13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide"}],false,["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"May 30, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"HPE_3PAR_StoreServ_3.3.x_STIG","children":"HPE_3PAR_StoreServ_3.3.x_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":30}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",7]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",23]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=HPE%203PAR%20StoreServ%203.3.x%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=HPE%203PAR%20StoreServ%203.3.x%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=HPE%203PAR%20StoreServ%203.3.x%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPE_3PAR_StoreServ_OS_Y24M07_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1e",null,{"checks":[{"id":"7209b745-9b79-45ad-875b-942c733d4f48","vulnId":"V-255270","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential web-services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The web-services component must be configured for it to start. If it is not required by the mission, then it must be disabled.","checkContent":"Verify the state of the Optional capabilities on the array.\n\ncli% showwsapi\n\nIf the service state is not \"Disabled\", and the web-services functionality is not being used, this is a finding.\n\nIf web services functionality is required, this is not applicable.","fixText":"If web services functionality is not required, stop and disable web-services:\n\ncli% stopwsapi -f"},{"id":"018bf408-716e-4444-a12d-1c24d510893c","vulnId":"V-255271","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to terminate all network connections associated with a communications session at the end of the session, or after 10 minutes of inactivity.","description":"$1f","checkContent":"Verify the current SessionTimeout setting:\n\ncli% showsys -param\n\nFind the line in the output for SessionTimeout, if the value is not \"00:10:00\", this is a finding.","fixText":"Set the SessionTimeout value to 10 minutes:\n\ncli% setsys SessionTimeout 10m"},{"id":"4cfcae39-084c-4647-beb9-ba84b5a8f754","vulnId":"V-255272","severity":"high","ruleTitle":"The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.","description":"$20","checkContent":"Verify that insecure ports are disabled.\n\ncli% setnet disableports yes\n\nTo confirm the operation, enter\n\"cli% y\"\nand press \"Enter\".\n\nIf an error is reported, this is a finding.\n\nIf available, a port scan can also verify that only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command:\ncli% nmap -sT -sU -sV --version-all -vv -p1 -65535 \n\nIf any Port is listed other than SSHD(22), NTP(123), SNMP(161,162), 3PAR Mgmt Intfc (5783), CIM (5989/configurable), or WSAPI (8088/configurable), this is a finding.","fixText":"To disable all unencrypted ports, use the command:\n\ncli% setnet disableports yes\n\nTo confirm the operation, enter\n\"cli% y\"\nand press \"Enter\"."},{"id":"7da8b7d4-f5c1-4d1a-817c-046dc3ef5551","vulnId":"V-255273","severity":"high","ruleTitle":"The HPE 3PAR OS must be configured to initialize its FIPS module to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.","checkContent":"Verify the status of FIPS operation mode:\n\ncli% controlsecurity fips status\n\nIf the output indicates FIPS mode is disabled, this is a finding.\n\nIf the output shows CIM is disabled, and CIM is an essential service for the mission, this is a finding.\n\nIf the output shows VASA is disabled, and VASA is an essential service for the mission, this is a finding.\n\nIf the output shows WSAPI is disabled, and WSAPI is an essential service for the mission, this is a finding.\n\nIf the output shows any other service status as Disabled, this is a finding.","fixText":"To initialize the FIPS module use:\n\ncli% controlsecurity fips enable\n\nWarning: Enabling FIPS mode requires restarting all system management interfaces, which will terminate ALL existing connections including this one.\nWhen that happens, you must reconnect to continue.\nContinue enabling FIPS mode (yes/no)?\nyes\n\nAfter reconnecting, verify FIPS mode with:\ncli% controlsecurity fips status"},{"id":"e2aa79dc-368e-4414-b2e7-6a4f5ac034ed","vulnId":"V-255274","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to implement cryptographic mechanisms to prevent the unauthorized modification or disclosure of all information at rest on all operating system components.","description":"Operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nThe HPE 3PAR OS protects data at rest through the use of Self-Encrypting Drives, and a licensed feature that takes ownership of them. The feature requires an authorized installer to install and activate it.