HPE Nimble Storage Array NDM Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2023-12-27
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
b
The HPE Nimble must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-252186 - SV-252186r879513_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
HPEN-NM-000010
Vuln IDs
  • V-252186
Rule IDs
  • SV-252186r879513_rule
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator reauthenticates. No other system activity aside from reauthentication must unlock the management session. Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. So this requirement may only apply to local administrative sessions.
Checks: C-55642r814036_chk

Type "group --info | grep inactivity" and review the timeout value. If it is greater than 15 minutes, this is a finding.

Fix: F-55592r814037_fix

Type "group --edit --inactivity_timeout 15".

b
The HPE Nimble must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
AC-7 - Medium - CCI-000044 - V-252187 - SV-252187r879546_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
HPEN-NM-000020
Vuln IDs
  • V-252187
Rule IDs
  • SV-252187r879546_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-55643r814039_chk

Type "userpolicy --info" and review output for line: "Number of authentication attempts". If the value is 2 or less, this is not a finding.

Fix: F-55593r814040_fix

Type "userpolicy --edit --allowed_attempts 2".

b
The HPE Nimble must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-252188 - SV-252188r879547_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
HPEN-NM-000030
Vuln IDs
  • V-252188
Rule IDs
  • SV-252188r879547_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-55644r814042_chk

Attempt a login to NimOS by typing "ssh username@array", where username is a valid user, and array is an array DNS name. If the correct DoD banner is not displayed before a password prompt, this is a finding.

Fix: F-55594r814043_fix

Type "group --edit --login_banner", and then copy-paste or type the required banner. Then, to display the banner before login, type "group --edit --login_banner_after_auth no".

b
The HPE Nimble must not have any default manufacturer passwords when deployed.
IA-5 - Medium - CCI-002041 - V-252189 - SV-252189r879554_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002041
Version
HPEN-NM-000040
Vuln IDs
  • V-252189
Rule IDs
  • SV-252189r879554_rule
Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability, confidentiality, or integrity of network traffic. Many default vendor passwords are well known or are easily guessed; therefore, not removing them prior to deploying the network device into production provides an opportunity for a malicious user to gain unauthorized access to the device.
Checks: C-55645r814045_chk

Attempt to login using SSH to a configured array using username "admin" and password "admin". If the login is successful, this is a finding.

Fix: F-55595r814046_fix

On an unconfigured array, the setup command requires the "--password <new password>" argument to be supplied. To fix an already configured array: after logging into the array as the "admin" user, type "useradmin --passwd", and enter the old and new passwords.

b
The HPE Nimble must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-252190 - SV-252190r879601_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
HPEN-NM-000050
Vuln IDs
  • V-252190
Rule IDs
  • SV-252190r879601_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-55646r814048_chk

Type "userpolicy --info" and review output for line: "Minimum Length". If it is 15 or more, this is not a finding.

Fix: F-55596r814049_fix

Set minimum password length to 15 by typing "userpolicy --edit --min_length 15".

b
The HPE Nimble must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-252191 - SV-252191r879603_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
HPEN-NM-000060
Vuln IDs
  • V-252191
Rule IDs
  • SV-252191r879603_rule
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-55647r814051_chk

Type "userpolicy --info" and review output for line: "Minimum Uppercase characters". If it is 1 or more, this is not a finding.

Fix: F-55597r814052_fix

Set minimum number of uppercase characters to 1 by typing "userpolicy --edit --upper 1".

b
The HPE Nimble must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-252192 - SV-252192r879604_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
HPEN-NM-000070
Vuln IDs
  • V-252192
Rule IDs
  • SV-252192r879604_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-55648r814054_chk

Type "userpolicy --info" and review output for line: "Minimum Lowercase characters". If it is 1 or more, this is not a finding.

Fix: F-55598r814055_fix

Set minimum number of lowercase characters to 1 by typing "userpolicy --edit --lower 1".

b
The HPE Nimble must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-252193 - SV-252193r879605_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
HPEN-NM-000080
Vuln IDs
  • V-252193
Rule IDs
  • SV-252193r879605_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-55649r814057_chk

Type "userpolicy --info" and review output for line: "Minimum Digits". If it is 1 or more, this is not a finding.

