800-53|AC-2(7)

Title

ROLE-BASED SCHEMES

Description

The organization:

Supplemental

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.

Reference Item Details

Category: ACCESS CONTROL

Parent Title: ACCOUNT MANAGEMENT

Family: ACCESS CONTROL

Audit Items

Name | Plugin | Audit Name
3.1 - Roles, Applications, and Authentication - Review custom roles | Netapp_API | NetApp Security Hardening Guide for ONTAP 9 v1.7.0
4.04 init.ora - 'remote_os_roles = FALSE' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
4.04 init.ora - 'remote_os_roles = FALSE' | Unix | CIS v1.1.0 Oracle 11g OS L1
4.08 init.ora - 'os_roles = FALSE' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 1
4.08 init.ora - 'os_roles = FALSE' | Unix | CIS v1.1.0 Oracle 11g OS L1
6.3.1 Ensure external AAA is used | Juniper | CIS Juniper OS Benchmark v2.0.0 L1
6.6.4 Ensure Custom Login Classes have Permissions Defined | Juniper | CIS Juniper OS Benchmark v2.0.0 L1
6.6.7 Ensure Remote Login Class for Authorization through External AAA - login class | Juniper | CIS Juniper OS Benchmark v2.0.0 L2
ARST-ND-000350 - The Arista network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Arista | DISA STIG Arista MLS EOS 4.2x NDM v1r1
Brocade : 'administrator account is enabled with admin role assigned' | Brocade | TNS Brocade FabricOS Best Practices
Brocade : 'Review admin user listings' | Brocade | TNS Brocade FabricOS Best Practices
Brocade : 'root account is enabled with root role assigned' | Brocade | TNS Brocade FabricOS Best Practices
CASA-ND-000450 - The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - serial | Cisco | DISA STIG Cisco ASA NDM v1r6
CASA-ND-000450 - The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - ssh | Cisco | DISA STIG Cisco ASA NDM v1r6
CASA-ND-000450 - The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - username | Cisco | DISA STIG Cisco ASA NDM v1r6
CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - username groups | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r2
CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - username groups | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r1
CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Cisco | DISA STIG Cisco IOS Router NDM v2r8
CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r5
CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Cisco | DISA STIG Cisco IOS XE Router NDM v2r9
CISC-ND-000490 - The Cisco switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Cisco | DISA STIG Cisco NX-OS Switch NDM v2r8
CISC-ND-000490 - The Cisco switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r9
CISC-ND-000490 - The Cisco switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Cisco | DISA STIG Cisco IOS Switch NDM v2r9
Citrix ADC - System Parameters - Local Authentication | Citrix_Application_Delivery | Tenable Best Practice Citrix ADC v1.0.0
FGFW-ND-000030 - The FortiGate device must have only one local account to be used as the account of last resort in the event the authentication server is unavailable. | FortiGate | DISA Fortigate Firewall NDM STIG v1r4
JUEX-NM-000240 - The Juniper EX switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Juniper | DISA Juniper EX Series Network Device Management v1r5
JUNI-ND-000380 - The Juniper router must be configured to protect audit information from unauthorized modification. | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-000380 - The Juniper router must be configured to protect audit information from unauthorized modification. | Juniper | DISA STIG Juniper Router NDM v1r5
JUNI-ND-000390 - The Juniper router must be configured to protect audit information from unauthorized deletion. | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-000390 - The Juniper router must be configured to protect audit information from unauthorized deletion. | Juniper | DISA STIG Juniper Router NDM v1r5
JUNI-ND-000460 - The Juniper router must be configured to limit privileges to change the software resident within software libraries. | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-000460 - The Juniper router must be configured to limit privileges to change the software resident within software libraries. | Juniper | DISA STIG Juniper Router NDM v1r5
JUNI-ND-000490 - The Juniper router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable | Juniper | DISA STIG Juniper Router NDM v2r3
JUNI-ND-000490 - The Juniper router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - auth order | Juniper | DISA STIG Juniper Router NDM v1r5
JUNI-ND-000490 - The Juniper router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - auth order | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-000490 - The Juniper router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - login class | Juniper | DISA STIG Juniper Router NDM v1r5
JUNI-ND-000490 - The Juniper router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable - login class | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-001060 - The Juniper router must be configured to prohibit installation of software without explicit privileged status. | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-001060 - The Juniper router must be configured to prohibit installation of software without explicit privileged status. | Juniper | DISA STIG Juniper Router NDM v1r5
JUNI-ND-001360 - The Juniper router must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access - order | Juniper | DISA STIG Juniper Router NDM v1r4
JUNI-ND-001360 - The Juniper router must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access - order | Juniper | DISA STIG Juniper Router NDM v1r5
SYMP-NM-000010 - Symantec ProxySG must be configured with only one local account that is used as the account of last resort. | BlueCoat | DISA Symantec ProxySG Benchmark NDM v1r2