Review the network device configuration to verify that the device limits the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types. Review the running-configuration and verify that it includes "login concurrent-session limit" followed by the number of sessions defined by the organization.

Note: The default concurrent session limit is 10, so if the line is not displayed when viewing the configuration, the limit is set to 10.

If the network device does not limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type, this is a finding.

Configure the network device to limit the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types, as in the following example:

OS10(config)# login concurrent-session limit 3
If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this requirement. Because the responsibility for meeting this requirement is transferred to the AAA broker, this requirement is not applicable for the local network device.

This requirement may be verified by demonstration or configuration review. Verify the Dell OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. Verify the correct role is assigned to each user:

OS10# show running-configuration users
username admin password **** role sysadmin priv-lvl 15
username op100 password **** role netoperator priv-lvl 1
OS10#

If any users are assigned to the wrong role, this is a finding.

Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users:

OS10(config)# username <name> password ********** role <sysadmin/netoperator/secadmin/netadmin>
Review the OS10 Switch configuration to verify that administrative access to the switch is allowed only from hosts residing in the management network.

Step 1: Examine the interface configuration for the control plane ACLs applied to the traffic destined to the router control plane from the OOBM port or front panel data ports:

!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in

Step 2: Review the control plane ACLs to verify traffic is limited appropriately. For example, to restrict management traffic to a switch at address 192.168.105.17 to only a subset of the 192.168.105.0 subnet, check for an ACL such as the following:

!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ip 192.168.105.0/28 192.168.105.17/32
 seq 20 deny ip any 192.168.105.17/32 log

Likewise, to restrict management traffic arriving at a switch address 10.20.30.1 on the front panel data ports:

!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ip 10.20.30.0/24 10.20.31.1/32
 seq 20 deny ip any 10.20.31.1 log

If the OS10 Switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Configure the OS10 Switch to restrict management access to specific IP addresses as shown in the example below.

Step 1: Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM port and from the front panel data ports:

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# seq 10 permit ip 192.168.105.0/28 192.168.105.17/32
OS10(config-ipv4-acl)# seq 20 deny ip any 192.168.105.17/32 log
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# seq 10 permit ip 10.20.30.0/24 10.20.31.1/32
OS10(config-ipv4-acl)# seq 20 deny ip any 10.20.31.1 log

Step 2: Apply the ACLs to the ingress of the control-plane:

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in
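The control-plane ACL review above asks the reviewer to confirm, by reading the entries, that only the management subnet can reach the switch address and that everything else is denied and logged. The following is an added example, not Dell's or DISA's code, that performs that review offline: it parses the "ip access-list" entries in the syntax shown above (seq, permit/deny, ip, source, destination, optional log), evaluates a candidate source against the list with first-match semantics and the switch's implicit trailing deny, and reports permits that fall outside the approved management subnet or a missing logged explicit deny. The configuration excerpt is constructed from the values in the check text; the function names are this example's own.

```python
"""Offline evaluator for OS10-style control-plane ACLs (constructed example,
not Dell or DISA code). Entry syntax handled: 'seq N permit|deny ip SRC DST
[log]' where SRC/DST is 'any', a CIDR, or a bare host address (treated as
/32). First match wins; anything unmatched is implicitly denied, as on the
switch.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed running-configuration excerpt using the values from the check text.
ACL_CONFIG = """\
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ip 192.168.105.0/28 192.168.105.17/32
 seq 20 deny ip any 192.168.105.17/32 log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ip 10.20.30.0/24 10.20.31.1/32
 seq 20 deny ip any 10.20.31.1 log
"""


@dataclass
class Entry:
    seq: int
    action: str
    src: Optional[ipaddress.IPv4Network]  # None stands for 'any'
    dst: Optional[ipaddress.IPv4Network]
    log: bool


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    if token == "any":
        return None
    # a bare address such as 10.20.31.1 denotes a single host
    return ipaddress.ip_network(token if "/" in token else token + "/32", strict=False)


ENTRY_RE = re.compile(r"seq (\d+) (permit|deny) ip (\S+) (\S+)( log)?$")


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Return {acl name: [entries sorted by seq]} from a running-config excerpt."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[List[Entry]] = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list (\S+)$", line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            current.append(Entry(int(entry.group(1)), entry.group(2),
                                 _net(entry.group(3)), _net(entry.group(4)),
                                 entry.group(5) is not None))
        elif line.startswith("!"):
            current = None  # '!' closes the current ACL block
    for entries in acls.values():
        entries.sort(key=lambda e: e.seq)
    return acls


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str) -> str:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if (e.src is None or s in e.src) and (e.dst is None or d in e.dst):
            return e.action
    return "deny"


def review_management_acl(entries: List[Entry], allowed_net: str) -> List[str]:
    """Findings a reviewer would raise: a permit whose source is not inside the
    approved management subnet, or no logged explicit deny at the end."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = []
    for e in entries:
        if e.action == "permit" and (e.src is None or not e.src.subnet_of(allowed)):
            findings.append(f"seq {e.seq} permits {e.src or 'any'}, which is outside {allowed}")
    if not entries or entries[-1].action != "deny" or not entries[-1].log:
        findings.append("ACL does not end with a logged explicit deny")
    return findings


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    print(review_management_acl(acls["MGMT_TRAFFIC_FROM_OOBM"], "192.168.105.0/28"))
    print(evaluate(acls["MGMT_TRAFFIC_FROM_OOBM"], "192.168.105.200", "192.168.105.17"))
```

The evaluator deliberately returns "deny" when nothing matches, because the switch does the same; the reviewer still wants the explicit logged deny so that rejected management attempts show up in the logs rather than disappearing silently.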
Review the Dell OS10 Switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts and a 15-minute lockout period as shown in the example below:

password-attributes lockout-period 15

Note: Since the max-retry value of three is the default value, it will not be displayed when viewing the configuration. So, if the password-attributes max-retry value is not displayed, it is set to three attempts.

If the Dell OS10 Switch is not configured to enforce the limit of three consecutive invalid logon attempts and a 15-minute lockout period, this is a finding.

Configure the Dell OS10 Switch to enforce the limit of three consecutive invalid logon attempts and a 15-minute lockout as shown in the example below:

OS10(config)# password-attributes max-retry 3 lockout-period 15
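Two of the checks so far (the concurrent session limit and the lockout policy) share a trap: the value in force is a default that "show running-configuration" does not print, so a reviewer or script that only looks for the literal line misjudges both the compliant and the non-compliant case. The following is an added example, not Dell's or DISA's code, that models those defaults explicitly (10 concurrent sessions and max-retry 3, both taken from the check text), merges every "password-attributes" line into one map, and reports findings against the stated requirements. The configuration excerpts are constructed; the function names are this example's own.

```python
"""Defaults-aware review of OS10 session and lockout settings (constructed
example, not Dell or DISA code). The defaults below are the ones the check
text states for lines that are absent from the running-configuration.
"""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_SESSION_LIMIT = 10  # check text: absent line means a limit of 10
DEFAULT_MAX_RETRY = 3       # check text: absent max-retry means 3 attempts
REQUIRED_MAX_RETRY = 3
REQUIRED_LOCKOUT_MINUTES = 15

# Constructed running-configuration excerpts.
COMPLIANT_CONFIG = """\
!
login concurrent-session limit 3
!
password-attributes lockout-period 15
password-attributes min-length 15
"""

NONCOMPLIANT_CONFIG = """\
!
password-attributes max-retry 5
"""


def parse_password_attributes(config: str) -> Dict[str, int]:
    """Merge every 'password-attributes ...' line into one {attribute: value} map.
    'character-restriction <class> <n>' is keyed as 'character-restriction <class>'."""
    attrs: Dict[str, int] = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "password-attributes":
            continue
        i = 1
        while i + 1 < len(tokens):
            if tokens[i] == "character-restriction" and i + 2 < len(tokens):
                attrs["character-restriction " + tokens[i + 1]] = int(tokens[i + 2])
                i += 3
            else:
                attrs[tokens[i]] = int(tokens[i + 1])
                i += 2
    return attrs


def effective_session_limit(config: str) -> int:
    """The limit in force, applying the default when the line is absent."""
    m = re.search(r"^\s*login concurrent-session limit (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else DEFAULT_SESSION_LIMIT


def effective_lockout(config: str) -> Tuple[int, Optional[int]]:
    """(max-retry in force, lockout-period or None when not configured)."""
    attrs = parse_password_attributes(config)
    return attrs.get("max-retry", DEFAULT_MAX_RETRY), attrs.get("lockout-period")


def findings(config: str, org_session_limit: int) -> List[str]:
    """Findings against the organization's session limit and the STIG lockout values."""
    out = []
    limit = effective_session_limit(config)
    if limit > org_session_limit:
        out.append(f"concurrent-session limit in force is {limit}; "
                   f"organization allows at most {org_session_limit}")
    max_retry, lockout = effective_lockout(config)
    if max_retry != REQUIRED_MAX_RETRY:
        out.append(f"max-retry in force is {max_retry}; required {REQUIRED_MAX_RETRY}")
    if lockout != REQUIRED_LOCKOUT_MINUTES:
        out.append(f"lockout-period is {lockout}; required {REQUIRED_LOCKOUT_MINUTES}")
    return out


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(name, findings(cfg, org_session_limit=3))
```

Note that the non-compliant excerpt produces a session-limit finding even though it contains no "login concurrent-session limit" line at all; that is exactly the case a literal grep would miss.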
Determine if the Dell OS10 device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Verify the following banner is displayed during login before the password is entered:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If such a banner is not presented, this is a finding.

Configure the Dell OS10 Switch to display the Standard Mandatory DOD Notice and Consent Banner before granting access as follows:

OS10(config)# banner motd disable
OS10(config)# banner login ^C
*****************************************************************
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
*****************************************************************
^C
Verify the OS10 Switch protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation. Review the OS10 Switch configuration to determine if audit logging is enabled:

!
logging audit enable

If audit logging is not enabled, this is a finding.

Configure the OS10 Switch to enable audit logging:

OS10(config)# logging audit enable

Check the OS10 Switch to determine if it initiates session auditing upon startup:

!
logging audit enable

If the OS10 Switch does not initiate session auditing upon startup, this is a finding.

Configure the OS10 Switch to initiate session auditing upon startup:

OS10(config)# logging audit enable
Determine if the OS10 Switch prevents the installation of patches, service packs, or application components without verifying the software component has been digitally signed using a certificate that is recognized and approved by the organization. Image install commands verify signatures if OS10 secure-boot is enabled. Verify that the OS10 secure-boot feature is enabled with the following command:

OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected: yes
BIOS secure boot:
BIOS Secure boot configured: yes

If BIOS Secure boot is not configured, this is a finding.

Install OS10 images with digital signature verification using the following commands. Enable OS10 secure-boot, if necessary, and reload the switch after enabling it:

OS10# secure-boot enable

With OS10 secure-boot enabled, install OS10 images with the following command:

OS10# image secure-install <image-filepath> {sha256 signature <signature-filepath> | gpg signature <signature-filepath> | pki signature <signature-filepath> publickey <key-file>}
Determine if the network device prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. Verify the configuration does not include unnecessary or nonsecure protocols and services such as the following:

ip telnet server enable
rest api restconf
eula-consent support-assist accept

If any unnecessary or nonsecure functions are permitted, this is a finding.

Configure the OS10 Switch to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services:

OS10(config)# no ip telnet server enable
OS10(config)# no rest api restconf
OS10(config)# eula-consent support-assist reject

Verify the bash shell is disabled. Check the switch configuration for the setting "system-cli disable". If system-cli disable is not configured, this is a finding.

Disable the Bash shell from the CLI:

OS10# configure terminal
OS10(config)# system-cli disable
Review the network device configuration to determine if an account of last resort is configured. Verify default admin and other vendor-provided accounts are disabled, removed, or renamed where possible. Verify the username and password for the account of last resort is contained within a sealed envelope and kept in a safe.

Step 1: Verify the Dell OS10 Switch is configured with only a single local user account. If one local account does not exist for use as the account of last resort, this is a finding. Verify the role is sysadmin.

OS10# show running-configuration users
username alradmin password **** role sysadmin priv-lvl 15
OS10#

Step 2: Verify the linuxadmin system user has been disabled:

OS10# show running-configuration | grep system-user
system-user linuxadmin disable
system-user linuxadmin password ****
OS10#

If one local account does not exist for use as the account of last resort or the linuxadmin system-user has not been disabled, this is a finding.

Configure the OS10 Switch to only allow one local account for use as the account of last resort. Disable the linuxadmin system user:

OS10(config)# system-user linuxadmin disable
%Warning : Operation is not recommended in absence of console access. Do you want to proceed ? [yes/no(default)]:yes
OS10(config)#

Delete any extra local users with the following command:

OS10(config)# no username admin

Note: The account of last resort must be added before the default admin account can be deleted.
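The account-of-last-resort check above is several conditions read off one "show running-configuration users" excerpt: exactly one local account, that account in the sysadmin role, the vendor default "admin" gone, and the linuxadmin system user disabled. The same excerpt is what the earlier role-assignment check asks a reviewer to confirm by eye. The following is an added example, not Dell's or DISA's code, that extracts the local users and their roles with a regular expression matching the line format shown on this page and reports each failed condition as a separate finding. The two configuration excerpts are constructed (one mirrors the fixed state, the other the vendor default state); the function names are this example's own.

```python
"""Account-of-last-resort review for an OS10 'show running-configuration users'
excerpt (constructed example, not Dell or DISA code).
"""
import re
from typing import Dict, List

# Line format taken from the check text: username NAME password **** role ROLE priv-lvl N
USER_RE = re.compile(r"^\s*username (\S+) password \S+ role (\S+)(?: priv-lvl (\d+))?", re.M)
LINUXADMIN_DISABLED_RE = re.compile(r"^\s*system-user linuxadmin disable\s*$", re.M)

# Constructed excerpt modelled on the fixed state in the check text.
LAST_RESORT_CONFIG = """\
username alradmin password **** role sysadmin priv-lvl 15
system-user linuxadmin disable
system-user linuxadmin password ****
"""

# Constructed excerpt modelled on the vendor default state (admin still present,
# a second local user, linuxadmin not disabled).
DEFAULT_STATE_CONFIG = """\
username admin password **** role sysadmin priv-lvl 15
username op100 password **** role netoperator priv-lvl 1
"""


def local_users(config: str) -> Dict[str, str]:
    """{username: role} for every local account in the excerpt."""
    return {m.group(1): m.group(2) for m in USER_RE.finditer(config)}


def linuxadmin_disabled(config: str) -> bool:
    return LINUXADMIN_DISABLED_RE.search(config) is not None


def review_last_resort(config: str, vendor_defaults=("admin",)) -> List[str]:
    """One finding per failed condition from the check text."""
    findings = []
    users = local_users(config)
    if len(users) != 1:
        findings.append(f"expected exactly one local account, found {len(users)}: {sorted(users)}")
    for name, role in users.items():
        if role != "sysadmin":
            findings.append(f"{name} has role {role}; the account of last resort must be sysadmin")
        if name in vendor_defaults:
            findings.append(f"vendor default account {name} is still present")
    if not linuxadmin_disabled(config):
        findings.append("system-user linuxadmin is not disabled")
    return findings


if __name__ == "__main__":
    print(local_users(DEFAULT_STATE_CONFIG))
    print(review_last_resort(DEFAULT_STATE_CONFIG))
    print(review_last_resort(LAST_RESORT_CONFIG))
```

The vendor-default list is a parameter so the same review can be extended to other pre-provisioned names an organization wants gone; the page itself names only "admin" and "linuxadmin".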
Verify the OS10 Switch is configured to use DOD PKI as MFA for interactive logins. Evidence of successful configuration is usually indicated by a prompt for the user to insert a smartcard. If the smartcard is already inserted, the network device will prompt the user to enter the corresponding PIN, which unlocks the certificate keystore on the smartcard.

Review the running-configuration to verify that X.509v3 authentication is enabled for SSH. Verify the PKI authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile ("no peer-name-check" is not present).

ip ssh server x509v3-authentication security-profile cacpiv-prof
...
crypto security-profile <profile-name>
 certificate <host-certificate-name>
 ocsp-check <ocsp-url>
...

If the OS10 Switch is not configured to use DOD PKI as MFA for interactive logins, this is a finding. If peer-name-check has been disabled in the security profile, this is a finding.

Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA, then configure the SSH server to enable authentication by PKI certificate:

OS10(config)#
OS10(config)# crypto security-profile <profile-name>
OS10(config-sec-profile)# certificate <host-certificate-name>
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# ocsp-check <ocsp-url>
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# ip ssh server x509v3-authentication security-profile <profile-name>
OS10(config)#
Review the OS10 Switch configuration to determine if replay-resistant authentication mechanisms are implemented for network access to privileged accounts.

Review the FIPS status to verify that FIPS mode is enabled, as shown below:

OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#

Verify that SSH is enabled for network access by reviewing the SSH server status:

OS10# show ip ssh | grep "SSH Server:"
SSH Server: Enabled

Verify that telnet is disabled on the switch by verifying that the following is not in the running-configuration:

ip telnet server enable

If FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.

Configure the OS10 Switch to implement replay-resistant authentication mechanisms for network access to privileged accounts:

OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#

Disable telnet if it has been enabled:

OS10(config)# no ip telnet server enable

Enable SSH if it has been disabled:

OS10(config)# ip ssh server enable
Determine if the OS10 Switch or its associated authentication server enforces a minimum 15-character password length. Review the configuration to verify that the min-length password-attribute is set to 15:

OS10# show running-configuration password-attributes
!
password-attributes min-length 15

If the OS10 Switch or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.

Configure the OS10 Switch or its associated authentication server to enforce a minimum 15-character password length:

OS10(config)# password-attributes min-length 15

Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one uppercase character be used. Review the configuration to verify that the upper password-attribute is set to 1:

OS10# show running-configuration password-attributes
!
password-attributes character-restriction upper 1

If the OS10 Switch and associated authentication server does not require that at least one uppercase character be used in each password, this is a finding.

Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one uppercase character be used:

OS10(config)# password-attributes character-restriction upper 1

Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one lowercase character be used. Review the configuration to verify that the lower password-attribute is set to 1:

OS10# show running-configuration password-attributes
!
password-attributes character-restriction lower 1

If the OS10 Switch and associated authentication server does not require that at least one lowercase character be used in each password, this is a finding.

Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one lowercase character be used:

OS10(config)# password-attributes character-restriction lower 1

Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one numeric character be used. Review the configuration to verify that the numeric password-attribute is set to 1:

OS10# show running-configuration password-attributes
!
password-attributes character-restriction numeric 1

If the OS10 Switch and associated authentication server does not require that at least one numeric character be used in each password, this is a finding.

Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one numeric character be used:

OS10(config)# password-attributes character-restriction numeric 1

Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one special character be used. Review the configuration to verify that the special-char password-attribute is set to 1:

OS10# show running-configuration password-attributes
!
password-attributes character-restriction special-char 1

If the OS10 Switch and associated authentication server does not require that at least one special character be used in each password, this is a finding.

Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one special character be used:

OS10(config)# password-attributes character-restriction special-char 1
Verify the OS10 Switch is configured to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL resources. Verify that OCSP validation using the appropriate DOD OCSP responder is enabled in the security profile:

ip ssh server x509v3-authentication security-profile cacpiv-prof
...
crypto security-profile <profile-name>
 ...
 ocsp-check <ocsp-url>
...

If the OS10 Switch is not configured to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL sources, this is a finding.

Configure the OS10 Switch to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL sources:

OS10(config)#
OS10(config)# crypto security-profile <profile-name>
OS10(config-sec-profile)# ocsp-check <ocsp-url>
OS10(config-sec-profile)# exit
OS10(config)#
If PKI-based authentication is not used as the MFA solution for interactive logins, this requirement is not applicable.

OS10 maps certificates to valid usernames by comparing the common name and user principal name in the certificate to the unique user account name. This check is applied by default unless name checking has been disabled in the security profile with the "no peer-name-check" setting.

Review the running-configuration to verify that X.509v3 authentication is enabled for SSH. Verify the PKI authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile ("no peer-name-check" is not present).

ip ssh server x509v3-authentication security-profile cacpiv-prof
...
crypto security-profile <profile-name>
 certificate <host-certificate-name>
 ocsp-check <ocsp-url>
...

If peer-name-check has been disabled in the security profile, this is a finding.

Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA, then configure the SSH server to enable authentication by PKI certificate:

OS10(config)#
OS10(config)# crypto security-profile <profile-name>
OS10(config-sec-profile)# certificate <host-certificate-name>
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# ocsp-check <ocsp-url>
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# ip ssh server x509v3-authentication security-profile <profile-name>
OS10(config)#
Determine if the network device uses FIPS 140-2 approved algorithms for authentication to a cryptographic module. Review the FIPS status to verify that FIPS mode is enabled, as shown below:

OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#

If the network device is not configured to use a FIPS-approved authentication algorithm to a cryptographic module, this is a finding.

Configure the network device to use FIPS 140-2 approved algorithms for authentication to a cryptographic module:

OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#

Determine if the network device terminates the connection associated with a device management session at the end of the session or after five minutes of inactivity. Review the running-configuration and verify that it includes "exec-timeout 300", which disconnects sessions after five minutes of inactivity.

If the network device does not terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity, this is a finding.

Configure the OS10 Switch to terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity:

OS10(config)# exec-timeout 300
Determine if the OS10 Switch prevents nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. Access to privileged functions is restricted by OS10 to users with the appropriate role.

Verify the OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. Verify the correct role is assigned to each user:

OS10# show running-configuration users
username admin password **** role sysadmin priv-lvl 15
username op100 password **** role netoperator priv-lvl 1
OS10#

If the OS10 Switch does not prevent nonprivileged users from executing privileged functions, this is a finding.

Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users:

OS10(config)# username <name> password ********** role <sysadmin/netoperator/secadmin/netadmin>

Determine if the OS10 Switch generates an immediate alert of all audit failure events requiring real-time alerts. Verify that syslog is configured to use a connection-based protocol, either TCP or TLS, when connecting to a remote syslog server:

OS10# show running-configuration logging
!
...
logging server 100.94.75.111 tcp 514

If the OS10 Switch is not configured to use either TCP or TLS for connection to the remote syslog servers, this is a finding.

Configure the OS10 Switch to use either TCP or TLS for connection to the remote syslog servers:

OS10(config)# logging server 100.94.75.111 tcp
Review the OS10 Switch configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-HMAC.

Step 1: Review the FIPS status to verify that FIPS mode is enabled, as shown below:

OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#

Step 2: Review the SNMP configuration to verify that the server is configured to enforce authentication ({auth|priv} {name}). Verify the SNMP user is configured for SHA authentication (auth sha):

OS10(config)# show running-configuration snmp
!
...
snmp-server group Group3 3 priv notify NOTIFY
snmp-server host 10.10.10.10 traps version 3 priv User3
snmp-server user User3 Group3 3 encrypted auth sha **** priv aes ****

If SNMP is not configured to enforce authentication or FIPS mode is not enabled, this is a finding.

Configure the OS10 Switch to authenticate SNMP messages using a FIPS-validated Keyed-HMAC.

Ensure FIPS mode is enabled:

OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#

Configure an SNMP user to enforce SHA authentication:

OS10(config)# snmp-server group Group3 3 priv notify NOTIFY
OS10(config)# snmp-server user User3 Group3 3 auth sha ********** priv aes **********

Configure the SNMP server to use version 3 and enforce SHA authentication (auth) or both SHA authentication and AES encryption (priv):

OS10(config)# snmp-server host 10.10.10.10 version 3 priv User3 snmp
Review the OS10 Switch configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based. Review the configuration to verify that NTP authentication is configured when communicating with the NTP servers, using the following command:

OS10# show running-configuration ntp
!
ntp authenticate
ntp authentication-key 345 sha2-256 9 ****
ntp server 192.0.2.1 key 345 prefer
ntp server 192.0.2.5 key 345
ntp trusted-key 345

If the OS10 Switch does not authenticate NTP sources using authentication that is cryptographically based, this is a finding.

Configure the OS10 Switch to authenticate NTP sources using authentication that is cryptographically based:

OS10(config)# ntp authenticate
OS10(config)# ntp trusted-key 345
OS10(config)# ntp authentication-key 345 sha2-256 0 <key>
OS10(config)# ntp server 192.0.2.1 key 345 preferred
OS10(config)# ntp server 192.0.2.5 key 345
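NTP authentication on this page is five lines that must agree with each other: "ntp authenticate" turns the feature on, every "ntp server" must reference a key, and that key must be both declared with "ntp authentication-key" and listed under "ntp trusted-key". A server line without a key, or a key number that is declared but not trusted, leaves that source unauthenticated even though "ntp authenticate" is present. The following is an added example, not Dell's or DISA's code, that cross-checks those relationships over a running-configuration excerpt. The two excerpts are constructed (the first mirrors the check text, the second is broken on purpose); the accepted-algorithm set contains only sha2-256 because that is the algorithm the page shows, and is an assumption to adjust locally.

```python
"""Consistency review of OS10 NTP authentication lines (constructed example,
not Dell or DISA code).
"""
import re
from typing import List

ACCEPTED_ALGORITHMS = {"sha2-256"}  # assumption taken from the page's example

# Constructed excerpt mirroring the check text.
GOOD_NTP = """\
ntp authenticate
ntp authentication-key 345 sha2-256 9 ****
ntp server 192.0.2.1 key 345 prefer
ntp server 192.0.2.5 key 345
ntp trusted-key 345
"""

# Constructed excerpt broken on purpose: no 'ntp authenticate', one server with
# no key, one server referencing a key that is never declared.
BAD_NTP = """\
ntp authentication-key 345 sha2-256 9 ****
ntp server 192.0.2.1
ntp server 192.0.2.5 key 346
"""

KEY_RE = re.compile(r"ntp authentication-key (\d+) (\S+) \d+ \S+$")
TRUSTED_RE = re.compile(r"ntp trusted-key (\d+)$")
SERVER_RE = re.compile(r"ntp server (\S+)(?: key (\d+))?")


def review_ntp(config: str) -> List[str]:
    """One finding per NTP source that would not be cryptographically authenticated."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate is not configured")
    keys, trusted, servers = {}, set(), []
    for line in lines:
        if (m := KEY_RE.match(line)):
            keys[int(m.group(1))] = m.group(2)          # key id -> algorithm
        elif (m := TRUSTED_RE.match(line)):
            trusted.add(int(m.group(1)))
        elif (m := SERVER_RE.match(line)):
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    for host, key in servers:
        if key is None:
            findings.append(f"ntp server {host} is not bound to an authentication key")
        elif key not in keys:
            findings.append(f"ntp server {host} references key {key}, which is not declared")
        elif key not in trusted:
            findings.append(f"key {key} used by {host} is not listed as a trusted-key")
        elif keys[key] not in ACCEPTED_ALGORITHMS:
            findings.append(f"key {key} uses {keys[key]}, which is not an accepted algorithm")
    if not servers:
        findings.append("no ntp server is configured")
    return findings


if __name__ == "__main__":
    print(review_ntp(GOOD_NTP))
    print(review_ntp(BAD_NTP))
```

The ordering of the per-server checks matters: an undeclared key is reported before trust or algorithm questions, because those cannot be answered for a key that does not exist.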
Review the OS10 Switch configuration to determine if it prohibits the use of cached authenticators after an organization-defined time period. Verify the rest authentication token validity setting is configured. If no entry is displayed, the default is 120 minutes.

OS10# show running-configuration | grep "rest authentication token validity"
rest authentication token validity 60

If cached authenticators are used after an organization-defined time period, this is a finding.

Configure the OS10 Switch to prohibit the use of cached authenticators after an organization-defined time period:

OS10(config)# rest authentication token validity {minutes}
Verify the OS10 Switch uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. Review the FIPS status to verify that FIPS mode is enabled, as shown below:

OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#

Verify that SSH is enabled for network access by reviewing the SSH server status:

OS10# show ip ssh | grep "SSH Server:"
SSH Server: Enabled

Verify that telnet is disabled on the switch by verifying that the following is not in the running-configuration:

ip telnet server enable

If FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.

Configure the OS10 Switch to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications:

OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#

Disable telnet if it has been enabled:

OS10(config)# no ip telnet server enable

Enable SSH if it has been disabled:

OS10(config)# ip ssh server enable

Review the OS10 Switch configuration to determine if cryptographic mechanisms are implemented using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. Review the FIPS status to verify that FIPS mode is enabled, as shown below:

OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#

Verify that SSH is enabled for network access by reviewing the SSH server status:

OS10# show ip ssh | grep "SSH Server:"
SSH Server: Enabled

Verify that telnet is disabled on the switch by verifying that the following is not in the running-configuration:

ip telnet server enable

If FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.

Configure the OS10 Switch to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm:

OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#

Disable telnet if it has been enabled:

OS10(config)# no ip telnet server enable

Enable SSH if it has been disabled:

OS10(config)# ip ssh server enable
Determine if the OS10 Switch protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. Dell OS10 Switches provide DoS protection via control plane ACLs and Control Plane Policing (CoPP).

Use the show control-plane info command to verify that the CoPP queue rate limits are appropriate to implement the organization-defined security safeguards:

OS10# show control-plane info
Queue  Min Rate Limit(in pps)  Max Rate Limit(in pps)  Protocols
0      600                     600                     ISCSI UNKNOWN UNICAST
1      1000                    1000                    OPEN_FLOW SFLOW
2      400                     400                     IGMP PIM
3      600                     1000                    VLT NDS
4      500                     1000                    IPV6_ICMP IPV4_ICMP
5      500                     1000                    ICMPV6_RS ICMPV6_NS ICMPV6_RA ICMPV6_NA
6      500                     1000                    ARP_REQ SERVICEABILITY
7      500                     1000                    ARP_RESP
8      500                     500                     SSH TELNET TACACS NTP FTP
9      600                     600                     FCOE NVME
10     600                     1000                    LACP
11     400                     400                     RSTP PVST MSTP
12     500                     500                     DOT1X LLDP FEFD
13     600                     1000                    IPV6_OSPF IPV4_OSPF
14     600                     1000                    OSPF_HELLO
15     600                     1000                    BGP
16     500                     500                     IPV6_DHCP IPV4_DHCP
17     600                     1000                    VRRP
18     700                     700                     BFD
19     1400                    2000                    REMOTE CPS
20     300                     300                     MCAST DATA
21     100                     100                     ACL LOGGING
22     300                     300                     MCAST KNOWN DATA
23     100                     100                     PTP
24     100                     100                     PORT_SECURITY
OS10#

Use show running-configuration class-map and policy-map to review the configured CoPP policies:

OS10# show running-configuration class-map
!
class-map type application class-iscsi
!
class-map type control-plane example-copp-class-map-name
OS10#
OS10# show running-configuration policy-map
!
policy-map type application policy-iscsi
!
policy-map type control-plane example-copp-policy-map-name
 !
 class example-copp-class-map-name
  set qos-group 2
  police cir 100 pir 100

Examine the interface configuration for the control plane ACLs applied to the traffic destined to the control plane from the OOBM management port or front panel data ports:

OS10# show running-configuration control-plane
!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in

Review the control plane ACLs and verify traffic is limited appropriately:

OS10# show running-configuration access-list
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log

If the OS10 Switch does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.
Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

Create an appropriate QoS policy for CoPP:

OS10(config)# class-map type control-plane example-copp-class-map-name
OS10(config-cmap-control-plane)# exit
OS10(config)# policy-map type control-plane example-copp-policy-map-name
OS10(config-pmap-control-plane)# class example-copp-class-map-name
OS10(config-pmap-c)# set qos-group 2
OS10(config-pmap-c)# police cir 100 pir 100

Assign the control-plane service-policy:

OS10(config)# control-plane
OS10(conf-control-plane)# service-policy input example-copp-policy-map-name

Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports:

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

Apply the ACLs to the ingress of the control-plane:

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in
Verify the OS10 Switch version by entering the following command:

OS10# show version

Verify the release is the most recent approved release available on Dell.com. All OS10 releases supported by Dell can be found at https://www.dell.com/support.

If the OS10 Switch is not running an approved release within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs), this is a finding.
Upgrade the network device to the latest version of the desired LTS version of OS10 available from Dell support.

Step 1: Download the OS10 image file and GPG signature using secure file transfer from a trusted local server:

OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin
Download started. Use 'show image status' for updates
OS10#
OS10# show image status
Image Upgrade State:     idle
==================================================
File Transfer State:     transfer-success
--------------------------------------------------
  State Detail:          Completed: No error
  Task Start:            2024-04-26T16:52:54Z
  Task End:              2024-04-26T16:53:18Z
  Transfer Progress:     100 %
  Transfer Bytes:        959310070 bytes
  File Size:             959310070 bytes
  Transfer Rate:         44447 kbps
Installation State:      idle
--------------------------------------------------
  State Detail:          No install information available
  Task Start:            0000-00-00T00:00:00Z
  Task End:              0000-00-00T00:00:00Z
OS10#
OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg
OS10#
OS10# dir image
Directory contents for folder: image
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------------------------------
2024-04-26T16:53:16Z   959310070     PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin
2024-04-26T16:57:36Z   566           PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg
OS10#

Step 2: Load the Dell GPG signing key and verify the image GPG signature:

OS10# image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B
OS10#
OS10# image verify image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin gpg signature image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg
Image verified successfully.
OS10#

Step 3: Install the new OS10 image into the backup image partition:

OS10# image install image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin
Info: Take the Backup of the configs which can be used during downgrade
Install started. Use 'show image status' for updates
OS10#
OS10# show image status
Image Upgrade State:     idle
==================================================
File Transfer State:     transfer-success
--------------------------------------------------
  State Detail:          Completed: No error
  Task Start:            2024-04-26T16:58:01Z
  Task End:              2024-04-26T16:58:01Z
  Transfer Progress:     100 %
  Transfer Bytes:        350 bytes
  File Size:             350 bytes
  Transfer Rate:         3 kbps
Installation State:      install-success
--------------------------------------------------
  State Detail:          Completed: Success
  Task Start:            2024-04-26T17:04:48Z
  Task End:              2024-04-26T17:22:03Z
OS10#

Step 4: Switch the standby image to be the boot image and reboot the switch:

OS10# boot system standby
OS10#
OS10# reload
Proceed to reboot the system? [confirm yes/no]:yes
Determine if the OS10 Switch generates audit log events for a locally developed list of auditable events.

Review the OS10 Switch configuration to determine if audit logging is enabled:

!
logging audit enable

For the locally developed list of audit items, review the auditd rule set with the following command:

OS10# system "sudo auditctl -l"
-a never,user
-a never,task
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
OS10#

If audit logging is not enabled or auditctl does not list rules for the desired auditable events, this is a finding.
Configure the OS10 Switch to enable audit logging:

OS10(config)# logging audit enable

Configure the switch to log a locally developed list of auditable events by adding the appropriate audit configuration as shown in the example below. From a shell as root, add the desired audit rules to a file in the /etc/audit/rules.d/ directory, as in this example:

OS10# system "sudo -i"
[sudo] password for admin:
root@OS10:~# echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/rules.d/audit.rules
root@OS10:~#

Delete any rules from the rule sets with the obsolete action of "entry":

root@OS10:~# sed -i '/-a entry/d' /etc/audit/rules.d/*

Reload the rules files:

root@OS10:~# augenrules --load
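As an added example that is not part of the STIG text, the following Python checks an auditd rule listing (the output of auditctl -l, or the contents of a rules.d file) against the locally developed list of auditable events, reporting required watches that are missing or too narrow and any rule that still uses the obsolete "-a entry" form the sed step above removes. The sample rules are taken from the check text plus one constructed obsolete rule; REQUIRED_WATCHES is an assumed stand-in for the organization's own list.

```python
import shlex

# Constructed sample: rules from the check text, plus one obsolete "-a entry" rule
# (constructed) to show what the sed step in the fix text is meant to remove.
SAMPLE_AUDIT_RULES = """\
-a never,user
-a never,task
-a entry,always -S open
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
"""

# The locally developed list of auditable events (an assumption): path -> required permissions.
REQUIRED_WATCHES = {"/var/log/wtmp": "wa", "/var/log/sudo.log": "wa", "/usr/bin/dpkg": "x"}


def parse_rules(text):
    """Return ({path: set(perms)} for every -w rule, [lines that use the obsolete 'entry' list])."""
    watches, obsolete = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2:
            continue
        if tokens[0] == "-a" and tokens[1].split(",")[0] == "entry":
            obsolete.append(line.strip())
        elif tokens[0] == "-w":
            # auditd watches for rwxa when -p is omitted
            perms = tokens[tokens.index("-p") + 1] if "-p" in tokens else "rwxa"
            watches[tokens[1]] = set(perms)
    return watches, obsolete


def audit_findings(text, required=REQUIRED_WATCHES):
    """Finding strings: required watches that are missing or too narrow, and obsolete rules."""
    watches, obsolete = parse_rules(text)
    findings = []
    for path, perms in required.items():
        have = watches.get(path)
        if have is None:
            findings.append("missing watch on %s" % path)
        elif not set(perms) <= have:
            findings.append("watch on %s lacks %s" % (path, "".join(sorted(set(perms) - have))))
    findings += ["obsolete rule must be removed: %s" % rule for rule in obsolete]
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_AUDIT_RULES):
        print("FINDING:", finding)
```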
Check the OS10 Switch to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the authorized administrators.

Changes, deletions, and updates in Dell OS10 can only be done by users with the sysadmin, secadmin, or netadmin role. Verify whether any unauthorized users are assigned to any of these roles:

OS10# show running-configuration users

If any unauthorized users are assigned to the sysadmin, secadmin, or netadmin role, this is a finding.
Configure any unauthorized users to have the netoperator role, which cannot make any changes:

OS10(config)# username <name> password ********** role netoperator
Determine if the OS10 Switch obtains public key certificates from an appropriate certificate policy through an approved service provider. Verify the configured CA certificates with the following commands:

OS10# show crypto ca-certs
--------------------------------------
| Locally installed certificates     |
--------------------------------------
DOD_PKE.crt
OS10#
OS10# show crypto ca-certs DOD_PKE.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        ...

If the OS10 Switch does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Configure the OS10 Switch to obtain its public key certificates from an appropriate certificate policy through an approved service provider. Install CA certificates using the crypto ca-cert install command as shown in the example below.

OS10# crypto ca-cert install
Certificate base file name : DOD_PKE
Paste certificate below. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. Enter a blank line to abort this command.
Certificate:
-----BEGIN CERTIFICATE-----
MIID...
...
...=
-----END CERTIFICATE-----

Install as trusted-host certificate? [yes/no]:n
Processing file ...
Installed Root CA certificate
CommonName = ...
IssuerName = ...
OS10#
Verify the OS10 Switch is configured to send log data to at least two central log servers.

OS10# show running-configuration logging
!
logging audit enable
!
logging server 10.0.0.4
logging server 10.0.0.8

If the OS10 Switch is not configured to send log data to at least two central log servers, this is a finding.
Configure the OS10 Switch to send log data to at least two central log servers:

!
logging audit enable
!
logging server 10.0.0.4
logging server 10.0.0.8
!
Verify the OS10 Switch complies with this requirement by entering the following command:

OS10# show version

Verify the release is still supported by Dell. All OS10 releases supported by Dell can be found at https://www.dell.com/support.

If the OS10 Switch is not running an operating system release that is currently supported by Dell, this is a finding.
Upgrade the network device to the latest version of the desired LTS version of OS10 available from Dell support.

Step 1: Download the OS10 image file and GPG signature using secure file transfer from a trusted local server:

OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin
Download started. Use 'show image status' for updates
OS10#
OS10# show image status
Image Upgrade State:     idle
==================================================
File Transfer State:     transfer-success
--------------------------------------------------
  State Detail:          Completed: No error
  Task Start:            2024-04-26T16:52:54Z
  Task End:              2024-04-26T16:53:18Z
  Transfer Progress:     100 %
  Transfer Bytes:        959310070 bytes
  File Size:             959310070 bytes
  Transfer Rate:         44447 kbps
Installation State:      idle
--------------------------------------------------
  State Detail:          No install information available
  Task Start:            0000-00-00T00:00:00Z
  Task End:              0000-00-00T00:00:00Z
OS10#
OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg
OS10#
OS10# dir image
Directory contents for folder: image
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------------------------------
2024-04-26T16:53:16Z   959310070     PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin
2024-04-26T16:57:36Z   566           PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg
OS10#

Step 2: Load the Dell GPG signing key and verify the image GPG signature:

OS10# image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B
OS10#
OS10# image verify image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin gpg signature image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg
Image verified successfully.
OS10#

Step 3: Install the new OS10 image into the backup image partition:

OS10# image install image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin
Info: Take the Backup of the configs which can be used during downgrade
Install started. Use 'show image status' for updates
OS10#
OS10# show image status
Image Upgrade State:     idle
==================================================
File Transfer State:     transfer-success
--------------------------------------------------
  State Detail:          Completed: No error
  Task Start:            2024-04-26T16:58:01Z
  Task End:              2024-04-26T16:58:01Z
  Transfer Progress:     100 %
  Transfer Bytes:        350 bytes
  File Size:             350 bytes
  Transfer Rate:         3 kbps
Installation State:      install-success
--------------------------------------------------
  State Detail:          Completed: Success
  Task Start:            2024-04-26T17:04:48Z
  Task End:              2024-04-26T17:22:03Z
OS10#

Step 4: Switch the standby image to be the boot image and reboot the switch:

OS10# boot system standby
OS10#
OS10# reload
Proceed to reboot the system? [confirm yes/no]:yes
If a default password is still configured for any user, warning messages are displayed on login directly above the initial prompt, as shown below. Log in to OS10 and verify that no warning messages about default passwords are displayed above the initial prompt:

%Warning : Default password for admin account should be changed to secure the system
%Warning : Default password for linuxadmin account should be changed to secure the system.
OS10#

If any default password warnings are displayed, this is a finding.

If "system-user linuxadmin disable" is not shown in the switch configuration, this is a finding.
Configure new passwords for the admin and linuxadmin users as shown below, and disable the linuxadmin user:

OS10(config)# username admin password ********** role sysadmin
OS10(config)# system-user linuxadmin password ************
OS10(config)# system-user linuxadmin disable
Review the OS10 switch configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication. Verify that multiple RADIUS servers are configured and that AAA login authentication is configured to use remote authentication.

OS10# show running-configuration radius-server
radius-server host 10.120.60.23 tls security-profile PROFILE-1 key 9 ****
radius-server host 10.120.80.82 tls security-profile PROFILE1 key 9 ****
OS10#
OS10# show running-configuration aaa
!
aaa authentication login default group radius local
aaa authentication login console local group radius
OS10#

If the OS10 switch is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.
Configure the network device to use at least two authentication servers. The authentication order is determined by the order in which the radius-server entries are configured.

OS10(config)# radius-server host 10.120.60.23 tls security-profile PROFILE1 key ******************
OS10(config)# radius-server host 10.120.80.82 tls security-profile PROFILE1 key ******************
OS10(config)# aaa authentication login default group radius local
OS10(config)# aaa authentication login console group radius local

Configure all network connections associated with device management to use the authentication servers for the purpose of login authentication:

OS10(config)# aaa authentication login default group radius local

Optionally, configure local console access to try local authentication before attempting the remote authentication servers:

OS10(config)# aaa authentication login console local group radius
Determine if the OS10 Switch is configured to synchronize internal information system clocks with the primary and secondary time sources. Review the configuration to verify that the primary and secondary time sources are configured as NTP servers with the following commands:

OS10# show running-configuration ntp
!
ntp authenticate
ntp authentication-key 345 sha2-256 9 ****
ntp server 192.0.2.1 key 345 prefer
ntp server 192.0.2.5 key 345
ntp trusted-key 345

If the OS10 Switch is not configured to synchronize internal information system clocks with the primary and secondary time sources, this is a finding.
Configure the OS10 Switch to synchronize internal information system clocks with the primary and secondary time sources:

OS10(config)# ntp authenticate
OS10(config)# ntp trusted-key 345
OS10(config)# ntp authentication-key 345 sha2-256 0 <key>
OS10(config)# ntp server 192.0.2.1 key 345 prefer
OS10(config)# ntp server 192.0.2.5 key 345
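As an added example that is not part of the STIG text or of Dell's tooling, the following Python runs the running-configuration checks from the user-role, central log server, authentication server and NTP requirements above over a captured show running-configuration. The sample configuration is constructed from the outputs on this page with two deliberate deviations (an extra secadmin user and an NTP server without a key), and AUTHORIZED_ADMINS stands in for the organization's list of approved administrators.

```python
import re

# Constructed sample assembled from the check-text outputs on this page, with two deliberate
# deviations: contractor7 holds secadmin, and the second NTP server is configured without a key.
SAMPLE_RUNNING_CONFIG = """\
username admin password **** role sysadmin priv-lvl 15
username op100 password **** role netoperator priv-lvl 1
username contractor7 password **** role secadmin priv-lvl 15
logging server 10.0.0.4
logging server 10.0.0.8
radius-server host 10.120.60.23 tls security-profile PROFILE1 key 9 ****
radius-server host 10.120.80.82 tls security-profile PROFILE1 key 9 ****
aaa authentication login default group radius local
aaa authentication login console local group radius
ntp authenticate
ntp authentication-key 345 sha2-256 9 ****
ntp server 192.0.2.1 key 345 prefer
ntp server 192.0.2.5
ntp trusted-key 345
"""

PRIVILEGED_ROLES = {"sysadmin", "secadmin", "netadmin"}  # roles that can change the device
AUTHORIZED_ADMINS = {"admin"}  # assumption: the organization's approved administrator accounts


def config_lines(cfg, prefix):
    """Stripped configuration lines that begin with prefix."""
    return [l.strip() for l in cfg.splitlines() if l.strip().startswith(prefix)]


def config_findings(cfg, authorized=AUTHORIZED_ADMINS):
    """Finding strings for the user-role, log-server, authentication-server and NTP checks."""
    findings = []
    for line in config_lines(cfg, "username "):
        m = re.match(r"username (\S+) .*\brole (\S+)", line)
        if m and m.group(2) in PRIVILEGED_ROLES and m.group(1) not in authorized:
            findings.append("unauthorized user %s holds role %s" % m.groups())
    if len(config_lines(cfg, "logging server ")) < 2:
        findings.append("fewer than two central log servers")
    if len(config_lines(cfg, "radius-server host ")) < 2:
        findings.append("fewer than two authentication servers")
    if not config_lines(cfg, "aaa authentication login default group radius"):
        findings.append("default login does not try the authentication servers first")
    if "ntp authenticate" not in config_lines(cfg, "ntp authenticate"):
        findings.append("ntp authenticate is not configured")
    # each time source must reference a key that is also declared trusted
    trusted = set(re.findall(r"^ntp trusted-key (\d+)", cfg, re.M))
    servers = re.findall(r"^ntp server (\S+)(?: key (\d+))?", cfg, re.M)
    if sum(1 for _host, key in servers if key in trusted) < 2:
        findings.append("fewer than two NTP servers authenticated with a trusted key")
    return findings


if __name__ == "__main__":
    for finding in config_findings(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
```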