AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization.
From Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide
Part of SRG-APP-000329-AAA-000190
Associated with:
CCI-002169
SV-95559r1_rule
AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization.
Vulnerability discussion
RBAC is an access control policy that restricts information system access to authorized users. Without these security policies, access control and enforcement mechanisms will not prevent unauthorized access.Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control.
Check content
Verify AAA Services are configured to use RBAC policy for levels of access authorization. Confirm the RBAC groups have tiered privileges, and users are in the appropriate groups. In the following TACACS+ example the user (test-user) is a member of the group “test-group”.
$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u user-test
User Profile Information
user = test-user{
profile_id = 66
profile_cycle = 1
member = test-group
password = des "********"
}
Below is an example of CiscoSecure TACACS+ server defining the privilege level.
user = test-user{
password = clear "xxxxx"
service = shell {
set priv-lvl = 7
}
}
If AAA Services are not configured to use RBAC policy for levels of access authorization, this is a finding.
Fix text
Configure AAA Services to use RBAC policy for levels of access authorization. Configure AAA Services with standard accounts and assign them to privilege levels that meet their job description.
Pro Tips
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer