Check: AXOS-00-000025
Axonius Federal Systems Ax-OS STIG:
AXOS-00-000025
(in versions v1 r2 through v1 r1)
Title
Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. (Cat II impact)
Discussion
Strong access controls are critical to securing the application server. The application server must employ access control policies (e.g., identity-based, role-based, and attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, and cryptography) to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, and application domains) in the application server. Without stringent logical access and authorization controls, an adversary may have the ability, with little effort, to compromise the application server and associated supporting infrastructure.

Satisfies: SRG-APP-000033, SRG-APP-000158, SRG-APP-000211, SRG-APP-000233, SRG-APP-000340, SRG-APP-000342, SRG-APP-000328, SRG-APP-000380, SRG-APP-000386, SRG-APP-000472, SRG-APP-000473, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735
Check Content
Role-Based Access Control hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured. Select the gear icon (System Settings) >> Access Management >> LDAP & SAML. Depending on the multifactor type configured, under LDAP or SAML, locate "User Assignment Settings". If only one assigned role exists, this is a finding.
Fix Text
Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured. Select the gear icon (System Settings) >> Access Management >> LDAP & SAML. Depending on the multifactor type configured, under LDAP or SAML, locate "User Assignment Settings". Assign two or more roles as defined by the AO and tie them to an LDAP/SAML user or group.
Additional Identifiers
Rule ID: SV-276005r1122665_rule
Vulnerability ID: V-276005
Group Title: SRG-APP-000033
CCIs
| Number | Definition |
|---|---|
| CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| CCI-000778 | Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection. |
| CCI-001082 | Separate user functionality, including user interface services, from system management functionality. |
| CCI-001084 | Isolate security functions from nonsecurity functions. |
| CCI-001774 | Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system. |
| CCI-001813 | Enforce access restrictions using organization-defined mechanisms. |
| CCI-002165 | Enforce organization-defined discretionary access control policies over defined subjects and objects. |
| CCI-002233 | Prevent the organization-defined software from executing at higher privilege levels than users executing the software. |
| CCI-002235 | Prevent non-privileged users from executing privileged functions. |
| CCI-002696 | Verify correct operation of organization-defined security functions. |
| CCI-002699 | Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency. |
| CCI-003638 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects. |
| CCI-003639 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects. |
| CCI-003640 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system's components. |
| CCI-003641 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects. |
| CCI-003642 | Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can change the rules governing access control. |
Controls
| Number | Title |
|---|---|
| AC-3 | Access Enforcement |
| AC-3(4) | Discretionary Access Control |
| AC-6(8) | Privilege Levels for Code Execution |
| AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |
| CM-5(1) | Automated Access Enforcement and Audit Records |
| CM-7(5) | Authorized Software — Allow-by-exception |
| IA-3 | Device Identification and Authentication |
| SC-2 | Separation of System and User Functionality |
| SC-3 | Security Function Isolation |
| SI-6 | Security and Privacy Function Verification |