The Dell OS10 Switch must be configured to assign appropriate user roles or access levels to authenticated users.

Severity: high
Group ID: V-269769
Group Title: SRG-APP-000033-NDM-000212
Version: OS10-NDM-000100
Rule ID: SV-269769r1052474_rule
Date: 2024-12-11
STIG Version: 1
Description
Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.

Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.

Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group.

Network devices that rely on AAA brokers for authentication and authorization services may need to identify the security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership.
ℹ️ Check
If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this requirement. Because the responsibility for meeting this requirement is transferred to the AAA broker, this requirement is not applicable for the local network device.

This requirement may be verified by demonstration or configuration review.

Verify the Dell OS10 Switch is configured to assign appropriate user roles to authenticated users. Valid roles are system admin, security admin, network admin, and network operator. Verify the correct role is assigned to each user.

OS10# show running-configuration users
username admin password **** role sysadmin priv-lvl 15
username op100 password **** role netoperator priv-lvl 1
OS10#

If any users are assigned to the wrong role, this is a finding.
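The check above is a manual comparison of each username's role against what the site has approved for that account. The following script is an added example, not part of the STIG or of Dell's tooling: it parses the "show running-configuration users" output format quoted in the check, validates each role against the four OS10 roles the check names, and reports any account whose role differs from an approved-roles map. The sample output and the approved-roles map are constructed for the example; in practice the map comes from the site's authorization records, which the STIG does not define.

```python
import re
from typing import Dict, List

# The four roles the STIG check names as valid on Dell OS10.
VALID_ROLES = {"sysadmin", "secadmin", "netadmin", "netoperator"}

# Constructed sample modeled on the lines quoted in the check text;
# not captured from a real switch. The "auditor" account is added here
# to show a mismatch being reported.
SAMPLE_OUTPUT = """\
OS10# show running-configuration users
username admin password **** role sysadmin priv-lvl 15
username op100 password **** role netoperator priv-lvl 1
username auditor password **** role sysadmin priv-lvl 15
OS10#
"""

# Hypothetical approved-roles map (site authorization records), used only
# to demonstrate the comparison; it is not part of the STIG.
APPROVED_ROLES = {
    "admin": "sysadmin",
    "op100": "netoperator",
    "auditor": "secadmin",
}

# Matches one "username <name> password <hash> role <role> [priv-lvl <n>]" line.
USER_LINE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+\S+\s+role\s+(?P<role>\S+)"
    r"(?:\s+priv-lvl\s+(?P<priv>\d+))?"
)


def parse_users(output: str) -> Dict[str, str]:
    """Return {username: role} for every user line in the command output.

    Prompt lines and anything that is not a 'username ...' line are ignored.
    """
    users: Dict[str, str] = {}
    for line in output.splitlines():
        match = USER_LINE.match(line.strip())
        if match:
            users[match.group("name")] = match.group("role")
    return users


def find_findings(users: Dict[str, str], approved: Dict[str, str]) -> List[str]:
    """Return one message per account whose role is invalid, unapproved, or wrong.

    The STIG wording makes a wrong role a finding; an unknown role string or an
    account with no approved role on record is reported for the same reason,
    since neither can be shown to be the correct role.
    """
    findings: List[str] = []
    for name, role in users.items():
        if role not in VALID_ROLES:
            findings.append(f"{name}: role '{role}' is not a valid OS10 role")
        elif name not in approved:
            findings.append(f"{name}: no approved role on record for this account")
        elif approved[name] != role:
            findings.append(
                f"{name}: configured role '{role}' differs from approved role '{approved[name]}'"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_OUTPUT)
    for message in find_findings(parsed, APPROVED_ROLES):
        print("FINDING:", message)
```

Run against the constructed sample, the script reports only the "auditor" account, whose configured role (sysadmin) differs from its approved role (secadmin); "admin" and "op100" match and produce no output.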
✔️ Fix
Configure the OS10 Switch to assign appropriate user roles or access levels to authenticated users.

OS10(config)# username <name> password ********** role <sysadmin/netoperator/secadmin/netadmin>