Harisheldon

What ever became of this? I'm in the same boat as you and I'm looking for the same type of information. What documentation did you start this process from? I still haven't found STIG to start from.

Thanks

Mike

We have a requirement to STIG hardend our environment as well. NetApp provided us a draft version of their Military Hardening Guide for OnTap. We applied via manual hardening based on the recommended settings and was able to pass security. 

I too must meet DoD/DISA STIG requirements, but I have questions and maybe some help;

1st, to the OP, What STIG are you using for your NetApp because I have not found an applicable STIG. The SAN STIG in the Miscelaneous listings is a generic SAN STIG and not an OS STIG applicable to Ontap.

Official Guidance states that, if you don't have an applicable STIG specific to your system, that you should follow Manufacturor's Best Practice for security and hardening. Because we are using the latest 7-Mode 8.x version I have been using the best I could find, although it's very dated:  https://www.netapp.com/us/media/tr-3649.pdf

Also, our compliance guys run ACAS scans with the NetApp plug-in and I do all I can to close all those findings reported by the scans which really helps.

The Draft document linked by ElephantCav is great to see because it shows that NetApp wants to meet a real need that several of us have. It does make me wonder about some things, like the IPv6 statement, I've never seen IPv6 implimented anywhere in the Army networks so why does this doc claim it's a requirement, and it looks like NetApp is basing this document off the Network Device SRG and I'm not so sure about that as a basis for this document. Maybe someone at DISA pointed them in that direction.

Anyway, if you guys have a better doc to use please share, that's why I pointed out what I have done and I am in good shape here.

P.S. Something to mention about the ACAS Scans, they are bad about reporting false positives. The scans may report a vulnerability, that a value must be 5 or less, and the value is 5, but it still fails the scan. The Tenable guys incorrectly wrote the STIG checks, they did a < 5 instead of =or< 5. and good values fail the checks. Now it's up to you, argue the False Positive or just change the setting so that it passes, up to you, I changed mine, I love arguing but I hate arguing with stupid people specially when they are the customer and outside your local chain of command. Besides, some people get vindictive and you can be right and still loose.

skH, 

Refer to my first reply on this thread. I posted the draft STIG hardening document that NetApp provided us. We applied all but turning off the web services and our Nessus scan we have built for SANs seem to like the settings. I dont know who built the audit file we are using in Nessus to scan, but CISO is happy with the results.

Hi there!

Please reach out to your account teams/SAM teams to get a copy of TR-4754 - NetApp FAS System Data Storage Controller (DSC) DoD Unified Capabilities (UC) Deployment Guide - I think you'll find it a big help. It's an unclassified document (both in gov't terms and NetApp corp info sec policy), but we don't make it publically available

Hope this helps!