{"stig":{"title":"Dell OS10 Switch NDM Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-269768","ruleId":"SV-269768r1051689_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.","description":"Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.","checkContent":"Review the network device configuration to verify if the device limits the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types. \n\nReview the running-configuration. Verify the configuration includes \"login concurrent-session limit\" followed by the number of sessions defined by the organization.\n\nNote: The default concurrent session limit is 10, so if it is not displayed when viewing the configuration, the limit is set to 10. 
\n\nIf the network device does not limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type, this is a finding.","fixText":"Configure the network device to limit the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types, as in the following example.\n\nOS10(config)# login concurrent-session limit 3","ccis":["CCI-000054"]},{"vulnId":"V-269769","ruleId":"SV-269769r1052474_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to assign appropriate user roles or access levels to authenticated users.","description":"Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.\n\nAuthorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.\n\nSome network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions, and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. 
This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group.\n\nNetwork devices that rely on AAA brokers for authentication and authorization services may need to identify the available security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership.","checkContent":"If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this requirement. Because the responsibility for meeting this requirement is transferred to the AAA broker, this requirement is not applicable for the local network device. This requirement may be verified by demonstration or configuration review.\n\nVerify the Dell OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. 
Verify the correct role is assigned to each user.\n\nOS10# show running-configuration users\nusername admin password **** role sysadmin priv-lvl 15\nusername op100 password **** role netoperator priv-lvl 1\nOS10#\n\nIf any users are assigned to the wrong role, this is a finding.","fixText":"Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users.\n\nOS10(config)# username <name> password ********** role <sysadmin|secadmin|netadmin|netoperator>","ccis":["CCI-000213"]},{"vulnId":"V-269770","ruleId":"SV-269770r1051695_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.","description":"A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. 
\n\nApplication-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).\n\nApplications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.\n\nSatisfies: SRG-APP-000038-NDM-000213, SRG-APP-000880-NDM-000290","checkContent":"Review the OS10 Switch configuration to verify that administrative access to the switch is allowed only from hosts residing in the management network.\n\nStep 1: Examine the control-plane configuration for the ACLs applied to traffic destined to the switch control plane from the OOBM port or the front panel data ports:\n\n!\ncontrol-plane\n ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in\n ip access-group MGMT_TRAFFIC_FROM_DATA data in\n\nStep 2: Review the control plane ACLs to verify traffic is limited appropriately.\n\nFor example, to restrict management access to a switch at address 192.168.105.17 to only a subset of the 192.168.105.0 subnet, check for an ACL such as the following:\n!\nip access-list MGMT_TRAFFIC_FROM_OOBM\n seq 10 permit ip 192.168.105.0/28 192.168.105.17/32\n seq 20 deny ip any 192.168.105.17/32 log\n\nLikewise, to restrict management traffic arriving at the switch address 10.20.31.1 via the front panel data ports to hosts in the 10.20.30.0/24 subnet: \n\n!\nip access-list MGMT_TRAFFIC_FROM_DATA\n seq 10 permit ip 10.20.30.0/24 10.20.31.1/32\n seq 20 deny ip any 10.20.31.1 log\n \nIf the OS10 Switch is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.","fixText":"Configure the OS10 Switch to restrict management access to specific IP addresses as shown in the 
example below.\n\nStep 1: Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM port and from the front panel data ports:\n\nOS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM\nOS10(config-ipv4-acl)# seq 10 permit ip 192.168.105.0/28 192.168.105.17/32\nOS10(config-ipv4-acl)# seq 20 deny ip any 192.168.105.17/32 log\n\nOS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA\nOS10(config-ipv4-acl)# seq 10 permit ip 10.20.30.0/24 10.20.31.1/32\nOS10(config-ipv4-acl)# seq 20 deny ip any 10.20.31.1 log\n\nStep 2: Apply the ACLs to the ingress of the control-plane:\n\nOS10(config)# control-plane\nOS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in\nOS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in","ccis":["CCI-001368","CCI-004192"]},{"vulnId":"V-269771","ruleId":"SV-269771r1051698_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.","checkContent":"Review the Dell OS10 Switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts and a 15-minute lockout period as shown in the example below:\n\npassword-attributes lockout-period 15\n\nNote: Since the max-retry value of three is the default value, it will not be displayed when viewing the configuration. So, if the password-attributes max-retry value is not displayed then it is set to three attempts. 
\n\nIf the Dell OS10 Switch is not configured to enforce the limit of three consecutive invalid logon attempts and a 15-minute lockout period, this is a finding.","fixText":"Configure the Dell OS10 Switch to enforce the limit of three consecutive invalid logon attempts and a 15-minute lockout as shown in the example below:\n\nOS10(config)# password-attributes max-retry 3 lockout-period 15","ccis":["CCI-000044"]},{"vulnId":"V-269772","ruleId":"SV-269772r1051701_rule","severity":"medium","ruleTitle":"The Dell OS10 device must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.","description":"Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.\n\nSatisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216","checkContent":"Determine if the Dell OS10 device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Verify the following banner is displayed during login before the password is entered:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf such a banner is not presented, this is a finding.","fixText":"Configure the Dell OS10 Switch to display the Standard Mandatory DOD Notice and Consent Banner before granting access as follows:\n\nOS10(config)# banner motd disable\nOS10(config)# banner login ^C\n*****************************************************************\nYou are accessing a U.S. 
Government (USG) Information System\n(IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to,\npenetration testing, COMSEC monitoring, network operations and\ndefense, personnel misconduct (PM), law enforcement (LE), and\ncounterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on\nthis IS.\n-Communications using, or data stored on, this IS are not\nprivate, are subject to routine monitoring, interception, and\nsearch, and may be disclosed or used for any USG authorized\npurpose.\n-This IS includes security measures (e.g., authentication and\naccess controls) to protect USG interests--not for your\npersonal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring\nof the content of privileged communications, or work product,\nrelated to personal representation or services by attorneys,\npsychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential.\nSee User Agreement for details.\n*****************************************************************\n^C","ccis":["CCI-000048","CCI-000050"]},{"vulnId":"V-269773","ruleId":"SV-269773r1051704_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation.","description":"This requirement supports nonrepudiation of actions taken by an administrator and is required to maintain the integrity of the configuration management process. 
