NetApp ONTAP DSC 9.x Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2022-06-07

Updated At: 2022-08-25 11:38:36


Rules

Each entry lists: Rule ID | STIG ID | CCI | Severity, followed by the title and the discussion text. Discussion text is truncated in this listing.

SV-246922r769098_rule | NAOT-AC-000001 | CCI-000054 | MEDIUM
  Title: ONTAP must be configured to limit the number of concurrent sessions.
  Discussion: Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpfu

SV-246923r835206_rule | NAOT-AC-000002 | CCI-000057 | MEDIUM
  Title: ONTAP must be configured to create a session lock after 15 minutes.
  Discussion: A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating

SV-246925r769107_rule | NAOT-AC-000004 | CCI-002130 | MEDIUM
  Title: ONTAP must automatically audit account-enabling actions.
  Discussion: Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account

SV-246926r835209_rule | NAOT-AC-000005 | CCI-001358 | MEDIUM
  Title: ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
  Discussion: Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authenti

SV-246927r835210_rule | NAOT-AC-000006 | CCI-000213 | HIGH
  Title: ONTAP must enforce administrator privileges based on their defined roles.
  Discussion: To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the poss

SV-246930r835213_rule | NAOT-AC-000009 | CCI-002235 | HIGH
  Title: ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  Discussion: Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,

SV-246931r835216_rule | NAOT-AC-000010 | CCI-000044 | MEDIUM
  Title: ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
  Discussion: By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

SV-246932r835218_rule | NAOT-AC-000011 | CCI-000048 | MEDIUM
  Title: ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  Discussion: Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, a

SV-246933r835221_rule | NAOT-AU-000001 | CCI-001819 | MEDIUM
  Title: ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  Discussion: Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsystem creates the staging volumes. These volumes hold the audit logs until they can be consolidated. Enab

SV-246935r835225_rule | NAOT-AU-000003 | CCI-001858 | MEDIUM
  Title: ONTAP must have audit guarantee enabled.
  Discussion: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee enabled, all SMB operations must generate an audit event before an ACK is returned to the client and the ope

SV-246936r835228_rule | NAOT-AU-000004 | CCI-000366 | MEDIUM
  Title: ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources.
  Discussion: The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by in

SV-246938r835232_rule | NAOT-AU-000006 | CCI-001890 | MEDIUM
  Title: ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  Discussion: If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC

SV-246939r835234_rule | NAOT-CM-000001 | CCI-001813 | MEDIUM
  Title: ONTAP must enforce access restrictions associated with changes to the device configuration.
  Discussion: Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that

SV-246940r835236_rule | NAOT-CM-000002 | CCI-000370 | HIGH
  Title: ONTAP must be configured to use an authentication server to provide multifactor authentication.
  Discussion: Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrat

SV-246944r835241_rule | NAOT-CM-000007 | CCI-000366 | MEDIUM
  Title: ONTAP must be configured to conduct backups of system level information.
  Discussion: System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backu

SV-246945r835244_rule | NAOT-CM-000008 | CCI-000366 | MEDIUM
  Title: ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  Discussion: Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medi

SV-246946r835246_rule | NAOT-CM-000009 | CCI-000382 | HIGH
  Title: ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
  Discussion: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocol

SV-246947r835248_rule | NAOT-IA-000001 | CCI-000770 | MEDIUM
  Title: ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
  Discussion: To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared ac

SV-246948r835250_rule | NAOT-IA-000002 | CCI-001941 | MEDIUM
  Title: ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts.
  Discussion: A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process

SV-246949r835252_rule | NAOT-IA-000003 | CCI-001967 | MEDIUM
  Title: ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC.
  Discussion: Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of gre

SV-246950r835254_rule | NAOT-IA-000004 | CCI-001967 | MEDIUM
  Title: ONTAP must authenticate NTP sources using authentication that is cryptographically based.
  Discussion: If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled act

SV-246951r835256_rule | NAOT-IA-000005 | CCI-000205 | MEDIUM
  Title: ONTAP must enforce a minimum 15-character password length.
  Discussion: Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a passwor

SV-246952r835259_rule | NAOT-IA-000006 | CCI-000192 | MEDIUM
  Title: ONTAP must enforce password complexity by requiring that at least one uppercase character be used.
  Discussion: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password

SV-246953r835262_rule | NAOT-IA-000007 | CCI-000193 | MEDIUM
  Title: ONTAP must enforce password complexity by requiring that at least one lowercase character be used.
  Discussion: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password

SV-246954r835264_rule | NAOT-IA-000008 | CCI-000194 | MEDIUM
  Title: ONTAP must enforce password complexity by requiring that at least one numeric character be used.
  Discussion: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password

SV-246955r835266_rule | NAOT-IA-000009 | CCI-001619 | MEDIUM
  Title: ONTAP must enforce password complexity by requiring that at least one special character be used.
  Discussion: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password

SV-246958r835271_rule | NAOT-MA-000002 | CCI-000803 | HIGH
  Title: ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.
  Discussion: Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Satisfies: SRG-APP-000412-NDM-000331, SRG-AP

SV-246959r769209_rule | NAOT-SC-000001 | CCI-001133 | HIGH
  Title: ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
  Discussion: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat

SV-246963r835277_rule | NAOT-SC-000005 | CCI-002385 | MEDIUM
  Title: ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks.
  Discussion: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Usually, DoS attacks are assumed to be network related where the attac

SV-246964r835279_rule | NAOT-SI-000001 | CCI-001851 | HIGH
  Title: ONTAP must be configured to send audit log data to a central log server.
  Discussion: The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address
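The listing above gives only rule titles and discussion text, not the check or fix procedures. The following is an added example, not part of the STIG and not NetApp's published guidance: a walk-through of ONTAP 9.x clustershell commands that implement the requirements, grouped by STIG ID. The cluster name "cluster1", the data SVM "svm1", all IP addresses, hostnames, key values and account names are placeholders (assumptions). Option names are from the ONTAP 9 command reference as the editor recalls them; confirm each against your release with "man <command>" before running, and note that some commands require "set -privilege advanced" and that enabling FIPS mode requires a reboot.

```text
# Added example: ONTAP 9.x clustershell hardening mapped to the NAOT rule IDs above.
# Names (cluster1, svm1, 10.0.0.x, key material, user names) are placeholders, not values from the STIG.

# NAOT-IA-000005..000009 and NAOT-AC-000010: 15-char minimum, each character class, 3 failed logons.
# Weak default shown first, corrected policy second.
security login role config show -vserver cluster1 -role admin -fields min-passwd-length,max-failed-login-attempts
security login role config modify -vserver cluster1 -role admin -min-passwd-length 15 -passwd-alphanum enabled -passwd-min-uppercase-chars 1 -passwd-min-lowercase-chars 1 -passwd-min-digits 1 -passwd-min-special-chars 1 -max-failed-login-attempts 3

# NAOT-AC-000001: cap concurrent management sessions per user (verify the subcommand form on your release).
security session limit user show
security session limit user create -interface cli -user admin -max-active-limit 4

# NAOT-AC-000002 and NAOT-SC-000001: one idle timeout of 10 minutes satisfies both the 15-minute lock and the 10-minute termination rule.
system timeout show
system timeout modify -timeout 10

# NAOT-AC-000011: DoD Notice and Consent Banner (insert the full standard text in place of the placeholder).
security login banner modify -vserver cluster1 -message "You are accessing a U.S. Government (USG) Information System (IS) ..."

# NAOT-AC-000004 and NAOT-CM-000001: audit every CLI, ONTAPI and HTTP set request, which covers account enable/unlock and config changes.
security audit modify -cliset on -ontapiset on -httpset on
security audit log show -timestamp >1d

# NAOT-AC-000005: exactly one local password account of last resort; list local password logins and remove extras.
security login show -authentication-method password
security login delete -vserver cluster1 -user-or-group-name extra_admin -application ssh -authentication-method password

# NAOT-CM-000002 and NAOT-IA-000001/000002: admins authenticate individually through AD via a domain tunnel,
# with SSH two-factor (domain + public key). Replay resistance comes from SSH; no shared group accounts.
security login domain-tunnel create -vserver svm1
security login create -vserver cluster1 -user-or-group-name "MIL\\ontap-admins" -application ssh -authentication-method domain -second-authentication-method publickey -role admin

# NAOT-AC-000006 and NAOT-AC-000009: monitoring accounts get a read-only role, never admin.
security login create -vserver cluster1 -user-or-group-name "MIL\\ontap-auditors" -application ssh -authentication-method domain -role readonly

# NAOT-IA-000003: SNMPv3 USM user (the command prompts for engine ID, SHA auth and AES privacy); remove v1/v2c communities.
security login create -vserver cluster1 -user-or-group-name snmpv3mon -application snmp -authentication-method usm -role readonly
system snmp community delete -type ro -community-name public

# NAOT-AU-000004, NAOT-AU-000006 and NAOT-IA-000004: UTC clock, two authenticated NTP servers with a shared key.
cluster date modify -timezone Etc/UTC
cluster time-service ntp key create -id 1 -type shared_secret -value 0123456789abcdef0123456789abcdef
cluster time-service ntp server create -server 10.0.0.10 -key-id 1
cluster time-service ntp server create -server 10.0.0.11 -key-id 1
cluster time-service ntp security modify -is-authentication-enabled true
cluster time-service ntp server show

# NAOT-AU-000001 and NAOT-AU-000003: sized staging/audit volume with rotation, and audit guarantee on the SVM.
vserver audit create -vserver svm1 -destination /audit_log -rotate-size 200MB -rotate-limit 10
vserver audit modify -vserver svm1 -audit-guarantee true
vserver audit enable -vserver svm1

# NAOT-SI-000001: forward the management audit log to a central syslog over TLS (tcp-encrypted), not plain UDP.
cluster log-forwarding create -destination 10.0.0.20 -port 6514 -protocol tcp-encrypted -facility local7
cluster log-forwarding show

# NAOT-CM-000007: scheduled configuration backups to an off-box FTPS/HTTPS target.
system configuration backup settings modify -destination ftps://backup.example.mil/ontap/ -username ontapbkp
system configuration backup settings set-password
system configuration backup settings show

# NAOT-CM-000008: replace the self-signed management certificate with one issued by a DoD CA.
security certificate generate-csr -common-name cluster1.example.mil -size 2048 -hash-function SHA256
security certificate install -vserver cluster1 -type server
security ssl show -vserver cluster1

# NAOT-CM-000009 and NAOT-MA-000002 (advanced privilege): disable cleartext management protocols and enable FIPS mode.
set -privilege advanced
security protocol modify -application telnet -enabled false
security protocol modify -application rsh -enabled false
security config modify -interface SSL -is-fips-enabled true
security config show
set -privilege admin
```

Verify rather than trust each step: after the changes, "security login role config show", "system timeout show", "cluster time-service ntp server show", "cluster log-forwarding show" and "security config show" are the evidence a reviewer will ask for, and a test logon with a 14-character password, or four deliberate failures, confirms the policy is actually enforced rather than merely configured.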