Dell EMC SmartFabric OS10 Security Best Practices Guide, May 2021
- OS10 security best practices
Configuration:
OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}
NOTE: When secure boot is enabled, you can only upgrade OS10 using the image secure-install command.
Validate OS10 image before ONIE OS manual installation
Rationale: When secure boot is enabled and you manually install an OS10 image using ONIE, you can validate the image using PKI or SHA256.
Configuration:
OS10# onie-nos-install image_url pki signature_filepath certificate_filepath
Or
OS10# onie-nos-install image_url sha256 signature_filepath
Check if secure boot is enabled and the file integrity status
Use the following commands to check the status of the secure boot operation and the file integrity status:
OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected : yes
OS10# show secure-boot file-integrity-status
File Integrity Status: OK
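A small audit helper that checks the output of the two show commands above against the expected values (every status line "yes", file integrity "OK"). This is an added example, not part of the Dell guide; the sample output is constructed to mirror the format shown above, with one field deliberately non-compliant so that the check reports a finding.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the "show secure-boot" commands
# quoted above; the values are examples, not captured from a real switch.
SECURE_BOOT_STATUS = """\
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected : no
"""
FILE_INTEGRITY_STATUS = "File Integrity Status: OK\n"

# Expected (compliant) value for every field the two commands report.
BASELINE = {
    "last boot was via secure boot": "yes",
    "secure boot configured": "yes",
    "latest startup config protected": "yes",
    "file integrity status": "ok",
}


def parse_kv(output: str) -> Dict[str, str]:
    """Parse 'Field : value' lines into a dict with lower-cased keys and values."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields


def audit_secure_boot(status_out: str, integrity_out: str) -> List[str]:
    """Return a list of findings; an empty list means the switch is compliant."""
    observed = {}
    observed.update(parse_kv(status_out))
    observed.update(parse_kv(integrity_out))
    findings = []
    for field, expected in BASELINE.items():
        actual = observed.get(field)
        if actual is None:
            findings.append(f"missing field: {field!r}")
        elif actual != expected:
            findings.append(f"{field}: expected {expected!r}, got {actual!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_secure_boot(SECURE_BOOT_STATUS, FILE_INTEGRITY_STATUS):
        print("FINDING:", finding)
```

Feed the function the captured output of both commands (for example, collected over SSH by your configuration-audit tooling) and treat any non-empty result as a deviation from this guide's baseline.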
Users, roles, and privilege levels
A password controls terminal access to a switch, but you can increase security further by limiting each user's access to a subset of commands using privilege levels.
Create users, assign roles, and privilege levels
Rationale: Controlling terminal access to a switch is one method of securing the device and network. To increase security, you can limit user access to a subset of commands using privilege levels.
Configuration:
● Create privilege levels in CONFIGURATION mode.
OS10(config)# privilege mode priv-lvl privilege-level command-string
○ mode—Enter the privilege mode used to access CLI modes:
■ exec—Accesses EXEC mode.
■ configure—Accesses class-map, DHCP, logging, monitor, openFlow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
■ interface—Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port channel, and VLAN modes.
■ route-map—Accesses route-map mode.
■ router—Accesses router-bgp and router-ospf modes.
■ line—Accesses line-vty mode.
○ priv-lvl privilege-level—Enter the number of a privilege level, from 2 to 14.
○ command-string—Enter the commands supported at the privilege level.
● Create a username, password, assign a role, and assign a privilege level in CONFIGURATION mode.
OS10(config)# username username password password role role priv-lvl privilege-level