The Dell OS10 Switch must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269775 | OS10-NDM-000320 | SV-269775r1051710_rule | CCI-003992 | medium |
| Description | ||||
| Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA). | ||||
| STIG | Date | |||
| Dell OS10 Switch NDM Security Technical Implementation Guide | 2024-12-11 | |||
Details
Check Text (C-269775r1051710_chk)
Determine if the OS10 Switch prevents the installation of patches, service packs, or application components without verifying the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Image install commands verify signatures if OS10 secure-boot is enabled. Verify that OS10 secure-boot feature is enabled with the following command:
OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected: yes
BIOS secure boot:
BIOS Secure boot configured: yes
If BIOS Secure boot is not configured, this is a finding.
Fix Text (F-73709r1051709_fix)
Install OS10 images with digital signature verification using the following command.
Enable OS10 secure-boot, if necessary, with the following command. Reload the switch after enabling secure boot.
OS10# secure-boot enable
With OS10 secure-boot enabled, install OS10 images with the following command:
OS10# image secure-install <image-filepath> {sha256 signature <signature-filepath> | gpg signature <signature-filepath> | pki signature <signature-filepath> publickey
<key-file>}