STIGQter: STIG Summary: Palo Alto Networks NDM Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jan 2020:

The Palo Alto Networks security platform must allow only the ISSM (or individuals or roles appointed by the ISSM) in the Audit Administrator (auditadmin) role, or in a custom role with full access to audit logs, or any account that has full access to audit logs.

DISA Rule

SV-77199r1_rule

Vulnerability Number

V-62709

Group Title

SRG-APP-000090-NDM-000222

Rule Version

PANW-NM-000023

Severity

CAT II

CCI(s)

• CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.

Weight

10

Fix Recommendation

To create a separate administrative account for each person who needs full (read and write) access to the reporting functions of the firewall:
Go to Device >> Administrators
Select "Add" (in the lower-left corner of the pane).
Complete the required information -
In the "Name" field, enter the name of the administrator.
Note: Accounts must identify a single person; the only exception allowed is the emergency administration account.

In the "Authentication Profile" field, enter the name of the authentication profile that will be used to control that person's authentication process.
For the Role, select either "Dynamic" or "Role Based".
If selecting "Dynamic", then select the role assigned for this person: Superuser, Device administrator, or Virtual system administrator.
If using the "Role Based" option, then select auditadmin or a custom profile with full access to audit logs.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.

Check Contents

Obtain the list of personnel who are authorized full access to audit logs; these are the ISSM or individuals or roles appointed by the ISSM.
Go to Device >> Administrators
View each configured account in turn.
Note: The Role or Profile for each account.
If unauthorized personnel have a Superuser, Device administrator, or Virtual system administrator account, this is a finding.

If there are accounts Role of Custom role-based administrator, the following checks apply.
View the accounts with the Role of Custom role-based administrator and Profile of auditadmin; if unauthorized personnel are assigned this type of account, this is a finding.

View the accounts with the Role of Custom role-based administrator and a custom administrative profile; if this profile allows full access to audit logs and unauthorized personnel are assigned this type of account, this is a finding.

Vulnerability Number

V-62709

Documentable

False

Rule Version

PANW-NM-000023

Severity Override Guidance

Obtain the list of personnel who are authorized full access to audit logs; these are the ISSM or individuals or roles appointed by the ISSM.
Go to Device >> Administrators
View each configured account in turn.
Note: The Role or Profile for each account.
If unauthorized personnel have a Superuser, Device administrator, or Virtual system administrator account, this is a finding.

If there are accounts Role of Custom role-based administrator, the following checks apply.
View the accounts with the Role of Custom role-based administrator and Profile of auditadmin; if unauthorized personnel are assigned this type of account, this is a finding.

View the accounts with the Role of Custom role-based administrator and a custom administrative profile; if this profile allows full access to audit logs and unauthorized personnel are assigned this type of account, this is a finding.

Check Content Reference

M

Target Key

2811

Comments