Privilege level for NetApp Ontap

What authentication record do I use for NetApp Ontap targets?

You'll need to create a Unix authentication record and choose Target Type "NetApp Ontap (Policy Compliance)" on the Login Credentials tab.

What privileges are needed for compliance scans of NetApp Ontap?

The scan user account you provide for authentication needs to have the "admin" role for a complete compliance scan. This role permits access to all of the commands required for scanning.

Commands required for scanning

Here's a list of commands required for scanning:

cmd: "security login role config show -fields username-minlength"
cmd: "security login role config show -fields username-alphanum"
cmd: "security login role config show -fields passwd-minlength"
cmd: "security login role config show -fields passwd-alphanum"
cmd: "security login role config show -fields passwd-min-special-chars"
cmd: "security login role config show -fields passwd-expiry-time"
cmd: "security login role config show -fields require-initial-passwd-update"
cmd: "security login role config show -fields max-failed-login-attempts"
cmd: "security login role config show -fields lockout-duration"
cmd: "security login role config show -fields disallowed-reuse"
cmd: "security login role config show -fields change-delay"
cmd: "security login role config show -fields delay-after-failed-login"
cmd: "security login role config show -fields passwd-min-lowercase-chars"
cmd: "security login role config show -fields passwd-min-uppercase-chars"
cmd: "security login role config show -fields passwd-expiry-warn-time"
cmd: "security login role config show -fields account-inactive-limit"
cmd: "system timeout show"
cmd: "cluster log-forwarding show"
cmd: "event notification show"
cmd: "security ssh show -fields max-authentication-retry-count"
cmd: "timezone"
cmd: "vserver services dns show -fields vserver,domains,name-servers"
cmd: "vserver services nis-domain show -fields vserver,domain,nis-servers"
cmd: "vserver services ldap client show"
cmd: "vserver iscsi status -fields vserver,status-admin"
cmd: "vserver fcp show -fields vserver,target-name,status-admin"
cmd: "security login role config show -fields passwd-min-digits"
cmd: "security login role config show -fields account-expiry-time"
cmd: "vserver nfs show"

How to create a scan user account on the system to scan

You'll need to create a scan user account (e.g. qualys_scan) and assign the admin role. Then provide this user account in your authentication record.

Using Web UI

1) Log on to the NetApp system. Go to the Management/Users page and add a new user.

2) Provide a username and password for the new user account. Then make sure the following settings are selected in the User Login Methods section:

Application: ssh
Authentication: password
Role: admin

Using CLI

1) Log on to the NetApp system via SSH using an admin account.

2) Use the following command:

security login create -user <username> -application ssh -authentication-method password -role admin

3) When prompted, enter the password.
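Before handing the new account to the scanner, it is worth confirming that it can actually run the commands the scan issues. The following pre-flight script is an added example (not Qualys or NetApp code): it runs a subset of the commands listed above over SSH as the scan user and reports any that are denied or fail. It assumes an ssh client on PATH with key or agent authentication for the scan user, and that ONTAP reports a role denial with the text "not authorized" (an assumption about the message wording).

```python
#!/usr/bin/env python3
"""Pre-flight check: can the scan account run the ONTAP commands a
compliance scan needs? Reports ok / denied / error per command."""
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# Subset of the command list above; extend with the remaining entries as needed.
REQUIRED_COMMANDS: List[str] = [
    "security login role config show -fields passwd-minlength",
    "security login role config show -fields max-failed-login-attempts",
    "security login role config show -fields lockout-duration",
    "system timeout show",
    "cluster log-forwarding show",
    "event notification show",
    "security ssh show -fields max-authentication-retry-count",
    "timezone",
    "vserver services dns show -fields vserver,domains,name-servers",
    "vserver services ldap client show",
    "vserver nfs show",
]

# A runner executes one ONTAP command and returns (exit_code, combined output).
Runner = Callable[[str], Tuple[int, str]]

def ssh_runner(host: str, user: str) -> Runner:
    """Build a runner that executes one ONTAP CLI command over SSH (BatchMode, no prompts)."""
    def run(cmd: str) -> Tuple[int, str]:
        proc = subprocess.run(["ssh", "-o", "BatchMode=yes", f"{user}@{host}", cmd],
                              capture_output=True, text=True, timeout=60)
        return proc.returncode, proc.stdout + proc.stderr
    return run

def check_commands(commands: List[str], run: Runner) -> Dict[str, List[str]]:
    """Classify each command: 'denied' on an ONTAP role denial (assumed wording
    'not authorized'), 'error' on any other failure, otherwise 'ok'."""
    result: Dict[str, List[str]] = {"ok": [], "denied": [], "error": []}
    for cmd in commands:
        code, out = run(cmd)
        if "not authorized" in out.lower():
            result["denied"].append(cmd)
        elif code != 0 or out.lstrip().startswith("Error"):
            result["error"].append(cmd)
        else:
            result["ok"].append(cmd)
    return result

if __name__ == "__main__":
    host, user = sys.argv[1], sys.argv[2]  # usage: preflight.py <cluster-mgmt-host> <scan-user>
    report = check_commands(REQUIRED_COMMANDS, ssh_runner(host, user))
    for status, cmds in report.items():
        for c in cmds:
            print(f"{status:6} {c}")
    sys.exit(0 if not report["denied"] and not report["error"] else 1)
```

A non-zero exit means the account is missing privileges (or the host is unreachable); fix the role assignment before running the compliance scan.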


Note: NetApp Data ONTAP 9.x is supported only for share access-related controls. It is recommended to perform a full scan instead of a policy-specific scan that includes only the supported controls.