ONTAP Discussions

Ensuring STIG Settings are in Effect

Harisheldon
8,629 Views

Greetings All,

 

We are currently ensuring that our STIGs for all servers are in place and I have two areas that I cannot find a resolution for.  They are:

 

1.  The maximum number of concurrent sessions - Will need to know if there is a setting to set for a maximum number of users to access the NetApp filers at the same time.

 

2.  The ability for the system to lockout after 15 minutes if idleness. - Like the WIN10 OS, the system will lock after 15 minutes of idleness, is there a setting for the NetApp filers to also have this capability.

 

I have found the one's for the log-on banner and the one for three unsussessful log-on attempts, so I am good here.

 

Any and all help is greatly appreciated.

 

James

8 REPLIES 8

Mholtaftac
7,983 Views

 

What ever became of this? I'm in the same boat as you and I'm looking for the same type of information. What documentation did you start this process from? I still haven't found STIG to start from.

 

Thanks

 

Mike

ElephantCav
7,751 Views

We have a requirement to STIG hardend our environment as well. NetApp provided us a draft version of their Military Hardening Guide for OnTap. We applied via manual hardening based on the recommended settings and was able to pass security.

 

(Attachment removed by admin)

skH
7,490 Views

I too must meet DoD/DISA STIG requirements, but I have questions and maybe some help;

 

1st, to the OP, What STIG are you using for your NetApp because I have not found an applicable STIG. The SAN STIG in the Miscelaneous listings is a generic SAN STIG and not an OS STIG applicable to Ontap.

 

Official Guidance states that, if you don't have an applicable STIG specific to your system, that you should follow Manufacturor's Best Practice for security and hardening. Because we are using the latest 7-Mode 8.x version I have been using the best I could find, although it's very dated:  https://www.netapp.com/us/media/tr-3649.pdf

Also, our compliance guys run ACAS scans with the NetApp plug-in and I do all I can to close all those findings reported by the scans which really helps.

 

The Draft document linked by ElephantCav is great to see because it shows that NetApp wants to meet a real need that several of us have. It does make me wonder about some things, like the IPv6 statement, I've never seen IPv6 implimented anywhere in the Army networks so why does this doc claim it's a requirement, and it looks like NetApp is basing this document off the Network Device SRG and I'm not so sure about that as a basis for this document. Maybe someone at DISA pointed them in that direction.

 

Anyway, if you guys have a better doc to use please share, that's why I pointed out what I have done and I am in good shape here.

 

P.S. Something to mention about the ACAS Scans, they are bad about reporting false positives. The scans may report a vulnerability, that a value must be 5 or less, and the value is 5, but it still fails the scan. The Tenable guys incorrectly wrote the STIG checks, they did a < 5 instead of =or< 5. and good values fail the checks. Now it's up to you, argue the False Positive or just change the setting so that it passes, up to you, I changed mine, I love arguing but I hate arguing with stupid people specially when they are the customer and outside your local chain of command. Besides, some people get vindictive and you can be right and still loose.

 

 

ElephantCav
7,486 Views

skH, 

Refer to my first reply on this thread. I posted the draft STIG hardening document that NetApp provided us. We applied all but turning off the web services and our Nessus scan we have built for SANs seem to like the settings. I dont know who built the audit file we are using in Nessus to scan, but CISO is happy with the results.

AlexDawson
7,480 Views

Hi there!

 

Please reach out to your account teams/SAM teams to get a copy of TR-4754 - NetApp FAS System Data Storage Controller (DSC) DoD Unified Capabilities (UC) Deployment Guide - I think you'll find it a big help. It's an unclassified document (both in gov't terms and NetApp corp info sec policy), but we don't make it publically available

 

Hope this helps!

Mister_Mike
5,400 Views

Mr. Dawson,

 

Good day.  My office performs STIG assessments for other departments.  With that, we don't own any NetAPP appliances.  How can I get a copy of your  TR-4754 - NetApp FAS System Data Storage Controller (DSC) DoD Unified Capabilities (UC) Deployment Guide so we can evaluate those who do have them.

 

Thanks in advance.

AlexDawson
5,385 Views

Hi Mister Mike - please send me your corporate contact details and I will get our product security team to reach out. Thanks!

Mister_Mike
5,244 Views

Alex, 

 

Thanks for your assistance.  In a case of funny timing DISA released the NetAPP STIG today.  It is publicly available at the following link:

 

https://public.cyber.mil/stigs/downloads/

 

Search for NetAPP.    Also, You will need to use the STIG viewer which can be found for different operating systems at this link:

 

https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=stig-viewing

 

Please note, YMMV for those outside of the US. 

 

Public