FGFW-ND-000190 - FortiGate devices performing maintenance functions must restrict use of these functions to authorized personnel only.

Information

There are security-related issues arising from software brought into the network device specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a device to troubleshoot system traffic, or a vendor installing or running a diagnostic application to troubleshoot an issue with a vendor-supported device). If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system.

This requirement addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational network devices. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing 'ping,' 'ls,' 'ipconfig,' or the hardware and software implementing the monitoring port of an Ethernet switch).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Log in to the FortiGate GUI with Super-Admin privilege.

First, set one admin profile with access to System Maintenance.
1. Click System.
2. Click Admin Profiles.
3. Click +Create New (Admin Profile).
4. Assign a meaningful name to the Profile.
5. Set System Access Permissions to Read/Write or Custom with Maintenance set to Read/Write.
6. Click OK to save this Profile.

Then,
1. Click System.
2. Click Administrators.
3. Click +Create New (Administrator).
4. Configure Administrator settings with unique Username, Type, and Password.
5. Assign the Administrator Profile that was configured above.
6. Click OK to save.

Note: Do not assign this admin profile to any other users other than the authorized administrator.

To limit the System access to existing low-privilege administrators:

1. Click System.
2. Click Administrators.
3. Identify the admin role that has unauthorized access to System settings.
4. Select the admin role and hover over the profile assigned to the role.
5. Click Edit.
6. On System access permission, click Read or None.
7. Click OK to save.

Repeat this process to define all the Administrators needed to meet privilege separation requirements for the organization.

or

1. Open a CLI console, via SSH or available from the GUI
2. First edit the admin profile by running the following command:

# config system accprofile
# edit {PROFILE NAME}
# set sysgrp read or none
# next
# end
Then, assign this admin profile to the authorized administrator account.
# config system admin
# edit {ADMIN NAME}
# set accprofile {PROFILE NAME}
# next
# end
Note: Do not assign this admin profile to any other users other than the authorized administrator.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-6b., 800-53|MA-3(4), CAT|II, CCI|CCI-000366, CCI|CCI-002883, Rule-ID|SV-234197r879781_rule, STIG-ID|FGFW-ND-000190, Vuln-ID|V-234197

Plugin: FortiGate

Control ID: 12b4faa2908e24dd2b4913ed990684bb8cb82cc419b6e6451723c129964adc0f