The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-237824 | HP3P-32-001501 | SV-237824r647881_rule | High |
| Description |
|---|
| While LDAP allows the storage system to support stronger authentication and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in the event the LDAP system is temporarily unavailable. |
| STIG | Date |
|---|---|
| HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide | 2021-11-23 |
Details
| Check Text ( C-41034r647879_chk ) |
|---|
| Verify that only essential local accounts are configured. Enter the following command: cli% showuser If the output shows users other than the four accounts below, this is a finding: 3paradm 3parsvc 3parsnmpuser 3parcimuser |
| Fix Text (F-40993r647880_fix) |
|---|
| Display users with the following command: cli% showuser If the accounts "3parbrowse", "3paredit", or "3parservice" exist, see HP3P-32-001504 for removal instructions specific to these accounts. If the account "3parcimuser" exists see HP3P-32-001002 for removal instructions specific to that account. Otherwise, remove all accounts except "3paradm", "3parsvc", "3parsnmpuser", and "3parcimuser" using the following command: cli% removeuser Confirm the operation with "y". |