
The network device must provide finer-grained allocation of account privileges through the use of separate processing domains.


Overview

Finding ID: SRG-NET-000036-NDM-000023
Version: SRG-NET-000036-NDM-000023
Rule ID: SRG-NET-000036-NDM-000023_rule
IA Controls:
Severity: Low
Description
Processes must operate at privilege levels no higher than necessary to accomplish the required function, or unauthorized access to security functionality may result. Providing separate processing domains for finer-grained allocation of account privileges includes the following examples: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains. One method of accomplishing this is through the use of network device administrator roles. Each role is assigned granular access to the commands needed to perform that role. The commands for each role are executed in separate processing domains. Domains are separated using one of the methods discussed above.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000036-NDM-000023_chk)
Verify the network device provides separate processing domains for finer-grained allocation of account privileges.

If the network device does not provide separate processing domains for finer-grained allocation of account privileges, this is a finding.
Fix Text (F-SRG-NET-000036-NDM-000023_fix)
Configure the network device to provide finer-grained allocation of account privileges through the use of separate processing domains.