Pure FlashArray: Recommended Security Baseline Checks

This page provides a list of recommended secure configuration checks for Pure FlashArray, and is periodically updated. FlashArray from Pure Storage is an all-flash enterprise storage platform.

System	Category	Configuration check
Pure FlashArray	Access Control	Account Lockout duration
Pure FlashArray	Access Control	Account Lockout threshold
Pure FlashArray	Access Control	Anonymous user SMB access is enabled
Pure FlashArray	Access Control	API token_ttl settings
Pure FlashArray	Access Control	Approved admin users / AD groups
Pure FlashArray	Access Control	Approved API Clients
Pure FlashArray	Access Control	Approved cloud offload targets
Pure FlashArray	Access Control	Approved pure1 users
Pure FlashArray	Access Control	Cloud offload enabled
Pure FlashArray	Access Control	Idle session timeout
Pure FlashArray	Access Control	Inactive users
Pure FlashArray	Access Control	Non-default local users
Pure FlashArray	Access Control	Remote support auto termination timeout
Pure FlashArray	Access Control	RemoteAssist state
Pure FlashArray	Audit	Audit logging status
Pure FlashArray	Audit	External logging server
Pure FlashArray	Audit	Lossless logging server protocol
Pure FlashArray	Audit	NTP server configured
Pure FlashArray	Audit	NTP server redundancy
Pure FlashArray	Audit	Required NTP servers
Pure FlashArray	Authentication	Authentication server configuration
Pure FlashArray	Authentication	Authentication server redundancy
Pure FlashArray	Authentication	CHAP authentication mode
Pure FlashArray	Authentication	Default Passwords
Pure FlashArray	Authentication	DS server authenticity enforcement
Pure FlashArray	Authentication	iSCSI CHAP enabled
Pure FlashArray	Authentication	Kerberos settings
Pure FlashArray	Authentication	LDAP redundancy
Pure FlashArray	Authentication	LDAP settings
Pure FlashArray	Authentication	Minimum password length
Pure FlashArray	Authentication	Multifactor authentication
Pure FlashArray	Authentication	Pure1 mutual TLS authentication
Pure FlashArray	Authentication	Rest API authentication
Pure FlashArray	Authentication	SNMP authentication
Pure FlashArray	Authentication	SNMP Authentication Protocol
Pure FlashArray	Authentication	SNMP Community string
Pure FlashArray	Authentication	SNMP user authentication
Pure FlashArray	Authentication	SSO status
Pure FlashArray	Authorization	NFS/SMB permission
Pure FlashArray	Authorization	Root Squash disabled
Pure FlashArray	Authorization	User role configuration
Pure FlashArray	Backup and Recovery	Data retention period
Pure FlashArray	Backup and Recovery	Off-Site Replication Configuration
Pure FlashArray	Backup and Recovery	Secure erase holdout period
Pure FlashArray	Backup and Recovery	Tenant replication allowed
Pure FlashArray	Configuration Management	Approved snapshot offload targets
Pure FlashArray	Configuration Management	Atime synchronization
Pure FlashArray	Configuration Management	Banner configuration
Pure FlashArray	Configuration Management	Central Certificate Authority (CA) status
Pure FlashArray	Configuration Management	Certificate Algorithm
Pure FlashArray	Configuration Management	Certificate expiry date
Pure FlashArray	Configuration Management	Certificate key_size
Pure FlashArray	Configuration Management	DNS server redundancy
Pure FlashArray	Configuration Management	DNS service configuration
Pure FlashArray	Configuration Management	Domain name settings
Pure FlashArray	Configuration Management	Enabled applications
Pure FlashArray	Configuration Management	KMIP/KMS server configuration
Pure FlashArray	Configuration Management	Pure Storage FA SSMS Extension version
Pure FlashArray	Configuration Management	Pure Storage FlashArray PowerShell SDK version
Pure FlashArray	Configuration Management	PureStorage Unified Add-on for Splunk version
Pure FlashArray	Configuration Management	Purity version
Pure FlashArray	Configuration Management	Self-signed certificates
Pure FlashArray	Configuration Management	SMIS status
Pure FlashArray	Configuration Management	Snapshot offload enabled
Pure FlashArray	Configuration Management	SNMP trap host configuration
Pure FlashArray	Configuration Management	SSL certificate private key configuration
Pure FlashArray	Data Integrity	SMB digital signing
Pure FlashArray	Encryption	API used with SSL verification
Pure FlashArray	Encryption	Data encryption algorithm strength
Pure FlashArray	Encryption	Data at-rest encryption
Pure FlashArray	Encryption	Phonehome HTTPS proxy
Pure FlashArray	Encryption	Pure1 TLS level
Pure FlashArray	Encryption	Secure LDAP
Pure FlashArray	Encryption	SMTP with TLS (supported?)
Pure FlashArray	Encryption	SNMP message privacy
Pure FlashArray	Encryption	SSH cipher strength
Pure FlashArray	Encryption	SSH MAC strength
Pure FlashArray	Encryption	TLS Level
Pure FlashArray	Hardening	CC-compliance mode
Pure FlashArray	Hardening	Console lock status
Pure FlashArray	Hardening	Pure SafeMode configuration
Pure FlashArray	Hardening	Rapid Data Locking configuration
Pure FlashArray	Hardening	Restricted shell
Pure FlashArray	Monitoring	Automatic PHONE HOME Enabled
Pure FlashArray	Monitoring	Mail (SMTP) settings
Pure FlashArray	Monitoring	puresupport account configuration
Pure FlashArray	Monitoring	Remote Support Status
Pure FlashArray	Monitoring	Security email notification
Pure FlashArray	Monitoring	SMTP server configuration
Pure FlashArray	Monitoring	SNMP status
Pure FlashArray	Services and Protocols	NFS Enabled
Pure FlashArray	Services and Protocols	Pure1 Enabled
Pure FlashArray	Services and Protocols	SNMP versions allowed
... and more.

NOTE: Secure configuration checks should be performed also for Pure1, FlashBlade, Pure PowerShell SDK and other related Pure components.

Interested to learn about StorageGuard secure configuration checks for Storage and Backup systems?

CONTACT US - Our team will be happy to assist you

Articles in this section

Comments