STIGQter: STIG Summary: Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019: STIGQter: STIG Summary: Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019:SV-75343r2_rule
V-60885
SRG-APP-000516-NDM-000336
AMLS-NM-000430
CAT I
10
Configure AAA services via a remote AAA server for all nonlocal accounts.
Configuration:
aaa group server [radius/tacacs] [name]
[radius/tacacs]-server host [IP Address] vrf [name] key [key]
aaa authentication login default group [group name] [radius/tacacs] [local]
aaa authentication login console [group] [group name/radius/tacacs+] [local]
aaa authentication dot1x default group [group] [radius]
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization exec default [radius/tacacs] local
aaa authorization commands all default local
aaa accounting exec default start-stop logging
aaa accounting system default start-stop logging
aaa accounting commands all default start-stop logging
no aaa root
Example RBAC roles:
role administrator
10 permit command .*
role operator
10 permit command show running-config [all|detail] sanitized
20 deny command >|>>|extension|\||session|do|delete|copy|rmdir|mkdir|python-shell|bash|platform|scp|append|redirect|tee|more|less|who|show run.*
25 deny command bash
30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*)
40 permit command .*
30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*)
40 permit command .*
Review the device's configuration and verify the use of an AAA server for Account Management. Configuration must include at least one authenticated remote AAA server and verification that authentication, authorization, and accounting are enabled. In order for AAA to execute authorizations, role-based access control (RBAC) must also be configured on the switch, as shown in the configuration example. User roles do not need to follow these exact permissions, but they must comply with organizational policies for access-control. If the AAA server is not configured to centrally manage authentication settings, this is a finding.
Using the "show running-config" command will display all configured AAA commands, which must include the following commands with the variables completed:
aaa group server [radius/tacacs] [name]
[radius/tacacs]-server host [IP Address] vrf [name] key [key]
aaa authentication login default group [group name] [radius/tacacs] [local]
aaa authentication login console [group] [group name/radius/tacacs+] [local]
aaa authentication dot1x default group [group] [radius]
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization exec default [radius/tacacs] local
aaa authorization commands all default local
aaa accounting exec default start-stop logging
aaa accounting system default start-stop logging
aaa accounting commands all default start-stop logging
no aaa root
Executing the "Show aaa sessions" command will verify the operation of AAA for any connected sessions. This will include the username, role, state, authentication method, and remote host information, which must match the configured remote AAA server.
Verify Role Based Access Control is enabled by executing the "show roles" command, and review the configured roles to ensure they meet organization-defined requirements.
V-60885
False
AMLS-NM-000430
Review the device's configuration and verify the use of an AAA server for Account Management. Configuration must include at least one authenticated remote AAA server and verification that authentication, authorization, and accounting are enabled. In order for AAA to execute authorizations, role-based access control (RBAC) must also be configured on the switch, as shown in the configuration example. User roles do not need to follow these exact permissions, but they must comply with organizational policies for access-control. If the AAA server is not configured to centrally manage authentication settings, this is a finding.
Using the "show running-config" command will display all configured AAA commands, which must include the following commands with the variables completed:
aaa group server [radius/tacacs] [name]
[radius/tacacs]-server host [IP Address] vrf [name] key [key]
aaa authentication login default group [group name] [radius/tacacs] [local]
aaa authentication login console [group] [group name/radius/tacacs+] [local]
aaa authentication dot1x default group [group] [radius]
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization exec default [radius/tacacs] local
aaa authorization commands all default local
aaa accounting exec default start-stop logging
aaa accounting system default start-stop logging
aaa accounting commands all default start-stop logging
no aaa root
Executing the "Show aaa sessions" command will verify the operation of AAA for any connected sessions. This will include the username, role, state, authentication method, and remote host information, which must match the configured remote AAA server.
Verify Role Based Access Control is enabled by executing the "show roles" command, and review the configured roles to ensure they meet organization-defined requirements.
M
2825