Title

The Juniper EX switch must be configured to enforce access restrictions associated with changes to the system components. (Cat II impact)

Discussion

Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, firewall filters, and policy filters.

Check Content

Check the network device to determine if only authorized administrators have permissions for changes, deletions and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user <account of last resort> { uid 2000; class <name>; authentication { encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA } } user <account name> { uid 2015; class <name-1>; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If unauthorized users are allowed to change the hardware or software, this is a finding.

Fix Text

Configure the network device to enforce access restrictions associated with changes to the system components. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system login user <account name> class <name>

Additional Identifiers

Rule ID: SV-253940r879887_rule

Vulnerability ID: V-253940

Group Title: SRG-APP-000516-NDM-000335

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.