The HPE 3PAR OS syslog-sec-client must be configured to perform mutual TLS authentication using a CA-signed client certificate.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255289	HP3P-33-104020	SV-255289r870186_rule		Medium

Description
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.

Description

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The HPE 3PAR OS can be configured to use only defined CA(s) for specific purposes. There is no default set of CA certificates included in the product.

STIG	Date
HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide	2023-11-30

Details

Check Text ( C-58962r870184_chk )
Check with the Information Owner to verify if Mutual Authentication is required by the syslog server. If mutual TLS authentication is not required, this requirement is not applicable. Check that a signed client certificate and CA certificate have been imported for the syslog-sec-client service: cli% showcert -service syslog-sec-client If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.

Check Text ( C-58962r870184_chk )

Check with the Information Owner to verify if Mutual Authentication is required by the syslog server.

If mutual TLS authentication is not required, this requirement is not applicable.

Check that a signed client certificate and CA certificate have been imported for the syslog-sec-client service:

cli% showcert -service syslog-sec-client

If the output does not contain DOD PKI certificates of at least two lines of output, one of type "cert" and one of type "rootca", this is a finding.

Fix Text (F-58906r870185_fix)
Check with the Information Owner to verify that TLS mutual authentication is required by the remote syslog server. If TLS mutual authentication is not required, this requirement is not applicable. Create a CSR to be signed by an appropriate CA: cli% createcert syslog-sec-client -csr -CN -SAN Copy the output and give it to the CA for signing. Install the root CA certificate bundle: cli% importcert syslog-sec-client -ca stdin Copy and paste the ca bundle contents as instructed. Install the signed certificate from the ca: cli% importcert sysloc-sec-client stdin Copy and paste the PEM format signed certificate contents as instructed. The syslog-sec-client service will be restarted.

Fix Text (F-58906r870185_fix)

Check with the Information Owner to verify that TLS mutual authentication is required by the remote syslog server.

If TLS mutual authentication is not required, this requirement is not applicable.

Create a CSR to be signed by an appropriate CA:

cli% createcert syslog-sec-client -csr -CN -SAN

Copy the output and give it to the CA for signing.

Install the root CA certificate bundle:

cli% importcert syslog-sec-client -ca stdin

Copy and paste the ca bundle contents as instructed.

Install the signed certificate from the ca:

cli% importcert sysloc-sec-client stdin

Copy and paste the PEM format signed certificate contents as instructed.

The syslog-sec-client service will be restarted.