CATA (Comprehensive Applications Threat Analysis) is a powerful security quality assessment tool designed to substantially reduce the number of latent security defects. The design of the appliance employed CATA fundamentals and underwent CATA review.
The following factors secured (hardened) the appliance and its operating system:
-
Best practice operating system security guidelines were followed.
The appliance operating system minimizes its vulnerability by running only the services required to provide functionality. The appliance operating system enforces mandatory access controls internally.
-
The appliance maintains a firewall that allows traffic on specific ports and blocks all unused ports. See Ports required for HPE OneView for the list of network ports used.
-
Key appliance services run only with the required privileges; they do not run as privileged users.
-
The operating system bootloader is password protected. The appliance cannot be compromised by someone attempting to boot in single-user mode.
-
-
The appliance is designed to operate entirely on an isolated management LAN. Access to the production LAN is not required.
-
The appliance enforces a password change at first login. The default password cannot be used again.
-
The appliance supports self-signed certificates and certificates issued by a certificate authority.
The appliance is initially configured with a self-signed certificate. As the Infrastructure administrator, you can generate a CSR (certificate signing request) and, upon receipt, upload the certificate to the appliance. This ensures the integrity and authenticity of your HTTPS connection to the appliance.
-
All browser operations and REST API calls use HTTPS. All weak SSL (Secure Sockets Layer) ciphers are disabled.
-
The appliance supports secure updating. Hewlett Packard Enterprise digitally signs all updates to ensure integrity and authenticity.
-
Support dumps are encrypted by default, but you (as Infrastructure administrator) have the option to not encrypt them. Support dumps are automatically encrypted when a user with another role creates them.
-
Operating-system-level users are not allowed to access the appliance.
-
Hewlett Packard Enterprise closely monitors security bulletins for threats to appliance software components and, if necessary, issues software updates.