\n\nSatisfies: SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184","checkContent":"Review the requirements by the Information Owner to discover whether the system stores sensitive or classified information.\n\nIf the system does not store sensitive or classified information, this requirement is not applicable.\n\nIf the system does store sensitive or classified information, use the following command to display the state of encryption:\n\ncli% controlencryption status\n\nIf Licensed, Enabled, or BackupSaved is not \"Yes\", or Keystore is not \"EKM\", this is a finding.","fixText":"Contact an authorized service partner to install and configure the encryption license feature."},{"id":"ef790683-3922-4ca0-b52c-cfaed9954ef5","vulnId":"V-255275","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to send SNMP alerts to alert in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nThe HPE 3PAR OS will send an SNMP trap event on any failure of audit components (failure to write a record, failure to send to remote syslog server, etc.). All of these conditions are automatically recovered Q20 in the short term. Configuration of the SNMP consumer is required to facilitate collection of these events.","checkContent":"Verify an SNMPv3 user account is configured:\ncli% showsnmpuser\n\nUsername | AuthProtocol | PrivProtocol\n3parsnmpuser | HMAC SHA 96 | CFB128 AES 128\n\nIf the output is not displayed in the above format, this is a finding.\n\nIdentify the SNMP trap recipient and report SNMP configuration:\n\ncli% showsnmpmgr\n\n HostIP | Port | SNMPVersion | User\n | 162 | 3 | 3parsnmpuser\n\nIf the SNMP trap recipient IP address is incorrect, this is a finding.\n\nIf the SNMP port is not \"162\", this is a finding.\n\nIf the SNMP version is not \"3\", this is a finding.\n\nIf the SNMP user ID is incorrect, this is a finding.\n\nGenerate a test trap:\ncli% checksnmp\n\nTrap sent to the following managers:\n< IP address of trap recipient>\n\nIf the response does not indicate a trap was successfully sent, this is a finding.","fixText":"To configure SNMPv3 alert notifications, use this sequence of operations.\n\nCreate and enable an SNMPv3 user, and create associated keys for authentication and privacy:\ncli% createuser 3parsnmpuser all browse\nEnter the password and confirm\n\ncli% createsnmpuser 3parsnmpuser\nat the prompt, enter the password\nat the next prompt, re-enter the password.\n\nAdd the IP address of the SNMPv3 trap recipient, where permissions of the account are used:\ncli% addsnmpmgr -version 3 -snmpuser 3parsnmpuser "},{"id":"faad95ba-9791-4f38-becb-b131e1072723","vulnId":"V-255276","severity":"medium","ruleTitle":"The HPE 3PAR OS must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.","description":"$21","checkContent":"Verify that an SNMPV3 user account is configured:\n\ncli% showsnmpuser\n\nUsername | AuthProtocol | PrivProtocol\n | HMAC SHA 96 | CFB128 AES 128\n\nIf the output is not in the above format, this is a finding.\n\nVerify the SNMP trap recipient and SNMP configuration:\n\ncli% showsnmpmgr\n\nIf the HostIP identified is not correct, this is a finding.\n\nIf the port is not 162, this is a finding.\n\nIf the version is not 3, this is a finding.\n\nIf the username does not match the user from above, this is a finding.\n\nSend a test trap and verify it is received:\n\ncli% checksnmp\n\nIf the response does not indicate a trap was successfully sent, this is a finding.","fixText":"Configure SNMPV3 notifications.\n\nCreate an SNMPV3 user, and create associated keys for authentication and privacy.\n\ncli% createsnmpuser \nwhere \"\" is the desired username, and then enter a password at the prompts.\n\nAdd the SNMP trap recipient and the user just created.\n\ncli% addsnmpmgr -version 3 -snmpuser \nwhere \"\" is the user created above, and \"\" is the address of the SNMPV3 trap recipient.\n\nGenerate a test trap:\ncli% checksnmp\n\nVerify that a trap was received by the manager specified."