STIGQter: STIG Summary: HP FlexFabric Switch NDM Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must enforce access restrictions associated with changes to the system components.

DISA Rule

SV-80777r1_rule

Vulnerability Number

V-66287

Group Title

SRG-APP-000516-NDM-000335

Rule Version

HFFS-ND-000132

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to enforce access restrictions associated with changes to the system components.

Below is an example of how to configure a user role and assign it to a user:

Create the user role role1:

[HP] role name role1

Configure rule 1 to permit the user role to access read commands of all features:

[HP-role-role1] rule 1 permit read feature

Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view:

[HP-role-role1] rule 2 permit command system-view ; vlan *

Change the VLAN policy to permit the user role to configure only VLANs 10 to 20:

[HP-role-role1] vlan policy deny
[HP-role-role1-vlanpolicy] permit vlan 10 to 20
[HP-role-role1-vlanpolicy] quit
[HP-role-role1] quit

Create a management local user named user1 and enter its view:

[HP] local-user user1 class manage

Set a password for the user:

[HP-luser-manage-user1] password simple xxxxxx

Set the service type to SSH:

[HP-luser-manage-user1] service-type ssh

Assign role1 to the user:

[HP-luser-manage-user1] authorization-attribute user-role role1

To make sure that the user has only the permissions of role1, remove the user from the default user role network-operator:

[HP-luser-manage-user1] undo authorization-attribute user-role network-operator
[HP-luser-manage-user1] quit

Check Contents

Check the HP FlexFabric Switch to determine whether only authorized administrators have permissions for changes, deletions and updates on the HP FlexFabric Switch.

[HP] display local-user

Device management user user1:
State: Active
Service type: SSH
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: role1

[HP] display role

Role: role1
Description:
VLAN policy: deny
Permitted VLANs: 10 to 20
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit R-- feature -
2 permit command system-view ; vlan *
R:Read W:Write X:Execute

If unauthorized users are allowed to change the hardware or software, this is a finding.
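The check above can be scripted against saved CLI output; as an added example that is not part of the STIG or of HP's own tooling, this Python checker parses `display local-user` and `display role` text and lists users who hold a change-capable role (Write or Execute on a feature, or any command under system-view, which is what role1's VLAN rule grants) without being on the authorized-administrator list. The sample output is constructed, `user2` and `role2` are hypothetical, and a role name that does not appear in the parsed `display role` text (such as the default `network-operator` role the fix removes) is reported so it can be reviewed by hand.

```python
import re

# Constructed sample in the shape of the check's "display local-user" output (user2 is hypothetical)
LOCAL_USER_OUT = """\
Device management user user1:
User role list: role1
Device management user user2:
User role list: role2 network-operator
"""

# Constructed sample in the shape of "display role" (role2 is a hypothetical role with RWX on all features)
ROLE_OUT = """\
Role: role1
VLAN policy: deny
1 permit R-- feature -
2 permit command system-view ; vlan *
Role: role2
1 permit RWX feature -
"""

def parse_user_roles(text):
    """Map each management user to the role names on its 'User role list' line."""
    return {user: roles.split() for user, roles in re.findall(
        r"Device management user (\S+):.*?User role list:([^\n]*)", text, re.S)}

def parse_role_rules(text):
    """Map each role to (action, perm, type, scope) rules; a command row is read as having no
    Perm column (assumption, based on the row layout shown in the check output)."""
    roles = {}
    for block in re.split(r"^Role: ", text, flags=re.M)[1:]:
        name, *lines = block.splitlines()
        roles[name] = []
        for m in filter(None, (re.match(r"\d+\s+(permit|deny)\s+(.*)", ln) for ln in lines)):
            toks = m.group(2).split()
            perm = "" if toks[0] == "command" else toks.pop(0)
            roles[name].append((m.group(1), perm, toks[0], " ".join(toks[1:])))
    return roles

def role_allows_changes(rules):
    """True if a permit rule grants Write/Execute on a feature, or any command under system-view
    (role1's VLAN rule counts: it is a change right, merely scoped by the VLAN policy)."""
    return any(action == "permit" and ((kind == "feature" and bool(set(perm) & set("WX")))
                                       or (kind == "command" and scope.startswith("system-view")))
               for action, perm, kind, scope in rules)

def unauthorized_change_users(users, roles, authorized):
    """Users outside 'authorized' with a change-capable role, or one missing from 'display role' (review by hand)."""
    flagged = {u: [n for n in names if n not in roles or role_allows_changes(roles[n])]
               for u, names in users.items() if u not in authorized}
    return {u: names for u, names in flagged.items() if names}
```

Feed it the real output of the two display commands and the set of administrators documented as authorized; any user it returns is a candidate finding for this rule.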

Vulnerability Number

V-66287

Documentable

False

Rule Version

HFFS-ND-000132

Severity Override Guidance

Check Content Reference

M

Target Key

2971

Comments