{"stig":{"title":"HPE Nimble Storage Array NDM Security Technical Implementation Guide","version":"2","release":"1"},"checks":[{"vulnId":"V-252186","ruleId":"SV-252186r960741_rule","severity":"medium","ruleTitle":"The HPE Nimble must initiate a session lock after a 15-minute period of inactivity.","description":"A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator reauthenticates. No other system activity aside from reauthentication must unlock the management session.\n\nNote that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. So this requirement may only apply to local administrative sessions.","checkContent":"Type \"group --info | grep inactivity\" and review the timeout value. If it is greater than 15 minutes, this is a finding.","fixText":"Type \"group --edit --inactivity_timeout 15\".","ccis":["CCI-000057"]},{"vulnId":"V-252187","ruleId":"SV-252187r960840_rule","severity":"medium","ruleTitle":"The HPE Nimble must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Number of authentication attempts\". 
If the value is 2 or less, this is not a finding.","fixText":"Type \"userpolicy --edit --allowed_attempts 2\".","ccis":["CCI-000044"]},{"vulnId":"V-252188","ruleId":"SV-252188r960843_rule","severity":"medium","ruleTitle":"The HPE Nimble must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.","description":"Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.","checkContent":"Attempt a login to NimOS by typing \"ssh username@array\", where username is a valid user, and array is an array DNS name. If the correct DoD banner is not displayed before a password prompt, this is a finding.","fixText":"Type \"group --edit --login_banner\", and then copy-paste or type the required banner. Then, to display the banner before login, type \"group --edit --login_banner_after_auth no\".","ccis":["CCI-000048"]},{"vulnId":"V-252190","ruleId":"SV-252190r997770_rule","severity":"medium","ruleTitle":"The HPE Nimble must enforce a minimum 15-character password length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Minimum Length\".\n\nIf it is 15 or more, this is not a finding.","fixText":"Set minimum password length to 15 by typing \"userpolicy --edit --min_length 15\".","ccis":["CCI-004066"]},{"vulnId":"V-252191","ruleId":"SV-252191r997772_rule","severity":"medium","ruleTitle":"The HPE Nimble must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Minimum Uppercase characters\".\n\nIf it is 1 or more, this is not a finding.","fixText":"Set minimum number of uppercase characters to 1 by typing \"userpolicy --edit --upper 1\".","ccis":["CCI-004066"]},{"vulnId":"V-252192","ruleId":"SV-252192r997774_rule","severity":"medium","ruleTitle":"The HPE Nimble must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Minimum Lowercase characters\".\n\nIf it is 1 or more, this is not a finding.","fixText":"Set minimum number of lowercase characters to 1 by typing \"userpolicy --edit --lower 1\".","ccis":["CCI-004066"]},{"vulnId":"V-252193","ruleId":"SV-252193r997775_rule","severity":"medium","ruleTitle":"The HPE Nimble must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. 
Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Minimum Digits\". If it is 1 or more, this is not a finding.","fixText":"Set minimum number of numeric characters to 1 by typing \"userpolicy --edit --digit 1\".","ccis":["CCI-004066"]},{"vulnId":"V-252194","ruleId":"SV-252194r997777_rule","severity":"medium","ruleTitle":"The HPE Nimble must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Minimum Special characters\". 
\n\nIf it is 1 or more, this is not a finding.","fixText":"Set minimum number of special characters to 1 by typing \"userpolicy --edit --special 1\".","ccis":["CCI-004066"]},{"vulnId":"V-252195","ruleId":"SV-252195r997779_rule","severity":"medium","ruleTitle":"The HPE Nimble must require that when a password is changed, the characters are changed in at least eight of the positions within the password.","description":"If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.","checkContent":"Type \"userpolicy --info\" and review output for line: \"Minimum number of characters change from previous password\". 