Fix: F-55599r814058_fix

Set minimum number of numeric characters to 1 by typing "userpolicy --edit --digit 1".

b
The HPE Nimble must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-252194 - SV-252194r879606_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
HPEN-NM-000090
Vuln IDs
  • V-252194
Rule IDs
  • SV-252194r879606_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-55650r814060_chk

Type "userpolicy --info" and review output for line: "Minimum Special characters". If it is 1 or more, this is not a finding.

Fix: F-55600r814061_fix

Set minimum number of special characters to 1 by typing "userpolicy --edit --special 1".

b
The HPE Nimble must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
IA-5 - Medium - CCI-000195 - V-252195 - SV-252195r879607_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
HPEN-NM-000100
Vuln IDs
  • V-252195
Rule IDs
  • SV-252195r879607_rule
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-55651r814063_chk

Type "userpolicy --info" and review output for line: "Minimum number of characters change from previous password". If it is 8 or more, this is not a finding.

Fix: F-55601r814064_fix

Set minimum number of characters changed from previous password to 8 by typing "userpolicy --edit --previous_diff 8".

c
The HPE Nimble must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity.
SC-10 - High - CCI-001133 - V-252196 - SV-252196r916342_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
HPEN-NM-000110
Vuln IDs
  • V-252196
Rule IDs
  • SV-252196r916342_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-55652r814066_chk

Type "group --info | grep inactivity" and review the timeout value. If it is greater than 10 minutes, this is a finding.

Fix: F-55602r814067_fix

To set the inactivity timeout to 10 minutes, type "group --edit --inactivity_timeout 10".

c
The HPE Nimble must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
CM-6 - High - CCI-000366 - V-252197 - SV-252197r916111_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
HPEN-NM-000120
Vuln IDs
  • V-252197
Rule IDs
  • SV-252197r916111_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Checks: C-55653r814069_chk

Run the command "userauth --list". If the output is "No domains configured", this is a finding.

Fix: F-55603r814070_fix

To configure AD, run the following commands: "userauth --join <domain> --domain_user administrator" and enter the domain administrator password to join <domain>. "userauth --list" will show the domain and its status. To create a mapping between an AD group and one of the four device RBAC roles, run the following command: "userauth --add_group <domain_group> --domain <domain> --role {administrator|poweruser|operator|guest}" This command allows any member of <domain_group> in <domain> AD domain to log in to the device with one of the selected roles. To display the group to role mappings, run "userauth --list_group --domain <domain>".

b
The HPE Nimble must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-252198 - SV-252198r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HPEN-NM-000130
Vuln IDs
  • V-252198
Rule IDs
  • SV-252198r879887_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-55654r814072_chk

Type "cert --list". Review the output to confirm that the custom-ca and custom certificates exist, and the "Use" values specified for HTTPS and APIS are both "custom". If not, this is a finding.

Fix: F-55604r814073_fix

To create and import a custom, CA-signed certificate follow these steps: 1. Type "cert --gen custom-csr". Copy the displayed CSR and submit it to an appropriate signing authority. 2. Type "cert --import custom-ca" and paste the PEM-encoded CA certificate chain as input to the command. 3. Type "cert --import custom" and paste the signed certificate obtained from the CA.

c
The HPE Nimble must forward critical alerts (at a minimum) to the system administrators and the ISSO.
SI-2 - High - CCI-002605 - V-252199 - SV-252199r916114_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
HPEN-NM-000140
Vuln IDs
  • V-252199
Rule IDs
  • SV-252199r916114_rule
Alerts are essential to let the system administrators and security personnel know immediately of issues which may impact the system or users. If these alerts are also sent to the syslog, this information is used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. Alerts are identifiers about specific actions that occur on a group of arrays. There are several ways to meet this requirement. The Nimble can be configured for forward alerts from groups to a secure Simple Mail Transfer Protocol (SMTP) server. The alert may also be sent to the syslog server and the syslog configured to send the alert to the appropriate personnel.
Checks: C-55655r814075_chk

Type "group --info | grep -i syslog" and review the output lines. The "Syslogd enabled" value should be "Yes", and the "Syslogd server" and "Syslogd port" values should contain the correct syslog server and port values. If not, this is a finding.

