STIGQter STIGQter: STIG Summary: Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020:

AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization.

DISA Rule

SV-95559r1_rule

Vulnerability Number

V-80849

Group Title

SRG-APP-000329-AAA-000190

Rule Version

SRG-APP-000329-AAA-000190

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure AAA Services to use RBAC policy for levels of access authorization. Configure AAA Services with standard accounts and assign them to privilege levels that meet their job description.

Check Contents

Verify AAA Services are configured to use RBAC policy for levels of access authorization. Confirm the RBAC groups have tiered privileges, and users are in the appropriate groups. In the following TACACS+ example the user (test-user) is a member of the group “test-group”.

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u test-user
User Profile Information
user = test-user{
profile_id = 66
profile_cycle = 1
member = test-group
password = des "********"
}

Below is an example of a CiscoSecure TACACS+ server profile defining the privilege level.
user = test-user{
password = clear "xxxxx"
service = shell {
set priv-lvl = 7
}
}

If AAA Services are not configured to use RBAC policy for levels of access authorization, this is a finding.
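As an added example, not part of the STIG or of CiscoSecure, the following Python helper parses profiles in the block syntax shown above and reports, per user, which group supplies the privilege tier and whether any priv-lvl is set directly on the user, so the group tiering and membership can be checked in bulk rather than one ViewProfile call at a time. The "group = ..." block form and all names and levels in the sample are assumptions; only "user = ..." blocks appear in the check text.

```python
import re

# Constructed sample in the CiscoSecure TACACS+ profile syntax from the check content.
# "group = ..." blocks are an assumption; only "user = ..." blocks appear on the page.
SAMPLE_PROFILES = """
group = netops-ro { service = shell { set priv-lvl = 1 } }
group = netops-admin { service = shell { set priv-lvl = 15 } }
user = test-user {
    member = netops-ro
    password = des "********"
}
user = direct-user { password = clear "xxxxx" service = shell { set priv-lvl = 7 } }
user = orphan-user { password = clear "xxxxx" }
"""
BLOCK_START = re.compile(r"\b(user|group)\s*=\s*([\w.-]+)\s*\{")

def parse_profiles(text):
    """Scan top-level 'user = name {...}' / 'group = name {...}' blocks into bodies."""
    profiles, pos = {"user": {}, "group": {}}, 0
    while (m := BLOCK_START.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):  # walk forward to the matching '}'
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        profiles[m.group(1)][m.group(2)] = text[m.end():i - 1]
        pos = i  # resume after the whole block so nested text is never re-scanned
    return profiles

def priv_lvl(body):  # 'set priv-lvl = N' inside a block body, or None if absent
    m = re.search(r"set\s+priv-lvl\s*=\s*(\d+)", body)
    return int(m.group(1)) if m else None

def audit_rbac(text):
    """Per user: group, the group's priv-lvl, any priv-lvl set directly on the
    user, and a finding flag when neither source gives the user a level."""
    profiles = parse_profiles(text)
    group_lvl = {g: priv_lvl(b) for g, b in profiles["group"].items()}
    report = {}
    for user, body in profiles["user"].items():
        m = re.search(r"\bmember\s*=\s*([\w.-]+)", body)
        group = m.group(1) if m else None
        row = {"group": group, "group_lvl": group_lvl.get(group), "direct_lvl": priv_lvl(body)}
        row["finding"] = row["group_lvl"] is None and row["direct_lvl"] is None
        report[user] = row
    return report

def distinct_tiers(text):
    """Sorted distinct group priv-lvl values; fewer than two means the groups are not tiered."""
    levels = (priv_lvl(b) for b in parse_profiles(text)["group"].values())
    return sorted({lvl for lvl in levels if lvl is not None})
```

A user whose level is set directly rather than inherited from a group is reported with `direct_lvl` so the reviewer can decide whether that bypasses the RBAC tiering.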

Vulnerability Number

V-80849

Documentable

False

Rule Version

SRG-APP-000329-AAA-000190

Severity Override Guidance

Check Content Reference

M

Target Key

3357

Comments