},{"id":"1afa6da7-9bb1-409b-877d-3aebafeff605","vulnId":"V-255277","severity":"medium","ruleTitle":"The HPE 3PAR OS must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\nThe HPE 3PAR OS maintains an internal synchronization of node clocks, and aligns that with an NTP client always running on the network owner node when configured as shown.","checkContent":"Verify NTP is operational:\ncli% shownet\n\nIf any of the NTP Server lines in the output show an incorrect NTP Server address, this is a finding.\n\nIf only one NTP Server line is present, and it indicates \"None\" for the address, this is a finding.","fixText":"Enable NTP with:\n\ncli% setnet ntp -add \n\nThis command can be used multiple times to specify multiple NTP Servers."},{"id":"0fcb5c83-d8b6-483b-99f7-c778c6fe4db8","vulnId":"V-255278","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured for centralized account management functions via LDAP.","description":"$22","checkContent":"$23","fixText":"$24"},{"id":"f5890e77-1789-4153-89c1-3beb97044af3","vulnId":"V-255279","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to have only one emergency account that can be accessed without LDAP and that has full administrator privileges.","description":"$25","checkContent":"Verify that only essential local accounts are configured.\ncli% showuser\n\nIf the output shows users other than the three accounts below, this is a finding.\n--3paradm (or some other customer chosen account with \"super\" role)\n--3parsnmpuser\n--3parsvc","fixText":"Display users\ncli% showuser\n\nRemove all accounts except:\n--3paradm (or other customer-created \"super\" role account)\n--3parsnmpuser\n--3parsvc\n\nUse the command:\ncli% removeuser \nand confirm the operation with \"y\"."},{"id":"875b1de5-571c-4b8e-8252-eabb96f71242","vulnId":"V-255280","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nThe HPE 3PAR OS can be configured to have 15 characters (or more) for minimum password length. This setting affects local user accounts only, and only has an impact when a password is changed.\n\nPassword length for externally managed users is enforced by the external identity management system (LDAP/AD). This is a dependency on HP3P-33-001500/HP3P-33-101500. The HPE 3PAR OS does not supply an interface for modification of passwords maintained by external identity management systems.","checkContent":"Verify that the minimum password length is 15 characters:\n\ncli% showsys -d\n\nVerify that the line containing the string \"Minimum PW length\" shows \"15\" for the length. If it is not, this is a finding.","fixText":"Configure the minimum password length for a value of \"15\":\n\ncli% setpassword -minlen 15\n\nNote: The user must have super-admin privileges to perform this action."},{"id":"0096e56e-8d88-4eea-a310-4208c6da27f3","vulnId":"V-255281","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.","description":"$26","checkContent":"$27","fixText":"$28"},{"id":"07663abf-cecd-40bc-bd21-a2c14d830655","vulnId":"V-255282","severity":"medium","ruleTitle":"The HPE 3PAR operating system must be configured to allocate audit record storage capacity to store at least one week of audit records, even though all audit records are immediately sent to a centralized audit record storage system (SIEM).","description":"To ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the operating system.","checkContent":"To verify the logging capacity is set to the maximum value of \"4\", enter the following command:\ncli% showsys -param\n\nIn the resulting list of configured parameters and values, if the following line does not appear, this is a finding.\ncli% EventLogSize : 4M","fixText":"Enter the following command to configure the audit logging capacity for the maximum storage value:\ncli% setsys EventLogSize 4M"},{"id":"c8a412e4-14fe-46a5-8582-81c420789f0c","vulnId":"V-255283","severity":"medium","ruleTitle":"The HPE 3PAR OS must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.","checkContent":"To verify the time zone is configured, enter:\n\ncli% showdate\n\nIf the time zone field is not configured, this is a finding.","fixText":"Configure the time zone by first identifying the time zone indicator:\n\ncli% setdate -tzlist\n\nThen configure the timezone with:\n\ncli% setdate -tz \n\nIf UTC is to be used, complete the operation with:\n\ncli% setdate -tz Etc/UTC\n\nVerify the timezone is set with:\ncli% showdate"},{"id":"0672cbbe-0a71-45b9-910d-93ac7773e2fc","vulnId":"V-255284","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to offload audit records onto a different system or media from the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOffloading is a common process in information systems with limited audit storage capacity.\n\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224","checkContent":"Verify offloading of security syslog events with \n\ncli% showsys -d\n\nFind the output section \"Remote Syslog Status\".\n\nIf \"Active\" is not \"1\", this is a finding.\n\nIf \"Security Server\" is not defined, this is a finding.\n\nIf \"Security Connection\" is not \"TLS\", this is a finding.","fixText":"Configure the remote syslog host:\n\ncli% setsys RemoteSyslogSecurityHost