\n\nIf it is 8 or more, this is not a finding.","fixText":"Set minimum number of characters changed from previous password to 8 by typing \"userpolicy --edit --previous_diff 8\".","ccis":["CCI-004066"]},{"vulnId":"V-252196","ruleId":"SV-252196r961068_rule","severity":"high","ruleTitle":"The HPE Nimble must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.","checkContent":"Type \"group --info | grep inactivity\" and review the timeout value. If it is greater than 10 minutes, this is a finding.","fixText":"To set the inactivity timeout to 10 minutes, type \"group --edit --inactivity_timeout 10\".","ccis":["CCI-001133"]},{"vulnId":"V-252197","ruleId":"SV-252197r997780_rule","severity":"high","ruleTitle":"The HPE Nimble must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.","description":"Centralized management of authentication settings increases the security of remote and nonlocal access methods. 
This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators with multiple authenticators for each network device.","checkContent":"Run the command \"userauth --list\". \n\nIf the output is \"No domains configured\", this is a finding.","fixText":"To configure AD, run the following commands: \n\n\"userauth --join <domain> --domain_user administrator\" and enter the domain administrator password to join <domain>. \n\n\"userauth --list\" will show the domain and its status. \n\nTo create a mapping between an AD group and one of the four device RBAC roles, run the following command: \n\n\"userauth --add_group <domain_group> --domain <domain> --role {administrator|poweruser|operator|guest}\"\n\nThis command allows any member of <domain_group> in the <domain> AD domain to log in to the device with the selected role. \n\nTo display the group to role mappings, run \"userauth --list_group --domain <domain>\".","ccis":["CCI-000366","CCI-000370"]},{"vulnId":"V-252198","ruleId":"SV-252198r1001013_rule","severity":"medium","ruleTitle":"The HPE Nimble must obtain its public key certificates from an appropriate certificate policy through an approved service provider.","description":"For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority (CA) will suffice.","checkContent":"Type \"cert --list\". 
Review the output to confirm that the custom-ca and custom certificates exist, and the \"Use\" values specified for HTTPS and APIS are both \"custom\". If not, this is a finding.","fixText":"To create and import a custom, CA-signed certificate, follow these steps:\n\n1. Type \"cert --gen custom-csr\". Copy the displayed CSR and submit it to an appropriate signing authority.\n2. Type \"cert --import custom-ca\" and paste the PEM-encoded CA certificate chain as input to the command.\n3. Type \"cert --import custom\" and paste the signed certificate obtained from the CA.","ccis":["CCI-000366","CCI-001159","CCI-004068"]},{"vulnId":"V-252199","ruleId":"SV-252199r961863_rule","severity":"high","ruleTitle":"The HPE Nimble must forward critical alerts (at a minimum) to the system administrators and the ISSO.","description":"Alerts are essential to let the system administrators and security personnel know immediately of issues which may impact the system or users. If these alerts are also sent to the syslog, this information is used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.\n\nAlerts are identifiers about specific actions that occur on a group of arrays.\n\nThere are several ways to meet this requirement. The Nimble can be configured to forward alerts from groups to a secure Simple Mail Transfer Protocol (SMTP) server. The alert may also be sent to the syslog server and the syslog configured to send the alert to the appropriate personnel.","checkContent":"Type \"group --info | grep -i syslog\" and review the output lines. The \"Syslogd enabled\" value should be \"Yes\", and the \"Syslogd server\" and \"Syslogd port\" values should contain the correct syslog server and port values. 
If not, this is a finding.","fixText":"Configure email alerts (optional):\ngroup --edit [--smtp_server smtp server] [--smtp_port smtp port] [--smtp_auth {yes | no}] [--smtp_username username]\n--smtp_encrypt_type ssl [--smtp_from_addr email addr] [--smtp_to_addr email addr]\n[--send_event_data {yes | no}] [--alert_level {info | warning | critical}]\n\nTo specify and enable logging of alerts, type \"group --edit --syslog_enabled yes --syslog_server <server> --syslog_port <port>\", where <server> is the syslog server DNS name or IP address and <port> is the port to send syslog messages to.","ccis":["CCI-002605"]},{"vulnId":"V-252200","ruleId":"SV-252200r961863_rule","severity":"high","ruleTitle":"The HPE Nimble must be running an operating system release that is currently supported by the vendor.","description":"Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.","checkContent":"Log in to https://infosight.hpe.com using HPE Passport credentials.\n\nClick on the Main Menu icon in the upper left corner. Select Resources >> Alletra 6000, Nimble Storage >> Documentation.\n\nDetermine the current array OS version using the User Interface (UI).\n\nRefer to Nimble \"GUI Administration Guide\" Version: NOS 5.2.x, section \"Hardware and Software Updates\", subsection \"Find the Array OS Version\" to determine the version of the OS that is currently in use by the array.\n\nDetermine available array OS update versions using InfoSight.\n\n*Any version of Nimble OS software greater than the \"current array OS version\" might qualify to be an update to the \"current array OS version\". 
