DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
DISA Rule
SV-85111r1_rule
Vulnerability Number
V-70489
Group Title
SRG-OS-000033-GPOS-00014
Rule Version
HP3P-32-001100
Severity
CAT I
CCI(s)
- CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
- CCI-000366 - The organization implements the security configuration settings.
- CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
- CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
- CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
- CCI-002314 - The information system controls remote access methods.
- CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
- CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
- CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
- CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- CCI-003123 - The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
Weight
10
Fix Recommendation
Disable insecure ports by entering the following command:
cli% setnet disableports yes
Confirm the operation by entering "y" and pressing "Enter".
Check Contents
Verify that insecure ports are disabled.
cli% setnet disableports yes
Confirm the operation by entering "y" and pressing "Enter".
If an error is reported, this is a finding.
If available, a remote port scan can also verify that only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command with root privileges (the UDP scan, -sU, needs raw socket access):
$ nmap -sT -sU -sV --version-all -vv -p1-65535 <ip address of storage system>
If any port other than 22 (ssh), 123 (ntp), 161 and 162 (snmp), and 5783 (ssl manageability) reports as open, this is a finding.
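The port-scan check above can be scripted so the comparison against the permitted list is not done by eye. The following is an added example, not part of the STIG or of HP's tooling: it runs the STIG's nmap scan with grepable output and reports every port in state "open" that is not 22, 123, 161, 162 or 5783. It assumes nmap is installed on the Linux workstation, that the array IP is reachable, and that it runs as root; the embedded sample scan result is constructed for offline use and is not output from a real 3PAR system.

```shell
#!/bin/sh
# Added example for HP3P-32-001100 (not part of the STIG): run the STIG's nmap
# scan against the array and flag any open port outside the permitted list.
# Assumptions: nmap is installed on the Linux workstation, the array IP is
# reachable, and the script runs as root (nmap needs raw sockets for -sU).
set -u

# Ports the STIG permits: 22 ssh, 123 ntp, 161/162 snmp, 5783 ssl manageability.
ALLOWED_PORTS="22 123 161 162 5783"

# The STIG's scan, with grepable output (-oG -) on stdout so it can be parsed.
scan_array() {
    nmap -sT -sU -sV --version-all -vv -p1-65535 -oG - "$1"
}

# Constructed nmap grepable output (not a real 3PAR scan) for offline runs:
# the permitted ports plus 443/tcp, which must be reported as a finding.
sample_scan() {
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 123/open/udp//ntp//, 161/open/udp//snmp//, 5783/open/tcp//ssl|http//HP 3PAR/, 443/open/tcp//https//HP 3PAR WebUI/, 8080/open|filtered/udp//http-alt//\tIgnored State: closed (65530)\n'
}

# Read grepable output on stdin. Prints "port/proto service" for every port in
# state "open" that is not permitted; returns 1 (finding) if there are any.
# Entries look like 22/open/tcp//ssh//OpenSSH 7.4/ and are separated by ", ";
# the Ports field is tab-separated from the host and "Ignored State" fields.
check_ports() {
    offenders=$(awk -F '\t' -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host:/ {
            for (f = 1; f <= NF; f++) {
                if ($f !~ /^Ports: /) continue
                sub(/^Ports: /, "", $f)
                m = split($f, entry, /, */)
                for (j = 1; j <= m; j++) {
                    split(entry[j], p, "/")        # port/state/proto/owner/service/...
                    if (p[2] == "open" && !(p[1] in ok))
                        printf "%s/%s %s\n", p[1], p[3], p[5]
                }
            }
        }')
    if [ -n "$offenders" ]; then
        printf 'FINDING: unexpected open ports:\n%s\n' "$offenders"
        return 1
    fi
    echo "PASS: only permitted ports are open"
}

# Usage: ./check_3par_ports.sh <array-ip>; with no argument, check the sample.
if [ $# -gt 0 ]; then
    scan_array "$1" | check_ports
else
    sample_scan | check_ports || :    # the sample deliberately contains a finding
fi
```

Only ports nmap reports as exactly "open" are counted, matching the STIG wording; UDP ports that come back as "open|filtered" (common when a host does not answer probes) are not flagged automatically and should be confirmed by hand before closing the check. The script's exit status is non-zero when a finding is present, so it can be used from a larger compliance run.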
Documentable
False
Severity Override Guidance
Same as Check Contents.
Check Content Reference
M
Target Key
3013
Comments