Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-252199 | HPEN-NM-000140 | SV-252199r814077_rule | | High |
Description |
---|
Alerts are essential to let the system administrators and security personnel know immediately of issues that may impact the system or users. If these alerts are also sent to the syslog, the network IA team can use this information to detect weaknesses in security and address them before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat. Alerts are identifiers about specific actions that occur on a group of arrays. There are several ways to meet this requirement. The Nimble can be configured to forward alerts from groups to a secure Simple Mail Transfer Protocol (SMTP) server. The alert may also be sent to the syslog server and the syslog configured to send the alert to the appropriate personnel. |
STIG | Date |
---|---|
HPE Nimble Storage Array Security Technical Implementation Guide | 2022-03-16 |
Check Text ( C-55655r814075_chk ) |
---|
Type "group --info | grep -i syslog" and review the output lines. The "Syslogd enabled" value should be "Yes", and the "Syslogd server" and "Syslogd port" values should contain the correct syslog server and port values. If not, this is a finding. |
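
The check above, automated as an added example (not part of the STIG or HPE's tooling): it evaluates captured `group --info` output against the expected syslog server and port. The `Name: value` line layout, the function names, and the sample address 192.0.2.10 are assumptions; only the three field names come from the check text.

```shell
#!/bin/sh
# Added example, not HPE or DISA code. Assumption: the array prints each
# field as "Name: value"; only the three field names come from the check text.

# Print the value of field $1 from the text on stdin (case-insensitive name).
syslog_field() {
    awk -F: -v want="$1" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        tolower(name) == tolower(want) {
            val = substr($0, index($0, ":") + 1)   # keeps colons in IPv6 values
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            print val
            exit
        }'
}

# check_syslog EXPECTED_SERVER EXPECTED_PORT   (reads `group --info` text on stdin)
# Returns 0 when all three conditions hold, 1 when any is a finding.
check_syslog() {
    info=$(cat)
    enabled=$(printf '%s\n' "$info" | syslog_field "Syslogd enabled")
    server=$(printf '%s\n' "$info" | syslog_field "Syslogd server")
    port=$(printf '%s\n' "$info" | syslog_field "Syslogd port")
    rc=0
    case $enabled in
        [Yy][Ee][Ss]) ;;
        *) echo "FINDING: Syslogd enabled is '${enabled:-missing}'"; rc=1 ;;
    esac
    if [ "$server" != "$1" ]; then
        echo "FINDING: Syslogd server is '${server:-missing}', expected '$1'"; rc=1
    fi
    if [ "$port" != "$2" ]; then
        echo "FINDING: Syslogd port is '${port:-missing}', expected '$2'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "NOT A FINDING"; fi
    return "$rc"
}

# Constructed sample of the filtered output (documentation-range address).
sample_info() {
    printf '%s\n' 'Syslogd enabled: Yes' 'Syslogd server: 192.0.2.10' 'Syslogd port: 514'
}

sample_info | check_syslog 192.0.2.10 514
```

Pipe the text captured from the array's CLI session into `check_syslog` with the site's approved syslog server and port; a missing field is reported as a finding rather than silently passing.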
Fix Text (F-55605r814076_fix) |
---|
Configure email alerts (optional): group --edit [--smtp_server smtp server] [--smtp_port smtp port] [--smtp_auth {yes | no}] [--smtp_username username] --smtp_encrypt_type ssl [--smtp_from_addr email addr] [--smtp_to_addr email addr] [--send_event_data {yes | no}] [--alert_level {info | warning | critical}] To specify and enable logging of alerts, type "group --edit --syslog_enabled yes --syslog_server |