Information
Verify that users with access to the Fortinet device have only the minimum privileges required for that particular user.
Rationale:
In some organizations, there is a need to create different levels of administrative accounts. For example, technicians in tier 1 support should not have the same total access to the system as tier 3 support.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
In this example, I would like to give the profile 'tier_1' the ability to view and modify address objects. This sub-privilege is under the fwgrp privilege.
In the CLI
FGT1 # config system accprofile
FGT1 (accprofile) # edit 'tier_1'
FGT1 (tier_1) # set fwgrp custom
FGT1 (tier_1) # config fwgrp-permission
FGT1 (fwgrp-permission) # set address read-write
FGT1 (fwgrp-permission) # end
FGT1 (tier_1) # end
FGT1 #
For the GUI, go to System -> Admin Profiles, select 'tier_1' and click 'Edit'. Under 'Firewall', click 'Custom' and then select the 'Read/Write' option for 'Address'.
In the next example, I would like to assign the profile 'tier_1' to the account 'support1'.
In the CLI
FGT1 # config system admin
FGT1 (admin) # edit 'support1'
FGT1 (support1) # set accprofile 'tier_1'
FGT1 (support1) # end
FGT1 #
For the GUI, go to System -> Administrators, select 'support1' and click 'Edit'. Under 'Administrator Profile', select 'tier_1'.
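Because Nessus does not perform this check, the following added Python helper (not part of the benchmark and not Fortinet code) parses the text of 'show system accprofile' and 'show system admin' and flags administrators whose profile grants more than the intended read-write permissions. The configuration text is constructed for illustration; the admin names other than 'support1' and the contents of profiles other than 'tier_1' are assumptions.

```python
# Constructed sample output of 'show system accprofile' and 'show system admin'
# (assumed names: admin, netops, prof_admin contents; not taken from the page).
SAMPLE_CONFIG = """\
config system accprofile
    edit "prof_admin"
        set sysgrp read-write
        set netgrp read-write
        set fwgrp read-write
    next
    edit "tier_1"
        set fwgrp custom
        config fwgrp-permission
            set address read-write
        end
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support1"
        set accprofile "tier_1"
    next
    edit "netops"
        set accprofile "prof_admin"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    root, stack, cur = {}, [], None
    cur = root
    for line in text.splitlines():
        tok = line.strip().split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):        # open a nested table/entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]).strip('"'), {})
        elif tok[0] == "set":                   # scalar attribute
            cur[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end"):         # close current level
            cur = stack.pop()
    return root

def admins_over_privileged(config, allowed_rw=("address",)):
    """Map admin name -> offending grants; super_admin or any read-write group
    outside the allowed fwgrp sub-permissions counts as over-privileged."""
    profiles, findings = config.get("system accprofile", {}), {}
    for name, admin in config.get("system admin", {}).items():
        prof = admin.get("accprofile", "")
        if prof == "super_admin":
            findings[name] = "super_admin"
            continue
        p = profiles.get(prof, {})
        wide = [g for g, v in p.items() if v == "read-write"]
        if p.get("fwgrp") == "custom":
            sub = p.get("fwgrp-permission", {})
            wide += ["fwgrp/" + k for k, v in sub.items()
                     if v == "read-write" and k not in allowed_rw]
        if wide:
            findings[name] = ",".join(sorted(wide))
    return findings
```

Run it against the real output of the two show commands saved to a file; an empty result means every administrator is bound to a profile no wider than 'tier_1'.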
Default Value:
By default, there are only 2 profiles: prof_admin and super_admin. You have to select a profile when creating an admin account; the system will not choose one for you.