The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-283425 | ASMP-ND-001060 | SV-283425r1194969_rule | CCI-000370 | high |
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important as protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative, defining administrator accounts on each device, exposes the device configuration to remote access authentication attacks and leaves system administrators holding a separate set of authenticators for every network device.
Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000156-NDM-000250, SRG-APP-000177-NDM-000263
| STIG | Date |
|---|---|
| HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide | 2026-03-03 |
Details
Check Text (C-283425r1194969_chk)
Determine if the system is configured to use a primary and secondary authentication server with the following command:
cli% showauthparam
ldap-type MSAD
accounts-dn <accounts dn configuration>
super-map <super-map configuration>
edit-map <edit-map configuration>
browse-map <browse-map configuration>
service-map <service-map configuration>
ldap-StartTLS require
kerberos-realm <Kerberos-realm configuration>
ldap-2FA-cert-field subjectAlt:rfc822Name
ldap-2FA-object-attr mail
ldap-server <server hostname>
ldap-server <server hostname>
ldap-ssl-cacert:
-----BEGIN CERTIFICATE-----
If the command output does not list authparams for ldap-type, kerberos-realm, accounts-dn, ldap-ssl-cacert, and at least one role map (e.g., super-map), this is a finding.
If there are not two ldap-server lines, this is a finding.
If ldap-StartTLS is not set to "require", this is a finding.
If the ldap-reqcert authparam is not set to "1", this is a finding.
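The check above is a handful of pattern matches over the showauthparam listing, which makes it easy to apply to output saved from several arrays. The script below is an added example, not HPE code or part of the STIG: it takes the saved output as a string and reports every condition from the check text that fails (required parameters present, at least one role map, two ldap-server lines, ldap-StartTLS set to require, ldap-reqcert set to 1). Both sample listings are constructed to mirror the shape of the output shown above (hostnames, DNs and group names are placeholders, and the certificate body is omitted); the compliant sample includes an ldap-reqcert line because the check requires it even though the example listing on this page does not show one.

```shell
#!/bin/sh
# Added example: evaluates saved `showauthparam` output against the
# conditions in the check text. Not HPE code; the sample listings below are
# constructed to mirror the shape of the output shown above, not captured
# from a real array. Hostnames, DNs and group names are placeholders.

# Constructed sample: meets every condition in the check text.
COMPLIANT_SAMPLE='ldap-type MSAD
accounts-dn CN=Users,DC=example,DC=com
super-map StorageAdmins
ldap-StartTLS require
ldap-reqcert 1
kerberos-realm EXAMPLE.COM
ldap-server ldap1.example.com
ldap-server ldap2.example.com
ldap-ssl-cacert:
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----'

# Constructed sample: one server, StartTLS not required, no realm, no reqcert.
NONCOMPLIANT_SAMPLE='ldap-type MSAD
accounts-dn CN=Users,DC=example,DC=com
super-map StorageAdmins
ldap-StartTLS 0
ldap-server ldap1.example.com
ldap-ssl-cacert:
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----'

# Prints one FINDING line per failed condition and returns the number of
# findings (0 = not a finding). $1 is the full showauthparam output.
assess_authparam() {
    out=$1
    findings=0

    # Required parameters; ldap-ssl-cacert is printed with a trailing colon.
    for p in ldap-type kerberos-realm accounts-dn ldap-ssl-cacert; do
        if ! printf '%s\n' "$out" | grep -Eq "^$p"'( |:|$)'; then
            echo "FINDING: $p is not configured"
            findings=$((findings + 1))
        fi
    done

    # At least one role map (super-map, edit-map, browse-map or service-map).
    if ! printf '%s\n' "$out" | grep -Eq '^(super|edit|browse|service)-map '; then
        echo "FINDING: no role map configured"
        findings=$((findings + 1))
    fi

    # Two ldap-server lines: primary and secondary.
    servers=$(printf '%s\n' "$out" | grep -c '^ldap-server ' || true)
    if [ "$servers" -lt 2 ]; then
        echo "FINDING: $servers ldap-server line(s) present, 2 required"
        findings=$((findings + 1))
    fi

    # StartTLS must be required, not merely enabled or optional.
    if ! printf '%s\n' "$out" | grep -q '^ldap-StartTLS require$'; then
        echo "FINDING: ldap-StartTLS is not set to require"
        findings=$((findings + 1))
    fi

    # The server certificate must be validated.
    if ! printf '%s\n' "$out" | grep -q '^ldap-reqcert 1$'; then
        echo "FINDING: ldap-reqcert is not set to 1"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone demonstration over both constructed samples.
for sample in "$COMPLIANT_SAMPLE" "$NONCOMPLIANT_SAMPLE"; do
    if assess_authparam "$sample"; then
        echo "RESULT: not a finding"
    else
        echo "RESULT: finding(s) present"
    fi
    echo
done
```

In practice the listing would be captured from the array (for example by running showauthparam over SSH and saving stdout) and passed to assess_authparam; the return value is the finding count, so a zero exit is the only passing result.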
Fix Text (F-87895r1194968_fix)
Use the following commands to configure the primary and secondary authentication servers.
cli% setauthparam -f ldap-type <type> where type is MSAD, RHDS or OPEN.
cli% setauthparam ldap-server <primary hostname> <secondary hostname>
cli% setauthparam -f accounts-dn <base of the ad subtree, such as CN=Users,DC=win2k12forest,DC=thisdomain,DC=com>
cli% setauthparam -f kerberos-realm <Kerberos-realm configuration>
cli% setauthparam -f ldap-reqcert 1
Map a directory group to a role, for example the super role:
cli% setauthparam -f super-map <customer-assigned name of "super" group>
Enable TLS with:
cli% setauthparam -f ldap-StartTLS require
or
cli% setauthparam -f ldap-ssl 1
Note that the check text above only accepts ldap-StartTLS set to require; a configuration with ldap-ssl 1 and without ldap-StartTLS require is still reported as a finding.
Import a TLS certificate:
cli% importcert ldap -f stdin