Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

NetApp ONTAP DSC 9.x Security Technical Implementation Guide

V1R2 · · · Released 27 Jul 2022 · 30 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 13 Jul 2021 −13 ✎ 26

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Removed rules 13

  • V-246924 Medium ONTAP must terminate shared/group account credentials when members leave the group.
  • V-246928 Medium ONTAP must enforce organization-defined DAC policies.
  • V-246929 Medium ONTAP must enforce approved authorizations for controlling the flow of management information.
  • V-246934 Medium ONTAP must off-load audit records onto a different system or media.
  • V-246937 Medium ONTAP must use internal system clocks to generate time stamps for audit records.
  • V-246941 Medium ONTAP must be configured to enforce organization-defined mandatory access control policies over all subjects and objects.
  • V-246942 Medium ONTAP must enforce organization-defined role-based access control policies over defined subjects and objects.
  • V-246943 Medium ONTAP must generate log records for a locally developed list of auditable events.
  • V-246956 Medium ONTAP must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
  • V-246957 Medium ONTAP must prohibit the use of cached authenticators.
  • V-246960 Medium ONTAP must recognize only system-generated session identifiers.
  • V-246961 Medium ONTAP must generate unique session identifiers using a FIPS 140-2-approved random number generator.
  • V-246962 High ONTAP must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

Content changes 26

  • V-246923 Medium check ONTAP must be configured to create a session lock after 15 minutes.
  • V-246926 Medium check ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
  • V-246927 High description ONTAP must enforce administrator privileges based on their defined roles.
  • V-246931 Medium checkfix ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
  • V-246932 Medium check ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  • V-246933 Medium descriptioncheckfix ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-246935 Medium descriptioncheckfix ONTAP must have audit guarantee enabled.
  • V-246936 Medium checkfix ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources.
  • V-246938 Medium checkfix ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-246939 Medium check ONTAP must enforce access restrictions associated with changes to the device configuration.
  • V-246940 High check ONTAP must be configured to use an authentication server to provide multifactor authentication.
  • V-246944 Medium check ONTAP must be configured to conduct backups of system level information.
  • V-246945 Medium descriptioncheckfix ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  • V-246946 High check ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
  • V-246947 Medium check ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
  • V-246948 Medium check ONTAP must implement replay-resistant authentication mechanisms for network access to privileges accounts.
  • V-246949 Medium check ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC.
  • V-246950 Medium check ONTAP must authenticate NTP sources using authentication that is cryptographically based.
  • V-246951 Medium check ONTAP must enforce a minimum 15-character password length.
  • V-246952 Medium checkfix ONTAP must enforce password complexity by requiring that at least one uppercase character be used.
  • V-246953 Medium checkfix ONTAP must enforce password complexity by requiring that at least one lowercase character be used.
  • V-246954 Medium check ONTAP must enforce password complexity by requiring that at least one numeric character be used.
  • V-246955 Medium check ONTAP must enforce password complexity by requiring that at least one special character be used.
  • V-246958 High check ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.
  • V-246963 Medium descriptioncheckfix ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks.
  • V-246964 High check ONTAP must be configured to send audit log data to a central log server.
Sort by
b
ONTAP must be configured to limit the number of concurrent sessions.
AC-10 - Medium - CCI-000054 - V-246922 - SV-246922r769098_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
NAOT-AC-000001
Vuln IDs
  • V-246922
Rule IDs
  • SV-246922r769098_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks.
Checks: C-50354r769096_chk

Use "security session limit show -interface cli" to check the concurrent session limit. If the security session limit is not configured to limit the number of concurrent sessions to 1, this is a finding.

Fix: F-50308r769097_fix

Configure session limits with the command, “security session limit modify -max-active-limit 1 -interface cli -category application".

b
ONTAP must be configured to create a session lock after 15 minutes.
AC-11 - Medium - CCI-000057 - V-246923 - SV-246923r835206_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
NAOT-AC-000002
Vuln IDs
  • V-246923
Rule IDs
  • SV-246923r835206_rule
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator re-authenticates. No other system activity aside from re-authentication must unlock the management session. Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. This requirement may only apply to local administrative sessions.
Checks: C-50355r835205_chk

Use "system timeout show" to check the current CLI timeout. If the system timeout is not set to 15 minute(s) or less, this is a finding.

