STIGQter STIGQter: STIG Summary: HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 28 Jul 2017:

The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available.

DISA Rule

SV-85125r1_rule

Vulnerability Number

V-70503

Group Title

SRG-OS-000001-GPOS-00001

Rule Version

HP3P-32-001503

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Use this series of commands to configure LDAP.

cli% setauthparam -f ldap-server <ldap server IP address>
cli% setauthparam -f ldap-server-hn <fully qualified domain name of ldap server, such as ldapserver.thisdomain.com>
cli% setauthparam -f binding simple
cli% setauthparam -f ldap-StartTLS require
cli% setauthparam -f groups-dn ou=Groups,dc=thisdomain,dc=com
cli% setauthparam -f user-dn-base ou=People,dc=thisdomain,dc=com
cli% setauthparam -f user-attr uid
cli% setauthparam -f group-obj groupofuniquenames
cli% setauthparam -f group-name-attr cn
cli% setauthparam -f member-attr uniqueMember
cli% setauthparam -f browse-map "*"
cli% setauthparam -f edit-map <customer-assigned name of edit role> <customer-assigned name of "edit" group>
cli% setauthparam -f service-map <customer-assigned name of service role> <customer-assigned name of "service" group>
cli% setauthparam -f super-map <customer-assigned name of super role> <customer-assigned name of "super" group>

Check Contents

Determine if the system is configured for LDAP.

Enter the following command:

cli% showauthparam

If the output indicates an error, this is a finding.

If the resulting output does not include group parameters "groups-dn", "group-obj", or "group-name-attr" then the host is configured to use Active Directory and this requirement is not applicable.

If the host is using LDAP and the following fields of the output are not configured, this is a finding.

ldap-server <ip address of LDAP server>
ldap-server-hn <host name of LDAP server>

Next, verify that the LDAP authentication is operational by entering the following command:

cli% checkpassword <username>
password: <Enter the password for username>

If the username and password used in "checkpassword" are known to be valid LDAP credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.

user <username> is authenticated and authorized

Note: The "checkpassword" command will not display authenticated information even if LDAP is properly configured, if the username and password are not entered correctly.

Vulnerability Number

V-70503

Documentable

False

Rule Version

HP3P-32-001503

Severity Override Guidance

Determine if the system is configured for LDAP.

Enter the following command:

cli% showauthparam

If the output indicates an error, this is a finding.

If the resulting output does not include group parameters "groups-dn", "group-obj", or "group-name-attr" then the host is configured to use Active Directory and this requirement is not applicable.

If the host is using LDAP and the following fields of the output are not configured, this is a finding.

ldap-server <ip address of LDAP server>
ldap-server-hn <host name of LDAP server>

Next, verify that the LDAP authentication is operational by entering the following command:

cli% checkpassword <username>
password: <Enter the password for username>

If the username and password used in "checkpassword" are known to be valid LDAP credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.

user <username> is authenticated and authorized

Note: The "checkpassword" command will not display authenticated information even if LDAP is properly configured, if the username and password are not entered correctly.

Check Content Reference

M

Target Key

3013

Comments