SSMC must be configured to offload logs to a SIEM that is configured to alert the ISSO or SA when the local built-in admin account (ssmcadmin) is accessed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255243	SSMC-OS-010100	SV-255243r870274_rule		Medium

Description
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. The ssmcadmin account is an emergency group account used to administer ssmc. This is a privileged account that can Log on to the SSMC appliance. The ssmcaudit account is a nonprivileged group user account that can be enabled/disabled by ssmcadmin for CVE scanning via TUI. This is the other group account that can log on to the appliance. By alerting to the use of ssmcadmin account, the information assurance team can mitigate the risks involved in using this group account. These alerts must be used to ensure that the use of this account is warranted and documented.

Description

Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. The ssmcadmin account is an emergency group account used to administer ssmc. This is a privileged account that can Log on to the SSMC appliance. The ssmcaudit account is a nonprivileged group user account that can be enabled/disabled by ssmcadmin for CVE scanning via TUI. This is the other group account that can log on to the appliance. By alerting to the use of ssmcadmin account, the information assurance team can mitigate the risks involved in using this group account. These alerts must be used to ensure that the use of this account is warranted and documented.

STIG	Date
HPE 3PAR SSMC Operating System Security Technical Implementation Guide	2022-10-13

Details

Check Text ( C-58856r869877_chk )
Verify that SSMC is configured to offload logs to a SIEM that is set up to alert the ISSO or SA when the ssmcadmin account is accessed by performing the following: 1. Log on to SIEM where the logs are being offloaded. 2. Log on to SSMC with the ssmcadmin account. 3. Return to the SIEM to see that an alert has been generated based on the access of the ssmcadmin account. If the SIEM does not generate an alert for the ISSO or SA, this is a finding.

Check Text ( C-58856r869877_chk )

Verify that SSMC is configured to offload logs to a SIEM that is set up to alert the ISSO or SA when the ssmcadmin account is accessed by performing the following:

1. Log on to SIEM where the logs are being offloaded.

2. Log on to SSMC with the ssmcadmin account.

3. Return to the SIEM to see that an alert has been generated based on the access of the ssmcadmin account.

If the SIEM does not generate an alert for the ISSO or SA, this is a finding.

Fix Text (F-58800r869878_fix)
Configure SSMC to offload logs to a SIEM that is set up to alert the ISSO or SA when the ssmcadmin account is accessed by performing the following: 1. Implement SSMC-WS-010080 to establish offloading logs to a SIEM. 2. Configure the SIEM to alert the ISSO or SA in the event that the ssmcadmin account is accessed.