Use "security session limit show -interface cli" to check the concurrent session limit. If the security session limit is not configured to limit the number of concurrent sessions to 1, this is a finding.
Configure session limits with the command "security session limit modify -max-active-limit 1 -interface cli -category application".
Use "system timeout show" to check the current CLI timeout. If the system timeout is not set to 15 minute(s) or less, this is a finding.
Configure the CLI timeout value to 15 minutes with the command, "system timeout modify -timeout 15".
Use "cluster log-forwarding show" to see if a remote syslog destination is defined for ONTAP. Use commands available on the remote syslog server to check for new account creation or enabling a disabled account. If ONTAP does not automatically audit account-enabling actions, this is a finding.
Use "cluster log-forwarding show" to identify defined ONTAP remote syslog servers. If no remote syslog servers are defined, use "cluster log-forwarding create" to define a syslog destination. On the remote syslog server, use commands available to check for new account creation or enabling a disabled account.
Use "security login show -role admin -authentication-method password" to see the local administrative account. If ONTAP is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.
Configure a secure password for the local administrative account with "security login password -username <user_name>".
Use "security login show" to see all configured users and their roles. Use "security login role show" to see specific commands allowed for each role. If ONTAP does not enforce administrator privileges based on their defined roles, this is a finding.
Configure roles with "security login role create -role <name>" to create new roles, and "security login create -user-or-group-name <user_name> -role <name>" to assign the role to a specific user or group.
Use "security login role show" to see role-based access policies defined in ONTAP for privileged and unprivileged users. Privileged users have the role of admin. If ONTAP does not prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, this is a finding.
Configure privileged users with "security login create -user-or-group-name <user_name> -role admin". Configure non-privileged users with "security login create -user-or-group-name <user_name> -role <role_name>" where a non-privileged user role other than admin is used.
Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. If any role has "Maximum Number of Failed Attempts" not set to "3", this is a finding. Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and "Lockout Duration". Note: Lockout duration is set by default to lockout for one day or until unlocked by an administrator. It cannot be set to less than one day. If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, this is a finding.
Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. For any role that does not have "Maximum Number of Failed Attempts" set to "3", use the command "security login role config modify -role <role_name> -vserver <vserver_name> -max-failed-login-attempts 3".
Use "security login banner show" to see the current login notice and consent banner. If ONTAP is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.
Configure the Standard Mandatory DoD Notice and Consent Banner with "security login banner modify -message <Standard DoD Notice and Consent Banner>".
To ensure audit record storage capacity is sufficient, use the command "df MDV*". The output from the command shows the size of each audit volume, the amount used, and the amount available. Sample output from the command looks like the following:

    cluster ::> df MDV*
    Filesystem                                      kbytes    used    avail capacity Mounted on
    /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ 1992296     532  1991764       0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/
    /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ 1992296     384  1991912       0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/
    /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ 1992296 1992296        0     100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/

If any ONTAP volumes show 100 percent capacity, this is a finding.
Increase the size of the volume that is filled using the command "vol size <volume name> <size increase>". To increase vol1 by 500MB, the command would be "vol size vol1 +500m".
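As an added example (not part of the STIG text or of NetApp's tooling), the following POSIX shell check parses captured "df MDV*" output in the format shown above and reports any audit volume whose capacity column reads 100 percent; the sample output is constructed here from that format.

```shell
#!/bin/sh
# Added example: evaluate the audit-volume capacity check against saved
# "df MDV*" output. DF_SAMPLE is constructed from the format shown in the check.

DF_SAMPLE='Filesystem                                      kbytes    used    avail capacity Mounted on
/vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ 1992296     532  1991764       0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/
/vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ 1992296     384  1991912       0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/
/vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ 1992296 1992296        0     100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/'

# Read df output on stdin and print the name of every MDV_aud volume whose
# capacity column (field 5) is 100%. The header and any non-audit rows are skipped.
full_audit_volumes() {
    awk '$1 ~ /^\/vol\/MDV_aud_/ {
        pct = $5; sub(/%$/, "", pct)
        if (pct + 0 >= 100) print $1
    }'
}

# Return 0 (pass) when no audit volume is full, 1 (finding) otherwise.
check_audit_storage() {
    full="$(printf '%s\n' "$1" | full_audit_volumes)"
    if [ -n "$full" ]; then
        printf 'FINDING: audit volume(s) at 100%% capacity:\n%s\n' "$full"
        return 1
    fi
    echo "PASS: no audit volume at 100% capacity"
    return 0
}

# Run the check against the constructed sample (one volume is full, so it reports a finding).
check_audit_storage "$DF_SAMPLE" || :
```

Replace DF_SAMPLE with output saved from the cluster to run the same check against real data.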
Use "vserver audit show -fields audit-guarantee" to see if audit guarantee is enabled. If audit-guarantee is set to false, this is a finding.
Use the command "vserver audit modify -vserver <vserver_name> -destination <audit log location> -audit-guarantee true" to set audit-guarantee to true. An example command for a vserver named svm01 with the audit logs at /audit_log would be "vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee true". Use the command "vserver audit show -fields audit-guarantee" to verify the change.
Use "cluster time-service ntp server show" to view the current network time protocol configuration for ONTAP and ensure at least two ntp servers are defined. If ONTAP is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.
Configure network time protocol for ONTAP with "cluster time-service ntp server create -server <IP address>" to add new ntp servers. Up to 10 servers can be defined.
Use "cluster date show" to see the current time zone configured. If ONTAP is not configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), this is a finding.
Configure the time zone to UTC with "cluster date modify -timezone UTC".
Use "security login show -role admin" to see users with administrative privilege that allow device configuration. If ONTAP does not enforce access restrictions associated with changes to the device configuration, this is a finding.
Configure users with administrative privilege that allows device configuration with "security login create -user-or-group-name <user_name> -role admin".
Use "security login show -authentication-method domain" to see users configured to authenticate with Active Directory. If ONTAP is not configured to use an authentication server, this is a finding.
Configure ONTAP to make use of Active Directory to authenticate users and prohibit the use of cached authenticators with "security login create -user-or-group-name <user or group name> -authentication-method domain -application ssh".
Use "set -privilege advanced" (reply "y" to continue), then "system configuration backup show" to see if ONTAP is configured for system backups. If ONTAP is not configured to conduct backups of system-level data when changes occur, this is a finding.
Configure ONTAP to conduct backups of system-level information with "set -privilege advanced" (reply "y" to continue), then "system configuration backup create -node <node_name> -backup-type cluster -backup-name <name>".
Use the command "security certificate show -instance -type client-ca" to show information about the ca-certificates that are installed. If any of the certificates have the name or identifier of a nonapproved source in the Issuer field, this is a finding.
Generate a new key pair from a DOD-approved certificate issuer. Sites must consult the PKI/PKE pages on the https://cyber.mil website for procedures for NIPRNet and SIPRNet.

RSA:
    request security pki generate-key-pair certificate-id <cert_name> type rsa size <512 | 1024 | 2048 | 4096>
ECDSA:
    request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384>

Generate a CSR from the RSA key pair using the following command and options:
    request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject "CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>,L=<city>,ST=<state>,C=<us>" filename <path/filename>

Generate a CSR from the ECDSA key pair using the following command and options:
    request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject "CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>,L=<city>,ST=<state>,C=<us>" filename <path/filename>

If no filename is specified, the CSR is displayed on standard out (the terminal).

After receiving the approved certificate from the CA, install the certificate with the command "security certificate install -type client-ca -vserver <vserver_name>".

For SSH accounts, apply the public key from the cert to the user account with the following command:
    security login publickey create -vserver <vserver_name> -username <username> -index 0 -publickey "ssh-rsa <cert_text>"
Use "network interface service-policy show" to see all of the configured service policies defined in ONTAP. Use "network interface show -fields service-policy" to see which network logical interfaces (LIFs) have which service policies configured. If ONTAP cannot be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.
Create new or modify existing ONTAP service policies with "network interface service-policy create" or "network interface service-policy modify" to allow specific IP addresses to access specific network services. Configure logical interfaces to use service policies with "network interface modify -service-policy <service_policy_name> -lif <logical_interface_name>".
Use "security login show -role admin -authentication-method domain" to see all configured admin users and groups that authenticate using Active Directory. If ONTAP is not configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role, this is a finding.
Configure new administrator Active Directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".
Use "security login show -role admin" to see all configured admin users and groups. If any account, other than the admin account used as the account of last resort, has an authentication method other than domain, this is a finding.
Configure new administrator Active Directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".
Validate that SNMP is enabled using the command "options -option-name snmp*". If snmp.enable and snmp.san.enable are set to "off", SNMP is not enabled and this requirement is not applicable. Use "security snmpusers -authmethod usm" to see SNMPv3 users using FIPS-validated Keyed-HMAC. If ONTAP is not configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC, this is a finding.
Configure an SNMPv3 user using FIPS-validated Keyed-HMAC with "security login create -user-or-group-name snmptest2 -application snmp -authentication-method usm" and respond to the prompts as follows:

    Enter the authoritative entity's EngineID [local EngineID]:
    Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha2-256
    Enter the authentication protocol password (minimum 8 characters long):
    Enter the authentication protocol password again:
    Which privacy protocol do you want to choose (none, des, aes128) [none]: aes128
Use "cluster time-service ntp server show" to see authenticated NTP sources using authentication that is cryptographically based. If any of the NTP servers listed has the field "Is Authentication Enabled" set to false, this is a finding.
Configure an authenticated NTP source using authentication that is cryptographically based with "cluster time-service ntp server create -server <ip_address> -key-id <NTP_Symmetric_Authentication_Key_ID>".
Use "security login role config show -role admin -fields passwd-minlength" to see the minimum password length for the role admin. If ONTAP is not configured to enforce a minimum 15-character password length, this is a finding.
Configure the minimum password length for the role admin to 15 with "security login role config modify -vserver <vserver name> -role admin -passwd-minlength 15".
Use "security login role config show -role admin -fields passwd-min-uppercase-chars" to see the minimum number of uppercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
Configure ONTAP to enforce password complexity by requiring that at least one uppercase character be used for the role admin with "security login role config modify -role admin -passwd-min-uppercase-chars 1".
Use "security login role config show -role admin -fields passwd-min-lowercase-chars" to see the minimum number of lowercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
Configure ONTAP to enforce password complexity by requiring that at least one lowercase character be used for the role admin with "security login role config modify -role admin -passwd-min-lowercase-chars 1".
Use "security login role config show -role admin -fields passwd-alphanum" to see whether at least one letter and one number are required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Configure ONTAP to enforce password complexity by requiring that at least one numeric character be used with "security login role config modify -role admin -passwd-alphanum enabled".
Use "security login role config show -role admin -fields passwd-min-special-chars" to see the minimum number of special characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.
Configure ONTAP to enforce password complexity by requiring that at least one special character be used with "security login role config modify -role admin -passwd-min-special-chars 1".
Use "set -privilege advanced" (reply "y" to continue), then "security config show" to see if cluster FIPS mode is true. If ONTAP is not configured to implement cryptographic mechanisms using FIPS 140-2, this is a finding.
Configure ONTAP to use FIPS 140-2 cryptographic mechanisms with "set -privilege advanced" (reply "y" to continue), then "security config modify -is-fips-enabled true -interface SSL".
Use "system timeout show" to see the session timeout in minutes. If ONTAP does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.
Configure ONTAP to timeout idle sessions after 10 minutes with "system timeout modify -timeout 10".
Use "cluster log-forwarding show" to see if audit logs are being sent to a remote logging server. Sample output from the command:

                                                     Verify Syslog
    Destination Host          Port   Protocol                Server   Facility
    ------------------------  ------ ----------------------- -------- --------
    192.168.0.1               514    udp-unencrypted         false    user

If no remote logging servers are listed, this is a finding.
Configure ONTAP for remote syslogging with "cluster log-forwarding create -destination <hostname_or_ip_address>".
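As an added example (not part of the STIG text or of NetApp's tooling), the following POSIX shell check parses captured "cluster log-forwarding show" output in the format shown above, reports a finding when no destination row is present, and notes destinations that do not use encrypted transport with server verification. The sample outputs are constructed; the "tcp-encrypted" protocol name and the "This table is currently empty." message are assumed ONTAP values.

```shell
#!/bin/sh
# Added example: evaluate the remote-logging check against saved
# "cluster log-forwarding show" output. Both samples below are constructed.

LOGFWD_SAMPLE='                                                 Verify Syslog
Destination Host          Port   Protocol                Server   Facility
------------------------  ------ ----------------------- -------- --------
192.168.0.1               514    udp-unencrypted         false    user'

# Assumed ONTAP message when no destination is defined.
LOGFWD_EMPTY='This table is currently empty.'

# Read the table on stdin and print "host port protocol verify" for each
# destination row. The two header lines, the dashed separator and any
# message line are skipped: a data row has at least five fields, a numeric
# port in field 2 and does not start with a dash.
syslog_destinations() {
    awk 'NF >= 5 && $1 !~ /^-/ && $2 ~ /^[0-9]+$/ { print $1, $2, $3, $4 }'
}

# Number of destination rows in the given output (0 when the table is empty).
count_syslog_destinations() {
    printf '%s\n' "$1" | syslog_destinations | wc -l | tr -d ' '
}

# Return 0 (pass) when at least one destination exists, 1 (finding) otherwise.
# Passing destinations are listed, and any that are not "tcp-encrypted" with
# "Verify Server" true get a NOTE so the reviewer can judge transport exposure.
check_remote_logging() {
    rows="$(printf '%s\n' "$1" | syslog_destinations)"
    if [ -z "$rows" ]; then
        echo "FINDING: no remote syslog destination defined"
        return 1
    fi
    echo "PASS: remote syslog destination(s):"
    printf '%s\n' "$rows"
    printf '%s\n' "$rows" | awk '$3 != "tcp-encrypted" || $4 != "true" {
        print "NOTE: " $1 ":" $2 " uses " $3 " (verify-server " $4 ")"
    }'
    return 0
}

# Run the check against both constructed samples.
check_remote_logging "$LOGFWD_SAMPLE" || :
check_remote_logging "$LOGFWD_EMPTY" || :
```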