11:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"Dell OS10 Switch NDM Security Technical Implementation Guide"}],false,["$","$L1b",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Dec 11, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-xs text-gray-500","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Dell_OS10_Switch_NDM_STIG","children":"Dell_OS10_Switch_NDM_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":39}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",14]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",25]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Dell%20OS10%20Switch%20NDM%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Dell%20OS10%20Switch%20NDM%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Dell%20OS10%20Switch%20NDM%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Dell_OS10_Switch_Y26M04_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-brand/10 text-brand hover:bg-brand/20 border-brand/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1c",null,{"checks":[{"id":"acc1ac95-c0b0-497b-9566-e8709bc839d0","vulnId":"V-269768","severity":"medium","ruleTitle":"The Dell OS10 Switch must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.","description":"Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.","checkContent":"Review the network device configuration to verify if the device limits the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types. \n\nReview the running-configuration. Verify the configuration includes \"login concurrent-session limit\" followed by the number of sessions defined by the organization.\n\nNote: The default concurrent session limit is 10, so if it is not displayed when viewing the configuration, the limit is set to 10. \n\nIf the network device does not limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type, this is a finding.","fixText":"Configure the network device to limit the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types, as in the following example.\n\nOS10(config)# login concurrent-session limit 3"},{"id":"5323e064-5c46-44dc-9164-8e14d12624a9","vulnId":"V-269769","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to assign appropriate user roles or access levels to authenticated users.","description":"$1d","checkContent":"If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this requirement. Because the responsibility for meeting this requirement is transferred to the AAA broker, this requirement is not applicable for the local network device. This requirement may be verified by demonstration or configuration review.\n\nVerify the Dell OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. Verify the correct role is assigned to each user.\n\nOS10# show running-configuration users\nusername admin password **** role sysadmin priv-lvl 15\nusername op100 password **** role netoperator priv-lvl 1\nOS10#\n\nIf any users are assigned to the wrong role, this is a finding.","fixText":"Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users.\n\nOS10(config)# username password ********** role "},{"id":"73ba7002-6799-467b-809a-50a8cf780ccb","vulnId":"V-269770","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.","description":"$1e","checkContent":"$1f","fixText":"Configure the OS10 Switch to restrict management access to specific IP addresses as shown in the example below.\n\nStep 1: Configure inbound ACLs to restrict which packets should be allowed to reach to the control plane from the OOBM port and from the front panel data ports:\n\nOS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM\nOS10(config-ipv4-acl)# seq 10 permit ip 192.168.105.0/28 192.168.105.17/32\nOS10(config-ipv4-acl)# seq 20 deny ip any 192.168.105.17/32 log\n\nOS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA\nOS10(config-ipv4-acl)# seq 10 permit ip 10.20.30.0/24 10.20.31.1/32\nOS10(config-ipv4-acl)# seq 20 deny ip any 10.20.31.1 log\n\nStep 2: Apply the ACLs to the ingress of the control-plane:\n\nOS10(config)# control-plane\nOS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in\nOS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in"},{"id":"6edff18a-d39f-4a4d-942d-49a46bb9e91b","vulnId":"V-269771","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.","checkContent":"Review the Dell OS10 Switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts and a 15-minute lockout period as shown in the example below:\n\npassword-attributes lockout-period 15\n\nNote: Since the max-retry value of three is the default value, it will not be displayed when viewing the configuration. So, if the password-attributes max-retry value is not displayed then it is set to three attempts. \n\nIf the Dell OS10 Switch is not configured to enforce the limit of three consecutive invalid logon attempts and a 15-minute lockout period, this is a finding.","fixText":"Configure the Dell OS10 Switch to enforce the limit of three consecutive invalid logon attempts and a 15-minute lockout as shown in the example below:\n\nOS10(config)# password-attributes max-retry 3 lockout-period 15"},{"id":"a3efa716-1438-4598-8ee5-c4b8b19f51a6","vulnId":"V-269772","severity":"medium","ruleTitle":"The Dell OS10 device must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.","description":"Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.