NetApp ONTAP DSC 9.x Security Technical Implementation Guide

  • Version/Release: V1R4
  • Published: 2024-02-05

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
ONTAP must be configured to limit the number of concurrent sessions.
AC-10 - Medium - CCI-000054 - V-246922 - SV-246922r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
NAOT-AC-000001
Vuln IDs
  • V-246922
Rule IDs
  • SV-246922r879511_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks.
Checks: C-50354r769096_chk

Use "security session limit show -interface cli" to check the concurrent session limit. If the security session limit is not configured to limit the number of concurrent sessions to 1, this is a finding.

Fix: F-50308r769097_fix

Configure session limits with the command, "security session limit modify -max-active-limit 1 -interface cli -category application".

ONTAP must be configured to create a session lock after 15 minutes.
AC-11 - Medium - CCI-000057 - V-246923 - SV-246923r879513_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
NAOT-AC-000002
Vuln IDs
  • V-246923
Rule IDs
  • SV-246923r879513_rule
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator re-authenticates. No other system activity aside from re-authentication must unlock the management session. Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. This requirement may only apply to local administrative sessions.
Checks: C-50355r835205_chk

Use "system timeout show" to check the current CLI timeout. If the system timeout is not set to 15 minute(s) or less, this is a finding.

Fix: F-50309r769100_fix

Configure the CLI timeout value to 15 minutes with the command, "system timeout modify -timeout 15".

ONTAP must automatically audit account-enabling actions.
AC-2 - Medium - CCI-002130 - V-246925 - SV-246925r879696_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
NAOT-AC-000004
Vuln IDs
  • V-246925
Rule IDs
  • SV-246925r879696_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of application user accounts and notifies administrators and Information System Security Officer (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-50357r769105_chk

Use "cluster log-forwarding show" to see if a remote syslog destination is defined for ONTAP. Use commands available on the remote syslog server to check for new account creation or enabling a disabled account. If ONTAP does not automatically audit account-enabling actions, this is a finding.

Fix: F-50311r769106_fix

Use "cluster log-forwarding show" to identify defined ONTAP remote syslog servers. If no remote syslog servers are defined, use "cluster log-forwarding create" to define a syslog destination. On the remote syslog server, use commands available to check for new account creation or enabling a disabled account.

ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-246926 - SV-246926r879589_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
NAOT-AC-000005
Vuln IDs
  • V-246926
Rule IDs
  • SV-246926r879589_rule
Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-50358r860671_chk

Use "security login show -role admin -authentication-method password" to see the local administrative account. If ONTAP is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

Fix: F-50312r769109_fix

Configure a secure password for the local administrative account with "security login password -username <user_name>".

ONTAP must enforce administrator privileges based on their defined roles.
AC-3 - High - CCI-000213 - V-246927 - SV-246927r879530_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
NAOT-AC-000006
Vuln IDs
  • V-246927
Rule IDs
  • SV-246927r879530_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device. The access policies must include protecting the data in all three states, i.e., data at rest, data in use, and data in motion. An example of each state can be seen through the use of a configuration setting or file for ONTAP. When stored, the data is at rest. When the data is being updated either through the CLI or some web frontend, the data is in use, and when the configuration is being transmitted to the devices being managed, the data is in transit.
Checks: C-50359r769111_chk

Use "security login show" to see all configured users and their roles. Use "security login role show" to see specific commands allowed for each role. If ONTAP does not enforce administrator privileges based on their defined roles, this is a finding.

Fix: F-50313r769112_fix

Configure roles with "security login role create -role <name>" to create new roles, and "security login create -user-or-group-name <user_name> -role <name>" to assign the role to a specific user or group.

ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 - High - CCI-002235 - V-246930 - SV-246930r879717_rule
RMF Control
AC-6
Severity
High
CCI
CCI-002235
Version
NAOT-AC-000009
Vuln IDs
  • V-246930
Rule IDs
  • SV-246930r879717_rule
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.
Checks: C-50362r769120_chk

Use "security login role show" to see role-based access policies defined in ONTAP for privileged and unprivileged users. Privileged users have the role of admin. If ONTAP does not prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, this is a finding.

Fix: F-50316r769121_fix

Configure privileged users with "security login create -user-or-group-name <user_name> -role admin". Configure non-privileged users with "security login create -user-or-group-name <user_name> -role <role_name>" where a non-privileged user role other than admin is used.

ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
AC-7 - Medium - CCI-000044 - V-246931 - SV-246931r879546_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
NAOT-AC-000010
Vuln IDs
  • V-246931
Rule IDs
  • SV-246931r879546_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-50363r877994_chk

Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. If any role has "Maximum Number of Failed Attempts" not set to "3", this is a finding. Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and "Lockout Duration". Note: Lockout duration is set by default to lockout for one day or until unlocked by an administrator. It cannot be set to less than one day. If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, this is a finding.

Fix: F-50317r877995_fix

Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. For any role that does not have "Maximum Number of Failed Attempts" set to "3", use the command "security login role config modify -role <role_name> -vserver <vserver_name> -max-failed-login-attempts 3".

ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-246932 - SV-246932r879547_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
NAOT-AC-000011
Vuln IDs
  • V-246932
Rule IDs
  • SV-246932r879547_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-50364r835217_chk

Use "security login banner show" to see the current login notice and consent banner. If ONTAP is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Fix: F-50318r769127_fix

Configure the Standard Mandatory DoD Notice and Consent Banner with "security login banner modify -message <Standard DoD Notice and Consent Banner>".

ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
AU-4 - Medium - CCI-001849 - V-246933 - SV-246933r879730_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
NAOT-AU-000001
Vuln IDs
  • V-246933
Rule IDs
  • SV-246933r879730_rule
Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsystem creates the staging volumes. These volumes hold the audit logs until they can be consolidated. Enabling auditing will also enable guaranteed auditing by default. This feature will guarantee audit records are not lost even when a node goes offline or the disk becomes filled. Audit records are stored on staging volumes prior to consolidation and conversion. Staging volumes can only be created by ONTAP and are given volume names that begin with MDV_aud_ followed by the UUID of the aggregate containing the staging volume.
Checks: C-50365r860675_chk

To ensure audit record storage capacity is sufficient, use the command "df MDV*". The output from the command will show the size of the audit volumes, the amount used, and the amount available. Sample output from the command looks like the following:

cluster::> df MDV*
Filesystem                                        kbytes     used    avail capacity Mounted on
/vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/   1992296      532  1991764       0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/
/vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/   1992296      384  1991912       0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/
/vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/   1992296  1992296        0     100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/

If any ONTAP volumes show 100 percent capacity, this is a finding.
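As an added example (not part of the STIG), the following Python script parses "df MDV*" output in the form shown above and applies this check's rule: any MDV_aud_ staging volume at 100 percent capacity is a finding. The sample output is constructed here to match the check text; the threshold parameter is an assumption added so the same parser can also warn before a volume fills.

```python
"""Evaluate ONTAP "df MDV*" output against the AU-4 audit-storage check.

Added example for this STIG page; the parser and threshold logic are not
NetApp's or DISA's own code.
"""
import re
from typing import NamedTuple

# Constructed sample output in the layout the check text shows. The volume
# names are the page's own MDV_aud_<aggregate UUID> examples.
SAMPLE_DF_OUTPUT = """\
cluster::> df MDV*
Filesystem                                        kbytes     used    avail capacity Mounted on
/vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/   1992296      532  1991764       0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/
/vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/   1992296      384  1991912       0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/
/vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/   1992296  1992296        0     100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/
"""


class AuditVolume(NamedTuple):
    name: str          # volume name without the /vol/ prefix or trailing slash
    kbytes: int
    used: int
    avail: int
    capacity_pct: int  # the "capacity" column as printed by df


# One data row: filesystem, three integer columns, "NN%", and the mount point.
# The prompt line and the header line do not match and are skipped.
_ROW = re.compile(
    r"^(?P<fs>/vol/\S+)\s+(?P<kbytes>\d+)\s+(?P<used>\d+)\s+(?P<avail>\d+)"
    r"\s+(?P<cap>\d+)%\s+\S+\s*$"
)


def parse_df(output: str) -> list[AuditVolume]:
    """Turn df output into AuditVolume rows, ignoring prompt/header lines."""
    volumes = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        name = m.group("fs").removeprefix("/vol/").rstrip("/")
        volumes.append(AuditVolume(name, int(m.group("kbytes")), int(m.group("used")),
                                   int(m.group("avail")), int(m.group("cap"))))
    return volumes


def full_audit_volumes(output: str, threshold_pct: int = 100) -> list[str]:
    """Names of MDV_aud_* staging volumes at or above threshold_pct.

    The STIG rule is the default (100%); a lower threshold is an assumption
    useful for early warning, not part of the check itself.
    """
    return [v.name for v in parse_df(output)
            if v.name.startswith("MDV_aud_") and v.capacity_pct >= threshold_pct]


def is_finding(output: str) -> bool:
    """True when the AU-4 check would be a finding for this df output."""
    return bool(full_audit_volumes(output))


def fix_command(volume: str, increase: str = "+500m") -> str:
    """The "vol size" command form given in the STIG fix text."""
    return f"vol size {volume} {increase}"


def report(output: str) -> list[str]:
    """Human-readable line per staging volume, with the fix command when full."""
    lines = []
    for v in parse_df(output):
        status = "FULL (finding)" if v.capacity_pct >= 100 else "ok"
        line = f"{v.name}: {v.capacity_pct}% used, {v.avail} kB free: {status}"
        if v.capacity_pct >= 100:
            line += f"; fix: {fix_command(v.name)}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DF_OUTPUT)))
    print("Finding:", is_finding(SAMPLE_DF_OUTPUT))
```

In production the script would read the output of "df MDV*" captured over SSH instead of the constructed sample.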

Fix: F-50319r860676_fix

Increase the size of the volume that is filled using the command "vol size <volume name> <size increase>". To increase vol1 by 500MB, the command would be "vol size vol1 +500m".

ONTAP must have audit guarantee enabled.
AU-5 - Medium - CCI-001858 - V-246935 - SV-246935r879733_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
NAOT-AU-000003
Vuln IDs
  • V-246935
Rule IDs
  • SV-246935r879733_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee enabled, all SMB operations must generate an audit event before an ACK is returned to the client and the operation completed. If the audit event cannot be written, then the client operation is delayed or denied.
Checks: C-50367r856966_chk

Use "vserver audit show -fields audit-guarantee" to see if audit guarantee is enabled. If audit-guarantee is set to false, this is a finding.

Fix: F-50321r856967_fix

Use the command "vserver audit modify -vserver <vserver_name> -destination <audit log location> -audit-guarantee true" to set audit-guarantee to true. An example command for a vserver named svm01 with the audit logs at /audit_log would be "vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee true". Use the command "vserver audit show -fields audit-guarantee" to verify the change.

ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources.
AU-8 - Medium - CCI-001893 - V-246936 - SV-246936r945865_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001893
Version
NAOT-AU-000004
Vuln IDs
  • V-246936
Rule IDs
  • SV-246936r945865_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-50368r945864_chk

Use "cluster time-service ntp server show" to view the current network time protocol configuration for ONTAP and ensure at least two ntp servers are defined. If ONTAP is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

Fix: F-50322r860679_fix

Configure network time protocol for ONTAP with "cluster time-service ntp server create -server <IP address>" to add new ntp servers. Up to 10 servers can be defined.

ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-246938 - SV-246938r879747_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
NAOT-AU-000006
Vuln IDs
  • V-246938
Rule IDs
  • SV-246938r879747_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-50370r860681_chk

Use "cluster date show" to see the current time zone configured. If ONTAP is not configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), this is a finding.

Fix: F-50324r860682_fix

Configure the time zone to UTC with "cluster date modify -timezone UTC".

ONTAP must enforce access restrictions associated with changes to the device configuration.
CM-5 - Medium - CCI-001813 - V-246939 - SV-246939r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
NAOT-CM-000001
Vuln IDs
  • V-246939
Rule IDs
  • SV-246939r879753_rule
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device could potentially have significant effects on the overall security of the device. Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Checks: C-50371r860684_chk

Use "security login show -role admin" to see users with administrative privilege that allow device configuration. If ONTAP does not enforce access restrictions associated with changes to the device configuration, this is a finding.

Fix: F-50325r769148_fix

Configure users with administrative privilege that allows device configuration with "security login create -user-or-group-name <user_name> -role admin".

ONTAP must be configured to use an authentication server to provide multifactor authentication.
CM-6 - High - CCI-000370 - V-246940 - SV-246940r916111_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
NAOT-CM-000002
Vuln IDs
  • V-246940
Rule IDs
  • SV-246940r916111_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000149-NDM-000247, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263
Checks: C-50372r835235_chk

Use "security login show -authentication-method domain" to see users configured to authenticate with Active Directory. If ONTAP is not configured to use an authentication server, this is a finding.

Fix: F-50326r769151_fix

Configure ONTAP to make use of Active Directory to authenticate users and prohibit the use of cached authenticators with "security login create -user-or-group-name <user or group name> -authentication-method domain -application ssh".

ONTAP must be configured to conduct backups of system level information.
CP-9 - Medium - CCI-000537 - V-246944 - SV-246944r916221_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000537
Version
NAOT-CM-000007
Vuln IDs
  • V-246944
Rule IDs
  • SV-246944r916221_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-50376r835240_chk

Use "set -privilege advanced" (reply "y" to continue) and then "system configuration backup show" to see if ONTAP is configured for system backups. If ONTAP is not configured to conduct backups of system-level data when changes occur, this is a finding.

Fix: F-50330r769163_fix

Configure ONTAP to conduct backups of system-level information with "set -privilege advanced" (reply "y" to continue) and then "system configuration backup create -node <node_name> -backup-type cluster -backup-name <name>".

ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
SC-17 - Medium - CCI-001159 - V-246945 - SV-246945r945868_rule
RMF Control
SC-17
Severity
Medium
CCI
CCI-001159
Version
NAOT-CM-000008
Vuln IDs
  • V-246945
Rule IDs
  • SV-246945r945868_rule
Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice.
Checks: C-50377r945866_chk

Use the command "security certificate show -instance -type client-ca" to show information about the ca-certificates that are installed. If any of the certificates have the name or identifier of a nonapproved source in the Issuer field, this is a finding.

Fix: F-50331r945867_fix

Generate a new key-pair from a DOD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil website for procedures for NIPRNet and SIPRNet.

RSA:
request security pki generate-key-pair certificate-id <cert name> type rsa size <512 | 1024 | 2048 | 4096>

ECDSA:
request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384>

Generate a CSR from the RSA key-pair using the following command and options.
request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject "CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>" filename <path/filename>

Generate a CSR from the ECDSA key-pair using the following command and options.
request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject "CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>" filename <path/filename>

If no filename is specified, the CSR is displayed on standard out (the terminal). After receiving the approved certificate from the CA, install the certificate with the command "security certificate install -type client-ca -vserver <vserver_name>". For SSH accounts, apply the public key from the cert to the user account with the following command.
security login publickey create -vserver <vserver name> -username <username> -index 0 -publickey "ssh-rsa <cert_text>"

ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
CM-7 - High - CCI-000382 - V-246946 - SV-246946r879588_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
NAOT-CM-000009
Vuln IDs
  • V-246946
Rule IDs
  • SV-246946r879588_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Checks: C-50378r878001_chk

Use "network interface service-policy show" to see all of the configured service policies defined in ONTAP. Use "network interface show -fields service-policy" to see which network logical interfaces (LIFs) have which service policies configured. If ONTAP cannot be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.

Fix: F-50332r878002_fix

Create new or modify existing ONTAP service policies with "network interface service-policy create" or "network interface service-policy modify" to allow specific IP addresses to access specific network services. Configure logical interfaces to use service policies with "network interface modify -service-policy <service_policy_name> -lif <logical_interface_name>".

ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
IA-2 - Medium - CCI-000770 - V-246947 - SV-246947r879594_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
NAOT-IA-000001
Vuln IDs
  • V-246947
Rule IDs
  • SV-246947r879594_rule
To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.
Checks: C-50379r835247_chk

Use "security login show -role admin -authentication-method domain" to see all configured admin users and groups that authenticate using Active Directory. If ONTAP is not configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role, this is a finding.

Fix: F-50333r769172_fix

Configure new administrator Active Directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".

ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-246948 - SV-246948r879597_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
NAOT-IA-000002
Vuln IDs
  • V-246948
Rule IDs
  • SV-246948r879597_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-50380r860686_chk

Use "security login show -role admin" to see all configured admin users and groups. If any account, other than the admin account used as the account of last resort, has an authentication method other than domain, this is a finding.

Fix: F-50334r769175_fix

Configure new administrator Active Directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".

ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC.
IA-3 - Medium - CCI-001967 - V-246949 - SV-246949r879768_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
NAOT-IA-000003
Vuln IDs
  • V-246949
Rule IDs
  • SV-246949r879768_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-50381r860688_chk

Validate that SNMP is enabled using the command "options -option-name snmp*". If snmp.enable and snmp.san.enable are set to "off", then SNMP is not enabled and this requirement is not applicable. Use "security snmpusers -authmethod usm" to see SNMPv3 users using FIPS-validated Keyed-HMAC. If ONTAP is not configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC, this is a finding.

Fix: F-50335r769178_fix

Configure an SNMPv3 user using FIPS-validated Keyed-HMAC with "security login create -user-or-group-name snmptest2 -application snmp -authentication-method usm", answering the prompts as follows:

Enter the authoritative entity's EngineID [local EngineID]:
Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha2-256
Enter the authentication protocol password (minimum 8 characters long):
Enter the authentication protocol password again:
Which privacy protocol do you want to choose (none, des, aes128) [none]: aes128

ONTAP must authenticate NTP sources using authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-246950 - SV-246950r879768_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
NAOT-IA-000004
Vuln IDs
  • V-246950
Rule IDs
  • SV-246950r879768_rule
If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-50382r860690_chk

Use "cluster time-service ntp server show" to see authenticated NTP sources using authentication that is cryptographically based. If any of the NTP servers listed has the field "Is Authentication Enabled" set to false, this is a finding.

Fix: F-50336r769181_fix

Configure an authenticated NTP source using authentication that is cryptographically based with "cluster time-service ntp server create -server <ip_address> -key-id <NTP_Symmetric_Authentication_Key_ID>".

ONTAP must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-246951 - SV-246951r945870_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
NAOT-IA-000005
Vuln IDs
  • V-246951
Rule IDs
  • SV-246951r945870_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-50383r835255_chk

Use "security login role config show -role admin -fields passwd-minlength" to see the minimum password length for the role admin. If ONTAP is not configured to enforce a minimum 15-character password length, this is a finding.

Fix: F-50337r945869_fix

Configure the minimum password length for the role admin to 15 with "security login role config modify -vserver <vserver name> -role admin -passwd-minlength 15".

ONTAP must enforce password complexity by requiring that at least one uppercase character be used.
IA-5 - Medium - CCI-000192 - V-246952 - SV-246952r879603_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
NAOT-IA-000006
Vuln IDs
  • V-246952
Rule IDs
  • SV-246952r879603_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50384r835257_chk

Use "security login role config show -role admin -fields passwd-min-uppercase-chars" to see the minimum number of uppercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Fix: F-50338r835258_fix

Configure ONTAP to enforce password complexity by requiring that at least one uppercase character be used for the role admin with "security login role config modify -role admin -passwd-min-uppercase-chars 1".

ONTAP must enforce password complexity by requiring that at least one lowercase character be used.
IA-5 - Medium - CCI-000193 - V-246953 - SV-246953r879604_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
NAOT-IA-000007
Vuln IDs
  • V-246953
Rule IDs
  • SV-246953r879604_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50385r835260_chk

Use "security login role config show -role admin -fields passwd-min-lowercase-chars" to see the minimum number of lowercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.

Fix: F-50339r835261_fix

Configure ONTAP to enforce password complexity by requiring that at least one lowercase character be used for the role admin with "security login role config modify -role admin -passwd-min-lowercase-chars 1".

ONTAP must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-246954 - SV-246954r879605_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
NAOT-IA-000008
Vuln IDs
  • V-246954
Rule IDs
  • SV-246954r879605_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50386r835263_chk

Use "security login role config show -role admin -fields passwd-alphanum" to see whether at least one letter and one number are required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Fix: F-50340r769193_fix

Configure ONTAP to enforce password complexity by requiring that at least one numeric character be used with "security login role config modify -role admin -passwd-alphanum enabled".

ONTAP must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-246955 - SV-246955r879606_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
NAOT-IA-000009
Vuln IDs
  • V-246955
Rule IDs
  • SV-246955r879606_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-50387r835265_chk

Use "security login role config show -role admin -fields passwd-min-special-chars" to see the minimum number of special characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.

Fix: F-50341r769196_fix

Configure ONTAP to enforce password complexity by requiring that at least one special character be used with "security login role config modify -role admin -passwd-min-special-chars 1".

ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.
IA-7 - High - CCI-000803 - V-246958 - SV-246958r945872_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
NAOT-MA-000002
Vuln IDs
  • V-246958
Rule IDs
  • SV-246958r945872_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Satisfies: SRG-APP-000412-NDM-000331, SRG-APP-000411-NDM-000330, SRG-APP-000179-NDM-000265
Checks: C-50390r860692_chk

Use "set -privilege advanced", reply "y" to continue, and then use "security config show" to see whether cluster FIPS mode is true. If ONTAP is not configured to implement cryptographic mechanisms using FIPS 140-2, this is a finding.

Fix: F-50344r945871_fix

Configure ONTAP to use FIPS 140-2 cryptographic mechanisms with "set -privilege advanced", reply "y" to continue, and then run "security config modify -is-fips-enabled true -interface SSL".

ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-246959 - SV-246959r916342_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
NAOT-SC-000001
Vuln IDs
  • V-246959
Rule IDs
  • SV-246959r916342_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-50391r769207_chk

Use "system timeout show" to see the session timeout in minutes. If ONTAP does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.

Fix: F-50345r769208_fix

Configure ONTAP to timeout idle sessions after 10 minutes with "system timeout modify -timeout 10".

ONTAP must be configured to send audit log data to a central log server.
AU-4 - High - CCI-001851 - V-246964 - SV-246964r916114_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
NAOT-SI-000001
Vuln IDs
  • V-246964
Rule IDs
  • SV-246964r916114_rule
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security, enabling the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.
Checks: C-50396r860697_chk

Use "cluster log-forwarding show" to see if audit logs are being sent to a remote logging server. Sample output from the command:

                                                        Verify   Syslog
Destination Host         Port   Protocol                Server   Facility
------------------------ ------ ----------------------- -------- --------
192.168.0.1              514    udp-unencrypted         false    user

If no remote logging servers are listed, this is a finding.

Fix: F-50350r769223_fix

Configure ONTAP for remote syslogging with "cluster log-forwarding create -destination <hostname_or_ip_address>".
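As an added example, not code from the STIG or from NetApp, the following Python parses ONTAP's dash-underlined table output and evaluates it against the password-policy checks above (V-246951 through V-246955) and the log-forwarding check (V-246964). The sample tables are constructed to mirror the layouts shown; the column widths, the cluster1 and svm1 vservers, and the compliant vsadmin row are assumptions.

```python
"""Added compliance check (not from the STIG) over constructed ONTAP CLI table output."""
import re

def render(widths, headers, rows):
    """Build constructed ONTAP-style table text: headers, a dash line, rows."""
    line = lambda cells: " ".join(f"{c:<{w}}" for c, w in zip(cells, widths)).rstrip()
    return "\n".join(line(r) for r in [*headers, ["-" * w for w in widths], *rows])

# Constructed "security login role config show -fields ..." output; the vsadmin
# row is a hypothetical compliant role, present only to exercise the role filter.
ROLE_CONFIG = render((8, 7, 16, 26, 26, 15, 24),
    [("vserver", "role", "passwd-minlength", "passwd-min-uppercase-chars",
      "passwd-min-lowercase-chars", "passwd-alphanum", "passwd-min-special-chars")],
    [("cluster1", "admin", "8", "0", "1", "enabled", "0"),
     ("svm1", "vsadmin", "15", "1", "1", "enabled", "1")])
# Constructed copy of the "cluster log-forwarding show" sample in the STIG;
# "Verify" and "Syslog" are the wrapped first halves of two column headers.
LOG_FORWARDING = render((24, 6, 23, 8, 8),
    [("", "", "", "Verify", "Syslog"),
     ("Destination Host", "Port", "Protocol", "Server", "Facility")],
    [("192.168.0.1", "514", "udp-unencrypted", "false", "user")])

def parse_table(text):
    """Parse ONTAP table output into row dicts: column spans come from the dash
    line, header text above it is joined per column (-> "Verify Server")."""
    lines = [l for l in text.splitlines() if l.strip()]
    di = next((i for i, l in enumerate(lines) if set(l) <= {"-", " "}), None)
    if di is None:  # e.g. ONTAP printed "This table is currently empty."
        return []
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[di])]
    spans[-1] = (spans[-1][0], None)  # last column may run to end of line
    cut = lambda l: [l[a:b].strip() for a, b in spans]
    cols = [" ".join(p for p in parts if p) for parts in zip(*map(cut, lines[:di]))]
    return [dict(zip(cols, cut(l))) for l in lines[di + 1:] if not l.endswith("displayed.")]

PASSWORD_RULES = {  # thresholds exactly as the STIG check text states them
    "passwd-minlength": lambda v: int(v) >= 15,
    "passwd-min-uppercase-chars": lambda v: int(v) >= 1,
    "passwd-min-lowercase-chars": lambda v: int(v) >= 1,
    "passwd-alphanum": lambda v: v == "enabled",
    "passwd-min-special-chars": lambda v: int(v) >= 1,
}

def password_findings(text, role="admin"):
    """Return the password fields that fail the STIG rules for `role`."""
    return [f for row in parse_table(text) if row.get("role") == role
            for f, ok in PASSWORD_RULES.items() if not ok(row[f])]

def log_forwarding_finding(text):
    """V-246964: it is a finding when no remote log destination is listed."""
    return not parse_table(text)
```

Feed the real command output in place of the constructed samples; each field name returned by password_findings maps to one of the "security login role config modify" fixes above.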