STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

V-283425

CAT I (High)

The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Rule ID

SV-283425r1194969_rule

STIG

HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000370, CCI-001941, CCI-000187, CCI-000764, CCI-000166

Discussion

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control provides particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators managing multiple authenticators, one for each network device.

Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000156-NDM-000250, SRG-APP-000177-NDM-000263

Check Content

Determine if the system is configured to use a primary and secondary authentication server with the following command:

cli% showauthparam
ldap-type            MSAD
accounts-dn          <accounts dn configuration>
super-map            <super-map configuration>
edit-map             <edit-map configuration>
browse-map           <browse-map configuration>
service-map          <service-map configuration>
ldap-StartTLS        require
kerberos-realm       <Kerberos-realm configuration>
ldap-2FA-cert-field  subjectAlt:rfc822Name
ldap-2FA-object-attr mail
ldap-server          <server hostname>
ldap-server          <server hostname>
ldap-ssl-cacert:
-----BEGIN CERTIFICATE-----

If the command output does not list authparams for ldap-type, kerberos-realm, accounts-dn, ldap-ssl-cacert, and at least one role map (e.g., super-map), this is a finding. 

If there are not two ldap-server lines, this is a finding.

If ldap-StartTLS is not set to require, this is a finding.

If the ldap-reqcert authparam is not set to "1", this is a finding.
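As an added example (not part of the STIG text or HPE's tooling), the following Python script applies all four check conditions above to a captured showauthparam transcript, so the check can be repeated consistently across many arrays. The sample transcripts, hostnames, realm and certificate body are constructed placeholders.

```python
# Added example: evaluate a captured `showauthparam` transcript against V-283425.
# Sample output below is constructed; it is not taken from a real device.
ROLE_MAPS = ("super-map", "edit-map", "browse-map", "service-map")
REQUIRED = ("ldap-type", "kerberos-realm", "accounts-dn", "ldap-ssl-cacert")
SAMPLE_COMPLIANT = """cli% showauthparam
ldap-type            MSAD
accounts-dn          CN=Users,DC=example,DC=test
super-map            StorageAdmins
ldap-StartTLS        require
kerberos-realm       EXAMPLE.TEST
ldap-reqcert         1
ldap-server          ldap1.example.test
ldap-server          ldap2.example.test
ldap-ssl-cacert:
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholderbody==
-----END CERTIFICATE-----
"""

# Same array with one server, no StartTLS enforcement and no ldap-reqcert (constructed).
SAMPLE_FINDING = "\n".join(l for l in SAMPLE_COMPLIANT.splitlines()
                           if "ldap2" not in l and "StartTLS" not in l
                           and "reqcert" not in l)


def parse_authparams(output: str) -> dict:
    """Map each authparam name to its values; repeated keys (ldap-server) accumulate."""
    params: dict = {}
    for line in output.splitlines():
        if line.startswith("ldap-ssl-cacert"):      # presence is all the check needs
            params.setdefault("ldap-ssl-cacert", []).append("present")
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith(("cli%", "-----")):  # skip prompt/PEM/base64
            continue
        params.setdefault(parts[0], []).append(parts[1].strip())
    return params


def findings(output: str) -> list:
    """Return the finding reasons for one transcript; an empty list means compliant."""
    p = parse_authparams(output)
    out = [f"authparam {k} not listed" for k in REQUIRED if k not in p]
    if not any(m in p for m in ROLE_MAPS):
        out.append("no role map configured (e.g., super-map)")
    if len(p.get("ldap-server", [])) < 2:
        out.append("fewer than two ldap-server lines")
    if p.get("ldap-StartTLS") != ["require"]:
        out.append("ldap-StartTLS not set to require")
    if p.get("ldap-reqcert") != ["1"]:
        out.append("ldap-reqcert not set to 1")
    return out
```

Run findings() on the text pasted from a real session; a non-empty list is the finding justification for that array.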

Fix Text

Use the following commands to configure the primary and secondary authentication servers.

cli% setauthparam -f ldap-type <type>
where <type> is MSAD, RHDS or OPEN.
cli% setauthparam ldap-server <primary hostname> <secondary hostname>
cli% setauthparam -f accounts-dn <base of the ad subtree, such as CN=Users,DC=win2k12forest,DC=thisdomain,DC=com>
cli% setauthparam -f kerberos-realm <Kerberos-realm configuration>
cli% setauthparam -f ldap-reqcert 1

Set up a role map, such as the super role:
cli% setauthparam -f super-map <customer-assigned name of "super" group>

Enable TLS with:
cli% setauthparam -f ldap-StartTLS require
or
cli% setauthparam -f ldap-ssl 1

Import a TLS certificate:
cli% importcert ldap -f stdin