The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities.

An XCCDF Rule

Description

<VulnDiscussion>While LDAP allows the storage system to support stronger authentication and provides additional auditing, it also places a dependency on an external entity in the operational environment. The existence of a single local account with a strong password means that administrators can continue to access the storage system in the event the LDAP system is temporarily unavailable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-237824r647881_rule
Severity: High
References: CCI-001682
Updated: about 1 year ago

Display users with the following command:

cli% showuser

If the accounts "3parbrowse", "3paredit", or "3parservice" exist, see HP3P-32-001504 for removal instructions specific to these accounts.
If the account "3parcimuser" exists see HP3P-32-001002 for removal instructions specific to that account.

Otherwise, remove all accounts except "3paradm", "3parsvc", "3parsnmpuser", and "3parcimuser" using the following command:

cli% removeuser <username>

Confirm the operation with "y".

The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities.

Description

Remediation - Manual Procedure