STIGQter: STIG Summary: Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019:

The Arista Multilayer Switch must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

DISA Rule

SV-75315r1_rule

Vulnerability Number

V-60857

Group Title

SRG-APP-000190-NDM-000267

Rule Version

AMLS-NM-000240

Severity

CAT II

CCI(s)

• CCI-001133 - The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

Weight

10

Fix Recommendation

Configure the network device to terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity.

Arista switches have a configurable timeout function that automatically closes connections to the switch upon reaching an organization-defined period of time.

Configuration Example:

switch(config)#management ssh
switch(config-mgmt-ssh)#idle-timeout 10

Configure the switch to terminate an idle ssh connection after 10 minutes of inactivity.

Check Contents

Determine if the network device terminates the connection associated with a device management session at the end of the session or after 10 minutes of inactivity. This requirement may be verified by demonstration or configuration review.

Verify by executing a "show running-config" command, and under the "management ssh" subsection, validate the configuration statement "idle-timeout 10" is present and the value is 10 or less.

If the network device does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.

Vulnerability Number

V-60857

Documentable

False

Rule Version

AMLS-NM-000240

Severity Override Guidance

Determine if the network device terminates the connection associated with a device management session at the end of the session or after 10 minutes of inactivity. This requirement may be verified by demonstration or configuration review.

Verify by executing a "show running-config" command, and under the "management ssh" subsection, validate the configuration statement "idle-timeout 10" is present and the value is 10 or less.

If the network device does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.

Check Content Reference

M

Target Key

2825

Comments