The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-237824 | HP3P-32-001501 | SV-237824r647881_rule | CCI-001682 | high |
| Description |
| While LDAP allows the storage system to support stronger authentication and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in the event the LDAP system is temporarily unavailable. |
| STIG | Date |
| HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide | 2021-11-23 |
Details
Check Text (C-237824r647881_chk)
Verify that only essential local accounts are configured. Enter the following command:
cli% showuser
If the output shows users other than the four accounts below, this is a finding:
3paradm
3parsvc
3parsnmpuser
3parcimuser
Fix Text (F-40993r647880_fix)
Display users with the following command:
cli% showuser
If the accounts "3parbrowse", "3paredit", or "3parservice" exist, see HP3P-32-001504 for removal instructions specific to these accounts.
If the account "3parcimuser" exists, see HP3P-32-001002 for removal instructions specific to that account.
Otherwise, remove all accounts except "3paradm", "3parsvc", "3parsnmpuser", and "3parcimuser" using the following command:
cli% removeuser <username>
Confirm the operation with "y".
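The check and fix above can be applied to a saved copy of the showuser output. The script below is an added example, not part of the STIG or of HPE's tooling. It assumes the username is the first whitespace-separated column of each row; the sample output and the account "jsmith" are constructed.

```python
# Local accounts the check text permits (from the page).
ALLOWED = {"3paradm", "3parsvc", "3parsnmpuser", "3parcimuser"}

# Accounts the fix text routes to another rule for removal (from the page).
SEE_RULE = {
    "3parbrowse": "HP3P-32-001504",
    "3paredit": "HP3P-32-001504",
    "3parservice": "HP3P-32-001504",
}

# Constructed sample. The column layout is an assumption; only the first
# whitespace-separated field (the username) is used. "jsmith" is made up.
SAMPLE = """\
cli% showuser
Username     Domain Role   Default
3paradm      all    super  N
3parsvc      all    super  N
3parbrowse   all    browse N
jsmith       all    edit   N
"""


def parse_usernames(text):
    """Return unique usernames in order, skipping prompt, header and rule lines."""
    names = []
    for line in text.splitlines():
        first = (line.split() or [""])[0]
        if first in ("", "cli%") or first.lower() == "username" or set(first) == {"-"}:
            continue
        if first not in names:  # a user may be listed on more than one row
            names.append(first)
    return names


def audit(text):
    """Return (finding, actions); actions maps each extra account to a next step."""
    extra = [u for u in parse_usernames(text) if u not in ALLOWED]
    actions = {
        u: f"see {SEE_RULE[u]}" if u in SEE_RULE else f"removeuser {u}"
        for u in extra
    }
    return bool(extra), actions


if __name__ == "__main__":
    finding, actions = audit(SAMPLE)
    print("FINDING" if finding else "not a finding", actions)
```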