-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecure_template.ini
257 lines (212 loc) · 6.03 KB
/
secure_template.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
[SECURITY]
;
; Number of concurrent console sessions
; - Required
;
concurrent_sessions = 1
; Number of minutes before session timeout due to inactivity
; - Required
;
session_timeout = 10
; Number of maximum login attempts before lockout
; - Required
;
max_login_attempts = 3
; Banner - displayed BEFORE login prompt (opening screen for System Manager and ssh)
; - Optional
; - Example: banner = You are accessing a U.S. Government (USG) Information System (IS) ......
;
banner =
; Message of the Day - displayed AFTER successful login (ssh)
; - Optional
; - Example: motd = Your user ID is \N. Your last successful login was \L.
;
motd =
; Time Zone
; - Optional
; - If BLANK, will be set to Etc/UTC as a default
; - Valid Time Zones are restricted to [ Etc/UTC | UTC | GMT | GMT+0 | GMT-0 | GMT0 | Greenwich ]
; - Example: set_timezone = GMT
;
set_timezone =
; Enable or Disable FIPS 140-2 Compliance
; - Required
; - enable | disable
fips = enable
; Apply restrictive service policy settings (allowed IP addresses) to all LIFs
; - Required
; - filter | unfilter
; - filter : will apply a rule based on the IP address and netmask of the associated LIFs
; - unfilter : will apply a rule of 0.0.0.0/0 (default/unsecure) to all in-use service policies
;
service_policies = filter
[NTP]
;
; Server list and Key list align (ntp_servers[1] = ntp_keys[1])
; - Optional
; - Comma-separated lists
; - If ntp_keys list is BLANK, then not used (server is added without key)
; - ntp_servers and ntp_keys align (ntp_servers[0] matches with ntp_keys[0])
;
ntp_servers =
ntp_keys =
[SNMP]
;
; Enable and configure SNMP v1
; - If FIPS 140-2 is ENABLED then only SNMP v3 is supported
; - To configure SNMP, snmp_enable and traps_enable must both be true
; - trap_host is required if SNMPv1/v2
; - community defaults to {cluster_name} if BLANK
;
; true | false
snmp_enable = true
; true | false
traps_enable = true
; FQDN or IP address of Trap Host
; - Required if using SNMP v1
; - Leave BLANK if SNMP v3
;
trap_host =
; Community Name for Traps
; - Required if using SNMP v1
; - If BLANK, will be set to the cluster name as a default
community =
[SNMPV3]
;
; Configure SNMPv3
; - If FIPS 140-2 is ENABLED then only SNMPv3 is supported
; - Scope will be 'cluster' and use the cluster management LIF/network to reach SNMP v3 host
; - Authentication protocol set to 'sha2_256'
; - Privacy protocol set to 'aes128'
; FQDN or IP address to SNMPv3 host
; - Required for SNMP v3
;
snmpv3_host =
; USM Account Name
; - Required for SNMP v3
;
usm_user_name =
; Min of 8 characters
; - Required for SNMP v3
;
usm_auth_password =
; Min of 8 characters
; - Required for SNMP v3
;
usm_privacy_password =
; If both SNMP and SNMP v3 settings are provided, SNMP v3 will be configured
; If FIPS 140-2 is Enabled, SNMP v1 is not supported and SNMP v3 is required
[PASSWORDCOMPLEXITY]
;
; Minimum REQUIRED # characters allowed in password
minlength = 15
; Minimum REQUIRED # of uppercase characters in password
minuppercase = 1
; Minimum REQUIRED # of lowercase characters in password
minlowercase = 1
; Minimum REQUIRED # of special characters in password
minspecial = 1
; Require an alphanumeric character
;
; enabled | disabled
alphanum = enabled
[LOCALADMIN]
;
; Create a Local administrator account
; - Optional
;
account =
; Local administrator account password
; - Required if account is set above
password =
; Lock the Default/built-in administrator account (admin)
; - Optional
; - ONTAP requires at least one local admin account and will not lock account if only one available
;
; true | false
lock_default_admin = false
[DOMAINAUTH]
;
; Create CIFS SVM for Domain Tunnel Use (REQUIRES ALL SETTINGS)
; - Optional
; - To configure, ALL settings are REQUIRED
; - Recommendation is to use a separate SVM specifically for domain tunnel / domain authentication
;
; Domain tunnel SVM name
svm_name =
; Active Directory domain
ad_name =
; Active Directory domain controller
ad_fqdn =
; Domain account with JOIN permissions for CIFS server
ad_join_account =
; Domain account password with JOIN permissions
ad_join_password =
; SVM management LIF name
lif_name =
; SMV management LIF network settings
lif_ip =
lif_netmask =
lif_gateway =
lif_ipspace =
lif_broadcastdomain =
lif_homenode =
; Comma-separated list of search domains
dns_domains =
; Comma-separated list of DNS servers (Active Directory domain controllers)
dns_servers =
[DOMAINACCOUNTS]
;
; List of domain accounts (user or group) - comma-separated (domain\user-or-group format)
; - Optional
; - Accounts will get applications http,ontapi,ssh with domain authentication and 'admin' role
; - Requires a domain tunnel to exist
; - Example: accounts = domain.com\administrators,domain.com\storageadmins, domain.com\bobsmith
;
accounts =
[AUDIT]
; Enable auditing for specific ONTAP interfaces
;
; true | false
cli = false
http = false
ontapi = false
[AUDITSVM]
;
; Configure auditing for NAS SVMs
; - Optional
; - All settings are required or auditing will not be configured on CIFS & NFS SVMs
; - An 'auditlogs' export policy will be created with a RO Rule (sys)
; - {svm name} will be prepended to volume name (i.e. svmcifs1_audit_logs)
;
; Audit log volume
volume_name =
; Audit log Volume Size in GB
volume_sizeGB = 10
; Audit log Volume Path
path = /audit_log
; Size limit for audit log file in MB
rotate_sizeMB = 200
; # of audit logs to retain
rotate_limit = 5
; Audit Log file format
; - evtx | xml
;
log_format = evtx
[LOGGING]
;
; Configure cluster logging
; - ALL Settings are REQUIRED to configure
; - ipaddress : Destination syslog|splunk host
; - facility : kern | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7
; - ipspace : name
; - dest_port : Destination port for unencrypted default port is 514, encrypted port is 6514
; - protocol : udp_unencrypted | tcp_unencrypted | tcp_encrypted
; - verify : true | false Enforce certification validation of remote server
;
ipaddress =
facility =
ipspace =
dest_port = 514
protocol =
verify = false