Status: accepted
NetApp ONTAP DSC 9.x Security Technical Implementation Guide
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Publisher: DISA. Source: STIG.DOD.MIL
Release: 2 Benchmark Date: 27 Jul 2022
Generator: 3.3.0.27375. Conventions version: 1.10.0. Version: 1
Profiles: I - Mission Critical Classified; I - Mission Critical Public; I - Mission Critical Sensitive; II - Mission Support Classified; II - Mission Support Public; II - Mission Support Sensitive; III - Administrative Classified; III - Administrative Public; III - Administrative Sensitive

SRG-APP-000001-NDM-000200
NAOT-AC-000001
ONTAP must be configured to limit the number of concurrent sessions.
<VulnDiscussion>Device management includes the ability to control the number of administrators and management sessions that manage a device.
Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks.</VulnDiscussion>
Documentable: false
Reference: DPMS Target NetApp ONTAP DSC 9.x (DISA, identifier 5415)
CCI-000054
Fix: Configure the session limit with the command "security session limit modify -interface cli -category application -max-active-limit 1".
Check: Use "security session limit show -interface cli" to check the concurrent session limit.
If the security session limit is not configured to limit the number of concurrent sessions to 1, this is a finding.

SRG-APP-000003-NDM-000202
NAOT-AC-000002
ONTAP must be configured to create a session lock after 15 minutes.
<VulnDiscussion>A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator re-authenticates. No other system activity aside from re-authentication must unlock the management session.
Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. This requirement may only apply to local administrative sessions.</VulnDiscussion>
CCI-000057
Fix: Configure the CLI timeout value to 15 minutes with the command "system timeout modify -timeout 15".
Check: Use "system timeout show" to check the current CLI timeout.
If the system timeout is not set to 15 minutes or less, this is a finding.

SRG-APP-000319-NDM-000283
NAOT-AC-000004
ONTAP must automatically audit account-enabling actions.
<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of application user accounts and notifies administrators and the Information System Security Officer (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.</VulnDiscussion>
CCI-002130
Fix: Use "cluster log-forwarding show" to identify the remote syslog servers defined in ONTAP. If no remote syslog server is defined, use "cluster log-forwarding create" to define a syslog destination (host, port, and transport protocol).
On the remote syslog server, use the tools available there to check for new account creation or the enabling of a disabled account.
Check: Use "cluster log-forwarding show" to see if a remote syslog destination is defined for ONTAP.
Use commands available on the remote syslog server to check for new account creation or enabling a disabled account.
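The check above leaves the detection logic to "commands available on the remote syslog server". The following is an added example, not part of this STIG or of NetApp's tooling, of that logic in Python over forwarded ONTAP audit records: it flags "security login create" and "security login unlock" commands, including failed attempts, and reports the acting user, source address and target account. The field layout of the forwarded kern_audit record is an assumption made for the example, and every sample line is constructed.

```python
"""Added example (not part of the STIG): flag account-creation and
account-enabling commands in ONTAP audit records that have been forwarded
to a syslog server. The record layout matched below is an assumption about
the forwarded kern_audit line format, and every sample line is constructed."""
import re

# Assumed layout of one forwarded audit record:
# <syslog header> [kern_audit:<level>:<pid>] <session-id> :: <cluster>:<interface>
#   :: <source-ip>:<port> :: <vserver>:<user> :: <command> :: <status>
AUDIT_RE = re.compile(
    r"\[kern_audit:\w+:\d+\]\s+\S+\s+::\s+"
    r"(?P<cluster>[^:\s]+):(?P<interface>\w+)\s+::\s+"
    r"(?P<source>\S+)\s+::\s+"
    r"(?P<vserver>[^:\s]+):(?P<actor>\S+)\s+::\s+"
    r"(?P<command>.+?)\s+::\s+(?P<status>.+)$"
)

# Commands that create a login or re-enable one that was locked out.
ENABLING_COMMANDS = (
    ("security login create", "new login created"),
    ("security login unlock", "locked login unlocked"),
)

# Both "-username X" and "-user-or-group-name X" name the affected account.
TARGET_RE = re.compile(r"-user(?:name|-or-group-name)\s+(\S+)")


def account_enabling_events(lines):
    """Return one dict per audit record whose command creates or unlocks a login.

    Failed attempts are reported too: a non-privileged user trying to create an
    admin account is exactly the behaviour the ISSO wants to hear about."""
    events = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit record (EMS traffic, other hosts, ...)
        rec = m.groupdict()
        for prefix, why in ENABLING_COMMANDS:
            if rec["command"].startswith(prefix):
                target = TARGET_RE.search(rec["command"])
                events.append({
                    "actor": rec["actor"],
                    "source": rec["source"],
                    "target": target.group(1) if target else None,
                    "why": why,
                    "status": rec["status"],
                    "command": rec["command"],
                })
    return events


# Constructed syslog lines for illustration (not real cluster output).
SAMPLE_SYSLOG = """\
Jul 28 14:02:11 cluster1 [kern_audit:info:2387] 8003e81600000009 :: cluster1:ssh :: 10.1.2.3:50200 :: cluster1:admin :: security login create -user-or-group-name bob -application ssh -authentication-method password -role admin :: Success
Jul 28 14:03:40 cluster1 [kern_audit:info:2387] 8003e8160000000a :: cluster1:ssh :: 10.1.2.3:50200 :: cluster1:admin :: volume show :: Success
Jul 28 14:05:02 cluster1 [kern_audit:info:2387] 8003e8160000000b :: cluster1:ssh :: 10.1.2.9:41022 :: cluster1:alice :: security login unlock -vserver cluster1 -username svc_backup :: Success
Jul 28 14:05:30 cluster1 [kern_audit:info:2387] 8003e8160000000c :: cluster1:ssh :: 10.1.2.9:41022 :: cluster1:alice :: security login create -user-or-group-name eve -application ssh -authentication-method password -role admin :: Error: not authorized for this command
Jul 28 14:06:00 cluster1 [ems]: vserver svm01 audit log rotated
"""


def report(syslog_text=SAMPLE_SYSLOG):
    """Format the events as lines an ISSO could receive from the syslog server."""
    return [
        f"{e['why']}: target={e['target']} by {e['actor']} from {e['source']} ({e['status']})"
        for e in account_enabling_events(syslog_text.splitlines())
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it against the files the syslog server writes for the cluster (for example by piping the relevant day's log into `account_enabling_events`); the ordinary "volume show" record and the non-audit line are ignored, the two successful changes and the denied attempt are reported. Because the record layout is assumed, compare `AUDIT_RE` against a real forwarded line before relying on it.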
If ONTAP does not automatically audit account-enabling actions, this is a finding.

SRG-APP-000148-NDM-000346
NAOT-AC-000005
ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
<VulnDiscussion>Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.
The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.</VulnDiscussion>
CCI-001358, CCI-002111
Fix: Configure a secure password for the local administrative account with "security login password -username <user_name>".
Check: Use "security login show -role admin -authentication-method password" to list the local, password-authenticated administrative accounts.
If ONTAP is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

SRG-APP-000033-NDM-000212
NAOT-AC-000006
ONTAP must enforce administrator privileges based on their defined roles.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device.
The access policies must include protecting the data in all three states, i.e., data at rest, data in use, and data in motion. An example of each state can be seen through the use of a configuration setting or file for ONTAP. When stored, the data is at rest. When the data is being updated either through the CLI or a web front end, the data is in use, and when the configuration is being transmitted to the devices being managed, the data is in transit.</VulnDiscussion>
CCI-000213, CCI-001199, CCI-000366, CCI-002139
Fix: Create roles with "security login role create -vserver <vserver_name> -role <name> -cmddirname <command_directory> -access <all|readonly|none>" (one entry per command directory the role may use), and assign a role to a specific user or group with "security login create -user-or-group-name <user_name> -role <name>".
Check: Use "security login show" to see all configured users and their roles. Use "security login role show" to see the specific commands allowed for each role.
If ONTAP does not enforce administrator privileges based on their defined roles, this is a finding.

SRG-APP-000340-NDM-000288
NAOT-AC-000009
ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.</VulnDiscussion>
CCI-002235, CCI-000366, CCI-002139
Fix: Configure privileged users with "security login create -user-or-group-name <user_name> -role admin".
Configure non-privileged users with "security login create -user-or-group-name <user_name> -role <role_name>", where <role_name> is a role other than admin that grants only the command directories the user needs.
Check: Use "security login role show" to see the role-based access policies defined in ONTAP for privileged and non-privileged users. Privileged users have the role of admin.
If ONTAP does not prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, this is a finding.

SRG-APP-000065-NDM-000214
NAOT-AC-000010
ONTAP must be configured to enforce the limit of three consecutive failed logon attempts.
<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.</VulnDiscussion>
CCI-000044
Fix: Use the command "security login role config show" to get a list of roles.
For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password and lockout settings for that role.
For any role that does not have "Maximum Number of Failed Attempts" set to 3, use the command "security login role config modify -vserver <vserver_name> -role <role_name> -max-failed-login-attempts 3". This sets only the attempt limit; how long the account then stays locked and the delay after each failed attempt are separate settings of the same role configuration and are shown in the -instance output below.
Check: Use the command "security login role config show" to get a list of roles.
For each role, use the command "security login role config show -vserver <vserver_name> -role <role_name>" to view the password and lockout settings for that role.
If any role has "Maximum Number of Failed Attempts" not set to 3, this is a finding.
Use "security login role config show -role admin -instance" to see the settings for "Maximum Number of Failed Attempts" and "Delay after Each Failed Login Attempt".
If ONTAP is not configured to enforce a limit of three consecutive invalid logon attempts, after which it must block any login attempt for 15 minutes, this is a finding.

SRG-APP-000068-NDM-000215
NAOT-AC-000011
ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
<VulnDiscussion>Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users.</VulnDiscussion>
CCI-000048
Fix: Configure the Standard Mandatory DoD Notice and Consent Banner with "security login banner modify -message <Standard DoD Notice and Consent Banner>" (the banner text must be quoted).
Check: Use "security login banner show" to see the current login notice and consent banner.
If ONTAP is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

SRG-APP-000357-NDM-000293
NAOT-AU-000001
ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
<VulnDiscussion>Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsystem creates the staging volumes. These volumes hold the audit logs until they can be consolidated.
Enabling auditing will also enable guaranteed auditing by default. This feature will guarantee audit records are not lost even when a node goes offline or the disk becomes filled.
Audit records are stored on staging volumes prior to consolidation and conversion.
Staging volumes can only be created by ONTAP and are given volume names that begin with MDV_aud_ followed by the UUID of the aggregate containing the staging volume.</VulnDiscussion>
CCI-001819
Fix: Increase the size of the volume that is full with the command "volume size -vserver <vserver_name> -volume <volume_name> -new-size <size_increase>".
To increase vol1 by 500 MB, the command would be "volume size -vserver <vserver_name> -volume vol1 -new-size +500m".
Check: To ensure audit record storage capacity is sufficient, use the command "df MDV*". The output shows the size of each audit staging volume, the amount used, and the amount available. Sample output looks like the following:
cluster ::> df MDV*
Filesystem kbytes used avail capacity Mounted on
/vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ 1992296 532 1991764 0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/
/vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ 1992296 384 1991912 0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/
/vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ 1992296 1992296 0 100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/
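As an added example (not part of the STIG), the following Python evaluates the sample "df MDV*" output above against this check. It recomputes utilization from the raw kbytes and used counters rather than the rounded capacity column, extracts the aggregate UUID from the staging volume name as the discussion describes, and, beyond the STIG's 100 percent condition, flags volumes above an assumed 90 percent warning threshold so that space can be added before guaranteed auditing starts delaying client operations.

```python
"""Added example (not part of the STIG): evaluate "df MDV*" output against the
NAOT-AU-000001 check. The sample below is the STIG's own illustrative output;
the early-warning threshold is an assumption added here."""
import re

# Sample output as printed in the STIG (whitespace-separated columns).
DF_OUTPUT = """\
cluster ::> df MDV*
Filesystem kbytes used avail capacity Mounted on
/vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/ 1992296 532 1991764 0% /vol/MDV_aud_4a9d8065eac9454bbe042ffddd0df645/
/vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/ 1992296 384 1991912 0% /vol/MDV_aud_62a9aebc8f3d4fe2990e39bb34c66999/
/vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/ 1992296 1992296 0 100% /vol/MDV_aud_fdb78598bd5945ffa6f7bd1197a9f975/
"""

# Staging volume name = MDV_aud_ + UUID of the containing aggregate.
STAGING_RE = re.compile(r"^/vol/(MDV_aud_(?P<aggr_uuid>[0-9a-f]{32}))/$")


def parse_df(text):
    """Parse df rows into dicts; the prompt, header and non-staging lines are skipped."""
    volumes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        m = STAGING_RE.match(parts[0])
        if not m:
            continue
        kbytes, used, avail = (int(p) for p in parts[1:4])
        volumes.append({
            "volume": m.group(1),
            "aggregate_uuid": m.group("aggr_uuid"),
            "kbytes": kbytes,
            "used": used,
            "avail": avail,
            # Recompute from the raw counters: the capacity column is rounded.
            "pct_used": (100.0 * used / kbytes) if kbytes else 100.0,
        })
    return volumes


def evaluate(volumes, warn_pct=90.0):
    """Return (findings, warnings).

    findings: staging volumes with no space left (the STIG's finding condition).
    warnings: volumes above warn_pct (assumed threshold) that will become
    findings and, with audit guarantee on, start delaying client operations."""
    findings, warnings = [], []
    for v in volumes:
        if v["avail"] == 0 or v["used"] >= v["kbytes"]:
            findings.append(v["volume"])
        elif v["pct_used"] >= warn_pct:
            warnings.append(v["volume"])
    return findings, warnings


if __name__ == "__main__":
    vols = parse_df(DF_OUTPUT)
    full, nearly_full = evaluate(vols)
    for v in vols:
        print(f"{v['volume']}: {v['pct_used']:.1f}% used of {v['kbytes']} kB "
              f"(aggregate {v['aggregate_uuid']})")
    print("findings:", full)
    print("warnings:", nearly_full)
```

On the sample output the third staging volume is a finding and the other two are far below the warning threshold. Each staging volume in the sample is about 1.9 GB, so a busy SMB share can fill one between two manual checks; running the evaluation from a scheduled job is more useful than the one-off check the STIG describes.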
If any ONTAP volume shows 100 percent capacity, this is a finding.

SRG-APP-000360-NDM-000295
NAOT-AU-000003
ONTAP must have audit guarantee enabled.
<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee enabled, all SMB operations must generate an audit event before an ACK is returned to the client and the operation completed. If the audit event cannot be written, then the client operation is delayed or denied.</VulnDiscussion>
CCI-001858
Fix: Use the command "vserver audit modify -vserver <vserver_name> -destination <audit_log_location> -audit-guarantee true" to set audit-guarantee to true.
An example command for a vserver named svm01 with the audit logs at /audit_log would be "vserver audit modify -vserver svm01 -destination /audit_log -audit-guarantee true".
Use the command "vserver audit show -fields audit-guarantee" to verify the change.
Check: Use "vserver audit show -fields audit-guarantee" to see if audit guarantee is enabled on each vserver.
If audit-guarantee is set to false on any vserver, this is a finding.

SRG-APP-000373-NDM-000298
NAOT-AU-000004
ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources.
<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.</VulnDiscussion>
CCI-000366, CCI-001893
Fix: Configure Network Time Protocol (NTP) for ONTAP with "cluster time-service ntp server create -server <IP_address_or_hostname>" once for each time source. Up to 10 servers can be defined.
Check: Use "cluster time-service ntp server show" to see the current NTP configuration for ONTAP and ensure there are at least three NTP servers defined.
If ONTAP is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

SRG-APP-000374-NDM-000299
NAOT-AU-000006
ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion>
CCI-001890
Fix: Configure the time zone to UTC with "cluster date modify -timezone UTC".
Check: Use "cluster date show" to see the time zone currently configured.
If ONTAP is not configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), this is a finding.

SRG-APP-000380-NDM-000304
NAOT-CM-000001
ONTAP must enforce access restrictions associated with changes to the device configuration.
<VulnDiscussion>Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system.
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device could potentially have significant effects on the overall security of the device.
Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications.
Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).</VulnDiscussion>
CCI-001813
Fix: Give the admin role only to users who are authorized to change the device configuration, using "security login create -user-or-group-name <user_name> -role admin".
Check: Use "security login show -role admin" to see the users with administrative privilege that allows device configuration.
If ONTAP does not enforce access restrictions associated with changes to the device configuration, this is a finding.

SRG-APP-000516-NDM-000336
NAOT-CM-000002
ONTAP must be configured to use an authentication server to provide multifactor authentication.
<VulnDiscussion>Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important as protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators with multiple authenticators, one for each network device.
Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000149-NDM-000247, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263</VulnDiscussion>
CCI-000370, CCI-000764, CCI-000765, CCI-000166, CCI-000185, CCI-000187
Fix: Configure ONTAP to authenticate administrators against Active Directory rather than against locally stored credentials with "security login create -user-or-group-name <domain\user_or_group_name> -authentication-method domain -application ssh -role <role_name>". Domain authentication of cluster administrators requires a data vserver with a CIFS server to be designated as the authentication tunnel with "security login domain-tunnel create -vserver <cifs_vserver_name>".
Check: Use "security login show -authentication-method domain" to see the users configured to authenticate with Active Directory.
If ONTAP is not configured to use an authentication server, this is a finding.

SRG-APP-000516-NDM-000340
NAOT-CM-000007
ONTAP must be configured to conduct backups of system level information.
<VulnDiscussion>System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component.
This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</VulnDiscussion>
CCI-000366, CCI-000537
Fix: Enter advanced privilege with "set -privilege advanced" (reply "y" to continue) and create a cluster-wide configuration backup with "system configuration backup create -node <node_name> -backup-type cluster -backup-name <name>". To have backups copied to the organization's central backup location, set the upload destination with "system configuration backup settings modify -destination <url> -username <user_name>".
Check: Enter advanced privilege with "set -privilege advanced" (reply "y" to continue) and use "system configuration backup show" to see the configuration backups ONTAP holds.
If ONTAP is not configured to conduct backups of system-level data when changes occur, this is a finding.

SRG-APP-000516-NDM-000344
NAOT-CM-000008
ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates.
<VulnDiscussion>Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastruct cross-certified with the Federal Bridge Certification Authority (CA) at medium assurance or higher, this CA will suffice.</VulnDiscussion>
CCI-000366, CCI-001159
Fix: Generate a new key pair and certificate signing request (CSR) on ONTAP and have the CSR signed by a DoD-approved certificate issuer. Sites must consult the PKI/PKE pages on the http://iase.disa.mil/ website for procedures for NIPRNet and SIPRNet.
Generate the key pair and CSR with the following command and options:
security certificate generate-csr -common-name <FQDN> -size 2048 -hash-function sha256 -country <country> -state <state> -locality <city> -organization <organization> -unit <organization_dept> -email-addr <admin_email>
Use an RSA key of at least 2048 bits and a SHA-256 or stronger digest; 512-bit and 1024-bit keys and SHA-1 digests are not acceptable. The command displays the CSR and the private key on the terminal; store the private key securely, as it must be supplied when the signed certificate is installed.
After receiving the approved certificate and the issuing CA chain from the CA, install them on the vserver that terminates management connections with "security certificate install -vserver <vserver_name> -type server", pasting the signed certificate and the private key when prompted, and bind the certificate to the management interface with "security ssl modify -vserver <vserver_name> -ca <issuer_ca_name> -serial <certificate_serial>". Install the DoD CA certificates used to validate client certificates with "security certificate install -vserver <vserver_name> -type client-ca".
Check: Use the command "security certificate show -instance -type server" to show information about the installed device certificates, and "security certificate show -instance -type client-ca" to show the CA certificates installed for client authentication.
If any of the certificates have the name or identifier of a non-approved source in the Issuer field, this is a finding.

SRG-APP-000142-NDM-000245
NAOT-CM-000009
ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.
Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000382
Create new or modify existing ONTAP firewall policies with "system services firewall policy create" or "system services firewall policy modify" to allow specific IP addresses to access specific network services or ports.
Configure logical interfaces to use firewall policies with "network interface modify -firewall-policy <firewall_policy_name> -lif <logical_interface_name>".
Use "system services firewall policy show" to see all of the configured firewall policies defined in ONTAP.
Use "network interface show -fields firewall-policy" to see which network logical interfaces (LIFs) have which firewall policies configured.
Note: Because the cluster LIF is completely open with no configurable firewall policy, it must be on a private IP subnet on a secure isolated network.
If ONTAP is not configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.
SRG-APP-000153-NDM-000249<GroupDescription></GroupDescription>
NAOT-IA-000001
ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
<VulnDiscussion>To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated.
Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account.
If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality.
Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000770
Configure new administrator Active Directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".
Use "security login show -role admin -authentication-method domain" to see all configured admin users and groups that authenticate using Active Directory.
If ONTAP is not configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role, this is a finding.
SRG-APP-000156-NDM-000250<GroupDescription></GroupDescription>
NAOT-IA-000002
ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts.
<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-001941
Configure new administrator Active Directory users or groups with "security login create -user-or-group-name <user_name> -role admin -authentication-method domain".
Use "security login show -role admin" to see all configured admin users and groups.
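The nonce-based challenge-response mechanism described in the discussion above, played out end to end as an added illustration. This is not ONTAP code and not part of the STIG text; the shared key, the message format and the 30-second challenge lifetime are constructed for the example.

```python
"""Nonce-based challenge-response authentication that resists replay.

Added illustration (constructed key, message format and lifetime);
not an ONTAP interface.
"""
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the demonstration only.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def compute_response(key: bytes, user: str, nonce: bytes) -> bytes:
    """Client side: a MAC over the identity and the verifier's nonce.

    The verifier chose the nonce for this one attempt, so a recorded
    response is only ever valid for that single challenge.
    """
    msg = b"auth-v1|" + user.encode("utf-8") + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Server side: hands out single-use nonces and checks responses."""

    def __init__(self, key: bytes, ttl_seconds: float = 30.0):
        self._key = key
        self._ttl = ttl_seconds
        self._outstanding = {}  # nonce -> time issued

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # 128 bits from the OS CSPRNG
        self._outstanding[nonce] = time.monotonic()
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # pop() makes the nonce single-use whether or not the attempt succeeds
        issued = self._outstanding.pop(nonce, None)
        if issued is None:
            return False  # never issued, or already consumed
        if time.monotonic() - issued > self._ttl:
            return False  # challenge expired
        expected = compute_response(self._key, user, nonce)
        return hmac.compare_digest(expected, response)  # constant-time


def run_exchange() -> dict:
    """One honest login, two replay attempts, then a fresh login."""
    verifier = Verifier(SHARED_KEY)

    # 1. Honest client answers a fresh challenge.
    n1 = verifier.challenge()
    r1 = compute_response(SHARED_KEY, "admin", n1)
    honest = verifier.verify("admin", n1, r1)

    # 2. A recording of (n1, r1) is replayed verbatim: nonce already consumed.
    replay_same = verifier.verify("admin", n1, r1)

    # 3. The recorded response is offered against a new challenge:
    #    the MAC was bound to n1, so it cannot match n2.
    n2 = verifier.challenge()
    replay_other = verifier.verify("admin", n2, r1)

    # 4. A fresh response to a fresh challenge still works.
    n3 = verifier.challenge()
    fresh = verifier.verify("admin", n3, compute_response(SHARED_KEY, "admin", n3))

    return {"honest": honest, "replay_same": replay_same,
            "replay_other": replay_other, "fresh": fresh}


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected'}")
```

A replayed (nonce, response) pair fails twice over: the verifier has already consumed the nonce, and the MAC is bound to that nonce so it cannot be transplanted onto a later challenge. Time-synchronous one-time authenticators, the other technique the discussion mentions, replace the verifier-issued nonce with a shared clock window and keep a record of recently accepted codes for the same reason.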
If any account, other than the admin account used as the account of last resort, has an authentication method other than domain, this is a finding.
SRG-APP-000395-NDM-000310<GroupDescription></GroupDescription>
NAOT-IA-000003
ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC.
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to the limited number (and type) of devices that truly need to support this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-001967
Configure an SNMPv3 user using FIPS-validated Keyed-HMAC with "security login create -user-or-group-name snmptest2 -application snmp -authentication-method usm". The command prompts interactively:
Enter the authoritative entity's EngineID [local EngineID]:
Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha2-256
Enter the authentication protocol password (minimum 8 characters long):
Enter the authentication protocol password again:
Which privacy protocol do you want to choose (none, des, aes128) [none]: aes128
Validate that SNMP is enabled using the command "options -option-name snmp*".
If snmp.enable and snmp.san.enable are set to "off", then SNMP is not enabled and this requirement is not applicable.
Use "security snmpusers -authmethod usm" to see SNMPv3 users using FIPS-validated Keyed-HMAC.
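What the "authentication protocol" prompt above actually selects, shown as an added example that is not ONTAP's implementation: SNMPv3 USM derives the keyed-HMAC key from the user's password and the agent's EngineID, then authenticates each message with a truncated HMAC. Password-to-key and key localization follow RFC 3414 Appendix A.2; the SHA-2 truncation lengths follow RFC 7860. MD5 and SHA-1 appear only so the code can be checked against the published RFC 3414 test vectors (password "maplesyrup", EngineID 00 00 00 00 00 00 00 00 00 00 00 02); the message bytes are constructed.

```python
"""SNMPv3 USM keyed-HMAC authentication: password-to-key, key localization
and truncated HMAC per RFC 3414 (MD5/SHA-1) and RFC 7860 (SHA-2).

Added illustration, not ONTAP's implementation. MD5/SHA-1 are kept only to
check against RFC 3414 Appendix A.3 vectors; sha256 is the choice the
dialog on this page makes (sha2-256).
"""
import hashlib
import hmac

# Truncated msgAuthenticationParameters length in bytes:
# HMAC-96 for MD5/SHA-1 (RFC 3414), usmHMAC128SHA224 .. usmHMAC384SHA512 (RFC 7860).
MAC_LEN = {"md5": 12, "sha1": 12, "sha224": 16, "sha256": 24,
           "sha384": 32, "sha512": 48}

ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 example


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to 1,048,576 bytes.

    The 1 MiB expansion makes every derivation deliberately expensive,
    which slows offline guessing of the password.
    """
    total = 1_048_576
    stretched = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    Binding the key to the EngineID means the same password yields a
    different key on every agent, so a key taken from one device does not
    authenticate to another.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_auth_key(password: str, engine_id: bytes, algo: str) -> bytes:
    """Password -> Ku -> localized Kul for the given engine."""
    ku = password_to_key(password.encode("utf-8"), algo)
    return localize_key(ku, engine_id, algo)


def auth_tag(kul: bytes, message: bytes, algo: str) -> bytes:
    """HMAC over the serialized message (with the authentication-parameters
    field zero-filled on the wire), truncated to the protocol's tag length."""
    return hmac.new(kul, message, algo).digest()[: MAC_LEN[algo]]


def verify_tag(kul: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)


if __name__ == "__main__":
    kul = derive_auth_key("maplesyrup", ENGINE_ID, "sha256")
    msg = b"constructed SNMPv3 message bytes"  # constructed, not a real PDU
    tag = auth_tag(kul, msg, "sha256")
    print("localized key:", kul.hex())
    print("auth tag     :", tag.hex(), "valid:", verify_tag(kul, msg, tag, "sha256"))
```

The sha2-256 choice in the dialog above corresponds to usmHMAC192SHA256: a 32-byte localized key and a 24-byte authentication tag on every message. Localization is why the EngineID prompt precedes the password prompts: the agent's EngineID is an input to the key, so each ONTAP node ends up with its own authentication key even when the same SNMPv3 password is used across a fleet.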
If ONTAP is not configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC, this is a finding.
SRG-APP-000395-NDM-000347<GroupDescription></GroupDescription>
NAOT-IA-000004
ONTAP must authenticate NTP sources using authentication that is cryptographically based.
<VulnDiscussion>If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-001967
Configure an authenticated NTP source using authentication that is cryptographically based with "cluster time-service ntp server create -server <ip_address> -key-id <NTP_Symmetric_Authentication_Key_ID>".
Use "cluster time-service ntp server show" to see authenticated NTP sources using authentication that is cryptographically based.
If any of the NTP servers listed has the field "Is Authentication Enabled" set to false, this is a finding.
SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>
NAOT-IA-000005
ONTAP must enforce a minimum 15-character password length.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000205
Configure the minimum password length for the role admin to 15 with "security login role config modify -role admin -passwd-minlength 15".
Use "security login role config show -role admin -fields passwd-minlength" to see the minimum password length for the role admin.
If ONTAP is not configured to enforce a minimum 15-character password length, this is a finding.
SRG-APP-000166-NDM-000254<GroupDescription></GroupDescription>
NAOT-IA-000006
ONTAP must enforce password complexity by requiring that at least one uppercase character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000192
Configure ONTAP to enforce password complexity by requiring that at least one uppercase character be used for the role admin with "security login role config modify -role admin -passwd-min-uppercase-chars 1".
Use "security login role config show -role admin -fields passwd-min-uppercase-chars" to see the minimum number of uppercase characters required in a password for the role admin.
If ONTAP is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
SRG-APP-000167-NDM-000255<GroupDescription></GroupDescription>
NAOT-IA-000007
ONTAP must enforce password complexity by requiring that at least one lowercase character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000193
Configure ONTAP to enforce password complexity by requiring that at least one lowercase character be used for the role admin with "security login role config modify -role admin -passwd-min-lowercase-chars 1".
Use "security login role config show -role admin -fields passwd-min-lowercase-chars" to see the minimum number of lowercase characters required in a password for the role admin.
If ONTAP is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
SRG-APP-000168-NDM-000256<GroupDescription></GroupDescription>
NAOT-IA-000008
ONTAP must enforce password complexity by requiring that at least one numeric character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000194
Configure ONTAP to enforce password complexity by requiring that at least one numeric character be used with "security login role config modify -role admin -passwd-alphanum enabled".
Use "security login role config show -role admin -fields passwd-alphanum" to see whether at least one letter and one number are required in a password for the role admin.
If ONTAP is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.
SRG-APP-000169-NDM-000257<GroupDescription></GroupDescription>
NAOT-IA-000009
ONTAP must enforce password complexity by requiring that at least one special character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-001619
Configure ONTAP to enforce password complexity by requiring that at least one special character be used with "security login role config modify -role admin -passwd-min-special-chars 1".
Use "security login role config show -role admin -fields passwd-min-special-chars" to see the minimum number of special characters required in a password for the role admin.
If ONTAP is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.
SRG-APP-000412-NDM-000331<GroupDescription></GroupDescription>
NAOT-MA-000002
ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.
<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
Satisfies: SRG-APP-000412-NDM-000331, SRG-APP-000411-NDM-000330, SRG-APP-000179-NDM-000265</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-000803 CCI-003123 CCI-002890
Configure ONTAP to use cryptographic mechanisms: enter "set -privilege advanced" (reply "y" to continue), then "security config modify -is-fips-enabled true".
Enter "set -privilege advanced" (reply "y" to continue), then "security config show" to see whether cluster FIPS mode is true.
If ONTAP is not configured to implement cryptographic mechanisms using FIPS 140-2, this is a finding.
SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>
NAOT-SC-000001
ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-001133
Configure ONTAP to time out idle sessions after 10 minutes with "system timeout modify -timeout 10".
Use "system timeout show" to see the session timeout in minutes.
If ONTAP does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.
SRG-APP-000435-NDM-000315<GroupDescription></GroupDescription>
NAOT-SC-000005
ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks.
<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
Usually, DoS attacks are assumed to be network related, where the attacker floods the network with traffic that causes legitimate network traffic to be either slowed or blocked. For a storage device, a DoS attack can also occur when an attacker is able to make the data on the disks unreadable, and thus unavailable, to the customer. This is a common ransomware attack, in which the attacker encrypts the data on the drives and demands payment for the decryption key. When data authentication keys are in use, an attacker is unable to read or write data on the drives. It is also important to make sure the mode of the drives is set to full; otherwise only some of the data on the drive is protected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-002385
Configure ONTAP to use a data authentication key for access with the command "storage encryption disk modify -disk <disk_ID> -data-key-id <key_ID>", where disk_ID is the disk and key_ID is the data authentication key.
To verify the key is set, use the command "storage encryption disk show -disk <disk_ID>". The command shows the data mode; the mode must be set to full.
If the mode is not set to full, use the command "disk modify -disk <disk_ID> -protection-mode full" to set the mode to full. Validate the mode changed using the command "storage encryption disk show -disk <disk_ID>".
Validate that a data authentication key has been assigned using the command "storage encryption disk show".
If any of the disks has a mode other than "full" or the Data Key ID is missing, this is a finding.
SRG-APP-000516-NDM-000350<GroupDescription></GroupDescription>
NAOT-SI-000001
ONTAP must be configured to send audit log data to a central log server.
<VulnDiscussion>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target NetApp ONTAP DSC 9.x DISA DPMS Target NetApp ONTAP DSC 9.x 5415
CCI-001851
Configure ONTAP for remote syslogging with "cluster log-forwarding create -destination <hostname_or_ip_address>".
Use "cluster log-forwarding show" to see if audit logs are being sent to a remote logging server.
Sample output from the command:
Verify Syslog
Destination Host Port Protocol Server Facility
------------------------ ------ ----------------------- -------- --------
192.168.0.1 514 udp-unencrypted false user
If no remote logging servers are listed, this is a finding.
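The check steps for the NTP rule (the "Is Authentication Enabled" field), the data authentication key rule (mode "full" and a present Data Key ID) and the log forwarding rule above all come down to reading an ONTAP show table and applying a predicate to each row. As an added example, not NetApp's or DISA's code, the following parser reads that table format (header line, dash-run line, one row per line) and applies the three checks. The log-forwarding sample is the page's own output re-aligned to fixed-width columns; the NTP and disk samples, the placeholder key IDs, and the -fields column names is-authentication-enabled and key-id are constructed assumptions.

```python
"""Parse ONTAP 'show' tables and apply three STIG checks from this page.

Added illustration, not NetApp's or DISA's code. The log-forwarding sample
is re-aligned from the output shown on this page; the NTP and disk samples
are constructed, and the -fields names for the NTP check
(is-authentication-enabled, key-id) are assumed.
"""
import re


def parse_show_table(text: str) -> list:
    """Turn ONTAP tabular output into a list of {column: value} dicts.

    Column starts are taken from the dash-run line, so values containing
    spaces (e.g. under "Data Key ID") are sliced correctly. Lines above the
    header (the wrapped upper half of a long column title) and the trailing
    "N entries were displayed." summary are ignored; a table that prints
    "This table is currently empty." yields no rows.
    """
    lines = text.splitlines()
    dash_idx = next((i for i, l in enumerate(lines)
                     if l.strip() and set(l.strip()) <= {"-", " "}), None)
    if dash_idx is None or dash_idx == 0:
        return []
    starts = [m.start() for m in re.finditer(r"-+", lines[dash_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))

    def cut(line):
        return [line[a:b].strip() for a, b in bounds]

    header = cut(lines[dash_idx - 1])
    rows = []
    for line in lines[dash_idx + 1:]:
        s = line.strip()
        if not s or re.match(r"\d+ entr(y|ies) (was|were) displayed\.", s):
            continue
        rows.append(dict(zip(header, cut(line))))
    return rows


# Re-aligned from the page's sample of "cluster log-forwarding show".
LOG_FORWARDING_OUTPUT = """\
                                                 Verify Syslog
Destination Host         Port   Protocol                Server   Facility
------------------------ ------ ----------------------- -------- --------
192.168.0.1              514    udp-unencrypted         false    user
"""
LOG_FORWARDING_EMPTY = "This table is currently empty.\n"  # constructed

# Constructed: cluster time-service ntp server show -fields is-authentication-enabled,key-id
NTP_OUTPUT = """\
server       is-authentication-enabled key-id
------------ ------------------------- ------
10.0.0.5     true                      10
10.0.0.6     false                     -
2 entries were displayed.
"""

# Constructed: storage encryption disk show (key IDs are placeholders)
DISK_OUTPUT = """\
Disk  Mode Data Key ID
----- ---- ----------------------------------------------------------------
1.0.0 full 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
1.0.1 data 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
1.0.2 full
3 entries were displayed.
"""


def check_log_forwarding(output: str) -> dict:
    """NAOT-SI-000001: a finding when no remote log destination is listed."""
    rows = parse_show_table(output)
    return {"finding": not rows,
            "destinations": [r["Destination Host"] for r in rows],
            # Not part of this rule's criterion, but a reviewer will ask.
            "unencrypted": [r["Destination Host"] for r in rows
                            if "unencrypted" in r["Protocol"]]}


def check_ntp_authentication(output: str) -> list:
    """NAOT-IA-000004: servers whose authentication flag is not true.

    The page's criterion is the flag being false; anything other than an
    explicit "true" is treated as unauthenticated, erring on the safe side.
    """
    return [r["server"] for r in parse_show_table(output)
            if r["is-authentication-enabled"].lower() != "true"]


def check_disk_encryption(output: str) -> list:
    """NAOT-SC-000005: disks not in "full" mode or without a Data Key ID."""
    return [r["Disk"] for r in parse_show_table(output)
            if r["Mode"] != "full" or not r["Data Key ID"]]


if __name__ == "__main__":
    print("log forwarding:", check_log_forwarding(LOG_FORWARDING_OUTPUT))
    print("log forwarding (empty):", check_log_forwarding(LOG_FORWARDING_EMPTY))
    print("NTP servers without authentication:", check_ntp_authentication(NTP_OUTPUT))
    print("disks failing mode/key check:", check_disk_encryption(DISK_OUTPUT))
```

The sample on this page forwards over udp-unencrypted; that is not what this rule measures, but the check reports it alongside the finding because it is the first thing a reviewer of the log pipeline would want to know.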