Network Device Management Rules : Generating SNMP alerts when accounts are modified
Rule Title: RiOS must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
STIG ID: RICX-DM-000012
Rule ID: SV-77339r1_rule
Severity: CAT III
Vuln ID: V-62849
Class: Unclass
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the modification of device administrator accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be secretly modified and provides logging that can be used for forensic purposes.
The network device must generate the alert; a management server (here, the SNMP trap receiver or the system behind it) may perform the actual notification of administrators and the ISSO.
Verifying servers are configured as trap receivers
Verify that RiOS is configured to forward SNMP traps to at least one receiver, so that alerts about account modification can reach the administrators and ISSO.
To verify SNMP settings
1. Connect to the Management Console.
2. Choose Administration > System Settings: SNMP Basic to display the SNMP Basic page.
3. Under Trap Receivers, verify that the host servers in your deployment are listed in the table. If there are no Host Servers defined in Trap Receivers, this is a security vulnerability finding.
Configuring servers as trap receivers
Configure RiOS to forward SNMP traps to one or more receivers, so that alerts about account modification reach the administrators and ISSO.
To configure servers as trap receivers
1. Connect to the Management Console.
2. Choose Administration > System Settings: SNMP Basic to display the SNMP Basic page.
3. Click Add a New Trap Receiver to expand the page.
4. Complete the configuration as described in this table.
Control: Description

Receiver: Specify the destination IPv4 or IPv6 address or hostname for the SNMP trap.

Destination Port: Specify the destination port the receiver is listening on (UDP 162 is the standard SNMP trap port).

Receiver Type: Select SNMP v3 (user-based security model). SNMPv1 and v2c send their community string in cleartext and provide no authentication or privacy.

Remote User: Specify a remote username on the trap receiver. The same user, with the same keys, must be defined on the receiver.

Authentication: Optionally, select Supply a Key to enter the key used to authenticate the trap.

Authentication Protocol: Select an authentication method from the drop-down list:
  SHA - Specifies the Secure Hash Algorithm (SHA-1, as used by the SNMPv3 user-based security model). Prefer SHA to MD5.

Security Level: Determines whether each message exchange is authenticated and encrypted. Select this level from the drop-down list:
  AuthPriv - Authenticates each packet with the selected authentication protocol and encrypts it with the selected privacy protocol (AES 128 or DES).
  A security level applies to a group, not to an individual user.

Privacy Protocol: Select AES from the drop-down list. AES here is AES128 (128-bit key). DES is single DES with a 56-bit key and should not be selected.

Privacy: Select Same as Authentication Key to reuse the authentication key as the privacy key, or clear it to enter a separate privacy key. The default setting is Same as Authentication Key; a separate privacy key is preferable, so that disclosure of one key does not compromise both authentication and confidentiality.

MD5/SHA Key: Specify a unique authentication key. The key is either a 32-hexadecimal-digit MD5 digest or a 40-hexadecimal-digit SHA digest created using md5sum or sha1sum.

Privacy MD5/SHA Key: Specify the privacy key. As with the authentication key, it is a 32-hexadecimal-digit MD5 digest or a 40-hexadecimal-digit SHA digest created using md5sum or sha1sum.

Enable Receiver: Select to enable the new trap receiver. Clear to disable the receiver.

Add: Adds the new trap receiver to the list.

Remove Selected: Select the check box next to the name and click Remove Selected.
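The MD5/SHA Key and Privacy MD5/SHA Key fields above take the hex digest of a passphrase rather than the passphrase itself. The following POSIX shell functions are an added example, not code from this page or from Riverbed, that produce that digest the way the table describes (md5sum or sha1sum over the passphrase) and check that the result has the length the field accepts. They assume md5sum/sha1sum or openssl is on the path; the 8-character minimum is the USM passphrase minimum from RFC 3414, and the passphrase in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the Riverbed/STIG page: derive the hex key that
# the MD5/SHA Key and Privacy MD5/SHA Key fields expect from a passphrase
# (md5sum / sha1sum of the passphrase) and check it has the required length.

# Pick the digest tool: coreutils if present, otherwise openssl. Both print
# "<hex> <name>", so the first whitespace-separated field is the digest.
_digest_tool() {
  case "$1" in
    md5)  if command -v md5sum  >/dev/null 2>&1; then echo md5sum;  else echo "openssl dgst -md5 -r";  fi ;;
    sha1) if command -v sha1sum >/dev/null 2>&1; then echo sha1sum; else echo "openssl dgst -sha1 -r"; fi ;;
    *)    return 2 ;;
  esac
}

# snmp_key sha1|md5 PASSPHRASE  -> prints the 40- or 32-hex-digit key
snmp_key() {
  alg=$1
  pass=$2
  tool=$(_digest_tool "$alg") || { echo "snmp_key: unknown algorithm '$alg'" >&2; return 2; }
  # RFC 3414 requires USM passphrases to be at least 8 octets (assumption:
  # the RiOS field enforces nothing, so check here).
  if [ "${#pass}" -lt 8 ]; then
    echo "snmp_key: passphrase must be at least 8 characters" >&2
    return 1
  fi
  # printf '%s', not echo: echo appends a newline, the newline gets hashed
  # too, and a receiver keyed from the same passphrase will reject every
  # trap as an authentication failure.
  printf '%s' "$pass" | $tool | awk '{print $1}'
}

# validate_key sha1|md5 HEXKEY -> 0 if the key is the right length and hex only
validate_key() {
  case "$1" in
    sha1) want=40 ;;
    md5)  want=32 ;;
    *)    return 2 ;;
  esac
  key=$2
  if [ "${#key}" -ne "$want" ]; then
    echo "validate_key: expected $want hex digits, got ${#key}" >&2
    return 1
  fi
  case "$key" in
    *[!0-9a-fA-F]*) echo "validate_key: non-hex character in key" >&2; return 1 ;;
  esac
  return 0
}

# Usage (constructed passphrase; use your own):
#   k=$(snmp_key sha1 'correct horse battery staple') && validate_key sha1 "$k" && echo "$k"
```

Paste the printed digest into the MD5/SHA Key field (and a second, different digest into Privacy MD5/SHA Key) and define the same remote user with the same material on the trap receiver. The STIG check above only confirms that receivers are listed; after saving, modify a test account and confirm that the trap actually arrives at the receiver, since a mismatched key fails silently on the sending side.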