ONTAP must terminate shared/group account credentials when members leave the group.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246924	NAOT-AC-000003	SV-246924r769104_rule		Medium

Description
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.

Description

A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.

STIG	Date
NetApp ONTAP DSC 9.x Security Technical Implementation Guide	2021-07-28

Details

Check Text ( C-50356r769102_chk )
Use "security login show" to see all configured users and groups in ONTAP. Use AD cmdlet "Get-ADGroupMember -Identity " to find the member to be removed from the ONTAP group. If Active Directory does not terminate shared/group account credentials when members leave the group to prevent access to ONTAP, this is a finding.

Fix Text (F-50310r769103_fix)
Use AD cmdlet "Remove-ADGroupMember -Identity -Members " to remove a member from an ONTAP group. Use AD cmdlet "Get-ADGroupMember -Identity " to see the member was removed from the ONTAP group.