How to remediate a NetApp SAN to comply with PCI level security

Problem:

How to remediate a NetApp SAN to comply with PCI level security

Solution:

To remediate insecure TLS versions, open the NetApp CLI and enable FIPS mode on the SSL interface:

set -privilege advanced

security config modify -interface SSL -is-fips-enabled true


Connect to NetApp OnCommand Manager

Check cluster status

Fail over to the secondary node (monitor iSCSI connections while doing so)

Reboot primary node

Wait for primary node to return

Fail back


To remediate the insecure 3DES SSH cipher (3des-cbc):

security ssh remove -vserver <Enter vserver name> -ciphers 3des-cbc


To remediate an SSH host key that is too small, generate a 4096-bit RSA host key on every node:

cluster2::*> systemshell -node * -command "sudo ssh-keygen -b 4096 -t rsa -f /var/etc/ssh_host_rsa_key"
  (system node systemshell)
Node: cluster2-01
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/etc/ssh_host_rsa_key.
Your public key has been saved in /var/etc/ssh_host_rsa_key.pub.


Then disable the DSA host key by renaming its key files:

::*>systemshell -node * -command "sudo mv /var/etc/ssh/ssh_host_dsa_key /var/etc/ssh/ssh_host_dsa_key.old"
::*>systemshell -node * -command "sudo mv /var/etc/ssh/ssh_host_dsa_key.pub /var/etc/ssh/ssh_host_dsa_key_pub.old"
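The script below is an added example, not code from the original post or from NetApp. It runs the checks behind the three remediations above (FIPS mode and legacy TLS on the SSL interface, CBC SSH ciphers, and host key type and size) offline against text captured from the ONTAP CLI, so the same functions can be pointed at the real output of security config show, security ssh show and ssh-keygen -l before and after the change. The sample outputs, the vserver name svm_pci, the column layouts and the fingerprint values are constructed assumptions; the 4096-bit threshold is the key size the post generates.

```shell
#!/bin/sh
# Added example, not code from the original post or from NetApp.
# Offline PCI remediation checks run over text captured from the ONTAP CLI:
# capture the real output of "security config show", "security ssh show"
# and "ssh-keygen -l -f <host key>.pub" into variables and feed them to the
# same functions.  The sample outputs below are constructed and only
# approximate the real column layouts (an assumption, not verified output).

# Succeed only when the SSL interface row reports FIPS mode "true".
# Assumes the row is one line whose first field is "SSL" and second field
# is the FIPS flag, as in the constructed sample.
ssl_fips_enabled() {
    flag=$(printf '%s\n' "$1" | awk '$1 == "SSL" { print $2; exit }')
    [ "$flag" = "true" ]
}

# Print each legacy protocol (TLSv1, TLSv1.1) still offered on the SSL
# interface, one per line; succeed when at least one is found, i.e. when the
# interface is still non-compliant.  Tokenising on commas and spaces keeps
# "TLSv1.2" from matching as a prefix of "TLSv1".
legacy_tls_protocols() {
    printf '%s\n' "$1" | awk '$1 == "SSL"' | tr ', ' '\n\n' | grep -Ex 'TLSv1(\.1)?'
}

# Print every CBC-mode cipher (3des-cbc, aes128-cbc, ...) in the captured
# "security ssh show" text; succeed when at least one is present.
weak_ssh_ciphers() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -Ex '[[:alnum:]]+(-[[:alnum:]]+)*-cbc'
}

# Evaluate one line of "ssh-keygen -l" output ("<bits> <fingerprint> <comment> (<TYPE>)").
# Succeed only for an RSA key of at least $2 bits; a DSA key always fails,
# which is why the post retires the DSA host key files.
host_key_ok() {
    bits=$(printf '%s\n' "$1" | awk '{ print $1 }')
    keytype=$(printf '%s\n' "$1" | sed -n 's/.*(\([A-Za-z0-9]*\))$/\1/p')
    [ "$keytype" = "RSA" ] && [ "$bits" -ge "$2" ]
}

# Run all checks, print one PASS/FAIL line per finding and return the number
# of failures (0 means every check passed).
report() {
    config=$1 sshcfg=$2 keyline=$3 min_bits=$4 failures=0
    if ssl_fips_enabled "$config"; then
        echo "PASS FIPS enabled on SSL interface"
    else
        echo "FAIL FIPS disabled on SSL interface"; failures=$((failures + 1))
    fi
    if legacy=$(legacy_tls_protocols "$config"); then
        echo "FAIL legacy TLS still offered: $(printf '%s' "$legacy" | tr '\n' ' ')"
        failures=$((failures + 1))
    else
        echo "PASS no TLSv1/TLSv1.1 on SSL interface"
    fi
    if weak=$(weak_ssh_ciphers "$sshcfg"); then
        echo "FAIL CBC SSH ciphers enabled: $(printf '%s' "$weak" | tr '\n' ' ')"
        failures=$((failures + 1))
    else
        echo "PASS no CBC SSH ciphers"
    fi
    if host_key_ok "$keyline" "$min_bits"; then
        echo "PASS RSA host key of at least $min_bits bits"
    else
        echo "FAIL host key is not RSA or is smaller than $min_bits bits: $keyline"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed samples (not real cluster output): state before and after the
# remediation steps in the post.  Vserver name and fingerprints are made up.
CONFIG_BEFORE='Interface FIPS Mode  Supported Protocols     Supported Ciphers  Cluster Security Config Ready
--------- ---------- ----------------------- ------------------ -----------------------------
SSL       false      TLSv1.2, TLSv1.1, TLSv1 ALL:!LOW:!aNULL    yes'
CONFIG_AFTER='Interface FIPS Mode  Supported Protocols     Supported Ciphers  Cluster Security Config Ready
--------- ---------- ----------------------- ------------------ -----------------------------
SSL       true       TLSv1.2                 ALL:!LOW:!aNULL    yes'
SSH_BEFORE='Vserver: svm_pci
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
Key Exchange Algorithms: diffie-hellman-group-exchange-sha256
MAC Algorithms: hmac-sha2-256'
SSH_AFTER='Vserver: svm_pci
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr
Key Exchange Algorithms: diffie-hellman-group-exchange-sha256
MAC Algorithms: hmac-sha2-256'
KEY_BEFORE='1024 SHA256:0000000000000000000000000000000000000000000 root@cluster2-01 (RSA)'
KEY_DSA='1024 SHA256:0000000000000000000000000000000000000000000 root@cluster2-01 (DSA)'
KEY_AFTER='4096 SHA256:0000000000000000000000000000000000000000000 root@cluster2-01 (RSA)'

echo "== before remediation =="
report "$CONFIG_BEFORE" "$SSH_BEFORE" "$KEY_BEFORE" 4096 || echo "$? finding(s)"
echo "== after remediation =="
if report "$CONFIG_AFTER" "$SSH_AFTER" "$KEY_AFTER" 4096; then echo "compliant"; fi
```

To use it against a real cluster, replace the constructed variables with the captured output of the three commands (run security ssh show against the vserver you cleaned up, and ssh-keygen -l against the public key in the directory sshd actually reads) and re-run the report after the reboot/failback sequence, since the FIPS change only shows as applied once the nodes have come back.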
