SV-80711r1_rule
V-66221
SRG-APP-000177-NDM-000263
HFFS-ND-000065
CAT II
10
Configure the HP FlexFabric Switch to map the authenticated identity to the user account for PKI-based authentication.
Configure PKI entity:
[HP] pki entity HP
[HP-pki-entity-HP] common-name HP
[HP-pki-entity-HP] country US
[HP-pki-entity-HP] locality Littleton
[HP-pki-entity-HP] organization-unit STG
[HP-pki-entity-HP] organization HP
[HP-pki-entity-HP] state MA
[HP-pki-entity-HP] ip 15.252.76.101
[HP-pki-entity-HP] quit
Configure PKI domain:
[HP] pki domain HP
[HP-pki-domain-HP] certificate request entity HP
[HP-pki-domain-HP] public-key rsa general name hostkey
[HP-pki-domain-HP] source ip 15.252.76.101
[HP-pki-domain-HP] undo crl check enable
[HP-pki-domain-HP] quit
Submit certificate request on the switch:
[HP] pki request-certificate domain HP pkcs10
Transfer and import downloaded CA and user certificates to the switch:
[HP] pki import domain jitc pem ca filename rae-root-ca.cer
[HP] pki import domain jitc pem local filename HP.cer
Configure a local user:
[HP] local-user pkiuser
[HP-luser-pkiuser] service-type ssh
[HP-luser-pkiuser] authorization-attribute user-role network-admin
[HP-luser-pkiuser] password
Set this user as an SSH user, set the authentication type to password-publickey, and assign the PKI domain:
[HP] ssh user pkiuser service-type all authentication-type password-publickey assign pki-domain hp
Note: Configuration required on the server side is not covered here.
Determine if the HP FlexFabric Switch maps the authenticated identity to the user account for PKI-based authentication.
[HP] display ssh user-information
Total ssh users: 3
Username  Authentication-type  User-public-key-name  Service-type
pkiuser   password-publickey   hp                    all
If the HP FlexFabric Switch does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.
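The check above can be scripted against saved output of display ssh user-information. The following is an added example, not part of the STIG or of HP's documentation. It assumes the device prints the four columns aligned under the header shown above, and it treats a row as passing only when the authentication type includes publickey and a key or PKI domain name is present (an interpretation of the check, not a rule stated on this page). Only the pkiuser row comes from the page; the other sample rows are constructed.

```python
HEADER = ("Username", "Authentication-type", "User-public-key-name", "Service-type")
ROW = " {:<14} {:<20} {:<21} {}"

# Constructed sample: only the pkiuser row is taken from the page.
SAMPLE = "\n".join([
    "[HP] display ssh user-information",
    " Total ssh users: 3",
    ROW.format(*HEADER),
    ROW.format("pkiuser", "password-publickey", "hp", "all"),
    ROW.format("backupadmin", "password", "", "stelnet"),
    ROW.format("monitor", "publickey", "", "all"),
])

def parse_ssh_users(text):
    """Slice each row at the header's column offsets, so an empty
    User-public-key-name cell does not shift Service-type to the left."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if all(h in line for h in HEADER):
            starts = [line.index(h) for h in HEADER]
            break
    else:
        raise ValueError("header row not found")
    ends = starts[1:] + [None]
    users = []
    for row in lines[i + 1:]:
        # Skip blank lines and any following CLI prompt line.
        if not row.strip() or row.lstrip()[0] in "[<":
            continue
        cells = [row[s:e].strip() for s, e in zip(starts, ends)]
        users.append(dict(zip(("user", "auth", "key_name", "service"), cells)))
    return users

def findings(users):
    """Return (user, reason) for rows that do not show a PKI/public-key mapping."""
    out = []
    for u in users:
        if "publickey" not in u["auth"]:
            out.append((u["user"], "authentication type %r has no public-key factor" % u["auth"]))
        elif not u["key_name"]:
            out.append((u["user"], "no public key or PKI domain name assigned"))
    return out

if __name__ == "__main__":
    for user, reason in findings(parse_ssh_users(SAMPLE)):
        print("FINDING %s: %s" % (user, reason))
```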