Check: HP3P-33-001100
HPE 3PAR StoreServ 3.3.x STIG:
HP3P-33-001100
(in versions v1 r2 through v1 r1)
Title
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions. (Cat I impact)
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The HPE 3PAR OS supports communication security in compliance with DOD requirements. These include TLS1.2 protocols, encryption supplied by a FIPS140-2 library, and using specific cipher suites in a subset of the CNSA guidelines. Configuration is required to restrict the available algorithms to a subset of those approved by the DOD. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000096-GPOS-00050, SRG-OS-000112-GPOS-00057, SRG-OS-000250-GPOS-00093, SRG-OS-000480-GPOS-00227, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000297-GPOS-00115, SRG-OS-000074-GPOS-00042
Check Content
Verify that insecure ports are disabled. cli% setnet disableports yes To confirm the operation, enter "cli% y" and press "Enter". If an error is reported, this is a finding. If available, a port scan can also verify that only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command: cli% nmap -sT -sU -sV --version-all -vv -p1 -65535 <ip address of storage system> If any Port is listed other than SSHD(22), NTP(123), SNMP(161,162), 3PAR Mgmt Intfc (5783), CIM (5989/configurable), or WSAPI (8088/configurable), this is a finding.
Fix Text
To disable all unencrypted ports, use the command: cli% setnet disableports yes To confirm the operation, enter "cli% y" and press "Enter".
Additional Identifiers
Rule ID: SV-255272r877398_rule
Vulnerability ID: V-255272
Group Title: SRG-OS-000033-GPOS-00014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002314 |
The information system controls remote access methods. |
CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002420 |
The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
CCI-002422 |
The information system maintains the confidentiality and/or integrity of information during reception. |
CCI-002890 |
The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
AC-17 (1) |
Automated Monitoring / Control |
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |
CM-6 |
Configuration Settings |
CM-7 |
Least Functionality |
IA-5 (1) |
Password-Based Authentication |
MA-4 (6) |
Cryptographic Protection |
SC-8 |
Transmission Confidentiality And Integrity |
SC-8 (1) |
Cryptographic Or Alternate Physical Protection |
SC-8 (2) |
Pre / Post Transmission Handling |