Administrators in the role of either Security Administrator or Cryptographic Administrator must not also have the role of Audit Administrator.

From Palo Alto Networks NDM Security Technical Implementation Guide

Part of SRG-APP-000267-NDM-000273

Associated with: CCI-001314

SV-77235r1_rule Administrators in the role of either Security Administrator or Cryptographic Administrator must not also have the role of Audit Administrator.

Vulnerability discussion

The Palo Alto Networks security platform has both pre-configured and configurable Administrator roles. Administrator roles determine the functions that the administrator is permitted to perform after logging in. Roles can be assigned directly to an administrator account, or role profiles, which specify detailed privileges, can be defined and assigned to administrator accounts. There are three preconfigured roles designed to comply with Common Criteria requirements - Security Administrator, Audit Administrator, and Cryptographic Administrator. Of the three, only the Audit Administrator can delete audit records. The Palo Alto Networks security platform can use both pre-configured and configurable Administrator roles.

Check content

If the Palo Alto Networks security platform has any accounts where the same person is in the role of both Security Administrator and Cryptographic Administrator, this is a finding. Note: Each account can only have one role, but individuals, either accidentally or intentionally, may have more than one account.

Fix text

Do not assign or configure more than one account to the same Administrator.
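
Because each account carries only one role, the check comes down to mapping accounts to the people who own them. The following is an added example, not part of the STIG or of any Palo Alto Networks tooling: it assumes a constructed CSV inventory whose `owner` column comes from the organization's own identity records, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Role names as given in the STIG text.
AUDIT = "Audit Administrator"
PRIVILEGED = {"Security Administrator", "Cryptographic Administrator"}

# Constructed sample inventory: account and role as listed on the device,
# owner taken from the organization's identity records (an assumption,
# because the device itself only knows one role per account).
SAMPLE_INVENTORY = """account,role,owner
jsmith-sec,Security Administrator,J. Smith
jsmith-aud,Audit Administrator,J. Smith
mlee-crypto,Cryptographic Administrator,M. Lee
mlee-sec,Security Administrator,M. Lee
rpatel-aud,Audit Administrator,R. Patel
"""

def load_inventory(text):
    """Group (account, role) pairs by the person who owns them."""
    by_owner = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        owner = row["owner"].strip().casefold()  # normalize name spelling
        by_owner[owner].append((row["account"].strip(), row["role"].strip()))
    return by_owner

def review(text):
    """Return (role_conflicts, multi_account), keyed by normalized owner.

    role_conflicts: owners holding Audit Administrator together with
                    Security or Cryptographic Administrator (the rule title).
    multi_account:  owners with more than one account (the fix text).
    """
    role_conflicts, multi_account = {}, {}
    for owner, accounts in load_inventory(text).items():
        roles = {role for _, role in accounts}
        if len(accounts) > 1:
            multi_account[owner] = sorted(accounts)
        if AUDIT in roles and roles & PRIVILEGED:
            role_conflicts[owner] = sorted(accounts)
    return role_conflicts, multi_account

if __name__ == "__main__":
    conflicts, multi = review(SAMPLE_INVENTORY)
    for owner, accounts in multi.items():
        tag = "AUDIT CONFLICT" if owner in conflicts else "multiple accounts"
        print(f"{owner}: {tag}: {accounts}")
```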
