Ensuring maintenance functions are restricted
Rule Title: RiOS performing maintenance functions must restrict use of these functions to authorized personnel only.
STIG ID: RICX-DM-000133
Rule ID: SV-77469r1_rule Severity: CAT II
Vuln ID: V-62979 Class: Unclass
Security-related issues arise from software brought into the network device specifically for diagnostic and repair actions (for example, a software packet sniffer installed on a device in order to troubleshoot system traffic, or a vendor installing or running a diagnostic application in order to troubleshoot an issue with a vendor-supported device). If maintenance tools are used by unauthorized personnel, they might accidentally or intentionally damage or compromise the system.
This requirement addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational network devices. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This requirement does not cover hardware/software components that might support information system maintenance yet are a part of the system (for example, the software implementing ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch).
Verifying that maintenance functions are restricted
Verify that RiOS is configured so that performing maintenance functions is restricted to authorized personnel only.
1. Connect to the Management Console.
2. Choose Administration > Security: User Permissions to display the User Permissions page.
3. Verify that only authorized personnel have the permissions to perform maintenance functions. If user permissions for authorized personnel are not set to authorize maintenance functions, this is a security vulnerability finding.
Configuring the system so that maintenance functions are restricted
Configure RiOS to restrict use of maintenance functions to authorized personnel only.
1. Connect to the Management Console.
2. Choose Administration > Security: User Permissions to display the User Permissions page.
3. Under Role Based Accounts, click Add New User Account to expand the page.
4. Set User Permissions of authorized personnel to allow performance of maintenance functions.
5. Click Add.