The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.

From Network Devices Security Technical Implementation Guide

Part of AAA server is not configured to use tier groups

SV-32517r1_rule The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.

Vulnerability discussion

The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices from unauthorized access. Protecting access to the user interfaces on your network devices prevents unauthorized users from making configuration changes that can disrupt the stability of your network or compromise your network security.

Check content

Review the AAA server implemented and determine if user profiles are members of a group. Determine if the groups have different privileges and the users are in the appropriate groups. In the following TACACS example the user (rtr-test) is a member of the group “rtr-basic”. $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test User Profile Information user = rtr_test{ profile_id = 66 profile_cycle = 1 member = rtr_basic password = des "********" } Below is an example of CiscoSecure TACACS+ server defining the privilege level. user = junior-engineer1 { password = clear "xxxxx" service = shell { set priv-lvl = 7 } }

Fix text

The administrator will configure the authentication server with standard accounts and assign them to privilege levels that meet their job description

Pro Tips

Powered by sagemincer