2.4.3 Ensure admin accounts with different privileges have their correct profiles assigned

Information

Verify that users with access to the Fortinet should only have the minimum privileges required for that particular user.

In some organizations, it is necessary to create different levels of administrative accounts. For example, technicians from tier 1 support should not have total access to the system compared to a tier 3 support.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

In this example, the goal is to provide the profile "tier_1" the ability to view and modify address objects. This sub-privilege is under fwgrp privilege.

In CLI:

FGT1 # config system accprofile
FGT1 (accprofile) # edit "tier_1"
FGT1 (tier_1) # set fwgrp custom
FGT1 (tier_1) # config fwgrp-permission
FGT1 (fwgrp-permission) # set address read-write
FGT1 (fwgrp-permission) # end
FGT1 (tier_1) # end
FGT1 #

For the GUI, go to:

1. System > Admin Profiles, select "tier_1" and click "Edit".
2. On "Firewall", click on "Custom".
3. Click on "Read/Write" option for "Address".

In the next example, assign the profile "tier_1" to the account "support1".

In the CLI:

FGT1 # config system admin
FGT1 (admin) # edit "support1"
FGT1 (support1) # set accprofile "tier_1"
FGT1 (support1) # end
FGT1 #

For the GUI, go to:

1. System > Administrators.
2. Select "support1" and click "Edit".
3. Under "Administrator Profile", select "tier_1".

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: FortiGate

Control ID: 1c159c00fcd3b9664aaab555b68742202fdaeb1284c1f8277bc17781eaca30a4