[:port]\n\nThe hostname, and address are both required. If both IPv4 and IPv6 addresses are supplied, the IPv6 address must be enclosed in []. The default port is 6514 utilizing TLS.\n\nImport the ca certificate that will have signed the syslog server:\n\ncli% importcert syslog-sec-server -ca stdin\n\nCopy and paste the PEM format of the appropriate CA as instructed.\n\nConfigure the system to utilize remote syslog:\n\ncli% setsys RemoteSyslog 1"},{"id":"2c259d72-2961-4f77-8a59-62fa02ec6edd","vulnId":"V-255285","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government, since this provides assurance they have been tested and validated.\n\nThe HPE 3PAR OS can be configured to use FIPS validated cryptographic methods for communications secrecy. It also has an encryption license feature that controls the handling of Self-Encrypting backend drives, which requires an authorized service provider for install and activation.\n\nSatisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223","checkContent":"Verify the status of the FIPS communication library:\n\ncli% controlsecurity fips status\n\nIf the line \"FIPS Mode:\" is not \"Enabled\", this is a finding.\n\nIf any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding.\n\nIf CIM, VASA, or WSAPI are \"Disabled\", and the mission requires any of these services, this is a finding.\n\nReview the requirements by the Information Owner to determine if the system will store sensitive or classified information.\n\nIf the mission does not store sensitive, or classified information, the remainder of the check is not applicable.\n\nIf the mission stores classified data, check the status of backend drive encryption:\n\ncli% controlencryption status\n\nIf Licensed, Enabled, or BackupSaved are \"no\", or the keystore is not EKM, this is a finding.","fixText":"Set the communications encryption module into fips mode:\n\ncli% controlsecurity fips enable\n\nIf the mission stores classified information, contact an authorized service provider to install and configure the licensed encryption feature."},{"id":"07f29c92-19cc-4792-b304-d342d8267f2d","vulnId":"V-255286","severity":"high","ruleTitle":"The HPE 3PAR OS must map the authenticated identity to the user account for PKI-based authentication.","description":"Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.\n\nPKI authentication is performed by the HPE 3PAR SSMC, and the authenticated user's identity is extracted from the certificate and forwarded to the HPE 3PAR OS over a mutually authenticated TLS channel. The HPE 3PAR OS then queries/authorizes the identity in the external Account Management system (LDAP/AD), and authorizes the individual as appropriate based on that. The ldap-2fa-cert-field is used to tell the SSMC which field to extract from the user certificate. The ldap-2fa-object-attr is used to search the account management system for an account with a matching attribute.","checkContent":"Verify that the two factor authentication (2fa) parameters are set:\n\ncli% showauthparam\nIf there is an error, or the output does not contain the following, this is a finding. \nldap-2fa-cert-field \nldap-2fa-object-attr ","fixText":"To configure the two factor authentication parameters (2fa) to support PKI based authentication/authorization:\n\ncli% setauthparam -f ldap-2fa-cert-field \n\ncli% setauthparam -f ldap-2fa-object-attr "},{"id":"a60d520c-feb3-4e15-ad9b-8ee1c2327cc2","vulnId":"V-255287","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.","checkContent":"Check that a signed certificate and CA certificate have been imported:\n\ncli% showcert -service unified-server\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Create a CSR to be signed by an appropriate CA:\n\ncli% createcert unified-server -csr -CN -SAN \n\nCopy the output and give it to the CA for signing.