An error occurred:

Check: CACI-ND-000014

Cisco ACI NDM STIG: CACI-ND-000014 (in version v1 r0.1)

Title

The Cisco ACI must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. (Cat II impact)

Discussion

Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. In the initial configuration script for the Cisco ACI, the admin account is configured and the admin is the only user when the system starts. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.

Check Content

Verify only the local site designated account of last resort is present: 1. In the GUI menu bar, navigate to Admin >> AAA. 2. In the navigation pane, click "Users". 3. In the Work pane, click "View the Local Users" tab. If local accounts other than the account of last resort are present, this is a finding.

Fix Text

Remove accounts that are not the account of last resort: 1. In the GUI menu bar, navigate to Admin >> AAA. 2. In the navigation pane, click "Users". 3. In the Work pane, click "View the Local Users" tab. 4. Select any unauthorized user accounts that are not the account of last resort and deactivate the user account by using the Account Status control.

Additional Identifiers

Rule ID: SV-271929r1064324_rule

Vulnerability ID: V-271929

Group Title: SRG-APP-000148-NDM-000346

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001358

Establish privileged user accounts in accordance with a role-based access scheme; or an attribute-based access scheme.
CCI-002111

The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-2

Account Management
AC-2(7)

Role-based Schemes