Riverbed Optimization System (RiOS) must generate alerts that can be forwarded to the administrators and ISSO when local accounts are created.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62847	RICX-DM-000011	SV-77337r1_rule		Medium

Description
An authorized insider or individual who maliciously creates a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously created. RiOS can be configured to send an SNMP trap to the SNMP server. It also sends a message to the Syslog and the local log. Either of these methods results in an alert that can be forwarded to authorized accounts.

Description

An authorized insider or individual who maliciously creates a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously created. RiOS can be configured to send an SNMP trap to the SNMP server. It also sends a message to the Syslog and the local log. Either of these methods results in an alert that can be forwarded to authorized accounts.

STIG	Date
Riverbed SteelHead CX v8 NDM Security Technical Implementation Guide	2015-11-30

Details

Check Text ( C-63641r1_chk )
Verify that RiOS captures an SNMP trap for user creation events that can be sent to the ISSO and designated administrators by the SNMP server. Navigate to the device CLI Type: show rbm users Verify that the privilege level is correct for each administrator -- or -- Navigate to the device Management Console Navigate to Configure >> Security >> User Permissions Verify that the privilege level is correct for each administrator If the privilege level settings are not in accordance with applicable policy, this is a finding.

Check Text ( C-63641r1_chk )

Verify that RiOS captures an SNMP trap for user creation events that can be sent to the ISSO and designated administrators by the SNMP server.

Navigate to the device CLI
Type: show rbm users

Verify that the privilege level is correct for each administrator

-- or --

Navigate to the device Management Console
Navigate to Configure >> Security >> User Permissions

Verify that the privilege level is correct for each administrator

If the privilege level settings are not in accordance with applicable policy, this is a finding.

Fix Text (F-68765r1_fix)
Configure RiOS to capture an SNMP trap for user creation events that can be sent to the ISSO and designated administrators by the SNMP server. Navigate to the device CLI Type: rbm user role permissions Set the value of username, role, and permissions according to the privilege level of the applicable policy. Type: write memory to save the current configuration settings to memory -- or -- Navigate to the device Management Console Navigate to Configure >> Security >> User Permissions Set the values of "Roles and Permissions" according to the privilege level in accordance with applicable policy Click "Apply" to save the changes Navigate to the top of the web page and click "Save" to write changes to memory

Fix Text (F-68765r1_fix)

Configure RiOS to capture an SNMP trap for user creation events that can be sent to the ISSO and designated administrators by the SNMP server.

Navigate to the device CLI
Type: rbm user role permissions

Set the value of username, role, and permissions according to the privilege level of the applicable policy.

Type: write memory
to save the current configuration settings to memory

-- or --

Navigate to the device Management Console
Navigate to Configure >> Security >> User Permissions

Set the values of "Roles and Permissions" according to the privilege level in accordance with applicable policy

Click "Apply" to save the changes
Navigate to the top of the web page and click "Save" to write changes to memory