The HP FlexFabric Switch must have a local account that will only be used as an account of last resort with full access to the network device.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-217483 | HFFS-ND-000140 | SV-217483r961863_rule | CCI-000366 | high |

Description

In the event the network device loses connectivity to the management network authentication service, only a local account can gain access to the switch to perform configuration and maintenance. Without this capability, the network device is inaccessible to administrators.

| STIG | Date |
|---|---|
| HP FlexFabric Switch NDM Security Technical Implementation Guide | 2025-06-12 |
Related Frameworks
4 paths across 3 frameworks
NIST 800-53 (1 mapping)
CM-6
1.00
- DISA · V1R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (2 mappings)
3.4.1
1.00
- DISA · V1R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000366
1.00
- DISA · V1R4 · disa_xccdf · related
Details
Check Text (C-217483r961863_chk)
Verify that the switch is configured with a local user that has full access by entering the following command: display local-user user-name <name of user account>.
The user role list should contain the following: network-admin, network-operator.
If the switch does not have a local user with full access, this is a finding.
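The check above can be automated against saved command output. The following is an added example, not part of the STIG or of HP's tooling; it assumes the output of `display local-user user-name <name of user account>` has been captured as text and carries a "User role list:" line with comma-separated roles. The sample output is constructed, and its layout beyond that field name is an assumption.

```python
import re

REQUIRED_ROLES = {"network-admin", "network-operator"}

# Constructed sample of `display local-user user-name adminxxx` output.
# The layout is an assumption; only the "user role list" field is named
# in the check text.
SAMPLE_COMPLIANT = """\
Device management user adminxxx:
  State:                     Active
  Service type:              Terminal
  Authorization attributes:
    User role list:          network-admin, network-operator
"""

# Same account with the network-admin role missing (constructed).
SAMPLE_FINDING = SAMPLE_COMPLIANT.replace("network-admin, ", "")

# [ \t]* instead of \s* so an empty role list cannot swallow the next line.
ROLE_LINE = re.compile(r"^[ \t]*User role list:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)


def user_roles(display_output):
    """Return the roles listed for the single account shown in the output."""
    roles = set()
    for match in ROLE_LINE.finditer(display_output):
        roles.update(r.strip().lower() for r in match.group(1).split(",") if r.strip())
    return roles


def check_last_resort_account(display_output):
    """Return (is_finding, missing_roles); empty output (no such user) is a finding."""
    missing = REQUIRED_ROLES - user_roles(display_output)
    return bool(missing), sorted(missing)


if __name__ == "__main__":
    for name, text in (("compliant", SAMPLE_COMPLIANT), ("finding", SAMPLE_FINDING)):
        finding, missing = check_last_resort_account(text)
        print(name, "FINDING" if finding else "not a finding", missing)
```
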
Fix Text (F-18705r293125_fix)
Configure the switch with a local user account that has the network-admin and network-operator roles.
[5900]local-user adminxxx
[5900-luser-manage-adminxxx]authorization-attribute user-role network-admin (or level=15)
[5900-luser-manage-adminxxx]authorization-attribute user-role network-operator
[5900-luser-manage-adminxxx]service-type terminal
[5900-luser-manage-adminxxx]password hash xxxxxxxxxxxxxx