Check: CACI-ND-000012
Cisco ACI NDM STIG:
CACI-ND-000012
(in version v1 r1)
Title
The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. (Cat I impact)
Discussion
Successful identification and authentication must not automatically give an entity full access to a Cisco ACI or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.

Security domains allow fabric administrators to expose resources selectively to a set of users and provide those users with the required level of permissions to read and modify those resources. By using security domains, multiple sets of users can share the underlying infrastructure while having separated management access to their resources.

Although out of scope for this STIG, the authentication server will also need to be configured with the security groups or access levels available on the Cisco ACIs and convey that information to the AAA operator of the Cisco ACI. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator will then create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the Cisco ACI. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership.

Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000910-NDM-000300
Check Content
Verify users are assigned roles based on the SSP. This requirement does not apply to the account of last resort.

1. From the GUI, navigate to Admin >> AAA >> Security Management >> Roles, or have the site demonstrate the method used for role and privilege separation.
2. Verify that the roles associated with users comply with the roles and privileges required by the SSP. Read and write access rights must match the level of granularity required by the SSP.

If any user, group, or service account is assigned to a role with privileges beyond those required and authorized by the organization, this is a finding.
Fix Text
View the SSP to determine the required organization-defined roles and the least-privilege policy for each role (for example, audit administrator, crypto administrator, system administrator). Assign remote users to roles based on the SSP and least privilege, and carefully assign capabilities to each role based on the SSP role assignments. A remote authentication server is required, but roles are created, deleted, and associated with access privileges to nodes and resources on the APIC.

To create or modify a role with reduced permissions:
1. From the GUI, navigate to Admin >> AAA >> Security Management >> Roles.
2. Create custom roles with the appropriate privileges (e.g., read-write access to specific objects).
3. Associate users with these roles so they can perform only the specific tasks required within the ACI fabric.

Note: This procedure may use preconfigured rules and privileges. Security domains, rules, and custom roles may also be used depending on the desired architecture and complexity of the implementation. Refer to the vendor documentation to create custom rules, privilege combinations, and security domains. These roles are assigned to remote users in the external authentication server.
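The check and fix above are GUI procedures; on a fabric with more than a handful of accounts the same comparison is easier to do against the APIC REST API. The following Python is an example added for this page, not code from Cisco or DISA. It assumes the object shape the APIC returns for GET /api/class/aaaUser.json?rsp-subtree=full (aaaUser, with child aaaUserDomain objects, each holding aaaUserRole children whose privType is readPriv or writePriv) and that a custom role is an aaaRole whose priv attribute is a comma-separated privilege list under uni/userext/role-<name>; the sample response, the SSP allow-list, and the role and user names are all constructed for illustration.

```python
"""Audit APIC local user role assignments against an SSP allow-list.

Added example for CACI-ND-000012; not Cisco or DISA code. The JSON shape
(aaaUser -> aaaUserDomain -> aaaUserRole) is assumed from the APIC object
model; fetch it with GET /api/class/aaaUser.json?rsp-subtree=full after
POST /api/aaaLogin.json. The response below is constructed, not captured.
"""
import json

# Constructed sample of an APIC response for aaaUser with full subtree.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"aaaUser": {"attributes": {"name": "auditor1"}, "children": [
            {"aaaUserDomain": {"attributes": {"name": "all"}, "children": [
                {"aaaUserRole": {"attributes": {"name": "aaa", "privType": "readPriv"}}},
                # Excess assignment: a read-only auditor holding admin/write.
                {"aaaUserRole": {"attributes": {"name": "admin", "privType": "writePriv"}}},
            ]}},
        ]}},
        {"aaaUser": {"attributes": {"name": "tenant-ops"}, "children": [
            {"aaaUserDomain": {"attributes": {"name": "tenantA"}, "children": [
                {"aaaUserRole": {"attributes": {"name": "tenant-admin", "privType": "writePriv"}}},
            ]}},
        ]}},
    ],
})

# Hypothetical SSP allow-list: user -> set of (security domain, role, privType).
SSP_ALLOWED = {
    "auditor1": {("all", "aaa", "readPriv")},
    "tenant-ops": {("tenantA", "tenant-admin", "writePriv")},
}

# The check exempts the account of last resort; "admin" is assumed here.
ACCOUNT_OF_LAST_RESORT = {"admin"}


def parse_assignments(response_json):
    """Return {user: {(domain, role, privType), ...}} from the aaaUser subtree."""
    assignments = {}
    for item in json.loads(response_json)["imdata"]:
        user = item["aaaUser"]
        triples = set()
        for child in user.get("children", []):
            domain = child.get("aaaUserDomain")
            if domain is None:
                continue
            dname = domain["attributes"]["name"]
            for grandchild in domain.get("children", []):
                role = grandchild.get("aaaUserRole")
                if role is not None:
                    attrs = role["attributes"]
                    triples.add((dname, attrs["name"], attrs["privType"]))
        assignments[user["attributes"]["name"]] = triples
    return assignments


def find_excess(assignments, allowed, exempt=ACCOUNT_OF_LAST_RESORT):
    """Return {user: set of (domain, role, privType) not authorised by the SSP}."""
    findings = {}
    for user, triples in assignments.items():
        if user in exempt:
            continue
        excess = triples - allowed.get(user, set())
        if excess:
            findings[user] = excess
    return findings


def role_payload(name, privs):
    """Body for POST /api/mo/uni/userext/role-<name>.json creating a custom
    aaaRole carrying only the listed privileges (comma-separated 'priv')."""
    return {"aaaRole": {"attributes": {"name": name, "priv": ",".join(sorted(privs))}}}


if __name__ == "__main__":
    found = find_excess(parse_assignments(SAMPLE_RESPONSE), SSP_ALLOWED)
    for user, excess in found.items():
        print(f"FINDING: {user} holds unauthorised assignment(s): {sorted(excess)}")
    print(json.dumps(role_payload("audit-ro", ["aaa", "access-connectivity-l1"])))
```

This only covers users defined locally on the APIC. Remote users receive their domain and role assignments from the external AAA server (Cisco documents this as the shell:domains AV pair), so for them the same comparison has to be run against the group-to-role mapping on that server, as the Discussion notes.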
Additional Identifiers
Rule ID: SV-271927r1114337_rule
Vulnerability ID: V-271927
Group Title: SRG-APP-000033-NDM-000212
CCIs
Number | Definition
---|---
CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group.
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
CCI-002169 | Enforce a role-based access control policy over defined subjects and objects based upon organization-defined roles and users authorized to assume such roles.
CCI-004909 | Include only approved trust anchors in trust stores or certificate stores managed by the organization.