The option exists to bypass several releases to come up to the newest available release depending upon requirements.\n\n*Call HPE Support with any questions about choosing an appropriate release or the process to upgrade a release.\n\n- Follow the above instructions to log in to HPE InfoSight.\n- Choose a \"Software Version\" from the left panel equal to or greater than the current array OS version. For example, 5.2.x would be equal to the current version and 5.3.x would be greater than the current version.\n- Open the Release Notes document for each version that is greater than the current array OS version. For example, \"NimbleOS Release Notes Version NOS 5.2.1.700\" is greater than NOS 5.2.1.600.\n- Review the entire release notes document.\n- Determine if this release should be used for an upgrade.\n- Confirm that the \"From Version\", for example 5.2.1.600, can be used to go to the version for which the release notes are applicable; for example 5.2.1.700.\n\nIf the operating system version is no longer supported by the vendor, this is a finding.","fixText":"To upgrade to a supported version, type \"software --list\". \n\nSelect the last version listed that is at least 5.2.x.\n\nType \"software --download <version>\", where <version> is the version selected. \n\nAfter the download is complete, type \"software --update\" and accept the terms and conditions.\n\nThe update progress can be monitored using \"software --update_status\". Once finished, use \"version\" to verify that the new software has been installed correctly.","ccis":["CCI-000366"]},{"vulnId":"V-252201","ruleId":"SV-252201r960735_rule","severity":"medium","ruleTitle":"The HPE Nimble must limit the number of concurrent sessions to an organization-defined number for each administrator account.","description":"Device management includes the ability to control the number of administrators and management sessions that manage a device. 
Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.\n\nThe product contains the ability to limit the number of total sessions, but not by individual user or user type.","checkContent":"Verify that on the Administration >> Security Policies page in the UI, \"Unlimited\" for the number of sessions is unchecked and a limit is specified.\n\nIf a limit is not specified, this is a finding.","fixText":"On the Administration >> Security Policies page in the UI, uncheck \"Unlimited\" for the number of sessions and specify a new limit.","ccis":["CCI-000054"]},{"vulnId":"V-252202","ruleId":"SV-252202r1001011_rule","severity":"medium","ruleTitle":"The HPE Nimble must be configured to synchronize internal information system clocks using an authoritative time source.","description":"The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. \n\nMultiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. 
This requirement is related to the comparison done in CCI-001891.\n\nDOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.","checkContent":"To determine if the HPE Nimble Array is configured to synchronize internal information system clocks with the primary NTP server, run \"ntpq\" and query \"sysinfo\":\n \nArrayA:/# ntpq\nntpq> sysinfo\nassocid=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\nsystem peer: cxo-nmbldc-01.nimblestorage.com:123\nsystem peer mode: client\nleap indicator: 00\nstratum: 4\nlog2 precision: -24\nroot delay: 37.321\nroot dispersion: 265.639\nreference ID: 10.157.24.95\nreference time: e509b178.9f897118 Thu, Oct 7 2021 11:48:40.623\nsystem jitter: 0.000000\nclock jitter: 0.673\nclock wander: 0.003\nbroadcast delay: -50.000\nsymm. auth. 