\n\nInstall the root CA certificate bundle:\n\ncli% importcert unified-server -ca stdin\n\nCopy and paste the ca bundle contents as instructed.\n\nInstall the signed certificate from the ca:\n\ncli% importcert unified-server stdin\n\nCopy and paste the PEM format signed certificate contents as instructed."},{"id":"aeac9ab9-1af0-4de7-a90b-a0361aeb3b13","vulnId":"V-255288","severity":"medium","ruleTitle":"The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.","description":"$29","checkContent":"$2a","fixText":"$2b"},{"id":"55e21c22-039b-4d00-a9ca-9f1fd2bdd2fc","vulnId":"V-255289","severity":"medium","ruleTitle":"The HPE 3PAR OS syslog-sec-client must be configured to perform mutual TLS authentication using a CA-signed client certificate.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.","checkContent":"Check with the Information Owner to verify if Mutual Authentication is required by the syslog server.\n\nIf mutual TLS authentication is not required, this requirement is not applicable.\n\nCheck that a signed client certificate and CA certificate have been imported for the syslog-sec-client service:\n\ncli% showcert -service syslog-sec-client\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Check with the Information Owner to verify that TLS mutual authentication is required by the remote syslog server.\n\nIf TLS mutual authentication is not required, this requirement is not applicable.\n\nCreate a CSR to be signed by an appropriate CA:\n\ncli% createcert syslog-sec-client -csr -CN -SAN \n\nCopy the output and give it to the CA for signing.\n\nInstall the root CA certificate bundle:\n\ncli% importcert syslog-sec-client -ca stdin\n\nCopy and paste the ca bundle contents as instructed.\n\nInstall the signed certificate from the ca:\n\ncli% importcert sysloc-sec-client stdin\n\nCopy and paste the PEM format signed certificate contents as instructed.\n\nThe syslog-sec-client service will be restarted."},{"id":"48be511c-d5a6-4ec0-8f0c-48eb32e6fb4d","vulnId":"V-255290","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential Common Information Model services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The Common Information Model services component must be configured for it to start. If it is not required by the mission, then it must be disabled.","checkContent":"Check with the Information Owner to verify if the mission objectives require CIM functionality.\n\nIf the mission requirements include CIM service capabilities, this requirement is not applicable.\n\nIf mission requirements do not include CIM, then verify the state of the CIM services capabilities on the array:\n\ncli% showcim\n\nIf the service state is not \"Disabled\", this is a finding.","fixText":"Verify with the Information Owner whether mission objectives require CIM functionality.\n\nIf CIM services functionality is not part of the mission requirements, stop and disable \"cimserver\":\n\ncli% stopcim -f\n\ncli% setcim -f -http disable -https disable"},{"id":"32139c8c-f8f8-43b9-841f-44512fd27d00","vulnId":"V-255291","severity":"high","ruleTitle":"The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.","description":"$2c","checkContent":"If the mission does not require CIM functionality this requirement is not applicable.\n\nVerify if CIMserver is configured to run.\nUse the command:\n\"cli% showcim\"\n\nIf the Server column shows \"Disabled\", this is not applicable.\n\nIf the HTTP column shows \"Enabled\", this is a finding.\n\nIf the HTTPS column shows \"Disabled\", this is a finding.\n\nUse the command:\n\"cli% showcim -pol\" to display advanced configuration policies.\n\nIf the output contains \"no_tls_strict\", this is a finding.","fixText":"Verify if CIMserver is configured to run.\nUse the command:\n\"cli% showcim\"\n\nIf the Server column shows \"Disabled\", this is not applicable.\n\nTemporarily stop the server using the command: \"cli% stopcim -f\"\n\nDisable the HTTP listener, and enable the HTTPS listener, using the command: \ncli% setcim -http disable -https enable\n\nSet the TLS policy to utilize only TLS1.2 with the following command:\ncli% setcim -pol tls_strict\n\nRestart the CIMserver using the command:\ncli% startcim"},{"id":"f5da1e59-5928-4a9e-b777-86945e832c5f","vulnId":"V-255292","severity":"high","ruleTitle":"The HPE 3PAR OS cimserver process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nThe HPE 3PAR OS cimserver utilizes a vendor-affirmed FIPS module and operates OpenSSL in FIPS mode when configured as described. If the service is not enabled in FIPS mode, it is incorrectly configured.","checkContent":"If the mission does not require CIM functionality, this requirement is not applicable.