Ensuring that the monitor and shark accounts are disabled
Rule Title: RiOS must disable the local monitor and shark accounts so they cannot be used as shared accounts by users.
STIG ID: RICX-DM-000003
Rule ID: SV-77327r1_rule
Severity: CAT II
Vuln ID: V-62837
Class: Unclass
The monitor and shark accounts are default group accounts with shared credentials. They are not enabled by default, but they cannot be deleted because these network tools are designed to look for those accounts. Monitor is a read-only account for auditors' configuration management. Shark is used to access packet captures. Changing the credentials for these accounts does not adversely impact the function of the system.
Verifying that the monitor and shark accounts are disabled
Verify that the local monitor and shark accounts are disabled so they cannot be used as shared accounts by users.
1. Connect to the Management Console.
2. Choose Administration > Security: User Permissions to display the User Permissions page.
3. Click monitor to expand the page.
4. Verify that the Enable Account check box is selected. If the check box is not selected, this is a security vulnerability finding.
5. Under Role-Based Accounts, click shark to expand the page.
6. Make sure all the shark permissions are set to Deny. If not all privileges for the shark account are set to Deny, this is a security vulnerability finding.
Disabling the monitor and shark accounts
Disable the local monitor and shark accounts so they cannot be used as shared accounts by users.
1. Connect to the Management Console.
2. Choose Administration > Security: User Permissions to display the User Permissions page.
3. Click monitor to expand the page.
4. Make sure that the Enable Account check box is not selected.
5. Click Apply.
6. Under Role-Based Accounts, click shark to expand the page.
7. Above the Deny column, click Select All to disable the shark account.
8. Click Apply.