HPE Alletra Storage ArcusOS Network Device Management V1R1

b

The HPE Alletra Storage ArcusOS device must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.

AC-8 - Medium - CCI-000048 - V-283358 - SV-283358r1194768_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

ASMP-ND-000130

Vuln IDs

V-283358

Rule IDs

SV-283358r1194768_rule

Displaying the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. Satisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216

Checks: C-87923r1194766_chk

Verify the login banner is configured with the following command: cli% showbanner -all CLI banner: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work products are private and confidential. See User Agreement for details. SSH banner: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work products are private and confidential. See User Agreement for details. If the system does not display a graphical logon banner, or the banner does not match the wording for the Standard Mandatory DOD Notice and Consent, this is a finding.

Fix: F-87828r1194767_fix

Configure the login banner: cli% setbanner -all Paste the following text: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work products are private and confidential. See User Agreement for details. To complete the configuration, press "Enter" twice.

c

The HPE Alletra Storage ArcusOS device must be configured to prohibit using all unnecessary and/or nonsecure ports, protocols, and/or services.

CM-7 - High - CCI-000382 - V-283377 - SV-283377r1194825_rule

RMF Control

CM-7

Severity

H

CCI

CCI-000382

Version

ASMP-ND-000330

Vuln IDs

V-283377

Rule IDs

SV-283377r1194825_rule

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting using ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved. Configuring the network device to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network device. Security-related parameters are those parameters impacting the security state of the network device, including the parameters required to satisfy other security control requirements. Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption.

Checks: C-87942r1194823_chk

Issue the following commands to check various services: cli% setnet disableports yes cli% stoprda RDA service is already disabled. Note: There is no command to show the status of the disabled ports or the RDA service. cli% showrcopy -d Remote Copy System Information Status: Stopped, Normal cli% showvasa -Service- -------------------VASA_API2_URL------------------- -MemUsage(MiB)- -Version- Enabled https://HPE_Alletra_Storage_MP-4UW0002474:9997/vasa 147 5.2.0.18 cli% showcim -Service- -State- --SLP-- SLPPort -HTTPS- HTTPSPort PGVer CIMVer Enabled Active Enabled 427 Enabled 5989 2.14.1 10.5.0 cli% showwsapi -d service State Enabled If any unnecessary and/or nonsecure ports, protocols, and/or services are enabled, this is a finding.

Fix: F-87847r1194824_fix

Disable all unnecessary and/or nonsecure ports, protocols, and/or services. Disable unsecure ports: cli% setnet disableports yes Stop the RDA Service: cli% stoprda Stop the Remote Copy Service: %cli stoprcopy" Stop the VASA Service: cli% stopvasa -f Stop the CIM Service: cli% stopcim -f Stop the Web Services API: cli% stopwsapi -f

b

The HPE Alletra Storage ArcusOS device must be configured with only one local interactive account to be used as the account of last resort in the event the authentication server is unavailable.

AC-2 - Medium - CCI-001358 - V-283378 - SV-283378r1194828_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001358

Version

ASMP-ND-000340

Vuln IDs

V-283378

Rule IDs

SV-283378r1194828_rule

Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.

Checks: C-87943r1194826_chk

Verify only one local interactive account is configured: cli% showuser The output will look similar to the example below: Username Domain Role Default adminsvc all super N hpesupport all service N telemetry all service N Note: The service role accounts are not interactive and cannot be used for logins. If more than one local interactive account to be used as the account of last resort exists, this is a finding.

Fix: F-87848r1194827_fix

Remove all interactive accounts except one account with the "super" role for last resort login with, the following command: cli% removeuser <username> Note: You must keep at least one account with the "super" role and it can be any organizationally defined account name.

b

The HPE Alletra Storage ArcusOS device must enforce a minimum 15-character password length.

Medium - CCI-004066 - V-283381 - SV-283381r1194837_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

ASMP-ND-000410

Vuln IDs

V-283381

Rule IDs

SV-283381r1194837_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.