\n\nSatisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216","checkContent":"$20","fixText":"$21"},{"id":"9640bb03-0b04-4988-80d0-aaf6adcf6154","vulnId":"V-269773","severity":"medium","ruleTitle":"The Dell OS10 Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation.","description":"This requirement supports nonrepudiation of actions taken by an administrator and is required to maintain the integrity of the configuration management process. All configuration changes to the network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement.\n\nTo meet this requirement, the network device must log administrator access and activity.","checkContent":"Verify the OS10 Switch protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation. \n\nReview the OS10 Switch configuration to determine if audit logging is enabled:\n\n!\nlogging audit enable\n\nIf audit logging is not enabled, this is a finding.","fixText":"Configure the OS10 Switch to enable audit logging:\n\nOS10(config)# logging audit enable"},{"id":"ed649e69-2d15-41ec-ba9a-bcdb3ff38d2d","vulnId":"V-269774","severity":"medium","ruleTitle":"The Dell OS10 Switch must initiate session auditing upon startup.","description":"If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nSatisfies: SRG-APP-000092-NDM-000224, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000319-NDM-000283, SRG-APP-000343-NDM-000289, SRG-APP-000381-NDM-000305, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323","checkContent":"Check the OS10 Switch to determine if it initiates session auditing upon startup:\n\n!\nlogging audit enable\n\nIf theOS10 Switch does not initiate session auditing upon startup, this is a finding.","fixText":"Configure the OS10 Switch to initiate session auditing upon startup:\n\nOS10(config)# logging audit enable"},{"id":"4e4cb0bd-0f87-4df4-b773-5e1099fd382a","vulnId":"V-269775","severity":"medium","ruleTitle":"The Dell OS10 Switch must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.","description":"Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. \n\nAccordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. \n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).","checkContent":"Determine if the OS10 Switch prevents the installation of patches, service packs, or application components without verifying the software component has been digitally signed using a certificate that is recognized and approved by the organization. \n\nImage install commands verify signatures if OS10 secure-boot is enabled. Verify that OS10 secure-boot feature is enabled with the following command:\n\nOS10# show secure-boot status\nLast boot was via secure boot : yes\nSecure boot configured : yes\nLatest startup config protected: yes\nBIOS secure boot:\nBIOS Secure boot configured: yes\n\nIf BIOS Secure boot is not configured, this is a finding.","fixText":"Install OS10 images with digital signature verification using the following command.\n\nEnable OS10 secure-boot, if necessary, with the following command. Reload the switch after enabling secure boot.\n\nOS10# secure-boot enable\n\nWith OS10 secure-boot enabled, install OS10 images with the following command:\n\nOS10# image secure-install {sha256 signature | gpg signature | pki signature publickey\n}"},{"id":"3976f98c-3da4-4335-9b49-374099d19574","vulnId":"V-269776","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.","description":"$22","checkContent":"Determine if the network device prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. \n\nVerify the configuration does not include unnecessary or nonsecure protocols and services:\n\nip telnet server enable\nrest api restconf\neula-consent support-assist accept\n\nIf any unnecessary or nonsecure functions are permitted, this is a finding.","fixText":"Configure the OS10 Switch to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services:\n\nOS10(config)# no ip telnet server enable\nOS10(config)# no rest api restconf\nOS10(config)# eula-consent support-assist reject"},{"id":"c65e6193-0459-420c-9670-4ff8f6ff8920","vulnId":"V-269777","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to disable the Bash shell.","description":"$23","checkContent":"Verify the bash shell is disabled.\n\nCheck the switch configuration for the setting \"system-cli disable\".\n\nIf system-cli disable is not configured, this is a finding.","fixText":"Disable Bash shell from the CLI:\n\nOS10# configure terminal\nOS10(config)# system-cli disable"},{"id":"51790f4c-372c-4af2-a0a5-e93d2f2fb441","vulnId":"V-269778","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.","description":"Authentication for administrative (privileged level) access to the device is always required. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is necessary.\n\nThe account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.","checkContent":"Review the network device configuration to determine if an account of last resort is configured. Verify default admin and other vendor-provided accounts are disabled, removed, or renamed where possible. Verify the username and password for the account of last resort is contained within a sealed envelope and kept in a safe. \n\nStep 1: Verify the Dell OS10 Switch is configured with only a single local user account. If one local account does not exist for use as the account of last resort, this is a finding. \n\nVerify the role is sysadmin.