STIGQter: STIG Summary: HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 28 Jul 2017:

SNMP must be changed from default settings and must be configured on the storage system to provide alerts of critical events that impact system security.

DISA Rule

SV-85115r1_rule

Vulnerability Number

V-70493

Group Title

SRG-OS-000046-GPOS-00022

Rule Version

HP3P-32-001300

Severity

CAT II

CCI(s)

• CCI-000139 - The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.
• CCI-000366 - The organization implements the security configuration settings.
• CCI-001858 - The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Weight

10

Fix Recommendation

To configure SNMPv3 alert notifications, use this sequence of operations to create and enable an SNMPv3 user, and create associated keys for authentication and privacy:

First, create the "3parsnmpuser" on the host with the following command:

cli% createuser 3parsnmpuser all browse

Enter the password and retype the password to confirm.

Next, create the snmp user and associate that with the "3parsnmpuser" account on the host.

cli% createsnmpuser 3parsnmpuser

Enter the password and retype the password to confirm.

Finally, add the IP address of the SNMPv3 trap recipient, where the permissions of the account are used:

cli% addsnmpmgr -pw <password> -version 3 -snmpuser 3parsnmpuser <ip address>

Check Contents

Verify a SNMPv3 user account is configured. Run the following command:

cli% showsnmpuser
Username | AuthProtocol | PrivProtocol
3parsnmpuser | HMAC SHA 96 | CFB128 AES 128

If the output is not displayed in the above format, this is a finding.

Identify the SNMP trap recipient and report SNMP configuration with the following command:

cli% showsnmpmgr
HostIP | Port | SNMPVersion | User
<snmp trap recipient IP> | 162 | 3 | 3parsnmpuser

If the SNMP trap recipient IP address is incorrect, this is a finding.
If the SNMP port is not "162", this is a finding.
If the SNMP version is not "3", this is a finding.
If the SNMP user ID is incorrect, this is a finding.

Generate a test trap:
cli% checksnmp

Trap sent to the following managers:
< IP address of trap recipient>

If the response does not indicate a trap was successfully sent, this is a finding.

Vulnerability Number

V-70493

Documentable

False

Rule Version

HP3P-32-001300

Severity Override Guidance

Verify a SNMPv3 user account is configured. Run the following command:

cli% showsnmpuser
Username | AuthProtocol | PrivProtocol
3parsnmpuser | HMAC SHA 96 | CFB128 AES 128

If the output is not displayed in the above format, this is a finding.

Identify the SNMP trap recipient and report SNMP configuration with the following command:

cli% showsnmpmgr
HostIP | Port | SNMPVersion | User
<snmp trap recipient IP> | 162 | 3 | 3parsnmpuser

If the SNMP trap recipient IP address is incorrect, this is a finding.
If the SNMP port is not "162", this is a finding.
If the SNMP version is not "3", this is a finding.
If the SNMP user ID is incorrect, this is a finding.

Generate a test trap:
cli% checksnmp

Trap sent to the following managers:
< IP address of trap recipient>

If the response does not indicate a trap was successfully sent, this is a finding.

Check Content Reference

M

Target Key

3013

Comments