Checks: C-87946r1194835_chk

Verify the minimum password length is 15 characters with the following command: cli% showsys -d Minimum PW length 15 If the line containing the string "Minimum PW length" does not show "15" for the length, this is a finding.

Fix: F-87851r1194836_fix

Configure the minimum password length for a value of "15": cli% setsys MinimumPWLength 15 Note: The user must have the "super" role to perform this action.

b

The HPE Alletra Storage ArcusOS device must enforce password complexity by requiring at least one uppercase character, one lowercase character, one numeric character, and one special character be used.

Medium - CCI-004066 - V-283382 - SV-283382r1194840_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

ASMP-ND-000420

Vuln IDs

V-283382

Rule IDs

SV-283382r1194840_rule

Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account. Satisfies: SRG-APP-000166-NDM-000254, SRG-APP-000167-NDM-000255, SRG-APP-000168-NDM-000256, SRG-APP-000169-NDM-000257

Checks: C-87947r1194838_chk

Verify the system is configured to require complex passwords for local accounts with the following command: cli% showsys -d ------------------------General------------------------ System Name : s2474 System Model : HPE Alletra Storage MP Serial Number : 4UW0002474 Product Number : S0B84A System ID : 0x7E734 Number of Nodes : 2 Master Node : 0 Nodes Online : 0,1 Nodes in Cluster : 0,1 Chunklet Size (MiB) : 1024 Minimum PW length : 15 Minimum PW character classes : 4 If "Minimum PW character classes" is not set to a value of " 4", this is a finding.

Fix: F-87852r1194839_fix

Configure the system to require complex passwords with the following command: Cli% setsys MinimumPWCharacterClasses 4

c

The HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module.

IA-7 - High - CCI-000803 - V-283387 - SV-283387r1194855_rule

RMF Control

IA-7

Severity

H

CCI

CCI-000803

Version

ASMP-ND-000600

Vuln IDs

V-283387

Rule IDs

SV-283387r1194855_rule

Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities. Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms. The use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions. Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000172-NDM-000259, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331

Checks: C-87952r1194853_chk

Verify the status of the FIPS communication library with the following command: cli% controlsecurity fips status FIPS mode: Enabled Service Status AUTHN Enabled CIM Disabled CLI Enabled EKM Enabled LDAP Enabled QW Enabled RDA Enabled SC CONNECTOR Disabled SNMP Enabled SSH Enabled SYSLOG Enabled VASA Enabled WSAPI Enabled If the line "FIPS Mode:" is not "Enabled", this is a finding. If any of the service lines for "CLI", "EKM", "LDAP", "SNMP", "SSH", or "SYSLOG" are "Disabled", this is a finding. If CIM, VASA, or WSAPI are "Disabled", and the services are enabled, this is a finding.

Fix: F-87857r1194854_fix

Warning: Enabling FIPS mode requires restarting all system management interfaces, which will terminate all existing connections including this one. Set the communications encryption module into FIPS mode: cli% controlsecurity fips enable

c

The HPE Alletra Storage ArcusOS device must terminate all network connections at the end of the session, or the session must be terminated after five minutes of inactivity, except to fulfill documented and validated mission requirements.

SC-10 - High - CCI-001133 - V-283388 - SV-283388r1194858_rule

RMF Control

SC-10

Severity

H

CCI

CCI-001133

Version

ASMP-ND-000610

Vuln IDs

V-283388

Rule IDs

SV-283388r1194858_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-87953r1194856_chk

Verify the current SessionTimeout setting with the following command: cli% showsys -param SessionTimeout : 00:05:00 If the value for "SessionTimeout" is not "00:05:00", this is a finding.

Fix: F-87858r1194857_fix

Set the SessionTimeout value to 5 minutes: cli% setsys SessionTimeout 5m

b

The HPE Alletra Storage ArcusOS device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AU-4 - Medium - CCI-001849 - V-283400 - SV-283400r1194894_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

ASMP-ND-000740

Vuln IDs

V-283400

Rule IDs

SV-283400r1194894_rule

Network devices must be able to allocate audit record storage capacity to ensure sufficient storage capacity in which to write the audit logs. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.

