Check: RINP-DM-000029
Riverbed NetProfiler STIG (in version v1 r1)
Title
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles. (Cat I impact)
Discussion
The lack of role-based access control could result in the immediate compromise of and unauthorized access to sensitive information. Additionally, without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or assert nonrepudiation is lost. Individual accountability mandates that each administrator is uniquely identified. For public key infrastructure (PKI)-based authentication, the device must be configured to map validated certificates to unique user accounts. This requirement applies to accounts or roles created and managed on or by the network device.

Satisfies: SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000033-NDM-000212
Check Content
Review the site's System Security Plan (SSP) to determine which personnel are assigned to each NetProfiler role. Go to Administration >> Account Management >> User Accounts. Go to the Roles-Attributes Mapping section of the RADIUS, TACACS+, or SAML tab of the Configuration >> Account Management >> Remote Authentication page. If account roles are not configured, or if the roles assigned do not match the site's SSP, this is a finding.
Fix Text
Although all individual admin accounts must be configured on an authentication server, the NetProfiler must be configured to point to a PKI-based authentication server and the NetProfiler roles must be mapped to the authorization attributes on the authentication server. The following is an example using RADIUS. Refer to the user's guide for instructions for TACACS+ or SAML.

Users who do not have a NetProfiler or NetExpress account must have both their authentication information (login name, password) and authorization information (user role indicated by the value of the Class attribute or the Cascade-User-Role attribute) specified on the RADIUS server. The values of the RADIUS authorization attributes must be mapped to their corresponding user roles on NetProfiler or NetExpress. The values on the RADIUS server and the values on NetProfiler or NetExpress must match for the user to be logged on.

To map the NetProfiler or NetExpress user roles to RADIUS authorization attributes:

1. Click "Edit" in the Roles-Attributes Mapping section of the RADIUS tab of the Configuration >> Account Management >> Remote Authentication page.
2. For the first user role, click "Add new attribute" to display an edit box.
3. Select the RADIUS authorization attribute (Class or Cascade-User-Role). (If assigning the Restricted user account role, use the Restricted-Filter attribute to limit the account to traffic specified by traffic expressions. Refer to the in-product help system for additional information about Restricted user accounts.)
4. Enter the value of the attribute that is required for a RADIUS-authorized user to be logged on in this user role.
5. If applicable, click "Add new attribute" to add another mapping.
6. Continue with the next user role that is to be authorized by RADIUS.
7. When the RADIUS authorization attributes have been mapped to their corresponding NetProfiler user roles, click "Save".
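The mapping the Fix Text describes is a lookup from a RADIUS authorization attribute value (Class or Cascade-User-Role) to a NetProfiler role, with the rule that a user whose reply matches no configured value is not logged on; the Check Content then compares the configured roles with the site's SSP. The following Python models both, as an added example that is not part of the STIG and not Riverbed's code. The attribute names come from the page; the role names other than "Restricted", the attribute values, and the decision to refuse a reply that matches more than one role are assumptions made for this example.

```python
"""Added example, not from the STIG or from Riverbed: a small model of the
Roles-Attributes Mapping described in the Fix Text, plus the comparison
against the site's SSP that the Check Content asks for.

Assumptions (not stated on the page): the role names other than
"Restricted", the attribute values, and the fail-closed handling of
ambiguous matches are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# RADIUS authorization attributes named on the page.
ROLE_ATTRIBUTES = ("Class", "Cascade-User-Role")


@dataclass
class RoleMapping:
    """Role -> list of (attribute, required value) pairs, as entered in the
    Roles-Attributes Mapping section. Any matching pair authorizes the role."""
    rules: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)

    def add(self, role: str, attribute: str, value: str) -> None:
        if attribute not in ROLE_ATTRIBUTES:
            raise ValueError(f"unsupported authorization attribute: {attribute}")
        self.rules.setdefault(role, []).append((attribute, value))

    def authorize(self, radius_reply: Dict[str, List[str]]) -> Optional[str]:
        """Return the NetProfiler role a RADIUS Access-Accept reply maps to.

        The reply is modelled as attribute name -> list of values (RADIUS
        allows an attribute to repeat). No matching value means the user is
        not logged on (None). A reply matching more than one role is also
        refused here; that is an assumption of this model, since the page
        does not say how the product resolves it.
        """
        matched = set()
        for role, pairs in self.rules.items():
            for attribute, required in pairs:
                if required in radius_reply.get(attribute, []):
                    matched.add(role)
        return matched.pop() if len(matched) == 1 else None


def build_example_mapping() -> RoleMapping:
    """Constructed mapping: the values are examples, not Riverbed defaults."""
    mapping = RoleMapping()
    mapping.add("Administrator", "Class", "netprofiler-administrator")
    mapping.add("Operator", "Cascade-User-Role", "operator")
    mapping.add("Restricted", "Cascade-User-Role", "restricted")
    return mapping


def check_against_ssp(mapping: RoleMapping, ssp_roles: Set[str]) -> List[str]:
    """Model of the STIG check: every role the SSP assigns must be mapped, and
    nothing outside the SSP may be mapped. An empty list means no finding."""
    if not mapping.rules:
        return ["no account roles are mapped to RADIUS authorization attributes"]
    configured = set(mapping.rules)
    findings = [f"role {r!r} is assigned in the SSP but has no attribute mapping"
                for r in sorted(ssp_roles - configured)]
    findings += [f"role {r!r} is mapped but not assigned in the SSP"
                 for r in sorted(configured - ssp_roles)]
    return findings


if __name__ == "__main__":
    mapping = build_example_mapping()
    # Constructed RADIUS replies; the third carries a Class value issued for
    # some other application, which must not grant any NetProfiler role.
    replies = [
        {"Class": ["netprofiler-administrator"]},
        {"Cascade-User-Role": ["operator"]},
        {"Class": ["some-other-application"]},
        {},
    ]
    for reply in replies:
        print(reply, "->", mapping.authorize(reply) or "not logged on")
    print(check_against_ssp(mapping, {"Administrator", "Operator", "Restricted"}))
    print(check_against_ssp(mapping, {"Administrator", "Operator"}))
```

The point of the model is the fail-closed behaviour the text requires: a Class value handed out for a different application, or an empty reply, yields no role at all rather than a default one, and `check_against_ssp` reports a finding in both directions (an SSP role left unmapped, or a mapping the SSP never authorised), which is what the reviewer compares during the check.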
Additional Identifiers
Rule ID: SV-256079r882745_rule
Vulnerability ID: V-256079
Group Title: SRG-APP-000153-NDM-000249
CCIs
Number | Definition
---|---
CCI-000163 | The information system protects audit information from unauthorized modification.
CCI-000164 | The information system protects audit information from unauthorized deletion.
CCI-000166 | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000187 | The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000366 | The organization implements the security configuration settings.
CCI-000370 | The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
CCI-001493 | The information system protects audit tools from unauthorized access.
CCI-001494 | The information system protects audit tools from unauthorized modification.
CCI-001495 | The information system protects audit tools from unauthorized deletion.
CCI-002169 | The information system enforces a role-based access control policy over defined subjects and objects.
Controls
Number | Title
---|---
AC-3 | Access Enforcement
AC-3 (7) | Role-Based Access Control
AU-9 | Protection Of Audit Information
AU-10 | Non-Repudiation
CM-6 | Configuration Settings
CM-6 (1) | Automated Central Management / Application / Verification
IA-2 | Identification And Authentication (Organizational Users)
IA-2 (5) | Group Authentication
IA-5 (2) | PKI-Based Authentication