NetApp ONTAP DSC 9.x STIG Version Comparison
NetApp ONTAP DSC 9.x Security Technical Implementation Guide
Comparison
There are 5 differences between versions v1 r2 (July 27, 2022) (the "left" version) and v1 r4 (April 24, 2024) (the "right" version).
Check NAOT-SC-000005 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks.
Check Content
Validate that a data authentication key has been assigned using the command "storage encryption disk show". If any of the disks has a mode other than "full" or the Data Key ID is missing, this is a finding.
Discussion
DoS is a condition in which a resource is not available to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. DoS attacks are usually assumed to be network related, where the attacker floods the network with traffic so that legitimate traffic is slowed or blocked. For a storage device, a DoS attack can also occur when an attacker is able to make the data on the disks unreadable, and thus unavailable, to the customer. This is the technique used by ransomware: the attacker encrypts the data on the drives and demands payment for the decryption key. When the drives are locked with data authentication keys, an attacker who does not hold the key is unable to read or write data on them. It is also important to make sure the protection mode of the drives is set to "full"; in any other mode only part of the drive's protection is in effect.
Fix
Configure ONTAP to use a data authentication key for access with the command "storage encryption disk modify -disk <disk_ID> -data-key-id <key_ID>", where <disk_ID> is the disk and <key_ID> is the data authentication key. To verify the key is set, use the command "storage encryption disk show -disk <disk_ID>"; the output shows the disk's mode and Data Key ID. The mode must be "full". If it is not, use the command "disk modify -disk <disk_ID> -protection-mode full" to set it, then confirm the change with "storage encryption disk show -disk <disk_ID>".
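The check and fix above are manual: an operator reads the table printed by "storage encryption disk show" and looks for disks whose mode is not "full" or whose Data Key ID is absent. The following Python script is an added example, not part of the STIG or of this comparison page: it parses a captured copy of that table, reports each disk that is a finding under the check's two conditions, and emits the remediation commands quoted in the Fix text for each non-compliant disk. The column layout (Disk / Mode / Data Key ID), the key-ID format, and the sample rows are constructed for the example and should be confirmed against output from a real cluster before relying on the parser.

```python
"""Offline evaluator for the NAOT-SC-000005 check.

Parses the tabular output of ONTAP's "storage encryption disk show"
(format assumed; see lead-in) and flags disks whose protection mode is
not "full" or whose Data Key ID is missing, the two conditions the
check defines as a finding.
"""

import re

# Constructed sample output, not captured from a real system. The key
# ID is a made-up 64-hex-character value; "-" stands for "no key set".
SAMPLE_OUTPUT = """\
cluster1::> storage encryption disk show
Disk    Mode Data Key ID
-----   ---- ----------------------------------------------------------------
1.0.0   full F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
1.0.1   full F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
1.0.2   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
1.0.3   open -
1.0.4   part F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
5 entries were displayed.
"""

# Assumed: a data key ID is a hex string; anything else ("-", blank) is "missing".
KEY_ID_RE = re.compile(r"^[0-9A-Fa-f]{16,}$")


def parse_disk_show(text):
    """Return a list of {"disk", "mode", "key_id"} dicts from the table body."""
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):      # dashed rule marks start of the table body
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if re.match(r"^\d+ entr", line):  # "N entries were displayed." trailer
            break
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line; ignore rather than guess
        disk, mode = fields[0], fields[1].lower()
        key_id = fields[2] if len(fields) > 2 else ""
        if not KEY_ID_RE.match(key_id):
            key_id = ""                   # "-" or garbage counts as no key assigned
        rows.append({"disk": disk, "mode": mode, "key_id": key_id})
    return rows


def findings(rows):
    """List (disk, reason) for every disk that fails the check."""
    out = []
    for r in rows:
        reasons = []
        if r["mode"] != "full":
            reasons.append(f"mode is '{r['mode']}', expected 'full'")
        if not r["key_id"]:
            reasons.append("Data Key ID missing")
        if reasons:
            out.append((r["disk"], "; ".join(reasons)))
    return out


def is_compliant(rows):
    """True only if no disk is a finding (an empty table is not compliant)."""
    return bool(rows) and not findings(rows)


def remediation_commands(rows, key_id):
    """Commands from the STIG Fix text, one per defect, for non-compliant disks."""
    cmds = []
    for r in rows:
        if not r["key_id"]:
            cmds.append(f"storage encryption disk modify -disk {r['disk']} -data-key-id {key_id}")
        if r["mode"] != "full":
            cmds.append(f"disk modify -disk {r['disk']} -protection-mode full")
    return cmds


if __name__ == "__main__":
    disks = parse_disk_show(SAMPLE_OUTPUT)
    for disk, reason in findings(disks):
        print(f"FINDING {disk}: {reason}")
    print("compliant:", is_compliant(disks))
    for cmd in remediation_commands(disks, "<key_ID>"):
        print("fix:", cmd)
```

Run it against a file saved from the cluster shell instead of SAMPLE_OUTPUT to get a finding list; note that "data" and "part" are treated as findings even though a key is present, matching the check's requirement that the mode be "full" rather than merely that a key exist.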