The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.

From Juniper SRX SG NDM Security Technical Implementation Guide

Part of SRG-APP-000378-NDM-000302

Associated with: CCI-001812

SV-80975r1_rule The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.

Vulnerability discussion

Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices.For example audit admins and the account of last resort are not allowed to perform this task.

Check content

To verify role-based access control has been configured, view the settings for each login class defined. [edit] show system login View all login classes to see which roles are assigned the "Maintenance" or "request system software add" permissions. If login classes for user roles that are not authorized to install and update software are configured, this is a finding.

Fix text

Configure the Juniper SRX to allow only the ISSM user account (or administrators/roles appointed by the ISSM) to select which auditable events are to be audited. To ensure this is the case, each ISSM-appointed role on the AAA must be configured for least privilege using the following stanzas for each role. [edit] show system login Use the delete command or retype the command to remove the permission "Maintenance" or "request system software add" from any class that is not authorized to upgrade software on the device. An explicitly Deny for the command "request system software add" can also be used if some Maintenance commands are permitted.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer