STIGQter: STIG Summary: Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019:

The Arista Multilayer Switch must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).

DISA Rule

SV-75317r1_rule

Vulnerability Number

V-60859

Group Title

SRG-APP-000267-NDM-000273

Rule Version

AMLS-NM-000250

Severity

CAT II

CCI(s)

• CCI-001314 - The information system reveals error messages only to organization-defined personnel or roles.

Weight

10

Fix Recommendation

Configure the network device or its associated audit server to reveal error messages only to authorized individuals.

SNMP is used to fulfill this function. An example SNMP configuration is provided below. To configure SNMP according to site-specific policies and procedures, refer to the Arista Configuration Guide Chapter 37

snmp-server engineID local
snmp-server view snmpview system included
snmp-server group ROgroup v3 priv read snmpview
snmp-server group RWgroup v3 priv write snmpview
snmp-server user disa ROgroup v3
snmp-server user disaRW RWgroup v3
snmp-server host 10.1.1.1 version 3 priv disaRW
snmp-server host 10.2.2.2 version 3 noauth disaRW
snmp-server host 10.3.3.3 version 3 noauth disaRW
snmp-server host 127.0.0.1 version 3 noauth auth
snmp-server host 172.22.29.82 version 3 noauth disaRW
snmp-server enable traps

Check Contents

Determine if the network device is configured to reveal error messages only to authorized individuals. This requirement may be verified by demonstration or configuration review. This requirement can be met by a central audit server if the network device is configured to send audit logs to that audit server.

If the network device reveals error messages to any unauthorized individuals, this is a finding.

This is a function of SNMP Traps. Verify the SNMP configuration is present in the output of the "show running-config" command and that SNMP is active via the "show snmp" command.

Vulnerability Number

V-60859

Documentable

False

Rule Version

AMLS-NM-000250

Severity Override Guidance

Determine if the network device is configured to reveal error messages only to authorized individuals. This requirement may be verified by demonstration or configuration review. This requirement can be met by a central audit server if the network device is configured to send audit logs to that audit server.

If the network device reveals error messages to any unauthorized individuals, this is a finding.

This is a function of SNMP Traps. Verify the SNMP configuration is present in the output of the "show running-config" command and that SNMP is active via the "show snmp" command.

Check Content Reference

M

Target Key

2825

Comments