11:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"HPE Aruba Networking AOS NDM Security Technical Implementation Guide"}],false,["$","$L1b",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Oct 29, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-xs text-gray-500","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"HPE_Aruba_AOS_NDM_STIG","children":"HPE_Aruba_AOS_NDM_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":37}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",9]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",28]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=HPE%20Aruba%20Networking%20AOS%20NDM%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=HPE%20Aruba%20Networking%20AOS%20NDM%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=HPE%20Aruba%20Networking%20AOS%20NDM%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPE_Aruba_Networking_AOS_Y26M04_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-brand/10 text-brand hover:bg-brand/20 border-brand/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1c",null,{"checks":[{"id":"baa79132-a591-42e8-b030-e0d378dd910e","vulnId":"V-266903","severity":"medium","ruleTitle":"AOS must limit the number of concurrent sessions to a maximum of three for each administrator account and/or administrator account type.","description":"Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks. \n \nThis requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. At a minimum, limits must be set for Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and account of last resort.","checkContent":"Verify the AOS configuration with the following command: \nshow mgmt-user admin \n \nIf \"Max-concurrent-sessions\" is not set to \"3\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nmgmt-user admin root max-concurrent-sessions 3 \nEnter the admin's password \nReenter the admin's password \nwrite memory"},{"id":"01615855-ee0d-4131-ad56-23f265449fee","vulnId":"V-266908","severity":"medium","ruleTitle":"AOS must automatically audit account creation.","description":"Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. \n \nNotification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nSatisfies: SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000091-NDM-000223, SRG-APP-000319-NDM-000283, SRG-APP-000381-NDM-000305, SRG-APP-000495-NDM-000318, SRG-APP-000503-NDM-000320, SRG-APP-000505-NDM-000322","checkContent":"Verify the AOS configuration with the following command: \nshow logging level \n \nIf the security logging level is not set to debug, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nlogging security level debug \nwrite memory"},{"id":"c0e3a7e3-84a4-40c4-996e-eede9ce604a7","vulnId":"V-266909","severity":"high","ruleTitle":"AOS must be configured to assign appropriate user roles or access levels to authenticated users.","description":"$1d","checkContent":"Verify the AOS configuration using the web interface: \n \nNavigate to Configuration >> System >> Admin tab and expand the \"Admin Authentication Options\". \n \nIf root is not the Default role, \"Enable\" is not checked, or the Server group is not configured to the enterprise server group for admin authorization, this is a finding.","fixText":"Configure AOS using the web interface: \n \nNavigate to Configuration >> System >> Admin tab and expand the \"Admin Authentication Options\". \n \nSelect root for the Default role. \n \nCheck the \"Enable\" checkbox. \n \nSelect the enterprise Server group that is configured for admin authorization. \n \nClick Submit >> Pending Changes >> Deploy changes."},{"id":"bde3c4a0-c1cf-491a-ac84-8d7d93e3ca74","vulnId":"V-266910","severity":"medium","ruleTitle":"AOS must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.","description":"$1e","checkContent":"Verify the AOS configuration with the following command: \nshow running-config | begin \"interface gigabit\" \n \nNote the configured IP access-group session Access Control List (ACL) for each active interface. \n \nFor each configured ACL: \nshow ip access-list \n \nIf each ACL does not end in an \"any any deny log\" for both IPv4 and IPv6, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nip access-list session \nnetwork any any permit \nany any any deny log \nipv6 network any any permit \nipv6 any any any deny log \nexit \nwrite memory \ninterface gigabit <#/#/#> \nip access-group session \nexit \nwrite mem"},{"id":"c6f09171-b0c3-420c-82b9-ef031dbd1af1","vulnId":"V-266911","severity":"medium","ruleTitle":"AOS must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.","checkContent":"1. Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \n2. Verify that \"Maximum Number of failed attempts in 3 minute window to lockout password based user\" is set to \"3 attempts\" and \"Time duration to lockout the password based user upon crossing the 'lock-out' threshold\" is set to \"15 minutes\". \n \nIf one or both of these settings are set to any other value, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \npassword-lock-out 3 \npassword-lock-out-time 15 \nenable \nexit \nwrite memory"},{"id":"e7b3254b-b3fb-455d-8823-17d9b6530f63","vulnId":"V-266912","severity":"medium","ruleTitle":"AOS must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.","description":"Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. \n \nSystem use notifications are required only for access via logon interfaces with human users.","checkContent":"Verify the AOS configuration with the following command: \nshow banner \n \nIf the Standard Mandatory DOD Notice and Consent Banner is not set, this is a finding.","fixText":"$1f"},{"id":"d8f9e282-c0b5-478b-89f6-78dae00e3729","vulnId":"V-266913","severity":"medium","ruleTitle":"AOS must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.","description":"The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DOD will not be in compliance with system use notifications required by law. \n \nTo establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement. \n \nIn the case of command line interface (CLI) access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, and then entering the password is also acceptable.","checkContent":"Verify the AOS configuration with the following command: \nshow running-config | include \"banner enforce-accept\" \n \nIf \"banner enforce-accept\" is not set, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nbanner enforce-accept \nwrite memory"},{"id":"0723a6c1-61b2-48e5-a18a-f4079cc1c51e","vulnId":"V-266928","severity":"high","ruleTitle":"AOS must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.","description":"$20","checkContent":"Verify the AOS configuration with the following commands: \nshow firewall-cp \nshow running-config | include ospf \n \nVerify that OSPF is not enabled and only unnecessary and/or nonsecure functions, ports, protocols, and/or services are denied. \n \nIf OSPF is enabled or any unnecessary and/or nonsecure functions, ports, protocols, and/or services are allowed, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nfirewall cp \nipv4 deny any proto 6 ports 17 17 \nipv4 deny any proto 6 ports 8080 8080 \nipv4 deny any proto 6 ports 8081 8081 \nipv4 deny any proto 6 ports 8082 8082 \nipv4 deny any proto 6 ports 8088 8088 \nipv6 deny any proto 6 ports 17 17 \nipv6 deny any proto 6 ports 8080 8080 \nipv6 deny any proto 6 ports 8081 8081 \nipv6 deny any proto 6 ports 8082 8082 \nipv6 deny any proto 6 ports 8088 8088 \nexit \nwrite memory \n \nFor any OSPF entries found: \nno router ospf \nno router ospf router-id \nno router ospf redistribute vlan <#> \nno \nwrite memory \n \nBlock any other ports as desired using the following example: \nconfigure terminal \nfirewall cp \n deny any proto ports \nexit \nwrite memory"},{"id":"62ea98d8-92ac-4bc7-945c-375a1b934792","vulnId":"V-266929","severity":"high","ruleTitle":"AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins.","description":"$21","checkContent":"Verify the AOS configuration using the web interface: \n \n1. Navigate to Configuration >> System >> Admin and expand \"Admin Authentication Options\". \n2. Verify what \"Server group\" is handling admin authentication. \n3. Verify that Client certificate is enabled. \n4. Expand \"Admin Authentication Servers\". \n5. Select the Server Group identified from the \"Options\" section. \n6. Verify that each authentication server configured in Server Group is configured with the Key attribute: of userPrincipalName. \n \nIf Client certificate is not enabled and the management authentication servers are not configured with userPrincipalName, this is a finding.","fixText":"$22"},{"id":"7d2856b1-af82-44db-9d1a-44ad663cfa90","vulnId":"V-266930","severity":"medium","ruleTitle":"AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. \n \nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n \nTechniques to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., Transport Layer Security [TLS], Web Services Security [WS_Security]). Additional techniques include time-synchronous or challenge-response one-time authenticators.","checkContent":"Verify the AOS configuration using the web interface: \n \n1. Navigate to Configuration >> System >> Admin and expand \"Admin Authentication Options\". \n2. Verify what \"Server group\" is handling admin authentication. \n3. Expand \"Admin Authentication Servers\". \n4. Select the Server Group identified from the \"Options\" section. \n5. Verify that each authentication server configured in Server Group is configured with secure LDAP using port 636 and connection type ldap-s. \n \nIf each management authentication server is not configured to use secure LDAP, this is a finding.","fixText":"$23"},{"id":"4cff853a-0463-4d06-bec6-7fc26a1e8ad8","vulnId":"V-266931","severity":"medium","ruleTitle":"AOS must enforce a minimum 15-character password length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. \n \nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \nIf \"Minimum password length required\" is not set to \"15 