Dell PowerSwitch S5212F-ON SmartFabric OS10 Security Best Practices Guide July - Page 7
Users, roles, and privilege levels
Page 7 highlights
Rationale: Validate an OS10 image file at any time by verifying its signature, to ensure that the OS10 image is not compromised.
Configuration:
OS10# image verify image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}

Validate OS10 kernel, system binaries, and startup configuration file
Rationale: Validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup. Validating these files at startup ensures that the system does not load a compromised file.
Configuration:
OS10# secure-boot verify {kernel | file-system-integrity | startup-config}

Validate OS10 upgrade image files
Rationale: Validate the digital signature in the image files before installing an OS10 upgrade. Use the following command to validate an OS10 image before installing it.
Configuration:
OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}
NOTE: When secure boot is enabled, you can only upgrade OS10 using the image secure-install command.

Validate OS10 image before ONIE OS manual installation
Rationale: When secure boot is enabled and you manually install an OS10 image using ONIE, you can validate the image using PKI or SHA256.
Configuration:
OS10# onie-nos-install image_url pki signature_filepath certificate_filepath
Or
OS10# onie-nos-install image_url sha256 signature_filepath

Users, roles, and privilege levels
A password controls terminal access to a switch, but you can increase security by limiting user access to a subset of commands using privilege levels.

Create users, assign roles, and privilege levels
Rationale: Controlling terminal access to a switch is one method of securing the device and network. To increase security, you can limit user access to a subset of commands using privilege levels.
Configuration:
• Create privilege levels in CONFIGURATION mode.
  OS10(config)# privilege mode priv-lvl privilege-level command-string
  ○ mode - Enter the privilege mode used to access CLI modes:
    ▪ exec - Accesses EXEC mode.
    ▪ configure - Accesses class-map, DHCP, logging, monitor, openFlow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
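
Added example (not from the Dell guide): an off-box pre-check for the sha256 option of the image validation commands earlier on this page, run on the staging host before an image is copied to the switch. It assumes the signature file holds a hex SHA-256 digest, either bare or in sha256sum style; the file names and sample bytes are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# A standalone 64-character hex string; longer hex runs (e.g. SHA-512) do not match.
_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")

def read_expected_digest(digest_path):
    """Return the single SHA-256 hex digest in the file, lowercased.

    Assumed format: a bare digest or a sha256sum-style 'digest  filename' line.
    """
    found = _HEX64.findall(Path(digest_path).read_text(errors="replace"))
    if len({d.lower() for d in found}) != 1:
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(found)}")
    return found[0].lower()

def sha256_of(image_path, chunk_size=1 << 20):
    """Stream the image so a large installer is never loaded into memory at once."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def image_matches(image_path, digest_path):
    """True only if the image hashes to the digest recorded in digest_path."""
    expected = read_expected_digest(digest_path)
    return hmac.compare_digest(sha256_of(image_path), expected)

def demo():
    """Constructed sample: a stand-in image and digest file, then a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d, "os10-sample.bin")  # constructed name, not a real image
        image.write_bytes(b"constructed image bytes" * 1000)
        digest = Path(d, "os10-sample.bin.sha256")
        digest.write_text(f"{sha256_of(image)}  {image.name}\n")
        ok = image_matches(image, digest)
        image.write_bytes(image.read_bytes() + b"\x00")  # one appended byte
        modified = image_matches(image, digest)
        return ok, modified

if __name__ == "__main__":
    print(demo())
```

A matching digest shows only that the image equals what the digest file describes; it says nothing about origin unless the digest file itself came over a trusted channel, which is the gap the gpg and pki options close with a signature.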