Fix: F-55605r814076_fix

Configure email alerts (optional) group--edit [--smtp_serversmtp server] [--smtp_portsmtp port] [--smtp_auth {yes | no}] [--smtp_username username] --smtp_encrypt_type ssl [--smtp_from_addr email addr] [--smtp_to_addr email addr] [--send_event_data {yes | no}] [--alert_level {info | warning | critical}] To specify and enable logging of alerts, type "group --edit --syslog_enabled yes --syslog_server <server> --syslog_port <port>", where <server> and <port> are the server DNS name or IP address, and <port> is the port to send syslog messages to.

c
The HPE Nimble must be running an operating system release that is currently supported by the vendor.
CM-6 - High - CCI-000366 - V-252200 - SV-252200r879887_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
HPEN-NM-000150
Vuln IDs
  • V-252200
Rule IDs
  • SV-252200r879887_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-55656r817263_chk

Log in to https://infosight.hpe.com using HPE Passport credentials. Click on the Main Menu icon in the upper left corner. Select Resources &gt;&gt; Alletra 6000, Nimble Storage &gt;&gt; Documentation. Determine current array OS version using User Interface (UI). Refer to Nimble "GUI Administration Guide" Version: NOS 5.2.x, section "Hardware and Software Updates", subsection "Find the Array OS Version" to determine the version of the OS that is currently in use by the array. Determine available array OS update versions using InfoSight. *Any version of Nimble OS software greater than the "current array OS version" might qualify to be an update to the "current array OS version". The option exists to bypass several releases to come up to the newest available release depending upon requirements. *Call HPE Support with any questions about choosing an appropriate release or the process to upgrade a release. - Follow above instructions to log in to HPE InfoSight. - Choose a "Software Version" from the left panel equal to or greater than the current array OS version. For example, 5.2.x would be equal to the current version and 5.3.x would be greater than the current version. - Open the Release Notes document for each version that is greater than the current array OS version. For example, "NimbleOS Release Notes Version NOS 5.2.1.700" is greater than NOS 5.2.1.600. - Review the entire release notes document. - Determine if this is a release should be used for an upgrade. - Confirm that the "From Version", for example 5.2.1.600, can be used to go to the version for which the release notes are applicable; for example 5.2.1.700. If the operating system version is no longer supported by the vendor, this is a finding.

Fix: F-55606r817259_fix

To upgrade to a supported version, type "software --list". Select the last version listed with at least number 5.2.x. Type "software --download <version<, where <version< is the version selected. After the download is complete, type "software --update" and accept the terms and conditions. The update progress can be monitored using "software --update_status". Once finished, use "version" to verify that the new software has been installed correctly.

b
The HPE Nimble must limit the number of concurrent sessions to an organization-defined number for each administrator account.
AC-10 - Medium - CCI-000054 - V-252201 - SV-252201r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
HPEN-NM-000160
Vuln IDs
  • V-252201
Rule IDs
  • SV-252201r879511_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions. The product contains the ability to limit the number of total sessions, but not by individual user or user type.
Checks: C-55657r814081_chk

Verify that in Administration &gt;&gt; Security Policies page in the UI, "Unlimited" for the number of sessions is unchecked and a limit is specified. If a limit is not specified, this is a finding.

Fix: F-55607r814082_fix

On the Administration >> Security Policies page in the UI, uncheck "Unlimited" for the number of sessions and specify a new limit.

b
The HPE Nimble must be configured to synchronize internal information system clocks using an authoritative time source.
CM-6 - Medium - CCI-000366 - V-252202 - SV-252202r879746_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HPEN-NM-000271
Vuln IDs
  • V-252202
Rule IDs
  • SV-252202r879746_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-55658r851190_chk

To Determine if the HPE Nimble Array is configured to synchronize internal information system clocks with the primary NTP server: ArrayA:/# ntpq ntpq&gt; sysinfo associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync, system peer: cxo-nmbldc-01.nimblestorage.com:123 system peer mode: client leap indicator: 00 stratum: 4 log2 precision: -24 root delay: 37.321 root dispersion: 265.639 reference ID: 10.157.24.95 reference time: e509b178.9f897118 Thu, Oct 7 2021 11:48:40.623 system jitter: 0.000000 clock jitter: 0.673 clock wander: 0.003 broadcast delay: -50.000 symm. auth. delay: 0.000 If the HPE Storage Array is not configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

