ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-246947 | NAOT-IA-000001 | SV-246947r835248_rule | Medium |
| Description |
|---|
| To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device. |
| STIG | Date |
|---|---|
| NetApp ONTAP DSC 9.x Security Technical Implementation Guide | 2022-06-07 |
Details
| Check Text ( C-50379r835247_chk ) |
|---|
| Use "security login show -role admin -authentication-method domain" to see all configured admin users and groups that authenticate using active directory. If ONTAP is not configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role, this is a finding. |
| Fix Text (F-50333r769172_fix) |
|---|
| Configure new administrator active directory users or groups with "security login create -user-or-group-name |