All configuration changes to the network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement.\n\nTo meet this requirement, the network device must log administrator access and activity.","checkContent":"Verify the OS10 Switch protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation. \n\nReview the OS10 Switch configuration to determine if audit logging is enabled:\n\n!\nlogging audit enable\n\nIf audit logging is not enabled, this is a finding.","fixText":"Configure the OS10 Switch to enable audit logging:\n\nOS10(config)# logging audit enable","ccis":["CCI-000166"]},{"vulnId":"V-269774","ruleId":"SV-269774r1051707_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must initiate session auditing upon startup.","description":"If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nSatisfies: SRG-APP-000092-NDM-000224, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000319-NDM-000283, SRG-APP-000343-NDM-000289, SRG-APP-000381-NDM-000305, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323","checkContent":"Check the OS10 Switch configuration to determine if it initiates session auditing upon startup:\n\n!\nlogging audit enable\n\nIf the OS10 Switch does not initiate session auditing upon startup, this is a finding.","fixText":"Configure the OS10 Switch to initiate session auditing upon startup:\n\nOS10(config)# logging audit enable","ccis":["CCI-001464","CCI-000018","CCI-001403","CCI-001404","CCI-001405","CCI-000172","CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-001487","CCI-000135","CCI-002130","CCI-002234","CCI-003938"]},{"vulnId":"V-269775","ruleId":"SV-269775r1051710_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.","description":"Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. 
\n\nAccordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. \n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).","checkContent":"Determine if the OS10 Switch prevents the installation of patches, service packs, or application components without verifying the software component has been digitally signed using a certificate that is recognized and approved by the organization. \n\nImage install commands verify signatures if OS10 secure-boot is enabled. Verify that OS10 secure-boot feature is enabled with the following command:\n\nOS10# show secure-boot status\nLast boot was via secure boot : yes\nSecure boot configured : yes\nLatest startup config protected: yes\nBIOS secure boot:\nBIOS Secure boot configured: yes\n\nIf BIOS Secure boot is not configured, this is a finding.","fixText":"Install OS10 images with digital signature verification using the following command.\n\nEnable OS10 secure-boot, if necessary, with the following command. 
Reload the switch after enabling secure boot.\n\nOS10# secure-boot enable\n\nWith OS10 secure-boot enabled, install OS10 images with the following command:\n\nOS10# image secure-install <image-filepath> {sha256 signature <signature-filepath> | gpg signature <signature-filepath> | pki signature <signature-filepath> publickey <key-file>}","ccis":["CCI-003992"]},{"vulnId":"V-269776","ruleId":"SV-269776r1051713_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.","description":"To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.\n\nNetwork devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.","checkContent":"Determine if the network device prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. 
\n\nVerify the running-configuration does not include unnecessary or nonsecure protocols and services such as the following lines, which enable the Telnet server, the RESTCONF API, and the SupportAssist service respectively:\n\nip telnet server enable\nrest api restconf\neula-consent support-assist accept\n\nIf any unnecessary or nonsecure functions are permitted, this is a finding.","fixText":"Configure the OS10 Switch to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services:\n\nOS10(config)# no ip telnet server enable\nOS10(config)# no rest api restconf\nOS10(config)# eula-consent support-assist reject","ccis":["CCI-000382"]},{"vulnId":"V-269777","ruleId":"SV-269777r1051716_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to disable the Bash shell.","description":"To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.\n\nNetwork devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. 
If a particular capability is used, then it must be documented and approved.","checkContent":"Verify the bash shell is disabled.\n\nCheck the switch configuration for the setting \"system-cli disable\".\n\nIf system-cli disable is not configured, this is a finding.","fixText":"Disable Bash shell from the CLI:\n\nOS10# configure terminal\nOS10(config)# system-cli disable","ccis":["CCI-000382"]},{"vulnId":"V-269778","ruleId":"SV-269778r1051719_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.","description":"Authentication for administrative (privileged level) access to the device is always required. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is necessary.\n\nThe account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.","checkContent":"Review the network device configuration to determine if an account of last resort is configured. Verify default admin and other vendor-provided accounts are disabled, removed, or renamed where possible. Verify the username and password for the account of last resort is contained within a sealed envelope and kept in a safe. \n\nStep 1: Verify the Dell OS10 Switch is configured with only a single local user account. 
If one local account does not exist for use as the account of last resort, this is a finding. \n\nVerify the role is sysadmin.\n\nOS10# show running-configuration users\nusername alradmin password **** role sysadmin priv-lvl 15\nOS10#\n\nStep 2: Verify the linuxadmin system user has been disabled:\n\nOS10# show running-configuration | grep system-user\nsystem-user linuxadmin disable\nsystem-user linuxadmin password ****\nOS10#\n\nIf one local account does not exist for use as the account of last resort or the linuxadmin system-user has not been disabled, this is a finding.","fixText":"Configure the OS10 Switch to only allow one local account for use as the account of last resort.\n\nDisable the linuxadmin system user:\n\nOS10(config)# system-user linuxadmin disable\n\n%Warning : Operation is not recommended in absence of console access.\nDo you want to proceed ? [yes/no(default)]:yes\nOS10(config)#\n\nDelete any extra local users with the following command:\n\nOS10(config)# no username admin\n\nNote: The account of last resort must be added before the default admin account can be deleted.","ccis":["CCI-001358","CCI-002111"]},{"vulnId":"V-269779","ruleId":"SV-269779r1051722_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.","description":"MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. 
Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user’s biometric digital presence.\n\nPrivate industry recognizes and uses a wide variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DOD, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or \"alternate tokens\", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users).\n\nNote: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. 
The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not used by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.\n\nSatisfies: SRG-APP-000149-NDM-000247, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180","checkContent":"Verify the OS10 Switch is configured to use DOD PKI as MFA for interactive logins. Evidence of successful configuration is usually indicated by a prompt for the user to insert a smartcard. If the smartcard is already inserted, the network device will prompt the user to enter the corresponding PIN which unlocks the certificate keystore on the smartcard. \n\nReview the running-configuration to verify that X.509v3 authentication is enabled for SSH. Verify the PKI authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile (\"no peer-name-check\" is not present).\n\nip ssh server x509v3-authentication security-profile cacpiv-prof\n...\ncrypto security-profile <profile-name>\n  certificate <host-certificate-name>\n  ocsp-check <ocsp-url>\n...\n\nIf the OS10 Switch is not configured to use DOD PKI as MFA for interactive logins, this is a finding. 