characters\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \npassword-min-length 15 \nexit \nwrite memory"},{"id":"f647e2ae-7d9c-4980-9c57-a097308b1681","vulnId":"V-266932","severity":"medium","ruleTitle":"AOS must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n \nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n \nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account.","checkContent":"Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \nIf \"Minimum number of Upper Case characters\" is not set to \"1 characters\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \npassword-min-uppercase-characters 1 \nexit \nwrite memory"},{"id":"377f332d-26d7-453a-bc3d-368232310ba0","vulnId":"V-266933","severity":"medium","ruleTitle":"AOS must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n \nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n \nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account.","checkContent":"Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \nIf \"Minimum number of Lower Case characters\" is not set to \"1 characters\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \npassword-min-lowercase-characters 1 \nexit \nwrite memory"},{"id":"56889355-4362-4c2a-9f6f-8a11d59d0b5e","vulnId":"V-266934","severity":"medium","ruleTitle":"AOS must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n \nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n \nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account.","checkContent":"Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \nIf \"Minimum number of Digits\" is not set to \"1 digits\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \npassword-min-digit 1 \nexit \nwrite memory"},{"id":"a6790639-1e5f-4086-a116-9b5b552e6e92","vulnId":"V-266935","severity":"medium","ruleTitle":"AOS must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n \nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n \nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account.","checkContent":"Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \nIf \"Minimum number of Special characters\" is not set to \"1 characters\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \npassword-min-special-character 1 \nexit \nwrite memory"},{"id":"08c4cc17-36f4-42ec-84b0-f3a8be9a047b","vulnId":"V-266937","severity":"high","ruleTitle":"AOS must transmit only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. \n \nNetwork devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.","checkContent":"Verify the AOS configuration with the following commands: \nshow aaa authentication-server all \nshow snmp user-table \n \nIf the LDAP servers are not configured to use port 636, or if the SNMP users are not configured to use AES encryption, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa authentication-server ldap \nauthport 636 \npreferred-conn-type ldap-s \nexit \nsnmp-server user auth-prot sha priv-prot AES \nwrite memory"},{"id":"2f43f45e-5983-4433-a0db-7bd87c3a70fb","vulnId":"V-266938","severity":"high","ruleTitle":"AOS must be configured to use DOD-approved Online Certificate Status Protocol (OCSP) responders or Certificate Revocation Lists (CRLs) to validate certificates used for public key infrastructure (PKI)-based authentication.","description":"$24","checkContent":"Verify the AOS configuration with the following command: \nshow crypto-local pki rcp \n \nIf any configured trusted root certificate authorities are not configured to use OCSP, this is a finding.","fixText":"Configure AOS using the web interface: \n \n1. Navigate to Configuration >> System >> Certificates tab. \n2. Under \"Import Certificates\", upload the trusted root CA. Provide the Certificate name, upload the certificate file, and select the matching Certificate format. \n3. Choose the TrustedCA Certificate type. Click \"Submit\". \n4. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click \"Submit\". \n5. Click Pending Changes >> Deploy the Changes. \n6. Expand \"Revocation Checkpoint\". Select the configured trusted root CA. \n7. Select OCSP for Revocation method 1. \n8. Enter the OCSP server URL in the OCSP URL field (remove \"http://\"). \n9. Choose the configured certificate under OCSP responder cert. \n10. Choose \"Fail-Over\" for Server unreachable. \n11. Click Submit >> Pending Changes >> Deploy Changes."},{"id":"a3908233-d410-4a82-b54d-76609397a276","vulnId":"V-266940","severity":"high","ruleTitle":"AOS must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised. \n \nNetwork devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n \nFIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only authentication algorithms that are FIPS-approved and recommended by the National Institute of Standards and Technology (NIST).