The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-269787 | SRG-APP-000177-NDM-000263 | OS10-NDM-000490 | SV-269787r1052488_rule | 2024-12-11 | 1 |
## Description

Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals, or the status of their nonrepudiation, is considerably impaired during forensic analysis. A strength of using PKI as multifactor authentication (MFA) is that it can help ensure only the assigned individual is using their associated user account. This can only be accomplished if the network device is configured to enforce the relationship that binds PKI certificates to unique user accounts.

Local accounts (accounts created, stored, and maintained locally on the network device) should be avoided in favor of a centrally managed directory service. Local accounts empower the same workgroup that operates the network infrastructure to also control and manipulate access methods, creating operational autonomy. This undesirable approach breaks the concept of separation of duties. Additionally, local accounts are susceptible to poor cyber hygiene because they create another user database that must be maintained by the operator, whose primary focus is on running the network. Examples of such poor hygiene include dormant accounts that are not disabled or deleted, employees who have left the organization but whose accounts are still present, lapses in periodic password and hash rotation, password complexity shortcomings, increased exposure to insider threat, etc. For reasons such as these, local users on network devices are frequently the targets of cyber-attacks. Instead, organizations should adopt centrally managed account services, such as AAA implementations that use external RADIUS and LDAP directory service brokers.
## Check

If PKI-based authentication is not used as the MFA solution for interactive logins, this requirement is not applicable.

OS10 maps certificates to valid usernames by comparing the common name and user principal name in the certificate to the unique user account name. This check is applied by default unless name checking has been disabled in the security profile with the "no peer-name-check" setting.

Review the running-configuration to verify that X.509v3 authentication is enabled for SSH. Verify that the PKI-authenticated user is mapped to the effective local user account by ensuring that peer-name-check has not been disabled in the associated security profile ("no peer-name-check" is not present):

```
ip ssh server x509v3-authentication security-profile cacpiv-prof
...
crypto security-profile <profile-name>
 certificate <host-certificate-name>
 ocsp-check <ocsp-url>
...
```

If peer-name-check has been disabled in the security profile, this is a finding.
## Fix

Configure the OS10 Switch to use DOD PKI as MFA for interactive logins. Configure a named security profile to use for MFA, then configure the SSH server to enable authentication by PKI certificate:

```
OS10(config)# crypto security-profile <profile-name>
OS10(config-sec-profile)# certificate <host-certificate-name>
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# ocsp-check <ocsp-url>
OS10(config-sec-profile)# exit
OS10(config)# ip ssh server x509v3-authentication security-profile <profile-name>
```