The HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-283387 | ASMP-ND-000600 | SV-283387r1194855_rule | CCI-000803 | high |

Description

Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.

Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, security processes must also be configured to use only FIPS-approved and NIST-recommended authentication algorithms.

Use secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000172-NDM-000259, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331

| STIG | Date |
| --- | --- |
| HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide | 2026-03-03 |
Details
Check Text (C-283387r1194855_chk)
Verify the status of the FIPS communication library with the following command:
```
cli% controlsecurity fips status
FIPS mode: Enabled
Service Status
AUTHN Enabled
CIM Disabled
CLI Enabled
EKM Enabled
LDAP Enabled
QW Enabled
RDA Enabled
SC CONNECTOR Disabled
SNMP Enabled
SSH Enabled
SYSLOG Enabled
VASA Enabled
WSAPI Enabled
```
If the line "FIPS mode:" is not "Enabled", this is a finding.
If any of the service lines for "CLI", "EKM", "LDAP", "SNMP", "SSH", or "SYSLOG" are "Disabled", this is a finding.
If CIM, VASA, or WSAPI show "Disabled" while the corresponding service is enabled on the array, this is a finding.
Fix Text (F-87857r1194854_fix)
Warning: Enabling FIPS mode requires restarting all system management interfaces, which will terminate all existing connections including this one.
Set the communications encryption module into FIPS mode:
```
cli% controlsecurity fips enable
```