Fix: F-50309r769100_fix

Configure the CLI timeout value to 15 minutes with the command, "system timeout modify -timeout 15".

b
ONTAP must automatically audit account-enabling actions.
AC-2 - Medium - CCI-002130 - V-246925 - SV-246925r769107_rule
RMF Control
AC-2
Severity
M
CCI
CCI-002130
Version
NAOT-AC-000004
Vuln IDs
  • V-246925
Rule IDs
  • SV-246925r769107_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of application user accounts and notifies administrators and Information System Security Officer (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-50357r769105_chk

Use "cluster log-forwarding show" to see if a remote syslog destination is defined for ONTAP. Use commands available on the remote syslog server to check for new account creation or enabling a disabled account. If ONTAP does not automatically audit account-enabling actions, this is a finding.

Fix: F-50311r769106_fix

Use "cluster log-forwarding show" to identify defined ONTAP remote syslog servers. If no remote syslog servers are defined, use "cluster log-forwarding create" to define a syslog destination. On the remote syslog server, use commands available to check for new account creation or enabling a disabled account.

b
ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-246926 - SV-246926r835209_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001358
Version
NAOT-AC-000005
Vuln IDs
  • V-246926
Rule IDs
  • SV-246926r835209_rule
Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-50358r835208_chk

Use "security login show -role admin -authentication-method password" to see the local administrative account. If ONTAP is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

Fix: F-50312r769109_fix

Configure a secure password for the local administrative account with "security login password -username <user_name>".

c
ONTAP must enforce administrator privileges based on their defined roles.
AC-3 - High - CCI-000213 - V-246927 - SV-246927r835210_rule
RMF Control
AC-3
Severity
H
CCI
CCI-000213
Version
NAOT-AC-000006
Vuln IDs
  • V-246927
Rule IDs
  • SV-246927r835210_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device. The access policies must include protecting the data in all three states, i.e. Data at rest, data in use, and data in motion. An example of each state can be seen through the use of a configuration setting or file for ONTAP. When stored, the data is at rest. When the data is being updated either through CLI or some web frontend, the data is in use and when the configuration is being transmitted to the devices being managed, the data is in transit.
Checks: C-50359r769111_chk

Use "security login show" to see all configured users and their roles. Use "security login role show" to see specific commands allowed for each role. If ONTAP does not enforce administrator privileges based on their defined roles, this is a finding.

Fix: F-50313r769112_fix

Configure roles with "security login role create -role <name>" to create new roles, and "security login create -user-or-group-name <user_name> -role <name>" to assign the role to a specific user or group.

c
ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 - High - CCI-002235 - V-246930 - SV-246930r835213_rule
RMF Control
AC-6
Severity
H
CCI
CCI-002235
Version
NAOT-AC-000009
Vuln IDs
  • V-246930
Rule IDs
  • SV-246930r835213_rule
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.
Checks: C-50362r769120_chk

Use "security login role show” to see role-based access policies defined in ONTAP for privileged and unprivileged users. Privileged users have the role of admin. If ONTAP does not prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, this is a finding.

Fix: F-50316r769121_fix

Configure privileged users with "security login create -user-or-group-name <user_name> -role admin". Configure non-privileged users with "security login create -user-or-group-name <user_name> -role <role_name>“where a non-privileged user role other than admin is used.

b
ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
AC-7 - Medium - CCI-000044 - V-246931 - SV-246931r835216_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
NAOT-AC-000010
Vuln IDs
  • V-246931
Rule IDs
  • SV-246931r835216_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-50363r835214_chk

Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver &lt;vserver_name&gt; -role &lt;role_name&gt;" to view the password requirements for each role. If any role has "Maximum Number of Failed Attempts" not set to 3, this is a finding. Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and “Delay after Each Failed Login Attempt". If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes, this is a finding.

