This is sort of an open-ended question - more seeing what folks out there are doing in this particular space than necessarily looking for the "right" answer. Anyway, we've dabbled with various approaches to standardizing our Data ONTAP builds and security lock-down procedures. Several years ago, we worked with our Nessus scanning team to integrate the Tenable compliance template for NetApp into their scanners (for our 7mode systems):
This wasn't a perfect check, but it was a nice view to show to auditors and it gave us a warm fuzzy that we weren't leaving anything obvious hanging in the breeze. We'd also leverage the OpsMgr configuration comparison tool to see if a new 7mode system that we rolled out was substantively different (security-wise) than our already built "gold" systems.
Fast forward to ONTAP and a lot of those tools are gone. NetApp and Tenable haven't collaborated on an ONTAP 9.x compliance template and the configuration comparison tools have sort of lagged behind the times as well. We’ve mostly relied up on the TRs and such associated with best practices and built audit files for our provisioning procedures. These work fine at build, but we don’t have our NetApp equipment locked down behind a CM tool (like TripWire) that would “flag” any updated variations to that configuration in compliance with our build standard.
Anyway, what else have folks done in this area? Any great ideas out there for automating cluster provisioning and SVM builds in a secure manner? Automated checks for security compliance?