Recently we released a compliance plugin for VMware vCenter/vSphere, and before that a .audit for Cisco NX-OS, which targeted the networking layer. Today we are adding support for another critical piece of the virtual infrastructure by releasing a new plugin for NetApp Data ONTAP, which targets the storage layer.
Storage systems are a critical piece of today's virtualized environments. After all, they are the ones holding all the "data" in a typical data center. But they rarely get the same kind of scrutiny that a general-purpose OS or a router OS gets, even though they are equally (if not more) important. From a compliance perspective, auditing these systems helps us prove two things. First, that the data is tucked away safely and securely. Second, companies that have strict data retention (e.g., e-mail) or backup requirements can prove they are in compliance with various regulatory requirements with a simple switch of an option.
- root/admin credentials for NetApp Data ONTAP filer.
- Audit policy for NetApp Data ONTAP Compliance Checks, documented here.
- Plugin ID #66934 (NetApp Data ONTAP Compliance Checks)
Setting up the scan
- Create a new policy
- Enter SSH credentials.
- Enable Plugin ID #66934
- Apply .audit policy
- Save the policy and run the scan.
Sample Results :
NetApp Data ONTAP syntax :
The syntax is identical to that of our CheckPoint plugin.
Here's an example:
<custom_item>
  type : CONFIG_CHECK
  description : "1.2 Secure Storage Design, Enable Kerberos with NFS - 'nfs.kerberos.enable = on'"
  info : "NetApp recommends the use of security features in IP storage protocols to secure client access"
  solution : "Enable Kerberos with NFS"
  reference : "PCI|2.2.3"
  see_also : "http://media.netapp.com/documents/tr-3649.pdf"
  regex : "nfs.kerberos.enable[\\s\\t]+"
  expect : "nfs.kerberos.enable[\\s\\t]+on"
</custom_item>
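To see how the regex and expect fields work together, the following added example (not Tenable's code and not part of the original post) models the check in Python against a constructed option listing. It assumes that regex selects the configuration lines of interest, that every selected line must match expect, that a missing line counts as a failure, and that the doubled backslashes stand for a single regex backslash; the function names are hypothetical.

```python
import re

# Constructed sample of a filer option listing; not captured from a real system.
SAMPLE_OPTIONS = """\
nfs.kerberos.enable          off
nfs.mount_rootonly           on
"""

# The check from the post, reduced to the fields this model uses.
ITEM_TEXT = r'''
type        : CONFIG_CHECK
description : "1.2 Secure Storage Design, Enable Kerberos with NFS - 'nfs.kerberos.enable = on'"
regex       : "nfs.kerberos.enable[\\s\\t]+"
expect      : "nfs.kerberos.enable[\\s\\t]+on"
'''

def parse_item(text):
    """Parse 'key : value' lines into a dict, dropping surrounding quotes."""
    item = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        item[key.strip()] = value.strip().strip('"')
    return item

def unescape(pattern):
    # Assumption: a doubled backslash in the .audit string is one regex backslash.
    return pattern.replace("\\\\", "\\")

def evaluate(item, config):
    """Simplified model: return (result, offending_lines) for one CONFIG_CHECK."""
    selector = re.compile(unescape(item["regex"]))
    expected = re.compile(unescape(item["expect"]))
    selected = [ln for ln in config.splitlines() if selector.search(ln)]
    if not selected:
        # Assumption: an option absent from the listing is treated as a failure.
        return "FAILED", []
    bad = [ln for ln in selected if not expected.search(ln)]
    return ("FAILED" if bad else "PASSED"), bad

if __name__ == "__main__":
    item = parse_item(ITEM_TEXT)
    result, offending = evaluate(item, SAMPLE_OPTIONS)
    print(item["description"], "->", result)
    for line in offending:
        print("  non-compliant line:", line)
```

With the sample listing the check fails because the selected line ends in off; changing that value to on makes it pass.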
That wraps up today's discussion on NetApp Data ONTAP. If you have any questions, please feel free to contact Tenable support or post a reply to this post.