Check: AXOS-00-000060
Axonius Federal Systems Ax-OS STIG:
AXOS-00-000060
(in version v1 r2)
Title
Ax-OS must have no local accounts for the user interface. (Cat I impact)
Discussion
To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include:
(i) Something you know (e.g., password/PIN);
(ii) Something you have (e.g., cryptographic identification device, token); or
(iii) Something you are (e.g., biometric).
A nonprivileged account is any information system account with authorizations of a nonprivileged user. Network access is any access to an application by a user (or process acting on behalf of a user) that is obtained through a network connection. Applications that integrate with the DOD Active Directory and use the DOD common access card (CAC) are examples of compliant multifactor authentication solutions.
Satisfies: SRG-APP-000150, SRG-APP-000023, SRG-APP-000024, SRG-APP-000025, SRG-APP-000065, SRG-APP-000148, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000178, SRG-APP-000180, SRG-APP-000183, SRG-APP-000318, SRG-APP-000345, SRG-APP-000389, SRG-APP-000391, SRG-APP-000392, SRG-APP-000394, SRG-APP-000395, SRG-APP-000400, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000410, SRG-APP-000427, SRG-APP-000580, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000740, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000880, SRG-APP-000885, SRG-APP-000890
Check Content
Role-Based Access Control hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured.
Select the gear icon (System Settings) >> User and Role Management >> Users.
In the list of users, verify there are no users with "Internal" listed in the Source column.
If there are any users with "Internal" in the Source column that have not been documented and approved by the AO, this is a finding.
If all users with "Internal" in the Source column are documented and approved by the AO, or if no users with "Internal" in the Source column exist, this is not a finding.
Fix Text
Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured.
Select the gear icon (System Settings) >> User and Role Management >> Users.
After Lightweight Directory Access Protocol (LDAP)/Single Sign-On (SSO) has been configured, remove all local users.
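The check above is a manual review of the Users list. For assessors who repeat it across many Ax-OS instances, the following is an added example (not part of the STIG and not Axonius code) that applies the same decision logic to an exported user list. It assumes a CSV export with "Username" and "Source" columns and an AO-maintained list of approved internal accounts; both the column names and the sample rows are constructed for illustration.

```python
"""AXOS-00-000060: flag local ("Internal") UI accounts not approved by the AO."""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export. The column names are an assumption about how a
# Users list might be exported; they are not a documented Ax-OS format.
SAMPLE_EXPORT = """Username,Source,Role
jdoe,SAML,Viewer
breakglass,Internal,Admin
svc_old,Internal,Admin
asmith,LDAP,Viewer
"""

# Accounts the AO has documented and approved as exceptions (constructed).
AO_APPROVED = ["breakglass"]


@dataclass
class CheckResult:
    status: str                                   # "Finding" or "Not a Finding"
    unapproved_internal: list = field(default_factory=list)
    approved_internal: list = field(default_factory=list)


def parse_user_export(text):
    """Return a list of {"username": ..., "source": ...} rows from CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    return [{"username": r["Username"].strip(), "source": r["Source"].strip()}
            for r in reader]


def evaluate_axos_00_000060(users, ao_approved):
    """Apply the STIG's Check Content: any Internal user without AO approval
    is a finding; no Internal users, or only approved ones, is not."""
    approved = {name.casefold() for name in ao_approved}
    internal = [u["username"] for u in users if u["source"] == "Internal"]
    unapproved = sorted(n for n in internal if n.casefold() not in approved)
    approved_hits = sorted(n for n in internal if n.casefold() in approved)
    status = "Finding" if unapproved else "Not a Finding"
    return CheckResult(status, unapproved, approved_hits)


if __name__ == "__main__":
    result = evaluate_axos_00_000060(parse_user_export(SAMPLE_EXPORT), AO_APPROVED)
    print(result.status)
    print("Unapproved Internal users:", result.unapproved_internal)
    print("AO-approved Internal users:", result.approved_internal)
```

With the sample data, svc_old is reported as an unapproved Internal account and the result is a finding; once every Internal account is either removed (per the Fix Text) or on the AO-approved list, the status becomes "Not a Finding".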
Additional Identifiers
Rule ID: SV-276012r1156548_rule
Vulnerability ID: V-276012
Group Title: SRG-APP-000150
CCIs
| Number | Definition |
|---|---|
| CCI-000015 | Support the management of system accounts using organization-defined automated mechanisms. |
| CCI-000016 | Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account. |
| CCI-000017 | Disable accounts when the accounts have been inactive for the organization-defined time-period. |
| CCI-000044 | Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
| CCI-000185 | For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
| CCI-000186 | For public key-based authentication, enforce authorized access to the corresponding private key. |
| CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group. |
| CCI-000206 | Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. |
| CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
| CCI-000766 | Implement multifactor authentication for access to non-privileged accounts. |
| CCI-000804 | Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. |
| CCI-000884 | Protect nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant. |
| CCI-001632 | Protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by either physically separated communications paths or logically separated communications paths based upon encryption. |
| CCI-001941 | Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts. |
| CCI-001953 | Accept Personal Identity Verification-compliant credentials. |
| CCI-001954 | Electronically verify Personal Identity Verification-compliant credentials. |
| CCI-001958 | Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection. |
| CCI-001967 | Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
| CCI-002007 | Prohibit the use of cached authenticators after an organization-defined time period. |
| CCI-002009 | Accept Personal Identity Verification-compliant credentials from other federal agencies. |
| CCI-002010 | Electronically verify Personal Identity Verification-compliant credentials from other federal agencies. |
| CCI-002038 | The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
| CCI-002145 | Enforce organization-defined circumstances and/or usage conditions for organization-defined system accounts. |
| CCI-002238 | Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
| CCI-002470 | Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions. |
| CCI-003627 | Disable accounts when the accounts have expired. |
| CCI-003628 | Disable accounts when the accounts are no longer associated to a user. |
| CCI-003629 | Disable accounts when the accounts are in violation of organizational policy. |
| CCI-003747 | Implement organization-defined mechanisms to authenticate organization-defined remote commands. |
| CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources. |
| CCI-004046 | Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
| CCI-004047 | Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements. |
| CCI-004058 | For password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. |
| CCI-004059 | For password-based authentication, update the list of passwords on an organization-defined frequency. |
| CCI-004060 | For password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. |
| CCI-004061 | For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
| CCI-004062 | For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |
| CCI-004063 | For password-based authentication, require immediate selection of a new password upon account recovery. |
| CCI-004064 | For password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
| CCI-004065 | For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
| CCI-004066 | For password-based authentication, enforce organization-defined composition and complexity rules. |
| CCI-004068 | For public key-based authentication, implement a local cache of revocation data to support path discovery and validation. |
| CCI-004083 | Accept only external credentials that are NIST compliant. |
| CCI-004085 | Conform to organization-defined identity management profiles for identity management. |
| CCI-004192 | Protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. |
| CCI-004901 | Associate organization-defined privacy attributes with information exchanged between systems. |
| CCI-004902 | Associate organization-defined privacy attributes with information exchanged between system components. |
Controls
| Number | Title |
|---|---|
| AC-2(1) | Automated System Account Management |
| AC-2(2) | Automated Temporary and Emergency Account Management |
| AC-2(3) | Disable Accounts |
| AC-2(11) | Usage Conditions |
| AC-7 | Unsuccessful Logon Attempts |
| AC-17(10) | Authenticate Remote Commands |
| IA-2 | Identification and Authentication (Organizational Users) |
| IA-2(2) | Multi-factor Authentication to Non-privileged Accounts |
| IA-2(5) | Individual Authentication with Group Authentication |
| IA-2(6) | Access to Accounts — Separate Device |
| IA-2(8) | Access to Accounts — Replay Resistant |
| IA-2(12) | Acceptance of PIV Credentials |
| IA-3 | Device Identification and Authentication |
| IA-3(1) | Cryptographic Bidirectional Authentication |
| IA-5(1) | Password-based Authentication |
| IA-5(2) | Public Key-based Authentication |
| IA-5(13) | Expiration of Cached Authenticators |
| IA-6 | Authentication Feedback |
| IA-8 | Identification and Authentication (Non-organizational Users) |
| IA-8(1) | Acceptance of PIV Credentials from Other Agencies |
| IA-8(2) | Acceptance of External Authenticators |
| IA-8(4) | Use of Defined Profiles |
| IA-11 | Re-authentication |
| MA-4(4) | Authentication and Separation of Maintenance Sessions |
| SC-16 | Transmission of Security and Privacy Attributes |
| SC-23(5) | Allowed Certificate Authorities |