\n\nVerify cim is configured:\ncli% showcim\n\nIf there is an error, this is a finding.\n\nIf the output indicates the service is \"Disabled\", the state is \"Inactive\", HTTP is \"Enabled\", or HTTPS is \"Disabled\", this is a finding.\n\nCheck the FIPS status\ncli% controlsecurity fips status\n\nIf there is an error, or CIM shows as \"Disabled\", this is a finding.","fixText":"Stop the cimserver process:\ncli% stopcim -f\n\nReconfigure the cimserver to use only HTTPS on TLSV1.2\ncli% setcim -f -http disable\ncli% setcim -f -https enable\ncli% setcim -f -pol tls_strict\n\nRestart the cimserver process:\ncli% startcim -f\n\nWait up to five minutes for CIM to start up and verify it is Enabled/Active \ncli% showcim\n\nOnce CIM is active, verify FIPS mode:\ncli% controlsecurity fips status\n\nIf CIM is \"Disabled\", this is an error that requires a service escalation."},{"id":"3d6e4a87-f78a-4693-b2a4-1149db5143e9","vulnId":"V-255293","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with an External Key Manager.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.","checkContent":"Check that a signed client certificate and CA certificate have been imported for the ekm-server service:\n\ncli% showcert -service ekm-server\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Install the root CA certificate used to sign the EKM server’s certificate:\n\ncli% importcert ekm-server -ca stdin\n\nCopy and paste the PEM format certificate contents as instructed.\n\nThe fipsvr process will be restarted."},{"id":"f4a7480d-6a17-420b-b105-bf305fb3c533","vulnId":"V-255294","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential VASA VVol services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The VASA VVol Provider service component must be configured for it to start. If it is not required by the mission, then it must be disabled.","checkContent":"Check with the Information Owner whether the mission objectives require VASA VVol functionality.\n\nIf the mission requirements include VASA VVol functionality, this requirement is not applicable.\n\nIf mission requirements do not include this functionality, verify the state of the VASA VVol services capabilities on the array:\n\ncli% showvasa\n\nIf the state is \"enabled\", this is a finding.","fixText":"Verify with the Information Owner whether VASA VVol functionality is required by the mission objectives.\n\nIf the mission requires VASA VVol functionality, this requirement is not applicable.\n\nIf VASA VVol services functionality is not required by the mission, stop the VASA provider:\n\ncli% stopvasa -f"},{"id":"783b4650-0f72-4147-9498-c8e5a53f3eff","vulnId":"V-255295","severity":"high","ruleTitle":"The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.","description":"$2d","checkContent":"If the mission does not require WSAPI functionality, this requirement is not applicable.\n\nVerify if WSAPI is configured to run.\nUse the command:\ncli% showwsapi -d\n\nIf \"Service State\" shows \"Disabled\", this is not applicable.\n\nIf \"HTTP State\" shows \"Enabled\", this is a finding.\n\nIf \"HTTPS State\" shows \"Disabled\", this is a finding.\n\nIf \"Policy\" contains \"no_tls_strict\", this is a finding.","fixText":"Verify if WSAPI is configured to run. Use the command:\ncli% showwsapi -d\n\nIf \"Service State\" shows \"Disabled\", this is not applicable.\n\nTemporarily stop the WSAPI server with the command:\ncli% stopwsapi -f\n\nTo disable the HTTP listener, and enable the HTTPS listener, use the command:\ncli% setwsapi -http disable -https enable\n\nTo set the TLS policy to TLSv1.2 only, use the command:\ncli% setwsapi -pol tls_strict\n\nRestart the server with the following command:\ncli% startwsapi"},{"id":"e1dc95fb-1378-42e8-a88e-ef168684a037","vulnId":"V-255296","severity":"high","ruleTitle":"The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nThe HPE 3PAR OS cimserver utilizes a vendor-affirmed FIPS module and operates OpenSSL in FIPS mode when configured as described. If the service is not enabled in FIPS mode it is incorrectly configured.","checkContent":"If the mission does not require WSAPI functionality, this requirement is not applicable.