\nIf peer-name-check has been disabled in the security profile this is a finding.","fixText":"Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA. Configure the SSH server to enable authentication by PKI certificate:\n\nOS10(config)#\nOS10(config)# crypto security-profile <profile-name>\nOS10(config-sec-profile)# certificate <host-certificate-name>\nOS10(config-sec-profile)# peer-name-check\nOS10(config-sec-profile)# ocsp-check <ocsp-url>\nOS10(config-sec-profile)# exit\nOS10(config)#\nOS10(config)# ip ssh server x509v3-authentication security-profile <profile-name>\nOS10(config)#","ccis":["CCI-000765","CCI-004046","CCI-004047"]},{"vulnId":"V-269780","ruleId":"SV-269780r1051725_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). 
Additional techniques include time-synchronous or challenge-response one-time authenticators.","checkContent":"Review the OS10 Switch configuration to determine if replay-resistant authentication mechanisms are implemented for network access to privileged accounts.\n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode:           Enabled\nCrypto Library:      OpenSSL 1.0.2zg-fips  7 Feb 2023\nFIPS Object Module:  DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nVerify that SSH is enabled for network access by reviewing the SSH server status:\n\nOS10# show ip ssh | grep \"SSH Server:\"\nSSH Server:                   Enabled\n\nVerify that telnet is disabled on the switch by verifying that the following is not in the running-configuration: \n\nip telnet server enable\n\nIf FIPS mode is not enabled or if the SSH is not enabled or if telnet is enabled in the OS10 Switch, this is a finding.","fixText":"Configure the OS10 Switch to implement replay-resistant authentication mechanisms for network access to privileged accounts:\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#\n\nDisable telnet if it has been enabled:\n OS10(config)# no ip telnet server enable\n\nEnable SSH if it has been disabled:\n OS10(config)# ip ssh server enable","ccis":["CCI-001941"]},{"vulnId":"V-269781","ruleId":"SV-269781r1051728_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce a minimum 15-character password length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Determine if the OS10 Switch or its associated authentication server enforces a minimum 15-character password length. \n\nReview the configuration to verify that the min-length password-attribute is set to 15:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes min-length 15\n\nIf the OS10 Switch or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.","fixText":"Configure the OS10 Switch or its associated authentication server to enforce a minimum 15-character password length:\n\nOS10(config)# password-attributes min-length 15","ccis":["CCI-004066"]},{"vulnId":"V-269782","ruleId":"SV-269782r1051731_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. 
Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one uppercase character be used.\n\nReview the configuration to verify that the upper password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction upper 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one uppercase character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one uppercase character be used:\n\nOS10(config)# password-attributes character-restriction upper 1","ccis":["CCI-004066"]},{"vulnId":"V-269783","ruleId":"SV-269783r1051734_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. 
Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one lower-case character be used.\n\nReview the configuration to verify that the lower password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction lower 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one lowercase character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one lowercase character be used:\n\nOS10(config)# password-attributes character-restriction lower 1","ccis":["CCI-004066"]},{"vulnId":"V-269784","ruleId":"SV-269784r1051737_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. 
Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one numeric character be used.\n\nReview the configuration to verify that the numeric password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction numeric 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one numeric character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one numeric character be used:\n\nOS10(config)# password-attributes character-restriction numeric 1","ccis":["CCI-004066"]},{"vulnId":"V-269785","ruleId":"SV-269785r1051740_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. 
Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one special character be used.\n\nReview the configuration to verify that the special-char password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction special-char 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one special character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one special character be used:\n\nOS10(config)# password-attributes character-restriction special-char 1","ccis":["CCI-004066"]},{"vulnId":"V-269786","ruleId":"SV-269786r1052487_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to use DOD-approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.","description":"Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within the DOD. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still possess the smartcard on which the PKI certificates were stored. Another example is that a smartcard containing PKI certificates may become lost or stolen. A more serious issue could be that the CA or server which issued the PKI certificates has become compromised, thereby jeopardizing every certificate keypair that was issued by the CA. 
These examples of revocation use cases and many more can be researched further using internet cybersecurity resources.\n\nPKI user certificates presented as part of the identification and authentication criteria (e.g., DOD PKI as multifactor authentication [MFA]) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DOD CA. Additionally, valid PKI certificates are not expired, and valid certificates have not been revoked by a DOD CA.\n\nNetwork devices can verify the validity of PKI certificates by checking with an authoritative CA. One method of checking the status of PKI certificates is to query databases referred to as certificate revocation lists (CRL). These are lists which are published, updated, and maintained by authoritative DOD CAs. For example, once certificates are expired or revoked, issuing CAs place the certificates on a certificate revocation list (CRL). Organizations can download these lists periodically (i.e., daily or weekly) and store them locally on the devices themselves or even onto another nearby local enclave resource. Storing them locally ensures revocation status can be checked even if internet connectivity is severed at the enclave’s point of presence (PoP). However, CRLs can be rather large in storage size and further, the use of CRLs can be rather taxing on some computing resources.\n\nAnother method of validating certificate status is to use the online certificate status protocol (OCSP). Using OCSP, a requestor (i.e., the network device to which the user is trying to authenticate) sends a request to an authoritative CA challenging the validity of a certificate that has been presented for identification and authentication. The CA receives the request and sends a digitally signed response indicating the status of the user's certificate as valid, revoked, or unknown. 
Network devices should only allow access for responses that indicate the certificates presented by the user were considered valid by an approved DOD CA. OCSP is the preferred method because it is fast, provides the most current status, and is lightweight.","checkContent":"Verify the OS10 Switch is configured to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL resources. \n\nVerify that OCSP validation using the appropriate DOD OCSP responder is enabled in the security profile:\n\nip ssh server x509v3-authentication security-profile cacpiv-prof\n...\ncrypto security-profile <profile-name>\n  ...\n  ocsp-check <ocsp-url>\n...\n\nIf the OS10 Switch is not configured to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL sources, this is a finding.","fixText":"Configure the OS10 Switch to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL sources:\n\nOS10(config)#\nOS10(config)# crypto security-profile <profile-name>\nOS10(config-sec-profile)# ocsp-check <ocsp-url>\nOS10(config-sec-profile)# exit\nOS10(config)#","ccis":["CCI-000185"]},{"vulnId":"V-269787","ruleId":"SV-269787r1052488_rule","severity":"high","ruleTitle":"The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.","description":"Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or the status of their nonrepudiation is considerably impacted during forensic analysis. A strength of using PKI as multifactor authentication (MFA) is that it can help ensure only the assigned individual is using their associated user account. 
