From Infrastructure Router Security Technical Implementation Guide Juniper
Part of Accounts assigned least privileges necessary to perform duties.
By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personell are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding. Below is an example configuration with three levels of authorization followed by account templates. [edit system login] class tier1 { idle-timeout 15; permissions [configure interface network routing snmp system trace view firewall ]; } class tier2 { idle-timeout 15; permissions [admin clear configure interface network reset routing routing-control snmp snmp-control system system-control trace trace-control view maintenance firewall firewall-control secret rollback ]; } class tier3 { idle-timeout 15; permissions all; } /* This is our local superuser account with a local password. */ user admin { full-name Administrator; uid 2000; class tier3; authentication { encrypted-password xxxxxxx; } } /* TACACS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } user tier3 { uid 2003; class tier3; } Using the example JUNOS configuration above and TACACS configuration below, when a user is using a template account, the CLI username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account. The CLI username is sent to the authentication server with the correct password. The server returns the local username (i.e., “tier2”) to the JUNOS software as specified in the authentication server (local-user-name for TACACS+, Juniper-Local-User for RADIUS). user = simon { . . . . service = junos-exec { local-user-name = tier2 allow-commands = "configure" deny-commands = "shutdown" } } 'allow-commands' and 'deny-commands' override permissions of the class of the template that the local-user-name is associated with.
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer