{"stig":{"title":"HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide","version":"2","release":"1"},"checks":[{"vulnId":"V-255270","ruleId":"SV-255270r958478_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential web-services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The web-services component must be configured for it to start. If it is not required by the mission, then it must be disabled.","checkContent":"Verify the state of the Optional capabilities on the array.\n\ncli% showwsapi\n\nIf the service state is not \"Disabled\", and the web-services functionality is not being used, this is a finding.\n\nIf web services functionality is required, this is not applicable.","fixText":"If web services functionality is not required, stop and disable web-services:\n\ncli% stopwsapi -f","ccis":["CCI-000381"]},{"vulnId":"V-255271","ruleId":"SV-255271r986305_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to terminate all network connections associated with a communications session at the end of the session, or after 10 minutes of inactivity.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nIf a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.\n\nUnder normal circumstances, a service user would log out of the array when maintenance is complete, and the session/connection would be terminated. Setting an acceptable inactivity timeout will guarantee that sessions cannot remain idle if they were not cleanly terminated.\n\nSatisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109","checkContent":"Verify the current SessionTimeout setting:\n\ncli% showsys -param\n\nFind the SessionTimeout line in the output. If the value is not \"00:10:00\", this is a finding.","fixText":"Set the SessionTimeout value to 10 minutes:\n\ncli% setsys SessionTimeout 10m","ccis":["CCI-001133","CCI-002361"]},{"vulnId":"V-255272","ruleId":"SV-255272r958408_rule","severity":"high","ruleTitle":"The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, 
non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.\n\nThe HPE 3PAR OS supports communication security in compliance with DOD requirements. These include TLS1.2 protocols, encryption supplied by a FIPS140-2 library, and using specific cipher suites in a subset of the CNSA guidelines. Configuration is required to restrict the available algorithms to a subset of those approved by the DOD.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000096-GPOS-00050, SRG-OS-000112-GPOS-00057, SRG-OS-000250-GPOS-00093, SRG-OS-000480-GPOS-00227, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000297-GPOS-00115, SRG-OS-000074-GPOS-00042","checkContent":"Verify that insecure ports are disabled.\n\ncli%  setnet disableports yes\n\nTo confirm the operation, enter\n\"cli%  y\"\nand press \"Enter\".\n\nIf an error is reported, this is a finding.\n\nIf available, a port scan can also verify that only secure ports are open. 
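Added example for the port-scan step of V-255272 (editor-supplied Python, not text or code from the STIG or from HPE): it parses nmap's normal output and reports any open port outside the set the check text permits. Assumptions: the scan output was saved and is passed in as a string, the CIM and WSAPI ports are the 5989/8088 defaults unless the caller overrides them, and the embedded sample scan with its 192.0.2.10 address is constructed, not a real result.

```python
import re
from typing import Dict, List, Tuple

# Ports named in the check text. CIM (5989) and WSAPI (8088) are marked
# "configurable" on the array, so the caller passes the values actually in use.
FIXED_ALLOWED_PORTS = {22, 123, 161, 162, 5783}

# nmap's normal output lists each port as, e.g., "22/tcp  open  ssh  OpenSSH ...".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s*(.*)$")

# Constructed sample of nmap -sT -sU -sV output (not a real scan); the
# target is a TEST-NET address and port 80 is the deliberate violation.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT      STATE         SERVICE  VERSION
22/tcp    open          ssh      OpenSSH 7.4 (protocol 2.0)
80/tcp    open          http     Apache httpd
5783/tcp  open          unknown
5989/tcp  open          ssl/wbem
8088/tcp  open          ssl/http
123/udp   open          ntp
161/udp   open          snmp
500/udp   open|filtered isakmp
"""


def parse_nmap_ports(output: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, protocol, state, service/version) for every port line."""
    ports = []
    for line in output.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            port, proto, state, rest = match.groups()
            ports.append((int(port), proto, state, " ".join(rest.split())))
    return ports


def check_open_ports(output: str, cim_port: int = 5989,
                     wsapi_port: int = 8088) -> Dict[str, List[str]]:
    """Split scanned ports into STIG findings and items for manual review.

    A port nmap reports as "open" outside the permitted set is a finding.
    UDP ports reported "open|filtered" got no reply, so nmap cannot tell
    open from filtered; they are listed for manual review, not as findings.
    """
    allowed = FIXED_ALLOWED_PORTS | {cim_port, wsapi_port}
    result: Dict[str, List[str]] = {"findings": [], "review": []}
    for port, proto, state, rest in parse_nmap_ports(output):
        label = f"{port}/{proto} {state} {rest}".strip()
        if state == "open" and port not in allowed:
            result["findings"].append(label)
        elif state == "open|filtered":
            result["review"].append(label)
    return result


if __name__ == "__main__":
    for kind, items in check_open_ports(SAMPLE_NMAP_OUTPUT).items():
        print(f"{kind}: {items}")
```

The check keys on port number only, exactly as the check text does; it does not assume a protocol per port. Anything in the review list should be confirmed against the array's own service state (for example showwsapi) before being written up as a finding.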
From a command shell on a Linux workstation in the operational environment (not from the 3PAR CLI), enter the following command:\n$ nmap -sT -sU -sV --version-all -vv -p 1-65535 <ip address of storage system>\n\nIf any port is listed other than SSHD(22), NTP(123), SNMP(161,162), 3PAR Mgmt Intfc (5783), CIM (5989/configurable), or WSAPI (8088/configurable), this is a finding.","fixText":"To disable all unencrypted ports, use the command:\n\ncli%  setnet disableports yes\n\nTo confirm the operation, enter\n\"cli%  y\"\nand press \"Enter\".","ccis":["CCI-000068","CCI-000197","CCI-000366","CCI-000382","CCI-001453","CCI-002314","CCI-002418","CCI-002420","CCI-002421","CCI-002422","CCI-002890","CCI-003123"]},{"vulnId":"V-255273","ruleId":"SV-255273r971535_rule","severity":"high","ruleTitle":"The HPE 3PAR OS must be configured to initialize its FIPS module to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.","checkContent":"Verify the status of FIPS operation mode:\n\ncli% controlsecurity fips status\n\nIf the output indicates FIPS mode is disabled, this is a finding.\n\nIf the output shows CIM is disabled, and CIM is an essential service for the mission, this is a finding.\n\nIf the output shows VASA is disabled, and VASA is an essential service for the mission, this is a finding.\n\nIf the output shows WSAPI is disabled, and WSAPI is an essential service for the mission, this is a finding.\n\nIf the output shows any other service status as Disabled, this is a finding.","fixText":"To initialize the FIPS module, use:\n\ncli% controlsecurity fips enable\n\nWarning: Enabling FIPS mode requires restarting all system management interfaces, 
which will terminate ALL existing connections including this one.\nWhen that happens, you must reconnect to continue.\nContinue enabling FIPS mode (yes/no)?\nyes\n\nAfter reconnecting, verify FIPS mode with:\ncli% controlsecurity fips status","ccis":["CCI-000803"]},{"vulnId":"V-255274","ruleId":"SV-255274r958870_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to implement cryptographic mechanisms to prevent the unauthorized modification or disclosure of all information at rest on all operating system components.","description":"Operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nThe HPE 3PAR OS protects data at rest through the use of Self-Encrypting Drives, and a licensed feature that takes ownership of them. 
The feature requires an authorized installer to install and activate it.\n\nSatisfies: SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184","checkContent":"Review the requirements by the Information Owner to discover whether the system stores sensitive or classified information.\n\nIf the system does not store sensitive or classified information, this requirement is not applicable.\n\nIf the system does store sensitive or classified information, use the following command to display the state of encryption:\n\ncli% controlencryption status\n\nIf Licensed, Enabled, or BackupSaved is not \"Yes\", or Keystore is not \"EKM\", this is a finding.","fixText":"Contact an authorized service partner to install and configure the encryption license feature.","ccis":["CCI-002475","CCI-002476"]},{"vulnId":"V-255275","ruleId":"SV-255275r958424_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to send SNMP alerts to alert in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nThe HPE 3PAR OS will send an SNMP trap event on any failure of audit components (failure to write a record, failure to send to remote syslog server, etc.). All of these conditions are automatically recovered in the short term. 
Configuration of the SNMP consumer is required to facilitate collection of these events.","checkContent":"Verify an SNMPv3 user account is configured:\ncli%  showsnmpuser\n\nUsername                        | AuthProtocol    | PrivProtocol\n3parsnmpuser                | HMAC SHA 96   |   CFB128 AES 128\n\nIf the output is not displayed in the above format, this is a finding.\n\nIdentify the SNMP trap recipient and report SNMP configuration:\n\ncli%  showsnmpmgr\n\n  HostIP                                            | Port  | SNMPVersion  | User\n <snmp trap recipient IP>        | 162    | 3                            | 3parsnmpuser\n\nIf the SNMP trap recipient IP address is incorrect, this is a finding.\n\nIf the SNMP port is not \"162\", this is a finding.\n\nIf the SNMP version is not \"3\", this is a finding.\n\nIf the SNMP user ID is incorrect, this is a finding.\n\nGenerate a test trap:\ncli%  checksnmp\n\nTrap sent to the following managers:\n< IP address of trap recipient>\n\nIf the response does not indicate a trap was successfully sent, this is a finding.","fixText":"To configure SNMPv3 alert notifications, use this sequence of operations.\n\nCreate and enable an SNMPv3 user, and create associated keys for authentication and privacy:\ncli% createuser 3parsnmpuser all browse\nEnter the password and confirm\n\ncli%  createsnmpuser 3parsnmpuser\nat the prompt, enter the password\nat the next prompt, re-enter the password.\n\nAdd the IP address of the SNMPv3 trap recipient, where permissions of the account are used:\ncli%  addsnmpmgr -version 3 -snmpuser 3parsnmpuser  <ip address>","ccis":["CCI-000139"]},{"vulnId":"V-255276","ruleId":"SV-255276r958758_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be 
aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.\n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).\n\nIn HPE 3PAR OS, all event logging responsibility is shared among the clustered nodes. If one node should panic, a surviving node will issue an SNMP trap, and take over event log management, recording the failure messages from the panicking node. If the panicking node was also the network owner (responsible for communications with outside entities such as the SIEM system), another node will take over the network ownership. Any messages not yet sent will be sent to the SIEM system at this time. When the panicked node reboots, it will simply rejoin the cluster as a participant.","checkContent":"Verify that an SNMPV3 user account is configured:\n\ncli% showsnmpuser\n\nUsername                        | AuthProtocol    | PrivProtocol\n<someusername>   | HMAC SHA 96   |   CFB128 AES 128\n\nIf the output is not in the above format, this is a finding.\n\nVerify the SNMP trap recipient and SNMP configuration:\n\ncli% showsnmpmgr\n\nIf the HostIP identified is not correct, this is a finding.\n\nIf the port is not 162, this is a finding.\n\nIf the version is not 3, this is a finding.\n\nIf the username does not match the user from above, this is a finding.\n\nSend a test trap and verify it is received:\n\ncli% checksnmp\n\nIf the response does not indicate a trap was successfully sent, this is a finding.","fixText":"Configure SNMPV3 notifications.\n\nCreate an SNMPV3 user, and create associated keys for authentication and privacy.\n\ncli% createsnmpuser <someusername>\nwhere \"<someusername>\" is the desired username, and then enter a password at the prompts.\n\nAdd the 
SNMP trap recipient and the user just created.\n\ncli%  addsnmpmgr -version 3 -snmpuser <someusername> <ipaddress>\nwhere \"<someusername>\" is the user created above, and \"<ipaddress>\" is the address of the SNMPV3 trap recipient.\n\nGenerate a test trap:\ncli% checksnmp\n\nVerify that a trap was received by the manager specified.","ccis":["CCI-001858"]},{"vulnId":"V-255277","ruleId":"SV-255277r986303_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
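Added example covering the identical showsnmpuser/showsnmpmgr checks in V-255275 and V-255276 (editor-supplied Python, not from the STIG or from HPE): it parses the pipe-separated tables in the form the check text shows and returns one finding per violated condition. The sample tables, their TEST-NET addresses and the deliberately wrong second manager are constructed; the list of authorized trap recipients is site data the caller supplies.

```python
from typing import Dict, Iterable, List, Optional

# The protocols the check text expects on the SNMPv3 user.
REQUIRED_AUTH = "HMAC SHA 96"
REQUIRED_PRIV = "CFB128 AES 128"

# Constructed samples in the pipe-separated layout the check text shows.
# The second manager (192.0.2.51, SNMP version 2) is deliberately wrong.
SHOWSNMPUSER = """\
Username     | AuthProtocol | PrivProtocol
3parsnmpuser | HMAC SHA 96  | CFB128 AES 128
"""
SHOWSNMPMGR = """\
HostIP      | Port | SNMPVersion | User
192.0.2.50  | 162  | 3           | 3parsnmpuser
192.0.2.51  | 162  | 2           | 3parsnmpuser
"""


def parse_pipe_table(text: str) -> List[Dict[str, str]]:
    """Turn an 'a | b | c' table (first such line is the header) into dicts."""
    header: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # prompt echo, blank lines and other noise
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def check_snmp_config(user_output: str, mgr_output: str,
                      authorized_recipients: Iterable[str]) -> List[str]:
    """Return the findings for this configuration (an empty list is compliant)."""
    findings: List[str] = []
    users = parse_pipe_table(user_output)
    # Only users carrying the required auth and priv protocols count as valid.
    v3_users = {u["Username"] for u in users
                if u.get("AuthProtocol") == REQUIRED_AUTH
                and u.get("PrivProtocol") == REQUIRED_PRIV}
    if not v3_users:
        findings.append(f"no SNMPv3 user with {REQUIRED_AUTH} authentication "
                        f"and {REQUIRED_PRIV} privacy")
    managers = parse_pipe_table(mgr_output)
    if not managers:
        findings.append("no SNMP trap manager configured")
    authorized = set(authorized_recipients)
    for m in managers:
        host = m.get("HostIP", "?")
        if host not in authorized:
            findings.append(f"manager {host}: not an authorized trap recipient")
        if m.get("Port") != "162":
            findings.append(f"manager {host}: port is {m.get('Port')}, must be 162")
        if m.get("SNMPVersion") != "3":
            findings.append(f"manager {host}: SNMP version is "
                            f"{m.get('SNMPVersion')}, must be 3")
        if m.get("User") not in v3_users:
            findings.append(f"manager {host}: user {m.get('User')!r} is not "
                            f"a configured SNMPv3 user")
    return findings


if __name__ == "__main__":
    for finding in check_snmp_config(SHOWSNMPUSER, SHOWSNMPMGR, ["192.0.2.50"]):
        print("finding:", finding)
```

This validates only what the array reports about itself; the checksnmp test trap still has to be sent and confirmed as received at the manager, because a correct-looking configuration with a blocked UDP/162 path would pass this check and still fail the requirement.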
Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\nThe HPE 3PAR OS maintains an internal synchronization of node clocks, and aligns that with an NTP client always running on the network owner node when configured as shown.","checkContent":"Verify NTP is operational:\ncli% shownet\n\nIf any of the NTP Server lines in the output show an incorrect NTP Server address, this is a finding.\n\nIf only one NTP Server line is present, and it indicates \"None\" for the address, this is a finding.","fixText":"Enable NTP with:\n\ncli% setnet ntp -add <server ip address>\n\nThis command can be used multiple times to specify multiple NTP Servers.","ccis":["CCI-004923"]},{"vulnId":"V-255278","ruleId":"SV-255278r958362_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured for centralized account management functions via LDAP.","description":"Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors.\n\nA comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated, or by disabling accounts located in noncentralized account stores such as multiple servers. 
This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.\n\nThe automated mechanisms may reside within the operating system itself or may be offered by other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements.\n\nAccount management functions include assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example, using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.\n\nThe HPE 3PAR OS supports external account management via communication with LDAP-enabled technologies (OpenLDAP and Active Directory). Configuration is required to establish the external management relationship. Internally defined roles (SUPER, SERVICE, EDIT, BROWSE) are mapped to centrally defined user groups. Administrators attempting to log in are checked first against local accounts (for emergency purposes). If no local account exists, the central account management system is checked. 
Users that are successfully authenticated, are then checked for membership in the mapped groups to establish their authorization to access the system, if any, and at what role level.\n\nSatisfies: SRG-OS-000001-GPOS-00001, SRG-OS-000104-GPOS-00051, SRG-OS-000042-GPOS-00021","checkContent":"Determine if the system is configured for external account management.\nEnter the command\n\"cli% showauthparam\"\n\nIf the result returns an error, or these fields of the output are not configured, this is a finding.\nldap-server              <ip address of LDAP server> \nldap-server-hn      <host name of LDAP server>\nldap-type <RHDS | OPEN>\n\nIf ldap-type is \"MSAD\", this requirement is not applicable.\n\nIf the resulting Parameters DO NOT include the following group parameters, this is a finding.\ngroups-dn\ngroup-obj \ngroup-name-attr\n\nNext, verify that the LDAP authentication is operational by entering the command:\ncli%  checkpassword  <username>\nEnter the password for <username>\n\nIf the username and password used in checkpassword are known to be valid LDAP credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.\n\nuser <username>   is authenticated and authorized\n\nNote: checkpassword will fail even if LDAP is properly configured, if the username and password are not entered correctly.","fixText":"If Active Directory is in use, this requirement is not applicable.\n\nUse this series of commands to configure LDAP:\n\ncli% setauthparam -f ldap-type <type>  where type is RHDS or OPEN.\ncli%  setauthparam -f ldap-server        <ldap server IP address>\ncli%  setauthparam -f ldap-server-hn    <fully qualified domain name of ldap server, such as ldapserver.thisdomain.com>\ncli% setauthparam -f binding            simple\ncli% setauthparam -f ldap-StartTLS      require\ncli% setauthparam -f groups-dn          ou=Groups,dc=thisdomain,dc=com\ncli% setauthparam -f user-dn-base       ou=People,dc=thisdomain,dc=com\ncli% 
setauthparam -f user-attr          uid\ncli% setauthparam -f group-obj          groupofuniquenames\ncli% setauthparam -f group-name-attr    cn\ncli% setauthparam -f member-attr        uniqueMember\ncli% setauthparam -f browse-map          <customer-assigned name of browse role>   <customer-assigned name of \"browse\" group> \ncli% setauthparam -f edit-map          <customer-assigned name of edit role>   <customer-assigned name of \"edit\" group>\ncli% setauthparam -f service-map      <customer-assigned name of service role>   <customer-assigned name of \"service\" group>\ncli% setauthparam -f super-map          <customer-assigned name of super role>   <customer-assigned name of \"super\" group>","ccis":["CCI-000015","CCI-000135","CCI-000764"]},{"vulnId":"V-255279","ruleId":"SV-255279r958508_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to have only one emergency account that can be accessed without LDAP and that has full administrator privileges.","description":"While LDAP allows the storage system to support stronger authentication, and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in event the LDAP system is temporarily unavailable.\n\nA non-LDAP enabled emergency administrator account is required in the event that LDAP fails. This account will allow the organization to successfully administer the system during an LDAP outage. Once LDAP services have been restored, the password for this account must be changed and stored in a DOD approved safe.\n\nThe product requires at least one local account to be present. However, the administrator must still manually remove all other local accounts, except for the emergency account, after the product has been configured for operation.\n\nThe 3paradm account is a user bootstrap account. 
During installation, the user must use it to create a new local super user account. Once that is done, the 3paradm account must be removed.\n\nThe 3parsvc account is used internally by the system.\n\nThe 3parsnmpuser account was created in the fix text for HP3P-33-001300.","checkContent":"Verify that only essential local accounts are configured.\ncli% showuser\n\nIf the output shows users other than the three accounts below, this is a finding.\n--3paradm (or some other customer chosen account with \"super\" role)\n--3parsnmpuser\n--3parsvc","fixText":"Display users:\ncli% showuser\n\nRemove all accounts except:\n--3paradm (or other customer-created \"super\" role account)\n--3parsnmpuser\n--3parsvc\n\nUse the command:\ncli% removeuser <username>\nand confirm the operation with \"y\".","ccis":["CCI-001682"]},{"vulnId":"V-255280","ruleId":"SV-255280r986304_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nThe HPE 3PAR OS can be configured to have 15 characters (or more) for minimum password length. This setting affects local user accounts only, and only has an impact when a password is changed.\n\nPassword length for externally managed users is enforced by the external identity management system (LDAP/AD). This is a dependency on HP3P-33-001500/HP3P-33-101500. 
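Added example for the local-account check in V-255279 (editor-supplied Python, not from the STIG or from HPE): it reads showuser output and reports a finding unless exactly one account other than 3parsvc and 3parsnmpuser exists and that account holds the super role, which is the condition the check text describes whether the emergency account is 3paradm or a customer-chosen name. The four-column layout (Username, Domain, Role, Default) is an assumption about the CLI's output, and both sample listings are constructed.

```python
from typing import Dict, List

# Accounts the check text always permits besides the single emergency account.
SYSTEM_ACCOUNTS = {"3parsvc", "3parsnmpuser"}

# Constructed samples (not from a real array). The column layout
# Username/Domain/Role/Default is assumed; adjust parse_showuser if yours differs.
SHOWUSER_NONCOMPLIANT = """\
Username     Domain Role    Default
3paradm      all    super   N
3parsvc      all    service N
3parsnmpuser all    browse  N
jdoe         all    edit    N
"""
SHOWUSER_COMPLIANT = """\
Username     Domain Role    Default
emergadm     all    super   N
3parsvc      all    service N
3parsnmpuser all    browse  N
"""


def parse_showuser(text: str) -> Dict[str, str]:
    """Map each local username to its role, skipping the header and noise."""
    roles: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Username":
            continue
        roles[fields[0]] = fields[2]
    return roles


def check_local_accounts(text: str) -> List[str]:
    """Return findings: exactly one non-system local account, and it is super."""
    roles = parse_showuser(text)
    extra = sorted(u for u in roles if u not in SYSTEM_ACCOUNTS)
    if len(extra) != 1:
        return [f"expected exactly one local emergency account besides "
                f"{', '.join(sorted(SYSTEM_ACCOUNTS))}, found {len(extra)}: "
                f"{', '.join(extra) or 'none'}"]
    name = extra[0]
    if roles[name] != "super":
        return [f"emergency account {name} has role {roles[name]}, must be super"]
    return []


if __name__ == "__main__":
    print("noncompliant:", check_local_accounts(SHOWUSER_NONCOMPLIANT))
    print("compliant:   ", check_local_accounts(SHOWUSER_COMPLIANT))
```

Accounts reported as extra are the candidates for removeuser; the one that stays must be the super-role emergency account whose password is rotated and vaulted after any LDAP outage, as the description above requires.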
The HPE 3PAR OS does not supply an interface for modification of passwords maintained by external identity management systems.","checkContent":"Verify that the minimum password length is 15 characters:\n\ncli% showsys -d\n\nVerify that the line containing the string \"Minimum PW length\" shows \"15\" for the length. If it is not, this is a finding.","fixText":"Configure the minimum password length for a value of \"15\":\n\ncli%  setpassword -minlen 15\n\nNote: The user must have super-admin privileges to perform this action.","ccis":["CCI-004066"]},{"vulnId":"V-255281","ruleId":"SV-255281r958390_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088","checkContent":"Verify that the login banner is configured.\nEnter the following command:\n\ncli%  showbanner -all\n\nCLI banner:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nSSH banner:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the CLI or SSH logon banner is not displayed, or either banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.","fixText":"To configure the login banner, enter the command:\n\ncli%  setbanner -all\n\nPaste the following text:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nTo complete the configuration, press \"Enter\" twice.","ccis":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-255282","ruleId":"SV-255282r958752_rule","severity":"medium","ruleTitle":"The HPE 3PAR operating system must be configured to allocate audit record storage capacity to store at least one week of audit records, even though all audit records are immediately sent to a centralized audit record storage system (SIEM).","description":"To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the operating system.","checkContent":"To verify the logging capacity is set to the maximum value of \"4M\", enter the following command:\ncli%  showsys -param\n\nIn the resulting list of configured parameters and values, if the following line does not appear, this is a finding.\nEventLogSize : 4M","fixText":"Enter the following command to configure the audit logging capacity for the maximum storage value:\ncli%  setsys EventLogSize 4M","ccis":["CCI-001849"]},{"vulnId":"V-255283","ruleId":"SV-255283r958788_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the operating system include date and time. 
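Added example for the two showsys -param values this STIG pins, SessionTimeout in V-255271 and EventLogSize in V-255282 (editor-supplied Python, not from the STIG or from HPE): it parses the "Name : Value" lines the check text shows and reports any required parameter that is missing or differs from the required display value. The sample output is constructed (its non-compliant values are deliberate), and the required values are taken as the check text states them, 00:10:00 and 4M.

```python
from typing import Dict, List

# (parameter, required value as showsys -param displays it)
REQUIRED_PARAMS = [
    ("SessionTimeout", "00:10:00"),  # set with: setsys SessionTimeout 10m
    ("EventLogSize", "4M"),          # set with: setsys EventLogSize 4M
]

# Constructed sample in the "Name : Value" form the check text shows; both
# pinned values are deliberately non-compliant. Not from a real array.
SHOWSYS_PARAM = """\
System parameters from configured settings

            RemoteSyslog : 1
RemoteSyslogSecurityHost : syslog.example.com
            EventLogSize : 3M
          SessionTimeout : 01:00:00
"""


def parse_showsys_param(text: str) -> Dict[str, str]:
    """Parse 'Name : Value' lines into a dict, ignoring everything else."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        # partition on the first " : " so values containing ':' (times) survive
        name, _, value = line.partition(" : ")
        params[name.strip()] = value.strip()
    return params


def check_sys_params(text: str) -> List[str]:
    """Return one finding per required parameter that is missing or wrong."""
    params = parse_showsys_param(text)
    findings: List[str] = []
    for name, required in REQUIRED_PARAMS:
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} not present in showsys -param output")
        elif actual != required:
            findings.append(f"{name} is {actual}, must be {required}")
    return findings


if __name__ == "__main__":
    for finding in check_sys_params(SHOWSYS_PARAM):
        print("finding:", finding)
```

The comparison is on the displayed string, which is what the check text specifies; setsys accepts "10m" but showsys -param reports it as 00:10:00, so compare against the reported form rather than the value typed into setsys.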
Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.","checkContent":"To verify the time zone is configured, enter:\n\ncli% showdate\n\nIf the time zone field is not configured, this is a finding.","fixText":"Configure the time zone by first identifying the time zone indicator:\n\ncli% setdate -tzlist\n\nThen configure the timezone with:\n\ncli% setdate -tz <timezone identifier from above>\n\nIf UTC is to be used, complete the operation with:\n\ncli% setdate -tz Etc/UTC\n\nVerify the timezone is set with:\ncli% showdate","ccis":["CCI-001890"]},{"vulnId":"V-255284","ruleId":"SV-255284r958754_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to offload audit records onto a different system or media from the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOffloading is a common process in information systems with limited audit storage capacity.\n\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224","checkContent":"Verify offloading of security syslog events with \n\ncli% showsys -d\n\nFind the output section \"Remote Syslog Status\".\n\nIf \"Active\" is not \"1\", this is a finding.\n\nIf \"Security Server\" is not defined, this is a finding.\n\nIf \"Security Connection\" is not \"TLS\", this is a finding.","fixText":"Configure the remote syslog host:\n\ncli% setsys RemoteSyslogSecurityHost <hostname> <address-spec> [:port]\n\nThe hostname, and address are both required. If both IPv4 and IPv6 addresses are supplied, the IPv6 address must be enclosed in []. 
The default port is 6514 utilizing TLS.\n\nImport the ca certificate that will have signed the syslog server:\n\ncli% importcert syslog-sec-server -ca stdin\n\nCopy and paste the PEM format of the appropriate CA as instructed.\n\nConfigure the system to utilize remote syslog:\n\ncli% setsys RemoteSyslog 1","ccis":["CCI-001851"]},{"vulnId":"V-255285","ruleId":"SV-255285r987791_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government, since this provides assurance they have been tested and validated.\n\nThe HPE 3PAR OS can be configured to use FIPS validated cryptographic methods for communications secrecy. 
It also has an encryption license feature that controls the handling of Self-Encrypting backend drives, which requires an authorized service provider for install and activation.\n\nSatisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223","checkContent":"Verify the status of the FIPS communication library:\n\ncli% controlsecurity fips status\n\nIf the line \"FIPS Mode:\" is not \"Enabled\", this is a finding.\n\nIf any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding.\n\nIf CIM, VASA, or WSAPI are \"Disabled\", and the mission requires any of these services, this is a finding.\n\nReview the requirements by the Information Owner to determine if the system will store sensitive or classified information.\n\nIf the mission does not store sensitive, or classified information, the remainder of the check is not applicable.\n\nIf the mission stores classified data, check the status of backend drive encryption:\n\ncli% controlencryption status\n\nIf Licensed, Enabled, or BackupSaved are \"no\", or the keystore is not EKM, this is a finding.","fixText":"Set the communications encryption module into fips mode:\n\ncli% controlsecurity fips enable\n\nIf the mission stores classified information, contact an authorized service provider to install and configure the licensed encryption feature.","ccis":["CCI-002450"]},{"vulnId":"V-255286","ruleId":"SV-255286r958452_rule","severity":"high","ruleTitle":"The HPE 3PAR OS must map the authenticated identity to the user account for PKI-based authentication.","description":"Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.\n\nPKI authentication is performed by the HPE 3PAR SSMC, and the authenticated user's identity is extracted from the certificate and forwarded to the HPE 3PAR OS over a mutually authenticated TLS channel. 
The HPE 3PAR OS then queries/authorizes the identity in the external Account Management system (LDAP/AD), and authorizes the individual as appropriate based on that. The ldap-2fa-cert-field is used to tell the SSMC which field to extract from the user certificate. The ldap-2fa-object-attr is used to search the account management system for an account with a matching attribute.","checkContent":"Verify that the two factor authentication (2fa) parameters are set:\n\ncli% showauthparam\nIf there is an error, or the output does not contain the following, this is a finding. \nldap-2fa-cert-field <fieldName>\nldap-2fa-object-attr <ldap object corresponding to cert field>","fixText":"To configure the two factor authentication parameters (2fa) to support PKI based authentication/authorization:\n\ncli% setauthparam -f ldap-2fa-cert-field <name of certificate field containing user identity string>\n\ncli% setauthparam -f ldap-2fa-object-attr <attribute in ldap object corresponding to cert field value>","ccis":["CCI-000187"]},{"vulnId":"V-255287","ruleId":"SV-255287r958868_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. 
There is no default set of CA certificates included in the product.","checkContent":"Check that a signed certificate and CA certificate have been imported:\n\ncli% showcert -service unified-server\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Create a CSR to be signed by an appropriate CA:\n\ncli% createcert unified-server -csr -CN <common name> -SAN <DNS:somednsname or  IP:someipaddress>\n\nCopy the output and give it to the CA for signing.\n\nInstall the root CA certificate bundle:\n\ncli% importcert unified-server -ca stdin\n\nCopy and paste the ca bundle contents as instructed.\n\nInstall the signed certificate from the ca:\n\ncli% importcert unified-server stdin\n\nCopy and paste the PEM format signed certificate contents as instructed.","ccis":["CCI-002470"]},{"vulnId":"V-255288","ruleId":"SV-255288r958362_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.","description":"Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors.\n\nA comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated, or by disabling accounts located in noncentralized account stores such as multiple servers. 
This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.\n\nThe automated mechanisms may reside within the operating system itself or may be offered by other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements.\n\nAccount management functions include: Assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: Using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.\n\nThe HPE 3PAR OS supports external account management via communication with LDAP-enabled technologies (OpenLDAP and Active Directory). Configuration is required to establish the external management relationship. Internally defined roles (SUPER, SERVICE, EDIT, BROWSE) are mapped to centrally defined user groups. Administrators attempting to log in are checked first against local accounts (for emergency purposes). If no local account exists, the central account management system is checked. 
Users that are successfully authenticated are then checked for membership in the mapped groups to establish their authorization to access the system, if any, and at what role level.\n\nSatisfies: SRG-OS-000001-GPOS-00001, SRG-OS-000042-GPOS-00021, SRG-OS-000104-GPOS-00051","checkContent":"Check with the Information Owner to verify if Active Directory will be used for Centralized Account Management.\n\nIf Active Directory will not be used, this requirement is not applicable.\n\nDetermine if the system is configured for Active Directory (AD).\n\nEnter the command:\ncli% showauthparam\n\nIf the result returns an error, or these fields of the output are not configured, this is a finding.\nldap-server              <ip address of AD server>\nldap-server-hn      <host name of AD server>\n\nIf the resulting parameters include the group parameters\ngroups-dn\ngroup-obj\ngroup-name-attr\nthis requirement is not applicable.\n\nNext, verify that the AD authentication is operational by entering the command:\ncli%  checkpassword  <username>\nEnter the password for <username>\n\nIf the username and password used in checkpassword are known to be valid AD credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding:\n\nuser <username>   is authenticated and authorized\n\nNote: checkpassword will fail even if AD is properly configured, if the username and password are not entered correctly.","fixText":"Use this series of commands to configure AD:\n\ncli% setauthparam -f ldap-type MSAD\ncli%  setauthparam -f ldap-server        <AD server IP address>\ncli% setauthparam -f binding            simple\ncli% setauthparam -f ldap-StartTLS      require\ncli% setauthparam -f kerberos-realm    <kerberos realm, such as  WIN2K12FOREST.THISDOMAIN.COM>\ncli% setauthparam -f ldap-server-hn     <fully qualified domain name of AD server, such as adserver.thisdomain.com>\ncli% setauthparam -f accounts-dn        
CN=Users,DC=win2k12forest,DC=thisdomain,DC=com\ncli% setauthparam -f user-dn-base       CN=Users,DC=win2k12forest,DC=thisdomain,DC=com\ncli% setauthparam -f user-attr          WIN2K12FOREST\\\\\ncli% setauthparam -f account-obj        user\ncli% setauthparam -f account-name-attr  sAMAccountName\ncli% setauthparam -f memberof-attr      memberOf\ncli% setauthparam -f browse-map         \"CN=<customer-assigned name of browse role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com\"\ncli% setauthparam -f edit-map           \"CN=<customer-assigned name of edit role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com\"\ncli% setauthparam -f service-map        \"CN=<customer-assigned name of service role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com\"\ncli% setauthparam -f super-map          \"CN=<customer-assigned name of super role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com\"","ccis":["CCI-000015","CCI-000135","CCI-000764"]},{"vulnId":"V-255289","ruleId":"SV-255289r958868_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS syslog-sec-client must be configured to perform mutual TLS authentication using a CA-signed client certificate.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. 
There is no default set of CA certificates included in the product.","checkContent":"Check with the Information Owner to verify if Mutual Authentication is required by the syslog server.\n\nIf mutual TLS authentication is not required, this requirement is not applicable.\n\nCheck that a signed client certificate and CA certificate have been imported for the syslog-sec-client service:\n\ncli% showcert -service syslog-sec-client\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Check with the Information Owner to verify that TLS mutual authentication is required by the remote syslog server.\n\nIf TLS mutual authentication is not required, this requirement is not applicable.\n\nCreate a CSR to be signed by an appropriate CA:\n\ncli% createcert syslog-sec-client -csr -CN <common name> -SAN <DNS:somednsname or IP:someipaddress>\n\nCopy the output and give it to the CA for signing.\n\nInstall the root CA certificate bundle:\n\ncli% importcert syslog-sec-client -ca stdin\n\nCopy and paste the ca bundle contents as instructed.\n\nInstall the signed certificate from the ca:\n\ncli% importcert syslog-sec-client stdin\n\nCopy and paste the PEM format signed certificate contents as instructed.\n\nThe syslog-sec-client service will be restarted.","ccis":["CCI-002470"]},{"vulnId":"V-255290","ruleId":"SV-255290r958478_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential Common Information Model services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. 
The Common Information Model services component must be configured for it to start. If it is not required by the mission, then it must be disabled.","checkContent":"Check with the Information Owner to verify if the mission objectives require CIM functionality.\n\nIf the mission requirements include CIM service capabilities, this requirement is not applicable.\n\nIf mission requirements do not include CIM, then verify the state of the CIM services capabilities on the array:\n\ncli% showcim\n\nIf the service state is not \"Disabled\", this is a finding.","fixText":"Verify with the Information Owner whether mission objectives require CIM functionality.\n\nIf CIM services functionality is not part of the mission requirements, stop and disable \"cimserver\":\n\ncli% stopcim -f\n\ncli%  setcim -f -http disable -https disable","ccis":["CCI-000381"]},{"vulnId":"V-255291","ruleId":"SV-255291r958408_rule","severity":"high","ruleTitle":"The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. 
The encryption strength of a mechanism is selected based on the security categorization of the information.\n\nThe Common Information Model (CIM) protocol, and its associated Service Location Protocol (SLP) represent an additional, optional, management protocol for monitoring and controlling some aspects of the Storage Array. These settings limit the server to communications using TLS1.2.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000096-GPOS-00050, SRG-OS-000112-GPOS-00057, SRG-OS-000074-GPOS-00042","checkContent":"If the mission does not require CIM functionality this requirement is not applicable.\n\nVerify if CIMserver is configured to run.\nUse the command:\n\"cli% showcim\"\n\nIf the Server column shows \"Disabled\", this is not applicable.\n\nIf the HTTP column shows \"Enabled\", this is a finding.\n\nIf the HTTPS column shows \"Disabled\", this is a finding.\n\nUse the command:\n\"cli% showcim -pol\" to display advanced configuration policies.\n\nIf the output contains \"no_tls_strict\", this is a finding.","fixText":"Verify if CIMserver is configured to run.\nUse the command:\n\"cli% showcim\"\n\nIf the Server column shows \"Disabled\", this is not applicable.\n\nTemporarily stop the server using the command: \"cli% stopcim -f\"\n\nDisable the HTTP listener, and enable the HTTPS listener, using the command: \ncli% setcim -http disable -https enable\n\nSet the TLS policy to utilize only TLS1.2 with the following command:\ncli% setcim -pol tls_strict\n\nRestart the CIMserver using the command:\ncli% startcim","ccis":["CCI-000068","CCI-000197","CCI-000382","CCI-001941"]},{"vulnId":"V-255292","ruleId":"SV-255292r971535_rule","severity":"high","ruleTitle":"The HPE 3PAR OS cimserver process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic 
module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nThe HPE 3PAR OS cimserver utilizes a vendor-affirmed FIPS module and operates OpenSSL in FIPS mode when configured as described. If the service is not enabled in FIPS mode, it is incorrectly configured.","checkContent":"If the mission does not require CIM functionality, this requirement is not applicable.\n\nVerify cim is configured:\ncli% showcim\n\nIf there is an error, this is a finding.\n\nIf the output indicates the service is \"Disabled\", the state is \"Inactive\", HTTP is \"Enabled\", or HTTPS is \"Disabled\", this is a finding.\n\nCheck the FIPS status:\ncli% controlsecurity fips status\n\nIf there is an error, or CIM shows as \"Disabled\", this is a finding.","fixText":"Stop the cimserver process:\ncli% stopcim -f\n\nReconfigure the cimserver to use only HTTPS on TLSV1.2:\ncli% setcim -f -http disable\ncli% setcim -f -https enable\ncli% setcim -f -pol tls_strict\n\nRestart the cimserver process:\ncli% startcim -f\n\nWait up to five minutes for CIM to start up and verify it is Enabled/Active:\ncli% showcim\n\nOnce CIM is active, verify FIPS mode:\ncli% controlsecurity fips status\n\nIf CIM is \"Disabled\", this is an error that requires a service escalation.","ccis":["CCI-000803"]},{"vulnId":"V-255293","ruleId":"SV-255293r958868_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with an External Key Manager.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. 
If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to  use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.","checkContent":"Check that a signed client certificate and CA certificate have been imported for the ekm-server service:\n\ncli% showcert -service ekm-server\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Install the root CA certificate used to sign the EKM server’s certificate:\n\ncli% importcert ekm-server -ca stdin\n\nCopy and paste the PEM format certificate contents as instructed.\n\nThe fipsvr process will be restarted.","ccis":["CCI-002470"]},{"vulnId":"V-255294","ruleId":"SV-255294r958478_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential VASA VVol services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The VASA VVol Provider service component must be configured for it to start. 
If it is not required by the mission, then it must be disabled.","checkContent":"Check with the Information Owner whether the mission objectives require VASA VVol functionality.\n\nIf the mission requirements include VASA VVol functionality, this requirement is not applicable.\n\nIf mission requirements do not include this functionality, verify the state of the VASA VVol services capabilities on the array:\n\ncli% showvasa\n\nIf the state is \"enabled\", this is a finding.","fixText":"Verify with the Information Owner whether VASA VVol functionality is required by the mission objectives.\n\nIf the mission requires VASA VVol functionality, this requirement is not applicable.\n\nIf VASA VVol services functionality is not required by the mission, stop the VASA provider:\n\ncli% stopvasa -f","ccis":["CCI-000381"]},{"vulnId":"V-255295","ruleId":"SV-255295r958408_rule","severity":"high","ruleTitle":"The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.\n\nThe WSAPI provides an optional REST interface for programmatic monitoring and control of the array operations and configuration. 
These configuration settings confine the server to using only TLS1.2.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000096-GPOS-00050, SRG-OS-000112-GPOS-00057, SRG-OS-000074-GPOS-00042","checkContent":"If the mission does not require WSAPI functionality, this requirement is not applicable.\n\nVerify if WSAPI is configured to run.\nUse the command:\ncli% showwsapi -d\n\nIf \"Service State\" shows \"Disabled\", this is not applicable.\n\nIf \"HTTP State\" shows \"Enabled\", this is a finding.\n\nIf \"HTTPS State\" shows \"Disabled\", this is a finding.\n\nIf \"Policy\" contains \"no_tls_strict\", this is a finding.","fixText":"Verify if WSAPI is configured to run. Use the command:\ncli% showwsapi -d\n\nIf \"Service State\" shows \"Disabled\", this is not applicable.\n\nTemporarily stop the WSAPI server with the command:\ncli% stopwsapi -f\n\nTo disable the HTTP listener, and enable the HTTPS listener, use the command:\ncli% setwsapi -http disable -https enable\n\nTo set the TLS policy to TLSv1.2 only, use the command:\ncli% setwsapi -pol tls_strict\n\nRestart the server with the following command:\ncli% startwsapi","ccis":["CCI-000068","CCI-000197","CCI-000382","CCI-001941"]},{"vulnId":"V-255296","ruleId":"SV-255296r971535_rule","severity":"high","ruleTitle":"The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nThe HPE 3PAR OS cimserver utilizes a vendor-affirmed FIPS module and operates OpenSSL in FIPS mode when configured as described. 
If the service is not enabled in FIPS mode, it is incorrectly configured.","checkContent":"If the mission does not require WSAPI functionality, this requirement is not applicable.\n\nVerify if WSAPI is configured to run.\nUse the command:\ncli% showwsapi -d\n\nIf \"Service State\" shows \"Disabled\", this is not applicable.\n\nIf \"HTTP State\" shows \"Enabled\", this is a finding.\n\nIf \"HTTPS State\" shows \"Disabled\", this is a finding.\n\nIf \"Policy\" contains \"no_tls_strict\", this is a finding.","fixText":"Stop the WSAPI process:\ncli% stopwsapi -f\n\nReconfigure the WSAPI to use only HTTPS on TLSV1.2:\ncli% setwsapi -f -http disable\ncli% setwsapi -f -https enable\ncli% setwsapi -f -pol tls_strict\n\nRestart the WSAPI process:\ncli% startwsapi -f\n\nWait up to five minutes for WSAPI to start up and verify it is Enabled/Active:\ncli% showwsapi\n\nOnce WSAPI is active, verify FIPS mode:\ncli% controlsecurity fips status\n\nIf WSAPI is \"Disabled\", this is an error that requires a service escalation.","ccis":["CCI-000803"]},{"vulnId":"V-255297","ruleId":"SV-255297r958868_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to perform mutual TLS authentication using a CA-signed client certificate when communicating with an External Key Manager.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. 
There is no default set of CA certificates included in the product.","checkContent":"Check with the Information Owner to verify if Mutual Authentication is required by the EKM server.\n\nIf mutual TLS authentication is not required, this requirement is not applicable.\n\nCheck that a signed client certificate and CA certificate have been imported for the ekm-client service:\n\ncli% showcert -service ekm-client\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Check with the Information Owner to verify that TLS mutual authentication is required by the EKM server.\n\nIf TLS mutual authentication is not required, this requirement is not applicable.\n\nCreate a CSR to be signed by an appropriate CA:\n\ncli% createcert ekm-client -csr -CN <common name> -SAN <DNS:somednsname or IP:someipaddress>\n\nCopy the output and give it to the CA for signing.\n\nInstall the root CA certificate bundle:\n\ncli% importcert ekm-client -ca stdin\n\nCopy and paste the ca bundle contents as instructed.\n\nInstall the signed certificate from the ca:\ncli% importcert ekm-client stdin\nCopy and paste the PEM format signed certificate contents as instructed.\n\nThe fipsvr process will be restarted.","ccis":["CCI-002470"]},{"vulnId":"V-255298","ruleId":"SV-255298r958478_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential Remote Copy services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The Remote Copy services component must be configured for it to start. 
If it is not required by the mission, then it must be disabled.","checkContent":"Verify with the Information Owner that the mission objectives exclude Remote Copy functionality.\n\nIf Remote Copy is required by the mission, this requirement is not applicable.\n\nIf Remote Copy is not required by the mission, verify the state of RC functionality: \n\ncli% showrcopy\n\nIf the output is an error and indicates the system is not licensed for Remote Copy, this is not a finding.\n\nIf the output indicates \"Remote Copy is not configured for this system\", this is not a finding.\n\nIf the output indicates any other status, this is a finding.","fixText":"Verify with the Information Owner that the mission objectives do not require remote copy.\n\nIf Remote Copy is not required by the mission, forcibly stop the functionality, and clear the configuration:\n\ncli% stoprcopy -f -clear","ccis":["CCI-000381"]},{"vulnId":"V-255299","ruleId":"SV-255299r958868_rule","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with a centralized account management server.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. 
There is no default set of CA certificates included in the product.","checkContent":"Check that a signed client certificate and CA certificate have been imported for the ldap service:\n\ncli% showcert -service ldap\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Install the root CA certificate used to sign the LDAP server’s certificate:\n\ncli% importcert ldap -ca stdin\n\nCopy and paste the PEM format certificate contents as instructed.\n\nThe fipsvr process will be restarted.","ccis":["CCI-002470"]}]}