This can only be accomplished if the network device is configured to enforce the relationship which binds PKI certificates to unique user accounts.\n\nLocal accounts (accounts created, stored, and maintained locally on the network device) should be avoided in lieu of using a centrally managed directory service. Local accounts empower the same workgroup who will be operating the network infrastructure to also control and manipulate access methods, thus creating operational autonomy. This undesirable approach breaks the concept of separation of duties. Additionally, local accounts are susceptible to poor cyber hygiene because they create another user database that must be maintained by the operator, whose primary focus is on running the network. Such examples of poor hygiene include dormant accounts that are not disabled or deleted, employees who have left the organization but whose accounts are still present, periodic password and hash rotation, password complexity shortcomings, increased exposure to insider threat, etc. For reasons such as this, local users on network devices are frequently the targets of cyber-attacks. Instead, organizations should explore examples of centrally managed account services. These examples include the implementation of AAA concepts like the use of external RADIUS and LDAP directory service brokers.","checkContent":"If PKI-based authentication is not used as the MFA solution for interactive logins, this requirement is not applicable.\n\nOS10 maps certificates to valid usernames by comparing the common name and user principal name in the certificate to the unique user account name. This check is applied by default unless name checking has been disabled in the security profile with the \"no peer-name-check\" setting. \n\nReview the running-configuration to verify that X.509v3 authentication is enabled for SSH. 
Verify the PKI authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile (\"no peer-name-check\" is not present).\n\nip ssh server x509v3-authentication security-profile cacpiv-prof\n...\ncrypto security-profile <profile-name>\n  certificate <host-certificate-name>\n  ocsp-check <ocsp-url>\n...\n\nIf peer-name-check has been disabled in the security profile this is a finding.","fixText":"Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA. Configure the SSH server to enable authentication by PKI certificate.\n\nOS10(config)#\nOS10(config)# crypto security-profile <profile-name>\nOS10(config-sec-profile)# certificate <host-certificate-name>\nOS10(config-sec-profile)# peer-name-check\nOS10(config-sec-profile)# ocsp-check <ocsp-url>\nOS10(config-sec-profile)# exit\nOS10(config)#\nOS10(config)# ip ssh server x509v3-authentication security-profile <profile-name>\nOS10(config)#","ccis":["CCI-000187","CCI-000764","CCI-000166"]},{"vulnId":"V-269788","ruleId":"SV-269788r1051749_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nNetwork devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. 
However, security processes must be configured to use only FIPS-approved and NIST-recommended authentication algorithms.\n\nSatisfies: SRG-APP-000179-NDM-000265, SRG-APP-000172-NDM-000259","checkContent":"Determine if the network device uses FIPS 140-2 approved algorithms for authentication to a cryptographic module. \n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode:           Enabled\nCrypto Library:      OpenSSL 1.0.2zg-fips  7 Feb 2023\nFIPS Object Module:  DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nIf the network device is not configured to use a FIPS-approved authentication algorithm to a cryptographic module, this is a finding.","fixText":"Configure the network device to use FIPS 140-2 approved algorithms for authentication to a cryptographic module:\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#","ccis":["CCI-000803","CCI-000197"]},{"vulnId":"V-269789","ruleId":"SV-269789r1051752_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nSatisfies: SRG-APP-000190-NDM-000267, SRG-APP-000186-NDM-000266, SRG-APP-000516-NDM-000336","checkContent":"Determine if the network device terminates the connection associated with a device management session at the end of the session or after five minutes of inactivity. \n\nReview the running-configuration. Verify the configuration includes \"exec-timeout 300\" which disconnects sessions after five minutes of inactivity.\n\nIf the network device does not terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity, this is a finding.","fixText":"Configure the OS10 Switch to terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity:\n\nOS10(config)# exec-timeout 300","ccis":["CCI-001133","CCI-000879","CCI-000370"]},{"vulnId":"V-269790","ruleId":"SV-269790r1051755_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. 
\n\nPrivileged functions include establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations.\n\nSatisfies: SRG-APP-000340-NDM-000288, SRG-APP-000329-NDM-000287","checkContent":"Determine if the OS10 Switch prevents nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nAccess to privileged functions is restricted by OS10 to users with the appropriate role. Verify the OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. Verify the correct role is assigned to each user:\n\nOS10# show running-configuration users\nusername admin password **** role sysadmin priv-lvl 15\nusername op100 password **** role netoperator priv-lvl 1\nOS10#\n\nIf the OS10 Switch does not prevent nonprivileged users from executing privileged functions, this is a finding.","fixText":"Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users:\n\nOS10(config)#  username <name> password ********** role <sysadmin/netoperator/secadmin/netadmin>","ccis":["CCI-002235","CCI-002169","CCI-000366"]},{"vulnId":"V-269791","ruleId":"SV-269791r1051758_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must generate an immediate real-time alert of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. 
Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).\n\nSatisfies: SRG-APP-000360-NDM-000295, SRG-APP-000795-NDM-000130","checkContent":"Determine if the OS10 Switch generates an immediate alert of all audit failure events requiring real-time alerts.\n\nVerify that syslog is configured to use a connection-based protocol, either TCP or TLS, when connecting to a remote syslog server:\n\nOS10# show running-configuration logging\n!\n...\nlogging server 100.94.75.111 tcp 514\n\nIf the OS10 Switch is not configured to use either TCP or TLS for connection to the remote syslog servers, this is a finding.","fixText":"Configure the OS10 Switch to use either TCP or TLS for connection to the remote syslog servers:\n\nOS10(config)# logging server 100.94.75.111 tcp","ccis":["CCI-001858","CCI-003831"]},{"vulnId":"V-269793","ruleId":"SV-269793r1052419_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).","description":"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the internet).\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.","checkContent":"Review the OS10 Switch configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-HMAC.\n\nStep 1: Review the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode:           Enabled\nCrypto Library:      OpenSSL 1.0.2zg-fips  7 Feb 2023\nFIPS Object Module:  DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nStep 2: Review the SNMP configuration to verify that the server is configured to enforce authentication ({auth|priv} {name}). Verify the SNMP user is configured for SHA authentication (auth sha):\n\nOS10(config)# show running-configuration snmp\n!\n...\nsnmp-server group Group3 3 priv notify NOTIFY\nsnmp-server host 10.10.10.10 traps version 3 priv User3\nsnmp-server user User3 Group3 3 encrypted auth sha **** priv aes ****\n\nIf SNMP is not configured to enforce authentication or FIPS mode is not enabled, this is a finding.","fixText":"Configure the OS10 Switch to authenticate SNMP messages using a FIPS-validated Keyed-HMAC.\n\nEnsure FIPS mode is enabled.\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? 
