UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3057 NET0465 SV-15472r3_rule ECSC-1 Medium
Description
By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personell are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.
STIG Date
Perimeter Router Security Technical Implementation Guide Juniper 2016-12-23

Details

Check Text ( C-12938r4_chk )
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties.

If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.

Below is an example configuration with three levels of authorization followed by account templates.

[edit system login]
class tier1 {
idle-timeout 15;
permissions [configure interface network routing snmp system trace view firewall ];
}
class tier2 {
idle-timeout 15;
permissions [admin clear configure interface network reset routing routing-control
snmp snmp-control system system-control trace trace-control view maintenance firewall
firewall-control secret rollback ];
}
class tier3 {
idle-timeout 15;
permissions all;
}

/* This is our local superuser account with a local password. */
user admin {
full-name Administrator;
uid 2000;
class tier3;
authentication {
encrypted-password xxxxxxx;
}
}

/* TACACS templates */
user tier1 {
uid 2001;
class tier1;
}
user tier2 {
uid 2002;
class tier2;
}
user tier3 {
uid 2003;
class tier3;
}

Using the example JUNOS configuration above and TACACS configuration below, when a user is using a template account, the CLI username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account. The CLI username is sent to the authentication server with the correct password. The server returns the local username (i.e., “tier2”) to the JUNOS software as specified in the authentication server (local-user-name for TACACS+, Juniper-Local-User for RADIUS).

user = simon {
.
.
.
.
service = junos-exec {
local-user-name = tier2
allow-commands = "configure"
deny-commands = "shutdown"
}
}

'allow-commands' and 'deny-commands' override permissions of the class of the template that the local-user-name is associated with.
Fix Text (F-3082r5_fix)
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.