\n\nSatisfies: SRG-APP-000179-NDM-000265, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331","checkContent":"Verify the AOS configuration with the following command: \nshow fips \n \nIf \"FIPS settings: Mode Enabled\" is not returned, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nfips enable \nwrite memory \nreload"},{"id":"a7b9ef63-ee20-4cdc-8833-7cf336c83faf","vulnId":"V-266941","severity":"high","ruleTitle":"AOS must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element. \n \nTerminating network connections associated with communications sessions includes, for example, deallocating associated Transmission Control Protocol/Internet Protocol (TCP/IP) address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nSatisfies: SRG-APP-000190-NDM-000267, SRG-APP-000186-NDM-000266","checkContent":"Verify the AOS configuration with the following commands: \nshow running-config | include \"loginsession timeout\" \nshow web-server profile \n \nIf the login session timeout is not set to \"5\" (minutes), this is a finding. \n \nIf \"User session timeout <30-3600> (seconds)\" is not set to \"300\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nloginsession timeout 5 \nweb-server profile \nsession-timeout 300 \nexit \nwrite memory"},{"id":"e5d9cb21-a940-4f38-9e31-0fc5af675956","vulnId":"V-266948","severity":"medium","ruleTitle":"AOS must enforce role-based access control policies over defined subjects and objects.","description":"Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. \n \nRBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. \n \nThe RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.","checkContent":"Verify the AOS configuration using the web interface: \n \n1. Navigate to Configuration >> System >> Admin. Expand \"Admin Authentication Options\". \n2. Verify the following: \n- Default role: Is set to root. \n- Enable: Checkbox is checked. \n- The enterprise Server group is set to the configured enterprise LDAP server group. \n \nIf any of the three settings above are not configured, this is a finding.","fixText":"Configure AOS using the web interface: \n \n1. Navigate to Configuration >> System >> Admin and expand \"Admin Authentication Options\". \n2. Select the Default role: of root. \n3. Click the Enable: checkbox. \n4. Select the configured enterprise LDAP server group. \n5. Under Server group, click Submit >> Pending Changes >> Deploy Changes."},{"id":"a1ad987f-1fb4-4c15-b466-e16263e192f9","vulnId":"V-266950","severity":"medium","ruleTitle":"AOS must audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-APP-000343-NDM-000289, SRG-APP-000101-NDM-000231, SRG-APP-000504-NDM-000321","checkContent":"Verify the AOS configuration with the following command: \nshow running-config | include audit-trail \n \nIf the audit-trail is not enabled, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naudit-trail all \nwrite memory"},{"id":"efcbdf47-b717-42bd-8918-a92c3dc27cb9","vulnId":"V-266952","severity":"medium","ruleTitle":"AOS must generate an immediate real-time alert of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.","checkContent":"Verify the AOS configuration with the following commands: \nshow snmp trap-hosts \nshow snmp trap-list | include wlsxProcessDied \nshow snmp trap-list | include wlsxProcessRestart \n \nIf a SNMP server is not configured and both process traps are not enabled, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nsnmp-server host version snmp-server host version engine-id \nsnmp-server trap wlsxProcessDied \nsnmp-server trap wlsxProcessRestart \nwrite memory"},{"id":"77cf7f76-27b9-421d-933f-d7c239272540","vulnId":"V-266953","severity":"medium","ruleTitle":"AOS must be configured to synchronize internal information system clocks using redundant authoritative time sources.","description":"$25","checkContent":"Verify the AOS configuration with the following command: \nshow ntp servers \n \nIf at least two NTP servers are not configured, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nntp authentication-key (keyid #> sha1 \nntp trusted-key <keyid #> \nntp server <first fqdn, ipv4, or ipv6 address> key <keyid #> \nntp server <second fqdn, ipv4, or ipv6 address> key <keyid #> \nntp authenticate \nwrite memory"},{"id":"84e7fd5a-c6b3-46bd-924d-b77ed6a1564f","vulnId":"V-266954","severity":"medium","ruleTitle":"AOS must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).","checkContent":"Verify the AOS configuration with the following command: \nshow clock \n \nIf the clock is not set to the appropriate time zone or UTC/GMT, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nclock timezone <IANA time zone> \nto set the appropriate timezone \nwrite memory"},{"id":"eea0db1b-06f4-4a61-a596-1ac627a27d64","vulnId":"V-266958","severity":"medium","ruleTitle":"AOS must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).","description":"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. \n \nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). \n \nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.","checkContent":"Verify the AOS configuration with the following command: \nshow snmp user-table \n \nIf the configured SNMP user(s) are not using SHA, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nsnmp-server user <SNMP user> auth-prot sha <authentication