[yes/no(default)]:yes\nOS10(config)#\n\nConfigure an SNMP user to enforce SHA authentication.\nOS10(config)# snmp-server group Group3 3 priv notify NOTIFY\nOS10(config)# snmp-server user User3 Group3 3 auth sha ********** priv aes **********\n\nConfigure the SNMP server to use version 3 and enforce SHA authentication (auth) or both SHA authentication and AES encryption (priv).\nOS10(config)# snmp-server host 10.10.10.10 version 3 priv User3 snmp","ccis":["CCI-001967"]},{"vulnId":"V-269794","ruleId":"SV-269794r1051767_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.","description":"If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.","checkContent":"Review the OS10 Switch configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based.\n\nReview the configuration to verify that NTP authentication is configured when communicating with the NTP servers with the following commands:\n\nOS10# show running-configuration ntp\n!\nntp authenticate\nntp authentication-key 345 sha2-256 9 ****\nntp server 192.0.2.1 key 345 prefer\nntp server 192.0.2.5 key 345\nntp trusted-key 345\n\nIf the OS10 Switch does not authenticate NTP sources using authentication that is cryptographically based, this is a finding.","fixText":"Configure the OS10 Switch to authenticate NTP sources using authentication that is cryptographically based:\n\nOS10(config)# ntp authenticate\nOS10(config)# ntp trusted-key 345\nOS10(config)# ntp authentication-key 345 sha2-256 0 <key>\nOS10(config)# ntp server 
192.0.2.1 key 345 preferred\nOS10(config)# ntp server 192.0.2.5 key 345","ccis":["CCI-001967"]},{"vulnId":"V-269795","ruleId":"SV-269795r1052420_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must prohibit the use of cached authenticators after an organization-defined time period.","description":"Some authentication implementations can be configured to use cached authenticators.\n\nIf cached authentication information is out-of-date, the validity of the authentication information may be questionable.\n\nThe organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.","checkContent":"Review the OS10 Switch configuration to determine if it prohibits the use of cached authenticators after an organization-defined time period.\n\nVerify the rest authentication token validity setting is configured. 
If no entry is displayed, the default is 120 minutes.\n\nOS10# show running-configuration | grep \"rest authentication token validity\"\nrest authentication token validity 60\n\nIf cached authenticators are used after an organization-defined time period, this is a finding.","fixText":"Configure the OS10 Switch to prohibit the use of cached authenticators after an organization-defined time period:\n\nOS10(config)# rest authentication token validity {minutes}","ccis":["CCI-002007"]},{"vulnId":"V-269796","ruleId":"SV-269796r1051773_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. \n\nCurrently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.\n\nSeparate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. 
Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.","checkContent":"Verify the OS10 Switch uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.\n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode:           Enabled\nCrypto Library:      OpenSSL 1.0.2zg-fips  7 Feb 2023\nFIPS Object Module:  DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nVerify that SSH is enabled for network access by reviewing the SSH server status:\n\nOS10# show ip ssh | grep \"SSH Server:\"\nSSH Server:                   Enabled\n\nVerify that telnet is disabled on the switch by verifying that the following is not in the running-configuration:\n\nip telnet server enable\n\nIf FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.","fixText":"Configure the OS10 Switch to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? 
[yes/no(default)]:yes\nOS10(config)#\n\nDisable telnet if it has been enabled:\n\nOS10(config)# no ip telnet server enable\n\nEnable SSH if it has been disabled:\n\nOS10(config)# ip ssh server enable","ccis":["CCI-002890"]},{"vulnId":"V-269797","ruleId":"SV-269797r1052421_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.","description":"This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise, and potentially allowing hijacking of maintenance sessions.","checkContent":"Review the OS10 Switch configuration to determine if cryptographic mechanisms are implemented using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.\n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode:           Enabled\nCrypto Library:      OpenSSL 1.0.2zg-fips  7 Feb 2023\nFIPS Object Module:  DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nVerify that SSH is enabled for network access by reviewing the SSH server status:\n\nOS10# show ip ssh | grep \"SSH Server:\"\nSSH Server:                   Enabled\n\nVerify that telnet is disabled on the switch by verifying that the following is not in the running-configuration:\n\nip telnet server enable\n\nIf FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.","fixText":"Configure the OS10 Switch to implement cryptographic mechanisms to protect the confidentiality of 
remote maintenance sessions using a FIPS 140-2 approved algorithm:\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#\n\nDisable telnet if it has been enabled:\n\nOS10(config)# no ip telnet server enable\n\nEnable SSH if it has been disabled:\n\nOS10(config)# ip ssh server enable","ccis":["CCI-003123"]},{"vulnId":"V-269798","ruleId":"SV-269798r1051779_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). 
Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.\n\nThe security safeguards cannot be defined at the DOD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).","checkContent":"Determine if the OS10 Switch protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. Dell OS10 Switches provide DoS protection via control plane ACLs and Control Plane Policing (CoPP).\n\nUse the show control-plane info command to verify that the CoPP queue rate limits are appropriate to implement the organization-defined security safeguards:\n\nOS10# show control-plane info\nQueue                    Min Rate Limit(in pps)   Max Rate Limit(in pps)   Protocols\n0                        600                      600                      ISCSI UNKNOWN UNICAST\n1                        1000                     1000                     OPEN_FLOW SFLOW\n2                        400                      400                      IGMP PIM\n3                        600                      1000                     VLT NDS\n4                        500                      1000                     IPV6_ICMP IPV4_ICMP\n5                        500                      1000                     ICMPV6_RS ICMPV6_NS ICMPV6_RA ICMPV6_NA\n6                        500                      1000                     ARP_REQ SERVICEABILITY\n7                        500                      1000                     ARP_RESP\n8                        500                      500                      SSH TELNET TACACS NTP FTP\n9                        600                      600                      FCOE NVME\n10                       600                      1000                     LACP\n11             
          400                      400                      RSTP PVST MSTP\n12                       500                      500                      DOT1X LLDP FEFD\n13                       600                      1000                     IPV6_OSPF IPV4_OSPF\n14                       600                      1000                     OSPF_HELLO\n15                       600                      1000                     BGP\n16                       500                      500                      IPV6_DHCP IPV4_DHCP\n17                       600                      1000                     VRRP\n18                       700                      700                      BFD\n19                       1400                     2000                     REMOTE CPS\n20                       300                      300                      MCAST DATA\n21                       100                      100                      ACL LOGGING\n22                       300                      300                      MCAST KNOWN DATA\n23                       100                      100                      PTP\n24                       100                      100                      PORT_SECURITY\nOS10#\n\nUse the show running-configuration class-map and policy-map to review configured CoPP policies:\n\nOS10# show running-configuration class-map\n!\nclass-map type application class-iscsi\n!\nclass-map type control-plane example-copp-class-map-name\nOS10#\nOS10# show running-configuration policy-map\n!\npolicy-map type application policy-iscsi\n!\npolicy-map type control-plane example-copp-policy-map-name\n !\n class example-copp-class-map-name\n  set qos-group 2\n  police cir 100 pir 100\n\nExamine the interface configuration for the control plane ACLs applied to the traffic destined to the control plane from the OOBM management port or front panel data ports:\n\nOS10# show running-configuration control-plane\n!\ncontrol-plane\n ip access-group MGMT_TRAFFIC_FROM_OOBM 
mgmt in\n ip access-group MGMT_TRAFFIC_FROM_DATA data in\n\nReview the control plane ACLs and verify traffic is limited appropriately:\n\nOS10# show running-configuration access-list\n!\nip access-list MGMT_TRAFFIC_FROM_OOBM\n seq 10 permit ...\n seq 20 permit ...\n seq 30 deny ... log\n seq 40 deny ... log\n\n!\nip access-list MGMT_TRAFFIC_FROM_DATA\n seq 10 permit ...\n seq 20 permit ...\n seq 30 deny ... log\n seq 40 deny ... log\n\nIf the OS10 Switch does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.","fixText":"Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.\n\nCreate an appropriate QoS policy for CoPP:\n\nOS10(config)# class-map type control-plane example-copp-class-map-name\nOS10(config-cmap-control-plane)# exit\nOS10(config)# policy-map type control-plane example-copp-policy-map-name\nOS10(config-pmap-control-plane)# class example-copp-class-map-name\nOS10(config-pmap-c)# set qos-group 2\nOS10(config-pmap-c)# police cir 100 pir 100\n\nAssign the control-plane service-policy:\n\nOS10(config)# control-plane\nOS10(conf-control-plane)# service-policy input example-copp-policy-map-name\n\nConfigure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports:\n\nOS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM\nOS10(config-ipv4-acl)# permit ...\nOS10(config-ipv4-acl)# permit ...\nOS10(config-ipv4-acl)# deny ... log\nOS10(config-ipv4-acl)# deny ... log\n\nOS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA\nOS10(config-ipv4-acl)# permit ...\nOS10(config-ipv4-acl)# permit ...\nOS10(config-ipv4-acl)# deny ... log\nOS10(config-ipv4-acl)# deny ... 
log\n\nApply the ACLs to the ingress of the control-plane:\n\nOS10(config)# control-plane\nOS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in\nOS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in","ccis":["CCI-002385"]},{"vulnId":"V-269799","ruleId":"SV-269799r1051782_rule","severity":"medium","ruleTitle":"The application must install security-relevant firmware updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. \n\nOrganization-defined time periods for updating security-relevant firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install firmware patches across the enclave (e.g., mobile device management solutions). Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. 
Time frames for application of security-relevant firmware updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant firmware updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Verify the OS10 Switch version by entering the following command: \n\nOS10# show version\n\nVerify the release is the most recent approved release available on Dell.com. All OS10 releases supported by Dell can be found at https://www.dell.com/support.\n\nIf the OS10 Switch is not running an approved release within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs), this is a finding.","fixText":"Upgrade the network device to the latest version of the desired LTS version of OS10 available from Dell support.\n\nStep 1: Download the OS10 image file and GPG signature using secure file transfer from a trusted local server:\n\nOS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin\nDownload started.\nUse 'show image status' for updates\nOS10#\nOS10# show image status\nImage Upgrade State:     idle\n==================================================\nFile Transfer State:     transfer-success\n--------------------------------------------------\n  State Detail:          Completed: No error\n  Task Start:            2024-04-26T16:52:54Z\n  Task End:              2024-04-26T16:53:18Z\n  Transfer Progress:     100 %\n  Transfer Bytes:        959310070 bytes\n  File Size:             959310070 bytes\n  Transfer Rate:         44447 kbps\n\nInstallation State:      idle\n--------------------------------------------------\n  State Detail:          No install information available\n  Task Start:            0000-00-00T00:00:00Z\n  Task End:              