Fix: F-50317r835215_fix

Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. For any role that does not have "Maximum Number of Failed Attempts" set to 3, use the command "security login role config modify -role <role_name> -vserver <vserver_name> -max-failed-login-attempts 3".

b
ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-246932 - SV-246932r835218_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
NAOT-AC-000011
Vuln IDs
  • V-246932
Rule IDs
  • SV-246932r835218_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-50364r835217_chk

Use "security login banner show" to see the current login notice and consent banner. If ONTAP is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Fix: F-50318r769127_fix

Configure the Standard Mandatory DoD Notice and Consent Banner with "security login banner modify -message <Standard DoD Notice and Consent Banner>".

b
ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
CM-3 - Medium - CCI-001819 - V-246933 - SV-246933r835221_rule
RMF Control
CM-3
Severity
M
CCI
CCI-001819
Version
NAOT-AU-000001
Vuln IDs
  • V-246933
Rule IDs
  • SV-246933r835221_rule
Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsystem creates the staging volumes. These volumes hold the audit logs until they can be consolidated. Enabling auditing will also enable guaranteed auditing by default. This feature will guarantee audit records are not lost even when a node goes offline or the disk becomes filled. Audit records are stored on staging volumes prior to consolidation and conversion. Staging volumes can only be created by ONTAP and are given volume names that begin with MDV_aud_ followed by the UUID of the aggregate containing the staging volume.
Checks: C-50365r835219_chk

To ensure audit record storage capacity is sufficient, use the command "df MDV*". The output from the command will show the size of the audit volumes, amount used and amount available. Sample output from the command looks like the following: cluster ::&gt; df MDV* Filesystem kbytes used avail capacity Mounted on /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ 1992296 532 1991764 0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ 1992296 384 1991912 0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ 1992296 1992296 0 100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ If any ONTAP volumes show 100 percent capacity, this is a finding.

Fix: F-50319r835220_fix

Increase the size of the volume that is filled using the command "vol size <volume name> <size increase>". To increase vol1 by 500MB, the command would be "vol size vol1 +500m".

b
ONTAP must have audit guarantee enabled.
AU-5 - Medium - CCI-001858 - V-246935 - SV-246935r835225_rule
RMF Control
AU-5
Severity
M
CCI
CCI-001858
Version
NAOT-AU-000003
Vuln IDs
  • V-246935
Rule IDs
  • SV-246935r835225_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee enabled, all SMB operations must generate an audit event before an ACK is returned to the client and the operation completed. If the audit event cannot be written, then the client operation is delayed or denied.
Checks: C-50367r835223_chk

Use "vserver audit show -fields audit-guarantee" to see if audit guarantee is enabled. If audit-guarantee is set to false, this is a finding.

Fix: F-50321r835224_fix

Use the command "vserver audit modify -vserver <vserver_name> -destination <audit log location> -audit-guarantee true" to set audit-guarantee to true. An example command for a vserver named svm01 with the audit logs at /audit_log would be "vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee true". Use the command "vserver audit show -fields audit-guarantee" to verify the change.

b
ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-246936 - SV-246936r835228_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
NAOT-AU-000004
Vuln IDs
  • V-246936
Rule IDs
  • SV-246936r835228_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-50368r835226_chk

Use "cluster time-service ntp server show" to see the current network time protocol configuration for ONTAP and ensure there are at least three ntp servers defined. If ONTAP is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

Fix: F-50322r835227_fix

Configure network time protocol for ONTAP with "cluster time-service ntp server create -server <IP address>" to add new ntp servers. Up to 10 servers can be defined.

b
ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-246938 - SV-246938r835232_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001890
Version
NAOT-AU-000006
Vuln IDs
  • V-246938
Rule IDs
  • SV-246938r835232_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-50370r835230_chk

Use "cluster date show" to see the current time zone configured. If ONTAP is not configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), this is a finding.

Fix: F-50324r835231_fix

Configure the time zone to UTC with "cluster date modify -timezone UTC".

b
ONTAP must enforce access restrictions associated with changes to the device configuration.
CM-5 - Medium - CCI-001813 - V-246939 - SV-246939r835234_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001813
Version
NAOT-CM-000001
Vuln IDs
  • V-246939
Rule IDs
  • SV-246939r835234_rule
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device could potentially have significant effects on the overall security of the device. Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Checks: C-50371r835233_chk

Use "security login show -role admin" to see users with administrative privilege that allow device configuration. If ONTAP does not enforce access restrictions associated with changes to the device configuration, this is a finding.

