StorageGRID is a distributed object storage system developed by NetApp. It provides a scalable and secure solution for storing and managing large volumes of data across multiple locations. With its geographically dispersed architecture, StorageGRID enables organizations to efficiently store, protect, and retrieve data, while offering features such as data durability, metadata management, and seamless integration with various applications and cloud platforms.
Securing StorageGRID is of utmost importance. As a distributed object storage system, StorageGRID handles vast quantities of sensitive data, including confidential documents, customer information, and valuable intellectual property. This makes it an attractive target for cyberattacks, underscoring the need for robust security measures to prevent unauthorized access and data breaches.
Ensuring the security of StorageGRID guarantees the integrity, confidentiality, and availability of stored data, mitigating the risk of disruptions to business operations and maintaining the trust of stakeholders. In addition, compliance with regulatory frameworks such as PCI DSS or HIPAA necessitates comprehensive security practices to protect the data stored within StorageGRID.
This page provides a list of recommended secure configuration checks for NetApp StorageGRID systems, and is periodically updated.
ID | System | Category | Configuration check |
--- | --- | --- | --- |
K3214I0MP0425 | NetApp StorageGRID | Access Control | Accept inbound client traffic only on explicitly configured endpoints |
K3214I0MP0315 | NetApp StorageGRID | Access Control | Admin proxy for AutoSupport |
K3214I00P0415 | NetApp StorageGRID | Access Control | All internal traffic ports on the Admin Network are blocked |
K3214I0MP0420 | NetApp StorageGRID | Access Control | All internal traffic ports on the Client Network are blocked |
K3214I0MP0390 | NetApp StorageGRID | Access Control | Untrusted traffic on port 623 blocked |
K3214I0MP0385 | NetApp StorageGRID | Access Control | BMC management port status |
K3214I0MP0375 | NetApp StorageGRID | Access Control | Client Network on the Gateway Node is untrusted |
K3214I0MP0365 | NetApp StorageGRID | Access Control | Client Network on the Storage Node is untrusted |
K3214I0MP0470 | NetApp StorageGRID | Access Control | Cross-Origin Resource Sharing (CORS) |
K3214I0MP0255 | NetApp StorageGRID | Access Control | Idle session timeout |
K3214I0MP0575 | NetApp StorageGRID | Access Control | IPMI IP ACL |
K3214I0MP0595 | NetApp StorageGRID | Access Control | IPMI user list |
K3214I0MP0380 | NetApp StorageGRID | Access Control | Restrict access to SANtricity System Manager |
K3214I0MP0410 | NetApp StorageGRID | Access Control | Restrict SSH access to trusted clients |
K3214I0MP0310 | NetApp StorageGRID | Access Control | Restricted access to admin node |
K3214I0MP0335 | NetApp StorageGRID | Access Control | Restricted access to storage node |
K3214I0MP0330 | NetApp StorageGRID | Access Control | Separated Admin Nodes for grid administrators and tenant users |
K5214I0MP0570 | NetApp StorageGRID | Access Control | Separated client, administration, and internal grid networks |
K3214I0MP0320 | NetApp StorageGRID | Access Control | Separated Grid Manager and Tenant Manager communications |
K3214I0MP0325 | NetApp StorageGRID | Access Control | Shared port 443 blocked |
K3214I0MP0360 | NetApp StorageGRID | Access Control | Storage proxy for communication to external services |
K3214I0MP0355 | NetApp StorageGRID | Access Control | Untrusted tenants: no direct access to Tenant Management API |
K3214I0MP0350 | NetApp StorageGRID | Access Control | Untrusted tenants: no direct access to the Tenant Manager |
K3214I0MP0535 | NetApp StorageGRID | Authentication | Anonymous access is disabled for S3 accounts |
K3214I0MP0455 | NetApp StorageGRID | Authentication | Certificate expiration time |
K3214I0MP0505 | NetApp StorageGRID | Authentication | Certificate issuer |
K3214I0MP0430 | NetApp StorageGRID | Authentication | Default certificates replaced |
K3214I0MP0225 | NetApp StorageGRID | Authentication | Federated user group status |
K3214I0MP0605 | NetApp StorageGRID | Authentication | IPMI anonymous user access |
K3214I0MP0590 | NetApp StorageGRID | Authentication | IPMI default password |
K3214I0MP0220 | NetApp StorageGRID | Authentication | Local identity provider |
K3114I0MP0440 | NetApp StorageGRID | Authentication | Management Interface Server Certificate |
K3214I0MP0450 | NetApp StorageGRID | Authentication | No use of wildcard certificates (except S3 virtual hosted style endpoint) |
K3214I0MP0445 | NetApp StorageGRID | Authentication | Object Storage API Service Endpoints Server Certificate |
K3214I0MP0435 | NetApp StorageGRID | Authentication | Self-signed certificates not used |
K3214I0MP0135 | NetApp StorageGRID | Authentication | SNMP authentication |
K3214I0MP0165 | NetApp StorageGRID | Authentication | SNMP community default string |
K3214I0MP0530 | NetApp StorageGRID | Authentication | SSH authentication types |
K3214I0M00215 | NetApp StorageGRID | Authentication | Tenant identity provider |
K3214I0MP0340 | NetApp StorageGRID | Authentication | Untrusted tenant: identity source limited |
K3214I0MP0150 | NetApp StorageGRID | Authorization | SNMPv3 Read-Only user |
K3214I0MP0245 | NetApp StorageGRID | Configuration Management | Approved DNS servers |
K3214I0MP0615 | NetApp StorageGRID | Configuration Management | Approved IPMI version |
K3214I0MP0105 | NetApp StorageGRID | Configuration Management | Approved KMS servers |
K3214I0MP0190 | NetApp StorageGRID | Configuration Management | Approved NTP servers |
K3214I0MP0405 | NetApp StorageGRID | Configuration Management | Approved StorageGRID software version |
K3214I0MP0460 | NetApp StorageGRID | Configuration Management | AutoSupport state |
K3214I0MP0370 | NetApp StorageGRID | Configuration Management | CLB service on Gateway Nodes not used |
K3214I0MP0235 | NetApp StorageGRID | Configuration Management | DNS server configuration |
K3214I0MP0230 | NetApp StorageGRID | Configuration Management | DNS server redundancy |
K3214I0MP0585 | NetApp StorageGRID | Configuration Management | IPMI status |
K3214I0MP0240 | NetApp StorageGRID | Configuration Management | Required DNS servers |
K3214I0MP0185 | NetApp StorageGRID | Configuration Management | Required NTP servers |
K3214I0MP0160 | NetApp StorageGRID | Configuration Management | SNMP communication protocol (TCP) |
K3214I0MP0145 | NetApp StorageGRID | Configuration Management | SNMP version status |
K3214I0MP0155 | NetApp StorageGRID | Configuration Management | SNMPv3 user status |
K8214I0MP0510 | NetApp StorageGRID | Configuration Management | SSH version |
K3214I0MP0610 | NetApp StorageGRID | Configuration Management | Target BMC firmware |
K3214I0MP0555 | NetApp StorageGRID | Data Integrity | Hashing function for S3 access keys |
K3214I0M00515 | NetApp StorageGRID | Data Integrity | MAC algorithm for SSH connections |
K3214I0MP0550 | NetApp StorageGRID | Data Integrity | Version for signing S3 API requests |
K3214I0MP0125 | NetApp StorageGRID | Data Retention and Immutability | Approved ILM policy configuration |
