NetApp ONTAP DSC 9.x Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates ✎ 2
Comparison against the immediately-prior release (V2R3). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Content changes 2
- RMF Control
- AC-10
- Severity
- M
- CCI
- CCI-000054
- Version
- NAOT-AC-000001
- Vuln IDs
-
- V-246922
- Rule IDs
-
- SV-246922r1156802_rule
Checks: C-50354r1156800_chk
Use "security session limit show -interface cli" to check the concurrent session limit. If the security session limit is not configured to limit the number of concurrent sessions to 3, this is a finding.
Fix: F-50308r1156801_fix
Configure session limits with the command, "security session limit modify -max-active-limit 3 -interface cli -category application".
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- NAOT-AC-000002
- Vuln IDs
-
- V-246923
- Rule IDs
-
- SV-246923r1207671_rule
Checks: C-50355r835205_chk
Use "system timeout show" to check the current CLI timeout. If the system timeout is not set to 15 minute(s) or less, this is a finding.
Fix: F-50309r769100_fix
Configure the CLI timeout value to 15 minutes with the command, "system timeout modify -timeout 15".
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-002130
- Version
- NAOT-AC-000004
- Vuln IDs
-
- V-246925
- Rule IDs
-
- SV-246925r961290_rule
Checks: C-50357r769105_chk
Use "cluster log-forwarding show" to see if a remote syslog destination is defined for ONTAP. Use commands available on the remote syslog server to check for new account creation or enabling a disabled account. If ONTAP does not automatically audit account-enabling actions, this is a finding.
Fix: F-50311r769106_fix
Use "cluster log-forwarding show" to identify defined ONTAP remote syslog servers. If no remote syslog servers are defined, use "cluster log-forwarding create" to define a syslog destination. On the remote syslog server, use commands available to check for new account creation or enabling a disabled account.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001358
- Version
- NAOT-AC-000005
- Vuln IDs
-
- V-246926
- Rule IDs
-
- SV-246926r1051115_rule
Checks: C-50358r860671_chk
Use "security login show -role admin -authentication-method password" to see the local administrative account. If ONTAP is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.
Fix: F-50312r769109_fix
Configure a secure password for the local administrative account with "security login password -username <user_name>".
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- NAOT-AC-000006
- Vuln IDs
-
- V-246927
- Rule IDs
-
- SV-246927r1137874_rule
Checks: C-50359r769111_chk
Use "security login show" to see all configured users and their roles. Use "security login role show" to see specific commands allowed for each role. If ONTAP does not enforce administrator privileges based on their defined roles, this is a finding.
Fix: F-50313r769112_fix
Configure roles with "security login role create -role <name>" to create new roles, and "security login create -user-or-group-name <user_name> -role <name>" to assign the role to a specific user or group.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- NAOT-AC-000009
- Vuln IDs
-
- V-246930
- Rule IDs
-
- SV-246930r961353_rule
Checks: C-50362r769120_chk
Use "security login role show” to see role-based access policies defined in ONTAP for privileged and unprivileged users. Privileged users have the role of admin. If ONTAP does not prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, this is a finding.
Fix: F-50316r769121_fix
Configure privileged users with "security login create -user-or-group-name <user_name> -role admin". Configure non-privileged users with "security login create -user-or-group-name <user_name> -role <role_name>“where a non-privileged user role other than admin is used.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- NAOT-AC-000010
- Vuln IDs
-
- V-246931
- Rule IDs
-
- SV-246931r960840_rule
Checks: C-50363r877994_chk
Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. If any role has "Maximum Number of Failed Attempts" not set to "3", this is a finding. Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and “Lockout Duration". Note: Lockout duration is set by default to lockout for one day or until unlocked by an administrator. It cannot be set to less than one day. If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, this is a finding.
Fix: F-50317r877995_fix
Use the command "security login role config show" to get a list of roles. For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password requirements for each role. For any role that does not have "Maximum Number of Failed Attempts" set to "3", use the command "security login role config modify -role <role_name> -vserver <vserver_name> -max-failed-login-attempts 3".
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- NAOT-AC-000011
- Vuln IDs
-
- V-246932
- Rule IDs
-
- SV-246932r960843_rule
Checks: C-50364r835217_chk
Use "security login banner show" to see the current login notice and consent banner. If ONTAP is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.