\n\nOS10# show running-configuration users\nusername alradmin password **** role sysadmin priv-lvl 15\nOS10#\n\nStep 2: Verify the linuxadmin system user has been disabled:\n\nOS10# show running-configuration | grep system-user\nsystem-user linuxadmin disable\nsystem-user linuxadmin password ****\nOS10#\n\nIf one local account does not exist for use as the account of last resort or the linuxadmin system-user has not been disabled, this is a finding.","fixText":"Configure the OS10 Switch to only allow one local account for use as the account of last resort.\n\nDisable the linuxadmin system user:\n\nOS10(config)# system-user linuxadmin disable\n\n%Warning : Operation is not recommended in absence of console access.\nDo you want to proceed ? [yes/no(default)]:yes\nOS10(config)#\n\nDelete any extra local users with the following command:\n\nOS10(config)# no username admin\n\nNote: The account of last resort must be added before the default admin account can be deleted."},{"id":"2e3f94bb-a256-4f14-8434-6ef48c89b5d6","vulnId":"V-269779","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.","description":"$24","checkContent":"Verify the OS10 Switch is configured to use DOD PKI as MFA for interactive logins. Evidence of successful configuration is usually indicated by a prompt for the user to insert a smartcard. If the smartcard is already inserted, the network device will prompt the user to enter the corresponding PIN which unlocks the certificate keystore on the smartcard. \n\nReview the running-configuration to verify that X.509v3 authentication is enabled for SSH. Verify the PKI authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile (\"no peer-name-check\" is not present).\n\nip ssh server x509v3-authentication security-profile cacpiv-prof\n...\ncrypto security-profile \n certificate \n ocsp-check \n...\n\nIf the OS10 Switch is not configured to use DOD PKI as MFA for interactive logins, this is a finding. \nIf peer-name-check has been disabled in the security profile this is a finding.","fixText":"Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA. Configure the SSH server to enable authentication by PKI certificate:\n\nOS10(config)#\nOS10(config)# crypto security-profile \nOS10(config-sec-profile)# certificate \nOS10(config-sec-profile)# peer-name-check\nOS10(config-sec-profile)# ocsp-check \nOS10(config-sec-profile)# exit\nOS10(config)#\nOS10(config)# ip ssh server x509v3-authentication security-profile \nOS10(config)#"},{"id":"bac25f45-2ce6-41c5-98bf-4e8602206e52","vulnId":"V-269780","severity":"medium","ruleTitle":"The Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.","checkContent":"Review the OS10 Switch configuration to determine if replay-resistant authentication mechanisms are implemented for network access to privileged accounts.\n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode: Enabled\nCrypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023\nFIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nVerify that SSH is enabled for network access by reviewing the SSH server status:\n\nOS10# show ip ssh | grep \"SSH Server:\"\nSSH Server: Enabled\n\nVerify that telnet is disabled on the switch by verifying that the following is not in the running-configuration: \n\nip telnet server enable\n\nIf FIPS mode is not enabled or if the SSH is not enabled or if telnet is enabled in the OS10 Switch, this is a finding.","fixText":"Configure the OS10 Switch to implement replay-resistant authentication mechanisms for network access to privileged accounts:\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#\n\nDisable telnet if it has been enabled:\n OS10(config)# no ip telnet server enable\n\nEnable SSH if it has been disabled:\n OS10(config)# ip ssh server enable"},{"id":"fb5c4847-16ed-4a38-8714-4f9eaed14de3","vulnId":"V-269781","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce a minimum 15-character password length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Determine if the OS10 Switch or its associated authentication server enforces a minimum 15-character password length. \n\nReview the configuration to verify that the min-length password-attribute is set to 15:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes min-length 15\n\nIf the OS10 Switch or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.","fixText":"Configure the OS10 Switch or its associated authentication server to enforce a minimum 15-character password length:\n\nOS10(config)# password-attributes min-length 15"},{"id":"21c9072a-50ad-40d1-8d33-04b3759882c2","vulnId":"V-269782","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one uppercase character be used.\n\nReview the configuration to verify that the upper password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction upper 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one uppercase character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one uppercase character be used:\n\nOS10(config)# password-attributes character-restriction upper 1"},{"id":"b37f6f61-f782-42c2-9930-d3bf2b8da812","vulnId":"V-269783","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one lower-case character be used.