CS NetApp Benchmark

This post covers security recommendations that you should follow to harden NetApp ONTAP systems.

Each rule below lists its Rule ID, Severity, Title, Description and Resolution (the ONTAP CLI commands to apply; {paramN} placeholders are explained in the comment lines that follow each command).

K12020000630 (Medium) - Terminate idle sessions
Description: Terminate user sessions after a period of inactivity to minimize the possibility of an intruder using them to extract information. Do not use never-expiring sessions.
Resolution:
    system timeout modify -timeout {param1}
    # param1 timeout in minutes

K0102I0M0683 (High) - Block ransomware suspected traffic
Description: Configure file policies to block traffic that is suspected as ransomware. The NetApp FPolicy solution allows organizations to block traffic based on common ransomware file extensions and file metadata. Not using the FPolicy capability may increase the risk of a ransomware attack.
Resolution:
    fpolicy policy event create -vserver {param1} -event-name ransomware_EVENT -protocol cifs -file-operations create,rename
    fpolicy policy create -vserver {param1} -policy-name ransomware_POLICY -events ransomware_EVENT
    fpolicy policy scope create -vserver {param1} -policy-name ransomware_POLICY -shares-to-include * -file-extensions-to-include locky,locked,encoderpass,ecc,ezz,exx,zzz,xyz,micro,encrypted,crypto,crypt,crinf,r5a,XRNT,XTBL,R16M01D05,pzdc,good,LOL!,OMG!,RDM,RRK,encryptedRS,crjoker,EnCiPhErEd,LeChiffre
    vserver fpolicy enable -vserver {param1} -policy-name ransomware_POLICY -sequence-number 2
    # param1 vserver name (placeholder; the original commands omitted the value)

K140200M0347 (Medium) - Restrict anonymous user access
Description: Disable anonymous user access. Anonymous users are able to access certain types of system information from hosts on the network, including usernames, policies, and share names.
Resolution:
    vserver cifs options modify -vserver {param1} -restrict-anonymous no-access
    # param1 vserver name

K0802I00P930 (High) - Encrypt data sent to the vendor
Description: When setting up remote support, use the HTTPS transport when sending AutoSupport messages to NetApp Support.
Resolution:
    system node autosupport modify -transport https

K0802I00P935 (High) - Sensitive data should not be sent to the vendor
Description: If Remote Support is enabled, verify that the Remote Support feature is configured to hide private data by removing, masking, or encoding sensitive data in the messages.
Resolution:
    system node autosupport modify -remove-private-data true

K0202000P950 (Medium) - Multifactor authentication (MFA)
Description: In environments storing sensitive information, enable ONTAP multifactor authentication for local user accounts.
Resolution:
    (1) Require both a password and a public key for SSH logins:
    security login modify -user-or-group-name {param1} -application ssh -authentication-method password -second-authentication-method publickey
    # param1 user or group name

    (2) Use the ssh-keygen utility to create an RSA public/private key pair.

    (3) Use the following command to enter the public key into the ONTAP system:
    security login publickey create -username {param1} -publickey "{param3}" -vserver {param2}
    # param1 user name
    # param2 vserver name
    # param3 public key text generated in step (2)

K0302I00P517 (High) - NDMP password security
Description: Configure the "challenge" NDMP authentication method. Do not use the plaintext authentication type.
Resolution:
    vserver services ndmp modify -vserver {param1} -authtype challenge
    # param1 vserver name

K0102I0M0110 (Medium) - No-loss log forwarding and encryption
Description: Configure encrypted TCP-based transmission of the audit log to syslog servers. Do not use UDP.
Resolution:
    cluster log-forwarding create -destination {param1} -port 514 -facility {param2} -protocol tcp-encrypted
    # param1 name or IP of destination
    # param2 syslog facility

K0502I0MP600 (High) - Time synchronization
Description: Configure authorized NTP servers for time synchronization. Configure at least two NTP servers for redundancy.
Resolution:
    Clustered Data ONTAP 8.2:
    ntp server create -node {param1} -server {param2} -version {param3}
    # param1 node name
    # param2 NTP server name or IP address
    # param3 NTP version for server

    Clustered Data ONTAP 8.3/9:
    cluster time-service ntp server create -server {param1} -version {param2}
    # param1 NTP server name or IP address
    # param2 NTP version for server

K06020000960 (High) - Use strong SSH Encryption Ciphers and Key Exchange Algorithm
Description: According to NetApp, because of known weaknesses with cipher block chaining ciphers, those suffixed by 'cbc' should be disabled and not be used.
Resolution:
    security ssh remove -vserver {param1} -ciphers {param2}
    # param1 vserver name
    # param2 cipher name

    and/or:

    security ssh modify -vserver {param1} -key-exchange-algorithms diffie-hellman-group-exchange-sha256 -ciphers aes256-ctr,aes192-ctr,aes128-ctr

The following rules are also part of the benchmark; their resolution is available on request (Contact us):

K0602I000805 (High) - TLS compliance
K0602I0MP700 (High) - Disable cleartext protocols
K1002000P130 (High) - LUNs accessible to designated hosts only
K20020V00220 (High) - CVE analysis
K0202I0MP120 (High) - Local user account usage
K2002I0M0382 (Medium) - Use Kerberos with NFS
K140200M0370 (High) - Anonymous/unknown ID account mapping
K0302I0MP295 (High) - Local password policy
K070200M0850 (High) - SNMP Authentication and Privacy
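Most of the rules above reduce to one ONTAP setting that must hold a specific value, so a checker can compare a configuration dump against the benchmark instead of re-running each modify command by hand. The Python script below is an added example written for this post; it is not part of the original page and not code from Data Security Advisor. It parses a simplified "setting: value" dump (the two samples are constructed for the example and do not reproduce the real ONTAP show-command layout; the setting names and the `audit` function are assumptions) and reports which rules the values violate, using the rule IDs, severities and expected values from the table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    title: str
    detail: str


# Constructed sample input (assumed, simplified layout; not real ONTAP output).
# Every value is deliberately weak so that each check below fires once.
WEAK_CONFIG = """\
system timeout: 0
cifs restrict-anonymous: no-restriction
autosupport transport: smtp
autosupport remove-private-data: false
ndmp authtype: plaintext,challenge
log-forwarding protocol: udp-unencrypted
ssh ciphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,3des-cbc
ssh key-exchange-algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
ntp servers: 10.0.0.5
"""

# Constructed sample with every setting at the value the benchmark asks for.
HARDENED_CONFIG = """\
system timeout: 30
cifs restrict-anonymous: no-access
autosupport transport: https
autosupport remove-private-data: true
ndmp authtype: challenge
log-forwarding protocol: tcp-encrypted
ssh ciphers: aes256-ctr,aes192-ctr,aes128-ctr
ssh key-exchange-algorithms: diffie-hellman-group-exchange-sha256
ntp servers: 10.0.0.5,10.0.0.6
"""

# Key exchange set from rule K06020000960's "security ssh modify" command.
RECOMMENDED_KEX = {"diffie-hellman-group-exchange-sha256"}


def parse_config(text):
    """Turn 'setting: value' lines into a dict; blank and '#' lines are skipped."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        config[key.strip().lower()] = value.strip()
    return config


def split_list(value):
    """ONTAP list values are comma separated; tolerate stray spaces from copy/paste."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(config):
    """Check the single-setting rules of the benchmark and return the findings."""
    findings = []

    def flag(rule_id, severity, title, detail):
        findings.append(Finding(rule_id, severity, title, detail))

    timeout = config.get("system timeout", "")
    if not timeout.isdigit() or int(timeout) == 0:  # 0 means never expire
        flag("K12020000630", "Medium", "Terminate idle sessions",
             f"system timeout is {timeout!r}; sessions must expire after inactivity")
    if config.get("cifs restrict-anonymous") != "no-access":
        flag("K140200M0347", "Medium", "Restrict anonymous user access",
             f"restrict-anonymous is {config.get('cifs restrict-anonymous')!r}, expected no-access")
    if config.get("autosupport transport") != "https":
        flag("K0802I00P930", "High", "Encrypt data sent to the vendor",
             f"AutoSupport transport is {config.get('autosupport transport')!r}, expected https")
    if config.get("autosupport remove-private-data") != "true":
        flag("K0802I00P935", "High", "Sensitive data should not be sent to the vendor",
             "AutoSupport remove-private-data is not true")
    ndmp = split_list(config.get("ndmp authtype", ""))
    if ndmp != ["challenge"]:
        flag("K0302I00P517", "High", "NDMP password security",
             f"NDMP authtype is {ndmp}; only challenge should be enabled")
    if config.get("log-forwarding protocol") != "tcp-encrypted":
        flag("K0102I0M0110", "Medium", "No-loss log forwarding and encryption",
             f"log forwarding uses {config.get('log-forwarding protocol')!r}, expected tcp-encrypted")
    cbc = [c for c in split_list(config.get("ssh ciphers", "")) if c.endswith("-cbc")]
    if cbc:
        flag("K06020000960", "High", "Use strong SSH Encryption Ciphers and Key Exchange Algorithm",
             f"CBC ciphers enabled: {', '.join(cbc)}")
    kex = [k for k in split_list(config.get("ssh key-exchange-algorithms", ""))
           if k not in RECOMMENDED_KEX]
    if kex:
        flag("K06020000960", "High", "Use strong SSH Encryption Ciphers and Key Exchange Algorithm",
             f"key exchange algorithms outside the recommended set: {', '.join(kex)}")
    ntp = split_list(config.get("ntp servers", ""))
    if len(ntp) < 2:
        flag("K0502I0MP600", "High", "Time synchronization",
             f"{len(ntp)} NTP server(s) configured, at least two expected")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for f in audit_text(WEAK_CONFIG):
        print(f"[{f.severity}] {f.rule_id} {f.title}: {f.detail}")
```

Run it as-is to see one finding per weak value in `WEAK_CONFIG`; feed it your own dump in the same key/value shape to get the list of rules still open. The checks are deliberately strict (for example only `challenge` may remain in the NDMP authtype list), which mirrors the table's wording rather than tolerating partial compliance.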
Interested in the complete list of rules?

Data Security Advisor includes:

⇒ The full list of rules for NetApp and other storage vendors, including hundreds of additional best practices.

⇒ The ability to automatically validate the rules in your storage environment.

⇒ Detailed remediation guidance.

⇒ Mapping to information security standards.


Contact us to learn more about the Data Security Advisor product and our risk assessment services.