Fix: F-50325r769148_fix

Configure users with administrative privilege that allows device configuration with "security login create -user-or-group-name <user_name> -role admin".

c
ONTAP must be configured to use an authentication server to provide multifactor authentication.
CM-6 - High - CCI-000370 - V-246940 - SV-246940r835236_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000370
Version
NAOT-CM-000002
Vuln IDs
  • V-246940
Rule IDs
  • SV-246940r835236_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000149-NDM-000247, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263
Checks: C-50372r835235_chk

Use "security login show -authentication-method domain" to see users configured to authenticate with Active Directory. If ONTAP is not configured to use an authentication server, this is a finding.

Fix: F-50326r769151_fix

Configure ONTAP to make use of Active Directory to authenticate users and prohibit the use of cached authenticators with "security login create -user-or-group-name <user or group name> -authentication-method domain -application ssh".

b
ONTAP must be configured to conduct backups of system level information.
CM-6 - Medium - CCI-000366 - V-246944 - SV-246944r835241_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
NAOT-CM-000007
Vuln IDs
  • V-246944
Rule IDs
  • SV-246944r835241_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-50376r835240_chk

Use "set -privilege advanced" reply "y" to continue and "system configuration backup show" to see if ONTAP is configured for system backups. If ONTAP is not configured to conduct backups of system-level data when changes occur, this is a finding.

Fix: F-50330r769163_fix

Configure ONTAP to conduct backups of system level information with "set -privilege advanced" reply "y" to continue and "system configuration backup create -node <node_name> -backup-type cluster -backup-name <name>".

b
ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
CM-6 - Medium - CCI-000366 - V-246945 - SV-246945r835244_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
NAOT-CM-000008
Vuln IDs
  • V-246945
Rule IDs
  • SV-246945r835244_rule
Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice.
Checks: C-50377r835242_chk

Use the command "security certificate show -instance -type client-ca" to show information about the ca-certificates that are installed. If any of the certificates have the name or identifier of a non-approved source in the Issuer field, this is a finding.

Fix: F-50331r835243_fix

Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the http://iase.disa.mil/ website for procedures for NIPRNet and SIPRNet. RSA: request security pki generate-key-pair certificate-id <cert name> type rsa size <512 | 1024 | 2048 | 4096> ECDSA: request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384> Generate a CSR from RSA key-pair using the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> Generate a CSR from ECDSA key-pair use the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> If no filename is specified, the CSR is displayed on the standard out (terminal) After receiving the approved certificate from the CA, install the certificate with the command "security certificate install -type client-ca -vserver <vserver_name>".

c
ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
CM-7 - High - CCI-000382 - V-246946 - SV-246946r835246_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000382
Version
NAOT-CM-000009
Vuln IDs
  • V-246946
Rule IDs
  • SV-246946r835246_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Checks: C-50378r835245_chk

Use "system services firewall policy show" to see all of the configured firewall policies defined in ONTAP. Use "network interface show -fields firewall-policy" to see which network logical interfaces (LIFs) have which firewall policies configured. Note: Because the cluster LIF is completely open with no configurable firewall policy, it must be on a private IP subnet on a secure isolated network. If ONTAP is not configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.

Fix: F-50332r769169_fix

Configure ONTAP new or modify ONTAP firewall policies with "system services firewall policy create or modify" to allow specific IP addresses to access specific network services or ports. Configure logical interfaces to use firewall policies with "network interface modify -firewall-policy <firewall_policy_name> -lif <logical_interface_name>".

b
ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
IA-2 - Medium - CCI-000770 - V-246947 - SV-246947r835248_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
NAOT-IA-000001
Vuln IDs
  • V-246947
Rule IDs
  • SV-246947r835248_rule
To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.
Checks: C-50379r835247_chk

Use "security login show -role admin -authentication-method domain" to see all configured admin users and groups that authenticate using active directory. If ONTAP is not configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role, this is a finding.

Fix: F-50333r769172_fix

Configure new administrator active directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".

b
ONTAP must implement replay-resistant authentication mechanisms for network access to privileges accounts.
IA-2 - Medium - CCI-001941 - V-246948 - SV-246948r835250_rule
RMF Control
IA-2
Severity
M
CCI
CCI-001941
Version
NAOT-IA-000002
Vuln IDs
  • V-246948
Rule IDs
  • SV-246948r835250_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-50380r835249_chk

Use "security login show -role admin" to see all configured admin users and groups. If any account, other than the admin account used as the account of last resort, has an authentication method other than domain, this is a finding.