Fix: F-50318r769127_fix
Configure the Standard Mandatory DoD Notice and Consent Banner with "security login banner modify -message <Standard DoD Notice and Consent Banner>".
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- NAOT-AU-000001
- Vuln IDs
-
- V-246933
- Rule IDs
-
- SV-246933r961392_rule
Checks: C-50365r860675_chk
To ensure audit record storage capacity is sufficient, use the command "df MDV*". The output from the command will show the size of the audit volumes, amount used and amount available. Sample output from the command looks like the following: cluster ::> df MDV* Filesystem kbytes used avail capacity Mounted on /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ 1992296 532 1991764 0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ 1992296 384 1991912 0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ 1992296 1992296 0 100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ If any ONTAP volumes show 100 percent capacity, this is a finding.
Fix: F-50319r860676_fix
Increase the size of the volume that is filled using the command "vol size <volume name> <size increase>". To increase vol1 by 500MB, the command would be "vol size vol1 +500m".
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-001858
- Version
- NAOT-AU-000003
- Vuln IDs
-
- V-246935
- Rule IDs
-
- SV-246935r961401_rule
Checks: C-50367r856966_chk
Use "vserver audit show -fields audit-guarantee" to see if audit guarantee is enabled. If audit-guarantee is set to false, this is a finding.
Fix: F-50321r856967_fix
Use the command "vserver audit modify -vserver <vserver_name> -destination <audit log location> -audit-guarantee true" to set audit-guarantee to true. An example command for a vserver named svm01 with the audit logs at /audit_log would be "vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee true". Use the command "vserver audit show -fields audit-guarantee" to verify the change.
- RMF Control
- Severity
- M
- CCI
- CCI-004928
- Version
- NAOT-AU-000004
- Vuln IDs
-
- V-246936
- Rule IDs
-
- SV-246936r1015268_rule
Checks: C-50368r945864_chk
Use "cluster time-service ntp server show" to view the current network time protocol configuration for ONTAP and ensure at least two ntp servers are defined. If ONTAP is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.
Fix: F-50322r860679_fix
Configure network time protocol for ONTAP with "cluster time-service ntp server create -server <IP address>" to add new ntp servers. Up to 10 servers can be defined.
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001890
- Version
- NAOT-AU-000006
- Vuln IDs
-
- V-246938
- Rule IDs
-
- SV-246938r961443_rule
Checks: C-50370r860681_chk
Use "cluster date show" to see the current time zone configured. If ONTAP is not configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), this is a finding.
Fix: F-50324r860682_fix
Configure the time zone to UTC with "cluster date modify -timezone UTC".
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001813
- Version
- NAOT-CM-000001
- Vuln IDs
-
- V-246939
- Rule IDs
-
- SV-246939r961461_rule
Checks: C-50371r860684_chk
Use "security login show -role admin" to see users with administrative privilege that allow device configuration. If ONTAP does not enforce access restrictions associated with changes to the device configuration, this is a finding.
Fix: F-50325r769148_fix
Configure users with administrative privilege that allows device configuration with "security login create -user-or-group-name <user_name> -role admin".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000370
- Version
- NAOT-CM-000002
- Vuln IDs
-
- V-246940
- Rule IDs
-
- SV-246940r1211037_rule
Checks: C-50372r1211035_chk
Use "security login show -authentication-method domain" to see users configured to authenticate with Active Directory. If ONTAP is not configured to use an authentication server, this is a finding. Note: The authentication method "domain" is one example. Other authentication methods such as "publickey" and "saml" are also acceptable.
Fix: F-50326r1211036_fix
Configure ONTAP to use Active Directory to authenticate users and prohibit the use of cached authenticators with "security login create -user-or-group-name <user or group name> -authentication-method domain -application ssh". Note: The authentication method "domain" is one example. Other authentication methods such as "publickey" and "saml" are also acceptable.
- RMF Control
- CP-9
- Severity
- M
- CCI
- CCI-000537
- Version
- NAOT-CM-000007
- Vuln IDs
-
- V-246944
- Rule IDs
-
- SV-246944r961863_rule
Checks: C-50376r835240_chk
Use "set -privilege advanced" reply "y" to continue and "system configuration backup show" to see if ONTAP is configured for system backups. If ONTAP is not configured to conduct backups of system-level data when changes occur, this is a finding.
