AOS must limit the number of concurrent sessions to a maximum of three for each administrator account and/or administrator account type.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-266903 | ARBA-ND-000200 | SV-266903r1039730_rule | Medium |
Description |
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. At a minimum, limits must be set for Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and account of last resort. |
STIG | Date |
HPE Aruba Networking AOS NDM Security Technical Implementation Guide | 2024-10-29 |
Details
Check Text (C-70827r1039728_chk) |
Verify the AOS configuration with the following command: show mgmt-user admin If "Max-concurrent-sessions" is not set to "3", this is a finding. |
Fix Text (F-70730r1039729_fix) |
Configure AOS with the following commands: configure terminal mgmt-user admin root max-concurrent-sessions 3 Enter the admin's password Reenter the admin's password write memory |