Details

Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure one or more classes as shown in the example below whose users will not be permitted to add or change software installed on the router.

[edit system]
set login class JR_ENGINEER permissions all
set login class JR_ENGINEER deny-commands ‘(request system software)’

Note: The predefined classes operator and Read-only do not have permissions to install software.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y21M02_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Juniper.

References

• 800-53|CM-11(2)
• CAT|II
• CCI|CCI-001812
• Rule-ID|SV-101261r1_rule
• STIG-ID|JUNI-ND-001060
• Vuln-ID|V-91161

Source

• Tenable.com/audits