\n\nReview the configuration to verify that the lower password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction lower 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one lowercase character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one lowercase character be used:\n\nOS10(config)# password-attributes character-restriction lower 1"},{"id":"b41aa123-cdc8-4553-9317-673598622943","vulnId":"V-269784","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one numeric character be used.\n\nReview the configuration to verify that the numeric password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction numeric 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one numeric character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one numeric character be used:\n\nOS10(config)# password-attributes character-restriction numeric 1"},{"id":"761124ff-ca1e-420b-83ed-c9508e9d42f5","vulnId":"V-269785","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Where passwords are used, confirm that the OS10 Switch and associated authentication server enforces password complexity by requiring that at least one special character be used.\n\nReview the configuration to verify that the special-char password-attribute is set to 1:\n\nOS10# show running-configuration password-attributes\n!\npassword-attributes character-restriction special-char 1\n\nIf the OS10 Switch and associated authentication server does not require that at least one special character be used in each password, this is a finding.","fixText":"Configure the OS10 Switch and associated authentication server to enforce password complexity by requiring that at least one special character be used:\n\nOS10(config)# password-attributes character-restriction special-char 1"},{"id":"aa714621-ea3a-4298-bb35-9f0e7bac39b8","vulnId":"V-269786","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to use DOD-approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.","description":"$25","checkContent":"Verify the OS10 Switch is configured to validate certificates used for PKI-based authentication using DOD-approved OCSP or CRL resources. \n\nVerify that OSCP validation using the appropriate DOD OCSP responder is enabled in the security profile:\n\nip ssh server x509v3-authentication security-profile cacpiv-prof\n...\ncrypto security-profile \n ...\n ocsp-check \n...\n\nIf the OS10 Switch is not configured to validate certificates used for PKI-based authentication using DOD approved OCSP or CRL sources, this is a finding.","fixText":"Configure the OS10 Switch to validate certificates used for PKI-based authentication using DOD approved OCSP or CRL sources:\n\nOS10(config)#\nOS10(config)# crypto security-profile \nOS10(config-sec-profile)# ocsp-check \nOS10(config-sec-profile)# exit\nOS10(config)#"},{"id":"70ea0671-920a-4dac-993f-f6392f92ea65","vulnId":"V-269787","severity":"high","ruleTitle":"The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.","description":"$26","checkContent":"If PKI-based authentication is not used as the MFA solution for interactive logins, this requirement is not applicable.\n\nOS10 maps certificates to valid usernames by comparing the common name and user principal name in the certificate to the unique user account name. This check is applied by default unless name checking has been disabled in the security profile with the \"no peer-name-check\" setting. \n\nReview the running-configuration to verify that X.509v3 authentication is enabled for SSH. Verify the PKI authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile (\"no peer-name-check\" is not present).\n\nip ssh server x509v3-authentication security-profile cacpiv-prof\n...\ncrypto security-profile \n certificate \n ocsp-check \n...\n\nIf peer-name-check has been disabled in the security profile this is a finding.","fixText":"Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA. Configure the SSH server to enable authentication by PKI certificate.\n\nOS10(config)#\nOS10(config)# crypto security-profile \nOS10(config-sec-profile)# certificate \nOS10(config-sec-profile)# peer-name-check\nOS10(config-sec-profile)# ocsp-check \nOS10(config-sec-profile)# exit\nOS10(config)#\nOS10(config)# ip ssh server x509v3-authentication security-profile \nOS10(config)#"},{"id":"729a09f1-d155-42c6-ac09-24d6034b928f","vulnId":"V-269788","severity":"high","ruleTitle":"The Dell OS10 Switch must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nNetwork devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.