Check: HP3P-33-002052
HPE 3PAR StoreServ 3.3.x STIG:
HP3P-33-002052
(in versions v1 r2 through v1 r1)
Title
The HPE 3PAR OS must be configured to offload audit records onto a different system or media from the system being audited. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
Check Content
Verify offloading of security syslog events with cli% showsys -d Find the output section "Remote Syslog Status". If "Active" is not "1", this is a finding. If "Security Server" is not defined, this is a finding. If "Security Connection" is not "TLS", this is a finding.
Fix Text
Configure the remote syslog host: cli% setsys RemoteSyslogSecurityHost <hostname> <address-spec> [:port] The hostname, and address are both required. If both IPv4 and IPv6 addresses are supplied, the IPv6 address must be enclosed in []. The default port is 6514 utilizing TLS. Import the ca certificate that will have signed the syslog server: cli% importcert syslog-sec-server -ca stdin Copy and paste the PEM format of the appropriate CA as instructed. Configure the system to utilize remote syslog: cli% setsys RemoteSyslog 1
Additional Identifiers
Rule ID: SV-255284r877390_rule
Vulnerability ID: V-255284
Group Title: SRG-OS-000342-GPOS-00133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) |
Transfer To Alternate Storage |