Check: CACI-ND-000012
Cisco ACI NDM STIG: CACI-ND-000012 (in version v1 r0.1)
Title
The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. (Cat I impact)
Discussion
Successful identification and authentication must not automatically give an entity full access to a Cisco ACI or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.

Security domains allow fabric administrators to expose resources selectively to a set of users and provide those users with the required level of permissions to read and modify those resources. By using security domains, multiple sets of users can share the underlying infrastructure while having separated management access to their resources.

Although out of scope for this STIG, the authentication server will also need to be configured with the security groups or access levels available on the Cisco ACIs and convey that information to the AAA operator of the Cisco ACI. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator will then create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the Cisco ACI. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership.

Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000910-NDM-000300
Check Content
Verify node rules are configured to assign access to each node:
1. On the menu bar, choose Admin >> AAA.
2. In the Navigation pane, click "Security".
3. In the Work pane, select the RBAC Rules tab >> Node Rules subtab >> Actions.
4. View the RBAC Node Rules assigned to ports and domains.

If the Cisco ACI fabric is not configured to assign appropriate user roles or access levels to authenticated users, this is a finding.
Fix Text
Create a Security Domain:
1. On the GUI menu bar, select Admin >> AAA.
2. In the Navigation pane, click "Security".
3. In the Work pane, select the Security Domains tab >> Actions >> Create Security Domain.
4. In the Create Security Domain dialog box, fill out the form:
   - In the Name field, type a name for the security domain.
   - Enter a Description.
   - To set the security domain as a Restricted RBAC Domain, put a check in the Enabled checkbox. If the security domain is configured as a restricted domain, users assigned to this domain cannot view policies, profiles, or users configured by users associated with other security domains.
   - Click "Save".

Create node rules to assign access to each node:
1. On the menu bar, choose Admin >> AAA.
2. In the Navigation pane, click "Security".
3. In the Work pane, select the RBAC Rules tab >> Node Rules subtab >> Actions >> Create RBAC Node Rule.
4. In the Create RBAC Rule for Node screen that is displayed, enter the following details:
   - Click "Select Node ID" to select a node from the drop-down list.
   - To assign an RBAC Rule for a port, click "Add RBAC Rule for Port", enter a name, and associate a domain to the rule by clicking "Select Domain". Click the tick-mark after choosing the domain. More than one RBAC rule can be assigned to the selected port by clicking "Add RBAC Rule for Port" again.
   - Click "Save".

Note: This procedure uses preconfigured rules and privileges. Refer to the vendor documentation to create custom combinations of rules and privileges.
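The GUI steps above verify the configuration by eye. The following added example (not part of the STIG, and not a Cisco tool) shows how an assessor could audit the same user-to-security-domain-to-role assignments from an APIC REST export and compare them with the directory-group mapping described in the Discussion. It assumes the response shape of an APIC class query such as `GET /api/node/class/aaaUser.json?rsp-subtree=full` (an `aaaUser` object with `aaaUserDomain` children, each holding `aaaUserRole` children with a `privType` of `readPriv` or `writePriv`); those class and attribute names, the approved-administrator list and the group mapping are assumptions, and the sample response is constructed for the example.

```python
"""Audit APIC user -> security domain -> role assignments (added example)."""
import json

# Constructed sample of an aaaUser subtree query response. The users, domains
# and roles are made up; the object/attribute names are assumed APIC classes.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "4",
    "imdata": [
        {"aaaUser": {"attributes": {"name": "admin", "accountStatus": "active"},
                     "children": [
                         {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                             {"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "netops1", "accountStatus": "active"},
                     "children": [
                         {"aaaUserDomain": {"attributes": {"name": "tenant-a"}, "children": [
                             {"aaaUserRole": {"attributes": {"name": "tenant-admin", "privType": "writePriv"}}}]}},
                         {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                             {"aaaUserRole": {"attributes": {"name": "read-all", "privType": "readPriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "contractor7", "accountStatus": "active"},
                     "children": [
                         {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                             {"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}}]}}]}},
        {"aaaUser": {"attributes": {"name": "orphan", "accountStatus": "active"},
                     "children": []}},
    ],
})

# Assumed mapping from directory-service groups to ACI (domain, role, privType),
# the kind of table the Discussion says the AAA operator maintains.
GROUP_MAP = {
    "ACI-Fabric-Admins": ("all", "admin", "writePriv"),
    "ACI-TenantA-Admins": ("tenant-a", "tenant-admin", "writePriv"),
    "ACI-ReadOnly": ("all", "read-all", "readPriv"),
}


def parse_user_assignments(response_text):
    """Return {user: {domain: [(role, privType), ...]}} from an aaaUser subtree query."""
    assignments = {}
    for item in json.loads(response_text).get("imdata", []):
        if "aaaUser" not in item:
            continue
        user = item["aaaUser"]
        domains = {}
        for child in user.get("children", []):
            if "aaaUserDomain" not in child:
                continue
            dom = child["aaaUserDomain"]
            roles = []
            for grand in dom.get("children", []):
                if "aaaUserRole" in grand:
                    attrs = grand["aaaUserRole"]["attributes"]
                    roles.append((attrs["name"], attrs.get("privType", "readPriv")))
            domains[dom["attributes"]["name"]] = roles
        assignments[user["attributes"]["name"]] = domains
    return assignments


def expected_assignments(directory_groups, group_map=GROUP_MAP):
    """Derive the {domain: [(role, privType)]} a user should hold from their groups."""
    expected = {}
    for group in directory_groups:
        if group in group_map:
            domain, role, priv = group_map[group]
            expected.setdefault(domain, []).append((role, priv))
    return expected


def audit_assignments(assignments, approved_fabric_admins):
    """Flag users with no security domain, and users holding write-level 'admin'
    in the fabric-wide 'all' domain who are not on the approved list."""
    findings = []
    for user, domains in sorted(assignments.items()):
        if not domains:
            findings.append((user, "no security domain assigned"))
            continue
        for role, priv in domains.get("all", []):
            if role == "admin" and priv == "writePriv" and user not in approved_fabric_admins:
                findings.append((user, "fabric-wide admin write access not approved"))
    return findings


def drift(assignments, user, directory_groups):
    """Return (extra, missing) domains/roles versus what the group mapping predicts."""
    actual = {(d, r, p) for d, roles in assignments.get(user, {}).items() for r, p in roles}
    wanted = {(d, r, p) for d, roles in expected_assignments(directory_groups).items() for r, p in roles}
    return sorted(actual - wanted), sorted(wanted - actual)


if __name__ == "__main__":
    found = parse_user_assignments(SAMPLE_RESPONSE)
    for user, reason in audit_assignments(found, approved_fabric_admins={"admin"}):
        print(f"FINDING {user}: {reason}")
    print("netops1 drift:", drift(found, "netops1", ["ACI-TenantA-Admins"]))
```

In practice the response text would come from an authenticated APIC session rather than the constructed sample, and the approved-administrator set and group map would be the organization's own records. The audit reports the two conditions the rule is concerned with: a user who authenticates but has no security domain at all, and a user holding fabric-wide write access that the organization has not approved; `drift` shows where a user's actual ACI assignment diverges from what their directory groups should produce.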
Additional Identifiers
Rule ID: SV-271927r1067361_rule
Vulnerability ID: V-271927
Group Title: SRG-APP-000033-NDM-000212
CCIs
Number | Definition
---|---
CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group.
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
CCI-002169 | Enforce a role-based access control policy over defined subjects and objects based upon organization-defined roles and users authorized to assume such roles.
CCI-004909 | Include only approved trust anchors in trust stores or certificate stores managed by the organization.