Check: DSN06.07
Defense Switched Network (DSN) STIG:
DSN06.07
(in versions v2 r8 through v2 r7)
Title
The available option of Command classes or command screening is NOT being used to limit system privileges (Cat III impact)
Discussion
Requirement: The IAO will ensure that devices that are capable of command screening or command classes are configured to use this feature in conjunction with DAC. Input screening in telecommunications switches is the feature that permits an authorized individual to use one or more command classes. This feature supports DAC requirements and is used for both local and remote administration of the switches. Most switches utilize user password protection to access the operation and configuration of the switch. Most switch designs utilize levels of privileged access, each using password submission and validation at each level, to allow access to that particular function. The lowest privilege level would allow user access to perform various routine maintenance tasks or entry of subscriber data. A second level would give access to perform highly important routines, configuration changes, and change capability of first and second level passwords. Changing a second level password often requires a distinct identification or special password. Discretionary access control for system administration and maintenance access to the switch or peripheral system commands must be restricted based on the required functions or role of the user where technically feasible. Input command screening can be implemented in switches to further control user access and privileges. To do this, individual commands available in the switch are first assigned a specific command class. Each Administrative/Maintenance user is then assigned a primary function that is associated with a collection of input commands that the system accepts from that specific user.
Check Content
Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.
Fix Text
Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.
Additional Identifiers
Rule ID: SV-9051r1_rule
Vulnerability ID: V-8554
Group Title: Command classes or command screening NOT used
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |