This page provides a list of recommended secure configuration checks for NetApp ONTAP systems, and is periodically updated. ONTAP or Data ONTAP or Clustered Data ONTAP or Data ONTAP 7-Mode is NetApp's proprietary operating system used in storage disk arrays such as NetApp FAS and AFF, ONTAP Select and Cloud Volumes ONTAP.
| ID | System | Category | Configuration check |
| K0102I0M0100 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Allowed protocols |
| K0102I00P105 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Anonymous user access is enabled |
| K0102I0MP110 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Approved admin user / group |
| K0102I0MP115 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Approved NTP Servers |
| K0602I0MP120 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Approved syslog servers |
| K0602I0MP125 | NetApp ONTAP / cDOT / 7-Mode | Access Control | banner status |
| K0602I0MP130 | NetApp ONTAP / cDOT / 7-Mode | Access Control | CIFS SMBv1 status |
| K0102I0MP135 | NetApp ONTAP / cDOT / 7-Mode | Access Control | File share client access list |
| K0102I0M0140 | NetApp ONTAP / cDOT / 7-Mode | Access Control | FIPS mode status |
| K0102I0MP145 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Firewall restrictions |
| K0102I0M0150 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Firewall status |
| K0102I0MP155 | NetApp ONTAP / cDOT / 7-Mode | Access Control | iSCSI interface acl |
| K0102I0MP160 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Motd status |
| K0102I0MP165 | NetApp ONTAP / cDOT / 7-Mode | Access Control | NFS cached credential time |
| K0102I0MP170 | NetApp ONTAP / cDOT / 7-Mode | Access Control | NFS idle connection timeout |
| K0102I0MP175 | NetApp ONTAP / cDOT / 7-Mode | Access Control | NFS privileged ports |
| K0102I0MP180 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Non-default local users |
| K0102I0MP185 | NetApp ONTAP / cDOT / 7-Mode | Access Control | root (vol0) volume export |
| K0802I0MP190 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Root user status |
| K0802I0MP195 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Sensitive data removal (autosupport) |
| K0102I0MP200 | NetApp ONTAP / cDOT / 7-Mode | Access Control | Session timeout |
| K0102I0MP205 | NetApp ONTAP / cDOT / 7-Mode | Access Control | SP SSH ACL |
| K0102I0MP210 | NetApp ONTAP / cDOT / 7-Mode | Audit | Audit logging status |
| K0102I0M0215 | NetApp ONTAP / cDOT / 7-Mode | Audit | Centralized log server |
| K0102I0MP220 | NetApp ONTAP / cDOT / 7-Mode | Audit | Centralized log server redundancy |
| K0102I0M0225 | NetApp ONTAP / cDOT / 7-Mode | Audit | External fpolicy server resilient logging |
| K0102I00P230 | NetApp ONTAP / cDOT / 7-Mode | Audit | Firewall logging status |
| K0102I0MP235 | NetApp ONTAP / cDOT / 7-Mode | Audit | NTP server configuration |
| K0102I0MP240 | NetApp ONTAP / cDOT / 7-Mode | Audit | NTP server redundancy |
| K0102I0MP245 | NetApp ONTAP / cDOT / 7-Mode | Audit | Required External (central) log servers |
| K0702I0MP250 | NetApp ONTAP / cDOT / 7-Mode | Audit | Required NTP Servers |
| K0702I0MP255 | NetApp ONTAP / cDOT / 7-Mode | Audit | Security audit logging - read-only |
| K0102I0MP260 | NetApp ONTAP / cDOT / 7-Mode | Audit | syslog min severity |
| K0102I0M0265 | NetApp ONTAP / cDOT / 7-Mode | Audit | Syslog server authentication |
| K0102I0MP270 | NetApp ONTAP / cDOT / 7-Mode | Audit | Time server (NTP) authentication |
| K0102I0MP275 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Account lockout threshold |
| K0102I0MP280 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Admin password complexity |
| K0102I0MP285 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Authentication server configuration |
| K0102I0MP290 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Autosupport digital certificate validation |
| K0102I00P295 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Central authentication for file share access |
| K0102I0MP300 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Central Certificate Authority (CA) status |
| K0102I0MP305 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Certificate Issuer |
| K0102I000310 | NetApp ONTAP / cDOT / 7-Mode | Authentication | CIFS AD session security level |
| K0102I0MP315 | NetApp ONTAP / cDOT / 7-Mode | Authentication | CIFS domain password change |
| K0102I0MP320 | NetApp ONTAP / cDOT / 7-Mode | Authentication | CIFS password complexity |
| K0102I0MP325 | NetApp ONTAP / cDOT / 7-Mode | Authentication | CIFS server minimum authentication security level |
| K0102I0MP330 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Cluster peer min passphrase length |
| K0302I0M0335 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Default passwords |
| K0302I0MP340 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Initial password change |
| K0102I0MP345 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Ipsec configuration |
| K0102I0MP350 | NetApp ONTAP / cDOT / 7-Mode | Authentication | iSCSI initiator authentication |
