| V-283377 | high | The HPE Alletra Storage ArcusOS device must be configured to prohibit using all unnecessary and/or nonsecure ports, protocols, and/or services. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.
Network devices can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting using ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Configuring the network device to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network device. Security-related parameters are those parameters impacting the security state of the network device, including the parameters required to satisfy other security control requirements.
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption. |
| V-283387 | high | The HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.
Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.
Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.
The use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000172-NDM-000259, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331 |
| V-283388 | high | The HPE Alletra Storage ArcusOS device must terminate all network connections at the end of the session, or the session must be terminated after five minutes of inactivity, except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. |
| V-283425 | high | The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000156-NDM-000250, SRG-APP-000177-NDM-000263 |
| V-283429 | high | The HPE Alletra Storage ArcusOS device must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
A network boundary device is a piece of networking hardware that sits at the edge of a network, controlling the flow of data traffic between the internal network and external networks like the internet. It acts as a gatekeeper, enforcing security policies and protecting the internal network from unauthorized access and malicious attacks. Having a second central log server delivers a defense in depth approach for critical boundary devices.
Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000515-NDM-000325, SRG-APP-000795-NDM-000130 |
| V-283430 | high | The HPE Alletra Storage ArcusOS device must be running an operating system release that is currently supported by the vendor. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. |
| V-283358 | medium | The HPE Alletra Storage ArcusOS device must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device. | Displaying the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users.
Satisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216 |
| V-283378 | medium | The HPE Alletra Storage ArcusOS device must be configured with only one local interactive account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.
The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions. |
| V-283381 | medium | The HPE Alletra Storage ArcusOS device must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. |
| V-283382 | medium | The HPE Alletra Storage ArcusOS device must enforce password complexity by requiring at least one uppercase character, one lowercase character, one numeric character, and one special character be used. | Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Satisfies: SRG-APP-000166-NDM-000254, SRG-APP-000167-NDM-000255, SRG-APP-000168-NDM-000256, SRG-APP-000169-NDM-000257 |
| V-283400 | medium | The HPE Alletra Storage ArcusOS device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | Network devices must be able to allocate audit record storage capacity to ensure sufficient storage capacity in which to write the audit logs. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors. |
| V-283401 | medium | The HPE Alletra Storage ArcusOS device must allocate a set number of audit records that can be stored on the system in accordance with organization-defined audit record storage requirements. | Network devices must be able to allocate audit record storage capacity to ensure sufficient storage capacity in which to write the audit logs. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors. |
| V-283402 | medium | The HPE Alletra Storage ArcusOS device must have an SNMPv3 user account configured. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. |
| V-283403 | medium | The HPE Alletra Storage ArcusOS device must be configured to collect and send SNMPv3 notifications. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. |
| V-283404 | medium | The HPE Alletra Storage ArcusOS device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. |
| V-283409 | medium | The HPE Alletra Storage ArcusOS device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without using a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. |
| V-283410 | medium | The HPE Alletra Storage ArcusOS device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. | If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Satisfies: SRG-APP-000395-NDM-000347, SRG-APP-000920-NDM-000320, SRG-APP-000925-NDM-000330 |
| V-283414 | medium | The HPE Alletra Storage ArcusOS device must install security-relevant firmware updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). | Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. |
| V-283437 | medium | The HPE Alletra Storage ArcusOS device must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.
Network devices can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting using ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Configuring the network device to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network device. Security-related parameters are those parameters impacting the security state of the network device, including the parameters required to satisfy other security control requirements.
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption. |