An error occurred:

Check: FORE-NM-000210

Forescout Network Device Management STIG: FORE-NM-000210 (in version v1 r1)

Title

Forescout must audit the enforcement actions used to restrict access associated with changes to the device. (Cat III impact)

Discussion

Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Forescout must only be configures such that only authorized users have access to user profile permissions. All other admins are blocked from access via the console tools and/or web portal based on permissions set on the Edit user profile.

Check Content

Determine if the network device audits the enforcement actions used to restrict access associated with changes to the device. This requirement may be verified by demonstration, configuration review, or validated test results. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 4. Check user against current SSP and ensure only the users with privileges to make changes have the Least Privilege required permissions. If the network device does not audit the enforcement actions used to restrict access associated with changes to the device, this is a finding.

Fix Text

Remove accounts that are not authorized. Do not remove the account of last resort. Ensure a Least Privilege Permission approach is taken with all accounts created. 1. Log on to the Forescout Administrator UI with admin or operator credentials. 2. From the menu, select Tools >> Options >> User Console and Options. 3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions. 4. Check user against current SSP and ensure only the users that are allowed privileges to make changes have the Least Privilege required permissions. 5. Delete or disable unauthorized users.

Additional Identifiers

Rule ID: SV-230948r615886_rule

Vulnerability ID: V-230948

Group Title: SRG-APP-000381-NDM-000305

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001814

The Information system supports auditing of the enforcement actions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-5 (1)

Automated Access Enforcement / Auditing