\n\nVerify if WSAPI is configured to run.\nUse the command:\ncli% showwsapi -d\n\nIf \"service State\" shows \"Disabled\", this is not applicable.\n\nIf \"HTTP State\" shows \"Enabled\", this is a finding.\n\nIf \"HTTPS State\" shows \"Disabled\", this is a finding.\n\nIf \"Policy\" contains \"no_tls_strict\", this is a finding.","fixText":"Stop the WSAPI process:\ncli% stopwsapi -f\n\nReconfigure the WSAPI to use only HTTPS on TLSV1.2:\ncli% setwsapi -f -http disable\ncli% setwsapi -f -https enable\ncli% setwsapi -f -pol tls_strict\n\nRestart the WSAPI process:\ncli% startwsapi -f\n\nWait up to five minutes for WSAPI to start up and verify it is Enabled/Active:\ncli% showwsapi\n\nOnce WSAPI is active, verify FIPS mode:\ncli% controlsecurity fips status\n\nIf WSAPI is \"Disabled\", this is an error that requires a service escalation."},{"id":"cfcbfe7e-7a15-44e8-9948-004c9beb0f7d","vulnId":"V-255297","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to perform mutual TLS authentication using a CA-signed client certificate when communicating with an External Key Manager.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.","checkContent":"Check with the Information Owner to verify if Mutual Authentication is required by the EKM server.\n\nIf mutual TLS authentication is not required, this requirement is not applicable.\n\nCheck that a signed client certificate and CA certificate have been imported for the ekm-client service:\n\ncli% showcert -service ekm-client\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Check with the Information Owner to verify that TLS mutual authentication is required by the EKM server.\n\nIf TLS mutual authentication is not required, this requirement is not applicable.\n\nCreate a CSR to be signed by an appropriate CA:\n\ncli% createcert ekm-client -csr -CN -SAN \n\nCopy the output and give it to the CA for signing.\n\nInstall the root CA certificate bundle:\n\ncli% importcert ekm-client -ca stdin\n\nCopy and paste the ca bundle contents as instructed.\n\nInstall the signed certificate from the ca:\ncli% importcert ekm-client stdin\nCopy and paste the PEM format signed certificate contents as instructed.\n\nThe fipsvr process will be restarted."},{"id":"c0f3e089-b46b-43b9-8802-005892e96af3","vulnId":"V-255298","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to disable nonessential Remote Copy services.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe HPE 3PAR OS does not, by default, operate nonessential services. The Remote Copy services component must be configured for it to start. If it is not required by the mission, then it must be disabled.","checkContent":"Verify with the Information Owner that the mission objectives exclude Remote Copy functionality.\n\nIf Remote Copy is required by the mission, this requirement is not applicable.\n\nIf Remote Copy is not required by the mission, verify the state of RC functionality: \n\ncli% showrcopy\n\nIf the output is an error and indicates the system is not licensed for Remote Copy, this is not a finding.\n\nIf the output indicates \"Remote Copy is not configured for this system\", this is not a finding.\n\nIf the output indicates any other status, this is a finding.","fixText":"Verify with the Information Owner that the mission objectives do not require remote copy.\n\nIf Remote Copy is not required by the mission, forcibly stop the functionality, and clear the configuration:\n\ncli% stoprcopy -f -clear"},{"id":"26afa52c-3d80-4165-82b7-40529da4f904","vulnId":"V-255299","severity":"medium","ruleTitle":"The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with a centralized account management server.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThe HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.","checkContent":"Check that a signed client certificate and CA certificate have been imported for the ldap service:\n\ncli% showcert -service ldap\n\nIf the output does not contain DOD PKI certificates of at least two lines of output, one of type \"cert\" and one of type \"rootca\", this is a finding.","fixText":"Install the root CA certificate used to sign the LDAP server’s certificate:\n\ncli% importcert ldap -ca stdin\n\nCopy and paste the PEM format certificate contents as instructed.\n\nThe fipsvr process will be restarted."}]}]]}]

HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide

Checks (30)