K3214I0MP0275 | NetApp StorageGRID | Data Retention and Immutability | Bucket versioning status |
K3214I00P0130 | NetApp StorageGRID | Data Retention and Immutability | ILM rule configuration |
K3214I0MP0540 | NetApp StorageGRID | Data Retention and Immutability | Minimum data protection level |
K3214I0MP0290 | NetApp StorageGRID | Data Retention and Immutability | Object-lock status |
K3214I0MP0545 | NetApp StorageGRID | Data Retention and Immutability | WORM protection |
K3214I0MP0465 | NetApp StorageGRID | Encryption | AutoSupport transport protocol |
K3214I0MP0560 | NetApp StorageGRID | Encryption | Data encryption algorithm strength |
K3214I0MP0120 | NetApp StorageGRID | Encryption | Data in Transit encryption algorithm |
K3214I0MP0395 | NetApp StorageGRID | Encryption | Drive Security keys configured |
K3214I0MP0600 | NetApp StorageGRID | Encryption | IPMI security |
K3214I0MP0520 | NetApp StorageGRID | Encryption | Key exchange algorithms for SSH connections |
K9214I00P0110 | NetApp StorageGRID | Encryption | KMS server redundancy |
K3214I0MP0115 | NetApp StorageGRID | Encryption | KMS server status |
K3214I0MP0205 | NetApp StorageGRID | Encryption | Local Azure secure LDAP |
K3214I0MP0210 | NetApp StorageGRID | Encryption | Local secure LDAP |
K3214I0MP0400 | NetApp StorageGRID | Encryption | Node encryption with KMS |
K3214I0MP0100 | NetApp StorageGRID | Encryption | Required KMS servers |
K5214I0MP0140 | NetApp StorageGRID | Encryption | SNMP privacy |
K3214I0MP0525 | NetApp StorageGRID | Encryption | SSH ciphers |
K3214I0MP0195 | NetApp StorageGRID | Encryption | Tenant Azure secure LDAP |
K3214I0MP0270 | NetApp StorageGRID | Encryption | Tenant Object encryption status |
K3214I0MP0200 | NetApp StorageGRID | Encryption | Tenant secure LDAP |
K3214I0MP0500 | NetApp StorageGRID | Encryption | TLS level |
K3214I0MP0285 | NetApp StorageGRID | Encryption | Weak object encryption algorithms |
K3214I0MP0286 | NetApp StorageGRID | Data Integrity | Weak object hash algorithms |
K3214I0MP0250 | NetApp StorageGRID | Hardening | Deactivated system features |
K3214I0MP0565 | NetApp StorageGRID | Hardening | FIPS compliance |
K2214I0MP0295 | NetApp StorageGRID | Hardening | Hardware variance |
K3214I0MP0580 | NetApp StorageGRID | Hardening | IPMI Serial over LAN |
K3214I0MP0345 | NetApp StorageGRID | Hardening | Untrusted tenant: use of platform services disallowed |
K3214I0MP0480 | NetApp StorageGRID | Logging | Audit level |
K3214I0MP0260 | NetApp StorageGRID | Logging | Event types enabled for audit logging |
K3214I0MP0180 | NetApp StorageGRID | Logging | NTP server configuration |
K3214I0MP0175 | NetApp StorageGRID | Logging | NTP server redundancy |
K3214I0MP0475 | NetApp StorageGRID | Logging | syslog server |
K3214I0MP0490 | NetApp StorageGRID | Monitoring | Alarms configuration |
K3214I0MP0495 | NetApp StorageGRID | Monitoring | Alerts configuration |
K3214I0MP0265 | NetApp StorageGRID | Monitoring | Silenced critical alerts |
K3214I0MP0485 | NetApp StorageGRID | Monitoring | SMTP server configuration |
K3214I0MP0280 | NetApp StorageGRID | Services and Protocols | HTTP protocol status |
K3214I0MP0170 | NetApp StorageGRID | Services and Protocols | SNMP service status |
K3214I0MP0300 | NetApp StorageGRID | Services and Protocols | Unused CIFS |
K3214I0MP0305 | NetApp StorageGRID | Services and Protocols | Unused NFS |
... and more. |
NOTE: Additional configuration control checks should be performed for the underlying node OS, hypervisor, AWS account and other components commonly used in a StorageGRID deployment.