Rule ID
SV-284522r1244928_rule
Version
V1R1
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable nonauthorized users to make changes to software libraries, audit tools, and system software, these changes could be implemented without undergoing testing, validation, and approval. Satisfies: SRG-APP-000133-NDM-000244, SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000231-NDM-000271
1. In the Ivanti Policy Secure Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 2. Click the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins. 3. View the "Role Mapping" tab. If there are not two group definitions to Role Assignments for Admin and Read-Only, this is a finding.
Configure the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins. 1. In the Ivanti Policy Secure Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 2. Select the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins. 3. Click "Role Mappings". 4. Click "New Rule". 5. Click "Rule Based" on Group Membership". 6. Click "Update". 7. Type a name for the admin group. 8. Under available groups, select the LDAP group for admins (e.g., "ivanti.admins.gsg"). If no groups currently exist in the window, click "Groups" and add the group from the LDAP directory window that pops up. 9. Under "Available Roles", select ".Administrators". 10. Click "Save Changes". 11. Click "New Rule". 12. Click "Rule Based" on "Group Membership". 13. Click "Update". 14. Type a name for the read-only group. 15. Under available groups, select the LDAP group for nonadmins (e.g., "ivanti.ROadmin.gsg"). If no groups currently exist in the window, click "Groups" and add the group from the LDAP directory window that pops up. 16. Under "Available Roles", select ".Read-Only Administrators". 17. Click "Save Changes".