JUNI-ND-001060 - The Juniper router must be configured to prohibit installation of software without explicit privileged status.

Information

Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure one or more classes as shown in the example below whose users will not be permitted to add or change software installed on the router.

[edit system]
set login class JR_ENGINEER permissions all
set login class JR_ENGINEER deny-commands '(request system software)'

Note: The predefined classes operator and Read-only do not have permissions to install software.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-11(2), CAT|II, CCI|CCI-003980, Rule-ID|SV-217336r991993_rule, STIG-ID|JUNI-ND-001060, STIG-Legacy|SV-101261, STIG-Legacy|V-91161, Vuln-ID|V-217336

Plugin: Juniper

Control ID: ad9e1de62abd3afda868bb33c8557e393a3ee35186e3fae8341dd75950321a33