The Dell OS10 Switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269793	SRG-APP-000395-NDM-000310	OS10-NDM-000740	SV-269793r1052419_rule	2024-12-11	1

Description
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Description

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

ℹ️ Check
Review the OS10 Switch configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-HMAC. Step 1: Review the FIPS status to verify that FIPS mode is enabled, as shown below: OS10# show fips status FIPS mode: Enabled Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023 FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021 OS10# Step 2: Review the SNMP configuration to verify that the server is configured to enforce authentication ({auth\|priv} {name}). Verify the SNMP user is configured for SHA authentication (auth sha): OS10(config)# show running-configuration snmp ! ... snmp-server group Group3 3 priv notify NOTIFY snmp-server host 10.10.10.10 traps version 3 priv User3 snmp-server user User3 Group3 3 encrypted auth sha ** priv aes ** If SNMP is not configured to enforce authentication or FIPS mode is not enabled, this is a finding.

ℹ️ Check

Review the OS10 Switch configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-HMAC. Step 1: Review the FIPS status to verify that FIPS mode is enabled, as shown below: OS10# show fips status FIPS mode: Enabled Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023 FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021 OS10# Step 2: Review the SNMP configuration to verify that the server is configured to enforce authentication ({auth|priv} {name}). Verify the SNMP user is configured for SHA authentication (auth sha): OS10(config)# show running-configuration snmp ! ... snmp-server group Group3 3 priv notify NOTIFY snmp-server host 10.10.10.10 traps version 3 priv User3 snmp-server user User3 Group3 3 encrypted auth sha **** priv aes **** If SNMP is not configured to enforce authentication or FIPS mode is not enabled, this is a finding.

✔️ Fix
Configure the OS10 Switch to authenticate SNMP messages using a FIPS-validated Keyed-HMAC. Ensure FIPS mode is enabled. OS10(config)# crypto fips enable WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing! Continue? [yes/no(default)]:yes OS10(config)# Configure an SNMP user to enforce SHA authentication. OS10(config)# snmp-server group Group3 3 priv notify NOTIFY OS10(config)# snmp-server user User3 Group3 3 auth sha ******** priv aes ******** Configure the SNMP server to use version 3 and enforce SHA authentication (auth) or both SHA authentication and AES encryption (priv). OS10(config)# snmp-server host 10.10.10.10 version 3 priv User3 snmp

✔️ Fix

Configure the OS10 Switch to authenticate SNMP messages using a FIPS-validated Keyed-HMAC. Ensure FIPS mode is enabled. OS10(config)# crypto fips enable WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing! Continue? [yes/no(default)]:yes OS10(config)# Configure an SNMP user to enforce SHA authentication. OS10(config)# snmp-server group Group3 3 priv notify NOTIFY OS10(config)# snmp-server user User3 Group3 3 auth sha ********** priv aes ********** Configure the SNMP server to use version 3 and enforce SHA authentication (auth) or both SHA authentication and AES encryption (priv). OS10(config)# snmp-server host 10.10.10.10 version 3 priv User3 snmp