\n\nSatisfies: SRG-APP-000179-NDM-000265, SRG-APP-000172-NDM-000259","checkContent":"Determine if the network device uses FIPS 140-2 approved algorithms for authentication to a cryptographic module. \n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode: Enabled\nCrypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023\nFIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nIf the network device is not configured to use a FIPS-approved authentication algorithm to a cryptographic module, this is a finding.","fixText":"Configure the network device to use FIPS 140-2 approved algorithms for authentication to a cryptographic module:\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#"},{"id":"89bbc91c-b6b7-4d85-a07e-facf55375871","vulnId":"V-269789","severity":"high","ruleTitle":"The Dell OS10 Switch must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nSatisfies: SRG-APP-000190-NDM-000267, SRG-APP-000186-NDM-000266, SRG-APP-000516-NDM-000336","checkContent":"Determine if the network device terminates the connection associated with a device management session at the end of the session or after five minutes of inactivity. \n\nReview the running-configuration. Verify the configuration includes \"exec-timeout 300\" which disconnects sessions after five minutes of inactivity.\n\nIf the network device does not terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity, this is a finding.","fixText":"Configure the OS10 Switch to terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity:\n\nOS10(config)# exec-timeout 300"},{"id":"09091179-00f9-4dc4-b4d2-e3b06d54c992","vulnId":"V-269790","severity":"high","ruleTitle":"The Dell OS10 Switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. \n\nPrivileged functions include establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations.\n\nSatisfies: SRG-APP-000340-NDM-000288, SRG-APP-000329-NDM-000287","checkContent":"Determine if the OS10 Switch prevents nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nAccess to privileged functions is restricted by OS10 to users with the appropriate role. Verify the OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. Verify the correct role is assigned to each user:\n\nOS10# show running-configuration users\nusername admin password **** role sysadmin priv-lvl 15\nusername op100 password **** role netoperator priv-lvl 1\nOS10#\n\nIf the OS10 Switch does not prevent nonprivileged users from executing privileged functions, this is a finding.","fixText":"Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users:\n\nOS10(config)# username password ********** role "},{"id":"ffbf9f34-a1dc-402c-8dfc-8f8adc834f73","vulnId":"V-269791","severity":"medium","ruleTitle":"The Dell OS10 Switch must generate an immediate real-time alert of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).\n\nSatisfies: SRG-APP-000360-NDM-000295, SRG-APP-000795-NDM-000130","checkContent":"Determine if the OS10 Switch generates an immediate alert of all audit failure events requiring real-time alerts.\n\nVerify that syslog is configured to use a connection-based protocol, either TCP or TLS, when connecting to a remote syslog server:\n\nOS10# show running-configuration logging\n!\n...\nlogging server 100.94.75.111 tcp 514\n\nIf the OS10 Switch is not configured to use either TCP or TLS for connection to the remote syslog servers, this is a finding.","fixText":"Configure the OS10 Switch to use either TCP or TLS for connection to the remote syslog servers:\n\nOS10(config)# logging server 100.94.75.111 tcp"},{"id":"434ac566-c620-44a7-b054-1fcd04702aef","vulnId":"V-269793","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).","description":"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.","checkContent":"Review the OS10 Switch configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-HMAC.\n\nStep 1: Review the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode: Enabled\nCrypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023\nFIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nStep 2: Review the SNMP configuration to verify that the server is configured to enforce authentication ({auth|priv} {name}). Verify the SNMP user is configured for SHA authentication (auth sha):\n\nOS10(config)# show running-configuration snmp\n!\n...\nsnmp-server group Group3 3 priv notify NOTIFY\nsnmp-server host 10.10.10.10 traps version 3 priv User3\nsnmp-server user User3 Group3 3 encrypted auth sha **** priv aes ****\n\nIf SNMP is not configured to enforce authentication or FIPS mode is not enabled, this is a finding.","fixText":"Configure the OS10 Switch to authenticate SNMP messages using a FIPS-validated Keyed-HMAC.\n\nEnsure FIPS mode is enabled.\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#\n\nConfigure an SNMP user to enforce SHA authentication.\nOS10(config)# snmp-server group Group3 3 priv notify NOTIFY\nOS10(config)# snmp-server user User3 Group3 3 auth sha ********** priv aes **********\n\nConfigure the SNMP server to use version 3 and enforce SHA authentication (auth) or both SHA authentication and AES encryption (priv).\nOS10(config)# snmp-server host 10.10.10.10 version 3 priv User3 snmp"},{"id":"a71f1861-ff8c-4913-ad52-2aa7961b2b2b","vulnId":"V-269794","severity":"medium","ruleTitle":"The Dell OS10 Switch must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.","description":"If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.","checkContent":"Review the OS10 Switch configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based.\n\nReview the configuration to verify that NTP authentication is configured when communicating with the NTP servers with the following commands:\n\nOS10# show running-configuration ntp\n!