delay: 0.000\n\nIf the HPE Storage Array is not configured to synchronize internal information system clocks with primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.","fixText":"Configure the HPE Nimble Array to synchronize internal information system clocks with the primary time source:\n \nArrayA:/# group --edit --ntpserver <ip_address_of_ntp_server>\n  \nNote that this would still be a finding, because the array supports only a primary NTP source.","ccis":["CCI-000366","CCI-004928","CCI-004922"]},{"vulnId":"V-252203","ruleId":"SV-252203r961860_rule","severity":"medium","ruleTitle":"The HPE Nimble must configure a syslog server onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nUDP is used to communicate between the array group and the syslog server (SSL is not supported at this time). This is an issue because DoD requires the use of TCP. One syslog message is generated for each alert and audit log message. Alert severity types include INFO, WARN, and ERROR.","checkContent":"Type \"group --info | grep -i syslog\" and review the output lines. The \"Syslogd enabled\" value should be \"Yes\", and the \"Syslogd server\" and \"Syslogd port\" values should contain the correct syslog server and port values. 
If not, this is a finding.","fixText":"To specify and enable logging of alerts, type \"group --edit --syslog_enabled yes --syslog_server <server> --syslog_port <port>\", where <server> is the syslog server DNS name or IP address and <port> is the port to send syslog messages to.","ccis":["CCI-001851"]},{"vulnId":"V-252902","ruleId":"SV-252902r960966_rule","severity":"medium","ruleTitle":"HPE Nimble must be configured to disable HPE InfoSight.","description":"DoD requires that the Mission Owner uses only the cloud services offering listed in either the FedRAMP or DISA PA DoD Cloud Catalog to host Unclassified, public-releasable, DoD information.\n\nHPE InfoSight data collection is disabled by default in the HPE Nimble. Users must not enable it.","checkContent":"Navigate to the Administration >> Alerts and Monitoring page of the storage array management interface. Verify the HPE InfoSight checkbox is not checked.\n\nIf HPE InfoSight is enabled, this is a finding.","fixText":"In HPE Nimble Storage arrays, data collection is disabled by default.\n\nNavigate to the Administration >> Alerts and Monitoring page of the storage array management interface. \n\nUncheck the HPE InfoSight checkbox.","ccis":["CCI-000382"]},{"vulnId":"V-259800","ruleId":"SV-259800r960966_rule","severity":"medium","ruleTitle":"HPE Nimble must not be configured to use \"HPE Greenlake: Data Services Cloud Console\".","description":"DOD requires that the Mission Owner uses only the cloud services offering listed in either the FedRAMP or DISA PA DOD Cloud Catalog to host Unclassified, public-releasable, DOD information. Management by \"HPE Greenlake: Data Services Cloud Console\" is disabled by default for HPE Nimble and must not be enabled.","checkContent":"Ensure the cloud console is disabled.\nType \"group --info | grep -i 'cloud enabled'\". 
\n\nIf the response is \"cloud enabled: Yes\", this is a finding.","fixText":"Disable the cloud console.\nNavigate to Administration >> Customization >> Data Services Cloud Console.\n\nUncheck \"Connect to Data Services Cloud Console\".","ccis":["CCI-000382"]},{"vulnId":"V-259801","ruleId":"SV-259801r960966_rule","severity":"medium","ruleTitle":"HPE Alletra 5000/6000 must be configured to disable management by \"HPE Greenlake: Data Services Cloud Console\".","description":"DOD requires that the Mission Owner uses only the cloud services offering listed in either the FedRAMP or DISA PA DOD Cloud Catalog to host Unclassified, public-releasable, DOD information. Management by \"HPE Greenlake: Data Services Cloud Console\" is enabled by default for HPE Alletra and must be disabled.","checkContent":"Verify the cloud console is disabled.\nType \"group --info | grep -i 'cloud enabled'\". \n\nIf the response is \"cloud enabled: Yes\", this is a finding.","fixText":"Disable the Alletra cloud console.\nType \"group --edit --cloud_management off\".\n\nIf the response is as follows, contact your HPE sales account team to request approval:\n\n\"ERROR: Failed to change system configuration. Updating cloud management is not permitted.\"","ccis":["CCI-000382"]}]}