Fix: F-50330r769163_fix
Configure ONTAP to conduct backups of system level information with "set -privilege advanced" reply "y" to continue and "system configuration backup create -node <node_name> -backup-type cluster -backup-name <name>".
- RMF Control
- SC-17
- Severity
- M
- CCI
- CCI-001159
- Version
- NAOT-CM-000008
- Vuln IDs
-
- V-246945
- Rule IDs
-
- SV-246945r961863_rule
Checks: C-50377r945866_chk
Use the command "security certificate show -instance -type client-ca" to show information about the ca-certificates that are installed. If any of the certificates have the name or identifier of a nonapproved source in the Issuer field, this is a finding.
Fix: F-50331r945867_fix
Generate a new key-pair from a DOD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil website for procedures for NIPRNet and SIPRNet. RSA: request security pki generate-key-pair certificate-id <cert name> type rsa size <512 | 1024 | 2048 | 4096> ECDSA: request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384> Generate a CSR from RSA key-pair using the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> Generate a CSR from ECDSA key-pair using the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> If no filename is specified, the CSR is displayed on the standard out (terminal). After receiving the approved certificate from the CA, install the certificate with the command "security certificate install -type client-ca -vserver <vserver_name>". For SSH accounts, apply the public key from the cert to the user account with the following command. security login publickey create -vserver <vserver name> -username <username> -index 0 -publickey "ssh-rsa <cert_text>"
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000382
- Version
- NAOT-CM-000009
- Vuln IDs
-
- V-246946
- Rule IDs
-
- SV-246946r1043177_rule
Checks: C-50378r1007836_chk
Use "network interface service-policy show" to see all of the configured service policies defined in ONTAP. Use "network interface show -fields service-policy" to see which network logical interfaces (LIFs) have which service policies configured. If ONTAP does not have service policies defined for each interface, this is a finding.
Fix: F-50332r1007837_fix
Configure logical interfaces to use service policies with "network interface modify -service-policy <service_policy_name> -lif <logical_interface_name>".
- RMF Control
- Severity
- M
- CCI
- CCI-004045
- Version
- NAOT-IA-000001
- Vuln IDs
-
- V-246947
- Rule IDs
-
- SV-246947r1015269_rule
Checks: C-50379r835247_chk
Use "security login show -role admin -authentication-method domain" to see all configured admin users and groups that authenticate using active directory. If ONTAP is not configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role, this is a finding.
Fix: F-50333r769172_fix
Configure new administrator active directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001941
- Version
- NAOT-IA-000002
- Vuln IDs
-
- V-246948
- Rule IDs
-
- SV-246948r1211039_rule
Checks: C-50380r1211038_chk
Use "security login show -role admin" to see all configured admin users and groups. If any account, other than the admin account used as the account of last resort, has an authentication method password, this is a finding.
Fix: F-50334r769175_fix
Configure new administrator active directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001967
- Version
- NAOT-IA-000003
- Vuln IDs
-
- V-246949
- Rule IDs
-
- SV-246949r961506_rule
Checks: C-50381r860688_chk
Validate that SNMP is enabled using the command "options -option-name snmp*". If snmp.enable and snmp.san.enable are set to "off", then SNMP is not enabled and this requirement is not applicable. Use "security snmpusers -authmethod usm" to see snmpV3 users using FIPS-validated Keyed-HMAC. If ONTAP is not configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC, this is a finding.
Fix: F-50335r769178_fix
Configure a snmpV3 user using FIPS-validated Keyed-HMAC with "security login create -user-or-group-name snmptest2 -application snmp -authentication-method usm". Enter the authoritative entity's EngineID [local EngineID]: Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha2-256 Enter the authentication protocol password (minimum 8 characters long): Enter the authentication protocol password again: Which privacy protocol do you want to choose (none, des, aes128) [none]: aes128.
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001967
- Version
- NAOT-IA-000004
- Vuln IDs
-
- V-246950
- Rule IDs
-
- SV-246950r961506_rule
Checks: C-50382r860690_chk
Use "cluster time-service ntp server show" to see authenticated NTP sources using authentication that is cryptographically based. If any of the NTP servers listed has the field "Is Authentication Enabled" set to false, this is a finding.