Checks: C-87965r1194892_chk

Verify the system is configured to limit the size of event logs stored on the system with the following command: cli% showsys -param ----------Parameter----------- ----Value---- RawSpaceAlertSSD : 100 RawSpaceAlertQLC : 0 RemoteSyslog : 1 RemoteSyslogHost : 16.172.70.122 RemoteSyslogProfile : None RemoteSyslogSecurityHost: 16.172.70.200 SparingAlgorithm: Default EventLogSize: 10M EventLogNum : 30 If "EventLogSize" is set to a value less than "10M", this is a finding.

Fix: F-87870r1194893_fix

Configure the system to limit the size of event logs stored: cli% setsys EventLogSize 10M

b

The HPE Alletra Storage ArcusOS device must allocate a set number of audit records that can be stored on the system in accordance with organization-defined audit record storage requirements.

AU-4 - Medium - CCI-001849 - V-283401 - SV-283401r1194897_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

ASMP-ND-000750

Vuln IDs

V-283401

Rule IDs

SV-283401r1194897_rule

Network devices must be able to allocate audit record storage capacity to ensure sufficient storage capacity in which to write the audit logs. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.

Checks: C-87966r1194895_chk

Verify the system is configured to limit the number of event logs stored on the system with the following command: cli% showsys -param ----------Parameter----------- ----Value---- RawSpaceAlertSSD : 100 RawSpaceAlertQLC : 0 RemoteSyslog : 1 RemoteSyslogHost : 16.172.70.122 RemoteSyslogProfile : None RemoteSyslogSecurityHost: 16.172.70.200 SparingAlgorithm: Default EventLogSize: 10M EventLogNum : 30 If "EventLogNum" is set to a value less than "30", this is a finding.

Fix: F-87871r1194896_fix

Configure the system to limit the number of event logs stored: cli% setsys EventLogNum 30

b

The HPE Alletra Storage ArcusOS device must have an SNMPv3 user account configured.

AU-5 - Medium - CCI-001858 - V-283402 - SV-283402r1194900_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

ASMP-ND-000760

Vuln IDs

V-283402

Rule IDs

SV-283402r1194900_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Checks: C-87967r1194898_chk

Verify an SNMPv3 user account is configured with the following command: cli% showsnmpuser Username AuthProtocol PrivProtocol Alletrasnmpuser HMAC-SHA-96 CFB128-AES-128 If the output is not displayed in the above format, this is a finding.

Fix: F-87872r1194899_fix

Configure SNMPv3 alert notifications using the following sequence of operations: Create and enable an SNMPv3 user, and create associated keys for authentication and privacy. cli% createuser Alletrasnmpuser all browse Enter the password and confirm. cli% createsnmpuser Alletrasnmpuser At the prompt, enter the password. At the next prompt, reenter the password.

b

The HPE Alletra Storage ArcusOS device must be configured to collect and send SNMPv3 notifications.

AU-5 - Medium - CCI-001858 - V-283403 - SV-283403r1194903_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

ASMP-ND-000770

Vuln IDs

V-283403

Rule IDs

SV-283403r1194903_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Checks: C-87968r1194901_chk

Identify the SNMP trap recipient and report SNMP configuration with the following command: cli% showsnmpmgr HostIP Port SNMPVersion User Notify AlertClear <snmp trap recipient IP> 162 3 Alletrasnmpuser standard standard If the SNMP trap recipient IP address is incorrect, this is a finding. If the SNMP port is not "162", this is a finding. If the SNMP version is not "3", this is a finding. If the SNMP user ID is incorrect, this is a finding.

