If the HP FlexFabric Switch uses mandatory access control, the HP FlexFabric Switch must enforce organization-defined mandatory access control policies over all subjects and objects.

An XCCDF Rule

Description

<VulnDiscussion>Mandatory access control policies constrain what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. Enforcement of mandatory access control is typically provided via an implementation that meets the reference monitor concept. The reference monitor enforces (mediates) access relationships between all subjects and objects based on privilege and need to know. The mandatory access control policies are defined uniquely for each network device, so they cannot be specified in the requirement. An example of where mandatory access control may be needed is to prevent administrators from tampering with audit objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-80755r1_rule
Severity: Medium
References: CCI-000366 CCI-003014
Updated: about 1 year ago

Configure the HP FlexFabric Switch to enforce organization-defined mandatory access control policies over all subjects and objects. Below is an example how to configure a user-role and assign it to a user:

Create the user role role1: 
 [HP] role name role1

Configure rule 1 to permit the user role to access read commands of all features: 
[HP-role-role1] rule 1 permit read feature

Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view: 

[HP-role-role1] rule 2 permit command system-view ; vlan *

Change the VLAN policy to permit the user role to configure only VLANs 10 to 20: 

[HP-role-role1] vlan policy deny
[HP-role-role1-vlanpolicy] permit vlan 10 to 20
[HP-role-role1-vlanpolicy] quit
[HP-role-role1] quit

Create a management local user named user1 and enter its view: 

[HP] local-user user1 class manage

Set a password for the user: 

[HP-luser-manage-user1] password simple xxxxxx

Set the service type to SSH: 

[HP-luser-manage-user1] service-type ssh

Assign role1 to the user: 

[HP-luser-manage-user1] authorization-attribute user-role role1

To make sure that the user has only the permissions of role1, remove the user from the default user role network-operator: 

[HP-luser-manage-user1] undo authorization-attribute user-role network-operator
[HP-luser-manage-user1] quit

If the HP FlexFabric Switch uses mandatory access control, the HP FlexFabric Switch must enforce organization-defined mandatory access control policies over all subjects and objects.

Description

Remediation - Manual Procedure