Free DISA STIG and SRG Library | Vaulted

V-70501

The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities.

Finding ID
HP3P-32-001501
Rule ID
SV-85123r2_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-000123-GPOS-00064
CCI
CCI-001682
Target Key
(None)
Documentable
No
Discussion

While LDAP allows the storage system to support stronger authentication and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in the event the LDAP system is temporarily unavailable.

Fix Text

Display users with the following command: cli% showuser If the accounts "3parbrowse", "3paredit", or "3parservice" exist, see HP3P-32-001504 for removal instructions specific to these accounts. If the account "3parcimuser" exists see HP3P-32-001002 for removal instructions specific to that account. Otherwise, remove all accounts except "3paradm", "3parsvc", "3parsnmpuser", and "3parcimuser" using the following command: cli% removeuser <username> Confirm the operation with "y".

Check Content

Verify that only essential local accounts are configured. Enter the following command: cli% showuser If the output shows users other than the four accounts below, this is a finding: 3paradm 3parsvc 3parsnmpuser 3parcimuser