Fix: F-87873r1194902_fix

Configure SNMPv3 alert notifications using the following sequence of operations: Add the IP address of the SNMPv3 trap recipient, where permissions of the account are used. cli% addsnmpmgr -version 3 -snmpuser Alletrasnmpuser <ip address>

b

The HPE Alletra Storage ArcusOS device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-283404 - SV-283404r1194906_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

ASMP-ND-000780

Vuln IDs

V-283404

Rule IDs

SV-283404r1194906_rule

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.

Checks: C-87969r1194904_chk

Verify the time zone is configured with the following command: cli% showdate If the time zone field is not configured, this is a finding.

Fix: F-87874r1194905_fix

Identify the time zone group: cli% setdate -tzlist Identify the specific time zone in the selected group: cli% setdate -tzlist <time zone group> Configure the time zone with: cli% setdate -tz <time zone group/location> Verify the time zone is set with: cli% showdate

b

The HPE Alletra Storage ArcusOS device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

IA-3 - Medium - CCI-001967 - V-283409 - SV-283409r1194921_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001967

Version

ASMP-ND-000830

Vuln IDs

V-283409

Rule IDs

SV-283409r1194921_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Checks: C-87974r1194919_chk

Verify the system is configured to use SNMP v3 with the following command: cli% showsnmpmgr HostIP Port SNMPVersion User Notify AlertClear 16.172.70.200 162 3 Alletrasnmpuser standard standard If the "HostIP" is blank, this is a finding. If "SNMPVersion" is not set to "3", this is a finding.

Fix: F-87879r1194920_fix

Configure the system to use SNMPv3: cli% setsnmpmgr <ip_address> -p <port> -version 3 Note: The system supports both IPv4 and IPv6 addresses for the SNMP Host.

b

The HPE Alletra Storage ArcusOS device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

IA-3 - Medium - CCI-001967 - V-283410 - SV-283410r1194924_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001967

Version

ASMP-ND-000840

Vuln IDs

V-283410

Rule IDs

SV-283410r1194924_rule

If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source. Satisfies: SRG-APP-000395-NDM-000347, SRG-APP-000920-NDM-000320, SRG-APP-000925-NDM-000330

Checks: C-87975r1194922_chk

Verify the NTP server is configured to utilize a valid key using the following command: cli% shownet -d Example output: Detailed information about configured NTP servers 16.110.135.123 : 10.157.44.5 : key 1 If "Detailed information about configured NTP servers" does not display an NTP server with a key, this is a finding.

Fix: F-87880r1194923_fix

Import the NTP key and add it to the NTP server with the following commands: cli% setnet ntp -add <server ip address> cli% importkeys ntp stdin Please paste the keys for ntp. Once finished, please press Enter twice. 1 SHA256 myfirstsecretkey cli% cli% setnet ntp -add -key <ID> <NTP_Server_IP>

b

The HPE Alletra Storage ArcusOS device must install security-relevant firmware updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).

SI-2 - Medium - CCI-002605 - V-283414 - SV-283414r1194936_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

ASMP-ND-000900

Vuln IDs

V-283414

Rule IDs

SV-283414r1194936_rule

Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.

Checks: C-87979r1194934_chk

Verify software updates are consistently applied to the HPE Alletra Storage ArcusOS device within the time frame defined for each patch. Check the software version: cli% showversion Release version 10.3.0 Component Name Version CLI Server 10.3.0 CLI Client 10.3.0 System Manager 10.3.0 Kernel 10.3.0 IO Stack 10.3.0 Drive Firmware 10.3.0 Enclosure Firmware 10.3.0 Upgrade Tool 61 (231107) If the HPE Alletra Storage ArcusOS device does not have security-relevant updates installed within the time period directed by the authoritative source, this is a finding.