password> priv-prot aes <privacy password> \nwrite memory"},{"id":"d0f384e1-09b9-45c6-bc8d-cb8a5897c98b","vulnId":"V-266959","severity":"medium","ruleTitle":"AOS must prohibit the use of cached authenticators after an organization-defined time period.","description":"Some authentication implementations can be configured to use cached authenticators. \n \nIf cached authentication information is out of date, the validity of the authentication information may be questionable. \n \nThe organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.","checkContent":"Verify the AOS configuration with the following command: \nshow configuration effective | include auth-survivability \n \nIf \"aaa auth-survivability enable\" is returned and \"auth-survivability\" is enabled, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nno aaa auth-survivability enable \nwrite memory"},{"id":"8e29a316-a212-411f-ac3b-1fd5af2b3bc5","vulnId":"V-266961","severity":"medium","ruleTitle":"AOS must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.","description":"$26","checkContent":"Verify the AOS configuration using the web interface: \n \nNavigate to Configuration >> Services >> Firewall. \n \nIf the organization-defined safeguards are not enabled to protect against known DoS attacks, this is a finding.","fixText":"Configure AOS using the web interface: \n \nNavigate to Configuration >> Services >> Firewall and enable DoS protection in accordance with organization-defined policy. \n \nClick Submit >> Pending Changes >> Deploy Changes."},{"id":"0c50aff0-1657-49d3-bcd4-6805dd05782a","vulnId":"V-266966","severity":"medium","ruleTitle":"AOS must off-load audit records onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. \n \nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Verify the AOS configuration with the following command: \nshow logging server \n \nIf a configured syslog server is not returned, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nlogging <IPv4 or IPv6 address> \nwrite memory"},{"id":"33a54dd5-e9bd-4fb1-8447-26514b15f093","vulnId":"V-266967","severity":"medium","ruleTitle":"AOS must require that when a password is changed, the characters are changed in at least eight of the positions within the password.","description":"If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. \n \nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. \n \nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account.","checkContent":"Verify the AOS configuration with the following command: \nshow aaa password-policy mgmt \n \nIf \"Minimum number of differing characters between passwords\" is not set to \"8 digits\", this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \naaa password-policy mgmt \nmin-char-difference 8 \nexit \nwrite memory"},{"id":"b8c0a0c0-da9e-4134-b672-bf65c4e3be80","vulnId":"V-266968","severity":"medium","ruleTitle":"AOS must generate log records for a locally developed list of auditable events.","description":"Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.","checkContent":"Verify the AOS configuration with the following command: \nshow logging level \n \nIf the logging levels are not set to the organization-desired level, this is a finding.","fixText":"Configure AOS with the following commands for each logging category: \nconfigure terminal \nlogging <category> level <level> \nwrite memory"},{"id":"f682bcc3-7730-4930-aef7-7d41c2fe1077","vulnId":"V-266970","severity":"high","ruleTitle":"AOS must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.","description":"Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. \n \nWith robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.","checkContent":"Verify the AOS configuration using the web interface: \n \n1. Navigate to Configuration >> System >> Admin and expand \"Admin Authentication Options\". \n2. Verify what \"Server group\" is handling admin authentication. \n3. Expand \"Admin Authentication Servers\". \n4. Select the Server Group identified from the \"Options\" section. \n5. Verify that at least two authentication servers are configured in the Server Group. \n \nIf the admin authentication server group does not have at least two configured authentication servers, this is a finding.","fixText":"$27"},{"id":"b5337920-4915-4e49-a5e5-b9efafb5cb65","vulnId":"V-266971","severity":"medium","ruleTitle":"AOS must be configured to conduct backups of system-level information contained in the information system when changes occur.","description":"System-level information includes default and customized settings and security attributes, including Access Control Lists (ACLs) that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who use this critical network component. \n \nThis control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.","checkContent":"Review the site's backup policy to verify plans and procedures are in place to back up AOS configurations when changes occur. \n \nIf the site does not have a policy to back up AOS configurations when changes