Fix: F-55608r814085_fix

Configure the HPE Nimble Array to synchronize internal information system clocks with the primary time source: ArrayA:/# group --edit --ntpserver <ip_address_of_ntp_server> There would be a finding here given we only support primary ntp source.

b
The HPE Nimble must configure a syslog server onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-252203 - SV-252203r879886_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
HPEN-NM-000300
Vuln IDs
  • V-252203
Rule IDs
  • SV-252203r879886_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. UDP is used to communicate between the array group and the syslog server (SSL is not supported at this time). This is an issue because DoD requires the use of TCP. One syslog message is generated for each alert and audit log message. Alert severity types include INFO, WARN, and ERROR.
Checks: C-55659r814087_chk

Type "group --info | grep -i syslog" and review the output lines. The "Syslogd enabled" value should be "Yes", and the "Syslogd server" and "Syslogd port" values should contain the correct syslog server and port values. If not, this is a finding.

Fix: F-55609r814088_fix

To specify and enable logging of alerts, type "group --edit --syslog_enabled yes --syslog_server <server> --syslog_port <port>", where <server> and <port> are the server DNS name or IP address, and <port> is the port to send syslog messages to.

b
HPE Nimble must be configured to disable HPE InfoSight.
CM-7 - Medium - CCI-000382 - V-252902 - SV-252902r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
HPEN-NM-000221
Vuln IDs
  • V-252902
Rule IDs
  • SV-252902r879588_rule
DoD requires that the Mission Owner uses only the cloud services offering listed in either the FedRAMP or DISA PA DoD Cloud Catalog to host Unclassified, public-releasable, DoD information. HPE InfoSight data collection is disabled by default in the HPE Nimble. Users must not enable it.
Checks: C-56357r822430_chk

Navigate to Administration &gt;&gt; Alerts and Monitoring page of the storage array management interface. Verify the checkbox is not checked. If HPE InfoSight is enabled, this is a finding.

Fix: F-56307r822431_fix

In HPE Nimble Storage arrays, data collection is disabled by default. Navigate to Administration >> Alerts and Monitoring page of the storage array management interface. Uncheck the checkbox.

b
HPE Nimble must not be configured to use "HPE Greenlake: Data Services Cloud Console".
CM-7 - Medium - CCI-000382 - V-259800 - SV-259800r944374_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
HPEN-NM-000222
Vuln IDs
  • V-259800
Rule IDs
  • SV-259800r944374_rule
DOD requires that the Mission Owner uses only the cloud services offering listed in either the FedRAMP or DISA PA DOD Cloud Catalog to host Unclassified, public-releasable, DOD information. Management by "HPE Greenlake: Data Services Cloud Console" is disabled by default for HPE Nimble and must not be enabled.
Checks: C-63531r944371_chk

Ensure cloud console is disabled. Type "group --info |grep -i "cloud enabled". If the response is "cloud enabled: Yes", this is a finding.

Fix: F-63438r944372_fix

Disable cloud console Navigate to Administration >> Customization >> Data Services Cloud Console. Uncheck "Connect to Data Services Cloud Console".

b
HPE Alletra 5000/6000 must be configured to disable management by "HPE Greenlake: Data Services Cloud Console".
CM-7 - Medium - CCI-000382 - V-259801 - SV-259801r944975_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
HPEN-NM-000223
Vuln IDs
  • V-259801
Rule IDs
  • SV-259801r944975_rule
DOD requires that the Mission Owner uses only the cloud services offering listed in either the FedRAMP or DISA PA DOD Cloud Catalog to host Unclassified, public-releasable, DOD information.  Management by "HPE Greenlake: Data Services Cloud Console" is enabled by default for HPE Alletra and must be disabled.
Checks: C-63532r944376_chk

Verify cloud console is disabled. Type "group --info |grep -i "cloud enabled". If the response is "cloud enabled: Yes", this is a finding.

Fix: F-63439r944975_fix

Disable Alletra cloud console. Type "group --edit --cloud_management off". If the response is as follows, contact your HPE sales account team to request approval: "ERROR: Failed to change system configuration. Updating cloud management is not permitted."