Fix: F-50334r769175_fix

Configure new administrator active directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".

b
ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC.
IA-3 - Medium - CCI-001967 - V-246949 - SV-246949r835252_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
NAOT-IA-000003
Vuln IDs
  • V-246949
Rule IDs
  • SV-246949r835252_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-50381r835251_chk

Validate that SNMP is enabled using the command "options -option-name snmp*". If snmp.enable and snmp.san.enable are set to "off", then SNMP is not enabled and this requirement is not applicable. Use "security snmpusers -authmethod usm" to see snmpV3 users using FIPS-validated Keyed-HMAC. If ONTAP is not configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC, this is a finding.

Fix: F-50335r769178_fix

Configure a snmpV3 user using FIPS-validated Keyed-HMAC with "security login create -user-or-group-name snmptest2 -application snmp -authentication-method usm". Enter the authoritative entity's EngineID [local EngineID]: Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha2-256 Enter the authentication protocol password (minimum 8 characters long): Enter the authentication protocol password again: Which privacy protocol do you want to choose (none, des, aes128) [none]: aes128.

b
ONTAP must authenticate NTP sources using authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-246950 - SV-246950r835254_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
NAOT-IA-000004
Vuln IDs
  • V-246950
Rule IDs
  • SV-246950r835254_rule
If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-50382r835253_chk

Use "cluster time-service ntp server show" to see authenticated NTP sources using authentication that is cryptographically based. If any of the NTP servers listed has the field "Is Authentication Enabled" set to false, this is a finding.

Fix: F-50336r769181_fix

Configure an authenticated NTP source using authentication that is cryptographically based with "cluster time-service ntp server create -server <ip_address> -key-id <NTP_Symmetric_Authentication_Key_ID>".

b
ONTAP must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-246951 - SV-246951r835256_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
NAOT-IA-000005
Vuln IDs
  • V-246951
Rule IDs
  • SV-246951r835256_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-50383r835255_chk

Use "security login role config show -role admin -fields passwd-minlength" to see the minimum password length for the role admin. If ONTAP is not configured to enforce a minimum 15-character password length, this is a finding.

Fix: F-50337r769184_fix

Configure the minimum password length for the role admin to 15 with "security login role config modify -role admin -passwd-minlength 15".

b
ONTAP must enforce password complexity by requiring that at least one uppercase character be used.
IA-5 - Medium - CCI-000192 - V-246952 - SV-246952r835259_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000192
Version
NAOT-IA-000006
Vuln IDs
  • V-246952
Rule IDs
  • SV-246952r835259_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50384r835257_chk

Use "security login role config show -role admin -fields passwd-min-uppercase-chars" to see the minimum number of uppercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Fix: F-50338r835258_fix

Configure ONTAP to enforce password complexity by requiring that at least one uppercase character be used for the role admin with "security login role config modify -role admin -passwd-min-uppercase-chars 1".

b
ONTAP must enforce password complexity by requiring that at least one lowercase character be used.
IA-5 - Medium - CCI-000193 - V-246953 - SV-246953r835262_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000193
Version
NAOT-IA-000007
Vuln IDs
  • V-246953
Rule IDs
  • SV-246953r835262_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50385r835260_chk

Use "security login role config show -role admin -fields passwd-min-lowercase-chars" to see the minimum number of lowercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.

Fix: F-50339r835261_fix

Configure ONTAP to enforce password complexity by requiring that at least one lowercase character be used for the role admin with "security login role config modify -role admin -passwd-min-lowercase-chars 1".

b
ONTAP must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-246954 - SV-246954r835264_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000194
Version
NAOT-IA-000008
Vuln IDs
  • V-246954
Rule IDs
  • SV-246954r835264_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50386r835263_chk

Use "security login role config show -role admin -fields passwd-alphanum" to see at least one letter and one number are required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Fix: F-50340r769193_fix

Configure ONTAP to enforce password complexity by requiring that at least one numeric character be used with "security login role config modify -role admin -passwd-alphanum enabled".

b
ONTAP must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-246955 - SV-246955r835266_rule
RMF Control
IA-5
Severity
M
CCI
CCI-001619
Version
NAOT-IA-000009
Vuln IDs
  • V-246955
Rule IDs
  • SV-246955r835266_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50387r835265_chk

Use "security login role config show -role admin -fields passwd-min-special-chars" to see the minimum number of special characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.