Fix: F-87884r1194935_fix

Install the latest approved update through the web UI. 1. Select "system" from left navigation pane. 2. Select "software" from main navigation pane. 3. Select "Load an update package" from the Actions pane. 4. Choose a file location from which to upload. 5. Return to the software screen and select "Update software" from the Actions pane. 6. Verify the version selected for update is listed/selected, and then click "Install".

c

The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

CM-6 - High - CCI-000370 - V-283425 - SV-283425r1194969_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000370

Version

ASMP-ND-001060

Vuln IDs

V-283425

Rule IDs

SV-283425r1194969_rule

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000156-NDM-000250, SRG-APP-000177-NDM-000263

Checks: C-87990r1194967_chk

Determine if the system is configured to use a primary and secondary authentication server with the following command: cli% showauthparam ldap-type MSAD accounts-dn <accounts dn configuration> super-map <super-map configuration> edit-map <edit-map configuration> browse-map <browse-map configuration> service-map <service-map configuration> ldap-StartTLS require kerberos-realm <Kerberos-realm configuration> ldap-2FA-cert-field subjectAlt:rfc822Name ldap-2FA-object-attr mail ldap-server <server hostname> ldap-server <server hostname> ldap-ssl-cacert: -----BEGIN CERTIFICATE----- If the command output does not list authparams for ldap-type, kerberos-realm, accounts-dn, ldap-ssl-cacert, and at least one role map (e.g., super-map), this is a finding. If there are not two ldap-server lines, this is a finding. ldap-StartTLS must be set to require, if not, this is a finding. If the ldap-reqcert authparam is not set to "1", this is a finding.

Fix: F-87895r1194968_fix

Use the following commands to configure the primary and secondary authentication servers. cli% setauthparam -f ldap-type <type> where type is MSAD, RHDS or OPEN. cli% setauthparam ldap-server <primary hostname> <secondary hostname> cli% setauthparam -f accounts-dn <base of the ad subtree, such as CN=Users,DC=win2k12forest,DC=thisdomain,DC=com> cli% setauthparam -f kerberos-realm <Kerberos-realm configuration> cli% setauthparam -f ldap-reqcert 1 Set up a super role such as the super role: cli% setauthparam -f super-map <customer-assigned name of "super" group> Enable TLS with: cli% setauthparam -f ldap-StartTLS require or cli% setauthparam -f ldap-ssl 1 Import a TLS certificate: cli% importcert ldap -f stdin

c

The HPE Alletra Storage ArcusOS device must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required.

AU-4 - High - CCI-001851 - V-283429 - SV-283429r1194981_rule

RMF Control

AU-4

Severity

H

CCI

CCI-001851

Version

ASMP-ND-001100

Vuln IDs

V-283429

Rule IDs

SV-283429r1194981_rule

The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. A network boundary device is a piece of networking hardware that sits at the edge of a network, controlling the flow of data traffic between the internal network and external networks like the internet. It acts as a gatekeeper, enforcing security policies and protecting the internal network from unauthorized access and malicious attacks. Having a second central log server delivers a defense in depth approach for critical boundary devices. Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000515-NDM-000325, SRG-APP-000795-NDM-000130

Checks: C-87994r1194979_chk

Verify the system is configured to off-load security syslog events with the following command: cli% showsys -d --------------------Remote_Syslog_Status-------------------- Active : 1 General Server : es1-vlan3489-rsyslog.es1-storage.net General Connection : TLS RemoteSyslogProfile : None Security Server : es1-vlan3489-rsyslog.es1-storage.net Security Connection : TLS For the options in the "Remote Syslog Status" section: If "Active" is not "1", this is a finding. If "Security Server" is not defined, this is a finding. If "Security Connection" is not "TLS", this is a finding.

Fix: F-87899r1194980_fix

Configure the remote syslog host: cli% setsys RemoteSyslogSecurityHost <hostname> <address-spec> [:port] Note: The hostname and address are both required. If both IPv4 and IPv6 addresses are supplied, the IPv6 address must be enclosed in []. The default port is 6514 using TLS. Configure the system to use remote syslog: cli% setsys RemoteSyslog 1

c

The HPE Alletra Storage ArcusOS device must be running an operating system release that is currently supported by the vendor.

