Title

If the network device uses role-based access control, Forescout must enforce organization-defined, role-based access control policies over defined subjects and objects. (Cat II impact)

Discussion

Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. Forescout has three predefined user roles: Admin, Web Access, and Console User. The Admin role has access to all data and management functions. By default, the Console role has access to the management console and the Web role has access to the view-only portal. However, both roles may be assigned one or more permissions, each with its own set of privileges to the data and functions.

Check Content

Check the administrative accounts assigned to each role are documented within the SSP and have been configured correctly with least privilege. 1. Log on to Forescout UI. 2. Select Tools >> Options >> CounterACT User Profiles. 3. Select username >> Edit >> Permissions. Check the SSP against created users and ensure least privilege has been configured properly. Options include Custom accounts for Console Access and Web Access. Each access account is then further established with permissions based on the user's authorizations. If Forescout does not enforce organization-defined, role-based access control policies over defined subjects and objects, this is a finding.

Fix Text

Login to Forescout UI. 1. Select Tools >> Options >> CounterACT User Profiles. 2. Select username >> Edit >> Permissions. Check the SSP against created users and ensure least privilege has been configured properly. Options include Custom accounts for Console Access and Web Access. Each access account is then further established with permissions based on the user's authorizations.

Additional Identifiers

Rule ID: SV-230954r616548_rule

Vulnerability ID: V-230954

Group Title: SRG-APP-000329-NDM-000287

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.