Continuity Software

CS NetApp Benchmark

  • July 19, 2020
  • 4 min read

This post covers security recommendations that you should follow to harden NetApp ONTAP systems.

Each rule below is given as Rule ID, Severity, Title, Description and Resolution. The resolution is the ONTAP CLI command set; {paramN} placeholders are explained in the comment lines that follow each command.

Rule ID: K12020000630
Severity: Medium
Title: Terminate idle sessions
Description: Terminate user sessions after a period of inactivity to minimize the possibility of an intruder using an unattended session to extract information. Do not use never-expiring sessions (a timeout value of 0 disables the timeout).
Resolution:

system timeout modify -timeout {param1}

# param1 timeout in minutes

Rule ID: K0102I0M0683
Severity: High
Title: Block ransomware suspected traffic
Description: Configure file policies to block file operations that are suspected to come from ransomware. The NetApp FPolicy feature allows organizations to block CIFS create and rename operations based on common ransomware file extensions and file metadata. Not using the FPolicy capability may increase the risk of a ransomware attack. Extension-based blocking only stops families that use a listed extension, so the list must be kept current and combined with snapshots and monitoring; it does not replace them.
Resolution:

vserver fpolicy policy event create -vserver {param1} -event-name ransomware_EVENT -protocol cifs -file-operations create,rename

vserver fpolicy policy create -vserver {param1} -policy-name ransomware_POLICY -events ransomware_EVENT -engine native

vserver fpolicy policy scope create -vserver {param1} -policy-name ransomware_POLICY -shares-to-include * -file-extensions-to-include locky,locked,encoderpass,ecc,ezz,exx,zzz,xyz,micro,encrypted,crypto,crypt,crinf,r5a,XRNT,XTBL,R16M01D05,pzdc,good,LOL!,OMG!,RDM,RRK,encryptedRS,crjoker,EnCiPhErEd,LeChiffre

vserver fpolicy enable -vserver {param1} -policy-name ransomware_POLICY -sequence-number 2

# param1 vserver name
# extensions are listed without a leading dot and without spaces after the commas; the sequence number must be unique among the policies enabled on that vserver
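As an added example (this is not code from the Continuity Software page or from NetApp), the following Python script builds the four FPolicy commands above from a maintained extension list, normalizing it the way ONTAP expects (no leading dots, no duplicates, no spaces or commas inside an entry), and checks an already configured scope for missing extensions. The vserver name, policy and event names, sequence number and the acceptance rules for an extension are this example's own assumptions; the extension list is the page's list, with a stray leading dot and a duplicate added on purpose as test input.

```python
"""Build the ONTAP FPolicy command set for extension-based ransomware blocking.

Added example, not NetApp tooling. Assumes the caller's vserver/policy/event
names; the extension list is constructed test input (the page's list plus one
dotted entry and one duplicate to exercise normalization).
"""
import re

# Constructed input: the benchmark's extensions, one with a leading dot and
# one case-variant duplicate deliberately included.
PAGE_EXTENSIONS = [
    "locky", "locked", "encoderpass", "ecc", "ezz", "exx", "zzz", "xyz",
    "micro", "encrypted", "crypto", "crypt", ".crinf", "r5a", "XRNT", "XTBL",
    "R16M01D05", "pzdc", "good", "LOL!", "OMG!", "RDM", "RRK", "encryptedRS",
    "crjoker", "EnCiPhErEd", "LeChiffre", "Locky",
]

# ONTAP takes a comma-separated list, so an entry must not contain a comma,
# whitespace or a path/wildcard character (example's own validation rule).
_VALID_EXT = re.compile(r"^[^\s,*?/\\]+$")


def normalize_extensions(exts):
    """Strip leading dots, drop empties and case-insensitive duplicates, and
    reject entries that cannot be passed to -file-extensions-to-include."""
    seen, out = set(), []
    for raw in exts:
        ext = raw.strip().lstrip(".")
        if not ext:
            continue
        if not _VALID_EXT.match(ext):
            raise ValueError(f"unusable extension {raw!r}")
        key = ext.lower()
        if key in seen:
            continue
        seen.add(key)
        out.append(ext)
    return out


def fpolicy_commands(vserver, exts, policy="ransomware_POLICY",
                     event="ransomware_EVENT", sequence=1, shares="*"):
    """Return the ONTAP commands in the order they must be run:
    event -> policy -> scope -> enable."""
    ext_list = ",".join(normalize_extensions(exts))
    if not ext_list:
        raise ValueError("refusing to create a scope with no extensions")
    return [
        f"vserver fpolicy policy event create -vserver {vserver} "
        f"-event-name {event} -protocol cifs -file-operations create,rename",
        f"vserver fpolicy policy create -vserver {vserver} -policy-name {policy} "
        f"-events {event} -engine native",
        f"vserver fpolicy policy scope create -vserver {vserver} -policy-name {policy} "
        f"-shares-to-include {shares} -file-extensions-to-include {ext_list}",
        f"vserver fpolicy enable -vserver {vserver} -policy-name {policy} "
        f"-sequence-number {sequence}",
    ]


def missing_extensions(configured, wanted):
    """Gap check: entries of 'wanted' absent from an existing scope's list,
    compared case-insensitively."""
    have = {e.lower() for e in normalize_extensions(configured)}
    return [e for e in normalize_extensions(wanted) if e.lower() not in have]


if __name__ == "__main__":
    for cmd in fpolicy_commands("vs1", PAGE_EXTENSIONS, sequence=2):
        print(cmd)
    print("missing:", missing_extensions(["locky", "crypt"], PAGE_EXTENSIONS))
```

Run it as-is to print the commands for a vserver named vs1; feed missing_extensions() the list currently shown by vserver fpolicy policy scope show to see what an existing policy lacks.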

Rule ID: K140200M0347
Severity: Medium
Title: Restrict anonymous user access
Description: Disable anonymous user access. Anonymous users are able to access certain types of system information from hosts on the network, including user names, policies, and share names.
Resolution:

vserver cifs options modify -vserver {param1} -restrict-anonymous no-access

# param1 vserver name

Rule ID: K0802I00P930
Severity: High
Title: Encrypt data sent to the vendor
Description: When setting up remote support, use the HTTPS transport when sending AutoSupport messages to NetApp Support, so that the configuration and log data they contain is not sent in cleartext.
Resolution:

system node autosupport modify -node * -transport https

Rule ID: K0802I00P935
Severity: High
Title: Sensitive data should not be sent to the vendor
Description: If remote support is enabled, verify that AutoSupport is configured to hide private data by removing, masking, or encoding sensitive data in the messages.
Resolution:

system node autosupport modify -node * -remove-private-data true

Rule ID: K0202000P950
Severity: Medium
Title: Multifactor authentication (MFA)
Description: In environments storing sensitive information, enable ONTAP multifactor authentication (password plus SSH public key) for local user accounts.
Resolution:

(1) Require both authentication methods for the SSH login:

security login modify -vserver {param2} -user-or-group-name {param1} -application ssh -authentication-method password -second-authentication-method publickey

# param1 user or group name
# param2 vserver name (the admin vserver for cluster administrators)

(2) Use the ssh-keygen utility on the client to create an RSA public/private key pair (for example ssh-keygen -t rsa -b 4096). The private key stays on the client; only the public key is entered into ONTAP.

(3) Enter the public key (the single line from the .pub file) into the ONTAP system:

security login publickey create -vserver {param2} -username {param1} -publickey "{param3}"

# param1 user name
# param2 vserver name
# param3 the OpenSSH public key line, quoted because it contains spaces
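Pasting a public key into security login publickey create is where mistakes happen (wrong key type prefix, truncated base64, a too-small RSA key). As an added example (not code from the page or from NetApp), the script below parses an OpenSSH public-key line, verifies that the type prefix matches the type encoded in the key blob, reads the RSA modulus size, and only then emits the ONTAP command with the key properly quoted. The acceptance policy (RSA of at least 2048 bits, NIST-curve ECDSA, Ed25519) is this example's own, not an ONTAP rule, and the RSA key it builds for testing has a fake modulus and is for shape only.

```python
"""Sanity-check an OpenSSH public-key line before 'security login publickey create'.

Added example, not NetApp code. The acceptance policy in acceptable() is the
example's own assumption. make_constructed_rsa_key() produces a syntactically
valid ssh-rsa line with a fake modulus (constructed test input, not a real key).
"""
import base64
import struct


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_openssh_public_key(line):
    """Parse '<type> <base64> [comment]'; return type, size, comment.
    Checks that the prefix matches the type inside the blob and that the blob
    has no trailing bytes."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != ktype:
        raise ValueError("key type prefix does not match the key blob")
    info = {"type": ktype, "comment": parts[2] if len(parts) > 2 else ""}
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif ktype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
        info["curve"] = curve.decode("ascii")
        info["bits"] = int(info["curve"][-3:])   # nistp256 -> 256
    elif ktype == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        info["bits"] = len(pk) * 8
    else:
        raise ValueError(f"unsupported key type {ktype}")
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return info


def acceptable(info, min_rsa_bits=2048):
    """Example policy: RSA >= min_rsa_bits, NIST-curve ECDSA, or Ed25519."""
    if info["type"] == "ssh-rsa":
        return info["bits"] >= min_rsa_bits
    return info["type"].startswith("ecdsa-sha2-nistp") or info["type"] == "ssh-ed25519"


def _mpint(x):
    # SSH mpint: big-endian, with a leading 0x00 when the high bit is set
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def make_constructed_rsa_key(bits=2048, comment="constructed"):
    """Constructed test input: e=65537 and a modulus that merely has the
    requested bit length. Not a usable key pair."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def publickey_create_command(vserver, username, line):
    """Emit the ONTAP command; the key is quoted because it contains spaces."""
    info = parse_openssh_public_key(line)
    if not acceptable(info):
        raise ValueError(f"rejected {info['type']} key of {info['bits']} bits")
    return (f'security login publickey create -vserver {vserver} '
            f'-username {username} -publickey "{line.strip()}"')


if __name__ == "__main__":
    key = make_constructed_rsa_key(4096, "admin@jumphost")
    print(parse_openssh_public_key(key))
    print(publickey_create_command("vs1", "admin", key))
```

In practice you would read the line from the client's id_rsa.pub instead of calling make_constructed_rsa_key(); the parser and the quoting are the same.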

Rule ID: K0302I00P517
Severity: High
Title: NDMP password security
Description: Configure the "challenge" NDMP authentication method, which authenticates with a challenge-response exchange instead of sending the password over the network. Do not use the plaintext authentication type.
Resolution:

vserver services ndmp modify -vserver {param1} -authtype challenge

# param1 vserver name

Rule ID: K0102I0M0110
Severity: Medium
Title: No-loss log forwarding and encryption
Description: Configure encrypted, TCP-based transmission of the audit log to syslog servers. Do not use UDP: it has no delivery guarantee and no encryption, so audit records can be silently dropped or read in transit.
Resolution:

cluster log-forwarding create -destination {param1} -port 514 -facility {param2} -protocol tcp-encrypted

# param1 name or IP of destination
# param2 syslog facility
# the port must match the server's TLS listener; 514 is used here, but many syslog servers listen for syslog over TLS on 6514
Rule ID: K0502I0MP600
Severity: High
Title: Time synchronization
Description: Configure authorized NTP servers for time synchronization, so that log timestamps, Kerberos tickets and certificate validity checks are reliable. Configure at least two NTP servers for redundancy.
Resolution:

Clustered Data ONTAP 8.2:

system services ntp server create -node {param1} -server {param2} -version {param3}

# param1 node name
# param2 NTP server name or IP address
# param3 NTP version for the server

Clustered Data ONTAP 8.3 / ONTAP 9 (NTP configuration is cluster-wide, so no node is given):

cluster time-service ntp server create -server {param1} -version {param2}

# param1 NTP server name or IP address
# param2 NTP version for the server

Rule ID: K06020000960
Severity: High
Title: Use strong SSH encryption ciphers and key exchange algorithms
Description: According to NetApp, because of known weaknesses in cipher block chaining (CBC) mode, SSH ciphers suffixed by "cbc" should be disabled and not used. Either remove the weak ciphers individually, or set the allowed cipher and key exchange lists explicitly. Verify the result with security ssh show -vserver {param1}.
Resolution:

security ssh remove -vserver {param1} -ciphers {param2}

# param1 vserver name
# param2 cipher name(s), comma-separated, e.g. aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

and/or:

security ssh modify -vserver {param1} -key-exchange-algorithms diffie-hellman-group-exchange-sha256 -ciphers aes256-ctr,aes192-ctr,aes128-ctr

# param1 vserver name
# keep an existing SSH session open while changing these lists and test a fresh login before closing it, so that a typo cannot lock you out
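The rule above covers CBC ciphers; a practitioner will also want to catch SHA-1 key exchange and MD5/SHA-1 MACs, and to make sure a removal does not empty a list and lock everyone out. As an added example (not code from the page, not NetApp tooling), the script below parses the algorithm lists of a vserver, flags the weak entries under a policy that extends the page's CBC-only rule, and emits the matching security ssh remove commands. The sample text is a constructed approximation of security ssh show -instance output; the parser relies only on the "Label: a, b, c" line shape, and which algorithms count as weak is this example's own policy.

```python
"""Audit ONTAP SSH algorithm lists and emit 'security ssh remove' commands.

Added example, not NetApp tooling. SAMPLE_SSH_SHOW is constructed, not real
cluster output; the weak-algorithm policy in WEAK is the example's own.
"""
import re

# Constructed sample in the shape of 'security ssh show -vserver vs1 -instance'.
SAMPLE_SSH_SHOW = """\
Vserver: vs1
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes128-cbc, 3des-cbc
Key Exchange Algorithms: diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, ecdh-sha2-nistp256
MAC Algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-md5-96
Max Authentication Retry Count: 6
"""

# Example policy: CBC/3DES/RC4-class ciphers, SHA-1 or group1 key exchange,
# MD5/SHA-1/RIPEMD and 96-bit-truncated MACs are treated as weak.
WEAK = {
    "ciphers": re.compile(r"(-cbc$|^3des|^arcfour|^rc4|^blowfish|^cast128)"),
    "key-exchange-algorithms": re.compile(r"(-sha1$|group1-)"),
    "mac-algorithms": re.compile(r"(md5|sha1|ripemd|-96($|-))"),
}
LABELS = {
    "Ciphers": "ciphers",
    "Key Exchange Algorithms": "key-exchange-algorithms",
    "MAC Algorithms": "mac-algorithms",
}


def parse_ssh_show(text):
    """Return {'vserver': name, 'ciphers': [...], ...} from 'Label: a, b' lines."""
    cfg = {"vserver": None, "ciphers": [], "key-exchange-algorithms": [], "mac-algorithms": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        label = label.strip()
        if label == "Vserver":
            cfg["vserver"] = value.strip()
        elif label in LABELS:
            cfg[LABELS[label]] = [a.strip() for a in value.split(",") if a.strip()]
    if not cfg["vserver"]:
        raise ValueError("no Vserver line found")
    return cfg


def weak_algorithms(cfg):
    """Map each list name to the entries that match the weak-algorithm policy."""
    return {field: [a for a in cfg[field] if pat.search(a)] for field, pat in WEAK.items()}


def remediation_commands(cfg):
    """One 'security ssh remove' per list that has weak entries. Refuses to
    emit a command that would empty a list, because that would lock out SSH."""
    cmds = []
    for field, bad in weak_algorithms(cfg).items():
        if not bad:
            continue
        if len(bad) == len(cfg[field]):
            raise ValueError(f"all {field} are weak; add strong ones with "
                             f"'security ssh add' before removing these")
        cmds.append(f"security ssh remove -vserver {cfg['vserver']} -{field} {','.join(bad)}")
    return cmds


if __name__ == "__main__":
    for c in remediation_commands(parse_ssh_show(SAMPLE_SSH_SHOW)):
        print(c)
```

Paste real security ssh show -instance output in place of the sample to get the commands for your own vserver; review them against the clients that still need to connect before running them.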

The following rules are part of the benchmark, but their resolutions are not published on this page (contact us):

K0602I000805 (High): TLS compliance
K0602I0MP700 (High): Disable cleartext protocols
K1002000P130 (High): LUNs accessible to designated hosts only
K20020V00220 (High): CVE analysis
K0202I0MP120 (High): Local user account usage
K2002I0M0382 (Medium): Use Kerberos with NFS
K140200M0370 (High): Anonymous/unknown ID account mapping
K0302I0MP295 (High): Local password policy
K070200M0850 (High): SNMP authentication and privacy

Interested in the complete list of rules?

Data Security Advisor includes:

⇒ The full list of rules for NetApp and other storage vendors, including hundreds of additional best practices.

⇒ The ability to automatically validate the rules in your storage environment.

⇒ Detailed remediation guidance.

⇒ Mapping to information security standards


Contact us to learn more about Data Security Advisor product and our risk assessment services.
