STIGQter: STIG Summary: HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 28 Jul 2017: STIGQter: STIG Summary: HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 28 Jul 2017:SV-85129r1_rule
V-70507
SRG-OS-000001-GPOS-00001
HP3P-32-001507
CAT I
10
Use this series of commands to configure the host to use Active Directory:
cli% setauthparam -f ldap-server <AD server IP address>
cli% setauthparam -f binding simple
cli% setauthparam -f ldap-StartTLS require
cli% setauthparam -f Kerberos-realm <Kerberos realm, such as WIN2K12FOREST.THISDOMAIN.COM>
cli% setauthparam -f ldap-server-hn <fully qualified domain name of AD server, such as adserver.thisdomain.com>
cli% setauthparam -f accounts-dn CN=Users,DC=win2k12forest,DC=thisdomain,DC=com
cli% setauthparam -f user-dn-base CN=Users,DC=win2k12forest,DC=thisdomain,DC=com
cli% setauthparam -f user-attr WIN2K12FOREST\\
cli% setauthparam -f account-obj user
cli% setauthparam -f account-name-attr sAMAccountName
cli% setauthparam -f memberof-attr memberOf
cli% setauthparam -f browse-map "CN=<customer-assigned name of browse role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f edit-map "CN=<customer-assigned name of edit role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f service-map "CN=<customer-assigned name of service role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f super-map "CN=<customer-assigned name of super role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
Determine if the system is configured for Active Directory (AD).
Enter the following command:
cli% showauthparam
If the result returns an error, this is a finding.
If the resulting output does include the parameters "groups-dn", "group-obj", or "group-name-attr" then the host is setup for LDAP, this requirement is not applicable.
If the host is setup for Active Directory and these fields in the output are not configured, this is a finding.
ldap-server <ip address of AD server>
ldap-server-hn <host name of AD server>
Next, verify that the AD authentication is operational by entering the following command:
cli% checkpassword <username>:
password: <Enter the password for username>
If the username and password used in checkpassword are known to be valid AD credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.
user <username> is authenticated and authorized
Note: The "checkpassword" command will not display authenticated information even if AD is properly configured, if the username and password are not entered correctly.
V-70507
False
HP3P-32-001507
Determine if the system is configured for Active Directory (AD).
Enter the following command:
cli% showauthparam
If the result returns an error, this is a finding.
If the resulting output does include the parameters "groups-dn", "group-obj", or "group-name-attr" then the host is setup for LDAP, this requirement is not applicable.
If the host is setup for Active Directory and these fields in the output are not configured, this is a finding.
ldap-server <ip address of AD server>
ldap-server-hn <host name of AD server>
Next, verify that the AD authentication is operational by entering the following command:
cli% checkpassword <username>:
password: <Enter the password for username>
If the username and password used in checkpassword are known to be valid AD credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.
user <username> is authenticated and authorized
Note: The "checkpassword" command will not display authenticated information even if AD is properly configured, if the username and password are not entered correctly.
M
3013