SA-22 - High - CCI-003376 - V-283430 - SV-283430r1194984_rule

RMF Control

SA-22

Severity

H

CCI

CCI-003376

Version

ASMP-ND-001110

Vuln IDs

V-283430

Rule IDs

SV-283430r1194984_rule

Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.

Checks: C-87995r1194982_chk

Verify the operating system is at the current version with the following command: cli% showversion Release version 10.4.2 Release Type: Standard Support Release Component Name Version CLI Server 10.4.2 CLI Client 10.4.2 System Manager 10.4.2 Kernel 10.4.2 IO Stack 10.4.2 Drive Firmware 10.4.2 Enclosure Firmware 10.4.2 Upgrade Tool 67 (240730-10.4.2) If the displayed version does not match the HPE Alletra Storage ArcusOS device latest version, this is a finding.

Fix: F-87900r1194983_fix

Contact an authorized service partner to obtain and install the most recent version of the operating system.

b

The HPE Alletra Storage ArcusOS device must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.

Medium - CCI-004192 - V-283437 - SV-283437r1195005_rule

RMF Control

Severity

M

CCI

CCI-004192

Version

ASMP-ND-001310

Vuln IDs

V-283437

Rule IDs

SV-283437r1195005_rule

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting using ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved. Configuring the network device to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network device. Security-related parameters are those parameters impacting the security state of the network device, including the parameters required to satisfy other security control requirements. Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption.

Checks: C-88002r1195003_chk

Using the nmap tool, verify only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command: $ sudo nmap -sT -sU -sV --version-all -vv -p 1-65535 <ip address of storage system> If any Port is listed other than SSHD(22), NTP(123), SNMP(161,162), 3par-mgmt-ssl (5783), CIM (5989/configurable), or WSAPI (8088/configurable), this is a finding.

Fix: F-87907r1195004_fix

Disable all unencrypted ports: cli% setnet disableports yes

Checks: C-87923r1194766_chk

Fix: F-87828r1194767_fix

Generate Mitigation Statement:

Checks: C-87942r1194823_chk

Fix: F-87847r1194824_fix

Generate Mitigation Statement:

Checks: C-87943r1194826_chk

Fix: F-87848r1194827_fix

Generate Mitigation Statement:

Checks: C-87946r1194835_chk

Fix: F-87851r1194836_fix

Generate Mitigation Statement:

Checks: C-87947r1194838_chk

Fix: F-87852r1194839_fix

Generate Mitigation Statement:

Checks: C-87952r1194853_chk

Fix: F-87857r1194854_fix

Generate Mitigation Statement:

Checks: C-87953r1194856_chk

Fix: F-87858r1194857_fix

Generate Mitigation Statement:

Checks: C-87965r1194892_chk

Fix: F-87870r1194893_fix

Generate Mitigation Statement:

Checks: C-87966r1194895_chk

Fix: F-87871r1194896_fix

Generate Mitigation Statement:

Checks: C-87967r1194898_chk

Fix: F-87872r1194899_fix

Generate Mitigation Statement:

Checks: C-87968r1194901_chk

Fix: F-87873r1194902_fix

Generate Mitigation Statement:

Checks: C-87969r1194904_chk

Fix: F-87874r1194905_fix

Generate Mitigation Statement:

Checks: C-87974r1194919_chk

Fix: F-87879r1194920_fix

Generate Mitigation Statement:

Checks: C-87975r1194922_chk

Fix: F-87880r1194923_fix

Generate Mitigation Statement:

Checks: C-87979r1194934_chk

Fix: F-87884r1194935_fix

Generate Mitigation Statement:

Checks: C-87990r1194967_chk

Fix: F-87895r1194968_fix

Generate Mitigation Statement:

Checks: C-87994r1194979_chk

Fix: F-87899r1194980_fix

Generate Mitigation Statement:

Checks: C-87995r1194982_chk

Fix: F-87900r1194983_fix

Generate Mitigation Statement:

Checks: C-88002r1195003_chk

Fix: F-87907r1195004_fix

Generate Mitigation Statement: