Privilege level for NetApp Ontap

What authentication record do I use for NetApp Ontap targets?

You must create a Unix authentication record and choose Target Type as NetApp Ontap (Policy Compliance) on the Login Credentials tab.

Selecting the target type as Netapp ontap.

What privileges are needed for compliance scans of NetApp Ontap?

The scan user account you provide for authentication must have the admin role for a complete compliance scan. This role permits access to all of the commands required for scanning.

Commands required for scanning

Here's a list of commands required for scanning:

cmd: "security login role config show -fields username-minlength"
cmd: "security login role config show -fields username-alphanum"
cmd: "security login role config show -fields passwd-minlength"
cmd: "security login role config show -fields passwd-alphanum"
cmd: "security login role config show -fields passwd-min-special-chars"
cmd: "security login role config show -fields passwd-expiry-time"
cmd: "security login role config show -fields require-initial-passwd-update"
cmd: "security login role config show -fields max-failed-login-attempts"
cmd: "security login role config show -fields lockout-duration"
cmd: "security login role config show -fields disallowed-reuse"
cmd: "security login role config show -fields change-delay"
cmd: "security login role config show -fields delay-after-failed-login"
cmd: "security login role config show -fields passwd-min-lowercase-chars"
cmd: "security login role config show -fields passwd-min-uppercase-chars"
cmd: "security login role config show -fields passwd-expiry-warn-time"
cmd: "security login role config show -fields account-inactive-limit"
cmd: "system timeout show"
cmd: "cluster log-forwarding show"
cmd: "event notification show"
cmd: "security ssh show -fields max-authentication-retry-count"
cmd: "timezone"
cmd: "vserver services dns show -fields vserver,domains,name-servers"
cmd: "vserver services nis-domain show -fields vserver,domain,nis-servers"
cmd: "vserver services ldap client show"
cmd: "vserver iscsi status -fields vserver,status-admin"
cmd: "vserver fcp show -fields vserver,target-name,status-admin"
cmd: "security login role config show -fields passwd-min-digits"
cmd: "security login role config show -fields account-expiry-time"
cmd: "vserver nfs show"

How to create a scan user account on the system to scan

You must create a scan user account (e.g. qualys_scan) and assign the admin role. Then, provide this user account in your authentication record.

Using Web UI

1) Log in to the Netapp system. Go to the Management/Users page and add a new user.

2) Provide a username and password for the new user account. Then make sure the following settings are selected in the User Login Methods section:

Application: ssh
Authentication: password
Role: admin

Using CLI

1) Log in to the Netapp system via SSH using an admin account.

2) Use the following command:

security login create -user <username> -application ssh -authentication-method password -role admin

3) When prompted, enter the password.

Note:

NetApp Data Ontap 9.x is supported only for share access-related controls(CID 4528, 7196, 7197, 7198).It is required to perform a full scan instead of a policy-specific scan that includes only the supported controls.
Unix and Windows authentication records are required for the scanner to support NetApp Ontap share related controls.