The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-255272	SRG-OS-000033-GPOS-00014	HP3P-33-001100	SV-255272r958408_rule	2024-08-27	2

Description
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The HPE 3PAR OS supports communication security in compliance with DOD requirements. These include TLS1.2 protocols, encryption supplied by a FIPS140-2 library, and using specific cipher suites in a subset of the CNSA guidelines. Configuration is required to restrict the available algorithms to a subset of those approved by the DOD. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000096-GPOS-00050, SRG-OS-000112-GPOS-00057, SRG-OS-000250-GPOS-00093, SRG-OS-000480-GPOS-00227, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000297-GPOS-00115, SRG-OS-000074-GPOS-00042

Description

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The HPE 3PAR OS supports communication security in compliance with DOD requirements. These include TLS1.2 protocols, encryption supplied by a FIPS140-2 library, and using specific cipher suites in a subset of the CNSA guidelines. Configuration is required to restrict the available algorithms to a subset of those approved by the DOD. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000096-GPOS-00050, SRG-OS-000112-GPOS-00057, SRG-OS-000250-GPOS-00093, SRG-OS-000480-GPOS-00227, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000297-GPOS-00115, SRG-OS-000074-GPOS-00042

ℹ️ Check
Verify that insecure ports are disabled. cli% setnet disableports yes To confirm the operation, enter "cli% y" and press "Enter". If an error is reported, this is a finding. If available, a port scan can also verify that only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command: cli% nmap -sT -sU -sV --version-all -vv -p1 -65535 <ip address of storage system> If any Port is listed other than SSHD(22), NTP(123), SNMP(161,162), 3PAR Mgmt Intfc (5783), CIM (5989/configurable), or WSAPI (8088/configurable), this is a finding.

ℹ️ Check

Verify that insecure ports are disabled. cli% setnet disableports yes To confirm the operation, enter "cli% y" and press "Enter". If an error is reported, this is a finding. If available, a port scan can also verify that only secure ports are open. From a command shell on a Linux workstation in the operational environment, enter the following command: cli% nmap -sT -sU -sV --version-all -vv -p1 -65535 <ip address of storage system> If any Port is listed other than SSHD(22), NTP(123), SNMP(161,162), 3PAR Mgmt Intfc (5783), CIM (5989/configurable), or WSAPI (8088/configurable), this is a finding.

✔️ Fix
To disable all unencrypted ports, use the command: cli% setnet disableports yes To confirm the operation, enter "cli% y" and press "Enter".