Verify the state of the optional capabilities on the array:
cli% showwsapi
If the service state is not "Disabled", and the web-services functionality is not being used, this is a finding. If web services functionality is required, this is not applicable.
If web services functionality is not required, stop and disable web services:
cli% stopwsapi -f
Verify the current SessionTimeout setting:
cli% showsys -param
Find the SessionTimeout line in the output. If the value is not "00:10:00", this is a finding.
Set the SessionTimeout value to 10 minutes:
cli% setsys SessionTimeout 10m
Verify that insecure ports are disabled:
cli% setnet disableports yes
To confirm the operation, enter "cli% y" and press "Enter". If an error is reported, this is a finding.
If available, a port scan can also verify that only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command:
cli% nmap -sT -sU -sV --version-all -vv -p1-65535 <ip address of storage system>
If any port is listed other than SSHD (22), NTP (123), SNMP (161, 162), 3PAR Mgmt Intfc (5783), CIM (5989, configurable), or WSAPI (8088, configurable), this is a finding.
To disable all unencrypted ports, use the command:
cli% setnet disableports yes
To confirm the operation, enter "cli% y" and press "Enter".
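As an added example (not part of the STIG text), the following Python script applies the allowed-port list from the check above to saved nmap output; the sample scan output is constructed, and the CIM and WSAPI ports are parameters because the check notes they are configurable.

```python
import re

# Ports the STIG check permits on the array's management interface. The CIM and
# WSAPI ports are configurable, so they are passed in rather than fixed here.
BASELINE_PORTS = {22, 123, 161, 162, 5783}   # SSHD, NTP, SNMP, 3PAR Mgmt Intfc

# Matches nmap port lines such as "22/tcp open ssh"; "open|filtered" (common for
# UDP) is counted as open so the audit errs on the side of reporting.
OPEN_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.MULTILINE)

# Constructed sample in the shape of nmap -sT -sU -sV output; not a real scan.
SAMPLE_SCAN = """\
PORT      STATE         SERVICE   VERSION
22/tcp    open          ssh       OpenSSH (protocol 2.0)
80/tcp    open          http
443/tcp   open          ssl/http
5783/tcp  open          unknown
8088/tcp  open          ssl/http
123/udp   open          ntp
161/udp   open|filtered snmp
"""


def allowed_ports(cim_port=5989, wsapi_port=8088):
    """Full permitted set for a given CIM/WSAPI port configuration."""
    return BASELINE_PORTS | {cim_port, wsapi_port}


def open_ports(nmap_text):
    """Set of (port, protocol) pairs nmap reported as open."""
    return {(int(port), proto) for port, proto in OPEN_LINE.findall(nmap_text)}


def audit_ports(nmap_text, cim_port=5989, wsapi_port=8088):
    """Sorted list of open ports the check does not permit; empty means no finding."""
    permitted = allowed_ports(cim_port, wsapi_port)
    return sorted({port for port, _ in open_ports(nmap_text) if port not in permitted})


if __name__ == "__main__":
    extra = audit_ports(SAMPLE_SCAN)
    print("finding: unexpected open ports", extra if extra else "none")
```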
Verify the status of FIPS operation mode:
cli% controlsecurity fips status
If the output indicates FIPS mode is disabled, this is a finding.
If the output shows CIM is disabled, and CIM is an essential service for the mission, this is a finding.
If the output shows VASA is disabled, and VASA is an essential service for the mission, this is a finding.
If the output shows WSAPI is disabled, and WSAPI is an essential service for the mission, this is a finding.
If the output shows any other service status as Disabled, this is a finding.
To initialize the FIPS module, use:
cli% controlsecurity fips enable
Warning: Enabling FIPS mode requires restarting all system management interfaces, which will terminate ALL existing connections including this one. When that happens, you must reconnect to continue.
Continue enabling FIPS mode (yes/no)? yes
After reconnecting, verify FIPS mode with:
cli% controlsecurity fips status
Review the requirements by the Information Owner to discover whether the system stores sensitive or classified information. If the system does not store sensitive or classified information, this requirement is not applicable. If the system does store sensitive or classified information, use the following command to display the state of encryption:
cli% controlencryption status
If Licensed, Enabled, or BackupSaved is not "Yes", or Keystore is not "EKM", this is a finding.
Contact an authorized service partner to install and configure the encryption license feature.
Verify an SNMPv3 user account is configured:
cli% showsnmpuser
Username | AuthProtocol | PrivProtocol
3parsnmpuser | HMAC SHA 96 | CFB128 AES 128
If the output is not displayed in the above format, this is a finding.
Identify the SNMP trap recipient and report the SNMP configuration:
cli% showsnmpmgr
HostIP | Port | SNMPVersion | User
<snmp trap recipient IP> | 162 | 3 | 3parsnmpuser
If the SNMP trap recipient IP address is incorrect, this is a finding. If the SNMP port is not "162", this is a finding. If the SNMP version is not "3", this is a finding. If the SNMP user ID is incorrect, this is a finding.
Generate a test trap:
cli% checksnmp
Trap sent to the following managers: <IP address of trap recipient>
If the response does not indicate a trap was successfully sent, this is a finding.
To configure SNMPv3 alert notifications, use this sequence of operations.
Create and enable an SNMPv3 user, and create associated keys for authentication and privacy:
cli% createuser 3parsnmpuser all browse
Enter the password and confirm it.
cli% createsnmpuser 3parsnmpuser
At the prompt, enter the password; at the next prompt, re-enter the password.
Add the IP address of the SNMPv3 trap recipient, where the permissions of the account are used:
cli% addsnmpmgr -version 3 -snmpuser 3parsnmpuser <ip address>
Verify that an SNMPv3 user account is configured:
cli% showsnmpuser
Username | AuthProtocol | PrivProtocol
<someusername> | HMAC SHA 96 | CFB128 AES 128
If the output is not in the above format, this is a finding.
Verify the SNMP trap recipient and SNMP configuration:
cli% showsnmpmgr
If the HostIP identified is not correct, this is a finding. If the port is not 162, this is a finding. If the version is not 3, this is a finding. If the username does not match the user from above, this is a finding.
Send a test trap and verify it is received:
cli% checksnmp
If the response does not indicate a trap was successfully sent, this is a finding.
Configure SNMPv3 notifications.
Create an SNMPv3 user, and create associated keys for authentication and privacy:
cli% createsnmpuser <someusername>
where "<someusername>" is the desired username, and then enter a password at the prompts.
Add the SNMP trap recipient and the user just created:
cli% addsnmpmgr -version 3 -snmpuser <someusername> <ipaddress>
where "<someusername>" is the user created above, and "<ipaddress>" is the address of the SNMPv3 trap recipient.
Generate a test trap:
cli% checksnmp
Verify that a trap was received by the manager specified.
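An added example, not from the STIG, that applies the SNMPv3 checks above (user auth/priv protocols, recipient address, port 162, version 3, and a user that matches a configured SNMPv3 account) to saved showsnmpuser and showsnmpmgr output. It assumes the pipe-separated table layout shown in the check text; the sample rows and the 192.0.2.10 recipient address are constructed.

```python
# Values the check text requires for the SNMPv3 user.
REQUIRED_AUTH = "HMAC SHA 96"
REQUIRED_PRIV = "CFB128 AES 128"

# Constructed samples in the layout the check text shows (not captured output).
GOOD_USERS = """\
Username | AuthProtocol | PrivProtocol
3parsnmpuser | HMAC SHA 96 | CFB128 AES 128
"""
GOOD_MGRS = """\
HostIP | Port | SNMPVersion | User
192.0.2.10 | 162 | 3 | 3parsnmpuser
"""
BAD_MGRS = """\
HostIP | Port | SNMPVersion | User
192.0.2.10 | 162 | 2 | legacyuser
"""


def parse_table(text):
    """Parse a pipe-separated table (header row, then one row per entry) into dicts."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(header, [c.strip() for c in ln.split("|")])) for ln in lines[1:]]


def audit_snmpv3(user_output, mgr_output, expected_recipient):
    """Return the list of findings for the SNMPv3 check; empty means compliant."""
    findings = []
    users = parse_table(user_output)
    managers = parse_table(mgr_output)

    if not users:
        findings.append("no SNMPv3 user configured")
    for u in users:
        if (u.get("AuthProtocol"), u.get("PrivProtocol")) != (REQUIRED_AUTH, REQUIRED_PRIV):
            findings.append(f"user {u.get('Username')}: auth/priv is "
                            f"{u.get('AuthProtocol')}/{u.get('PrivProtocol')}")
    known_users = {u.get("Username") for u in users}

    if not managers:
        findings.append("no SNMP trap recipient configured")
    for m in managers:
        host = m.get("HostIP")
        if host != expected_recipient:
            findings.append(f"trap recipient {host} is not {expected_recipient}")
        if m.get("Port") != "162":
            findings.append(f"recipient {host}: port {m.get('Port')} is not 162")
        if m.get("SNMPVersion") != "3":
            findings.append(f"recipient {host}: SNMP version {m.get('SNMPVersion')} is not 3")
        if m.get("User") not in known_users:
            findings.append(f"recipient {host}: user {m.get('User')} is not a configured SNMPv3 user")
    return findings


if __name__ == "__main__":
    for f in audit_snmpv3(GOOD_USERS, BAD_MGRS, "192.0.2.10"):
        print("FINDING:", f)
```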
Verify NTP is operational:
cli% shownet
If any of the NTP Server lines in the output show an incorrect NTP Server address, this is a finding. If only one NTP Server line is present, and it indicates "None" for the address, this is a finding.
Enable NTP with:
cli% setnet ntp -add <server ip address>
This command can be used multiple times to specify multiple NTP Servers.
Determine if the system is configured for external account management. Enter the command:
cli% showauthparam
If the result returns an error, or these fields of the output are not configured, this is a finding:
ldap-server <ip address of LDAP server>
ldap-server-hn <host name of LDAP server>
ldap-type <RHDS | OPEN>
If ldap-type is "MSAD", this requirement is not applicable.
If the resulting parameters DO NOT include the following group parameters, this is a finding:
groups-dn
group-obj
group-name-attr
Next, verify that the LDAP authentication is operational by entering the command:
cli% checkpassword <username>
Enter the password for <username>.
If the username and password used in checkpassword are known to be valid LDAP credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding:
user <username> is authenticated and authorized
Note: checkpassword will fail even if LDAP is properly configured, if the username and password are not entered correctly.
If Active Directory is in use, this requirement is not applicable.
Use this series of commands to configure LDAP:
cli% setauthparam -f ldap-type <type>
where type is RHDS or OPEN.
cli% setauthparam -f ldap-server <ldap server IP address>
cli% setauthparam -f ldap-server-hn <fully qualified domain name of ldap server, such as ldapserver.thisdomain.com>
cli% setauthparam -f binding simple
cli% setauthparam -f ldap-StartTLS require
cli% setauthparam -f groups-dn ou=Groups,dc=thisdomain,dc=com
cli% setauthparam -f user-dn-base ou=People,dc=thisdomain,dc=com
cli% setauthparam -f user-attr uid
cli% setauthparam -f group-obj groupofuniquenames
cli% setauthparam -f group-name-attr cn
cli% setauthparam -f member-attr uniqueMember
cli% setauthparam -f browse-map <customer-assigned name of browse role> <customer-assigned name of "browse" group>
cli% setauthparam -f edit-map <customer-assigned name of edit role> <customer-assigned name of "edit" group>
cli% setauthparam -f service-map <customer-assigned name of service role> <customer-assigned name of "service" group>
cli% setauthparam -f super-map <customer-assigned name of super role> <customer-assigned name of "super" group>
Verify that only essential local accounts are configured:
cli% showuser
If the output shows users other than the three accounts below, this is a finding.
--3paradm (or some other customer-chosen account with "super" role)
--3parsnmpuser
--3parsvc
Display users:
cli% showuser
Remove all accounts except:
--3paradm (or other customer-created "super" role account)
--3parsnmpuser
--3parsvc
Use the command:
cli% removeuser <username>
and confirm the operation with "y".
Verify that the minimum password length is 15 characters:
cli% showsys -d
Verify that the line containing the string "Minimum PW length" shows "15" for the length. If it does not, this is a finding.
Configure the minimum password length to a value of "15":
cli% setpassword -minlen 15
Note: The user must have super-admin privileges to perform this action.
Verify that the login banner is configured. Enter the following command:
cli% showbanner -all
CLI banner:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
SSH banner:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the system does not display a graphical logon banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
To configure the login banner, enter the command:
cli% setbanner -all
Paste the following text:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
To complete the configuration, press "Enter" twice.
To verify the logging capacity is set to the maximum value of "4", enter the following command:
cli% showsys -param
In the resulting list of configured parameters and values, if the following line does not appear, this is a finding.
EventLogSize : 4M
Enter the following command to configure the audit logging capacity for the maximum storage value:
cli% setsys EventLogSize 4M
To verify the time zone is configured, enter:
cli% showdate
If the time zone field is not configured, this is a finding.
Configure the time zone by first identifying the time zone indicator:
cli% setdate -tzlist
Then configure the time zone with:
cli% setdate -tz <timezone identifier from above>
If UTC is to be used, complete the operation with:
cli% setdate -tz Etc/UTC
Verify the time zone is set with:
cli% showdate
Verify offloading of security syslog events with:
cli% showsys -d
Find the output section "Remote Syslog Status". If "Active" is not "1", this is a finding. If "Security Server" is not defined, this is a finding. If "Security Connection" is not "TLS", this is a finding.
Configure the remote syslog host:
cli% setsys RemoteSyslogSecurityHost <hostname> <address-spec> [:port]
The hostname and address are both required. If both IPv4 and IPv6 addresses are supplied, the IPv6 address must be enclosed in []. The default port is 6514, utilizing TLS.
Import the CA certificate that will have signed the syslog server's certificate:
cli% importcert syslog-sec-server -ca stdin
Copy and paste the PEM format of the appropriate CA as instructed.
Configure the system to utilize remote syslog:
cli% setsys RemoteSyslog 1
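Added example, not from the STIG, that applies the showsys checks on this page (SessionTimeout, Minimum PW length, EventLogSize, and the Remote Syslog Status fields) to saved output. It assumes a "Name : Value" layout modelled on the EventLogSize line quoted above; both sample outputs are constructed.

```python
import re

# Constructed sample of "showsys -param" output. The "Name : Value" layout is an
# assumption modelled on the EventLogSize line quoted in the check text.
SAMPLE_PARAMS = """\
System parameters from configured settings

 ------Parameter------ --Value--
      SessionTimeout : 00:30:00
        EventLogSize : 4M
"""

# Constructed sample of the relevant parts of "showsys -d". The field names come
# from the check text; the exact layout is an assumption.
SAMPLE_DETAIL = """\
Minimum PW length : 8

Remote Syslog Status
  Active              : 1
  Security Server     : syslog.example.test
  Security Connection : UDP
"""

# One "Name : Value" pair per line; lines without a colon are headers and ignored.
KV_LINE = re.compile(r"^\s*([\w ]+?)\s*:\s*(.*?)\s*$")


def parse_kv(text):
    """Collect Name -> Value pairs from CLI output, skipping non-matching lines."""
    pairs = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def audit_showsys(param_text, detail_text):
    """Apply the STIG checks for session timeout, event log size, minimum
    password length and remote security syslog offload.
    Returns a list of findings; an empty list means all checks pass."""
    params = parse_kv(param_text)
    detail = parse_kv(detail_text)
    findings = []
    if params.get("SessionTimeout") != "00:10:00":
        findings.append(f"SessionTimeout is {params.get('SessionTimeout')!r}, expected '00:10:00'")
    if params.get("EventLogSize") != "4M":
        findings.append(f"EventLogSize is {params.get('EventLogSize')!r}, expected '4M'")
    if detail.get("Minimum PW length") != "15":
        findings.append(f"Minimum PW length is {detail.get('Minimum PW length')!r}, expected '15'")
    if detail.get("Active") != "1":
        findings.append("Remote Syslog Status: Active is not 1")
    if not detail.get("Security Server"):
        findings.append("Remote Syslog Status: Security Server is not defined")
    if detail.get("Security Connection") != "TLS":
        findings.append(f"Remote Syslog Status: Security Connection is "
                        f"{detail.get('Security Connection')!r}, not 'TLS'")
    return findings


if __name__ == "__main__":
    for f in audit_showsys(SAMPLE_PARAMS, SAMPLE_DETAIL):
        print("FINDING:", f)
```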
Verify the status of the FIPS communication library:
cli% controlsecurity fips status
If the line "FIPS Mode:" is not "Enabled", this is a finding.
If any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding.
If CIM, VASA, or WSAPI are "Disabled", and the mission requires any of these services, this is a finding.
Review the requirements by the Information Owner to determine if the system will store sensitive or classified information. If the mission does not store sensitive or classified information, the remainder of the check is not applicable. If the mission stores classified data, check the status of backend drive encryption:
cli% controlencryption status
If Licensed, Enabled, or BackupSaved are "no", or the keystore is not EKM, this is a finding.
Set the communications encryption module into FIPS mode:
cli% controlsecurity fips enable
If the mission stores classified information, contact an authorized service provider to install and configure the licensed encryption feature.
Verify that the two-factor authentication (2FA) parameters are set:
cli% showauthparam
If there is an error, or the output does not contain the following, this is a finding:
ldap-2fa-cert-field <fieldName>
ldap-2fa-object-attr <ldap object corresponding to cert field>
To configure the two-factor authentication (2FA) parameters to support PKI-based authentication/authorization:
cli% setauthparam -f ldap-2fa-cert-field <name of certificate field containing user identity string>
cli% setauthparam -f ldap-2fa-object-attr <attribute in ldap object corresponding to cert field value>
Check that a signed certificate and CA certificate have been imported:
cli% showcert -service unified-server
If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.
Create a CSR to be signed by an appropriate CA:
cli% createcert unified-server -csr -CN <common name> -SAN <DNS:somednsname or IP:someipaddress>
Copy the output and give it to the CA for signing.
Install the root CA certificate bundle:
cli% importcert unified-server -ca stdin
Copy and paste the CA bundle contents as instructed.
Install the signed certificate from the CA:
cli% importcert unified-server stdin
Copy and paste the PEM format signed certificate contents as instructed.
Check with the Information Owner to verify if Active Directory will be used for Centralized Account Management. If Active Directory will not be used, this requirement is not applicable.
Determine if the system is configured for Active Directory (AD). Enter the command:
cli% showauthparam
If the result returns an error, or these fields of the output are not configured, this is a finding:
ldap-server <ip address of AD server>
ldap-server-hn <host name of AD server>
If the resulting parameters include the group parameters
groups-dn
group-obj
group-name-attr
this requirement is not applicable.
Next, verify that the AD authentication is operational by entering the command:
cli% checkpassword <username>
Enter the password for <username>.
If the username and password used in checkpassword are known to be valid AD credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding:
user <username> is authenticated and authorized
Note: checkpassword will fail even if AD is properly configured, if the username and password are not entered correctly.
Use this series of commands to configure AD:
cli% setauthparam -f ldap-type MSAD
cli% setauthparam -f ldap-server <AD server IP address>
cli% setauthparam -f binding simple
cli% setauthparam -f ldap-StartTLS require
cli% setauthparam -f kerberos-realm <kerberos realm, such as WIN2K12FOREST.THISDOMAIN.COM>
cli% setauthparam -f ldap-server-hn <fully qualified domain name of AD server, such as adserver.thisdomain.com>
cli% setauthparam -f accounts-dn CN=Users,DC=win2k12forest,DC=thisdomain,DC=com
cli% setauthparam -f user-dn-base CN=Users,DC=win2k12forest,DC=thisdomain,DC=com
cli% setauthparam -f user-attr WIN2K12FOREST\\
cli% setauthparam -f account-obj user
cli% setauthparam -f account-name-attr sAMAccountName
cli% setauthparam -f memberof-attr memberOf
cli% setauthparam -f browse-map "CN=<customer-assigned name of browse role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f edit-map "CN=<customer-assigned name of edit role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f service-map "CN=<customer-assigned name of service role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f super-map "CN=<customer-assigned name of super role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
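Added example, not from the STIG, covering both the LDAP (RHDS/OPEN) check and the Active Directory check on this page against saved showauthparam output. It assumes one "parameter value" pair per line, matching the fields the checks list; the sample parameter sets are constructed, and starttls_required goes beyond the check text by also confirming the ldap-StartTLS value that both fix procedures set.

```python
# Parameters named by the two checks.
GROUP_PARAMS = ("groups-dn", "group-obj", "group-name-attr")
SERVER_PARAMS = ("ldap-server", "ldap-server-hn")

# Constructed samples of showauthparam output (one "parameter value" per line,
# an assumed layout); the addresses and DNs are placeholders.
SAMPLE_LDAP = """\
ldap-type        OPEN
ldap-server      192.0.2.20
ldap-server-hn   ldapserver.example.test
binding          simple
ldap-StartTLS    require
groups-dn        ou=Groups,dc=example,dc=test
user-dn-base     ou=People,dc=example,dc=test
user-attr        uid
group-obj        groupofuniquenames
group-name-attr  cn
member-attr      uniqueMember
"""
SAMPLE_AD = """\
ldap-type        MSAD
ldap-server      192.0.2.30
ldap-server-hn   adserver.example.test
binding          simple
ldap-StartTLS    require
kerberos-realm   EXAMPLE.TEST
accounts-dn      CN=Users,DC=example,DC=test
"""


def parse_authparam(text):
    """Parse 'parameter value' lines into a dict; blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            params[parts[0]] = parts[1]
    return params


def check_ldap(params):
    """LDAP (RHDS/OPEN) requirement. Returns (status, findings)."""
    if params.get("ldap-type") == "MSAD":
        return "not applicable", []
    findings = [f"{p} not configured" for p in SERVER_PARAMS if not params.get(p)]
    if params.get("ldap-type") not in ("RHDS", "OPEN"):
        findings.append(f"ldap-type is {params.get('ldap-type')!r}, expected RHDS or OPEN")
    findings += [f"group parameter {p} missing" for p in GROUP_PARAMS if not params.get(p)]
    return ("finding" if findings else "pass"), findings


def check_ad(params, ad_in_use=True):
    """Active Directory requirement. Returns (status, findings)."""
    if not ad_in_use:
        return "not applicable", []
    # Group parameters present means the LDAP requirement applies instead.
    if any(params.get(p) for p in GROUP_PARAMS):
        return "not applicable", []
    findings = [f"{p} not configured" for p in SERVER_PARAMS if not params.get(p)]
    return ("finding" if findings else "pass"), findings


def starttls_required(params):
    """Beyond the check text: both fix procedures set ldap-StartTLS to require."""
    return params.get("ldap-StartTLS") == "require"


if __name__ == "__main__":
    for name, sample in (("LDAP", SAMPLE_LDAP), ("AD", SAMPLE_AD)):
        p = parse_authparam(sample)
        print(name, "ldap check:", check_ldap(p), "ad check:", check_ad(p),
              "StartTLS required:", starttls_required(p))
```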
Check with the Information Owner to verify if Mutual Authentication is required by the syslog server. If mutual TLS authentication is not required, this requirement is not applicable.
Check that a signed client certificate and CA certificate have been imported for the syslog-sec-client service:
cli% showcert -service syslog-sec-client
If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.
Check with the Information Owner to verify that TLS mutual authentication is required by the remote syslog server. If TLS mutual authentication is not required, this requirement is not applicable.
Create a CSR to be signed by an appropriate CA:
cli% createcert syslog-sec-client -csr -CN <common name> -SAN <DNS:somednsname or IP:someipaddress>
Copy the output and give it to the CA for signing.
Install the root CA certificate bundle:
cli% importcert syslog-sec-client -ca stdin
Copy and paste the CA bundle contents as instructed.
Install the signed certificate from the CA:
cli% importcert syslog-sec-client stdin
Copy and paste the PEM format signed certificate contents as instructed. The syslog-sec-client service will be restarted.
Check with the Information Owner to verify if the mission objectives require CIM functionality. If the mission requirements include CIM service capabilities, this requirement is not applicable. If mission requirements do not include CIM, then verify the state of the CIM services capabilities on the array:
cli% showcim
If the service state is not "Disabled", this is a finding.
Verify with the Information Owner whether mission objectives require CIM functionality. If CIM services functionality is not part of the mission requirements, stop and disable "cimserver":
cli% stopcim -f
cli% setcim -f -http disable -https disable
If the mission does not require CIM functionality, this requirement is not applicable.
Verify if CIMserver is configured to run. Use the command:
cli% showcim
If the Server column shows "Disabled", this is not applicable. If the HTTP column shows "Enabled", this is a finding. If the HTTPS column shows "Disabled", this is a finding.
Use the command:
cli% showcim -pol
to display advanced configuration policies. If the output contains "no_tls_strict", this is a finding.
Verify if CIMserver is configured to run. Use the command:
cli% showcim
If the Server column shows "Disabled", this is not applicable.
Temporarily stop the server using the command:
cli% stopcim -f
Disable the HTTP listener, and enable the HTTPS listener, using the command:
cli% setcim -http disable -https enable
Set the TLS policy to utilize only TLS 1.2 with the following command:
cli% setcim -pol tls_strict
Restart the CIMserver using the command:
cli% startcim
If the mission does not require CIM functionality, this requirement is not applicable.
Verify CIM is configured:
cli% showcim
If there is an error, this is a finding. If the output indicates the service is "Disabled", the state is "Inactive", HTTP is "Enabled", or HTTPS is "Disabled", this is a finding.
Check the FIPS status:
cli% controlsecurity fips status
If there is an error, or CIM shows as "Disabled", this is a finding.
Stop the cimserver process:
cli% stopcim -f
Reconfigure the cimserver to use only HTTPS on TLSv1.2:
cli% setcim -f -http disable
cli% setcim -f -https enable
cli% setcim -f -pol tls_strict
Restart the cimserver process:
cli% startcim -f
Wait up to five minutes for CIM to start up and verify it is Enabled/Active:
cli% showcim
Once CIM is active, verify FIPS mode:
cli% controlsecurity fips status
If CIM is "Disabled", this is an error that requires a service escalation.
Check that a signed client certificate and CA certificate have been imported for the ekm-server service:
cli% showcert -service ekm-server
If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.
Install the root CA certificate used to sign the EKM server's certificate:
cli% importcert ekm-server -ca stdin
Copy and paste the PEM format certificate contents as instructed. The fipsvr process will be restarted.
Check with the Information Owner whether the mission objectives require VASA VVol functionality. If the mission requirements include VASA VVol functionality, this requirement is not applicable. If mission requirements do not include this functionality, verify the state of the VASA VVol services capabilities on the array:
cli% showvasa
If the state is "enabled", this is a finding.
Verify with the Information Owner whether VASA VVol functionality is required by the mission objectives. If the mission requires VASA VVol functionality, this requirement is not applicable. If VASA VVol services functionality is not required by the mission, stop the VASA provider:
cli% stopvasa -f
If the mission does not require WSAPI functionality, this requirement is not applicable.
Verify if WSAPI is configured to run. Use the command:
cli% showwsapi -d
If "Service State" shows "Disabled", this is not applicable. If "HTTP State" shows "Enabled", this is a finding. If "HTTPS State" shows "Disabled", this is a finding. If "Policy" contains "no_tls_strict", this is a finding.
Verify if WSAPI is configured to run. Use the command:
cli% showwsapi -d
If "Service State" shows "Disabled", this is not applicable.
Temporarily stop the WSAPI server with the command:
cli% stopwsapi -f
To disable the HTTP listener, and enable the HTTPS listener, use the command:
cli% setwsapi -http disable -https enable
To set the TLS policy to TLSv1.2 only, use the command:
cli% setwsapi -pol tls_strict
Restart the server with the following command:
cli% startwsapi
If the mission does not require WSAPI functionality, this requirement is not applicable.
Verify if WSAPI is configured to run. Use the command:
cli% showwsapi -d
If "Service State" shows "Disabled", this is not applicable. If "HTTP State" shows "Enabled", this is a finding. If "HTTPS State" shows "Disabled", this is a finding. If "Policy" contains "no_tls_strict", this is a finding.
Stop the WSAPI process:
cli% stopwsapi -f
Reconfigure the WSAPI to use only HTTPS on TLSv1.2:
cli% setwsapi -f -http disable
cli% setwsapi -f -https enable
cli% setwsapi -f -pol tls_strict
Restart the WSAPI process:
cli% startwsapi -f
Wait up to five minutes for WSAPI to start up and verify it is Enabled/Active:
cli% showwsapi
Once WSAPI is active, verify FIPS mode:
cli% controlsecurity fips status
If WSAPI is "Disabled", this is an error that requires a service escalation.
Check with the Information Owner to verify if Mutual Authentication is required by the EKM server. If mutual TLS authentication is not required, this requirement is not applicable.
Check that a signed client certificate and CA certificate have been imported for the ekm-client service:
cli% showcert -service ekm-client
If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.
Check with the Information Owner to verify that TLS mutual authentication is required by the EKM server. If TLS mutual authentication is not required, this requirement is not applicable.
Create a CSR to be signed by an appropriate CA:
cli% createcert ekm-client -csr -CN <common name> -SAN <DNS:somednsname or IP:someipaddress>
Copy the output and give it to the CA for signing.
Install the root CA certificate bundle:
cli% importcert ekm-client -ca stdin
Copy and paste the CA bundle contents as instructed.
Install the signed certificate from the CA:
cli% importcert ekm-client stdin
Copy and paste the PEM format signed certificate contents as instructed. The fipsvr process will be restarted.
Verify with the Information Owner that the mission objectives exclude Remote Copy functionality. If Remote Copy is required by the mission, this requirement is not applicable. If Remote Copy is not required by the mission, verify the state of RC functionality:
cli% showrcopy
If the output is an error and indicates the system is not licensed for Remote Copy, this is not a finding. If the output indicates "Remote Copy is not configured for this system", this is not a finding. If the output indicates any other status, this is a finding.
Verify with the Information Owner that the mission objectives do not require Remote Copy. If Remote Copy is not required by the mission, forcibly stop the functionality, and clear the configuration:
cli% stoprcopy -f -clear
Check that a signed client certificate and CA certificate have been imported for the ldap service:
cli% showcert -service ldap
If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.
Install the root CA certificate used to sign the LDAP server's certificate:
cli% importcert ldap -ca stdin
Copy and paste the PEM format certificate contents as instructed. The fipsvr process will be restarted.