15 Replies. Latest reply: May 4, 2016 7:41 AM by snap326

Auditing NetApp Data ONTAP with Nessus

Mehul Guru

Recently we released a compliance plugin for VMware vCenter/vSphere, and before that we did a .audit for Cisco NX-OS which targeted the networking layer. Today we are adding support for another critical piece of the virtual infrastructure by releasing a new plugin for NetApp Data ONTAP, which targets the storage layer.

 

Storage systems are a critical piece of today's virtualized environments. After all, they are the ones holding all the "data" in a typical data center. But they rarely get the same kind of scrutiny a general purpose OS or a router OS gets, even though they are equally (if not more) important. From a compliance perspective, auditing these systems helps us prove two things: first, that the data is tucked away safely and securely; and second, that companies with strict data retention (e.g. e-mail) or backup requirements can prove they are in compliance with various regulatory requirements with a simple switch of an option.

 

Scan Requirements:

- root/admin credentials for NetApp Data ONTAP filer.
- Audit policy for NetApp Data ONTAP Compliance Checks, documented here.
- Plugin ID #66934 (NetApp Data ONTAP Compliance Checks)

 

Setting up the scan

- Create a new policy
- Enter SSH credentials.

ssh.png

- Enable Plugin ID #66934

plugin.png

- Apply .audit policy

audit.png

- Save the policy and run the scan.

 

Sample Results:

NetApp-BP-Summary.png
NetApp-BP-PASS.png
NetApp-BP-FAIL.png

 

NetApp Data ONTAP syntax:

The syntax is identical to our CheckPoint plugin.

Here's an example:

 

<custom_item>
   type        : CONFIG_CHECK
   description : "1.2 Secure Storage Design, Enable Kerberos with NFS - 'nfs.kerberos.enable = on'"
   info        : "NetApp recommends the use of security features in IP storage protocols to secure client access"
   solution    : "Enable Kerberos with NFS"
   reference   : "PCI|2.2.3"
   see_also    : "http://media.netapp.com/documents/tr-3649.pdf"
   regex       : "nfs.kerberos.enable[\\s\\t]+"
   expect      : "nfs.kerberos.enable[\\s\\t]+on"
</custom_item>
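To make the regex/expect semantics concrete, here is an added Python example (not Tenable's code) that parses a custom_item like the one above and evaluates it against a constructed sample of 7-mode `options` output. It assumes the simple CONFIG_CHECK model that `regex` selects the configuration lines and `expect` must then match every selected line, with no selected line counting as a failure.

```python
import re

# Constructed .audit item mirroring the check shown above (not Tenable's file).
AUDIT_ITEM = r'''
<custom_item>
   type        : CONFIG_CHECK
   description : "Enable Kerberos with NFS - 'nfs.kerberos.enable = on'"
   regex       : "nfs.kerberos.enable[\\s\\t]+"
   expect      : "nfs.kerberos.enable[\\s\\t]+on"
</custom_item>
'''

# Constructed sample of 7-mode `options` output; not captured from a real filer.
OPTIONS_OUTPUT = """\
nfs.kerberos.enable          off
nfs.v3.enable                on
nfs.v4.enable                off
"""

def parse_item(text):
    """Collect the key/value fields of one <custom_item>, unescaping the doubled
    backslashes that .audit quoted strings require."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*:\s*(.*?)\s*$', line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\\\', '\\')
        fields[key] = val
    return fields

def evaluate(fields, config_text):
    """Assumed CONFIG_CHECK model: 'regex' selects config lines, 'expect' must match each."""
    selector = re.compile(fields['regex'])
    expected = re.compile(fields['expect'])
    selected = [ln for ln in config_text.splitlines() if selector.search(ln)]
    if not selected:
        return 'FAILED', 'no line matched regex'   # option missing from the output
    failing = [ln for ln in selected if not expected.search(ln)]
    if failing:
        return 'FAILED', failing[0]                # evidence: the offending line
    return 'PASSED', selected[0]

def run_check(item_text, config_text):
    """Return only the status string for one .audit item against captured config."""
    return evaluate(parse_item(item_text), config_text)[0]

if __name__ == '__main__':
    status, evidence = evaluate(parse_item(AUDIT_ITEM), OPTIONS_OUTPUT)
    print(status, '->', evidence)   # FAILED -> nfs.kerberos.enable          off
```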

 

That wraps up today's discussion on NetApp Data ONTAP. If you have any questions, please feel free to contact Tenable support or post a reply here.

 

-Mehul

  • Re: Auditing NetApp Data ONTAP with Nessus
    Novice

    Ran this from Security Center 4.4, but only got back one result (saying NFSv4 was disabled -- PASSED).  Would expect many more results from looking at the audit file source.

     

    I had enabled *only* this one plugin though and provided valid SSH login credentials.  It isn't clear if I need to explicitly enable additional plugins (I would assume they'd be enabled via dependency checking).

     

    Of note -- we ran the scan against an ONTAP simulator.

  • Re: Auditing NetApp Data ONTAP with Nessus
    Novice

    Do NetApps need to be running in Cluster-Mode in order to audit the configuration? Local security checks aren't being run because "uname -a" fails. We're running our NetApps in 7-mode.

    • Re: Auditing NetApp Data ONTAP with Nessus
      Mehul Guru

      AFAIK, the mode shouldn't matter as long as you have SSH enabled. Could you please run the scan from command line, and report back the output?

       

      /opt/nessus/bin/nasl -t netapp_ip netapp_dataontap_compliance_check.nbin

       

      Thanks.

       

      -Mehul

      • Re: Auditing NetApp Data ONTAP with Nessus
        Mehul Guru

        Running a Nessus scan with root/admin credentials is ideal, but if that's not an option, here is a minimum set of instructions that would allow Nessus to log in over ssh and perform the audit.

         

        1. Create a new role, e.g. nessus_audit

           useradmin role add nessus_audit -a login-ssh,cli-version,cli-options,cli-uptime

        2. Assign the role to a group, e.g. nessus_admins

           useradmin group add nessus_admins -r nessus_audit

        3. And, finally, assign the group to a user

           useradmin user add nessus -g nessus_admins

         

        -Mehul

        • Re: Auditing NetApp Data ONTAP with Nessus
          walcy Apprentice

          When I am looking at my scan results for NetApp devices, what should I be looking for to determine what is a successful scan result when scanning NetApp devices?

          Which plugins should I see if it is a successful scan result? And what should the plugin output be for these plugins if they are successful?

          What plugins should I see if it is a failed scan result? And what should the plugin output be for these plugins if they are not successful?