\nntp authenticate\nntp authentication-key 345 sha2-256 9 ****\nntp server 192.0.2.1 key 345 prefer\nntp server 192.0.2.5 key 345\nntp trusted-key 345\n\nIf the OS10 Switch not authenticate NTP sources using authentication that is cryptographically based, this is a finding.","fixText":"Configure the OS10 Switch to authenticate NTP sources using authentication that is cryptographically based:\n\nOS10(config)# ntp authenticate\nOS10(config)# ntp trusted-key 345\nOS10(config)# ntp authentication-key 345 sha2-256 0 \nOS10(config)# ntp server 192.0.2.1 key 345 preferred\nOS10(config)# ntp server 192.0.2.5 key 345"},{"id":"049a7a21-b3f5-4768-bf02-40bdee73591e","vulnId":"V-269795","severity":"medium","ruleTitle":"The Dell OS10 Switch must prohibit the use of cached authenticators after an organization-defined time period.","description":"Some authentication implementations can be configured to use cached authenticators.\n\nIf cached authentication information is out-of-date, the validity of the authentication information may be questionable.\n\nThe organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.","checkContent":"Review the OS10 Switch configuration to determine if it prohibits the use of cached authenticators after an organization-defined time period.\n\nVerify the rest authentication token validity setting is configured. If no entry is displayed, the default is 120 minutes.\n\nOS10# show running-configuration | grep \"rest authentication token validity\"\nrest authentication token validity 60\n\nIf cached authenticators are used after an organization-defined time period, this is a finding.","fixText":"Configure the OS10 Switch to prohibit the use of cached authenticators after an organization-defined time period:\n\nOS10(config)# rest authentication token validity {minutes}"},{"id":"79ccaaea-58f5-4db4-a0bc-538a04a4a971","vulnId":"V-269796","severity":"high","ruleTitle":"The Dell OS10 Switch must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.","description":"$27","checkContent":"Verify the OS10 Switch uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.\n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode: Enabled\nCrypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023\nFIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nVerify that SSH is enabled for network access by reviewing the SSH server status:\n\nOS10# show ip ssh | grep \"SSH Server:\"\nSSH Server: Enabled\n\nVerify that telnet is disabled on the switch by verifying that the following is not in the running-configuration: \nip telnet server enable\n\n If FIPS mode is not enabled or if the SSH is not enabled or if telnet is enabled in the OS10 Switch, this is a finding.","fixText":"Configure the OS10 Switch to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#\n\nDisable telnet if it has been enabled:\n\n OS10(config)# no ip telnet server enable\n\nEnable SSH if it has been disabled:\n\n OS10(config)# ip ssh server enable"},{"id":"e6c18414-3c72-4553-9e5f-099aa7e33539","vulnId":"V-269797","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.","description":"This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise, and potentially allowing hijacking of maintenance sessions.","checkContent":"Review the OS10 Switch configuration to determine if cryptographic mechanisms are implemented using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.\n\nReview the FIPS status to verify that FIPS mode is enabled, as shown below:\n\nOS10# show fips status\n\nFIPS mode: Enabled\nCrypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023\nFIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021\nOS10#\n\nVerify that SSH is enabled for network access by reviewing the SSH server status:\n\nOS10# show ip ssh | grep \"SSH Server:\"\nSSH Server: Enabled\n\nVerify that telnet is disabled on the switch by verifying that the following is not in the running-configuration: \n\nip telnet server enable\n\nIf FIPS mode is not enabled, if the SSH is not enabled, or if telnet is enabled in the OS10 Switch, this is a finding.","fixText":"Configure the OS10 Switch to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm:\n\nOS10(config)# crypto fips enable\n\nWARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!\nContinue? [yes/no(default)]:yes\nOS10(config)#\n\nDisable telnet if it has been enabled:\n OS10(config)# no ip telnet server enable\n\nEnable SSH if it has been disabled:\n OS10(config)# ip ssh server enable"},{"id":"5f431172-d6f5-468f-846b-a94951d0c21a","vulnId":"V-269798","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.","description":"$28","checkContent":"$29","fixText":"$2a"},{"id":"68713fe5-76f5-4222-aaf1-a29d4588a0b8","vulnId":"V-269799","severity":"medium","ruleTitle":"The application must install security-relevant firmware updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"$2b","checkContent":"Verify the OS10 Switch version by entering the following command: \n\nOS10# show version\n\nVerify the release is the most recent approved release available on Dell.com. All OS10 releases supported by Dell can be found at https://www.dell.com/support.