Check: HP3P-33-001501
HPE 3PAR StoreServ 3.3.x STIG:
HP3P-33-001501
(in versions v1 r2 through v1 r1)
Title
The HPE 3PAR OS must be configured to have only one emergency account that can be accessed without LDAP and that has full administrator privileges. (Cat II impact)
Discussion
While LDAP allows the storage system to support stronger authentication, and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in event the LDAP system is temporarily unavailable. A non-LDAP enabled emergency administrator account is required in the event that LDAP fails. This account will allow the organization to successfully administer the system during an LDAP outage. Once LDAP services have been restored, the password for this account must be changed and stored in a DOD approved safe. The product requires at least one local account to be present. However, the administrator must still manually remove all other local accounts, except for the emergency account, after the product has been configured for operation. The 3paradm account is a user bootstrap account. During installation, the user must use it to create a new local super user account. Once that is done, the 3paradm account must be removed. The 3parsvc account is used internally by the system. The 3parsnmp account was created in the fix text for HP3P-33-001300.
Check Content
Verify that only essential local accounts are configured. cli% showuser If the output shows users other than the three accounts below, this is a finding. --3paradm (or some other customer chosen account with "super" role) --3parsnmpuser --3parsvc
Fix Text
Display users cli% showuser Remove all accounts except: --3paradm (or other customer-created "super" role account) --3parsnmpuser --3parsvc Use the command: cli% removeuser <username> and confirm the operation with "y".
Additional Identifiers
Rule ID: SV-255279r870156_rule
Vulnerability ID: V-255279
Group Title: SRG-OS-000123-GPOS-00064
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001682 |
The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account. |
Controls
Number | Title |
---|---|
AC-2 (2) |
Removal Of Temporary / Emergency Accounts |