0000-00-00T00:00:00Z\nOS10#\nOS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg\nOS10#\nOS10#\nOS10# dir image\n\nDirectory contents for folder: image\nDate (modified)        Size (bytes)  Name\n---------------------  ------------  ------------------------------------------\n2024-04-26T16:53:16Z   959310070     PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin\n2024-04-26T16:57:36Z   566           PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg\nOS10#\n\nStep 2: Load the Dell GPG signing key and verify the image GPG signature:\n\nOS10# image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B\nOS10#\nOS10# image verify image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin gpg signature image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg\nImage verified successfully.\nOS10#\n\nStep 3: install the new OS10 image into the backup image partition:\n\nOS10# image install image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin\nInfo: Take the Backup of the configs which can be used during downgrade\nInstall started.\nUse 'show image status' for updates\nOS10#\nOS10# show image status\nImage Upgrade State:     idle\n==================================================\nFile Transfer State:     transfer-success\n--------------------------------------------------\n  State Detail:          Completed: No error\n  Task Start:            2024-04-26T16:58:01Z\n  Task End:              2024-04-26T16:58:01Z\n  Transfer Progress:     100 %\n  Transfer Bytes:        350 bytes\n  File Size:             350 bytes\n  Transfer Rate:         3 kbps\n\nInstallation State:      install-success\n--------------------------------------------------\n  State Detail:          Completed: Success\n  Task Start:            2024-04-26T17:04:48Z\n  Task End:              2024-04-26T17:22:03Z\nOS10#\n\nStep 4: Switch the standby image to be the boot image and reboot 
the switch:\n\nOS10#\nOS10# boot system standby\nOS10#\nOS10# reload\n\nProceed to reboot the system? [confirm yes/no]:yes","ccis":["CCI-002605"]},{"vulnId":"V-269800","ruleId":"SV-269800r1052422_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must generate log records for a locally developed list of auditable events.","description":"Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource usage or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.","checkContent":"Determine if the OS10 Switch generates audit log events for a locally developed list of auditable events.\n\nReview the OS10 Switch configuration to determine if audit logging is enabled:\n\n!\nlogging audit enable\n\nFor the locally developed list of audit items review the auditd rule set with the following command:\n\nOS10# system \"sudo auditctl -l\"\n-a never,user\n-a never,task\n-w /var/run/utmp -p wa -k session\n-w /var/log/btmp -p wa -k session\n-w /var/log/wtmp -p wa -k session\n-w /usr/bin/dpkg -p x -k software_mgmt\n-w /usr/bin/apt-add-repository -p x -k software_mgmt\n-w /usr/bin/apt-get -p x -k software_mgmt\n-w /usr/bin/aptitude -p x -k software_mgmt\nOS10#\n\nIf audit logging is not enabled or auditctl does not list rules for the desired auditable events, this is a finding.\n\nReview the OS10 Switch configuration to determine if audit logging is enabled:\n\n!\nlogging audit enable\n\nIf audit logging is not enabled, this is a finding.","fixText":"Configure the OS10 Switch to enable audit logging:\n\nOS10(config)# logging audit enable\n\nConfigure the switch to log a locally developed list of auditable events by adding appropriate configuration for audit as shown in the example below.\n\nFrom a shell as root, 
add desired audit rules to a file in the /etc/audit/rules.d/ directory, as in this example:\n\nOS10# system \"sudo -i\"\n[sudo] password for admin:\nroot@OS10:~# echo \"-w /var/log/sudo.log -p wa -k actions\" >> /etc/audit/rules.d/audit.rules\nroot@OS10:~#\n\nDelete any rules from the rule sets with the obsolete action of \"entry\":\n\nroot@OS10:~# sed -i '/-a entry/d' /etc/audit/rules.d/*\n\nReload the rules files:\n\nroot@OS10:~# augenrules --load","ccis":["CCI-000169","CCI-000366"]},{"vulnId":"V-269801","ruleId":"SV-269801r1051788_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce access restrictions associated with changes to the system components.","description":"Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.","checkContent":"Check the OS10 Switch to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the authorized administrators.\n\nChanges, deletions, and updates in Dell OS10 can only be done by users with the sysadmin, secadmin, or netadmin role. 
Verify that no unauthorized users are assigned to any of these roles:\n\nOS10# show running-configuration users\n\nIf any unauthorized users are assigned to the sysadmin, secadmin, or netadmin role, this is a finding.","fixText":"Assign any unauthorized users the netoperator role, which cannot make changes:\n\nOS10(config)# username <name> password ********** role netoperator","ccis":["CCI-000345","CCI-000366"]},{"vulnId":"V-269802","ruleId":"SV-269802r1052489_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider.","description":"For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority (CA) will suffice.\n\nSatisfies: SRG-APP-000516-NDM-000344, SRG-APP-000910-NDM-000300","checkContent":"Determine if the OS10 Switch obtains public key certificates from an appropriate certificate policy through an approved service provider.\n\nVerify the configured CA certificates with the following commands:\n\nOS10# show crypto ca-certs\n --------------------------------------\n|    Locally installed certificates    |\n --------------------------------------\nDOD_PKE.crt\nOS10#\nOS10# show crypto ca-certs DOD_PKE.crt\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 1 (0x1)\n...\n\nIf the OS10 Switch does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.","fixText":"Configure the OS10 Switch to obtain its public key certificates from an appropriate certificate policy through an approved service provider.\n\nInstall CA certificates using the crypto ca-cert install command 
as shown in the example below.\n\nOS10# crypto ca-cert install\nCertificate base file name : DOD_PKE\nPaste certificate below.\nInclude the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers.\nEnter a blank line to abort this command.\nCertificate:\n-----BEGIN CERTIFICATE-----\nMIID...\n...\n...=\n-----END CERTIFICATE-----\n\nInstall as trusted-host certificate? [yes/no]:n\nProcessing file ...\nInstalled Root CA certificate\n  CommonName = ...\n  IssuerName = ...\nOS10#","ccis":["CCI-000366","CCI-001159","CCI-004909"]},{"vulnId":"V-269803","ruleId":"SV-269803r1051794_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).","description":"The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.\n\nSatisfies: SRG-APP-000516-NDM-000350, SRG-APP-000515-NDM-000325","checkContent":"Verify the OS10 Switch is configured to send log data to at least two central log servers. 
\n\nOS10# show running-configuration logging\n!\nlogging audit enable\n!\nlogging server 10.0.0.4\nlogging server 10.0.0.8\n\nIf the OS10 Switch is not configured to send log data to at least two central log servers, this is a finding.","fixText":"Configure the OS10 Switch to send log data to at least two central log servers:\n\n!\nlogging audit enable\n!\nlogging server 10.0.0.4\nlogging server 10.0.0.8\n!","ccis":["CCI-001851"]},{"vulnId":"V-269804","ruleId":"SV-269804r1051797_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be running an operating system release that is currently supported by Dell.","description":"Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.","checkContent":"Verify the OS10 Switch complies with this requirement by entering the following command: \n\nOS10# show version\n\nVerify the release is still supported by Dell. All OS10 releases supported by Dell can be found at https://www.dell.com/support.\n\nIf the OS10 Switch is not running an operating system release that is currently supported by Dell, this is a finding.","fixText":"Upgrade the network device to the latest version of the desired LTS version of OS10 available from Dell support.\n\nStep 1: Download the OS10 image file and GPG signature using secure file transfer from a trusted local server:\n\nOS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin\nDownload started.\nUse 'show image status' for updates\nOS10#\nOS10# show image status\nImage Upgrade State:     idle\n==================================================\nFile Transfer State:     transfer-success\n--------------------------------------------------\n  State Detail:          Completed: No error\n  Task Start:            2024-04-26T16:52:54Z\n  Task End:              2024-04-26T16:53:18Z\n  Transfer Progress:     100 %\n  Transfer Bytes:        959310070 
bytes\n  File Size:             959310070 bytes\n  Transfer Rate:         44447 kbps\n\nInstallation State:      idle\n--------------------------------------------------\n  State Detail:          No install information available\n  Task Start:            0000-00-00T00:00:00Z\n  Task End:              0000-00-00T00:00:00Z\nOS10#\nOS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg\nOS10#\nOS10#\nOS10# dir image\n\nDirectory contents for folder: image\nDate (modified)        Size (bytes)  Name\n---------------------  ------------  ------------------------------------------\n2024-04-26T16:53:16Z   959310070     PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin\n2024-04-26T16:57:36Z   566           PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg\nOS10#\n\nStep 2: Load the Dell GPG signing key and verify the image GPG signature:\n\nOS10# image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B\nOS10#\nOS10# image verify image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin gpg signature image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg\nImage verified successfully.\nOS10#\n\nStep 3: Install the new OS10 image into the backup image partition:\n\nOS10# image install image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin\nInfo: Take the Backup of the configs which can be used during downgrade\nInstall started.\nUse 'show image status' for updates\nOS10#\nOS10# show image status\nImage Upgrade State:     idle\n==================================================\nFile Transfer State:     transfer-success\n--------------------------------------------------\n  State Detail:          Completed: No error\n  Task Start:            2024-04-26T16:58:01Z\n  Task End:              2024-04-26T16:58:01Z\n  Transfer Progress:     100 %\n  Transfer Bytes:        350 bytes\n  File Size:             350 bytes\n  Transfer Rate:         3 
kbps\n\nInstallation State:      install-success\n--------------------------------------------------\n  State Detail:          Completed: Success\n  Task Start:            2024-04-26T17:04:48Z\n  Task End:              2024-04-26T17:22:03Z\nOS10#\n\nStep 4: Switch the standby image to be the boot image and reboot the switch:\n\nOS10#\nOS10# boot system standby\nOS10#\nOS10# reload\n\nProceed to reboot the system? [confirm yes/no]:yes","ccis":["CCI-000366"]},{"vulnId":"V-269805","ruleId":"SV-269805r1051800_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must not have any default manufacturer passwords when deployed.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. 
The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"If a default password is still configured for any user, warning messages will be displayed on login directly above the initial prompt, as shown below.\n\nLog in to OS10 and verify that no warning messages about default passwords are displayed above the initial prompt:\n\n%Warning : Default password for admin account should be changed to secure the system\n%Warning : Default password for linuxadmin account should be changed to secure the system.\nOS10#\n\nIf any default password warnings are displayed, this is a finding.\n\nIf \"system-user linuxadmin disable\" is not shown in the switch configuration, this is a finding.","fixText":"Configure new passwords for the admin and linuxadmin users as shown below and disable the linuxadmin account:\n\nOS10(config)# username admin password ********** role sysadmin\n\nOS10(config)# system-user linuxadmin password ************\nOS10(config)# system-user linuxadmin disable","ccis":["CCI-004061"]},{"vulnId":"V-270643","ruleId":"SV-270643r1052343_rule","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.","description":"Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. 
The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators with multiple authenticators for each network device.","checkContent":"Review the OS10 switch configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication. Verify that multiple RADIUS servers are configured and that AAA login authentication is configured to use remote authentication.\n\nOS10#\nOS10# show running-configuration radius-server\nradius-server host 10.120.60.23 tls security-profile PROFILE-1 key 9 ****\nradius-server host 10.120.80.82 tls security-profile PROFILE1 key 9 ****\nOS10#\nOS10# show running-configuration aaa\n!\naaa authentication login default group radius local\naaa authentication login console local group radius\nOS10#\n\nIf the OS10 switch is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.","fixText":"Configure the network device to use at least two authentication servers. 
The authentication order is determined by the order in which the radius-server entries are configured.\n\nOS10(config)#\nOS10(config)# radius-server host 10.120.60.23 tls security-profile PROFILE1 key ******************\nOS10(config)# radius-server host 10.120.80.82 tls security-profile PROFILE1 key ******************\nOS10(config)#\nOS10(config)# aaa authentication login default group radius local\nOS10(config)# aaa authentication login console group radius local\nOS10(config)#\n\nConfigure all network connections associated with device management to use the authentication servers for login authentication:\n\nOS10(config)# aaa authentication login default group radius local\n\nOptionally, configure local console access to try local authentication before attempting the remote authentication servers:\n\nOS10(config)# aaa authentication login console local group radius","ccis":["CCI-000370"]},{"vulnId":"V-270644","ruleId":"SV-270644r1052341_rule","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to synchronize internal information system clocks using redundant authoritative time sources.","description":"The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.\n\nMultiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. 
This requirement is related to the comparison done in CCI-001891.\n\nDOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be in a different geographic region than the primary time source.","checkContent":"Determine if the OS10 Switch is configured to synchronize internal information system clocks with the primary and secondary time sources.\n\nReview the configuration to verify that the primary and secondary time sources are configured as NTP servers with the following commands:\n\nOS10# show running-configuration ntp\n!\nntp authenticate\nntp authentication-key 345 sha2-256 9 ****\nntp server 192.0.2.1 key 345 prefer\nntp server 192.0.2.5 key 345\nntp trusted-key 345\n\nIf the OS10 Switch is not configured to synchronize internal information system clocks with the primary and secondary time sources, this is a finding.","fixText":"Configure the OS10 Switch to synchronize internal information system clocks with the primary and secondary time sources:\n\nOS10(config)# ntp authenticate\nOS10(config)# ntp trusted-key 345\nOS10(config)# ntp authentication-key 345 sha2-256 0 <key>\nOS10(config)# ntp server 192.0.2.1 key 345 prefer\nOS10(config)# ntp server 192.0.2.5 key 345","ccis":["CCI-004922","CCI-004923"]}]}