Check: JUEX-NM-000460
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000460
(in versions v1 r5 through v1 r1)
Title
The Juniper EX switch must be configured to enforce access restrictions associated with changes to device configuration. (Cat II impact)
Discussion
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device can potentially have significant effects on the overall security of the device. Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Check Content
Determine if the network device enforces access restrictions associated with changes to device configuration. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Configuration changes require permissions sets appropriate for each stanza. For example, the "system" bit permits one to view [edit system] and the "system-control" bit permits editing (add, delete, modify). Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user <account of last resort> { uid 2000; class <name>; authentication { encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA } } user <account name> { uid 2015; class <name-1>; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If the network device does not enforce such access restrictions, this is a finding.
Fix Text
Configure the network device to enforce access restrictions associated with changes to device configuration. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system login user <account name> class <name>
Additional Identifiers
Rule ID: SV-253923r879753_rule
Vulnerability ID: V-253923
Group Title: SRG-APP-000380-NDM-000304
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001783 |
The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system. |
CCI-001813 |
The information system enforces access restrictions. |