\n\nIf the OS10 Switch is not running an approved release within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs), this is a finding.","fixText":"$2c"},{"id":"2a8d8d37-b6b6-43d8-9ead-1773fb63b13e","vulnId":"V-269800","severity":"medium","ruleTitle":"The Dell OS10 Switch must generate log records for a locally developed list of auditable events.","description":"Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource usage or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.","checkContent":"Determine if the OS10 Switch generates audit log events for a locally developed list of auditable events.\n\nReview the OS10 Switch configuration to determine if audit logging is enabled:\n\n!\nlogging audit enable\n\nFor the locally developed list of audit items review the auditd rule set with the following command:\n\nOS10# system \"sudo auditctl -l\"\n-a never,user\n-a never,task\n-w /var/run/utmp -p wa -k session\n-w /var/log/btmp -p wa -k session\n-w /var/log/wtmp -p wa -k session\n-w /usr/bin/dpkg -p x -k software_mgmt\n-w /usr/bin/apt-add-repository -p x -k software_mgmt\n-w /usr/bin/apt-get -p x -k software_mgmt\n-w /usr/bin/aptitude -p x -k software_mgmt\nOS10#\n\nIf audit logging is not enabled or auditctl does not list rules for the desired auditable events, this is a finding.\n\nReview the OS10 Switch configuration to determine if audit logging is enabled:\n\n!\nlogging audit enable\n\nIf audit logging is not enabled, this is a finding.","fixText":"Configure the OS10 Switch to enable audit logging:\n\nOS10(config)# logging audit enable\n\nConfigure the switch to log a locally developed list of auditable events by adding appropriate configuration for audit as shown in the example below.\n\nFrom a shell as root, add desired audit rules to a file in the /etc/audit/rules.d/ directory, as in this example:\n\nOS10# system \"sudo -i\"\n[sudo] password for admin:\nroot@OS10:~# echo “-w /var/log/sudo.log -p wa -k actions\" >> /etc/audit/rules.d/audit.rules\nroot@OS10:~#\n\nDelete any rules from the rule sets with the obsolete action of “entry”:\n\nroot@OS10:~# sed -i '/-a entry/d' /etc/audit/rules.d/*\n\nReload the rules files:\n\nroot@OS10:~# augenrules --load"},{"id":"33c7d38a-6b0d-4f08-a1ff-113334ef464b","vulnId":"V-269801","severity":"medium","ruleTitle":"The Dell OS10 Switch must enforce access restrictions associated with changes to the system components.","description":"Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.","checkContent":"Check the OS10 Switch to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the authorized administrators.\n\nChanges, deletions, and updates in Dell OS10 can only be done by users with sysadmin, secadmin, or netadmin role. Verify if there are any unauthorized users assigned to the any of these roles:\n\nOS10# show running-configuration users\n\nIf any unauthorized users are assigned to the sysadmin, secadmin, or netadmin role, this is a finding.","fixText":"Configure any unauthorized users to have the netoperator role that cannot make any changes:\n\nOS10(config)# username password ********** role netoperator"},{"id":"50a0a0e4-2194-4245-a90c-a43d794a4fb0","vulnId":"V-269802","severity":"medium","ruleTitle":"The Dell OS10 Switch must obtain its public key certificates from an appropriate certificate policy through an approved service provider.","description":"For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority (CA) will suffice.\n\nSatisfies: SRG-APP-000516-NDM-000344, SRG-APP-000910-NDM-000300","checkContent":"Determine if the OS10 Switch obtains public key certificates from an appropriate certificate policy through an approved service provider.\n\nVerify the configured CA certificates with the following commands:\n\nOS10# show crypto ca-certs\n --------------------------------------\n| Locally installed certificates |\n --------------------------------------\nDOD_PKE.crt\nOS10#\nOS10# show crypto ca-certs DOD_PKE.crt\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n...\n\nIf the OS10 Switch does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.","fixText":"Configure the OS10 Switch to obtain its public key certificates from an appropriate certificate policy through an approved service provider.\n\nInstall CA certificates using the crypto ca-cert install command as shown in the example below.\n\nOS10# crypto ca-cert install\nCertificate base file name : DOD_PKE\nPaste certificate below.\nInclude the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers.\nEnter a blank line to abort this command.\nCertificate:\n-----BEGIN CERTIFICATE-----\nMIID...\n...\n...=\n-----END CERTIFICATE-----\n\nInstall as trusted-host certificate? [yes/no]:n\nProcessing file ...\nInstalled Root CA certificate\n CommonName = ...\n IssuerName = ...\nOS10#"},{"id":"5484f44a-8b24-4eea-9340-f2591b1c9d9d","vulnId":"V-269803","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).","description":"The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.\n\nSatisfies: SRG-APP-000516-NDM-000350, SRG-APP-000515-NDM-000325","checkContent":"Verify the OS10 Switch is configured to send log data to at least two central log servers. \n\nOS10# show running-configuration logging\n!\nlogging audit enable\n!\nlogging server 10.0.0.4\nlogging server 10.0.0.8\n\nIf the OS10 Switch is not configured to send log data to at least two central log servers, this is a finding.","fixText":"Configure the OS10 Switch to send log data to at least two central log servers:\n\n!