| K0102I0MP355 | NetApp ONTAP / cDOT / 7-Mode | Authentication | kerberos configuration |
| K0102I0MP360 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Maximum password age |
| K0102I0iP365 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum account lockout duration |
| K0102I0MP370 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum password age |
| K0102I0MP375 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum password digits |
| K0102I0MP380 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum password length |
| K0102I0MP385 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum password lowercase characters |
| K0102I0MP390 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum password special characters |
| K0102I0M0395 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Minimum password uppercase characters |
| K0102I0M0400 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Multifactor authentication status |
| K0102I0M0405 | NetApp ONTAP / cDOT / 7-Mode | Authentication | NDMP authentication type |
| K0102I0M0410 | NetApp ONTAP / cDOT / 7-Mode | Authentication | NDMP cleartext password |
| K0102I0M0415 | NetApp ONTAP / cDOT / 7-Mode | Authentication | NDMP password length |
| K0102I0MP420 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Number of disallowed past passwords |
| K0102I0MP425 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Password hash strength |
| K0102I0MP430 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Password rules status |
| K0102I0MP435 | NetApp ONTAP / cDOT / 7-Mode | Authentication | Peer to peer communication authentication |
| K0102I0MP440 | NetApp ONTAP / cDOT / 7-Mode | Authentication | SNMP community default string |
| K0102I0M0445 | NetApp ONTAP / cDOT / 7-Mode | Authorization | Admin group mapping |
| K0102I0MP450 | NetApp ONTAP / cDOT / 7-Mode | Authorization | Anonymous user mapping |
| K0102I0MP455 | NetApp ONTAP / cDOT / 7-Mode | Authorization | CIFS anonymous user access restriction |
| K0102I0MP460 | NetApp ONTAP / cDOT / 7-Mode | Authorization | CIFS file access to non-owners |
| K0102I0MP465 | NetApp ONTAP / cDOT / 7-Mode | Authorization | NFS export rule setuid status |
| K0602I0MP470 | NetApp ONTAP / cDOT / 7-Mode | Authorization | NFS File ownership change permission |
| K0602I000475 | NetApp ONTAP / cDOT / 7-Mode | Authorization | NFS unknown UID mapping |
| K0102I0MP480 | NetApp ONTAP / cDOT / 7-Mode | Authorization | nosuid option enabled |
| K0102I0MP485 | NetApp ONTAP / cDOT / 7-Mode | Authorization | Security types for NFS export |
| K0102I0MP490 | NetApp ONTAP / cDOT / 7-Mode | Authorization | Share access rights |
| K0102I0MP495 | NetApp ONTAP / cDOT / 7-Mode | Authorization | SNMP community permission |
| K010200MP500 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Aggr mirror status |
| K010200MP505 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Configuration backup |
| K010200MP510 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Remote copy |
| K010200MP515 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Secure data copy retention (snaplock config) |
| K0102I00P520 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Snaplock retention |
| K0102I0MP525 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Snaplock type |
| K0102I0MP530 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Snapshot autodelete configuration |
| K0102I0MP535 | NetApp ONTAP / cDOT / 7-Mode | Backup and Recovery | Snapshot autodelete status |
| K0102I0MP540 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | Approved DNS servers |
| K0102I0MP545 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | CIFS dialect for widelinks access |
| K0102I000550 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | DDNS status |
| K0102I0MP555 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | DNS service redundancy |
| K0102I0MP560 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | DNS service status |
| K0102I0MP565 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | iSNS configuration |
| K0102I0MP570 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NDMP node-scoped mode |
| K0102I0MP575 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NetBIOS over TCP status |
| K0102I0MP580 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NetBIOS status |
| K0102I0MP585 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NFS AUTH_SYS extended groups status |
| K0102I00P590 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NFS over UDP |
| K0102I0MP595 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NFSv3 MS-DOS client support |
| K0102I0MP600 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | NFSv3 security changes |
| K0102I0MP605 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | Remote support status |
| K0102I0MP610 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | SP firmware image |
| K0102I0MP615 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | Target ONTAP version |
| K0902I0MP620 | NetApp ONTAP / cDOT / 7-Mode | Configuration Management | Updated node security settings |
| K0102I000625 | NetApp ONTAP / cDOT / 7-Mode | Data Integrity | NFS checksum for replay-cache |
| K0102I0MP630 | NetApp ONTAP / cDOT / 7-Mode | Encryption | AES encryption for CIFS |
| K0102I00P635 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Certificate algorithm |
| K0102I0MP640 | NetApp ONTAP / cDOT / 7-Mode | Encryption | CIFS encryption for DC connections |
| K0102I00P645 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Data encryption status |
| K0102I0MP650 | NetApp ONTAP / cDOT / 7-Mode | Encryption | External policy engine SSL option |
| K0102I0MP655 | NetApp ONTAP / cDOT / 7-Mode | Encryption | FTP service status |
| K0102I0MP660 | NetApp ONTAP / cDOT / 7-Mode | Encryption | HTTP service status |
| K0102I0MP665 | NetApp ONTAP / cDOT / 7-Mode | Encryption | HTTP service status (node) |
| K0102I0MP670 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Key size |
| K0102I0MP675 | NetApp ONTAP / cDOT / 7-Mode | Encryption | KMIP configuration |
| K0102I0MP680 | NetApp ONTAP / cDOT / 7-Mode | Encryption | LDAP client session security |
| K0102I0MP685 | NetApp ONTAP / cDOT / 7-Mode | Encryption | NFS encryption strength |
| K0502I0MP690 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Node Autosupport unsecure transport |
| K0502I0MP695 | NetApp ONTAP / cDOT / 7-Mode | Encryption | OCSP configuration |
| K0102I000700 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Peer to peer communication encryption |
| K0102I0MP705 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Permitted encryption types for NFS Kerberos |
| K0102I0MP710 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Secure LDAP for CIFS connections |
| K0102I0MP715 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Secure NDMP (NDMP SSL) used |
| K0102I0MP720 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Signing for CIFS traffic |
| K0102I00P725 | NetApp ONTAP / cDOT / 7-Mode | Encryption | SMB encryption enabled |
| K0102I00P730 | NetApp ONTAP / cDOT / 7-Mode | Encryption | SSH cipher strength |
| K0102I00P735 | NetApp ONTAP / cDOT / 7-Mode | Encryption | SSH MAC strength |
| K0102I0MP740 | NetApp ONTAP / cDOT / 7-Mode | Encryption | SSL certificate status |
| K0102I0MP745 | NetApp ONTAP / cDOT / 7-Mode | Encryption | SSL options |
| K0102I0MP750 | NetApp ONTAP / cDOT / 7-Mode | Encryption | TLS level |
| K0102I0MP755 | NetApp ONTAP / cDOT / 7-Mode | Encryption | Unencrypted syslog traffic |
| K0102I0MP760 | NetApp ONTAP / cDOT / 7-Mode | Information Security | object store security settings |
| K0102I0MP765 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | Anti-ransomware configuration |
| K0102I0MP770 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | Antivirus server redundancy |
| K0802I000775 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | External file policy server |
| K0802I0MP780 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | Ransomware protection Policy |
| K0102I0MP785 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | Ransomware protection policy definition |
| K0102I0MP790 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | Share scan status |
| K0102I0MP795 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | vscan-on-access-policy status |
| K0102I0MP800 | NetApp ONTAP / cDOT / 7-Mode | Malware Protection | Vserver vscan status |
| K0102I0MP805 | NetApp ONTAP / cDOT / 7-Mode | Monitoring | Email notification |
| K0102I0M0810 | NetApp ONTAP / cDOT / 7-Mode | Monitoring | SMTP configuration |
| K0102I0MP815 | NetApp ONTAP / cDOT / 7-Mode | Monitoring | SNMP min severity |
| K0102I0MP820 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | NFS versions enabled |
| K0102I0MP825 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | RSH service status |
| K0102I0MP830 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | SMB version enabled |
| K0102I0MP835 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | SMB version enabled for DC connections |
| K0102I0MP840 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | SNMP versions enabled |
| K0102I0MP845 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | SP IPv6 |
| K010200MP850 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | Storage protocol status |
| K0102I0MP855 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | Telnet service status |
| K0402I0MP860 | NetApp ONTAP / cDOT / 7-Mode | Services and Protocols | Unused protocols |
| ... and more. |
NOTE: Additional security baseline checks should be performed against NetApp storage management products such as Active IQ Unified Manager, OnCommand Insight, OnCommand Workflow Automation, NetApp cluster switches, ONTAP tools, NetApp plugins, ONTAP connectors, Snap Manager, SnapDrive, CloudVolumes, Amazon FSx for NetApp and other NetApp software components.
|
Interested to learn about StorageGuard Security Posture Management for ONTAP?
|
||
|
|
|
|
Comments
0 comments
Please sign in to leave a comment.