned a user-defined (not built-in) login class with appropriate permissions configured. If the remote user is configured, it may have a user-defined, or the built-in unauthorized login class.

[edit]
show system login

Junos OS supports groups, which are centrally defined configuration snippets. They allow common configuration to be applied at one or more hierarchy levels without duplicating stanzas. If no login classes are defined at [edit system login], check for an apply-groups statement and verify the appropriate configuration at the [edit groups] level.

[edit]
show groups

If one or more account templates are not defined with an appropriate login class, this is a finding.

If more than one local account has an authentication stanza and is not documented, this is a finding.

Note: Template accounts are differentiated from local accounts by the presence of an authentication stanza.
Fix Text (F-24847r513252_fix)
User accounts, including the account of last resort, must be assigned to a login class.

Configure the class parameters and privileges.

[edit]
set system login class <class-name> idle-timeout 10
set system login class <class-name> permissions <permissions>

Commit for the changes to take effect.

Create and configure template user(s).

[edit]
set system login user <template-name> class <class-name>
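The check and fix text above describe rules that are easy to verify by hand on a small configuration but tedious on a large one. The following Python script is an added example, not part of the STIG or of Junos OS: it embeds a constructed `system login` configuration in `| display set` form that reflects the fix text (two user-defined classes, a remote user on the built-in unauthorized class, template accounts without an authentication stanza, and a single local account of last resort), then applies the check-text rules to it. It assumes the remote template is named `remote` and that the configuration is not spread across `apply-groups`; the class and account names and the password hash are constructed placeholders.

```python
"""Added audit for the JUSX-DM-000025 check: parse a Junos 'system login'
configuration in set format and report template or local accounts that use
a built-in login class, accounts without a class, and more than one local
account carrying an authentication stanza.  Not part of the STIG."""

import shlex

# Login classes built into Junos OS; they cannot be modified, so the STIG
# reserves them (unauthorized excepted, for the remote user).
BUILTIN_CLASSES = {"super-user", "operator", "read-only", "unauthorized"}

# Constructed sample configuration reflecting the fix text: two user-defined
# classes, a remote user that deterministically refuses logins without a VSA,
# two template accounts (no authentication stanza), and a single local account
# of last resort.  The password hash is a placeholder, not a real hash.
COMPLIANT_CONFIG = """\
set system login class admin-ro idle-timeout 10
set system login class admin-ro permissions [ view view-configuration ]
set system login class admin-full idle-timeout 10
set system login class admin-full permissions [ all ]
set system login user remote class unauthorized
set system login user tmpl-ro class admin-ro
set system login user tmpl-admin class admin-full
set system login user emergency class admin-full
set system login user emergency authentication encrypted-password "$6$PLACEHOLDER"
"""

# Same configuration plus two misconfigurations that yield three findings:
# a template on the built-in operator class, and a second local account
# (authentication stanza present) on the built-in super-user class.
NONCOMPLIANT_CONFIG = COMPLIANT_CONFIG + """\
set system login user tmpl-ops class operator
set system login user backup-admin class super-user
set system login user backup-admin authentication encrypted-password "$6$PLACEHOLDER2"
"""


def parse_login_config(text):
    """Return (classes, users): {name: {statement: [value tokens]}} built from
    the 'set system login class ...' and 'set system login user ...' lines."""
    classes, users = {}, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:3] != ["set", "system", "login"] or len(tokens) < 6:
            continue  # not a login statement, or it carries no child statement
        kind, name, stmt, values = tokens[3], tokens[4], tokens[5], tokens[6:]
        if kind == "class":
            classes.setdefault(name, {})[stmt] = values
        elif kind == "user":
            users.setdefault(name, {})[stmt] = values
    return classes, users


def audit_login(classes, users, remote_user="remote"):
    """Apply the check-text rules and return a list of findings (empty = pass)."""
    findings = []
    # Local accounts carry an authentication stanza; template accounts do not.
    local_accounts = sorted(u for u, stmts in users.items() if "authentication" in stmts)
    for user, stmts in users.items():
        cls_tokens = stmts.get("class") or []
        if not cls_tokens:
            findings.append(f"user '{user}' has no login class")
            continue
        cls = cls_tokens[0]
        if cls not in classes and cls not in BUILTIN_CLASSES:
            findings.append(f"user '{user}' references undefined class '{cls}'")
        elif user == remote_user:
            # The remote user may use a user-defined class or built-in 'unauthorized'.
            if cls in BUILTIN_CLASSES and cls != "unauthorized":
                findings.append(f"remote user '{user}' uses built-in class '{cls}'")
        elif cls in BUILTIN_CLASSES:
            kind = "local account" if user in local_accounts else "template account"
            findings.append(f"{kind} '{user}' uses built-in class '{cls}'")
    if len(local_accounts) > 1:
        # A finding unless the extra accounts are documented; that is a manual review.
        findings.append("more than one local account has an authentication stanza: "
                        + ", ".join(local_accounts))
    return findings


def audit_text(text, remote_user="remote"):
    """Convenience wrapper: parse set-format text and audit it."""
    return audit_login(*parse_login_config(text), remote_user=remote_user)


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(f"{label}: {audit_text(cfg) or ['no findings']}")
```

Run the script on the output of `show configuration system login | display set` captured from the device; an empty result means every account has a class, no template or last-resort account sits on a built-in class, and at most one account carries an authentication stanza. The script deliberately does not read `[edit groups]`, so a configuration that relies on apply-groups still needs the manual check described above.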