\nlogging audit enable\n!\nlogging server 10.0.0.4\nlogging server 10.0.0.8\n!"},{"id":"cef08580-b95d-4c56-9a19-e98bd2deba53","vulnId":"V-269804","severity":"high","ruleTitle":"The Dell OS10 Switch must be running an operating system release that is currently supported by Dell.","description":"Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.","checkContent":"Verify the OS10 Switch complies with this requirement by entering the following command: \n\nOS10# show version\n\nVerify the release is still supported by Dell. All OS10 releases supported by Dell can be found at https://www.dell.com/support.\n\nIf the OS10 Switch is not running an operating system release that is currently supported by Dell, this is a finding.","fixText":"$2d"},{"id":"83225a62-4326-4ffd-85dc-c0efe3dbf2b7","vulnId":"V-269805","severity":"medium","ruleTitle":"The Dell OS10 Switch must not have any default manufacturer passwords when deployed.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"If a default password is still configured for any user, warning messages will be displayed on login directly above the initial prompt, as shown below.\n\nLog in to OS10 and verify that no warning messages about default passwords are displayed above the initial prompt:\n\n%Warning : Default password for admin account should be changed to secure the system\n%Warning : Default password for linuxadmin account should be changed to secure the system.\nOS10#\n\nIf any default password warnings are displayed, this is a finding. \n\nIf \"system-user linuxadmin disable\" is not shown in the switch configuration, this is a finding.","fixText":"Configure new passwords for the admin and linuxadmin users as shown below and disable the linuxadmin:\n\nOS10(config)# username admin password ********** role sysadmin\n\nOS10(config)# system-user linuxadmin password ************\nOS10(config)# system-user linuxadmin disable"},{"id":"4de2c772-b1aa-40c3-bac6-f9ab1fe2cac5","vulnId":"V-270643","severity":"high","ruleTitle":"The Dell OS10 Switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.","description":"Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.","checkContent":"Review the OS10 switch configuration to verify the device is configured to use at least two authentication servers as primary source for authentication. Verify that multiple radius servers are configured and that AAA login authentication is configured to use remote authentication.\n\nOS10#\nOS10# show running-configuration radius-server\nradius-server host 10.120.60.23 tls security-profile PROFILE-1 key 9 ****\nradius-server host 10.120.80.82 tls security-profile PROFILE1 key 9 ****\nOS10#\nOS10# show running-configuration aaa\n!\naaa authentication login default group radius local\naaa authentication login console local group radius\nOS10#\n\nIf the OS10 switch is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.","fixText":"Configure the network device to use at least two authentication servers. The authentication order is determined by the order in which the radius-server entries are configured.\n\nOS10(config)#\nOS10(config)# radius-server host 10.120.60.23 tls security-profile PROFILE1 key ******************\nOS10(config)# radius-server host 10.120.80.82 tls security-profile PROFILE1 key ******************\nOS10(config)#\nOS10(config)# aaa authentication login default group radius local\nOS10(config)# aaa authentication login console group radius local\nOS10(config)#\n\nConfigure all network connections associated with a device management to use the authentication servers for the purpose of login authentication.\nOS10(config)# aaa authentication login default group radius local\n\nOptionally, configure the local console access to try local authentication before attempting remote authentication servers.\nOS10(config)# aaa authentication login console local group radius"},{"id":"9ea6bf1a-1d56-42c6-b68c-f285b8a14477","vulnId":"V-270644","severity":"medium","ruleTitle":"The Dell OS10 Switch must be configured to synchronize internal information system clocks using redundant authoritative time sources.","description":"$2e","checkContent":"Determine if the OS10 Switch is configured to synchronize internal information system clocks with the primary and secondary time sources.\n\nReview the configuration to verify that the primary and secondary time sources are configured as NTP servers with the following commands:\n\nOS10# show running-configuration ntp\n!\nntp authenticate\nntp authentication-key 345 sha2-256 9 ****\nntp server 192.0.2.1 key 345 prefer\nntp server 192.0.2.5 key 345\nntp trusted-key 345\n\nIf the OS10 Switch is not configured to synchronize internal information system clocks with the primary and secondary time sources, this is a finding.","fixText":"Configure the OS10 Switch to synchronize internal information system clocks with the primary and secondary time sources:\n\nOS10(config)# ntp authenticate\nOS10(config)# ntp trusted-key 345\nOS10(config)# ntp authentication-key 345 sha2-256 0 \nOS10(config)# ntp server 192.0.2.1 key 345 prefer\nOS10(config)# ntp server 192.0.2.5 key 345"}]}]]}]

Dell OS10 Switch NDM Security Technical Implementation Guide

Checks (39)