occur, this is a finding.","fixText":"Configure AOS with the following commands: \n \n1. In the AOS CLI, create the backup file: \nbackup config <filename> \n2. Copy the file to a central server: \ncopy flash: <filename> scp: <scp server IPv4 or IPv6 address> <username> <destination filename>"},{"id":"138999e3-0758-49b6-869a-7a1f6790f196","vulnId":"V-266972","severity":"medium","ruleTitle":"AOS must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.","description":"Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. \n \nThis control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.","checkContent":"Review the site's backup policy to verify plans and procedures are in place to back up AOS configurations when changes occur or weekly, whichever is sooner. \n \nIf the site does not have a policy to back up AOS configurations when changes occur or weekly, whichever is sooner, this is a finding.","fixText":"Configure AOS with the following commands: \n \n1. In the AOS CLI, create the backup file: \nbackup config <filename> \n2. Copy the file to a central server: \ncopy flash: <filename> scp: <scp server IPv4 or IPv6 address> <username> <destination filename>"},{"id":"171944e4-8865-4b33-bf60-d3ffccbbddaa","vulnId":"V-266973","severity":"medium","ruleTitle":"AOS must obtain its public key certificates from an appropriate certificate policy through an approved service provider.","description":"For user certificates, each organization obtains certificates from an approved, shared service provider, as required by Office of Management and Budget policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certificate authority will suffice.","checkContent":"Interview the system administrator and determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider. \n \nIf the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.","fixText":"Configure AOS with the following commands: \ncrypto pki csr rsa key_len 2048 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> \nshow crypto pki csr \n \n1. Use DOD PKI to generate a public certificate based on the CSR. \n2. Using the web GUI, navigate to Configuration >> System >> Certificates > Import Certificates. \n3. Click the plus sign (+) and enter \"Certificate name:\", browse to the public certificate file, choose the appropriate format, select Certificate type: \"ServerCert\", and click \"Submit\". \n4. Click Pending Changes >> Deploy Changes. \n5. Navigate to Configuration >> System >> Admin >> Admin Authentication Options and choose the imported certificate under \"Server Certificate\". \n6. Click Submit >> Pending Changes >> Deploy Changes."},{"id":"8944d0b2-60ca-432e-80c7-2760142e2964","vulnId":"V-266975","severity":"medium","ruleTitle":"AOS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.","description":"Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. \n \nThe account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.","checkContent":"Verify the AOS configuration with the following command: \nshow mgmt-user \n \nIf any user other than \"admin\" is present, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nno mgmt-user <username> \nfor any existing users other than \"admin\". \nwrite memory"},{"id":"ab93aa43-fd2e-4c45-81c7-cd62e15d3eac","vulnId":"V-266976","severity":"medium","ruleTitle":"AOS must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.","description":"If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.","checkContent":"1. Verify the AOS configuration with the following command: \nshow ntp status \n \nIf \"Authentication\" shows \"disabled\", this is a finding. \n \n2. show running-config | include ntp \n \nIf at least one trusted NTP authentication-key is not configured and at least one NTP server configured to use the key, this is a finding.","fixText":"Configure AOS with the following commands: \nconfigure terminal \nntp authentication-key (keyid #> sha1 <plaintext key> \nntp trusted-key <keyid #> \nntp server <first fqdn, ipv4, or ipv6 address> key <keyid #> \nntp server <second fqdn, ipv4, or ipv6 address> key <keyid #> \nntp authenticate \nwrite memory"},{"id":"ef2e1c4d-e99a-4d86-9376-0b153bc524d8","vulnId":"V-266977","severity":"high","ruleTitle":"AOS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).","description":"The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network Information Assurance team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important to learn whether someone is an internal employee or an outside threat.\n\nSatisfies: SRG-APP-000516-NDM-000350, SRG-APP-000223-NDM-000269","checkContent":"Verify the AOS configuration with the following command: \nshow logging server \n \nIf at least two central log servers are not configured, this is a finding.","fixText":"Configure AOS with the following commands: \n \nFor two or more central syslog servers: \nconfigure terminal \nlogging <IPv4 or IPv6 address> \nwrite memory"}]}]]}] </article></body></html>

HPE Aruba Networking AOS NDM Security Technical Implementation Guide

Checks (37)