API Guide

Check if FIPS is enabled
Use the following command to verify whether FIPS is enabled on the system:
OS10# show fips status
FIPS mode: Disabled
Enable and configure secure boot
OS10 secure boot provides a mechanism to verify the authenticity and integrity of the OS10 image. Secure boot protects a
system from malicious code being loaded and run during the boot process. Use the secure boot feature to validate the OS10
image during installation and on demand at any time.
Enable secure boot
Rationale: Enabling the secure boot feature prevents a compromised kernel and system binaries from loading during the boot
operation.
Configuration:
OS10(config)# secure-boot enable
OS10(config)# exit
OS10# write memory
Protect the startup configuration file
Rationale: Protecting the startup configuration file saves a protected copy of the current startup config file internally. During
switch boot up, the protected version of the startup configuration is loaded. Protecting the startup configuration file ensures
that a compromised configuration file is not loaded when the system boots.
Configuration:
OS10(config)# secure-boot protect startup-config
OS10(config)# exit
OS10# write memory
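An audit check for the settings covered so far, added here as an example and not taken from the Dell guide. It assumes the two secure-boot commands appear verbatim as lines in a saved configuration export and that an enabled system reports "FIPS mode: Enabled"; the function names and sample inputs are constructed for illustration.

```python
import re

# Lines this page configures in CONFIGURATION mode.
# Assumption: they appear verbatim in the exported configuration text.
REQUIRED_CONFIG = ("secure-boot enable", "secure-boot protect startup-config")


def fips_enabled(status_output):
    """Parse `show fips status` output: True/False, or None if unparseable."""
    # Assumption: the enabled state prints "Enabled"; the page only shows
    # "Disabled". Any other value is treated as not enabled (fail closed).
    m = re.search(r"^\s*FIPS mode:\s*(\S+)\s*$", status_output, re.M | re.I)
    if m is None:
        return None
    return m.group(1).lower() == "enabled"


def audit(status_output, config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    state = fips_enabled(status_output)
    if state is None:
        findings.append("FIPS status could not be parsed")
    elif not state:
        findings.append("FIPS mode is not enabled")
    # Normalise: strip indentation, skip blank lines and '!' comment lines.
    lines = {ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")}
    for required in REQUIRED_CONFIG:
        if required not in lines:
            findings.append("missing config line: " + required)
    return findings


# Constructed sample inputs (not captured from a real switch).
SAMPLE_FIPS = "OS10# show fips status\nFIPS mode: Disabled\n"
SAMPLE_CONFIG = """\
! constructed configuration excerpt
hostname OS10
secure-boot enable
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_FIPS, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Because the match is on whole lines, a negated or partial form of either command is reported as missing rather than silently accepted.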
Validate OS10 image file on demand
Rationale: Validate an OS10 image file at any time by verifying the signature of the image file, to ensure that the OS10 image
is not compromised.
Configuration:
OS10# image verify image-filepath {sha256 signature signature-filepath | gpg signature
signature-filepath | pki signature signature-filepath public-key key-file}
Validate OS10 kernel, system binaries, and startup configuration file
Rationale: Validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup. Validating
these files at startup ensures that the system does not load a compromised file.
Configuration:
OS10# secure-boot verify {kernel | file-system-integrity | startup-config}
Validate OS10 upgrade image files
Rationale: Validate the digital signature in the image files before installing an OS10 upgrade. You can use the following
command to validate an OS10 image before installing.
OS10 security best practices