Fix: F-50341r769196_fix

Configure ONTAP to enforce password complexity by requiring that at least one special character be used with "security login role config modify -role admin -passwd-min-special-chars 1".

c
ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.
IA-7 - High - CCI-000803 - V-246958 - SV-246958r835271_rule
RMF Control
IA-7
Severity
H
CCI
CCI-000803
Version
NAOT-MA-000002
Vuln IDs
  • V-246958
Rule IDs
  • SV-246958r835271_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Satisfies: SRG-APP-000412-NDM-000331, SRG-APP-000411-NDM-000330, SRG-APP-000179-NDM-000265
Checks: C-50390r835270_chk

Use "set -privilege advanced" reply "y" to continue and "security config show" to see if cluster FIPS mode is true. If ONTAP is not configured to implement cryptographic mechanisms using FIPS 140-2, this is a finding.

Fix: F-50344r769205_fix

Configure ONTAP to use cryptographic mechanisms with "set -privilege advanced" reply "y" to continue and "security config modify -is-fips-enabled true".

c
ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-246959 - SV-246959r769209_rule
RMF Control
SC-10
Severity
H
CCI
CCI-001133
Version
NAOT-SC-000001
Vuln IDs
  • V-246959
Rule IDs
  • SV-246959r769209_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-50391r769207_chk

Use "system timeout show" to see the session timeout in minutes. If ONTAP does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.

Fix: F-50345r769208_fix

Configure ONTAP to timeout idle sessions after 10 minutes with "system timeout modify -timeout 10".

b
ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks.
SC-5 - Medium - CCI-002385 - V-246963 - SV-246963r835277_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
NAOT-SC-000005
Vuln IDs
  • V-246963
Rule IDs
  • SV-246963r835277_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Usually, DoS attacks are assumed to be network related where the attacker floods the network with traffic that causes legitimate network traffic to be either slowed or blocked. For a storage device, a DoS attack can also occur when an attacker is able to make the data on the disks unreadable, thus unavailable, to the customer. This is a common attack used by ransomware where the attacker encrypts the data on the drives requesting payment for the unencryption key. By using data authentication keys, an attacker is unable to read or write data to the drives. It is also important to make sure the mode of the drives is set to full, otherwise only some of the data on the drive is protected.
Checks: C-50395r835275_chk

Validate that a data authentication key has been assigned using the command "storage encryption disk show". If any of the disks has a mode other than "full" or the Data Key ID is missing, this is a finding.

Fix: F-50349r835276_fix

Configure ONTAP to use a data authentication key for access with the command "storage encryption disk modify -disk <disk_ID> -data-key-id <key-ID>" where disk_ID is the disk and key_ID is the data authentication key. To verify the key is set, use the command "storage encryption disk show -disk <disk_ID>". The command will show the data mode. The mode must be set to full. If the mode is not set to full, use the command "disk modify -disk <disk_ID> -protection-mode full" to set the mode to full. Validate the mode changed using the command "storage encryption disk show -disk <disk_ID>".

c
ONTAP must be configured to send audit log data to a central log server.
AU-4 - High - CCI-001851 - V-246964 - SV-246964r835279_rule
RMF Control
AU-4
Severity
H
CCI
CCI-001851
Version
NAOT-SI-000001
Vuln IDs
  • V-246964
Rule IDs
  • SV-246964r835279_rule
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
Checks: C-50396r835278_chk

Use "cluster log-forwarding show" to see if audit logs are being sent to a remote logging server. Sample output from the command: Verify Syslog Destination Host Port Protocol Server Facility ------------------------ ------ ----------------------- -------- -------- 192.168.0.1 514 udp-unencrypted false user If no remote logging servers are listed, this is a finding.

Fix: F-50350r769223_fix

Configure ONTAP for remote syslogging with "cluster log-forwarding create -destination <hostname_or_ip_address>".