Default administrative accounts
-
PDF of this doc site
- Cluster administration
-
Volume administration
- Logical storage management with the CLI
-
NAS storage management
- Configure NFS with the CLI
- Manage NFS with the CLI
-
Manage SMB with the CLI
- Manage file access using SMB
- Security and data encryption
- Data protection and disaster recovery
Collection of separate PDF docs
Creating your file...
The admin account should be restricted because the role of administrator is allowed access using all applications. The diag account allows access to the system shell and should be reserved only for technical support to perform troubleshooting tasks.
There are two default administrative accounts: admin
and diag
.
Orphaned accounts are a major security vector that often leads to vulnerabilities, including the escalation of privileges. These are unnecessary and unused accounts that remain in the user account repository. They are primarily default accounts that were never used or for which passwords were never updated or changed. To address this issue, ONTAP supports the removal and renaming of accounts.
ONTAP cannot remove or rename built-in accounts. However, NetApp recommends locking any unneeded built-in accounts with the lock command. |
Although orphaned accounts are a significant security issue, NetApp strongly recommends testing the effect of removing accounts from the local account repository.
List local accounts
To list the local accounts, run the security login show
command.
cluster1::*> security login show -vserver cluster1 Vserver: cluster1 Authentication Acct Is-Nsswitch User/Group Name Application Method Role Name Locked Group ---------------- ----------- --------- ---------------- ------ ----------- admin console password admin no no admin http password admin no no admin ontapi password admin no no admin service-processor password admin no no admin ssh password admin no no autosupport console password autosupport no no 6 entries were displayed.
Remove the default admin account
The admin
account has the role of administrator and is allowed access using all applications.
-
Create another admin-level account.
To completely remove the default
admin
account, you must first create another admin-level account that uses theconsole
login application.Making these changes might cause some undesired effects. Always test new settings that might affect the security status of the solution on a nonproduction cluster first. Example:
cluster1::*> security login create -user-or-group-name NewAdmin -application console -authentication-method password -vserver cluster1
cluster1::*> security login show -vserver cluster1 Vserver: cluster1 Authentication Acct Is-Nsswitch User/Group Name Application Method Role Name Locked Group ---------------- ----------- --------- ---------------- ------ ----------- NewAdmin console password admin no no admin console password admin no no admin http password admin no no admin ontapi password admin no no admin service-processor password admin no no admin ssh password admin no no autosupport console password autosupport no no 7 entries were displayed.
-
After you create the new admin account, test access to that account with the
NewAdmin
account login. With theNewAdmin
login, configure the account to have to same login applications as the default or previous admin account (for example,http
,ontapi
,service-processor
, orssh
). This step makes sure that access control is maintained.Example:
cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application ssh -authentication-method password cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application http -authentication-method password cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application ontapi -authentication-method password cluster1::*> security login create -vserver cluster1 -user-or-group-name NewAdmin -application service-processor -authentication-method password
-
After all functions have been tested, you can disable the admin account for all applications before removing it from ONTAP. This step serves as a final test to confirm that there are no lingering functions that rely on the previous admin account.
cluster1::*> security login lock -vserver cluster1 -user-or-group-name admin -application *
-
To remove the default admin account and all entries for it, run the following command:
cluster1::*> security login delete -vserver cluster1 -user-or-group-name admin -application * cluster1::*> security login show -vserver cluster1 Vserver: cluster1 Authentication Acct Is-Nsswitch User/Group Name Application Method Role Name Locked Group ---------------- ----------- --------- ---------------- ------ ----------- NewAdmin console password admin no no NewAdmin http password admin no no NewAdmin ontapi password admin no no NewAdmin service-processor password admin no no NewAdmin ssh password admin no no autosupport console password autosupport no no 7 entries were displayed.
Set the diagnostic (diag) account password
A diagnostic account named diag
is provided with your storage system. You can use the diag
account to perform troubleshooting tasks in the systemshell
. The diag
account is the only account that can be used to access the systemshell through the diag
privileged command systemshell
.
The systemshell and the associated diag account are intended for low-level diagnostic purposes. Their access requires the diagnostic privilege level and is reserved only to be used with guidance from technical support to perform troubleshooting tasks. Neither the diag account nor the systemshell is intended for general administrative purposes.
|
Before accessing the systemshell
, you must set the diag
account password by using the security login password
command. You should use strong password principles and change the diag
password at regular intervals.
-
Set the
diag
account user password:cluster1::> set -privilege diag Warning: These diagnostic commands are for use by NetApp personnel only. Do you want to continue? \{y|n}: y cluster1::*> systemshell -node node-01 (system node systemshell) diag@node-01's password: Warning: The system shell provides access to low-level diagnostic tools that can cause irreparable damage to the system if not used properly. Use this environment only when directed to do so by support personnel. node-01%