CS NetApp Benchmark
About Continuity™
Continuity™ provides the industry’s ONLY storage & backup security solution, to help you protect your most valuable data.
This post covers security recommendations that you should follow to harden NetApp ONTAP systems.
| Rule ID | Severity | Title | Description | Resolution |
| K12020000630 | Medium | Terminate idle sessions | Terminate user sessions after a period of inactivity to minimize the possibility of an intruder using them to extract information. Do not use never expiring sessions. | system timeout modify -timeout {param1}
# param1 timeout in minutes |
| K0102I0M0683 | High | Block ransomware suspected traffic | Configure file policies to block traffic that is suspected as ransomware.
The NetApp FPolicy solution allows organizations to block traffic based on common ransomware file extensions and file metadata. Not using the fpolicy capability may increase the risk of a ransomware attack. |
fpolicy policy event create -vserver -event-name ransomware_EVENT -protocol cifs -file-operations create rename
fpolicy policy create -vserver -policy-name ransomware_POLICY -events ransomware_EVENT fpolicy policy scope create -vserver -policy-name ransomware_POLICY -shares-to-include * -file-extensions-to-include locky, locked, encoderpass, ecc, ezz, exx, zzz, xyz, micro, encrypted, crypto, crypt, .crinf, r5a, XRNT,XTBL, R16M01D05, pzdc, good, LOL!, OMG!, RDM,RRK, encryptedRS, crjoker, EnCiPhErEd, LeChiffre vserver fpolicy enable -vserver -policy-name ransomware_POLICY -sequence-number 2 |
| K140200M0347 | Medium | Restrict anonymous user access | Disable anonymous user access. Anonymous users are able to access certain types of system information from hosts on the network, including usernames, policies, and share names. | vserver cifs options modify -vserver {param1} -restrict-anonymous no-access
# param1 vserver name |
| K0802I00P930 | High | Encrypt data sent to the vendor | When setting up remote support, use the HTTPS transport when sending AutoSupport messages to NetApp Support. | system node autosupport modify -transport https |
| K0802I00P935 | High | Sensitive data should not be sent to the vendor | If Remote Support is enabled, verify that the Remote Support feature is configured to hide private data by removing, masking, or encoding sensitive data in the messages. | system node autosupport modify -remove-private-data true |
| K0202000P950 | Medium | Multifactor authentication (MFA) | In environments storing sensitive information, enable ONTAP multifactor authentication for local user accounts. | (1) security login modify -user-or-group-name {param1} -application ssh -authenticationmethod password -second-authentication-method publickey
#param1 user or group name (2) Use ssh-keygen util to create an RSA public/private key pair. (3) Use the following command to enter the public key to the ONTAP system: security login publickey create -username {param1} -publickey key -vserver {param2} # param1 user name #param2 vserver name |
| K0302I00P517 | High | NDMP password security | Configure the “challenge” NDMP authentication method. Do not use the plaintext authentication type. | vserver services ndmp modify -vserver {param1} -authtype challenge
# param1 vserver name |
| K0102I0M0110 | Medium | No-loss log forwarding and encryption | Configure encrypted TCP-based transmission of audit log to syslog servers. Do not use UDP. | cluster log-forwarding create -destination {param1} -port 514 -facility {param2} -protocol tcp-encrypted # param1 name or ip of destination # param2 syslog facility |
| K0502I0MP600 | High | Time synchronization | Configure authorized NTP servers for time synchronization. Configure at least two NTP servers for redundancy. | Clustered Data ONTAP 8.2
ntp server create -node {param1} -server {param2} -version {param3} # param1 node name # param2 NTP server name or IP address # param3 NTP Version for Server Clustered Data ONTAP 8.3/9 cluster time-service ntp server create -server {param1} -version {param2} # param1 NTP server name or IP address # param2 NTP Version for Server |
| K06020000960 | High | Use strong SSH Encryption Ciphers and Key Exchange Algorithm | According to NetApp, because of known weaknesses with cipher block chaining ciphers, those suffixed by ‘cbc’ should be disabled and not be used. | security ssh remove -vserver {param1} -ciphers {param2}
# param1 vserver name # param2 cipher name and/or: security ssh modify -vserver {param1} -key-exchange-algorithms diffiehellman-group-exchange-sha256 -ciphers aes256-ctr,aes192-ctr,aes128-ctr |
| K0602I000805 | High | TLS compliance | Contact us | |
| K0602I0MP700 | High | Disable cleartext protocols | Contact us | |
| K1002000P130 | High | LUNs accessible to designated hosts only | Contact us | |
| K20020V00220 | High | CVE analysis | Contact us | |
| K0202I0MP120 | High | Local user account usage | Contact us | |
| K2002I0M0382 | Medium | Use Kerberos with NFS | Contact us | |
| K140200M0370 | High | anonymous/unknown ID account mapping | Contact us | |
| K0302I0MP295 | High | Local password policy | Contact us | |
| K070200M0850 | High | SNMP Authentication and Privacy | Contact us | |
| … | … | … | Interested in the complete list of rules?
StorageGuard includes: ⇒ The full list of rules for NetApp and other storage vendors, including hundreds of additional best practices. ⇒ The ability to automatically validate the rules in your storage environment. ⇒ Detailed remediation guidance. ⇒ Mapping to information security standards Contact us to learn more about StorageGuard product and our risk assessment services. |
|
| … | … | … | ||
| … | … | … | ||
| … | … | … | ||
| … | … | … | ||
| … | … | … | ||
| … | … | … | ||
Talk To An Expert
It’s time to automate the secure configuration of your storage & backup systems.