Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-66287 | HFFS-ND-000132 | SV-80777r1_rule | | Medium |
Description |
---|
Changes to the hardware or software components of the HP FlexFabric Switch can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the HP FlexFabric Switch for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters. |
STIG | Date |
---|---|
HP FlexFabric Switch NDM Security Technical Implementation Guide | 2019-09-27 |
Check Text ( C-66933r1_chk )

Check the HP FlexFabric Switch to determine if only authorized administrators have permissions for changes, deletions and updates on HP FlexFabric Switch.

```
[HP] display local-user
Device management user user1:
 State:                     Active
 Service type:              SSH
 User group:                system
 Bind attributes:
 Authorization attributes:
  Work directory:           flash:
  User role list:           role1

[HP] display role
Role: role1
  Description:
  VLAN policy: deny
  Permitted VLANs: 10 to 20
  Interface policy: permit (default)
  VPN instance policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm   Type  Scope         Entity
  -------------------------------------------------------------------
  1       permit R--   feature       -
  2       permit       command       system-view ; vlan *
  R:Read W:Write X:Execute
```

If unauthorized users are allowed to change the hardware or software, this is a finding.
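The check above can be scripted once the two command outputs have been saved to text. The following is an added example, not part of the STIG text: it parses constructed sample output in the layout shown in the check and lists users outside an approved administrator set who hold a role with write, execute or command rules. The users `viewer` and `tmpuser`, the role `auditro`, the `AUTHORIZED` set and the comma separator in multi-role lists are assumptions.

```python
import re

# Constructed sample output of the two display commands used in the check text.
LOCAL_USERS = """\
Device management user user1:
 Service type:              SSH
  User role list:           role1
Device management user viewer:
  User role list:           auditro
Device management user tmpuser:
  User role list:           role1
"""
ROLES = """\
Role: role1
  VLAN policy: deny
  Permitted VLANs: 10 to 20
  1       permit R--   feature       -
  2       permit       command       system-view ; vlan *
Role: auditro
  1       permit R--   feature       -
"""

def parse_users(text):
    """Map each local user to the roles on its 'User role list' line."""
    users, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Device management user (\S+):", line)
        if m:
            current = m.group(1)
            users[current] = []
        elif current and "User role list:" in line:
            # Separator between multiple roles is assumed to be a comma.
            users[current] = re.split(r"[,\s]+", line.split(":", 1)[1].strip())
    return users

def parse_roles(text):
    """Map role -> True if any permit rule grants W/X or is a command rule."""
    roles, role = {}, None
    for line in text.splitlines():
        if line.startswith("Role:"):
            role = line.split(":", 1)[1].strip()
            roles[role] = False
        m = re.match(r"\s*\d+\s+permit\s+(\S+)", line)
        if m and role and (m.group(1) == "command" or set(m.group(1)) & set("WX")):
            roles[role] = True
    return roles

def findings(users, roles, authorized):
    """Unauthorized users holding a change-capable role; unknown roles fail closed."""
    return sorted(u for u, held in users.items()
                  if u not in authorized and any(roles.get(r, True) for r in held))

AUTHORIZED = {"user1"}  # assumption: the site's approved administrator list
print(findings(parse_users(LOCAL_USERS), parse_roles(ROLES), AUTHORIZED))
```

A role that is assigned to a user but missing from the saved `display role` output is treated as change-capable, so incomplete captures produce a finding rather than a silent pass.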
Fix Text (F-72363r1_fix)

Configure the HP FlexFabric Switch to enforce access restrictions associated with changes to the system components. Below is an example of how to configure a user role and assign it to a user.

Create the user role role1:

```
[HP] role name role1
```

Configure rule 1 to permit the user role to access read commands of all features:

```
[HP-role-role1] rule 1 permit read feature
```

Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view:

```
[HP-role-role1] rule 2 permit command system-view ; vlan *
```

Change the VLAN policy to permit the user role to configure only VLANs 10 to 20:

```
[HP-role-role1] vlan policy deny
[HP-role-role1-vlanpolicy] permit vlan 10 to 20
[HP-role-role1-vlanpolicy] quit
[HP-role-role1] quit
```

Create a management local user named user1 and enter its view:

```
[HP] local-user user1 class manage
```

Set a password for the user:

```
[HP-luser-manage-user1] password simple xxxxxx
```

Set the service type to SSH:

```
[HP-luser-manage-user1] service-type ssh
```

Assign role1 to the user:

```
[HP-luser-manage-user1] authorization-attribute user-role role1
```

To make sure that the user has only the permissions of role1, remove the user from the default user role network-operator:

```
[HP-luser-manage-user1] undo authorization-attribute user-role network-operator
[HP-luser-manage-user1] quit
```