12 - AutoSupport - Remove Private Data

Information

The AutoSupport feature of ONTAP allows you to proactively monitor the health of your system and automatically send messages and details to NetApp technical support, your organization's internal support team, or a support partner. By default, AutoSupport messages to NetApp technical support are enabled when the storage system is configured for the first time. In addition, AutoSupport begins sending messages to NetApp technical support 24 hours after it is enabled. This 24-hour period is configurable. To leverage the communication to an organization's internal support team, the mail host configuration must be completed.

Only the cluster administrator can perform AutoSupport management (configuration). The SVM administrator has no access to AutoSupport. The AutoSupport feature can be disabled. However, NetApp recommends enabling it because AutoSupport helps speed problem identification and resolution should an issue arise on the storage system. By default, the system collects AutoSupport information and stores it locally even if you disable AutoSupport.

For more details regarding AutoSupport messages, including what is contained in the various messages and where different types of messages are sent, see the NetApp Support portal (https://library.netapp.com/ecmdocs/ECMP1196798/html/GUID-DF931E89-B833-4DED-83B5-A97F7EC97425.html). AutoSupport messages contain sensitive data including, but not limited to, the following items:
- Log files
- Context-sensitive data regarding specific subsystems
- Configuration and status data
- Performance data

AutoSupport supports HTTPS, HTTP, and SMTP for transport protocols. Because of the sensitive nature of AutoSupport messages, NetApp strongly recommends using HTTPS as the default transport protocol for sending AutoSupport messages to NetApp support.

Solution

Use the system node autosupport modify command to specify the targets of AutoSupport data (for example, NetApp technical support, an organization's internal operations, or partners). This command also lets you specify which AutoSupport details to send (for example, performance data, log files, and so on).

ONTAP offers a way to protect the privacy of sensitive information by masking or filtering it with the -remove-private-data parameter of the system node autosupport modify command. When enabled (set to true), this parameter removes, encodes, or masks sensitive data from AutoSupport attachments and headers. Use this parameter to eliminate private data from all AutoSupport messages. Eliminated data includes the following items:

- IP addresses
- MAC addresses
- URIs
- DNS names
- Email addresses
- Port numbers
- Node names
- SVM names
- Cluster names
- Aggregate names
- Volume names
- Junction paths
- Policy names
- User IDs
- Group IDs
- LUNs
- Qtree names

By default, this parameter is disabled (set to false). NetApp highly recommends enabling this parameter (set to true) in any sensitive environments that require the most robust security posture.
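The following added example (not part of the original audit item or NetApp's documentation) checks each node against the two recommendations above, -remove-private-data true and HTTPS transport, and emits the system node autosupport modify command that would correct it. The sample output, its column layout, and the node names are constructed assumptions.

```python
import re

# Constructed sample of the output of
#   system node autosupport show -fields transport,remove-private-data
# The column layout is an assumption; node names are made up.
SAMPLE_OUTPUT = """\
node        transport remove-private-data
----------- --------- -------------------
cluster1-01 https     true
cluster1-02 smtp      false
cluster1-03 https     false
3 entries were displayed.
"""

FOOTER = re.compile(r"\d+ entr(?:y|ies) (?:was|were) displayed\.")

def parse_fields_table(text):
    """Turn a '-fields' table into a list of dicts keyed by column header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The header row is the line directly above the dashed separator.
    sep = next((i for i, ln in enumerate(lines)
                if re.fullmatch(r"-+(?: +-+)*", ln)), None)
    if not sep:  # None (no separator) or 0 (no header above it)
        raise ValueError("no header/separator found in CLI output")
    headers = lines[sep - 1].split()
    rows = []
    for ln in lines[sep + 1:]:
        cells = ln.split()
        if FOOTER.fullmatch(ln) or len(cells) != len(headers):
            continue  # skip the entry-count footer and malformed rows
        rows.append(dict(zip(headers, cells)))
    return rows

def audit(rows):
    """Return (node, remediation command) for every non-compliant node."""
    findings = []
    for row in rows:
        fixes = []
        if row.get("remove-private-data", "").lower() != "true":
            fixes.append("-remove-private-data true")
        if row.get("transport", "").lower() != "https":
            fixes.append("-transport https")
        if fixes:
            findings.append((row["node"],
                "system node autosupport modify -node %s %s"
                % (row["node"], " ".join(fixes))))
    return findings

if __name__ == "__main__":
    for node, command in audit(parse_fields_table(SAMPLE_OUTPUT)):
        print(node, "->", command)
```

A node is reported only when at least one of the two settings deviates, so cluster1-01 in the sample produces no finding.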

See Also

https://www.netapp.com/us/media/tr-4569.pdf

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11a.

Plugin: Netapp_API

Control ID: f1155a50792cb8471c44cbd763c03a8dcf755fb56329a6cf18cd43af36550d7a