Fix: F-50336r769181_fix
Configure an authenticated NTP source using authentication that is cryptographically based with "cluster time-service ntp server create -server <ip_address> -key-id <NTP_Symmetric_Authentication_Key_ID>".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- NAOT-IA-000005
- Vuln IDs
-
- V-246951
- Rule IDs
-
- SV-246951r1015270_rule
Checks: C-50383r835255_chk
Use "security login role config show -role admin -fields passwd-minlength" to see the minimum password length for the role admin. If ONTAP is not configured to enforce a minimum 15-character password length, this is a finding.
Fix: F-50337r945869_fix
Configure the minimum password length for the role admin to 15 with "security login role config modify -vserver <vserver name> -role admin -passwd-minlength 15".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- NAOT-IA-000006
- Vuln IDs
-
- V-246952
- Rule IDs
-
- SV-246952r1015271_rule
Checks: C-50384r835257_chk
Use "security login role config show -role admin -fields passwd-min-uppercase-chars" to see the minimum number of uppercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
Fix: F-50338r835258_fix
Configure ONTAP to enforce password complexity by requiring that at least one uppercase character be used for the role admin with "security login role config modify -role admin -passwd-min-uppercase-chars 1".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- NAOT-IA-000007
- Vuln IDs
-
- V-246953
- Rule IDs
-
- SV-246953r1015272_rule
Checks: C-50385r835260_chk
Use "security login role config show -role admin -fields passwd-min-lowercase-chars" to see the minimum number of lowercase characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
Fix: F-50339r835261_fix
Configure ONTAP to enforce password complexity by requiring that at least one lowercase character be used for the role admin with "security login role config modify -role admin -passwd-min-lowercase-chars 1".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- NAOT-IA-000008
- Vuln IDs
-
- V-246954
- Rule IDs
-
- SV-246954r1015273_rule
Checks: C-50386r835263_chk
Use "security login role config show -role admin -fields passwd-alphanum" to see at least one letter and one number are required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Fix: F-50340r769193_fix
Configure ONTAP to enforce password complexity by requiring that at least one numeric character be used with "security login role config modify -role admin -passwd-alphanum enabled".
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- NAOT-IA-000009
- Vuln IDs
-
- V-246955
- Rule IDs
-
- SV-246955r1015274_rule
Checks: C-50387r835265_chk
Use "security login role config show -role admin -fields passwd-min-special-chars" to see the minimum number of special characters required in a password for the role admin. If ONTAP is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.
Fix: F-50341r769196_fix
Configure ONTAP to enforce password complexity by requiring that at least one special character be used with "security login role config modify -role admin -passwd-min-special-chars 1".
- RMF Control
- IA-7
- Severity
- H
- CCI
- CCI-000803
- Version
- NAOT-MA-000002
- Vuln IDs
-
- V-246958
- Rule IDs
-
- SV-246958r961557_rule
Checks: C-50390r860692_chk
Use "set -privilege advanced" reply "y" to continue and "security config show" to see if cluster FIPS mode is true. If ONTAP is not configured to implement cryptographic mechanisms using FIPS 140-2, this is a finding.
Fix: F-50344r945871_fix
Configure ONTAP to use cryptographic mechanisms with "set -privilege advanced" reply "y" to continue and "security config modify -is-fips-enabled true -interface SSL".
- RMF Control
- SC-10
- Severity
- H
- CCI
- CCI-001133
- Version
- NAOT-SC-000001
- Vuln IDs
-
- V-246959
- Rule IDs
-
- SV-246959r961068_rule
Checks: C-50391r769207_chk
Use "system timeout show" to see the session timeout in minutes. If ONTAP does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.
Fix: F-50345r769208_fix
Configure ONTAP to timeout idle sessions after 10 minutes with "system timeout modify -timeout 10".
- RMF Control
- AU-4
- Severity
- H
- CCI
- CCI-001851
- Version
- NAOT-SI-000001
- Vuln IDs
-
- V-246964
- Rule IDs
-
- SV-246964r1137890_rule
Checks: C-50396r860697_chk
Use "cluster log-forwarding show" to see if audit logs are being sent to a remote logging server. Sample output from the command: Verify Syslog Destination Host Port Protocol Server Facility ------------------------ ------ ----------------------- -------- -------- 192.168.0.1 514 udp-unencrypted false user If no remote logging servers are listed, this is a finding.
Fix: F-50350r769223_fix
Configure ONTAP for remote syslogging with "cluster log-forwarding create -destination <hostname_or_ip_address>".