Check: HP3P-33-001001
HPE 3PAR StoreServ 3.3.x STIG:
HP3P-33-001001
(in versions v1 r2 through v1 r1)
Title
The HPE 3PAR OS must be configured to disable nonessential web-services. (Cat II impact)
Discussion
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The HPE 3PAR OS does not, by default, operate nonessential services. The web-services component must be configured for it to start. If it is not required by the mission, then it must be disabled.
Check Content
Verify the state of the Optional capabilities on the array. cli% showwsapi If the service state is not "Disabled", and the web-services functionality is not being used, this is a finding. If web services functionality is required, this is not applicable.
Fix Text
If web services functionality is not required, stop and disable web-services: cli% stopwsapi -f
Additional Identifiers
Rule ID: SV-255270r870129_rule
Vulnerability ID: V-255270
Group Title: SRG-OS-000095-GPOS-00049
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |