← Back to HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide

V-237824

CAT I (High)

The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities.

Rule ID

SV-237824r647881_rule

STIG

HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001682

Discussion

While LDAP allows the storage system to support stronger authentication and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in the event the LDAP system is temporarily unavailable.

Check Content

Verify that only essential local accounts are configured. Enter the following command:

cli% showuser

If the output shows users other than the four accounts below, this is a finding:

3paradm
3parsvc
3parsnmpuser
3parcimuser

Fix Text

Display users with the following command:

cli% showuser

If the accounts "3parbrowse", "3paredit", or "3parservice" exist, see HP3P-32-001504 for removal instructions specific to these accounts.

If the account "3parcimuser" exists see HP3P-32-001002 for removal instructions specific to that account.

Otherwise, remove all accounts except "3paradm", "3parsvc", "3parsnmpuser", and "3parcimuser" using the following command:

cli% removeuser <username>

Confirm the operation with "y".