PowerScale OneFS 9.5.0.0 Security Configuration Guide
January 2023
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright
© 2016 - 2023 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents
Notes, cautions, and warnings ... 2
Copyright ... 3
Chapter 1: Preface ... 8
  Scope of document ... 8
  Document references ... 8
  Security resources ... 8
  Where to get help ... 9
    Additional options for getting help ... 9
  Reporting vulnerabilities ... 9
  Legal disclaimers ... 9
Chapter 2: Security Quick Reference ... 10
  Security assumptions ... 10
  Deployment models ... 10
  Security profiles ... 11
Chapter 3: Product and Subsystem Security ... 12
  Security controls map ... 12
  Authentication ... 13
    Kerberos authentication ... 13
    Login security settings ... 14
    Authentication types and setup ... 18
    User and credential management ... 20
    Authentication to external systems ... 22
  Authorization ... 22
    General authorization settings ... 22
    RBAC privileges ... 23
    Security privileges ... 23
  Network security ... 23
    Network exposure ... 23
    Disable nonessential HTTP services ... 34
    Communication security settings ... 35
    Firewall default settings ... 35
  Protocols ... 36
    FTP security ... 36
    HDFS security ... 36
    HTTP and HTTPS security ... 36
    Apache server and HTTP default configurations ... 37
    NFS security ... 38
    S3 security ... 38
    SMB security ... 39
    Mixed data-access protocol environments ... 40
  Data security ... 41
    Data access settings ... 41
    Data-at-rest encryption ... 41
    Data sanitization ... 41
    Data recovery ... 41
    Key stores ... 41
  Cryptography ... 43
    Cryptographic options ... 44
    Certificate management ... 47
    Regulatory information ... 47
  Auditing and logging ... 47
    Logs ... 48
    Log management ... 48
    Log protection ... 49
    Logging format ... 49
    Events and alerts ... 49
  Physical security ... 49
    Security of the data center ... 50
    Physical ports on nodes ... 50
    Statement of volatility ... 50
  Serviceability ... 50
    Remote connectivity ... 50
    Security checks and verifications ... 51
    Maintenance Aids ... 53
    Dell Technologies Technical Advisories, Security Advisories, and OneFS patches ... 53
  Authenticity and integrity ... 54
    Package authenticity ... 54
    Verifying packages and manifests ... 54
    Using UEFI secure boot ... 55
    Checking MD5 hash files ... 55
  Restricted CLI ... 55
    Session description ... 56
    Limitations ... 57
    Audit logs and message types ... 57
    Enable and disable global restricted shell ... 57
    Assign shell to user profile ... 58
    Emergency exit from a Restricted CLI session ... 58
    View log files ... 58
    isi_log_access ... 60
Chapter 4: United States Federal and DoD Standards and Compliance ... 62
  SRG and STIG Compliance ... 62
  CAT 1 security requirement ... 62
  Onsite customer deployment guidance ... 63
  IPv6 defaults ... 63
  Security hardening module ... 64
    Licensing ... 64
    Hardening concepts ... 64
    Using the STIG profile ... 66
    Run hardening compliance reports ... 69
  Recurring security checks ... 72
Chapter 5: FIPS Standards and Compliance ... 73
  FIPS 140-2 compliance ... 73
  Enable FIPS mode ... 73
  Disable FIPS mode ... 74
  Verify and reset FIPS mode ... 74
  Certified cryptographic modules ... 75
  FIPS and SSO ... 75
Chapter 6: Security Best Practices ... 76
  Overview ... 76
    Persistence of security settings ... 76
  General cluster security best practices ... 78
    Protect /ifs and /ifs/data ... 78
    Set BIOS password for node physical security ... 78
    Set iDRAC user passwords ... 79
    Disable USB ports across the cluster ... 80
    Enable and disable USB ports on individual nodes ... 80
    Create a login message ... 82
    Change password on backend switches ... 82
    UEFI secure boot ... 83
    Verify install package authenticity ... 86
    Set a timeout for idle CLI sessions (CLI) ... 86
    Set a timeout for idle SSH sessions ... 88
    Forward audited events to remote server ... 88
    External to cluster firewall security ... 89
    Disable OneFS services that are not in use ... 89
    Configure WORM directories using SmartLock ... 89
    Back up cluster data ... 90
    Use NTP time ... 90
  Login, authentication, and privileges best practices ... 91
    Restrict root logins to the cluster ... 91
    Use RBAC accounts instead of root ... 91
    Disable the root account for SSH sessions ... 91
    Privilege elevation: Assign select root-level privileges to nonroot users ... 92
    Restrict authentication by external providers ... 94
    Use secure connections to LDAP server ... 95
    Set password policy ... 97
  SNMP security best practices ... 97
    Use SNMPv3 for cluster monitoring ... 97
    Keep SNMP disabled except for SNMP cluster monitoring ... 98
    Change default community string for SNMPv2 ... 98
  SSH security best practices ... 98
    Restrict SSH access to specific users and groups ... 98
    Disable root SSH access to the cluster ... 99
  Data-access protocols best practices ... 99
    Use a trusted network to protect files and authentication credentials that are sent in cleartext ... 99
    Use compensating controls to protect authentication credentials that are sent in cleartext ... 100
    Use compensating controls to protect files that are sent in cleartext ... 100
    Initial Sequence Numbers (ISNs) through TCP connections ... 100
    FTP best practices ... 101
    HDFS best practices ... 101
    HTTP file protocol best practices ... 101
    NFS best practices ... 102
    SMB best practices ... 104
    SMB signing ... 105
    Swift access ... 106
  Web interface security best practices ... 107
    Replace the TLS certificate ... 107
    Remove persistent older versions of TLS ... 107
Chapter 7: Miscellaneous Configuration and Management Elements ... 108
  Preventing malware ... 108
  Specialized security devices ... 108
  Intel microarchitectural mitigations ... 109
Chapter 8: Glossary ... 111
  Terminology ... 111
Appendix A: Links to security standards ... 113
Chapter 1: Preface
This document describes the security features in Dell Technologies PowerScale OneFS. It describes how to modify
configurations to maximize the security posture of OneFS in your environment. It also explains the expectations that Dell
Technologies has of the environment in which you are deploying OneFS. The Dell Technologies capabilities for secure remote
and on-site serviceability are also described.
Topics:
• Scope of document
• Document references
• Security resources
• Where to get help
• Reporting vulnerabilities
• Legal disclaimers
Scope of document
This guide provides an overview of the security configuration controls and settings available in PowerScale OneFS. It is intended to facilitate secure deployment, usage, and maintenance of the software and hardware used in PowerScale clusters.
Document references
The complete documentation set for OneFS is available online here.
Security resources
Resources include Dell Security Advisories (DSAs), Common Vulnerabilities and Exposures (CVEs), and a list of false positives.
Table 1. Security resources from Dell
DSAs and CVEs: Dell Security Advisories (DSAs) notify customers about potential security vulnerabilities and their remedies for Dell Technologies products. The advisories include specific details about an issue and instructions to help prevent or alleviate that security exposure.
  Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. A DSA can address one or more CVEs.
  All PowerScale and OneFS DSAs, together with the CVEs that they address, are listed on the Product Advisories tab on the Dell support site.
False positives: It is possible for a security scan to incorrectly identify a CVE as affecting a Dell Technologies product. CVEs in this category are termed false positives. False positives are listed in Dell Technologies OneFS, SDEdge, DataIQ, and InsightIQ False Positive Security Vulnerabilities.
Register for advisory notifications
On the Product Advisories tab on the Dell support site, you can register to receive email notifications of DSAs.
1. If you are not signed on to the support site, click Sign In on the banner and provide your Dell account information.
2. Click Contact Support on the right.
3. Click Notifications.
4. Click the Dell EMC Security Advisories button.
Where to get help
The Dell Technologies Support site contains important information about products and services including drivers, installation
packages, product documentation, knowledge base articles, and advisories.
A valid support contract and account might be required to access all the available information about a specific Dell Technologies
product or service.
Additional options for getting help
This section contains resources for getting answers to questions about PowerScale products.
Dell Technologies Support: Contact Technical Support
Telephone support:
● United States: 1-800-SVC-4EMC (1-800-782-4362)
● Canada: 1-800-543-4782
● Worldwide: 1-312-725-5401
● Local phone numbers for a specific country or region are available at Contact Technical Support.
PowerScale OneFS Documentation Info Hubs: PowerScale OneFS Info Hubs
Reporting vulnerabilities
Dell Technologies takes reports of potential vulnerabilities in our products seriously. For the latest on how to report a security
issue to Dell Technologies, see the Dell Vulnerability Response Policy on the Dell.com site.
Legal disclaimers
This document might contain language from third-party content that is not under Dell Technologies control and is not consistent
with the current guidelines for Dell Technologies content. When the third-party content changes, this document will be revised.
Chapter 2: Security Quick Reference
Topics:
•      Security assumptions
•      Deployment models
•      Security profiles
Security assumptions
A PowerScale cluster is only one component of a complex installation. The cluster co-exists with the surrounding physical and
electronic environment. Customers must develop and maintain comprehensive security policies for the entire environment.
Physical access and backend network access are equivalent to admin access and should be protected accordingly.
Dell Technologies assumes that you implemented the following security controls before deploying the PowerScale cluster.
Table 2. Assumed security controls
    Security control                               Description
    Physical security of system unit room facilities Physical security uses locks, guards, cameras, and processes to:
                                                     ● Prevent unauthorized direct access to PowerScale equipment.
                                                     ● Monitor for intrusions.
                                                     ● Report violations.
    Comprehensive network security                 Network security uses network software to block unauthorized users, possibly
                                                   detect intrusions, and generate alerts on violations. The customer defines and
                                                   controls detailed implementation requirements.
    Monitoring of computer-related controls        Security administrators must plan and enforce policies that control which
                                                   users have privileges to perform which actions. OneFS provides the software
                                                   that implements those policies. The software enforces policies that define:
                                                   ● Data and program access
                                                   ● A secure organizational structure for managing login and access rights
                                                   ● Change-control policies that prevent unauthorized modifications to
                                                      programs.
    Service continuity                             Service continuity includes plans to ensure that critical services and processes
                                                   remain operational during a disaster or data breach.
                                                   Service continuity for PowerScale clusters should be part of an overall and
                                                   dedicated business continuity and disaster recovery plan that the customer
                                                   defines and controls.
                                                   OneFS offers many ways to support service continuity, including SyncIQ or
                                                   remote backups to a DataDomain/Disk Library appliance.
Deployment models
OneFS is a scale-out file system offering a multiprotocol file server. OneFS supports the following security-related deployment
models:
● General business
● Security hardening
● SmartLock
General business
The default OneFS deployment includes a solid set of security controls. The main purpose of this guide is to describe those
security controls and to identify which of them are configurable.
For additional protection, the following security options are available.
Security hardening
The United States Federal Department of Defense (DoD) publishes Security Requirements Guides (SRGs) and Security
Technical Implementation Guides (STIGs). These guides describe security controls that are required for DoD implementations.
Many of the STIG guidelines are industry-accepted best practices and are incorporated into OneFS as default behavior. A
OneFS cluster benefits from those controls by default.
A subset of STIG guidelines is not implemented by default. For deployments that require full STIG compliance, the Security
Hardening module is available. For information about STIG compliance and the OneFS Security Hardening module, see United
States Federal and DoD Standards and Compliance.
The Security Hardening module also supports Federal Information Processing Standard (FIPS) 140-2 compliance. For information
about FIPS cryptography and FIPS compliance, see FIPS Standards and Compliance.
SmartLock
The SmartLock software module protects files on a PowerScale cluster from being modified, overwritten, or deleted. To protect
files in this manner, you must activate a SmartLock license.
SmartLock is deployed in one of these modes:
● Compliance mode—SmartLock compliance mode lets you protect data in compliance with U.S. Securities and Exchange
  Commission (SEC) rule 17a-4.
● Enterprise mode—SmartLock enterprise mode does not conform to SEC regulations. However, it lets you create SmartLock
  directories and apply SmartLock controls to protect files so that they cannot be rewritten or erased.
With SmartLock, you can identify a directory in OneFS as a write-once, read-many (WORM) domain. Files in a WORM domain
may be modified as needed until they are committed to a WORM state. After a file is committed, it is nonerasable and
nonmodifiable until a user-configurable retention period expires. When the retention period expires, the file is erasable but not
modifiable.
In SmartLock Enterprise mode, a privileged delete feature exists that allows an administrator to delete, but not modify, a file
before its specified retention expiration date. SmartLock Compliance domains do not allow for privileged delete.
For information about SmartLock, see the "File retention with SmartLock" chapter in the PowerScale OneFS 9.5.0.0 Web
Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Security profiles
Security profiles are representations of the product security posture through specific configuration setting combinations.
OneFS has a default security profile and several additional STIG hardening profiles.
● Default profile—This profile is used with the general business and SmartLock deployment models. Dell Technologies
   considers STIG recommendations during all security development life cycles. Many STIG recommendations make sense for
   any robust enterprise system and are implemented as default settings in the general product.
● Hardening profile—The STIG hardening profile changes the cluster configuration so that it is compliant with United
   States federal government Approved Product List (APL) requirements. See United States Federal and DoD Standards and
   Compliance for more information.
Chapter 3: Product and Subsystem Security
Topics:
•    Security controls map
•    Authentication
•    Authorization
•    Network security
•    Protocols
•    Data security
•    Cryptography
•    Auditing and logging
•    Physical security
•    Serviceability
•    Authenticity and integrity
•    Restricted CLI
Security controls map
The following diagram provides an overview of the various security controls that are available on PowerScale clusters.
Figure 1. Security controls map
Authentication
For general information about authentication not covered in this guide, see the "Authentication" chapter in the PowerScale
OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Kerberos authentication
Kerberos is a network authentication provider that negotiates encryption tickets for securing a connection. OneFS supports
Microsoft Kerberos and MIT Kerberos authentication providers on a cluster. If you configure an Active Directory provider,
support for Microsoft Kerberos authentication is provided automatically. MIT Kerberos works independently of Active Directory.
For MIT Kerberos authentication, you define an administrative domain, also called a realm. Within this realm, an authentication
server has the authority to authenticate a user, host, or service; the server can resolve to either IPv4 or IPv6 addresses. You
can optionally define a Kerberos domain to allow additional domain extensions to be associated with a realm.
The authentication server in a Kerberos environment is called the Key Distribution Center (KDC) and distributes encrypted
tickets. When a user authenticates with an MIT Kerberos provider within a realm, a cryptographic ticket-granting ticket (TGT) is
created. The TGT enables user access to a service principal name (SPN).
Each MIT Kerberos provider is associated with a groupnet. The groupnet is a top-level networking container that manages
hostname resolution against DNS nameservers. It contains subnets and IP address pools. The groupnet specifies which
networking properties the Kerberos provider uses when it communicates with external servers. The groupnet associated with
the Kerberos provider cannot be changed. Instead, delete the Kerberos provider and create it again with the new groupnet
association.
You can add an MIT Kerberos provider to an access zone as an authentication method for clients connecting through the
access zone. An access zone may include at most one MIT Kerberos provider. The access zone and the Kerberos provider must
reference the same groupnet. You can discontinue authentication through an MIT Kerberos provider by removing the provider
from associated access zones.
    NOTE: Do not use the NULL account with Kerberos authentication. Using the NULL account for Kerberos authentication
    can cause issues.
Session ticket lifetimes
The duration of connections that are authenticated using Kerberos is based on the Kerberos ticket lifetime settings. These
settings are controlled on the Kerberos Distribution Center (KDC). For information about configuring maximum lifetimes, see the
appropriate provider documentation as shown in the following table.
SMB only checks ticket validity during initial authentication. As a result, SMB connections may remain valid and in use after
Kerberos tickets expire. For information about immediately closing active SMB sessions, contact Dell Technologies Support.
Provider type                           Documentation for configuring maximum lifetimes
Microsoft Kerberos with Active          See the following Microsoft documentation:
Directory Domain Services               ● Maximum lifetime for service ticket
                                        ● Maximum lifetime for user ticket
MIT Kerberos                            See the MIT Kerberos documentation for configuring the kdc.conf file. The
                                        max_life setting in kdc.conf controls the lifetime duration.
Login security settings
Login security includes login banners (usually presenting legal disclaimers and other usage and privacy policies), failed login
behavior, and account lockout options.
Login banner configuration
Login banners can display critical system information and proper usage, and they can list restrictions and privacy policies. If legal
information is relevant, such as enforcement and discipline upon failure, you can display those notices here also.
The banner contents are displayed before a user logs in.
The hardening process creates a banner file. For nonhardened systems, cluster administrators can create a root-owned banner
file.
Table 3. Login banner creation
Choices                     Procedure
To create a login           1. On the OneFS web administration interface, click Cluster Management > General Settings >
banner in the web              Cluster Identity.
administration interface:   2. In the Login Message area, type a title in the Message Title field and a message in the
                               Cluster Description field.
                            3. Click Save Changes.
To create a login banner    1. Use the following command:
on the command line:
                                 isi cluster identity modify --motd "This is an example of
                                 configuring a MOTD.
                                 Add literal newlines to get new lines
                                 "
                            2. To view the current MOTD:
                                 isi cluster identity view
Failed login behavior
The following table describes the behavior of OneFS when authentication is unsuccessful.
Table 4. Failed login behavior
Failed login scenario           Expected behavior
Behavior when the number        Prevents local provider logins until a given duration is exceeded.
of failed login attempts
exceeds the threshold
Number of failed login       Configurable in the local provider using the following command:
attempts that are allowed
before triggering the exceed  isi auth local modify --lockout-threshold=<count> <provider>
behavior
Delay between login             Configurable globally using the following command:
attempts
                                  isi auth settings global modify --failed-login-delay-time <duration>
                                Where <duration> is the amount of time that a user must wait before attempting to sign in
                                after a failed attempt.
                                For example, if <duration> is 10s, a root user logging into an SSH session who receives a
                                failed password error must wait 10 seconds to try again.
Account lockout duration       Configurable in the local provider using the following command:
                                  isi auth local modify --lockout-duration=<duration> <provider>
                               Where <duration> is:
                               ● An integer without any modifier is interpreted as seconds and is limited to 69.4 days.
                               ● An integer followed by one of [ s | m | H | D | W | M ] to indicate the unit of
                                 time. For example: 8H. The maximum duration time is 1M or its equivalent.
Privileges required to         An administrator requires read/write ISI_PRIV_AUTH privileges to configure the lockout
resolve account lockout        behavior of the local provider.
                                  NOTE: This feature only affects the local provider. Other authentication providers do not
                                  have this feature.
Event logging                  Failed login attempts are logged to /var/log/messages.
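As an added example (not from this guide or from OneFS itself), the following Python checks a <duration> value against the syntax documented in Table 4 before it is passed to --lockout-duration or --failed-login-delay-time, and assembles the corresponding commands without running them. Assumptions not stated in the guide: the 69.4-day limit for bare integers is applied as 69.4 * 86400 seconds, the M (month) unit is taken as 30 days, and the provider name is a constructed placeholder.

```python
import re

# Seconds per unit suffix listed in Table 4: [ s | m | H | D | W | M ].
# Assumption (not stated in the guide): one month (M) is 30 days.
SECONDS_PER_UNIT = {
    "s": 1,
    "m": 60,
    "H": 60 * 60,
    "D": 24 * 60 * 60,
    "W": 7 * 24 * 60 * 60,
    "M": 30 * 24 * 60 * 60,
}

# A bare integer is seconds and is "limited to 69.4 days" (taken literally here).
BARE_SECONDS_CAP = round(69.4 * 24 * 60 * 60)
# With a unit suffix, "the maximum duration time is 1M or its equivalent".
MAX_UNIT_DURATION = SECONDS_PER_UNIT["M"]

# <integer> optionally followed by exactly one unit letter; letters are case-sensitive
# because 'm' means minutes and 'M' means months.
_DURATION_RE = re.compile(r"^(\d+)([smHDWM])?$")


def parse_duration(text: str) -> int:
    """Return the number of seconds a OneFS <duration> string denotes, or raise ValueError."""
    match = _DURATION_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed duration {text!r}: expected <integer>[s|m|H|D|W|M]")
    value, unit = int(match.group(1)), match.group(2)
    if unit is None:
        if value > BARE_SECONDS_CAP:
            raise ValueError(f"{text!r} exceeds the 69.4-day limit for bare integers")
        return value
    seconds = value * SECONDS_PER_UNIT[unit]
    if seconds > MAX_UNIT_DURATION:
        raise ValueError(f"{text!r} exceeds the documented maximum of 1M")
    return seconds


def failed_login_commands(provider: str, threshold: int, lockout: str, delay: str) -> list:
    """Build the Table 4 commands for a local provider after validating every value.

    Only the command strings are returned; nothing is executed.
    """
    if threshold < 1:
        raise ValueError("lockout threshold must be a positive count of failed attempts")
    parse_duration(lockout)  # raises on bad syntax or an over-limit value
    parse_duration(delay)
    return [
        f"isi auth local modify --lockout-threshold={threshold} {provider}",
        f"isi auth local modify --lockout-duration={lockout} {provider}",
        f"isi auth settings global modify --failed-login-delay-time {delay}",
    ]


if __name__ == "__main__":
    # "local-provider-name" is a constructed placeholder for a real local provider.
    for cmd in failed_login_commands("local-provider-name", 5, "8H", "10s"):
        print(cmd)
```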
Emergency user lockout
Administrators can block access to the system using the following features.
The best practice for locking out users is to disable authentication, which prevents new logins.
For methods to terminate active user sessions, see "Terminate active user sessions" below.
Lockout scenario                              Details
User or role that can generate an             You can disable a user or remove a privilege. This action does not log out a user
emergency user lockout event                  who is logged in.
                                              For this action, the admin would need read/write ISI_PRIV_AUTH privileges to
                                              disable the user or remove a privilege from the user.
User or role that can undo an emergency       The action is similar to above. An admin with read/write ISI_PRIV_AUTH can
user lockout event                            enable a user.
Description of emergency user lockout         Prevents new logins. For methods to terminate active user sessions, see
behavior                                      "Terminate active user sessions" below.
How to lock out a specific user
                                               isi auth users modify --enabled=false <user>
How to lock out all users                     Disabling authentication for a provider prevents new logins from that provider.
                                              You can also disable login privileges by role.
                                              To disable logins by provider, use the following commands. All providers in the
                                              authentication zone must be set individually.
                                               isi auth local modify --authentication=false <provider>
                                               isi auth file modify --authentication=false <provider>
                                               isi auth ads modify --authentication=false <provider>
                                               isi auth ldap modify --authentication=false <provider>
                                               isi auth nis modify --authentication=false <provider>
                                              To disable logins by role, you remove a privilege from a role. For example, the
                                              following command prevents users holding a specific role from logging in using
                                              SSH.
                                               isi auth roles modify <role> --remove-priv \
                                               ISI_PRIV_LOGIN_SSH
How to reenable access for a specific user     Reenable a specific user:
or all users to the system
                                                isi auth users modify --enabled=true <user>
                                               Reenable all users by provider (the opposite of the lock out all users):
                                                isi auth local modify --authentication=true <provider>
                                                isi auth file modify --authentication=true <provider>
                                                isi auth ads modify --authentication=true <provider>
                                                isi auth ldap modify --authentication=true <provider>
                                                isi auth nis modify --authentication=true <provider>
Terminate active user sessions
Several protocols in OneFS use the concept of a session. These instructions describe how an administrator can immediately
terminate an in-use session.
     NOTE: Terminating a session that is transmitting or accessing data has potential risks for data loss or corruption.
Terminate an FTP session
FTP performs authentication at initial connection setup. FTP caches those credentials for the duration of the connection.
     NOTE: Forcefully disconnecting an FTP connection could result in data loss or corruption for any files that the FTP client is
     accessing.
1. Identify the IP address and user of the FTP client that must be disconnected.
2. Disable the user.
      isi auth users modify --enabled=false <user>
     Disabling the user ensures that they cannot authenticate again after the connection is terminated.
3. Contact Dell Technologies Support for next steps. The steps require root or account of last resort access.
Terminate an HDFS session
Dell Technologies recommends requiring Kerberos authentication for HDFS. Kerberos uses session tickets to grant access
to HDFS on OneFS. There are configurable timeouts in Kerberos that control how long a session ticket remains valid. For
information about configuring Kerberos session ticket lifetime values, see Kerberos authentication.
Terminate an NFS session
Dell Technologies recommends requiring Kerberos authentication for NFS. Kerberos uses session tickets to grant access to NFS
on OneFS. There are configurable timeouts in Kerberos that control how long a session ticket remains valid. For information
about configuring Kerberos session ticket lifetime values, see Kerberos authentication.
Terminate an S3 session
S3 continually revalidates authorization with a very short cache lifetime. Disabling or deleting a user prevents any further
requests that the user sends from succeeding.
Terminate an SMB session
SMB sessions perform authentication during the initial connection setup. The session caches these credentials for the duration
of the session.
    NOTE: Forcefully disconnecting an SMB session from OneFS could cause data loss or data corruption for any files that are
    open by the SMB client. Ensure that you balance the risk of data corruption against the risk of continued access to the
    cluster from this session.
To disconnect an active user on OneFS:
1. Identify the client or user that you want to disconnect from OneFS. Ensure that this user is disabled in the appropriate
   authentication provider.
2. Find the node that contains the session that you want to disconnect.
   Run the isi smb sessions list command on every node in the cluster. A single client may have multiple connections
   to multiple nodes.
     onefs-1# isi_for_array isi smb sessions list
     onefs-1:    Lnn Computer User
     onefs-1:    -----------------
     onefs-1:    -----------------
     onefs-1:    Total: 0
     onefs-3:    Lnn Computer        User
     onefs-3:    ---------------------------------------
     onefs-3:    3    192.168.187.49 onefs\joe
     onefs-3:    ---------------------------------------
     onefs-3:    Total: 1
     onefs-2:    Lnn Computer User
     onefs-2:    -----------------
     onefs-2:    -----------------
     onefs-2:    Total: 0
3. Using the information provided by the isi smb sessions list command, identify the node (Lnn), Computer, and
   User of the session to disconnect.
4. Log in to the node that you identified.
5. Forcibly delete the SMB client session by using the isi smb sessions delete command.
     onefs-3# isi smb sessions delete 192.168.187.49 --user-name onefs\\joe
     Are you sure you want to disconnect SMB sessions for user=onefs\joe
     computer=192.168.187.49? (yes/[no]): yes
   An alternate command that has the same result is:
     onefs-3# isi smb sessions delete-user onefs\\joe --computer-name 192.168.187.49
     Are you sure you want to disconnect SMB sessions for user=onefs\joe
     computer=192.168.187.49? (yes/[no]): yes
If the client is using the recommended Kerberos authentication and the Kerberos service ticket remains valid, the client may
continue connecting to SMB on OneFS. For information about configuring Kerberos service ticket lifetimes, see Kerberos
authentication.
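The node lookup in steps 2 through 5 above, as an added example that is not part of this guide or of OneFS: the Python below parses the cluster-wide `isi_for_array isi smb sessions list` output (the sample shown above, embedded here as constructed input), finds every node holding a session for a given user, and builds the `isi smb sessions delete` command to run on each of those nodes. The column layout assumed by the parser is taken from that sample only.

```python
import re

# Constructed sample: the isi_for_array listing shown in the procedure above.
SAMPLE_OUTPUT = """\
onefs-1:    Lnn Computer User
onefs-1:    -----------------
onefs-1:    -----------------
onefs-1:    Total: 0
onefs-3:    Lnn Computer        User
onefs-3:    ---------------------------------------
onefs-3:    3    192.168.187.49 onefs\\joe
onefs-3:    ---------------------------------------
onefs-3:    Total: 1
onefs-2:    Lnn Computer User
onefs-2:    -----------------
onefs-2:    -----------------
onefs-2:    Total: 0
"""

# A session row looks like "<node>:   <lnn> <computer> <user>". Header, separator
# and "Total:" lines have no numeric Lnn in that position and are skipped.
_ROW_RE = re.compile(
    r"^(?P<node>[^:\s]+):\s+(?P<lnn>\d+)\s+(?P<computer>\S+)\s+(?P<user>\S+)\s*$"
)


def parse_sessions(output: str) -> list:
    """Return one dict (node, lnn, computer, user) per SMB session in the listing."""
    sessions = []
    for line in output.splitlines():
        match = _ROW_RE.match(line)
        if match:
            row = match.groupdict()
            row["lnn"] = int(row["lnn"])
            sessions.append(row)
    return sessions


def sessions_for_user(output: str, user: str) -> list:
    """Sessions that belong to `user` (DOMAIN\\name); SMB names compare case-insensitively."""
    return [s for s in parse_sessions(output) if s["user"].lower() == user.lower()]


def delete_commands(output: str, user: str) -> list:
    """Return (node, command) pairs: the delete to run on each node that holds a session.

    The backslash in DOMAIN\\user is doubled, as in the guide's example, so that the
    shell passes it through to the command unchanged.
    """
    commands = []
    for s in sessions_for_user(output, user):
        cli_user = s["user"].replace("\\", "\\\\")
        commands.append(
            (s["node"], f"isi smb sessions delete {s['computer']} --user-name {cli_user}")
        )
    return commands


if __name__ == "__main__":
    for node, cmd in delete_commands(SAMPLE_OUTPUT, "onefs\\joe"):
        print(f"{node}# {cmd}")
```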
Terminate an SSH session
SSH sessions perform authentication during initial connection. The session caches privileges for the duration of the session.
    NOTE: Forcefully disconnecting an SSH session from OneFS could cause unintended behavior.
To disconnect an SSH connection from the cluster, follow these steps.
1. Identify the user for the SSH connection that you want to disconnect.
2. Disable the user.
     isi auth users modify --enabled=false <user>
   Disabling the user ensures that they cannot authenticate again after the connection is terminated.
3. Contact Dell Technologies Support for next steps. The steps require root or account of last resort access.
Authentication types and setup
Configure the authentication types and possible different sources for the system.
For general information about Authentication types and setup, see the "Authentication" chapter in the PowerScale OneFS
9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Configuring local authentication sources
For information about configuring local authentication sources, see the Managing local users and groups section in the
"Authentication" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
Configuring Active Directory
For information about configuring Active Directory, see the "Authentication" chapter in the PowerScale OneFS 9.5.0.0 Web
Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Certificate and key-based authentication
See the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
● For information about client and server authentication using TLS certificates, see the Certificates section in the "General
   cluster administration" chapter.
● For information about the supported key-based authentication methods, see the "Authentication" chapter.
Single Sign-on (SSO) security
OneFS supports single sign-on (SSO) authentication to the WebUI using a third-party system as the SSO Identity Provider.
The following two components work together to provide SSO authentication.
● The Identity Provider (IdP) performs user authentication. In OneFS, the verified IdP is Active Directory Federation Services
  (ADFS). Other IdPs may work.
● The Service Provider (SP) forwards an authentication request to the IdP. In the OneFS SSO solution, the SP is OneFS.
SSO is implemented in access zones. You can enable or disable SSO separately in each access zone, and each access zone must
be configured with an IdP. The IdP may be the same or different for each access zone. Each access zone can have only one IdP.
SAML
Communications between OneFS and the IdP (ADFS) occur using SAML. All SAML protocol messages go through the
"/session/1/" endpoints. The isi_saml_d daemon interacts with other processes.
Certificates
By default, OneFS generates a 4096-bit RSA signing key and certificate that expires after 1 year. The admin can change the bits
and lifetime of the certificate and regenerate the signing key and certificate.
The CELOG event SW_SSO_CONFIG_CERT_EXPIRING is raised 31 days before a certificate expires. The event message
includes whether it is the IDP or SP certificate that is expiring. The message includes the affected access zone.
The OneFS CLI and WebUI interfaces generate the Service Provider certificate for the trust between OneFS and the IdP.
If the signing certificate expires, OneFS disables SSO. An authorized administrator can renew an expired certificate.
1. On the WebUI, go to Access > Authentication providers > SSO > <access-zone> .
2. Click the link that appears under the SSO Enable/Disable switch.
For more information about managing, replacing, and renewing certificates, see the Certificates section in the "General cluster
administration" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
SSO and the STIG hardening profile
The STIG hardening profile requires SSO for all users. When SSO login is required, all users must have ISI_PRIV_LOGIN_PAPI
privilege and log in using SSO.
The hardening profile checks that each access zone has SSO enabled and that each zone has an IDP and SP configured for it.
SSO with MFA
To combine single sign-on with multifactor authentication (MFA), you must configure the MFA feature in the IdP, rather than in
OneFS.
Multifactor authentication
See the Multi-factor authentication section in the "Authentication" chapter of the PowerScale OneFS 9.5.0.0 Web
Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Other authentication sources
OneFS authentication providers are:
●   Local
●   File
●   AD
●   LDAP
●   NIS
●   MIT Kerberos
For information about configuring these authentication sources, see the PowerScale OneFS 9.5.0.0 Web Administration Guide or
the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Unauthenticated interfaces
The following interfaces do not require authentication for access.
● LCD front panel and buttons
● File over HTTP without Basic authentication, and not using RAN
● SNMPv1
● Using syslog to remote server
● Anonymous FTP
● Joining to the cluster
● SyncIQ, if configured without authentication. SyncIQ supports authentication.
    NOTE: Activities related to the LCD front-panel and cluster joining require physical access. The others are described in
    appropriate chapters in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
    Administration Guide.
Selecting authentication sources
For general information about selecting authentication sources, see the PowerScale OneFS 9.5.0.0 Web Administration Guide or
the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
User and credential management
Preloaded accounts
OneFS includes preloaded accounts. Most preloaded accounts are for internal system usage and are not available for user logins.
The table below lists the preloaded accounts and provides the following additional information:
● Username—FreeBSD provides some predefined accounts. OneFS hides some of the FreeBSD accounts using the isi
  auth interface. OneFS defines a few additional accounts.
● Login enabled—Indicates whether the account is active and usable for user logins by default.
       NOTE: Do not enable inactive accounts unless instructed to do so by Dell Technologies support.
● Not listable—Indicates whether isi auth user list lists the account. An x means that the account is not listable.
● Not modifiable—Indicates whether you can change the underlying properties of the account, such as the environment or
  home directory. An x means that the account is not modifiable.
Table 5. Preloaded accounts
Username                                         Login enabled                Not listable               Not modifiable
root                                                   Yes
sys                                                    No                           x                           x
daemon                                                 No                           x                           x
operator                                               No                           x                           x
bin                                                    No                           x                           x
tty                                                    No                           x                           x
kmem                                                   No                           x                           x
news                                                   No                           x                           x
man                                                    No                           x                           x
Guest                                                  No
    The SMB guest account is disabled by default. Do not enable unless directed to do so by Dell Technologies Support. In that
    case, read https://www.dell.com/support/kbdoc/000158610 for descriptions of exposures that can result from each impersonate
    guest option.
admin                                                  Yes
    PowerScale UI Administrator
compadmin                                              No
    PowerScale SmartLock Compliance Administrator
remotesupport                                          Yes
    ESRS remote user
ese                                                    No
    Internal account used by SupportAssist to communicate with PAPI. No login is permitted.
ftp                                                    No
insightiq                                              No
isdmgmt                                                No
sshd                                                   No                           x                             x
smmsp                                                  No                           x                             x
mailnull                                               No                           x                             x
bind                                                   No                           x                             x
unbound                                                No                           x                             x
proxy                                                  No                           x                             x
_pflogd                                                No                           x                             x
_dhcp                                                  No                           x                             x
uucp                                                   Yes                          x                             x
pop                                                    No                           x                             x
auditdistd                                             No                           x                             x
www                                                    No
_ypldap                                                No
hast                                                   No                           x                             x
_lldpd                                                 No
nobody                                                 No
everyone                                               No
null                                                   No                           x                             x
group                                                  No                           x                             x
git_daemon                                             No
Predefined groups
Type                           Description
Groups that are not listable   The following groups are not listable: daemon, kmem, sys, tty, operator, mail,
                               bin, news, man, staff, sshd, smmsp, mailnull, bind, proxy, authpf,
                               _pflogd, _dhcp, uucp, dialer, network, audit, www, nogroup, null,
                               insightiq, isdmgmt, vapi, unbound, hast, webkit.
Groups that are not            The following groups are not modifiable: daemon, kmem, sys, tty, operator, mail,
modifiable                     bin, news, man, staff, sshd, smmsp, mailnull, bind, proxy, authpf,
                               _pflogd, _dhcp, uucp, dialer, network, audit, www, nogroup, nobody,
                               null, insightiq, isdmgmt, vapi, unbound, hast, webkit.
Disable local accounts
You can disable a local account. Disabling the account does not remove the home directory of the user account.
Delete the home directory of the user account to avoid inadvertently exposing its data to a later account that is
assigned the same UID and GID. Delete a home directory using the rm or rmdir commands.
For information about creating, disabling, deleting, and modifying local accounts, see the section "Managing local users and
groups" in the "Authentication" chapter of the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
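The following check models the exposure described above. It is an added example for this guide, not OneFS code: it works on a constructed list of local accounts and a constructed list of home directories with their owning UID (standing in for isi auth users list output and a walk of /ifs/home, neither of which it calls) and reports home directories that belong to a disabled account, that no current account owns, or that a different account's UID already owns. The record fields and the sample user names are assumptions.

```python
"""Audit home directories left behind by disabled or deleted local accounts.

Added example for the OneFS Security Configuration Guide; not Dell code.
Account and directory records are constructed inline so the script runs
offline; on a cluster they would come from `isi auth users list` and from
stat'ing the directories under /ifs/home (not done here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    enabled: bool
    home: str


@dataclass(frozen=True)
class HomeDir:
    path: str
    owner_uid: int
    owner_gid: int


def audit_home_dirs(accounts, home_dirs):
    """Return {path: (finding, detail)} for every directory that needs action.

    orphaned: no current account has the owning UID, so the next account
              created with that UID silently inherits the data.
    reused:   the owning UID now belongs to an account other than the one
              the directory was created for; that account can already read it.
    stale:    the matching account is disabled but its home still exists.
    A directory owned by an enabled account with a matching home is fine.
    The same reasoning applies to the owning GID; it is kept in the record
    but, for brevity, only the UID is checked here.
    """
    by_uid = {a.uid: a for a in accounts}
    by_home = {a.home: a for a in accounts}
    findings = {}
    for d in home_dirs:
        owner = by_uid.get(d.owner_uid)   # who the file system says owns it
        named = by_home.get(d.path)       # whose configured home this path is
        if owner is None:
            findings[d.path] = ("orphaned", f"uid {d.owner_uid} maps to no account")
        elif named is None or named.name != owner.name:
            findings[d.path] = ("reused", f"uid {d.owner_uid} now belongs to {owner.name}")
        elif not named.enabled:
            findings[d.path] = ("stale", f"account {named.name} is disabled")
    return findings


def sample_audit():
    """Constructed data: bob was disabled, dave was deleted and his UID given
    to erin, frank was deleted and his UID is still free."""
    accounts = [
        Account("alice", 2001, 2001, True,  "/ifs/home/alice"),
        Account("bob",   2002, 2002, False, "/ifs/home/bob"),
        Account("carol", 2003, 2003, True,  "/ifs/home/carol"),
        Account("erin",  2004, 2004, True,  "/ifs/home/erin"),
    ]
    home_dirs = [
        HomeDir("/ifs/home/alice", 2001, 2001),
        HomeDir("/ifs/home/bob",   2002, 2002),
        HomeDir("/ifs/home/carol", 2003, 2003),
        HomeDir("/ifs/home/dave",  2004, 2004),   # deleted user, UID recycled to erin
        HomeDir("/ifs/home/erin",  2004, 2004),
        HomeDir("/ifs/home/frank", 2005, 2005),   # deleted user, UID not yet reused
    ]
    return audit_home_dirs(accounts, home_dirs)


if __name__ == "__main__":
    for path, (finding, detail) in sorted(sample_audit().items()):
        print(f"{finding:8} {path}: {detail}")
```

Run the audit before disabling or deleting an account as well as after: the "reused" case is the one that is already an exposure, because the data is readable by the account that now holds the UID, while "orphaned" is the exposure waiting to happen when the UID is recycled.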
Managing credentials
For information about managing credentials, see the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale
OneFS 9.5.0.0 CLI Administration Guide.
Securing credentials
For information about securing credentials, see the File provider section in the "Authentication" chapter of the PowerScale
OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Password complexity
For information about password complexity, see the Managing local users or groups section in the "Authentication" chapter of
the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Authentication to external systems
Configure OneFS to communicate with and authenticate to external systems.
Remote component authentication
OneFS can connect to an AD domain or an LDAP server.
Connecting requires a username and password on the external component that carry the required privileges.
● For AD configuration, you need an account with Domain Admin privileges.
● For LDAP, you need the username and password of an LDAP account that can authenticate and view all accounts.
For configuration information to connect and authenticate to these components, see the "Authentication" chapter of the
PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Authorization
Authorization controls which actions a user is allowed to perform. Authorization is a critical component of any security model for
OneFS.
In addition to general settings, OneFS includes Role-Based Access Control (RBAC).
General authorization settings
A new user has a clean directory and some UNIX and SMB permissions on various files throughout the system. In general, user
access must be explicitly granted. UNIX permissions and SMB ACLs can grant users read, write, and execute permissions
on specific files. All other access is granted through RBAC privileges.
Most OneFS processes run as root. By default, only root can act directly on those processes. RBAC, however, lets nonroot
users explicitly act on specific components that they otherwise would not be allowed to access.
     NOTE: Dell Technologies recommends using RBAC to fine-tune access to needed components per user, as opposed to
     granting root-level access to many users.
For details about authorization and RBAC in particular, see the "Administrative Roles and Privileges" chapter of the PowerScale
OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
RBAC privileges
Role-Based Access Control (RBAC) assigns privileges to users through roles.
    NOTE: OneFS RBAC is session-based. If roles are changed while a user is logged in, the new assignments do not take
    effect until the user logs out and logs back in.
OneFS supports a hierarchy of privileges. Broad-reaching privileges are intended for administrators. Granular privileges can
restrict user access to a specific feature set, a specific subfeature, or even specific attributes within a feature.
For information about RBAC and privileges, including default roles, configuring roles with privileges, and role mapping, see the
"Administrative Roles and Privileges" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide and the PowerScale
OneFS 9.5.0.0 CLI Administration Guide.
Security privileges
The following table describes the privileges and subprivileges that allow users to assign privileges to others. Subprivileges inherit
their permission type from their parent privilege. Permission types are No permission (-), Read (r), Execute (x), and Write (w).
The permission listed for each privilege is the highest permission allowed.
Privilege / Subprivilege                                        Description                                   Permission
ISI_PRIV_AUTH                                                   Configure external authentication             Write
                                                                providers, including root-level accounts.
        ISI_PRIV_AUTH_GROUPS                                    User groups from authentication provider      Write
        ISI_PRIV_AUTH_PROVIDERS                                 Configure authentication providers            Write
        ISI_PRIV_AUTH_RULES                                     User mapping rules                            Write
        ISI_PRIV_AUTH_SETTINGS_ACLS                             Configure ACL policy settings                 Write
        ISI_PRIV_AUTH_SETTINGS_GLOBAL                           Configure global authentication settings      Write
        ISI_PRIV_AUTH_USERS                                     Users from authentication providers           Write
        ISI_PRIV_AUTH_ZONES                                     Configure access zones                        Write
ISI_PRIV_RESTRICTED_AUTH                                        Find and list users, set user passwords,   Write
                                                                unlock user accounts, and add or remove
                                                                users and groups. Administrators with this
                                                                privilege can modify only users and groups
                                                                that have the same or less privilege.
        ISI_PRIV_RESTRICTED_AUTH_GROUPS                         Configure groups with the same or less        Write
                                                                privilege.
        ISI_PRIV_RESTRICTED_AUTH_USERS                          Configure users with the same or less         Write
                                                                privilege.
ISI_PRIV_ROLE                                                   Create roles and assign privileges,           Write
                                                                including root-level accounts.
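Two rules from this section are worth seeing as code: the bound on ISI_PRIV_RESTRICTED_AUTH ("can modify only users and groups that have the same or less privilege") and the session-based note under RBAC privileges (role changes take effect only at the next login). The model below is an added example for this guide, not OneFS code, and it does not reproduce how OneFS evaluates privileges internally. The privilege names come from the table above; the role names, user names and the reading of "same or less privilege" as a subset test over privilege names are assumptions of the model.

```python
"""Model two RBAC rules from this section: a restricted auth administrator may
only manage users with the same or less privilege, and privileges are fixed at
login for the lifetime of a session.

Added example for the OneFS Security Configuration Guide; it is not OneFS code
and does not reproduce how OneFS evaluates privileges internally. Privilege
names are taken from the table above; the role names, user names and the
"same or less" test (subset of privilege names) are assumptions of the model.
"""

# Constructed roles. Only privilege names that appear in the table are used.
ROLES = {
    "auth-admins": {"ISI_PRIV_AUTH", "ISI_PRIV_ROLE"},
    "helpdesk":    {"ISI_PRIV_RESTRICTED_AUTH_USERS"},
    "zone-admins": {"ISI_PRIV_AUTH_ZONES"},
}

# Constructed user -> role assignments. Mutating this stands in for changing
# role membership on the cluster.
MEMBERS = {
    "admin":     {"auth-admins"},
    "helpdesk1": {"helpdesk"},
    "helpdesk2": {"helpdesk"},
    "zoneops":   {"zone-admins"},
    "user1":     set(),
}

UNRESTRICTED = {"ISI_PRIV_AUTH", "ISI_PRIV_AUTH_USERS"}
RESTRICTED = {"ISI_PRIV_RESTRICTED_AUTH", "ISI_PRIV_RESTRICTED_AUTH_USERS"}


def effective_privileges(user):
    """Union of the privileges of every role the user currently holds."""
    return set().union(*(ROLES[r] for r in MEMBERS.get(user, set())))


class Session:
    """Privileges are captured at login and not re-read afterwards, which is
    the behaviour the NOTE under RBAC privileges describes."""

    def __init__(self, user):
        self.user = user
        self.privileges = frozenset(effective_privileges(user))


def can_set_password(session, target):
    """Decide whether the session may set `target`'s password.

    ISI_PRIV_AUTH / ISI_PRIV_AUTH_USERS: unbounded write over users.
    ISI_PRIV_RESTRICTED_AUTH(_USERS):   only if the target's current
    privileges are a subset of the actor's, so a helpdesk operator can
    never take over an account that could in turn grant them more.
    """
    if session.privileges & UNRESTRICTED:
        return True
    if session.privileges & RESTRICTED:
        return effective_privileges(target) <= session.privileges
    return False


def demo():
    """Return the decisions a reader would want to see, as a dict."""
    helpdesk = Session("helpdesk1")
    out = {
        "helpdesk->user1":     can_set_password(helpdesk, "user1"),
        "helpdesk->helpdesk2": can_set_password(helpdesk, "helpdesk2"),
        "helpdesk->zoneops":   can_set_password(helpdesk, "zoneops"),
        "helpdesk->admin":     can_set_password(helpdesk, "admin"),
        "zoneops->user1":      can_set_password(Session("zoneops"), "user1"),
        "admin->helpdesk1":    can_set_password(Session("admin"), "helpdesk1"),
    }
    # Revoke the role while the session is still open: the old session keeps
    # its privileges until logout; only a new login sees the change.
    MEMBERS["helpdesk1"].discard("helpdesk")
    out["revoked,old session->user1"] = can_set_password(helpdesk, "user1")
    out["revoked,new session->user1"] = can_set_password(Session("helpdesk1"), "user1")
    MEMBERS["helpdesk1"].add("helpdesk")  # restore for repeat runs
    return out


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {case}")
```

The last two decisions are the practical caveat behind the session-based note: revoking a role does not close the door for an operator who is already logged in, so a revocation that matters should be followed by ending that user's active sessions.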
Network security
OneFS security includes the security of networked subsystems and interfaces.
Network exposure
The following sections describe the network exposure of OneFS, including ports, protocols, services exposed, and default
states.
Network port usage
Standardized protocols enable other system units to exchange data with OneFS.
The TCP/IP protocol suite uses numbered ports to identify the communication channel within a protocol. Generally, OneFS
listens on a well-known port for incoming data, and the client sends from an ephemeral port. Port numbers and IP addresses
are carried in every packet, which enables other systems, such as firewalls, to make decisions about the data stream. TCP
and UDP within the TCP/IP suite use 16-bit port numbers, from 0 to 65535.
The Internet Assigned Numbers Authority (IANA) assigns and maintains port numbers. They are divided into three ranges:
1. Well-known ports—Ranges are from 0 to 1023.
2. Registered ports—Ranges are from 1024 to 49151.
3. Dynamic or private ports—Ranges are from 49152 to 65535.
Protocols support both IPv4 and IPv6 addresses, except where noted.
As a security best practice, use an external firewall or enable the OneFS host-based firewall. Configure the firewall to:
● Limit access to the cluster to trusted clients and servers that require access.
● For ports that are required for communication, allow restricted access only.
● Block access to all other ports.
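The three firewall rules above amount to: derive the inbound allowlist from the services the cluster must serve, admit only those ports, and treat everything else that is listening as something to block or switch off. The script below does that derivation. It is an added example for this guide, not Dell code and not a driver for the OneFS host-based firewall: INBOUND transcribes a subset of the inbound rows of Table 6 below, and the observed listener list in sample_audit is constructed to stand in for a socket listing taken on a node (nothing is collected from a real cluster). Translating the resulting allowlist into rules depends on the firewall in use.

```python
"""Derive an inbound allowlist from Table 6 and compare it with what a node
actually listens on.

Added example for the OneFS Security Configuration Guide; not Dell code and
not a driver for the OneFS host-based firewall. INBOUND transcribes a subset
of the inbound rows of Table 6; the observed listener list is constructed to
stand in for a socket listing on a node (not collected here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str            # "tcp" or "udp"
    service: str          # service name as printed in Table 6
    default_enabled: bool
    core: bool = False    # Table 6: "Cannot be closed; disrupts core functionality."


INBOUND = [
    PortRule(21,    "tcp", "ftp",         False),
    PortRule(22,    "tcp", "ssh",         True),
    PortRule(53,    "tcp", "DNS",         True),
    PortRule(53,    "udp", "DNS",         True),
    PortRule(111,   "tcp", "rpc.bind",    True, core=True),
    PortRule(111,   "udp", "rpc.bind",    True, core=True),
    PortRule(135,   "tcp", "dcerpc",      True),
    PortRule(135,   "udp", "dcerpc",      True),
    PortRule(139,   "tcp", "netbios-ssn", False),
    PortRule(161,   "udp", "snmp",        True),
    PortRule(300,   "tcp", "mountd",      False),
    PortRule(300,   "udp", "mountd",      False),
    PortRule(2049,  "tcp", "nfs",         False),
    PortRule(2049,  "udp", "nfs",         False),
    PortRule(8020,  "tcp", "hdfs",        True),
    PortRule(8080,  "tcp", "isi_webui",   True),
    PortRule(8082,  "tcp", "WebHDFS",     False),
    PortRule(9021,  "tcp", "s3",          False),
    PortRule(10000, "tcp", "NDMP",        False),
]
BY_KEY = {(r.port, r.proto): r for r in INBOUND}


def allowlist(required_services):
    """(port, proto) pairs to admit: the services this cluster must serve,
    plus the ports the table says cannot be closed."""
    return {(r.port, r.proto) for r in INBOUND
            if r.service in required_services or r.core}


def describe(key):
    rule = BY_KEY.get(key)
    return rule.service if rule else "not in Table 6"


def audit(listening, required_services):
    """Sort observed listeners into what the firewall policy should do with them.

    unexpected:        listening but not needed -> block at the firewall and,
                       where the table allows, disable the service.
    missing:           needed but not listening -> the service is off or bound
                       elsewhere; fix that before opening the port.
    default_on_unused: enabled on install but not needed; worth reviewing even
                       when nothing is listening yet.
    """
    allow = allowlist(required_services)
    listening = set(listening)
    return {
        "allow": sorted(allow),
        "unexpected": sorted(listening - allow),
        "missing": sorted(allow - listening),
        "default_on_unused": sorted((r.port, r.proto) for r in INBOUND
                                    if r.default_enabled and (r.port, r.proto) not in allow),
    }


def sample_audit():
    """Constructed node: serves SSH, SmartConnect DNS, NFS and the Web UI, but
    also has SNMP, the SMB witness endpoint mapper and the HDFS namenode
    listening (all on by default), plus an undocumented listener on 4444."""
    observed = [(22, "tcp"), (53, "tcp"), (53, "udp"), (111, "tcp"), (111, "udp"),
                (135, "tcp"), (161, "udp"), (2049, "tcp"), (4444, "tcp"),
                (8020, "tcp"), (8080, "tcp")]
    return audit(observed, {"ssh", "DNS", "nfs", "isi_webui"})


if __name__ == "__main__":
    report = sample_audit()
    for bucket in ("unexpected", "missing", "default_on_unused"):
        for key in report[bucket]:
            print(f"{bucket:18} {key[0]}/{key[1]:3} {describe(key)}")
```

The "default_on_unused" bucket is the one that usually surprises people: several services in Table 6 (SNMP on 161, the endpoint mapper on 135, the HDFS namenode on 8020) are enabled on install, so a cluster that never uses them still exposes them until the firewall or the service configuration says otherwise.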
Table 6. Network ports
Port       Service name      Protocol    Connection    Usage and description                   Effect if closed             Installed
                                         type                                                                               default
20         ftp-data          TCP         Outbound       ● FTP access (disabled by default)      FTP access is unavailable.   Disabled
                                                        ● Data channel for FTP service
21         ftp               TCP         Inbound        ● FTP access                            FTP access is unavailable.   Disabled
                                                        ● Control channel for FTP access
22         ssh               TCP         Inbound        ● SSH login service                     SSH secure shell access is   Enabled
                                                        ● console management                    unavailable.
                                                             NOTE: does not support
                                                             IPv6.
25         smtp              TCP         Outbound       Email deliveries                        Outbound email alerts from   Disabled
                                                                                                OneFS are unavailable.
53         DNS               UDP         Outbound       Domain Name Service resolution          Services are not able to     Enabled
                                                                                                resolve domain names.
53         DNS               TCP,        Inbound        SmartConnect DNS requests and           SmartConnect DNS             Enabled
                             UDP                        incoming DNS request responses          resolution is unavailable.
68         DHCP              UDP         Inbound       The cloud provider allocates primary    Primary IP addresses are     Enabled only
                                                       IP addresses in cloud deployments       removed, causing cluster     in cloud
                                                       and communicates them over DHCP.        data unavailability.         deployments.
80         http              TCP         Inbound        File access (Basic file access and      HTTP access to files is      Disabled
                                                        WebDav)                                 unavailable.
88         Kerberos          TCP,        Outbound       Kerberos authentication services that Kerberos authentication is     Disabled
                             UDP                        are used to authenticate users        unavailable.
                                                        against Microsoft Active Directory
                                                        domains
111        rpc.bind          TCP,        Inbound        ONC RPC portmapper that is used to Cannot be closed; disrupts        Enabled
                             UDP                        locate services such as NFS, mountd, core functionality.
                                                        and isi_cbind_d
123        ntp               UDP         Outbound       Network Time Protocol used to           Cluster time cannot be       Enabled
                                                        synchronize host clocks within the      synchronized with an
                                                        cluster                                 external NTP time source.
135      dcerpc         TCP,     Inbound     RPC Endpoint mapper service           Witness connections for        Enabled
                        UDP                                                        SMB continuous availability
                                                                                   are not established.
137      netbios-ns     UDP      Inbound     NetBIOS Name Service that provides None.                             Disabled
                                             name resolution service for pre-
                                             Windows 2000 SMB1 clients
138      netbios-dgm    UDP      Inbound     NetBIOS Datagram Service that         None.                          Disabled
                                             provides legacy connectionless
                                             service for pre-Windows 2000 SMB1
                                             clients
139      netbios-ssn    TCP      Inbound     NetBIOS Session Service that          Old SMB1 clients unable to Disabled
                                             provides SMB1 support for pre-        use port 445 cannot access
                                             Windows 2000 clients                  the server.
161      snmp           UDP      Inbound     Simple Network Management             SNMP communications are        Enabled
                                             Protocol support. Typically, agents   not available.
                                             listen on port 161.
162      snmptrap       UDP      Outbound    Simple Network Management             SNMP communications are        Enabled
                                             Protocol support. Typically,          not available.
                                             asynchronous traps are received on
                                             port 162.
300      mountd         TCP,     Inbound     NFSv3 mount service                   NFSv3 mount service is not Disabled
                        UDP                                                        available.
302      statd          TCP,     Inbound     NFS Network Status Monitor (NSM)      The NSM service is not         Disabled
                        UDP                                                        available.
304      lockd          TCP,     Inbound     NFS Network Lock Manager (NLM)        The NLM service is not         Disabled
                        UDP                                                        available.
305      nfsrquotad     TCP,     Inbound     nfs rpc.quota daemon                  The daemon is not              Disabled
                        UDP                                                        available.
306      nfsmgmtd                Inbound     nfs management daemon                 The daemon is not              Disabled
                                                                                   available.
389      ldap           TCP,     Outbound    Microsoft Active Directory domain     The cluster cannot fetch a     Enabled
                        UDP                  service. Used to fetch the list       list of AD domains or verify
                                             of servers from the Active            that they are active.
                                             Directory domain and other domain
                                             information.
389      ldap           UDP      Outbound    CLDAP pings. Used to determine if a   The cluster cannot perform Enabled
                                             domain server is running.             user or group lookups
                                                                                   or authentications against
                                                                                   LDAP or Active Directory.
389      ldap           TCP      Outbound    LDAP SASL (secure LDAP). Typically    The cluster cannot perform Enabled
                                             used to query for user and group      user or group lookups
                                             information after authentication.     or authentications against
                                                 NOTE: SASL is configured on       LDAP or Active Directory.
                                                 the AD or LDAP servers, not
                                                 on the cluster. During LDAP
                                                 connection setup, there is an
                                                 option to determine whether to
                                                 use a secure connection.
443      https          TCP      Inbound     File access (Basic file access and    Access to files is             Disabled
                                             WebDav)                               unavailable over TLS.
443      https             TCP      Outbound    A port for CloudPools access to a      If CloudPools is using this    Disabled
                                                cloud storage provider.                port, CloudPools features
                                                    NOTE: Port 443 is typical, but     are not available.
                                                    not always the correct port. The
                                                    cloud storage provider (or other
                                                    archive location such as ECS or
                                                    another PowerScale cluster) may
                                                    use or require a different port.
                                                    Customer load balancers may
                                                    also affect which port is required
                                                    for CloudPools connections.
445      microsoft-ds      TCP      Outbound    SMB1 and SMB2 client                    Joining an Active Directory   Disabled
         (SMB)                                                                          domain and the NTLM
                                                                                        authentication against it
                                                                                        are not possible.
514      syslog            UDP      Outbound    syslog                                  Cannot be closed; disrupts    Enabled
                                                                                        core functionality.
585      hdfs              TCP      Inbound     HDFS (Hadoop file system)               HDFS is unavailable.          Disabled
         (datanode)        (IPv4
                           only)
623      N/A               TCP,     Inbound     Reserved for hardware                   N/A                           Enabled
                           UDP
636      ldap              TCP      Outbound    ● LDAP Directory service queries        LDAP is unavailable.          Disabled
                                                  used by OneFS Identity services.
                                                ● Default port for LDAPS
664      N/A               TCP,     Inbound     Reserved for hardware                   N/A                           Enabled
                           UDP
692      pcnfs             UDP      Inbound and PCNFS                                   Unavailable                   Disabled
                                    Outbound
989      ftps-data         TCP      Outbound    ● Secure FTP access (disabled by        Secure FTP access is          Disabled
         (implicit)                               default).                             unavailable.
                                                ● Secure data channel for FTP
                                                  service
990      ftps (implicit)   TCP      Inbound     ● Secure FTP access                     Secure FTP access is          Disabled
                                                ● Control channel for FTP access        unavailable.
1013     pcnfs             UDP      Inbound and PCNFS                                   Unavailable                   Disabled
                                    Outbound
2049     nfs               TCP,     Inbound     Network File Service (NFS) server       The NFS server and          Disabled
                           UDP                                                          all related NFS services
                                                                                        (including mount, NSM,
                                                                                        and NLM) are not available.
                                                                                        NFS is an important
                                                                                        component of the OneFS
                                                                                        interaction, even if no
                                                                                        NFS exports are visible
                                                                                        externally.
2097     SyncIQ            TCP      Inbound     SyncIQ: isi_migr_pworker                SyncIQ is unavailable.        Disabled
2098     SyncIQ            TCP      Inbound     SyncIQ: isi_migr_pworker                SyncIQ is unavailable.        Disabled
3147     isi_replicate     TCP      Inbound     isi_replicate                           SyncIQ is unavailable.        Disabled
3148     SyncIQ          TCP       Inbound      SyncIQ: isi_migr_bandwidth           SyncIQ is unavailable.        Disabled
3149     SyncIQ          TCP       Inbound      SyncIQ: isi_migr_bandwidth           SyncIQ is unavailable.        Disabled
3268     lsass           TCP       Outbound     Used for unencrypted                 Some forms of Active          Disabled
                                                communications with a Microsoft      Directory authentication
                                                Active Directory Global Catalog      might not work, depending
                                                LDAP server.                         on the configuration.
5019     ifs             TCP       Inbound or   PowerScale file system               Intracluster communication    Enabled
                                   Outbound                                          is not available.
                                   (Internal)
5055     smartconnect    UDP       Inbound      SmartConnect                         SmartConnect is               Enabled
                                   (Internal)                                        unavailable.
5666     isi_replicate   TCP       Inbound      isi_replicate                        SyncIQ is unavailable.        Disabled
5667     SyncIQ          TCP       Inbound      SyncIQ: isi_migr_sworker             SyncIQ is unavailable.        Disabled
5668     SyncIQ          TCP       Inbound      SyncIQ: isi_migr_sworker             SyncIQ is unavailable.        Disabled
6514     syslog          TCP       Outbound     syslog over TLS                      syslog only uses port 514. Disabled
6557     isi_ph_rpcd     TCP       Inbound      Performance collector                Performance collection and Disabled
                                                                                     analysis are unavailable.
7722     isi_dm_d        TCP       Inbound      SmartSync daemon control and data    SmartSync is unavailable.     Disabled
                                                transfer
8020     hdfs            TCP       Inbound      HDFS (Hadoop file system)            HDFS is unavailable.          Enabled
         (namenode)      (IPv4
                         only)
8080     isi_webui       HTTPS,    Inbound      ● OneFS Web UI                        ● HTTPS access to the         Enabled
                         TCP                    ● PAPI                                  Web UI is unavailable.
                         (IPv4                  ● Remote service                      ● PAPI is unavailable.
                         only)                  ● CloudPools, when a second           ● CloudPools archive to
                                                  PowerScale cluster is used for        another PowerScale
                                                  archiving.                            cluster is unavailable.
8082     WebHDFS         http, TCP Inbound      webhdfs, jmx, imagetransfer over     Access to HDFS data           Disabled
                         (IPv4                  HTTP                                 is unavailable through
                         only)                                                       WebHDFS.
8083     lwswift         https,    Inbound      SWIFT protocol access                SWIFT protocol access is      Disabled
                         TCP                                                         unavailable.
8440     Ambari agent    TCP       Outbound     Handshake from Ambari agent to       Ambari Agent is unavailable   Disabled
                         (IPv4                  Ambari server.                       to monitor and report the
                         only)                                                       status of HDFS access
                                                                                     zone.
8441     Ambari agent    TCP       Outbound     Heartbeat status from Ambari agent   Ambari Agent is unavailable   Disabled
                         (IPv4                  to Ambari server.                    to monitor and report the
                         only)                                                       status of HDFS access
                                                                                     zone.
8443     webhdfs_ran     https,    Inbound      ● Restful access to namespace        ● Unable to access RAN        Disabled
                         TCP                      (RAN)                              ● Unable to access
                                                ● webhdfs, jmx, imagetransfer          webhdfs, jmx,
                                                                                       imagetransfer over
                                                                                       HTTPS
8470     SyncIQ          TCP       Inbound      SyncIQ: isi_replicate                SyncIQ is unavailable.        Disabled
9020      s3               http     Inbound      ● S3 service access                   ● S3 access is                Disabled
                                                 ● CloudPools, when S3 or ECS            unavailable.
                                                   is used as the archive service      ● CloudPools archive to
                                                   provider.                             S3 or to ECS is
                                                                                         unavailable.
9021      s3               https    Inbound      ● S3 service access                   ● S3 access is                Disabled
                                                 ● CloudPools, when S3 or ECS            unavailable.
                                                   is used as the archive service      ● CloudPools archive to
                                                   provider.                             S3 or to ECS is
                                                                                         unavailable.
9443      isi_esrs_d       TCP      Outbound     outbound alerts                       PowerScale is unable to       Disabled
                                                                                       send alerts, log gathers,
                                                                                       and other event data to
                                                                                       Dell Technologies technical
                                                                                       support.
10000     NDMP             TCP      Inbound      Network data management for           NDMP backup is disabled.      Disabled
                                                 backup
12228     CEE              http     Outbound     The same CEE software handles         The CAVA servers are          Disabled
          CEE/CAVA                               CAVA anti-virus and Audit requests.   unreachable. Audit records    (both
          CEE/Audit                              Both CAVA and Audit use this port.    are not forwarded to the      CAVA and
                                                 The CEE service handles the request   audit server.                 Audit)
                                                 packets, which are HTTP with an
                                                 XML body. CEE forwards the request
                                                 to one of the other services.
                                                 CAVA scan requests and heartbeats
                                                 travel between the cluster and the
                                                 CEE and CAVA servers using HTTP
                                                 on port 12228. Audit records are
                                                 forwarded to an Audit server.
                                                    NOTE: Also, SMB must be
                                                    enabled. The CEE software reads
                                                    and updates files over SMB (port
                                                    445) using configured IP pool
                                                    addresses.
15000     isi_lcd_d        TCP      Inbound      Internal communication                None                          Enabled
                                    (Internal)
15100     isi_upgrade_agent_d UDP  Inbound      PowerScale upgrade daemon             Cluster reimages are          Enabled
                                   (Internal)                                         unavailable.
20049     NFSv3 over       RDMA     Inbound or   Transport NFSv3 data access           RDMA transport not            Disabled
          RDMA                      Outbound     communication over RDMA as an         possible
                                                 alternative to TCP or UDP, for
                                                 enhanced performance.
28080     lwswift          TCP      Inbound      Swift protocol access                 Swift protocol access is      Disabled
                                                                                       unavailable.
Dynamic   lwwit            TCP,     Inbound      SMB witness                           Tied to SMB service           Disabled
                           UDP                                                                                       (both
                                                                                                                     CAVA and
                                                                                                                     Audit)
Dynamic   isi_cbind_d      UDP      Inbound or   The dynamic port that is used        isi_cbind_d                    Enabled
                                    Outbound     for communicating with the DNS
                                                 server for sending and receiving DNS
                                                 queries and responses. There could
                                                 be multiple dynamic ports; a port is
                                                 created for each groupnet that is
                                                 configured on the cluster.
Network port controls
The following table shows the commands that enable or disable the network ports.
Table 7. Commands to enable or disable network ports
Port     Service       Install      Command usage
         name          default
20       ftp-data      Disabled     Opened on use when the FTP service is enabled.
                                    isi services vsftpd <enable or disable>
21       ftp           Disabled     isi services vsftpd <enable or disable>
22       ssh           Enabled      See SSH security best practices.
25       smtp          Disabled     See the Configure SMTP email settings section in the "General cluster
                                    administration" chapter of the PowerScale OneFS 9.5.0.0 Web Administration
                                    Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
53       DNS           Enabled      Not modifiable.
68       DHCP          Enabled      Not modifiable. Specific to cloud versions.
80       http          Disabled     isi http settings modify --service <enabled or disabled>
88       kerberos      Disabled     isi auth krb5 delete <provider-name>
                                    To reenable Kerberos, create a Kerberos provider by running:
                                    isi auth krb5 create <realm> { <user> | --keytab-file <string> }
                                    View all options for Kerberos provider creation using isi auth krb5
                                    create --help.
111      rpc.bind      Enabled      isi services -a rpcbind <enable or disable>
123      ntp           Enabled      Not modifiable
135      dcerpc        Disabled     To stop and start:
                                    /usr/likewise/bin/lwsm stop dcerpc
                                    /usr/likewise/bin/lwsm start dcerpc
137      netbios-ns    Disabled     Not modifiable.
138      netbios-dgm   Disabled     Not modifiable.
139      netbios-ssn   Disabled     Not modifiable.
161      snmp          Enabled      isi services snmp <enable or disable>
162      snmptrap      Enabled      isi services snmp <enable or disable>
300      mountd        Enabled      Not modifiable.
302     statd        Enabled    Not modifiable.
304     lockd        Enabled    Not modifiable.
305     nfsquotad    Disabled   isi services nfs <enable or disable>
306     nfsmgmtd     Disabled   isi services nfs <enable or disable>
389     ldap         Enabled    The port is opened on usage. To ensure that it is not used, delete the LDAP
                                configuration:
                                isi auth ldap delete <provider name>
                                To reenable this service, create a provider.
                                1. View all options for LDAP provider creation:
                                   isi auth ldap create --help
                                2. Create a provider:
                                   isi auth ldap create <provider name> <additional options>
443     https        Disabled   isi http settings modify --https <enable or disable>
                                   NOTE: This command takes effect immediately if the --service flag is
                                   enabled. If it is not, enable the service first.
445     microsoft-ds Disabled   isi services -a smb <enable or disable>
514     syslog       Enabled    Not modifiable.
585     hdfs         Enabled    isi hdfs settings modify --service <true or false>
        (datanode)
623     N/A          Enabled    Not modifiable.
636     ldap         Disabled   The port is opened on usage. To ensure that it is not used, delete the LDAP
                                configuration:
                                isi auth ldap delete <provider name>
                                To reenable this service, create a provider.
                                1. View all options for LDAP provider creation:
                                   isi auth ldap create --help
                                2. Create a provider:
                                   isi auth ldap create <provider name> <additional options>
664     N/A          Enabled    Not modifiable.
989     ftps-data    Disabled   Not modifiable.
        (implicit)
990     ftps         Disabled   Not modifiable.
        (implicit)
2049    nfs          Enabled    isi services nfs <enable or disable>
2097    SyncIQ       Disabled   isi sync settings modify --service <on or off>
2098    SyncIQ       Disabled   isi sync settings modify --service <on or off>
3147   isi_replicate Disabled   isi services -a isi_replicate <enable or disable>
3148   SyncIQ       Disabled    isi sync settings modify --service <on or off>
3149   SyncIQ       Disabled    isi sync settings modify --service <on or off>
3268   lsass        Disabled    Enabled on use. For information about using AD, see the PowerScale OneFS
                                9.5.0.0 CLI Administration Guide.
5019   ifs          Enabled     Not modifiable.
5055   smartconnect Enabled     Not modifiable.
5666   isi_replicate Disabled   isi services -a isi_replicate <enable or disable>
5667   SyncIQ       Disabled    isi sync settings modify --service <on or off>
5668   SyncIQ       Disabled    isi sync settings modify --service <on or off>
6514   syslog       Disabled    To enable:
                                isi audit settings global modify
                                  --config-auditing-enabled true
                                  --config-syslog-enabled true
                                  --config-syslog-tls-enabled true
                                  --config-syslog-servers <IP address>:6514
                                To disable:
                                isi audit settings global modify --config-syslog-tls-enabled false
6557   isi_ph_rpcd Disabled     Modifiable to enable or disable performance collection. The isi_ph_dump
                                process controls this service. The isi_ph_dump process does the following:
                                ● It automatically opens the 6557 port and starts the isi_ph_rpcd
                                   performance collection service.
                                ● When collection is finished, it automatically closes the port and disables
                                   the service.
                                Use the following command to start performance collecting:
                                isi_ph_dump --run
                                You can proactively disable the collection service:
                                isi services -a isi_ph_rpcd disable
                                For information about performance collection, use the help option:
                                 isi_ph_dump -h
                                and
                                 isi_ph_pc --help
7722   isi_dm_d     Disabled    isi services -a isi_dm_d <enable or disable>
8020   hdfs       Enabled       isi services hdfs <enable or disable>
       (namenode)
8080   isi_webui    Enabled     Not modifiable.
8082   WebHDFS      Disabled    Not modifiable, but you can switch WebHDFS settings:
                                isi hdfs settings modify --webhdfs-enabled <true or false>
8083   lwswift      Enabled     Not modifiable, but you can configure Swift with isi swift accounts.
                                    NOTE: Support for Open Stack Swift will be removed in a future OneFS
                                    release. Use the S3 protocol instead.
8440      Ambari agent   Disabled      isi hdfs settings modify --ambari-server
                                       For more information and options, see the HDFS Reference Guide on the
                                       Support site.
8441      Ambari agent   Disabled      isi hdfs settings modify --ambari-server
8443      webhdfs-ran    Disabled      isi hdfs settings modify --webhdfs-enabled=<true/false>
8470      N/A            Disabled      Not modifiable.
9020      s3             Disabled      isi services -a s3 <enable or disable>
9021      s3             Disabled      isi services -a s3 <enable or disable>
9443      isi_esrs_d     Disabled      isi services -a isi_esrs_d <enable or disable>
10000     NDMP           Disabled      isi services -a ndmpd <enable or disable>
12228     cava           Disabled      isi services -a antivirus <enable or disable>
15000     isi_lcd_d      Enabled       Not modifiable.
15100     isi_upgrade_agent_d Enabled  isi services isi_upgrade_d <enable or disable>
                                           NOTE: This port is not modifiable. You can modify the TCP port on all
                                           interfaces, but the UDP port on the backend interface is unaffected.
20049     nfsordma       Disabled
28080     lwswift        Disabled      isi services -a lwswift <enable or disable>
Dynamic   isi_cbind_d    Enabled       Not modifiable.
Dynamic   lwwit          Disabled      isi services -a smb <enable or disable>
                                           NOTE: This turns off SMB since Witness is tied to SMB.
Services safe to disable
To improve security, you should restrict access to the PowerScale cluster by disabling network services that you do not use.
     NOTE: There are some services that you should not disable, because doing so could have a detrimental effect on cluster
     operations. The list below includes only those services that can be disabled without disrupting other operations on the
     cluster. This list does not include all the network services available on OneFS.
You can disable network services by running the following command, where <service> is the name of the service to disable:
 isi services -a <service> disable
     NOTE: Use the -a option to get access to all services. Without -a, you may receive a misleading error stating that the
     service is not modifiable when it actually is.
Disable the following services when they are not in use:
Table 8. Services to disable when not in use
Service name       Service description     Service function                  Corresponding daemons      Default
                                                                             and processes              setting
apache2            Apache2 Web Server      Connects to the Apache web        httpd                      Disabled
                                           server.
                                           Disabling apache2 disables file
                                           sharing over HTTP or HTTPS,
                                           but the OneFS web interface is
                                           still available.
isi_webui          The following command   Controls services for HTTP                                   Enabled
                   disables multiple       communications.
                   services:
                                           Another option is to use isi
                   isi services -a         http services modify to
                   isi_webui disable       individually disable and enable
                                           the WebUI, Papi-External, rsapi,
                   Disables all of the     and RAN services. See the
                   following:              section "Disable nonessential
                   ● WebUI, Papi-          HTTP services" for more
                     External, rsapi and   information.
                     RAN
                   ● WebHDFS
                   ● Swift
hdfs               HDFS Server             Connects to Hadoop Distributed lw-container hdfs             Disabled
                                           File System (HDFS).
isi_migrate        SyncIQ Service          Replicates data from one          isi_migr_sched             Enabled
                                           PowerScale cluster (source) to
                                           another cluster (target).         isi_migrate                Disabled
                                                                             isi_migr_bandwidth         Enabled
                                                                             isi_migr_pworker           Enabled
                                                                             isi_migr_sworker           Enabled
isi_object_d       PowerScale Object       Services OneFS API requests.      isi_object_d               Enabled
                   Interface
isi_ph_rpcd        Performance collector   Collects performance metrics.     isi_ph_dump (a process     Disabled
                                                                             that starts isi_ph_rpcd)
lwswift            Swift Server            Enables access to file-based      lw-container lwswift       Disabled
                                           data that is stored on the
                                           cluster as objects.
                                           The Swift API is implemented
                                           as a set of Representational
                                           State Transfer (REST) web
                                           services over HTTP or secure
                                           HTTP (HTTPS). Content and
                                           metadata can be ingested
                                           as objects and concurrently
                                           accessed through other
                                           supported Dell Technologies
                                           PowerScale protocols. For more
                                           information, see the PowerScale
                                           Swift Technical Note.
ndmpd                  Network Data              Backs up and restores services.    isi_ndmp_d                       Disabled
                       Management Protocol
                       Daemon
nfs                    NFS Server                Manages Network File System        ●   isi_netgroup_d               Disabled
                                                 (NFS) protocol settings.           ●   mountd
                                                                                    ●   gssd
                                                                                    ●   nfsd
                                                                                    ●   rpc.statd
                                                                                    ●   rpc.lockd
s3                     S3 Service                Connects to the S3 server.         lw-container s3                  Disabled
smb                    SMB Service               Enables or disables the Server     ● srv                            Disabled
                                                 Message Block (SMB) server.        ● rdr
                                                                                    ● srvsvc
snmp                   SNMP Server               Connects to the Simple             snmpd                            Disabled
                                                 Network Management Protocol
                                                 (SNMP) server.
vsftpd                 VSFTPD Server             Connects to the Very Secure        vsftpd                           Disabled
                                                 FTP (VSFTPD) server.
Disable nonessential HTTP services
You can disable and enable nonessential capabilities that listen on port 8080. The capabilities can be disabled and enabled
independently of each other. For security reasons, it is a best practice to disable services that are not required.
You can disable services using the CLI or API. The required privilege is ISI_PRIV_HTTP. In the CLI, use the isi http
services modify command. For example, to disable the PowerScale Web UI while still allowing other remote access through
the PAPI and CLI:
 isi http services modify --service-id=PowerScaleUI --enabled=false
The following table shows the services that you can control with this command and the results of disabling each service.
Service id            Description                                      Results when disabled
PowerScaleUI          The PowerScale Web Administration UI (Web        The Web UI is not available.
                      UI)
Platform-API-         The external interface to the PowerScale API     API queries originating external to the cluster are not
External              (PAPI)                                           accepted. The WebUI is not available. Internal platform
                                                                       APIs continue to operate.
RAN                   The restful access namespace                     Web UI pages that depend on REST are not available:
                                                                       ● Remote file browser
                                                                       ● File system explorer
RemoteService         The remote support service interface             Secure Remote Services management capabilities in the
                      (rsapi)                                          UI are not available. For example, the Manage Remote
                                                                       Services and Licensing pages are not available.
SWIFT                 The SWIFT interface                              SWIFT service is not available.
When a service is disabled and a user tries to use that service, an HTTP 503 error (Service Not Available) is returned.
There are some dependencies among the services, as described in the following table.
Service name           Effects on other services when enabled            Effects on other services when disabled
PowerScaleUI           When you enable the PowerScaleUI service,
                       the Platform-API-External service is
                       also enabled. The Web UI requires the PAPI
                       for all functions.
                           NOTE: When you disable the
                           PowerScaleUI, the Platform-API-
                           External service is not automatically
                           disabled. The PAPI can continue to service
                           other external requests when the Web UI
                           is disabled.
Platform-API-                                                            If you disable the Platform-API-External service,
External                                                                 the PowerScaleUI service is also disabled. The Web
                                                                         UI cannot operate without the PAPI.
                                                                              NOTE: If you enable the Platform-API-
                                                                              External service, the system does not
                                                                              automatically enable the PowerScaleUI service.
Communication security settings
For information about how to authenticate between client nodes and Dell Technologies PowerScale systems, see the
"Authentication" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
Firewall default settings
PowerScale 9.5.0.0 and later supports a host-based firewall. The firewall controls inbound traffic on the front-end network.
The firewall is disabled by default. The STIG hardening profile enables the firewall and the default policies.
The firewall is based on policies, which are collections of rules. You apply policies to subnets or network pools.
The firewall comes with predefined default policies that protect the PowerScale default ports. You can modify the default
policies. You can reset the default policies back to their original installed state.
     NOTE: If your installation does not use the default port for an inbound traffic protocol, you must change the rules for those
     protocols in the default firewall policies. Otherwise, the default policies do not protect your changed ports.
You can create custom policies and custom rules that define a firewall for your specific network management and security
requirements. For convenience in developing custom policies, you can start by creating a clone of an existing policy.
The following table describes the default policies that are installed with OneFS.
Policy                          Summary
default_pools_policy            Contains rules for the inbound default ports for TCP and UDP services in OneFS. For a list of
                                default ports, see Network port usage.
default_subnets_policy          Contains rules for:
                                ● DNS port 53
                                ● Rule for ICMP
                                ● Rule for ICMP6
For information about configuring the firewall, see the "Host-based firewall" section in the "Networking" chapter of the
PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Protocols
OneFS includes several communication protocols.
   NOTE:
     On new installations of OneFS, all protocols are disabled by default. You must enable any protocols that you plan to use. In
     addition, the default /ifs export and the /ifs share no longer exist.
Upgrading to or from other versions does not affect existing configurations. If a service or share is enabled, it continues to be
enabled after upgrades.
As a security best practice, it is recommended that you disable or place restrictions on all protocols that you do not plan to
support. For instructions, see Data-access protocols best practices.
FTP security
The FTP service is disabled by default. You can set the FTP service to allow any node in the cluster to respond to FTP requests
through a standard user account.
When configuring FTP access, ensure that the specified FTP root is the home directory of the user who logs in. For example,
the FTP root for local user jsmith should be /ifs/home/jsmith. You can enable the transfer of files between remote FTP
servers and enable anonymous FTP service on the root by creating a local username anonymous or ftp.
     NOTE: OneFS supports FTP, the gate-ftp variant of FTP, pftp, and sftp. OneFS does not support tftp.
     CAUTION: The FTP service supports cleartext authentication. If you enable the FTP service, the remote FTP
     server allows username and password transmission in cleartext. As a result, authentication credentials might be
     intercepted. If you must use FTP, it is recommended that you enable TLS on the FTP service, and then connect
     with an FTP client that supports TLS.
To enable TLS on the FTP service:
1. Change the <ssl_enable> property in the /etc/mcp/sys/vsftpd_config.xml file to the following:
     <ssl_enable default="NO">YES<isi-meta-tag id="ssl_enable" can-mod-text="yes"/></ssl_enable>
2. With that change, the FTP service requires a TLS certificate. The following parameter indicates where vsftpd looks for a
   certificate:
     <rsa_cert_file default="/usr/share/ssl/certs/vsftpd.pem">/usr/share/ssl/certs/vsftpd.pem<isi-meta-tag id="rsa_cert_file" can-mod-text="yes"/></rsa_cert_file>
3. If needed, acquire a certificate from a trusted certificate authority and add it to the cluster. For more information, see the
   Certificates section in the "General cluster administration" chapter in the PowerScale OneFS 9.5.0.0 Web Administration
   Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
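The following Python is an added example (not from the guide or from OneFS) that applies steps 1 and 2 above to a constructed fragment in the shape the guide shows for /etc/mcp/sys/vsftpd_config.xml: it sets ssl_enable to YES while keeping the isi-meta-tag child intact, and reports whether the file named in rsa_cert_file is present. The enclosing root element, the starting value NO, and the helper names are assumptions of this example; only the element names, attributes and meta tags come from the guide.

```python
"""Enable TLS in the OneFS vsftpd MCP config and check the certificate path.

Added example, not from the guide. Only the <ssl_enable> and <rsa_cert_file>
elements, their attributes and the <isi-meta-tag/> child are taken from the
guide; the root element, the initial value NO, and the function names are
assumptions of this example.
"""
import os
import xml.etree.ElementTree as ET

# Constructed fragment wrapped in an assumed root element.
SAMPLE_CONFIG = """<vsftpd_config>
  <ssl_enable default="NO">NO<isi-meta-tag id="ssl_enable" can-mod-text="yes"/></ssl_enable>
  <rsa_cert_file default="/usr/share/ssl/certs/vsftpd.pem">/usr/share/ssl/certs/vsftpd.pem<isi-meta-tag id="rsa_cert_file" can-mod-text="yes"/></rsa_cert_file>
</vsftpd_config>
"""


def _setting(root: ET.Element, name: str) -> ET.Element:
    """Find a top-level setting element or fail loudly."""
    el = root.find(name)
    if el is None:
        raise KeyError(f"<{name}> not found in config")
    return el


def enable_ftp_tls(xml_text: str) -> str:
    """Return the config with <ssl_enable> set to YES (step 1 of the guide).

    The value is the element's text, which sits before the <isi-meta-tag/>
    child; the child is left untouched. Refuses to edit a setting whose
    meta tag does not mark the text as modifiable.
    """
    root = ET.fromstring(xml_text)
    el = _setting(root, "ssl_enable")
    meta = el.find("isi-meta-tag")
    if meta is None or meta.get("can-mod-text") != "yes":
        raise ValueError("ssl_enable is not marked as text-modifiable")
    el.text = "YES"
    return ET.tostring(root, encoding="unicode")


def ftp_tls_status(xml_text: str) -> dict:
    """Report whether TLS is on and whether the configured cert file exists (step 2)."""
    root = ET.fromstring(xml_text)
    ssl_value = (_setting(root, "ssl_enable").text or "").strip().upper()
    cert_el = _setting(root, "rsa_cert_file")
    # Fall back to the element's default attribute if the text is empty.
    cert_path = (cert_el.text or "").strip() or cert_el.get("default", "")
    return {
        "tls_enabled": ssl_value == "YES",
        "cert_path": cert_path,
        "cert_present": os.path.isfile(cert_path),
    }


if __name__ == "__main__":
    updated = enable_ftp_tls(SAMPLE_CONFIG)
    status = ftp_tls_status(updated)
    print(f"TLS enabled: {status['tls_enabled']}")
    print(f"certificate {status['cert_path']} present: {status['cert_present']}")
```

When TLS is enabled but cert_present is False, vsftpd has nothing to serve; install the certificate (step 3) before relying on the FTP service.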
HDFS security
See the PowerScale OneFS HDFS Reference Guide for security information.
One additional security consideration is that Cloudera Data Platform (CDP) Hadoop supports only secure URLs.
HTTP and HTTPS security
Basic authentication
On new installations, the HTTP Basic authentication method is disabled by default.
      WARNING: Enabling HTTP Basic authentication increases the risk that is associated with cross site request
      forgery (CSRF) attacks.
Session-based authentication is a recommended alternative. If you are disabling Basic authentication after having it enabled,
URIs that worked with Basic authentication will no longer work by default.
Accessing the Web UI when HTTP is disabled
HTTPS is always available for accessing the Web UI, even when HTTP is disabled.
To access the web UI with HTTPS, specify the port number in the URL. The default port is 8080. For example, access the
OneFS web UI as follows:
    https://<ip>:8080
Apache server and HTTP default configurations
The OneFS Apache server and HTTP services are configured by default for a secure and accessible experience.
      NOTE: Changing the default Apache configurations may weaken the security of the system.
The following default configurations are implemented.
● OneFS runs two instances of the Apache server. One instance handles HTTP requests for data access (the data path). The
  other instance handles administrative functions (the control path). These Apache instances monitor the following ports by
  default:
  ○ Port 8080 is used for administrative access, which includes:
     ■ Web UI and PAPI
     ■ RAN in nonhardened mode
  ○ Ports 80, 443, 8082, 8443, and 8083 are used for data access.
         Ports 80 and 443          Basic file and WebDAV access
         Port 8082                 webhdfs, jmx, and imagetransfer HTTP access
         Port 8083                 SWIFT HTTPS access
         Port 8443                 RAN and webhdfs, jmx, and imagetransfer HTTPS access
     For more information about port usage, see Network port usage.
●    The server is run under a reduced privileged user.
●    Apache web server application directories, libraries, and configuration files are accessible only to privileged users.
●    Legacy TLS protocols (SSL, TLSv1.0, TLSv1.1) are disabled in favor of TLS v1.2.
●    Strong cipher suites are enabled for key exchange, bulk encryption, and hashing to strengthen the confidentiality, integrity,
     and authenticity of the communication channel.
●    The HTTP layer on top of TLS is strengthened through the following security best practice HTTP headers:
     ○ Content-Security-Policy—specifies policy for HTTPS access.
     ○ Strict-Transport-Security—specifies that browsers use HTTPS rather than HTTP.
     ○ X-Frame-Options: sameorigin—secures data access to the same HTTP instance.
     ○ X-Content-Type-Options: nosniff—prevents clients from guessing (sniffing) the MIME type of the requested asset
       instead of using the declared Content-Type.
     ○ X-XSS-Protection "1; mode=block"—prevents cross-site scripting attacks on older browsers.
●    To reduce unnecessary information disclosure of the specific server version and technology, the HTTP response headers
     contain a generic server string.
●    The PAPI defines explicit limits on allowed HTTP verbs. Limits are defined individually on each resource and are operationally
     appropriate for each resource.
●    Authentication is required and integrated with the OneFS authentication providers.
●    Sessions are maintained using industry standard HTTP cookies. Security attributes are enabled for such cookies.
●    OneFS detects HTTP and HTTPS session inactivity and closes inactive sessions. Configurable timeout values control session
     closing.
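The header and cookie defaults listed above can be checked from the client side. The following added example (not from the guide or from OneFS) audits a captured HTTP response header block against that list: the five best-practice headers, a generic Server string, and security attributes on session cookies. The sample responses are constructed, the cookie name is a placeholder, and the specific attributes checked (Secure and HttpOnly) are an assumption, since the guide does not name them.

```python
# Constructed sample response header blocks, as a client would capture them from the
# administrative Apache instance on port 8080. Values are illustrative, not from a cluster.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: session=PLACEHOLDER; Path=/; Secure; HttpOnly
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4 (FreeBSD) OpenSSL/1.1
X-Frame-Options: allow-from https://example.com
Set-Cookie: session=PLACEHOLDER; Path=/
"""

# Headers the guide lists as enabled by default. A value of None means the header
# only has to be present; otherwise the (lower-cased) value must match exactly.
EXPECTED_HEADERS = {
    "content-security-policy": None,
    "strict-transport-security": None,
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

# Cookie attributes this example requires on every Set-Cookie (assumption, see lead-in).
REQUIRED_COOKIE_ATTRS = ("secure", "httponly")


def parse_headers(raw):
    """Split a raw response header block into (status line, {name: [values]})."""
    lines = raw.strip().splitlines()
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_response(raw):
    """Return a sorted list of findings; an empty list means the response matches the defaults."""
    _, present = parse_headers(raw)
    findings = []

    for name, expected in EXPECTED_HEADERS.items():
        values = present.get(name)
        if not values:
            findings.append(f"missing header: {name}")
        elif expected is not None and values[0].lower() != expected:
            findings.append(f"unexpected value for {name}: {values[0]}")

    # The guide says the Server header carries a generic string without version or technology.
    for server in present.get("server", []):
        if "/" in server or any(ch.isdigit() for ch in server):
            findings.append(f"server header discloses version: {server}")

    # Session cookies should carry security attributes.
    for cookie in present.get("set-cookie", []):
        parts = cookie.split(";")
        attrs = {p.strip().lower().split("=", 1)[0] for p in parts[1:]}
        for required in REQUIRED_COOKIE_ATTRS:
            if required not in attrs:
                findings.append(f"cookie lacks {required} attribute: {parts[0].strip()}")

    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```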
Session timeouts
Sessions that are allowed to remain open indefinitely are a security risk. An attacker could use an already authenticated session
to access a hosted application. As a protection against this type of attack, OneFS detects HTTP and HTTPS session inactivity
and closes inactive sessions using configurable timeouts.
Use the isi http settings modify command to configure timeouts. The following table shows the timeout parameters,
the corresponding Apache directives that they implement, and their default values.
Parameter in isi http settings modify                   Apache directive        Default, nonhardened cluster (seconds)   Default, hardened cluster (seconds)
--service-timeout                                       Timeout                 500                                      10
  (affects the Apache instance and each HTTP service)
--inactive-timeout                                      RequestReadTimeout      500                                      10
--session-max-age                                       SessionMaxAge           500                                      10
For usage information about isi http settings modify and other commands that are related to HTTP configuration and
services, see PowerScale OneFS 9.5.0.0 CLI Administration Guide.
HTTP services
The isi http services list command shows supported HTTP services and whether the service is enabled or disabled on
your cluster. For example:
 isi http services list
 ID                     Enabled
 ------------------------------
 Platform-API-External Yes
 PowerScaleUI           Yes
 RAN                    Yes
 RemoteService          Yes
 SWIFT                  No
 ------------------------------
 Total: 5
     NOTE: The RESTful Access to Namespace (RAN) is the data access service.
The PowerScaleUI service is enabled by default. Other services are disabled by default. You can use the isi http
services modify command to enable and disable services.
NFS security
On new installations of OneFS, all protocols are disabled by default. If you support NFS, you must enable it. Dell Technologies
recommends using authenticated NFSv4.
To enable NFS and learn about NFS security options, see the "File sharing" chapter of the PowerScale OneFS 9.5.0.0 Web
Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
S3 security
The S3 service is disabled by default. With the S3 service enabled, only HTTPS access to S3 is enabled by default.
     NOTE: The S3 service is independent of HTTP Server configuration.
For more information about S3, see the "S3 support" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or
the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
SMB security
On new installations, SMB data access to the cluster is disabled by default. On upgrades, if SMB was explicitly being used
before the upgrade, it remains enabled.
To use SMB, you must:
1. Enable the SMB service.
2. Create an SMB share.
    NOTE: Enabling the SMB service enables SMB1 by default unless you specifically disabled SMB1. You must disable SMB1
    manually, preferably before enabling SMB. See the next section, Disable SMB1.
    NOTE: For maximum security, do not enable SMB unless you intend to use it. Even though a share is required before SMB
    is usable, an attack might be possible without a share if there is a vulnerability in the OneFS implementation of SMB.
For more detail and to read about other SMB features and configuration, see the "File sharing" chapter of the PowerScale
OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Disable SMB1
Enabling SMB enables the SMB1 protocol. You must disable SMB1 manually.
It is recommended that you manually disable the SMB1 protocol before enabling SMB. For existing clusters, it is recommended
that you manually disable SMB1.
    NOTE: FIPS mode and the STIG hardening profile both disable SMB1 by default. Regardless, it is a good practice to disable
    SMB1 in case FIPS mode or the STIG hardening profile are disabled in the future.
1. Log in to an SSH session using root or the account of last resort.
2. On a new cluster when the SMB service is not yet enabled, use these steps:
   a. Disable SMB1.
        isi_gconfig registry.Services.lwio.Parameters.Drivers.srv.SupportSmb1=0
   b. Enable the SMB service.
3. On an existing cluster when the SMB service is already running, use these steps:
   a. (Optional) Examine the protocol statistics for connected SMB1 clients.
              isi statistics client --protocols smb1
       If any clients are using SMB1, reconfigure or upgrade them to use SMB2. Otherwise, replace them with a client that
       supports SMB2.
   b. Disable SMB1.
        isi_gconfig registry.Services.lwio.Parameters.Drivers.srv.SupportSmb1=0
   c. Restart the smb service.
       This step disconnects any current SMB1 clients and updates the configuration to prevent new SMB1 connections.
SMB share security settings
You can view and configure the security settings of an SMB share. You can also view and configure default share settings that
are used as a template for creating shares. The default share settings help to create more consistent configurations across all
shares.
    NOTE: Changes that are made directly to an SMB share override the default settings that are configured from the Default
    Share Settings tab.
There are many security options that you can use either on their own or in combination. The following steps get you started
with viewing and configuring the settings. For descriptions of all options and their usage, see the "SMB security" section in
the "File Sharing" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
1. To view and configure the security settings for an individual SMB share, use either the CLI or web administration UI.
     On the CLI, use variations of the following command:
      isi smb shares ...
     On the web administration UI:
     a.   Click Protocols > Windows Sharing (SMB) > SMB Shares.
     b.   Select the share.
     c.   Click View/Edit.
     d.   Click Edit SMB Share.
2. To view and configure the default SMB share security settings, use either the CLI or web administration UI.
     On the CLI, use variations of the following command:
      isi smb settings ...
     On the web administration UI:
     a. Click Protocols > Windows Sharing (SMB) > Default Share Settings.
     b. Click Advanced Settings.
Limit NetSessionEnum to admins only
A configuration setting can limit usage of the SMB NetSessionEnum function to admins only.
The SMB NetSessionEnum function lists all the SMB sessions running against the SMB server, which exposes usernames and
could be a potential security risk.
By default, the SMB implementation in OneFS adheres to the Microsoft specification regarding NetSessionEnum. The
specification permits any authenticated user to run NetSessionEnum.
In OneFS, you can limit NetSessionEnum usage to admins only. This restriction applies to every caller of NetSessionEnum,
including commonly used third-party tools that embed the function.
To implement this enhancement:
1. If SMB is enabled, disable it.
      isi services -a smb disable
2. Enable the NetSessionEnum limiting feature.
      isi_gconfig registry.Services.srvsvc.Parameters.RequireAdministratorAccess=1
3. Enable the SMB service.
      isi services -a smb enable
          NOTE: To make SMB usable, you must also create a share. For information, see the "File sharing" chapter of the
          PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Mixed data-access protocol environments
With the OneFS operating system, you can access data with multiple file-sharing and transfer protocols. As a result, Microsoft
Windows, UNIX, Linux, HDFS, and macOS clients can share the same directories and files.
For more information about data access protocol environments, see the Mixed Protocol Environment section of the PowerScale
OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide. Also see Dell EMC
PowerScale OneFS: Authentication, Identity Management, and Authorization, a technical white paper about multiprotocol data
access and the OneFS unified permission model.
Data security
This section describes configuration options for securing stored data in OneFS clusters. For recommended best practices that
protect data, also see Data-access protocols best practices.
Data access settings
OneFS supports two types of permissions data on files and directories that control who has access: Windows-style access
control lists (ACLs) and POSIX mode bits (UNIX permissions). You can configure global policy settings that enable you to
customize default ACL and UNIX permissions to best support your environment.
For more information, see the "Data access control" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the
PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Data-at-rest encryption
You can enhance data security on a cluster that contains only self-encrypting-drive nodes by providing data-at-rest encryption
(DARE) protection. Data-at-rest encryption requires FIPS cryptography. Some drives are shipped to comply with FIPS 140-2
requirements. Otherwise, apply either STIG hardening or FIPS-enabled mode to the cluster. For more information about STIG
hardening and FIPS, see United States Federal and DoD Standards and Compliance or FIPS Standards and Compliance.
You can enable external key management for self-encrypting drives (SED). This feature moves the data encryption keys off the
drives. A KMIP 1.2 compatible external key management server is required.
For more information, see:
● The "Data-at-rest encryption" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale
  OneFS 9.5.0.0 CLI Administration Guide
● The Key stores section in this guide
● The PowerScale OneFS Data-at-Rest Encryption white paper
Data sanitization
You can use the Instant Secure Erase (ISE) functionality to remove confidential data out of a drive before returning the
equipment.
For more information, see the "Data Removal with Instant Secure Erase (ISE)" chapter in the PowerScale OneFS 9.5.0.0 Web
Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Data recovery
In OneFS, you can back up and recover file-system data through the Network Data Management Protocol (NDMP). From a
backup server, you can direct backup and recovery processes between a PowerScale cluster and backup devices.
For more information, see the "Administering NDMP" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or
the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Key stores
OneFS maintains key stores for storing sensitive information. The Key Manager is a backend service that manages the key
stores.
The OneFS key stores are provider databases. A key store consists of backend storage and an encryption key that is used to
encrypt the entries. All entries in the key stores are encrypted.
There are two key store domains in OneFS:
● Cluster key store
● Self-encrypted drive (SED) key store
The cluster key store manages keys for all cluster-wide domains, such as CloudPools, S3, JWT, Datamover, IPMI Mgmt, SSO,
and so on. The isi keymanager cluster status command shows all domains that have keys in the cluster key store.
The SED key stores are stored locally on each node. You can optionally migrate the local key stores to a remote KMIP server.
For information, see the "Data-at-rest encryption" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the
PowerScale OneFS 9.5.0.0 CLI Administration Guide.
The key manager service maintains the key stores mostly without administrator involvement. If a breach or loss of trust occurs,
administrators with ISI_PRIV_KEY_MANAGER privilege can rekey the key stores.
Rekey and reencrypt the data stores
The key stores should be reencrypted if the site experiences a security breach.
If you suspect a security breach or loss of trust, you should start the process to reencrypt the key stores. For example, if an
employee with access to the root account leaves, that might be a reason to reencrypt.
The OneFS rekey operation does the following:
● Generates a new encryption key.
● Decrypts each entry in the key store and reencrypts it with the new key.
● Preserves the old encryption key until reencryption with the new key is completed successfully.
The rekeying process does not interrupt any processing. OneFS can create entries and read existing entries in a key store during
a rekeying operation.
Start a rekey operation
You can start a rekey operation using the Web UI or CLI.
1. Log in to OneFS with ISI_PRIV_KEY_MANAGER privilege.
2. Start the rekey operation.
     Option                     Description
     On the Web UI              a. Go to Access > Key Management > SED/Cluster Rekey.
                                b. Click Rekey Now in the SED keys or Cluster keys section.
     On the CLI                 To rekey the cluster key store:
                                 isi keymanager cluster rekey start
                                To rekey the SED key stores:
                                 isi keymanager sed rekey start
3. View the status of the rekey operation.
     Option           Description
     On the Web UI    The SED/Cluster Rekey page shows the status of the current operation and the last time that the key
                      store was rekeyed.
     On the CLI       To view the cluster rekey status:
                       isi keymanager cluster status
                      To view the SED rekey status:
                       isi keymanager sed status
                      The Key Creation Date column shows the last time that the key store was rekeyed.
Set automatic rekey schedule
Rekeying is typically performed on demand, only as needed. If security regulations at your site require more frequent rekeying,
you can optionally set up an automatic rekeying schedule.
● On the Web UI, go to Access > Key Management > SED/Cluster Rekey.
● On the CLI, use either the isi keymanager cluster rekey modify or the isi keymanager sed rekey
  modify command.
You specify the schedule as a duration interval. On the Web UI, you can set the interval in days, months, and years. On the CLI,
you have more granular options.
1. Log in to OneFS with ISI_PRIV_KEY_MANAGER privilege.
2. Set up the interval between rekey operations.
    Option           Description
    On the Web UI a. Go to Access > Key Management > SED/Cluster Rekey.
                  b. Click the Automatic Rekey checkbox in the SED keys or Cluster keys section.
                  c. Use integers in the Day, Month, and Year text boxes to specify the interval between rekey operations.
    On the CLI       To set a schedule for rekeying the cluster key store:
                      isi keymanager cluster rekey modify --key-rotation <duration>
                     To set a schedule for rekeying the SED key stores:
                      isi keymanager sed rekey modify --key-rotation <duration>
3. View scheduling information.
    Option           Description
    On the Web UI    The SED/Cluster Rekey page shows the interval and the date of the next scheduled rekey operation.
    On the CLI       To view the cluster rekey schedule:
                       isi keymanager cluster rekey view
                     To view the SED rekey schedule:
                       isi keymanager sed rekey view
                     The Key Rotation field shows the schedule.
Cryptography
OneFS uses globally recognized cryptographic algorithms and protocols, including:
● HTTPS
● Kerberos
● SSH
● Transport Layer Security (TLS)
● TLS to Lightweight Directory Access Protocol (LDAP)
The following sections describe cryptographic use in OneFS, including the current cryptographic releases, which algorithms are
used, and where in the product the algorithms are used.
    NOTE: Different releases of OneFS may support different cryptographic inventories. If you have questions about the
    cryptographic inventory for different versions of OneFS, contact Dell Technologies Support.
Cryptographic options
The following sections describe supported cryptographic options for each protocol.
Cryptographic inventory for HTTPS
The HTTPS cryptography applies to HTTPS clients and to the OneFS web administration interface.
TLSv1.2 cipher suites supported by HTTPS
     NOTE: See the next section for the list of supported cipher suites when FIPS mode is enabled.
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
Cryptographic inventory for HTTPS in FIPS enabled mode
The following cryptography applies to REST clients. It also applies to the OneFS web administration interface when FIPS mode is
enabled.
TLSv1.2 cipher suites supported by HTTPS in FIPS enabled mode
For more information about FIPS support, see FIPS Standards and Compliance.
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1)
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1)
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1)
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1)
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1)
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1)
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
Cryptographic inventory for NFS
This section lists the NFS cryptographic algorithms that are available in OneFS.
Usage of these algorithms depends on your configuration and workflow. For configuration information, refer to the PowerScale
OneFS 9.5.0.0 CLI Administration Guide.
     NOTE: When Kerberos is used, it is important that the cluster and the KDC are time-synchronized through a common NTP setup.
NFS default settings
Setting                                                Enabled/disabled
NFS service                                            Disabled
NFSv3                                                  Disabled
NFSv4                                                  Disabled
NFSv3 algorithms
Algorithm                                              Description
Key Exchange Algorithms                                RPCSEC_GSS, KerberosV5
Authentication Algorithms                              *see NFS authentication algorithms table
Encryption Algorithms                                  AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
Message Authentication Code Algorithms (integrity)     RPCSEC_GSS, enforces TCP protocol at transport layer
NFSv4 algorithms
Algorithm                                              Description
Key Exchange Algorithms                                RPCSEC_GSS, KerberosV5
Authentication Algorithms                              *see NFS authentication algorithms table
Encryption Algorithms                                  AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
Message Authentication Code Algorithms (integrity)     RPCSEC_GSS, enforces TCP protocol at transport layer
NFS authentication algorithms
Authentication depends on the security approach but can be overridden if the device is blocked in a netgroup, or there is a rule
mapping a uid to something else.
Security approach   Description
AUTH_UNIX           Trust the remote device for authentication; no integrity check, no encryption
krb5                Trust the KDC; no integrity check, no encryption
krb5i               Trust as krb5; integrity check using RPCSEC_GSS (RPC headers are signed, and headers and data are
                    hashed); no encryption
krb5p               Trust as krb5; integrity as krb5i; encryption using one of AES256-CTS, AES128-CTS, RC4-HMAC,
                    DES-CBC-MD5, DES-CBC-CRC
Cryptographic inventory for OpenSSH
The following table shows the OpenSSH cryptographic algorithms that are supported in OneFS.
Algorithm                                   Description
Encryption Algorithms                       aes192-ctr, aes256-ctr, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com
Key Exchange Algorithms                     curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256,
                                            ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256,
                                            diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,
                                            diffie-hellman-group14-sha256
Host Key Algorithms                         rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
Authentication Algorithms                   Depends on cluster configuration
Message Authentication Code Algorithms      hmac-sha2-256
(integrity)
Cryptographic inventory for OpenSSH in FIPS enabled mode
The following table describes the OpenSSH cryptographic algorithms that are automatically used when FIPS mode is enabled.
     NOTE: More cryptographic changes are desirable for FIPS compliance. In OneFS 9.5.0.0, you must perform these additional
     changes with CLI commands. To enable FIPS mode, ensure that you perform all the steps in Enable FIPS mode .
For more information about FIPS support, see FIPS Standards and Compliance.
Algorithm                                           Description
Encryption Algorithms                               aes256-ctr
Key Exchange Algorithms                             ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
                                                    diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256
Host Key Algorithms                                 rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
Authentication Algorithms                           Depends on cluster configuration
Message Authentication Code Algorithms              hmac-sha2-256
(integrity)
Cryptographic inventory for SNMPv3
This section lists the SNMPv3 cryptographic algorithms as used in OneFS.
Algorithm                                                              Description
Authentication Algorithms                                              HMAC-SHA-96, MD5
Privacy                                                                3DES, AES-128-CFB
     NOTE: The SNMPv3 authentication algorithm defaults to MD5, and the privacy algorithm defaults to AES.
Cryptographic inventory for SMB
This section lists the SMB cryptographic algorithms that are available in OneFS.
     NOTE: For ultimate security in your OneFS environment, it is recommended that you use encryption, and not signing.
Usage of these algorithms depends on your configuration and workflow. For configuration information, see the PowerScale
OneFS 9.5.0.0 CLI Administration Guide.
The SMB service in OneFS supports SMBv1, SMBv2, and SMBv3.
SMB algorithms
Algorithm                                Description
Authentication Algorithm                 ● krb5
                                         ● NTLM (GSS-SPNEGO)
SMBv3 Encryption Algorithm               ● AES-128-CCM
                                         ● AES-128-GCM (faster)
SMB signing algorithms
    NOTE: For signing information, see the SMB Signing section in Design and Considerations for SMB Environments.
SMB protocol version                     SMB signing algorithm description
SMB 1                                    MD5
SMB 2.0.2, 2.1                           HMAC-SHA256
                                         GSS-API SessionKey (key derivation)
SMB 3.0, 3.0.2, 3.11                     AES-128-CMAC (signing)
                                         GSS-API SessionKey and KDF (key derivation)
                                         Used by the GSS-API, NTLM mechanism:
                                         ● RC4 (schannel encryption)
                                         ● MD5-HMAC (signing)
                                         Used by the GSS-API, KRB5 mechanism (all encryption types provide signing and
                                         encryption):
                                         ● AES256-CTS
                                         ● AES128-CTS
                                         ● RC4-HMAC
                                         ● DES-CBC-MD5
                                         ● DES-CBC-CRC
Certificate management
PowerScale clusters ship with a self-signed TLS certificate. It is recommended that you replace the default TLS certificate with
a signed certificate.
For instructions, see the Certificates section in the "General Cluster Administration" chapter in the PowerScale OneFS 9.5.0.0
Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Regulatory information
For information about regulatory information for OneFS, see the Dell Export Compliance List on the Support site.
Auditing and logging
OneFS supports several auditing, events, logging, and similar capabilities.
Table 9. Auditing and logging capabilities
Name                        Description
Auditing                    You can enable the following types of auditing on a cluster:
                            ● Configuration change auditing—Configuration auditing tracks all system configuration events
                              that the platform API handles, including writes, modifications, and deletions.
                            ● Protocol activity auditing—Protocol audits record activity that occurs through SMB, NFS,
                              and HDFS protocol connections. You can enable and configure protocol auditing for one or
                              more access zones in a cluster. By default, audited access zones track only certain events
                              on the PowerScale cluster, including successful and failed attempts to access files and
                              directories. The events that are tracked by default are create, close, delete, rename,
                              and set_security.
                            ● System level auditing—System auditing tracks system platform events and user account
                              events. Examples of platform events are node startup and shutdown, module loads and unloads,
                              and user logins. User account events track user account and password changes.
Syslog forwarding           You can configure auditing to forward logs to one or more remote syslog servers. TLS
                            communication is an option for syslog forwarding. You can enable forwarding separately for each of
                            the auditing types.
                            The recommended secure configuration for auditing is syslog forwarding with TLS properly
                            configured.
Common Event Enabler        You can configure OneFS to send protocol auditing logs to servers that support the Common
(CEE)                       Event Enabler (CEE). OneFS integration with CEE enables third-party auditing applications to
                            collect and analyze protocol auditing logs.
Tracking node splits and    OneFS monitors every node in a cluster. If a node is unreachable over the internal network, OneFS
merges                      separates the node from the cluster. The node separation is called splitting. When the cluster can
                            reconnect to the node, OneFS merges the node back into the cluster.
                            When a node is split from a cluster, it continues to capture event information locally. When
                            the node that was split rejoins the cluster, local events that were gathered during the
                            split are deleted. You can view split node events in the node event log file at /var/log/
                            isi_celog_events.log.
For more information about auditing, syslog forwarding, and CEE integration, see the "Auditing" chapter in the PowerScale
OneFS 9.5.0.0 Web Administration Guide or the "Auditing and Logging" chapter in PowerScale OneFS 9.5.0.0 CLI
Administration Guide. Information about node splits and merges is in the "PowerScale scale-out NAS" chapter in the
Administration guides.
Logs
For information about logs, see the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
Dell Technologies recommends that you send syslogs to an external syslog server. This best practice protects logged events in
cases where cluster access is compromised. For more information and the configuration steps, see Forward audited events to
remote server.
Log management
OneFS supports the following methods for managing logs.
Log levels
The current logging level is displayed with the following command:
 sysctl ilog.syslog
Output should include the following:
 ilog.syslog: error,warning,notice
Available levels are Error, Warning, Notice, Info, and Debug.
    NOTE: Avoid using Info and Debug, unless Dell Technologies Customer Support instructs you to enable them.
Logging to the console is off by default.
Log rotation
Log rotation capabilities are available in the /etc/newsyslog.conf file. You can modify the rotation of the logs.
The /var/log/messages file defaults to five stored iterations.
System behavior on failed log attempts
When a write to a log fails, the entry is not recorded.
Log protection
For integrity protection, configure permissions in the /etc/newsyslog.conf file. Use permissions that you consider
appropriate. The standard configuration is recommended.
Logging format
For information about logging formats, see the "Auditing and Logging" section of the PowerScale OneFS 9.5.0.0 CLI
Administration Guide or the "Auditing" section of the PowerScale OneFS 9.5.0.0 Web Administration Guide.
Events and alerts
OneFS continuously monitors the health and performance of your cluster and generates events when situations occur that
might require your attention.
Events can be related to file system integrity, network connections, jobs, hardware, and other vital operations and components
of your cluster. OneFS analyzes the captured events. Events with similar root causes are organized into event groups.
An event group is a single point of management for numerous events that are related to a particular situation. You can
determine which event groups you want to monitor, ignore, or resolve.
An alert is the message that reports on a change that has occurred in an event group. For some events, you can set the
thresholds at which to raise alerts.
You can control how alerts in an event group are distributed. Alerts are distributed through channels that you create. A channel
can send alerts to a specific audience, control the content that the channel distributes, and limit the frequency of the alerts.
For information about viewing and managing events and configuring alerts, see the "Events and alerts" section in the "General
cluster administration" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0
CLI Administration Guide.
Physical security
Physical security addresses a different class of threats than the operating environment and user access security concepts that
are discussed elsewhere in this guide. The objective of physical security is to safeguard company personnel, equipment, and
facilities from theft, vandalism, sabotage, accidental damage, and natural or human-made disasters.
Physical security concepts are applicable to all corporate facilities, but data center security is most relevant in terms of
PowerScale deployment.
Security of the data center
PowerScale components are not designed to be self-secure in either resource discrimination or physical access. For example,
drive data encryption keys reside on node hardware. If access is gained to these components, security of the data cannot be
guaranteed. Thus, data center physical security is a necessary compensating control.
In addition to superior resource delivery, a secure data center protects PowerScale components from security violations at the
physical level including:
●    Malicious power reset
●    Interference with internal cabling
●    Unauthorized local access to communication ports
●    Unauthorized local access to internal node components
Optimal operation of a PowerScale cluster is achieved when the cluster is installed in a data center where proper measures
are taken to protect equipment and data. See the PowerScale Site Preparation and Planning Guide for complete data center
requirements.
Physical ports on nodes
For locations and descriptions of various ports on a node, see the node installation guide for your specific Isilon or PowerScale
node type.
Follow these security guidelines when using the ports on a node:
● Connect only the minimum number of cables required. Leave unused ports empty.
● Follow the instructions in the node installation guide about which ports to use and which ports not to use.
● You can connect to a node using a serial cable and enter single user mode. Exception: SmartLock compliance clusters do not
  allow you to boot into single user mode.
● Use isi security settings modify --usb-ports-disabled=true to disable the USB ports, and
  isi security settings modify --usb-ports-disabled=false to enable them again.
● Contact Dell Technologies Support if you have any questions.
Statement of volatility
A Statement of Volatility (SOV) describes the conditions under which the nondisk components of physical PowerScale products
retain data when power is removed. Examples of physical products include storage arrays and physical appliances. Customers
should understand which parts of a product contain (and retain) customer-specific data when power is removed. Such data may
be sensitive or affected by breaches, scrubbing, or data retention requirements.
Statements of Volatility are not directly customer accessible but can be made available to customers on request. Contact your
account team for assistance.
Serviceability
This section describes the following OneFS features that assist customers in maintaining and troubleshooting a cluster.
● Remote connectivity and remote support—Remote connectivity sends events, logs, and telemetry from your cluster to Dell
   Technologies Support. Remote support allows secure access to your cluster, with permission, by Dell Technologies Support.
● Security checks—A security check command scans the cluster for security and health anomalies.
● Maintenance aids—Diagnostic commands in OneFS gather information about a cluster.
● Technical advisories, Security advisories, and OneFS Patches—This information is gathered in one place and is accessible on
   the Dell Support Site. You can register to receive email notifications when new notices are posted.
Remote connectivity
OneFS includes the ability for a cluster to connect remotely to Dell Technologies Support for support purposes. Customers can
limit or manage such access.
Remote connectivity enables the transmission of events, logs, and telemetry from a OneFS cluster to Dell Technologies Support.
Remote connectivity also enables remote support, where Dell support personnel can access a cluster to assist customers.
OneFS 9.5.0.0 supports both the Dell Technologies SupportAssist product and the legacy SRS product for remote connectivity
functionality.
    NOTE: SupportAssist is replacing SRS. SRS is still available to use for current OneFS clusters. It is recommended that new
    OneFS clusters use the SupportAssist service, as SRS will eventually be unsupported.
    NOTE: Clusters using IPv6 must use SRS. SupportAssist does not support IPv6.
SupportAssist
SupportAssist is the remote connectivity system for transmitting events, logs, and telemetry from a PowerScale OneFS cluster
to Dell Support.
SupportAssist integrates an Embedded Service Enabler (ESE) into OneFS. Using an access key and pin, ESE can connect
directly to Dell Support or connect through a supported Secure Connect Gateway (SCG). SupportAssist is recommended for all
clusters that can send telemetry data off-cluster.
For information about configuring a cluster to use SupportAssist, see the SupportAssist section in the "General cluster
administration" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
For information about SupportAssist and the Secure Connect Gateway (SCG), see the respective product pages on the Dell
Support site.
SRS
OneFS clusters can continue to use SRS and set up new connections using SRS. SRS must connect through a gateway.
Administrators are encouraged to install and use the Secure Connect Gateway (SCG) v5.x or later, which supports both SRS
and SupportAssist.
For information about configuring a cluster to use SRS, see the SRS Summary section in the "General cluster administration"
chapter of the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
For information about Secure Remote Services (SRS) and the Secure Connect Gateway (SCG), see the respective product
pages on the Dell Support site.
Security checks and verifications
The OneFS security check monitors the cluster for security anomalies. Administrators can configure specific actions when
anomalies are discovered.
The OneFS security check runs the following types of security verifications.
Type of security check    Description
STIG hardening            NOTE: This check applies only to clusters that have the STIG hardening profile applied.
verifications             This check invokes the hardening reports. The reports compare the current configuration against the
                          STIG hardening profile. Configurations that are not compliant with the hardening profile are identified.
                          For more information about the hardening reports, see Run hardening compliance reports.
Security-related          This check runs the checks in the security checklist in the OneFS HealthCheck utility. To see a list of the
health checks             security checks, use the following command:
                           isi healthcheck checklists view security
                          For more information, see the OneFS HealthCheck Guide.
FreeBSD security          This check runs the periodic(8) FreeBSD security checks. These checks are the standard daily FreeBSD
checks                    system security checks.
The security check runs automatically and on-demand:
● The security check is a cron job. The job runs across the cluster on the first day of each month, at 12:20 am.
● The security check runs automatically on a node at every reboot.
● Administrators can run a security check on demand with the isi security check start command or Platform APIs.
  An on-demand security check runs on the cluster or on a specified list of nodes.
The default action when anomalies are discovered is to issue a CELOG event. You can change the default action using the isi
security check settings modify command. The supported actions are:
● Send a CELOG event.
● Reboot the affected node.
● Shut down the affected node.
For on-demand security checks, the following options are available:
● Run all the security check types, or run a subset of them.
● Run checks against the entire cluster or against a specified list of nodes.
● Specify an action other than the default action for each on-demand run.
To view the results of the last security run, use the isi security check report view command.
The following topics show how to use the CLI commands to change default settings, run an on-demand check, and view results.
For command usage details, see the PowerScale OneFS 9.5.0.0 CLI Command Reference.
Configure security check default values
You can change the default configuration for automatic security checks.
1. Log in to the cluster with ISI_PRIV_CLUSTER privilege.
2. View the current default security check settings.
      # isi security check settings view
         Action: celog
3. Change the default security check settings.
     The following example changes the default action.
      # isi security check settings modify --action shutdown
4. Confirm the change.
      # isi security check settings view
         Action: shutdown
Run a security check on demand and view the results
You can run a security check on demand.
1. Log in to the cluster with ISI_PRIV_CLUSTER privilege.
2. Run a security check.
     The following example runs the STIG profile security check across all nodes in the cluster. The example specifies a node
     shutdown if anomalies are discovered.
      # isi security check start --name StigComplianceCheck --mode cluster --action shutdown
      Security check started.
3. View the results of the security check.
      # isi security check report view --format table
      Last run passed successfully.
Maintenance Aids
Accounts
The ese account is used by the SupportAssist Embedded Service Enabler (ESE) and is required for Dell Technologies Support.
The remotesupport account is required for SRS. This account is disabled by default and should not be enabled
unless it is needed. If the account is enabled, set a unique password that is known only to a trusted user.
As a general best practice, protect the SRS gateway with an external gateway that allows only remotesupport access
between the endpoints.
Tools and Applications
The isi diagnostics gather and isi diagnostics netlogger commands gather information from the cluster.
These tools are described in the PowerScale OneFS 9.5.0.0 CLI Administration Guide, in the "General Cluster Administration"
chapter, in the SRS Telemetry section.
Security Diagnostics
The following commands and utilities provide security-related diagnostics.
Name                                 For more information
isi healthcheck                      For general information and for the isi healthcheck command reference pages, see
                                     the OneFS 9.5.0.0 isi healthcheck guide.
IOCA script                          For instructions about updating the IOCA script, see "Update IOCA within Healthcheck
                                     framework" in the OneFS 9.5.0.0 isi healthcheck guide.
isi security check                   For information about configuring and running consolidated security checks on nodes and
                                     clusters, see Security checks and verifications .
For general diagnostics, run the isi healthcheck command. Some security-centric health checks exist. For a list of them,
run isi healthcheck checklists view security.
You can run the IOCA script outside of isi_healthcheck. This utility runs as root and provides basic diagnostic information
about a running system.
 /usr/libexec/isilon/ioca/IOCA
You can run on-demand security checks on a node or cluster with the isi security check start command.
Dell Technologies Technical Advisories, Security Advisories, and
OneFS patches
Dell Technologies technical advisories (DTAs), Dell Technologies security advisories (DSAs), and OneFS patches are available
on the Dell Technologies Support site. These documents provide important information and solutions for issues that affect the
OneFS operating system.
Technical advisories
For the most up-to-date list of DTAs, go to the PowerScale product page on the Dell Technologies Support site, click the
Advisories tab, and then select Technical.
To subscribe to receive email notifications about new DTAs:
1. Go to the PowerScale product page on the Dell Technologies Support site.
2. Ensure that you are logged in with a Dell Technologies customer account.
3. Locate the Contact Us tab on the right side of the browser window, and click Contact Us > Notifications.
4. Select the Dell Technical Advisory slider.
Security advisories
For the most up-to-date list of DSAs, go to the PowerScale product page on the Dell Technologies Support site, click the
Advisories tab, and then select Security.
To subscribe to receive email notifications about new DSAs:
1.   Go to the PowerScale product page on the Dell Technologies Support site.
2.   Ensure that you are logged in with a Dell Technologies customer account.
3.   Locate the Contact Us tab on the right side of the browser window, and click Contact Us > Notifications.
4.   Select the Dell Security Advisory slider.
OneFS patches
For a list of patches for specific versions of OneFS, see Current PowerScale OneFS Patches on the Dell support site.
Authenticity and integrity
Digital signing, cryptographic checksums, and internal verification processes ensure the authenticity and integrity of product
modules.
Package authenticity
Dell Technologies digitally signs all software and firmware upgrade packages before distribution.
In OneFS 9.4.0.0 and later, OneFS provides additional protection against compromised upgrade packages with a package
catalog. The catalog stores, manages, and verifies upgrade packages. For upgrades to OneFS 9.4.0.0 and later clusters, OneFS
automatically verifies authenticity and integrity during the upgrade process.
Packages that apply to OneFS 9.4.0.0 and later use a customized .isi file format that contains an embedded signature. For
legacy compatibility, the .isi files may be named using the normal .tar.gz file extension. The .isi file format includes the
following:
● The software package
● A readme file, if appropriate
● Supporting files such as manifests, signatures, timestamps, and other details.
The isi upgrade catalog commands manage the .isi files. You can import and export the files, list the available
packages, view the readme files, and verify package contents. For information about using the isi upgrade catalog
commands, see the "Catalog" section under "Cluster maintenance" in the "General cluster administration" chapter of the
PowerScale OneFS 9.5.0.0 CLI Administration Guide.
The catalog and the isi upgrade catalog commands apply to all upgrade package types: OneFS upgrades, patches, node
firmware packages (NFPs), and DSPs. Users with ISI_PRIV_SYS_UPGRADE privilege can access the catalog.
Verifying packages and manifests
OneFS verifies package authenticity and integrity during the upgrade process.
Administrators with ISI_PRIV_SYS_UPGRADE privilege can manually verify authenticity of packages and manifests. The isi
upgrade catalog verify command does the following:
●    Uses the OpenSSL library that is included with OneFS
●    Verifies the SHA256 hash in the manifest against the included certificate
●    Compares the chain of trust for the included certificate against /etc/ssl/certs
●    Compares the distinguished name on certificates against values in /etc/upgrade/identities
●    Compares the SHA256 hash of data regions against values from the manifest
●    Verifies the signature
Using UEFI secure boot
UEFI secure boot checks software authenticity at every reboot.
Secure boot is an optional feature for supported PowerScale nodes. A PowerScale cluster may include nodes with and without
secure boot. For more information, see UEFI secure boot .
Checking MD5 hash files
The OneFS installer tarball file contains a complete list of MD5 hashes for OneFS.
The MD5 hashes are in the /boot/.md5 file. If you store them in a separate, secure location, those hashes are useful in
verifying the authenticity and integrity of the files. You can generate hashes for each file and compare them to the values in
the .md5 file.
To generate a hash value:
    # md5 <filename>
For example, the following command displays the hash of the kernel:
    # md5 /boot/kernel.amd64/kernel.gz
    MD5 (/boot/kernel.amd64/kernel.gz) = baac9b1d6a71030476a1c21e3e7c714d
Then, compare the returned hash value (baac9b1d6a71030476a1c21e3e7c714d) to the hash value of /boot/
kernel.amd64/kernel.gz in the /boot/.md5 file.
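The following Python script is an added example, not Dell code and not part of OneFS, that automates the comparison described above. It parses a list in the md5(1) output format that /boot/.md5 uses (MD5 (path) = digest), hashes each listed file, and reports which files match, differ, or are missing. The demo builds a small file tree in a temporary directory with a constructed reference list, then tampers with one file and deletes another, so it runs anywhere; to check a node, feed verify() the contents of a trusted copy of /boot/.md5 with root="" so the absolute paths are used as written.

```python
"""Verify files against a BSD md5(1)-format list such as OneFS /boot/.md5.

Added example, not Dell code. Assumes the list holds one entry per line in the
format the md5 command prints, e.g.
    MD5 (/boot/kernel.amd64/kernel.gz) = baac9b1d6a71030476a1c21e3e7c714d
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

ENTRY_RE = re.compile(r"^MD5 \((?P<path>.+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_md5_list(text: str) -> Dict[str, str]:
    """Return {path: expected hex digest}. Any line that is not an md5(1) entry is
    an error, so a truncated or edited list fails loudly instead of silently
    shrinking the set of files that get checked."""
    expected: Dict[str, str] = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            raise ValueError(f"line {n}: not an md5(1) entry: {line!r}")
        expected[m.group("path")] = m.group("digest").lower()
    return expected


def md5_file(path: str) -> str:
    """Hex MD5 of a file, streamed so large boot images need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(expected: Dict[str, str], root: str = "") -> Dict[str, List[str]]:
    """Classify every listed path as ok, mismatch or missing.

    root lets the same list be checked against a mounted copy of a node's file
    system (or the demo tree); with root="" the absolute paths are used as-is."""
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": []}
    for path, digest in sorted(expected.items()):
        full = os.path.join(root, path.lstrip("/")) if root else path
        if not os.path.isfile(full):
            result["missing"].append(path)
        elif md5_file(full) == digest:
            result["ok"].append(path)
        else:
            result["mismatch"].append(path)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: record a list, then tamper with one file and delete another."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "boot/kernel.amd64/kernel.gz": b"not a real kernel, constructed for the demo\n",
            "boot/loader.conf": b"autoboot_delay=3\n",
            "boot/defaults/loader.conf": b"constructed defaults\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Reference list taken while the tree is known good; keep this copy off the node.
        listing = "".join(f"MD5 (/{rel}) = {md5_file(os.path.join(root, rel))}\n" for rel in files)
        # Later changes that the list must catch.
        with open(os.path.join(root, "boot/loader.conf"), "ab") as f:
            f.write(b"kern.securelevel=-1\n")
        os.remove(os.path.join(root, "boot/defaults/loader.conf"))
        return verify(parse_md5_list(listing), root=root)


if __name__ == "__main__":
    for status, paths in demo().items():
        for p in paths:
            print(f"{status.upper():8s} {p}")
```

Two caveats apply in practice. The check only proves something if the list you compare against was copied off the node while the system was known good: an attacker with write access to /boot can regenerate /boot/.md5 alongside the files it covers. MD5 is also no longer collision-resistant, so a matching digest is evidence against accidental corruption and casual tampering, not a substitute for the signed-package verification described under "Verifying packages and manifests".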
Restricted CLI
The OneFS Restricted command-line interface (Restricted CLI) is an audited interface for managing a cluster without access to
the underlying file system. This configuration is required for US federal government sites, and it can provide a high level of
security for business customers.
The Restricted CLI is independent of the STIG hardening profile. Restricted CLI is available on hardened clusters and
nonhardened clusters.
The primary features of the Restricted CLI are:
●    No file access
●    Limited configuration activities
●    Audited sessions
●    Users with the correct privilege can view audit logs.
●    Selected users who have special privilege can temporarily escape out of a Restricted CLI session. These users must have
     access to the password of root or user of last resort. They are placed into the default OneFS CLI (a zsh).
You can implement Restricted CLI in two modes.
mode                              Explanation
Global restricted shell enabled   This mode requires all SSH logins to use the Restricted CLI. In this mode, a root account and
                                  the specially assigned escape mechanism are the only ways to bypass the Restricted CLI shell
                                  usage.
                                  This mode is required for compliance with the United States federal government Approved
                                  Products List (APL).
                                  The STIG hardening profile enables this mode.
                                  You may enable this mode on nonhardened clusters.
                                  This mode is not compatible with SmartLock Compliance mode.
Global restricted shell disabled   This mode allows mixed assignments for shell usage. You can assign shell usage in a tiered
                                   approach.
                                   ● For security, assign most users to use Restricted CLI.
                                   ● For configuration flexibility, assign a select few administrators to the default OneFS CLI
                                      (zsh).
                                   This mode is available only on nonhardened clusters.
Session description
The following table describes the characteristics of a Restricted CLI session.
Topic                       Restricted CLI
Required user privileges    User accounts must have specific login privileges to log in to OneFS. The following privileges are
                            required for any logins, whether using the Restricted CLI or the default OneFS CLI.
                             Access type                         Privilege
                             SSH access                          ISI_PRIV_LOGIN_SSH
                             Console access                      ISI_PRIV_LOGIN_CONSOLE
Required shell              The user profile defines a path for a default SSH shell. For Restricted CLI, this path is:
assignment in user
profile                       “/usr/local/restricted_shell/bin/restricted_shell.py”.
                            In force mode, only users with the above path in their profiles can log in to any SSH session. If
                            there are no users with the above path in their profile, no user can log in.
                                NOTE: The root user is an exception. However, Dell does not recommend enabling a root user.
RBAC                        The OneFS role-based access control (RBAC) works the same in Restricted CLI as in the default
                            OneFS CLI. The default privileges, users, and roles remain in effect in the restricted environment.
                            The Restricted CLI adds another layer of restrictions to existing RBAC settings.
SSH description             The Restricted CLI is not a full-featured shell. Shell commands that access the underlying file
                            system are not available. For example, the cat command is not available in Restricted CLI.
                            In contrast, the default OneFS CLI is a zsh session.
Allowed commands            Allowed commands in Restricted CLI are:
                            ● clear—Clears the screen.
                            ● isi commands—Users can enter any OneFS isi command in the Restricted CLI. The
                              commands and options that are not executable in the restricted environment return a
                              permissions error. This response is the same that a user receives when trying to run a command
                              that is not authorized because of RBAC permissions.
                            ● isi_log_access—Allows examination of local node log files in /var/log.
                            ● exit
                            ● logout
                            ● isi_recovery_shell—Enters the default OneFS CLI zsh. Available only for users that
                              have a specially assigned privilege and can provide the password of root or user of last resort .
Auditing                    All commands that are issued in a Restricted CLI session are captured in the audit stream.
Sessions                    ● When a user logs in to the Restricted CLI, a message of the day (MOTD) appears.
                            ● When an SSH session ends, the following message appears:
                                   You are being disconnected from OneFS.
                            ● A Restricted CLI session is terminated after 10 minutes of inactivity.
Limitations
Root users
Root users can interact with OneFS without auditing. The root user can access all files. It is recommended that you follow
OneFS best practices and do not use a root account.
It is acceptable to configure one user of last resort account.
SmartLock Compliance mode
Restricted CLI is compatible with SmartLock Compliance mode when global restricted shell mode is disabled. In that mode, you
can assign a small set of users to use the default OneFS CLI.
By definition, SmartLock Compliance mode does not support a root account or account of last resort. Without such a user,
enabling the global restricted shell is not compatible with SmartLock Compliance mode. The global restricted shell is too
restrictive in Compliance mode for the following reasons:
● The recovery shell capabilities would not work. That feature requires a password for root or account of last resort.
● You cannot configure any user profile to use the default OneFS CLI.
Audit logs and message types
The recommended best practice for auditing configuration changes is to send audit records off cluster with the OneFS auditing
service.
Restricted CLI default messaging
The Restricted CLI captures all commands that are issued in a session. The logging is in /var/log/messages on the node
where the commands are issued. The messages have an IDENT value of limited. For example:
/var/log/messages:2022-12-14T02:00:03.131075+00:00 <1.5> onefs-1(id1) limited[21467]: Called ['/usr/bin/isi_log_access', '--list'], which returned 0.
Users with the correct privileges can view these logs. See View log files.
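The following Python script is an added example, not Dell code and not part of OneFS, showing how a log collector or SIEM rule could pick the Restricted CLI records out of /var/log/messages. It matches the IDENT value limited and the "Called [...], which returned N." shape shown above, recovers the argv list and return code, and surfaces two things an operator wants to see: commands that returned non-zero, and invocations of isi_recovery_shell, the documented escape to an unaudited zsh (assuming the restricted shell logs that invocation like any other command; its installed path is not given in the guide, so the match is on the basename). The sample log lines are constructed for the example; only the first is taken from this page, rejoined onto one line.

```python
"""Extract Restricted CLI command records from /var/log/messages.

Added example, not Dell code. The Restricted CLI logs each command it runs
through syslog with IDENT "limited", in the form shown in this guide:
    <ts> <fac.pri> <node> limited[<pid>]: Called [<argv>], which returned <rc>.
"""
import ast
import os
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?:/[^\s:]+:)?"                            # optional "/var/log/messages:" prefix from grep
    r"(?P<ts>\S+) <(?P<fac>\d+)\.(?P<pri>\d+)> "  # ISO timestamp and <facility.priority>
    r"(?P<host>\S+) limited\[(?P<pid>\d+)\]: "    # node name, IDENT "limited", process id
    r"Called (?P<argv>\[.*\]), which returned (?P<rc>-?\d+)\.$"
)

# Constructed sample. Line 1 is the guide's example rejoined onto one line; the
# rest are invented to exercise a failed command, the recovery-shell escape and
# an unrelated sshd record that must be ignored.
SAMPLE = """\
/var/log/messages:2022-12-14T02:00:03.131075+00:00 <1.5> onefs-1(id1) limited[21467]: Called ['/usr/bin/isi_log_access', '--list'], which returned 0.
2022-12-14T02:03:41.002113+00:00 <1.5> onefs-1(id1) limited[21467]: Called ['/usr/bin/isi', 'security', 'settings', 'view'], which returned 0.
2022-12-14T02:05:10.446890+00:00 <1.5> onefs-1(id1) limited[21467]: Called ['/usr/bin/isi', 'auth', 'users', 'modify', 'tom', '--shell', '/bin/zsh'], which returned 1.
2022-12-14T02:07:55.120004+00:00 <1.5> onefs-1(id1) limited[21467]: Called ['isi_recovery_shell'], which returned 0.
2022-12-14T02:08:00.000000+00:00 <1.5> onefs-1(id1) sshd[21470]: Accepted publickey for tom from 10.0.0.5 port 50000 ssh2
"""


def parse_line(line: str) -> Optional[Dict]:
    """Return a record dict for a Restricted CLI line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = ast.literal_eval(m.group("argv"))  # argv is logged as a Python list literal
    except (ValueError, SyntaxError):
        return None
    if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "argv": argv,
        "rc": int(m.group("rc")),
    }


def parse_log(text: str) -> List[Dict]:
    """Parse every line of a messages file, skipping lines that are not Restricted CLI records."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def failures(records: List[Dict]) -> List[Dict]:
    """Commands that returned non-zero, for example an RBAC permissions error."""
    return [r for r in records if r["rc"] != 0]


def escapes(records: List[Dict]) -> List[Dict]:
    """Invocations of isi_recovery_shell: the last audited trace before an unaudited zsh.

    Matching on the basename is an assumption of this example; the guide does not
    give the binary's installed path."""
    return [r for r in records if r["argv"] and os.path.basename(r["argv"][0]) == "isi_recovery_shell"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for r in failures(recs):
        print(f"FAILED  {r['ts']} {r['host']} pid={r['pid']} rc={r['rc']} {' '.join(r['argv'])}")
    for r in escapes(recs):
        print(f"ESCAPE  {r['ts']} {r['host']} pid={r['pid']} {' '.join(r['argv'])}")
```

Because nothing a user does after isi_recovery_shell is audited, the invocation record is the only evidence that the escape happened; these lines are only useful if they have already left the node, which is why the off-cluster forwarding recommended in the next section matters for this log as much as for the audit stream.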
Recommended audit best practice
The OneFS auditing module offers comprehensive features for capturing and preserving configuration changes. OneFS auditing
includes the ability to forward logs off cluster. The following configurations are recommended:
● Enable the OneFS configuration change audit feature. This feature captures all configuration changes that are issued
  through the OneFS Platform API (PAPI). By definition, all Restricted CLI commands are PAPI commands.
● Enable syslog forwarding for configuration change auditing.
● Enable TLS for syslog forwarding.
For configuration steps for these recommendations, see the "Auditing and Logging" chapter in the PowerScale OneFS 9.5.0.0
Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Enable and disable global restricted shell
When global restricted shell is enabled, all users must use the restricted CLI. When global restricted shell is disabled, you can
specify any shell in the user profiles, including the Restricted CLI.
If global restricted shell is enabled, all user profiles must have the Restricted CLI pathname in their user profile as their default
shell. Users without that setting cannot log in.
    NOTE: The STIG hardening profile enables global restricted shell.
1. Log in to OneFS with ISI_PRIV_CLUSTER privilege.
2. To enable global restricted shell:
     a. Run:
          isi security settings modify --restricted-shell-enabled true
     b. Change all user profiles to "/usr/local/restricted_shell/bin/restricted_shell.py". See Assign shell
        to user profile.
3. To disable global restricted shell, run:
      isi security settings modify --restricted-shell-enabled false
     In this mode, user profiles can specify any shell, such as the Restricted CLI, the default zsh, bash, or csh.
Assign shell to user profile
A user profile specifies the shell that opens for an SSH session.
The step to assign or change a user shell depends on the authorization provider and the customer setup scenario.
For information about authentication providers, see the chapter "Home Directories" in the PowerScale OneFS 9.5.0.0 Web
Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
1. Assign a local user to the Restricted CLI:
      isi auth users modify tom --shell "/usr/local/restricted_shell/bin/restricted_shell.py"
2.
Emergency exit from a Restricted CLI session
Administrators with the correct privilege can exit the Restricted CLI and enter the default OneFS CLI. An emergency exit might
be required for recovery operations or for unforeseen support issues in Restricted CLI.
The administrator prerequisites are:
1. Have ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE privilege.
2. Have their login shell set to "/usr/local/restricted_shell/bin/restricted_shell.py".
3. Have ISI_PRIV_RECOVERY_SHELL privilege.
       NOTE: No default role includes this privilege. It is recommended that you create a unique role for this privilege
       and assign that role to a limited set of administrators.
4. Know the password for root or user of last resort.
1. From within a Restricted Shell session, run the following command:
      isi_recovery_shell
2. Provide the root account password when prompted.
If the administrator has the required privileges and provides the correct password, they are logged into an unrestricted OneFS
session. Actions in the OneFS session are treated as root user actions and not logged or audited.
It is recommended that the root password or password of last resort be changed after the recovery shell is used.
View log files
The OneFS isi_log_access command provides access to local node logs.
1. Log in to a Restricted CLI session with ISI_PRIV_SYS_SUPPORT privilege.
2. View syntax for the isi_log_access command.
     % isi_log_access --help
3. List filenames that are valid to access with isi_log_access.
     % isi_log_access --list
     LAST MODIFICATION TIME                  SIZE           FILE
     Tue Oct 4 15:37:41 2022                 55             alert.log
     Mon Oct 10 00:30:00 2022                72             all.log
     Mon Oct 10 00:30:00 2022                111            all.log.0.gz
     Mon Oct 10 00:00:00 2022                118            all.log.1.gz
     Sun Oct 9 00:30:00 2022                 110            all.log.2.gz
     Sun Oct 9 00:00:00 2022                 117            all.log.3.gz
     Sat Oct 8 00:30:00 2022                 110            all.log.4.gz
     Sat Oct 8 00:00:00 2022                 117            all.log.5.gz
     Fri Oct 7 00:30:00 2022                 109            all.log.6.gz
     Tue Oct 4 15:37:41 2022                 55             audit_config.log
     Tue Oct 4 15:37:41 2022                 55             audit_protocol.log
     Mon Oct 10 16:46:11 2022                27224          auth.log
     Tue Oct 4 16:04:38 2022                 0              bam.log
     Tue Oct 4 15:37:41 2022                 55             boxend.log
     Tue Oct 4 15:37:41 2022                 55             bwt.log
     Tue Oct 4 15:37:41 2022                 55             cloud_interface.log
     Tue Oct 4 15:37:41 2022                 55             console.log
     Mon Oct 10 17:00:00 2022                75429          cron
     Mon Oct 10 08:30:00 2022                8594           cron.0.gz
     Sun Oct 9 21:15:00 2022                 8338           cron.1.gz
     Sun Oct 9 09:45:00 2022                 8680           cron.2.gz
     Mon Oct 10 03:01:13 2022                2130           daily.log
     Mon Oct 10 00:30:00 2022                113            daily.log.0.gz
     Mon Oct 10 00:00:00 2022                948            daily.log.1.gz
     .
     .
     .
     Sat   Oct 8 00:30:00 2022               113            weekly.log.0.gz
     Sat   Oct 8 00:00:00 2022               134            weekly.log.1.gz
     Tue   Oct 4 15:37:41 2022               0              wtmp
     Tue   Oct 4 15:37:41 2022               55             xferlog
     Tue   Oct 4 16:09:28 2022               1591           apache2/httpd.py.log
     Sat   Oct 8 09:54:40 2022               109641         apache2/webui_httpd_access.log
     Sat   Oct 8 02:45:20 2022               3091           apache2/webui_httpd_error.log
     Tue   Oct 4 15:37:41 2022               55             apache2/access.log
     Tue   Oct 4 15:37:41 2022               55             apache2/error.log
     Tue   Oct 4 16:34:23 2022               201            apache2/apache2.log
     Mon   Oct 10 16:46:11 2022              26585          audit/auth.log
     Tue   Oct 4 15:37:41 2022               55             audit/smb.log
     Mon Oct 10 16:46:11 2022                26585          audit/auth.log.20221004T153741.088318068Z.not-terminated
     Tue Oct 4 15:37:41 2022                 0              audit/isi_pw.log
     Tue Oct 4 15:51:43 2022                 225            audit/pw.log
     Tue Oct 4 15:51:43 2022                 225            audit/pw.log.20221004T153741.104921016Z.not-terminated
     Tue Oct 4 15:37:41 2022                 0              audit/isi_pw.log.20221004T153741.104990229Z.not-terminated
     Sat Oct 8 09:54:40 2022                 111048         audit/httpd.log
     Sat Oct 8 09:54:40 2022                 111048         audit/httpd.log.20221004T153741.105053644Z.not-terminated
4. View contents of a file.
     % isi_log_access --view apache2/apache2.log
     2022-04-06T08:56:43 Shutting down webui httpd and its children
     2022-04-06T08:56:43 Stopping webui httpd
     2022-04-06T08:56:43 Removing potentially stale pid file
     2022-04-06T08:56:43 Starting webui httpd
     2022-04-06T08:56:52 Stopping apache2
     2022-04-06T08:56:56 Shutting down webui httpd and its children
     2022-04-06T08:56:56 Stopping webui httpd
     2022-04-06T08:56:56 Removing potentially stale pid file
     2022-04-06T08:56:56 Starting webui httpd
     2022-04-06T08:57:15 Shutting down webui httpd and its children
     2022-04-06T08:57:15 Stopping webui httpd
     2022-04-06T08:57:15 Failed to stop webui httpd:
     2022-04-06T08:57:15
     2022-04-06T08:57:15 Removing potentially stale pid file
     2022-04-06T08:57:15 Starting webui httpd
     To view the contents of compressed files, use the --zview option.
      % isi_log_access --zview daily.log.0.gz
5. Watch the end of a file.
     The following example displays the end of the messages file and waits for more messages.
      % isi_log_access --watch messages
      2022-04-06T09:20:40.741647+00:00 <1.5> test1(id1) pkg[11797]: test-snapshot-b-ps113325-001-1.0 installed
      2022-04-06T09:20:45.043265+00:00 <3.3> test1(id1) isi_mcp[1859]: [0x801a30000]: failed to get file /etc/mcp/override/sysctl.conf from namespace
      2022-04-06T09:20:45.058405+00:00 <3.3> test1(id1) isi_mcp[1859]: [0x801a30000]: failed to perform the pull from the namespace
      2022-04-06T09:21:25.376730+00:00 <1.5> test1(id1) boxend.py[12524]: chassis 0 is DTRDUONEFS1183321
      2022-04-06T09:21:25.376771+00:00 <1.5> test1(id1) boxend.py[12524]: Caching internal machine name succeeded.
      2022-04-06T10:21:28.849025+00:00 <1.5> test1(id1) boxend.py[12524]: chassis 0 is DTRDUONEFS1183321
      2022-04-06T10:21:28.849064+00:00 <1.5> test1(id1) boxend.py[12524]: Caching internal machine name succeeded.
      2022-04-06T11:11:17.996214+00:00 <3.5> test1(id1) isi_snapshot_d[9463]: cleanup_snapshot_papi_requests: Removed 1 files with no errors.
      2022-04-06T11:21:32.324441+00:00 <1.5> test1(id1) boxend.py[12524]: chassis 0 is DTRDUONEFS1183321
      2022-04-06T11:21:32.324514+00:00 <1.5> test1(id1) boxend.py[12524]: Caching internal machine name succeeded.
6. Search the contents of one or more files for a given pattern.
     The following example searches apache2/apache2.log for occurrences of webui.
      % isi_log_access --grep "webui" apache2/apache2.log
      2022-04-06T08:56:43 Shutting down webui httpd and its children
      2022-04-06T08:56:43 Stopping webui httpd
      2022-04-06T08:56:43 Starting webui httpd
     To search compressed files, use the --zgrep option.
      % isi_log_access --zgrep test1user daily.log.0.gz
isi_log_access
Displays log file content.
Syntax
 isi_log_access
     [--grep pattern filename [filename ...]]
     [{--help | -h}]
     [--list]
     [--less filename]
     [--more filename]
     [--view filename]
     [--watch filename]
     [--zgrep pattern filename [filename ...]]
     [--zview filename]
Usage
The isi_log_access command cannot access files outside of /var/log on the node where the command is run.
Options
--grep pattern filename [filename...]
                  Searches one or more files for a specified pattern and displays the lines on standard output. This option
                  uses a subset of the BSD grep program. It is intended for simple patterns and basic regular expressions.
                  The pattern you provide in the command is passed to BSD grep.
--help | -h
                  Gets help for this command.
--list
                  Lists the filenames that are valid values for usage with isi_log_access.
--less filename
                  Operates the same as --more. On OneFS, --more and --less run the same binary, which changes its
                  behavior depending on whether it was executed as less or more.
--more filename
                  Pages through a file. Press Enter to progress one line at a time. Press the space bar to progress one
                  screenful. To gain context on a screenful progression, scroll up one line to see the last line of the
                  previous screen. Use q to exit.
--view filename
                  Displays file content on standard output.
--watch filename
                  Displays the end of a file and new lines as they are added. To exit, use Ctrl+C which also closes the
                  Restricted CLI session.
--zgrep pattern filename [filename ...]
                  Searches one or more compressed files (.gz files) for a specified pattern and displays the lines on
                  standard output. This option uses the basic regular expression pattern from GNU zgrep.
--zview filename
                  Displays file content for a compressed file (.gz file) on standard output.
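The /var/log confinement and the --list allow-list described above, as an added example (not the OneFS isi_log_access implementation): a small Python model that validates a requested name before reading it, rejects absolute paths, parent-directory traversal and symlinks that resolve outside the log directory, and handles compressed files for the --zview/--zgrep cases. The demo log root, its files and the function names are constructed here.

```python
import gzip
import os
import re
import tempfile
from pathlib import Path


class LogAccessError(Exception):
    """Raised when a request falls outside the permitted log directory."""


def resolve_log_path(log_root: Path, requested: str) -> Path:
    """Map a user-supplied name such as 'apache2/apache2.log' onto a file under
    log_root, rejecting anything that would escape the directory.

    Both sides are resolved (symlinks followed) before the comparison, so a link
    planted under the root that points outside it is rejected as well."""
    if not requested or os.path.isabs(requested):
        raise LogAccessError(f"relative name required: {requested!r}")
    root = log_root.resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise LogAccessError(f"outside log root: {requested!r}")
    if not candidate.is_file():
        raise LogAccessError(f"not a regular file: {requested!r}")
    return candidate


def list_logs(log_root: Path) -> list[str]:
    """Equivalent of --list: the names that are valid for the other operations.
    Entries whose real location is outside the root are not offered."""
    root = log_root.resolve()
    return [str(p.relative_to(root)) for p in sorted(root.rglob("*"))
            if p.is_file() and root in p.resolve().parents]


def read_lines(log_root: Path, requested: str) -> list[str]:
    """Equivalent of --view / --zview: .gz files are decompressed transparently."""
    path = resolve_log_path(log_root, requested)
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh]


def grep_logs(log_root: Path, pattern: str, *names: str) -> list[str]:
    """Equivalent of --grep / --zgrep: regular-expression search over one or more
    validated files; each hit is prefixed with the file it came from."""
    rx = re.compile(pattern)
    return [f"{name}: {line}"
            for name in names
            for line in read_lines(log_root, name)
            if rx.search(line)]


def build_demo_root() -> Path:
    """Constructed fixture (not real OneFS logs): a tiny /var/log look-alike with a
    plain file, a gzip'd file, and a symlink that escapes the directory."""
    root = Path(tempfile.mkdtemp(prefix="demo_var_log_"))
    (root / "apache2").mkdir()
    (root / "apache2" / "apache2.log").write_text(
        "2022-04-06T08:56:43 Stopping webui httpd\n"
        "2022-04-06T08:56:43 Starting webui httpd\n"
        "2022-04-06T08:56:52 Stopping apache2\n")
    with gzip.open(root / "daily.log.0.gz", "wt") as fh:
        fh.write("daily run ok\nuser test1user logged in\n")
    outside = root.parent / f"{root.name}_secret"   # lives outside the root
    outside.write_text("should never be readable\n")
    (root / "escape").symlink_to(outside)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print(list_logs(demo))
    print(grep_logs(demo, "webui", "apache2/apache2.log"))
    print(grep_logs(demo, "test1user", "daily.log.0.gz"))
```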
Chapter 4: United States Federal and DoD Standards and Compliance
OneFS supports deployments in United States federal and Department of Defense (DoD) networks.
Topics:
•    SRG and STIG Compliance
•    CAT 1 security requirement
•    Onsite customer deployment guidance
•    IPv6 defaults
•    Security hardening module
•    Recurring security checks
SRG and STIG Compliance
A OneFS cluster is secure in its default configuration. The United States federal government requires configurations and
limitations that are more strict than the default OneFS configurations.
The United States Federal Department of Defense (DoD) requires specific security controls to protect its information systems
and software. The DoD Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) define
required security controls. These DoD publications contain technical guidance measures to protect information systems and
software that may otherwise be vulnerable to exploitation. OneFS clusters that are deployed in US government agencies might
be required to comply with SRGs.
To help with SRG and STIG compliance, OneFS provides a security hardening module. This module automates configuration
changes to meet defined guidelines. It also provides a reporting mechanism that checks the cluster for continued compliance
with the guidelines.
     NOTE: Security hardening helps to make a cluster comply with SRGs by changing OneFS cluster configurations. The
     ecosystem that surrounds the OneFS cluster must be secure as well.
CAT 1 security requirement
The United States Defense Information Systems Agency (DISA) requires identification and remediation instructions for CAT 1
vulnerabilities.
DISA defines Severity Category Codes that are used to assess the vulnerability security posture of a system. A CAT I Severity
Category Code describes findings that allow primary security protections to be bypassed, allowing immediate access by
unauthorized personnel or unauthorized use of superuser privileges.
The STIG hardening profile in the OneFS security hardening module has no known CAT 1 weaknesses. If a CAT 1 weakness is
discovered after a OneFS version is released, those discoveries are disclosed to customers in a Dell Security Advisory (DSA).
DSAs notify customers about potential security vulnerabilities and their remedies for Dell products. The advisories include
specific details about an issue and instructions to help prevent or alleviate that security exposure. Common Vulnerabilities and
Exposures (CVEs) identify publicly known security concerns. A DSA can address one or more CVEs. All OneFS DSAs and the
CVEs that they address are listed on the Product Advisories tab on the Dell Technologies Support site.
To receive email notifications of advisories, see Register for advisory notifications.
62       United States Federal and DoD Standards and Compliance
Onsite customer deployment guidance
Enabling STIG
STIG compliance requires the OneFS Security Hardening module and periodic compliance checks. For information about
licensing and using the hardening module, see Security hardening module. For information about compliance checks, see Run
hardening compliance reports. For information about automatic compliance checks, see Recurring security checks .
Upgrading a previously hardened cluster to OneFS 9.5.0.0
The Hardening Module in releases before OneFS 9.5.0.0 is not compatible with the Hardening Module in OneFS 9.5.0.0 and
later. For this reason, hardening must be turned off on the cluster before upgrading to OneFS 9.5.0.0.
The upgrade workflow for previously hardened clusters is:
1. Before upgrading, use the appropriate hardening command to revert hardening on the cluster.
2. Perform all upgrade activities.
3. Reapply the STIG hardening profile on the cluster using the OneFS 9.5.0.0 isi hardening apply command.
User management with STIG hardening
User account management on a OneFS cluster is the same with or without STIG hardening. All isi auth commands work the
same whether the STIG profile is applied to a cluster.
Administrator functions
In general, administrator functions on a OneFS cluster work the same with or without STIG hardening. Some STIG rules limit
scope or permissions.
OneFS does not provide a way to manually lock a user account. An administrator can manually disable a user account. For
information about creating, disabling, deleting, and modifying local accounts, see the section "Managing local users and groups"
in the "Authentication" chapter of the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
An administrator can unlock a user account with the following command:
 isi auth users modify <user> --unlock
IPv6 defaults
Administrators can enable and configure IPv6 using the CLI.
IPv6 configuration defaults are as follows:
● On OneFS 9.5.0.0 and later, IPv6 support is disabled by default on new clusters. You can override this default by specifying
  to enable IPv6 in the initial configuration script.
● On an existing OneFS cluster that has IPv6 enabled, an upgrade to OneFS 9.5.0.0 or later does not change the IPv6
  configurations. In this case, IPv6 remains enabled.
● IPv6 configuration options are disabled by default when you first enable IPv6 support. You can enable each option using the
  isi network external modify command.
The following table shows the IPv6 configuration options and how to change their configuration.
Option                                                      Description                                                                 Command
Enable or disable IPv6 on the cluster                       Global setting                                                              isi network external command
Enable auto configuration                                   Global setting that discovers and applies network settings from the         isi network external command
                                                            IPv6 router advertisements (RAs)
Generate link-local IPs                                     Global setting                                                              isi network external command
                                                            NOTE: Disabling this option does not impact backend Ethernet clusters.
Enable or disable ICMP redirects                            Global setting that controls if OneFS processes ICMPv6 redirect messages.   isi network external command
Enable or disable Duplicate Address Detection (DAD) on the  Global setting                                                              isi network external command
cluster
Enable or disable DAD on SmartConnect Service IPs (SSIPs)   Controls whether to perform DAD on SSIPs                                    Enable global DAD and SSIP DAD using the
                                                                                                                                        isi network external command
Enable or disable DAD on individual static network pools    Applies to a specific network pool                                          1. Enable global DAD using the isi network
                                                                                                                                           external command.
                                                                                                                                        2. Enable DAD on a pool using isi network
                                                                                                                                           pools modify or isi network pools create.
For information about configuring IPv6 options, see the "IPv6" section under "External Networks" in the "Networking" chapter
of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Security hardening module
Security hardening is a separately licensed OneFS module. It is intended primarily for United States federal government
accounts. This module provides automated support for compliance with FIPS, SRG, and STIG requirements.
Most hardening commands require the ISI_PRIV_HARDENING privilege.
Licensing
Security hardening is a licensed software feature of OneFS.
For information about obtaining, activating, and viewing status of licenses, see the Licensing section in the chapter "General
cluster administration" of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
Use these steps to activate a trial license for hardening.
1. Run the isi license command:
     isi license add --evaluation=HARDENING
2. Read the license terms and enter q at the colon.
3. Answer yes to acknowledge the license terms.
Hardening concepts
The Hardening Module helps to ensure that a cluster complies with a defined set of rules.
With a single command, you can apply a long list of predefined configuration rules to your cluster. With hardening reports, you
can review the rules and see whether your cluster is in compliance with each rule.
Hardening profiles
The Hardening Module is profile-based.
A hardening profile is a collection of rules that define cluster configurations. The defined configuration changes make the cluster
comply with security guidelines.
To apply a hardening profile to a cluster, use isi hardening commands or the OneFS Platform API (PAPI). Hardening applies
to all nodes in the cluster and extends to new nodes that are added to the cluster.
Supported profile
OneFS 9.5.0.0 supports one hardening profile. The profile name is STIG.
Smart rules
When possible, the rules in the STIG profile use the concept of smart rules to preserve current security settings.
Hardening does not change a configuration to a value that is less secure than the current setting. Smart rules compare the
current setting to the expected hardened value. If the existing setting is already more secure than the hardened value, the
existing setting remains in effect.
For example, an administrator might change the password policy to the strictest level possible. The STIG hardening profile
requires a medium strict password policy. If you apply the STIG profile, smart rules ensure that the password policy remains at
the strict level.
Smart rules only apply to configuration settings that are controlled with a single cluster-wide value. They do not apply to rules
that are set separately on each node. See Run hardening compliance reports for information about distinguishing cluster-wide
compared with node-specific rules.
Smart rules also do not apply to configurations that require edits to a text file. The hardening profile overwrites text file
configurations.
Smart rules are not implemented by the isi hardening disable command. That command returns the cluster to the
system default settings.
Hardening commands
Use the OneFS isi hardening commands to manage and apply profiles.
The following table shows the actions available when you have a Hardening Module license. These actions are also available
using the PAPI.
Action                                                                    CLI command
View available profiles.                                                  isi hardening list
Discover whether a profile is applied on the cluster or not.              isi hardening list
Apply a profile to the cluster.                                           isi hardening apply
Return the security settings to the original installed default values.    isi hardening disable
Gather compliance information about the cluster and all nodes.            isi hardening reports create
View the list of rules in a profile and the status of the cluster         isi hardening reports view
against each rule.
Using the STIG profile
The STIG hardening profile is designed to make the OneFS cluster compliant with United States federal government Approved
Product List (APL) requirements.
Unsupported and disabled services
Some services that run successfully on OneFS 9.5.0.0 clusters in nonhardened mode do not offer support for operating under
the STIG hardening profile.
These services either cannot support the FIPS cryptography or cannot run on the infrastructure that the STIG hardening profile
requires.
The STIG hardening profile disables these services. Enabling those services after applying the STIG profile is not supported and
renders the cluster noncompliant.
The following services are unsupported in the STIG hardening profile:
●    Dell Common Event Enabler (CEE)
●    Common Anti-Virus Agent (CAVA)
●    SmartLock Compliance
●    NIS Authentication Provider
●    Duo MFA Provider
Other services may not support FIPS cryptography. For a list of all rules in the STIG hardening profile, see Run hardening
compliance reports.
View complete list of STIG profile rules
You can list all rules in the STIG profile. You can see a comparison of the expected settings after applying the profile compared
to the current settings on your cluster.
The following table summarizes how to use the hardening reports to research the rules in the STIG profile. For detailed steps
and examples of the output, see Run hardening compliance reports.
Command for reporting on the STIG profile      Description
isi hardening reports create                   This command gathers information from the cluster. It is a required first
                                               step before using the isi hardening reports view command.
isi hardening reports view STIG                This command lists all the rules in the profile and the location of the
                                               relevant configuration setting.
isi hardening reports view STIG --verbose      The verbose option adds the expected value for each rule and the
                                               values that are discovered on your cluster.
                                               The cluster settings that appear in the reports reflect the status at the
                                               time the isi hardening reports create command was last run.
Required: Update password hash scheme
Before applying the STIG hardening profile, you must change the hash scheme for the root account password to a
FIPS-compliant scheme.
The default password hash type is NTHash. That scheme is not FIPS-compliant. The following steps change the hash type to
SHA512.
1. Log in as root.
2. Set the password hash type to a FIPS 140-2-compliant value in the file provider.
      isi auth file modify System --password-hash-type=SHA512
3. Set the password hash type to a FIPS 140-2-compliant value in the local provider.
     isi auth local modify System --password-hash-type=SHA512
4. Reset passwords for the account of last resort and root accounts.
   This step is required to encode the passwords using the updated hash type.
   All accounts with a UID equal to 0 must reset their password whether they are defined in the file provider or local. You can
   reset passwords using the user-name or numeric user identifier 0.
     isi auth users change-password root
     or
     isi auth users change-password 0
Apply the hardening profile
Harden a cluster by applying the STIG profile to the cluster.
Before applying the STIG profile, ensure that the steps in Required: Update password hash scheme are completed on the
cluster.
1. Log in with ISI_PRIV_HARDENING privilege.
2. Apply the STIG profile.
     # isi hardening apply STIG
     ..........
   OneFS works in the background to check settings for each rule in the profile on each node in the cluster. OneFS changes
   the settings that are not in compliance with a rule.
3. If the command returns any error messages, fix the reported conditions and rerun the command.
4. Wait for the following message to appear:
     Hardening operation complete.
5. Restore SSH access. Do this step before logging out to ensure that you are not locked out.
     isi ssh settings modify --host-key-algorithms='+ssh-dss,ssh-dss-cert-v01@openssh.com'
You can rerun hardening at any time. See Maintain compliance after hardening.
Adjust user accounts after hardening
Some user account settings must be changed after applying the STIG profile.
The STIG profile enforces rules that may require user account changes.
1. Change the shell pathname on all user accounts that log in to an SSH session.
   All SSH logins must use the Restricted CLI after the STIG profile is applied. The shell path must be changed to
   "/usr/local/restricted_shell/bin/restricted_shell.py".
   For more information, see Assign shell to user profile.
2. Instruct users to change their passwords to comply with the STIG password complexity and password length rules.
     Minimum password length                                        15 characters
     Percentage of characters that must change on password change   50 (percent)
     Required character types                                       lowercase, numeric, symbol, uppercase
     Repeating character sets                                       not allowed
     Password history                                               Five changes before reuse
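The password rules in the table above as a checker, added here as an example and not OneFS code. Two rules are interpreted as assumptions because the table does not define them: "percentage of characters that must change" is computed as the share of the new password's characters (counted with multiplicity) that do not occur in the old one, and a "repeating character set" is a character repeated three or more times in a row or a substring immediately repeated; the passwords and history used are constructed.

```python
import re
from collections import Counter

# Values taken from the STIG password table in this guide.
MIN_LENGTH = 15
MIN_PERCENT_CHANGED = 50
HISTORY_SIZE = 5

# The four required character types.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "numeric": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def percent_changed(old: str, new: str) -> int:
    """Assumed semantics: share of the new password's characters that are not
    present in the old one, counted with multiplicity, so merely reordering the
    same characters scores as no change."""
    if not old:
        return 100
    unchanged = sum((Counter(old) & Counter(new)).values())
    return (len(new) - unchanged) * 100 // len(new)


def has_repeating_set(pw: str) -> bool:
    """Assumed semantics for 'repeating character sets': the same character three
    or more times in a row (aaa), or a substring of length >= 2 immediately
    repeated (abab, 123123)."""
    return bool(re.search(r"(.)\1\1", pw) or re.search(r"(..+?)\1", pw))


def violations(new: str, old: str = "", history: tuple[str, ...] = ()) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means it is
    acceptable. `old` is the current password, `history` the earlier ones,
    newest first; together they form the reuse window of HISTORY_SIZE."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"length {len(new)} < minimum {MIN_LENGTH}")
    missing = [name for name, rx in CHARACTER_CLASSES.items() if not rx.search(new)]
    if missing:
        problems.append("missing character types: " + ", ".join(sorted(missing)))
    if old:
        changed = percent_changed(old, new)
        if changed < MIN_PERCENT_CHANGED:
            problems.append(f"only {changed}% of characters changed "
                            f"(minimum {MIN_PERCENT_CHANGED}%)")
    if has_repeating_set(new):
        problems.append("repeating character set")
    recent = ([old] if old else []) + list(history)
    if new in recent[:HISTORY_SIZE]:
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(violations("Correct-Horse-9-Battery"))
    print(violations("Correct-Horse-9-Batterz", old="Correct-Horse-9-Battery"))
```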
Maintain compliance after hardening
In a hardened cluster, certain administrative actions could cause noncompliance.
The Hardening Module identifies some noncompliance issues immediately. For example, if any file or local user has an
insufficiently safe password, that account is disabled automatically.
The following steps describe proactive ways for you to catch noncompliance issues and how to correct those issues.
1. After adding new users, changing user profiles, adding zones, or changing cluster configurations, check for noncompliance
   using one of the following methods.
     Option                                        Description
     Run the isi hardening reports                 The hardening reports detect noncompliance and provide enough details for
     view command.                                 you to address the issues.
     Run the isi security check                    You can run this command on demand at any time. It runs the hardening
     command.                                      reports in addition to performing other security checks.
     Run the isi security check                    The isi security check command runs routinely as a cron job.
     command on a scheduled basis.
2. Based on the output of the security reports, bring the cluster back into compliance using one of the following methods.
     Option                                   Description
     Use OneFS commands to manually           Based on the output of the security reports, choose specific OneFS CLI commands to reconfigure
     correct issues.                          noncompliant issues. For example, if the reports show that new user accounts are not in compliance,
                                              use isi auth commands to bring those accounts into compliance. This method provides the following
                                              advantages:
                                              ● It preserves any customized changes that you made after the STIG profile was applied.
                                              ● It offers the freedom to configure the exact values that you need, rather than using the STIG
                                                profile defaults.
     Reapply the STIG profile.                The isi hardening apply command catches all new instances of noncompliance and fixes them.
                                              For example, administrators can add new users without enabling certain hardening profile settings that
                                              are required for STIG compliance. When you reapply the STIG profile, the hardening engine correctly
                                              sets those profile values in the new accounts.
                                              NOTE: This action applies changes uniformly across the cluster. If you made customized changes on
                                              settings that the STIG profile monitors and changes, your customizations are lost when the profile is
                                              reapplied.
Reset configurations to the cluster default values
Administrators can disable an applied profile and reset configurations to the original cluster default settings.
1. Run the isi hardening disable command.
     isi hardening disable STIG
2. Restore SSH access. Do this step before logging out to ensure that you are not locked out.
     isi ssh settings modify --host-key-algorithms='+ssh-dss,ssh-dss-cert-v01@openssh.com'
List profile name and view status
List the profile name and whether it is applied on the cluster.
Run isi hardening list.
 isi hardening list
 Name        Description                                              Status
 --------------------------------------------------------------------------------
  STIG        Enable all STIG security settings (includes STIG_Legacy) Applied
 --------------------------------------------------------------------------------
 Total: 1
The status indicates whether the profile is applied to the cluster. Values are:
Status                Description
Applied               The profile is applied on the cluster. Configuration settings that were not in compliance with rules in the
                      profile were changed.
                          NOTE: Administrators can change configurations after the profile is applied. Use the hardening
                          reports to ensure continuing compliance status.
Not Applied           The profile is not applied on the cluster.
Run hardening compliance reports
Hardening reports list each rule in the profile and show status information about cluster compliance with the hardening rules.
To ensure that your cluster remains compliant with STIG standards, periodically run a hardening report. The hardening report
checks all security configuration settings against the profile requirements. If the current configuration is less strict than the
defined profile value, the report shows that the cluster is out of compliance.
    NOTE: Values that are more strict than the defined profile value are in compliance.
For settings that can potentially be set or changed on a node, the reports show status per node. You can generate default or
detailed (verbose) reports.
● The default report shows the status for each rule per node or clusterwide.
● A verbose report shows the status plus the configured and expected values for each rule, per node or clusterwide.
Noncompliance
Clusters or nodes can become noncompliant by manual changes to settings after a hardening profile is applied. Administrators
with appropriate permissions might change configurations that are less strict than the applied hardening profile values.
To handle noncompliance, you can either:
● Reapply the profile, which resets out of compliance configurations to the value defined in the profile.
● Manually change a configuration so that it is in compliance.
Create report information
Use isi hardening reports create to gather and store detailed information about compliance status. The hardening
engine uses this information later to generate reports.
● A Hardening Module license is required.
● The user must have ISI_PRIV_HARDENING privilege.
The isi hardening reports create command gathers status for all rules on all nodes in the cluster. The information
is stored in /ifs for later use by the hardening engine when it formats requested reports. To update the status information, rerun this
command.
1. Gather compliance status information:
      isi hardening reports create
     This command may take some time to run.
2. To view the results, see the next task.
View hardening report
Use isi hardening reports view to format and print hardening compliance status reports.
● A Hardening Module license is required.
● The user must have ISI_PRIV_HARDENING privilege.
1. Display a default report for rules in the STIG hardening profile.
      isi hardening reports view STIG
     The output defaults to table format. To see additional options, use --help.
     The following example shows the beginning of the report on standard output.
      test-2# isi hardening reports view STIG
      Name                              Location   Status    Setting
      --------------------------------------------------------------------------------
      logout_zsh_clear_screen           Node 1     Applied   /etc/zlogout
      logout_profile_clear_screen       Node 1     Applied   /etc/profile
      logout_csh_clear_screen           Node 1     Applied   /etc/csh.logout
      set_umask_77_root_cshrc           Node 1     Applied   /root/.cshrc
      set_umask_077_root_profile        Node 1     Applied   /root/.profile
      set_umask_77_etc_cshrc            Node 1     Applied   /etc/csh.cshrc
      set_umask_077_etc_profile         Node 1     Applied   /etc/profile
      set_umask_077_etc_login_dot_conf  Node 1     Applied   /etc/login.conf
      set_umask_077_root_zshrc          Node 1     Applied   /root/.zshrc
      require_password_single_user_mode Node 1     Applied   /etc/ttys
      password_min_length_pam_01        Node 1     Applied   /etc/pam.d/system
      password_min_length_pam_02        Node 1     Applied   /etc/pam.d/other
      .
      .
      .
     The following table describes the fields in the report.
     Name                  Description
     Name                  The rule name.
     Location              A node identifier or the word Cluster for clusterwide settings.
     Status                The status of the rule on the node or cluster.
                           ● Applied—The node or cluster is compliant with the rule.
                                  NOTE: This status can appear on clusters that do not have the profile applied to it. This
                                  condition happens because many SRG requirements are accepted best practices that OneFS
                                  implements by default.
                           ● Not Applied—The node or cluster is noncompliant with the rule and the STIG hardening profile is
                             not applied.
                           ● Errors—The system encountered an error while trying to check the status of the rule.
                           To discover more information about node errors, see the next step.
     Setting               The location of the configuration setting that the rule verifies.
2. Display a verbose report in list format for rules in the STIG profile.
     isi hardening reports view STIG --verbose --format list
   The following example shows the beginning of the report on standard output.
     test-2# isi hardening reports view STIG --verbose --format list
           Name: logout_zsh_clear_screen
       Location: Node 1
         Status: Applied
        Setting: /etc/zlogout
        Current: N/A
       Operator: N/A
     Prescribed: N/A
        Message: Text clear was found as expected
     --------------------------------------------------------------------------------
           Name: logout_profile_clear_screen
       Location: Node 1
         Status: Applied
        Setting: /etc/profile
        Current: N/A
       Operator: N/A
     Prescribed: N/A
        Message: Text trap 'clear; echo You are being disconnected from OneFS' EXIT was
     found as expected
     --------------------------------------------------------------------------------
     .
     .
     .
   More rules later in the list illustrate the Current, Operator, and Prescribed fields.
     --------------------------------------------------------------------------------
           Name: disable_webui_access_ran
       Location: Cluster
         Status: Applied
        Setting: webui_ran_access
        Current: False
       Operator: ==
     Prescribed: False
        Message:
     --------------------------------------------------------------------------------
           Name: set_ssh_config_client_alive_interval
       Location: Cluster
         Status: Applied
        Setting: client_alive_interval
        Current: 200
       Operator: ==
     Prescribed: 200
        Message:
     --------------------------------------------------------------------------------
           Name: set_nfs_default_security_flavors
       Location: Cluster
         Status: Applied
        Setting: /protocols/nfs/settings/export:security_flavors
        Current: ['krb5p']
       Operator: ==
     Prescribed: ['krb5p']
        Message:
     --------------------------------------------------------------------------------
     The following table describes the fields in the verbose report.
     Column header         Description
     Name                  The rule name.
     Location              A node identifier or the word Cluster for clusterwide settings.
     Status                The status of the rule on the node or cluster.
                           ● Applied—The node or cluster is compliant with the rule.
                                  NOTE: This status can appear on clusters that do not have the profile applied to it. This
                                  condition happens because many SRG requirements are accepted best practices that OneFS
                                  implements by default.
                           ● Errors—The node or cluster is noncompliant with the rule.
     Setting               The location of the configuration setting that the rule verifies.
     Current               The configured value on the node or cluster setting.
     Operator              The operator used to compare the prescribed value to the current value.
     Prescribed            The value that is expected for compliance.
                           Not Applicable (N/A) means that the configuration cannot be stated as a value. For example, the
                           configuration may be contained in a file.
     Message               Additional information about the rule.
If you make configuration changes, you must rerun isi hardening reports create before those changes are reflected
in the isi hardening reports view output.
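Because the list format above is one labelled field per line with an 80-dash separator between rules, it is easy to post-process. The following is an added example in Python, not code from the OneFS guide or product: it parses that layout (including a Message value wrapped onto a second line), and lists every rule whose Status is not Applied together with its current and prescribed values. The sample report embedded in it is constructed, and the function names are the example's own.

```python
"""Summarise a list-format OneFS hardening report.

Added example, not from the OneFS guide or product: it parses the record layout
of ``isi hardening reports view STIG --verbose --format list`` shown above and
lists the rules that are out of compliance. The sample report and the function
names are this example's own constructions.
"""
from typing import Dict, List

FIELDS = ("Name", "Location", "Status", "Setting",
          "Current", "Operator", "Prescribed", "Message")
SEPARATOR = "-" * 80

# Constructed sample in the guide's record layout: record 1 has a wrapped
# Message line, record 2 has drifted from the prescribed value, and record 3
# is a check the hardening engine could not evaluate.
SAMPLE_REPORT = """\
      Name: logout_profile_clear_screen
  Location: Node 1
    Status: Applied
   Setting: /etc/profile
   Current: N/A
  Operator: N/A
Prescribed: N/A
   Message: Text trap 'clear; echo You are being disconnected from OneFS' EXIT was
found as expected
--------------------------------------------------------------------------------
      Name: set_ssh_config_client_alive_interval
  Location: Cluster
    Status: Not Applied
   Setting: client_alive_interval
   Current: 900
  Operator: ==
Prescribed: 200
   Message:
--------------------------------------------------------------------------------
      Name: set_nfs_default_security_flavors
  Location: Cluster
    Status: Errors
   Setting: /protocols/nfs/settings/export:security_flavors
   Current: N/A
  Operator: ==
Prescribed: ['krb5p']
   Message: setting could not be read on this run (constructed)
--------------------------------------------------------------------------------
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split on the 80-dash separator and build one record per rule."""
    records: List[Dict[str, str]] = []
    fields: Dict[str, str] = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == SEPARATOR:
            if fields:
                records.append({f: fields.get(f, "") for f in FIELDS})
            fields, last_key = {}, ""
            continue
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key:
            # A long value (the guide shows a wrapped Message) continues on the
            # next line without a label; glue it to the field being read.
            fields[last_key] = (fields[last_key] + " " + line).strip()
    if fields:  # tolerate output with no trailing separator
        records.append({f: fields.get(f, "") for f in FIELDS})
    return records


def noncompliant(records: List[Dict[str, str]]) -> List[str]:
    """One line per rule whose Status is not Applied. Rules with a stated
    Prescribed value show current vs. expected; N/A rules are file-content
    checks, so their Message is the only detail available."""
    lines = []
    for r in records:
        if r["Status"] == "Applied":
            continue
        detail = (f'current {r["Current"]} {r["Operator"]} expected {r["Prescribed"]}'
                  if r["Prescribed"] != "N/A" else r["Message"] or "see report")
        lines.append(f'{r["Status"]}: {r["Name"]} [{r["Location"]}] '
                     f'{r["Setting"]}: {detail}')
    return lines


if __name__ == "__main__":
    print("\n".join(noncompliant(parse_report(SAMPLE_REPORT))))
```

On a cluster, feed the script the saved output of the view command instead of SAMPLE_REPORT; remember that the report only reflects the last isi hardening reports create run.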
Recurring security checks
OneFS runs recurring security checks that include verifications of the STIG hardening profile settings.
The security check does the following:
● It runs the hardening compliance reports to check the current configuration against the STIG hardening profile.
● It runs the checks in the security checklist in the OneFS HealthCheck utility.
● It runs the periodic(8) FreeBSD security checks.
The security check runs automatically and on-demand:
● The security check is a cron job. The job runs across the cluster on the first day of each month, at 12:20 am.
● The security check runs automatically on a node at every reboot.
● Administrators can run a security check on demand with the isi security check start command or PAPIs. These
  security checks can run across the cluster or on a specified list of nodes.
To see the results of the latest security check, use the isi security check report view command.
The default action when anomalies are discovered is to issue a CELOG event. You can change the default action using the isi
security check settings modify command. The supported actions are:
● Send a CELOG event.
● Reboot the affected node.
● Shut down the affected node.
For more information about the security check, how to configure options, and how to run an on-demand security check, see
Security checks and verifications.
Chapter 5: FIPS Standards and Compliance
This chapter describes how OneFS supports the FIPS 140-2 standard.
Topics:
•   FIPS 140-2 compliance
•   Enable FIPS mode
•   Disable FIPS mode
•   Verify and reset FIPS mode
•   Certified cryptographic modules
•   FIPS and SSO
FIPS 140-2 compliance
You can configure a OneFS cluster to use FIPS cryptographic modules by following the instructions in this chapter.
Federal Information Processing Standard (FIPS) 140-2 defines United States federal government security requirements for
cryptographic modules. FIPS defines four levels of security that protect sensitive but unclassified information in IT systems. To
learn more about FIPS 140, see the FIPS 140 publication in Appendix A.
Enabling FIPS mode does the following:
● It enforces FIPS cryptography by enabling the FIPS cryptographic algorithms and restarting appropriate services that use
  them. See the section "Certified cryptographic modules" for a list of OneFS modules that support FIPS cryptography.
       NOTE: The services that do not support FIPS remain running after FIPS mode is enabled. You may optionally disable
       those services.
● It configures OpenSSL to support FIPS.
For lists of the FIPS algorithms that FIPS mode supports, see:
● Cryptographic inventory for HTTPS in FIPS enabled mode
● Cryptographic inventory for OpenSSH in FIPS enabled mode
You can enable and disable FIPS mode using the CLI or PAPI.
    NOTE: The STIG hardening profile enables FIPS mode and also disables the services that do not support FIPS. For more
    information about the STIG profile, see the chapter "United States Federal and DoD Standards and Compliance".
Enable FIPS mode
Enable the cluster to use FIPS related cryptographic algorithms.
1. Log in to OneFS with ISI_PRIV_CLUSTER privilege.
2. Enable FIPS mode.
     isi security settings modify --fips-mode-enabled=true
    The --fips-mode-enabled option acts as a switch, ensuring that all FIPS-related configurations are either set for FIPS
    mode or returned to their non-FIPS mode system defaults.
3. Update SSH key exchange algorithms.
      isi ssh settings modify --kex-algorithms 'diffie-hellman-group16-sha512,diffie-hellman-group16-sha512,ecdh-sha2-nistp384'
4. Update SSH ciphers.
      isi ssh settings modify --ciphers 'aes256-ctr,aes256-gcm@openssh.com'
5. Update SSH host key algorithms and accepted key types.
      isi ssh settings modify --host-key-algorithms 'ecdsa-sha2-nistp384'
      isi_for_array 'yes | /usr/local/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -b 384 -N ""'
      isi ssh settings modify --pubkey-accepted-key-types 'ssh-rsa'
6. Update SSH message authentication codes (MACs).
      isi ssh settings modify --macs 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
7. Restore SSH access. Do this step before logging out to ensure that you are not locked out.
      isi ssh settings modify --host-key-algorithms='+ssh-dss,ssh-dss-cert-v01@openssh.com'
Disable FIPS mode
You can return the cluster to non-FIPS mode. You can return the cryptographic set to the non-FIPS default.
1. Log in to OneFS with ISI_PRIV_CLUSTER privilege.
2. Disable FIPS mode or ensure that cryptography is set to the system default.
      isi security settings modify --fips-mode-enabled=false
     If cryptography was changed on the cluster, you can always return to the default set by reissuing --fips-mode-enabled=false,
     even if the mode is already false.
3. Restore SSH access. Do this step before logging out to ensure that you are not locked out.
      isi ssh settings modify --host-key-algorithms='+ssh-dss,ssh-dss-cert-v01@openssh.com'
All cryptographic modules are returned to their system default values.
Verify and reset FIPS mode
Ensure that FIPS settings remain accurate.
1. Log in to OneFS with ISI_PRIV_CLUSTER privilege.
2. View the current FIPS mode setting.
      isi security settings view
     It is possible for authorized administrators to change some FIPS-related configurations individually using other commands.
     Those independent actions can make the cluster noncompliant. For example, the isi ssh command can change the
     cryptographic algorithms in use to a noncompliant set even when FIPS mode is enabled. In that case, the output of the isi
     security settings view command may not accurately reflect the true state of FIPS compliance.
3. Reset FIPS mode to ensure FIPS settings.
     You can ensure FIPS settings by periodically reissuing the isi security settings modify --fips-mode-enabled=true
     command at any time to reset all configurations.
      isi security settings modify --fips-mode-enabled=true
4. Verify that the ssh cryptographic settings are accurate.
      isi ssh settings view
    Compare the cryptographic algorithms in the output to the ones that are listed in Enable FIPS mode. If there are any
    differences, use isi ssh settings modify to update the algorithms.
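The comparison in step 4 can be scripted so that drift is caught the same way each time. The following is an added example in Python, not code from the OneFS guide or product: it holds the algorithm lists from the "Enable FIPS mode" steps, compares them with a snapshot of the four settings as read back from isi ssh settings view (the snapshot here is constructed), and emits the isi ssh settings modify command for each drifted option. It assumes that a leading '+' in a value has the OpenSSH meaning of appending to the built-in defaults; the function names are its own.

```python
"""Compare OneFS SSH algorithm settings with the FIPS lists in "Enable FIPS mode".

Added example, not from the OneFS guide or product. EXPECTED holds the
algorithm sets the guide's steps 3 to 6 configure; CURRENT_SETTINGS is a
constructed snapshot of the values an administrator would read back with
``isi ssh settings view``. Function names are this example's own.
"""
from typing import Dict, List, Set, Tuple

# Algorithm lists from the guide's "Enable FIPS mode" steps, keyed by the
# isi ssh settings modify option that sets each one.
EXPECTED: Dict[str, str] = {
    "kex-algorithms": "diffie-hellman-group16-sha512,ecdh-sha2-nistp384",
    "ciphers": "aes256-ctr,aes256-gcm@openssh.com",
    "host-key-algorithms": "ecdsa-sha2-nistp384",
    "macs": ("hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,"
             "hmac-sha2-256-etm@openssh.com"),
}

# Constructed snapshot: the cipher list gained a non-FIPS cipher, and the
# host-key list is the '+'-prefixed value from the "Restore SSH access" step.
CURRENT_SETTINGS: Dict[str, str] = {
    "kex-algorithms": "diffie-hellman-group16-sha512,ecdh-sha2-nistp384",
    "ciphers": "aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
    "host-key-algorithms": "+ssh-dss,ssh-dss-cert-v01@openssh.com",
    "macs": ("hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,"
             "hmac-sha2-256-etm@openssh.com"),
}


def split_list(value: str) -> Tuple[bool, Set[str]]:
    """Return (appends_to_defaults, names). A leading '+' is the OpenSSH
    convention for appending to the built-in default set (assumed here to hold
    for these OneFS settings), so the effective list then also contains
    defaults that this value alone does not show."""
    appends = value.startswith("+")
    names = {n.strip() for n in value.lstrip("+").split(",") if n.strip()}
    return appends, names


def fips_ssh_findings(current: Dict[str, str],
                      expected: Dict[str, str] = EXPECTED) -> List[str]:
    """Return one finding per deviation; an empty list means every option
    matches the set the "Enable FIPS mode" steps configure."""
    findings: List[str] = []
    for option, want in expected.items():
        _, allowed = split_list(want)
        if option not in current:
            findings.append(f"{option}: not present in snapshot")
            continue
        appends, have = split_list(current[option])
        if appends:
            findings.append(f"{option}: value starts with '+', so unlisted "
                            f"default algorithms are enabled as well")
        extra = sorted(have - allowed)
        if extra:
            findings.append(f"{option}: not in FIPS list: {', '.join(extra)}")
        missing = sorted(allowed - have)
        if missing:
            findings.append(f"{option}: expected but absent: {', '.join(missing)}")
    return findings


def remediation(findings: List[str],
                expected: Dict[str, str] = EXPECTED) -> List[str]:
    """The isi ssh settings modify command that resets each drifted option
    to its FIPS list, in the form the guide's steps use."""
    drifted = sorted({f.split(":", 1)[0] for f in findings})
    return [f"isi ssh settings modify --{opt} '{expected[opt]}'" for opt in drifted]


if __name__ == "__main__":
    found = fips_ssh_findings(CURRENT_SETTINGS)
    print("\n".join(found) or "SSH settings match the FIPS lists")
    print("\n".join(remediation(found)))
```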
Certified cryptographic modules
OneFS uses validated cryptographic modules.
The National Institute of Standards and Technology (NIST) participates in the Cryptographic Module Validation Program
(CMVP). The CMVP promotes the use of validated cryptographic modules. It provides Federal agencies with a security
metric to use in procuring equipment containing validated cryptographic modules. For information about CMVP, see
https://csrc.nist.gov/projects/cryptographic-module-validation-program.
When FIPS mode is enabled, OneFS uses validated modules in the following areas:
●   NTP server
●   HTTP server
●   SSH server
●   CloudPools
●   Key Manager
In addition, all self-encrypting drives (SEDs) within PowerScale platforms use firmware that is FIPS 140-2 validated. For more
information, see the Data-at-Rest Encryption white paper.
FIPS and SSO
FIPS mode and SSO are independent of each other and compatible with each other in OneFS. No special procedures or
configurations are required.
Chapter 6: Security Best Practices
Topics:
•    Overview
•    General cluster security best practices
•    Login, authentication, and privileges best practices
•    SNMP security best practices
•    SSH security best practices
•    Data-access protocols best practices
•    Web interface security best practices
Overview
Administrators can maximize security on PowerScale clusters using the best practices here. Consider these recommendations in
the context of your specific business policies and use cases.
Although root-level privileges are required to perform many of these procedures, the following options are available instead:
● Restrict the root account, and use an RBAC account with root privileges.
● Restrict the root account, and use the sudo command with privilege elevation.
If a procedure requires you to "log in as root," you must log in using a business-authorized privileged account. Examples are root,
an RBAC account with root privileges, or sudo.
     NOTE:
     Ensure that the latest security updates are installed. For more information, see the PowerScale OneFS Current Patches
     document on the Dell support site.
Persistence of security settings
Some of these best practice configurations do not persist after OneFS is upgraded, and might not persist after a patch for
OneFS is applied. For best results, track which best practices you implement, so that if the settings do not persist, you can
configure them again.
The following table lists all the best practices that are described in this chapter. Use the second column to record the security
settings that you implement on the cluster.
Table 10. List of best practices
Security setting                                                               Implemented on cluster?
General cluster best practices
         Protect /ifs and /ifs/data
         Set BIOS password for node physical security
         Set iDRAC user passwords
         Disable USB boot on nodes
         Create a login message
         Change password on backend switches
         Consider implementing UEFI secure boot
         Confirm install authenticity and integrity
         Set a timeout for idle CLI sessions
         Set a timeout for idle SSH sessions
         Forward audited events to a remote server
         Set firewall security
         Disable OneFS services that are not in use
         Configure WORM directories using SmartLock
         Back up cluster data
         Specify an NTP time server
Login, authentication, and privileges best practices
         Restrict root logins to the cluster
         Use RBAC accounts instead of root
         Disable the root account for SSH sessions
         Privilege elevation: Assign select root-level privileges to nonroot users
         Use zones other than System zone for protocol access
         Restrict authentication by external providers
         Use secure connections to LDAP server
         Set password policy
SNMP best practices
         Use SNMPv3 for cluster monitoring
         Keep SNMP disabled except for SNMP monitoring
         Change default community string for SNMPv2
SSH best practices
         Restrict SSH access to specific users and groups
         Disable root SSH access to the cluster
Data-access protocols best practices
        Use a trusted network to protect files and authentication credentials that are sent in cleartext
        Use compensating controls to protect authentication credentials that are sent in cleartext
        Use compensating controls to protect files that are sent in cleartext
        Initial Sequence Numbers (ISNs) through TCP connections
        FTP best practices
        HDFS best practices
        HTTP file protocol best practices
        NFS best practices
        SMB best practices
        SMB signing
        Swift access
Web interface best practices
        Replace the TLS certificate
        Remove persistent older versions of TLS
General cluster security best practices
The following general security recommendations can be applied to any cluster.
Protect /ifs and /ifs/data
Ensure that permissions on the /ifs and /ifs/data directories are set to 755. This setting preserves administrative write
permissions and prevents unintended access.
For new installations of OneFS 9.3.0.0 and later, the recommended permission of 755 is set by default.
For upgrades to OneFS 9.3.0.0 and later from earlier releases, the upgrade does not change the permissions from the current
setting. If you are doing an upgrade, check the permissions on /ifs and /ifs/data. If needed, change the permissions as
follows:
 chmod 755 /ifs /ifs/data
 chmod +a# 1 group admin allow dir_gen_write,std_write_dac,delete_child /ifs /ifs/data
 chmod +a# 1 user compadmin allow dir_gen_write,std_write_dac,delete_child /ifs /ifs/data
Set BIOS password for node physical security
There are many disruptive changes that could occur with BIOS access. Dell Technologies recommends that you protect the
physical security of a node by setting a password to secure access to BIOS operations. The steps to set a password are
different for various node models.
Set BIOS password using BIOS options
These steps apply to the following nodes. For other nodes, see the next sections.
F-Series: F800, F810
H-Series: H400, H500, H600, H5600, H700, H7000
A-Series: A200, A2000, A300, A3000
1. Reboot.
2. F2 (to enter Setup).
3. Use arrows to select Security.
4. Select Administrator Password.
5. For Create New Password, enter the new password.
6. For Confirm New Password, reenter the new password.
7. F4 (Save and Exit).
Set BIOS password using iDRAC
The following nodes have an Integrated Dell Remote Access Controller (iDRAC) for management purposes. These steps apply to
those nodes.
F-series: F200, F600, F900
1. Log in to iDRAC.
2. Select Configuration.
3. Select BIOS Settings.
4. Expand System Security.
5. Enter password in Setup Password.
6. Reenter password in Confirm Setup Password.
7. Click Apply.
8. Click Apply And Reboot.
Set BIOS password using BIOS options on older supported nodes
These steps apply to the following nodes.
A-Series: A100
S-Series: S210
X-Series: X210, X410
HD-Series: HD400
NL-Series: NL410
1. Reboot.
2. F2 (to enter Setup).
3. Use arrows to select Security.
4. Select Set Administrator Password.
5. In Create New Password, enter the new password.
6. In Confirm New Password, reenter the new password.
7. F10 (Save).
8. ESC (Exit).
Set iDRAC user passwords
The following nodes have an Integrated Dell Remote Access Controller (iDRAC) for management purposes.
F-series: F200, F600, F900
There are many disruptive changes that could occur with iDRAC access. Dell Technologies recommends that you protect the
physical security of nodes with iDRACs by setting passwords to secure access to iDRAC operations.
1. Log in to iDRAC.
2. Select iDRAC Settings.
3. Select Users.
4. For each user, ensure that a password is set and that it is a secure nondefault password.
Disable USB ports across the cluster
USB ports are enabled on all Isilon and PowerScale nodes by default. Dell recommends that you disable the USB ports on all
nodes as a security best practice.
     NOTE: The STIG hardening profile disables all USB ports.
A disabled USB port prevents USB devices from interacting with OneFS. By disabling USB ports, you prevent unauthorized
copying of data onto USB storage devices. A CLI command can disable (or enable) all USB ports across the cluster.
Manage all USB ports across the cluster.
Disable all USB ports:
 isi security settings modify --usb-ports-disabled=true
Enable all USB ports:
 isi security settings modify --usb-ports-disabled=false
Enable and disable USB ports on individual nodes
USB boot ports are enabled on all Isilon and PowerScale nodes by default. Dell Technologies recommends that you disable the
USB ports on all nodes across the cluster for security reasons. If you need a USB port to update the OneFS version, reimage a
node, or perform a field replaceable unit (FRU) operation, you can temporarily reenable the port on an individual node.
The steps to manually enable (and disable) USB ports on individual nodes are different for the various node types.
Enable (or disable) USB boot with BIOS
These steps apply to the following node types.
F-Series: F800, F810
H-Series: H400, H500, H600, H5600, H700, H7000
A-Series: A200, A2000, A300, A3000
1. Reboot the node.
2. F2 to enter Setup.
3. Use arrows to move to Advanced.
4. Select USB Configuration.
5. Select USB Mass Storage Driver or USB Mass Storage Driver Support.
        NOTE: The field is labeled differently on different nodes.
6. Select Enabled to enable the port, or Disabled to disable the port.
7. F4 to Save and Exit.
Enable (or disable) USB boot with iDRAC
These steps apply to nodes that have an Integrated Dell Remote Access Controller (iDRAC) for management purposes. The
node types with an iDRAC are:
F-series: F200, F600, F900
1. Log in to iDRAC.
2. Select Configuration.
3. Select BIOS Settings.
4. Expand Integrated Devices.
5. In User Accessible USB Ports:
   ● Select All Ports On to enable.
   ● Select All Ports Off to disable.
6. Click Apply.
7. Click Apply And Reboot.
Enable (or disable) USB boot with BIOS on older supported nodes
These steps apply to the following node types.
A-Series: A100
S-Series: S210
X-Series: X210, X410
HD-Series: HD400
NL-Series: NL410
1. Reboot.
2. F2 (to enter Setup).
3. Use arrows to move to Boot Options.
4. Select USB Boot Priority.
5. Select Enabled to enable the port or Disabled to disable the port.
6. F10 (Save).
7. ESC (Exit).
Enable (or disable) USB boot with OneFS
You may be able to use OneFS commands to disable or enable USB boot for a local node or across a PowerScale cluster. These
instructions apply to nodes that support the isi_config_usb command.
To locate the command:
 # /usr/bin/isi_hwtools/isi_config_usb
 usage: isi_config_usb [-h] [--nodes NODES] --mode {display,on,off}
 isi_config_usb: error: argument --mode is required
 #
    NOTE: As indicated in the output, the --mode argument is always required.
● isi_config_usb --mode {display,on,off} is supported on the following nodes running OneFS 9.2.1.0 and later.
    F-series: F200, F600, F900
    H-Series: H700, H7000
    A-Series: A300, A3000
● isi_config_usb --mode {display,on,off} is supported on some nodes running earlier releases. If you try running
  the command and receive an error, the command is not supported for the node and software combination. In that case, use
  the BIOS procedure above.
To disable USB boot on the local node:
 isi_config_usb --mode off
 reboot
To disable USB boot across the cluster, for all nodes that support the isi_config_usb command:
 isi_config_usb --nodes all --mode off
 isi cluster reboot --node-lnn all
To enable USB boot on the local node:
 isi_config_usb --mode on
 reboot
To enable USB boot across the cluster, for all nodes that support the isi_config_usb command:
 isi_config_usb --nodes all --mode on
 isi cluster reboot --node-lnn all
Create a login message
A login message appears as a separate box on the login page of the OneFS web administration interface. The message also
appears at the end of the introductory text on the command-line interface after a user logs in.
A login message is a best practice. The login message can convey information, instructions, or warnings that a user should know
before using the cluster.
     NOTE: Login messages convey policy information and are typically written with a legal team.
For additional information and instructions for creating the login message, see the section "Login banner configuration".
Change password on backend switches
To ensure backend switch security, change the default password on backend switches.
PowerScale OneFS ships with hard-coded default usernames and passwords for access to backend switches. The hard-coded
defaults in OneFS are due to Dell Networking OS10 use of hard-coded default credentials. For security, you should change the
backend switch password to a value other than the default. To do so, you must change the password values on the switches
and in OneFS.
OneFS stores the changed backend switch credentials in the OneFS Key Manager. If no values are stored in Key Manager,
OneFS continues to use the shipped default credentials.
1. Change the password on the backend switches.
     a. Reenter the command for setting the administrator username, and use a new password.
         OS10(config)# username admin password newpassword@1 role sysadmin
     b. Repeat on each backend switch.
            NOTE: All switches must be configured to use the same credential values.
            NOTE: In a leaf-spine architecture:
            ● Change the password on all the leaf switches.
            ● It is not required to change the password on the spine switches. If you do change them, there are no negative
              effects.
2. Change the credentials in OneFS:
   a. Log in to any node in the OneFS cluster.
   b. Run this command:
        sudo isi_config_be_cred -u <username> -p <password>
   OneFS verifies that the new credentials are valid on all backend switches before successfully changing the values in Key
   Manager. For example:
    Accelerator9-1# sudo isi_config_be_cred -u admin -p admin
     Verifying credentials ...
     Switch credentials valid on int -a
     Switch credentials valid on int -b
    Credentials saved to Keymanager.
    Both isi_dump_fabric int -a | int -b commands are operational
    again.
UEFI secure boot
UEFI secure boot verifies the authenticity of the OneFS software at every reboot of any node that enables the feature. If any of
the cited checks fail, UEFI secure boot prevents the system from booting. Secure boot is turned off by default on PowerScale
nodes.
When secure boot is enabled on a node, the node firmware uses a sha256 hash to check the authenticity of the OneFS software
at every reboot. The firmware verifies the following items at each reboot:
● Checks whether kernel modules and operating system start-up files are altered.
● Checks whether the manifest was altered.
● Checks OneFS authenticity.
The OneFS software package is signed by default with a Dell Technologies encryption key. A separate installation package for
secure boot is not required.
Consider the following to decide whether to enable secure boot:
● Secure boot is an optional feature that offers an enhanced layer of security to a data center.
● A PowerScale cluster can include nodes with secure boot enabled and nodes with secure boot disabled.
● Secure boot must be enabled individually on each node.
Secure boot is turned off by default. You can enable it through the BIOS during OneFS boot or reboot. Instructions for each
node type follow. Also see https://infohub.delltechnologies.com/section-assets/h18941-powerscale-onefs-secure-boot-wp.
Supported node types and prerequisites for UEFI secure boot
UEFI secure boot is supported on the following node types when those nodes are running the required OneFS version and node
firmware package (NFP).
Table 11. Required software and firmware for UEFI secure boot
Supported nodes             Required OneFS         Required NFP              Required actions for using secure boot
                            version
A2000                       9.3.0.0 or later       11.4 or later             1. If needed, upgrade OneFS and the NFP.
                                                                             2. Enable secure boot.
A300, A3000                 9.3.0.0 or later       11.4 or later             1. If needed, upgrade OneFS and the NFP.
H700, H7000                                                                  2. Enable secure boot.
The following nodes         9.3.0.0 or later       11.4 or later             1. If needed, upgrade OneFS and the NFP.
preexisting in a cluster:                                                    2. Manually change the BIOS.
B100                                                                         3. Enable secure boot.
F200, F600, F900
P100
The following nodes,       9.4.0.0 or later           11.4 or later            1. Enable secure boot.
shipped new with           installed at the factory                                NOTE: The BIOS changes were performed at
OneFS 9.4.0.0:                                                                     the factory.
B100
F200, F600, F900
P100
Use the following references to prepare nodes for UEFI secure boot:
● To upgrade the OneFS version, see the PowerScale OneFS Upgrade Guide.
● To upgrade the NFP, see the firmware release notes:
  1. On the Dell Support site PowerScale page, click the Downloads tab.
  2. In the version box, select only the top-level button. Do not select a specific OneFS version.
  3. In the list of available downloads, click the name of the Node Firmware Package.
  4. Click Related Content to see the Release Notes.
● To make required changes to the BIOS on preexisting B100, F200, F600, F900, and P100 nodes, contact Customer Support.
● To enable (or disable) secure boot on any node, see the next section, Enable and disable UEFI secure boot.
Enable and disable UEFI secure boot
You can enable or disable secure boot in the BIOS during initial boot up or a reboot.
1. Ensure that the nodes are running the required OneFS and NFP versions, as listed in Supported node types and prerequisites
   for UEFI secure boot.
2. (Optional but recommended) To prevent unauthorized disabling of secure boot, set a BIOS password on nodes that are
   enabled with secure boot. For detailed steps, see Set BIOS password for node physical security.
Using the BIOS user interface, perform the following procedure individually on each node for which you want to enable UEFI
secure boot.
1. During firmware loading, press F2 to interrupt the loader.
        NOTE: If you see the OK prompt with a blinking cursor, you were too late. Type reboot to start over.
2. Select Security > Secure boot.
3. Set secure boot to Enabled or Disabled.
4. Disable CSM support on the A2000, A300, A3000, H700, and H7000 nodes.
        NOTE: This step is required for the listed nodes.
     a. Select Advanced > CSM Configuration.
     b. Set CSM Support to Disabled.
5. Select Save.
   The loading process proceeds.
Determine if secure boot is enabled
The EFI boot loader generates messages that describe whether secure boot is enabled or disabled.
Secure boot disabled      When secure boot is disabled, the following settings are reported:
                            SecureBoot: 0, SetupMode: 0
Secure boot enabled       When secure boot is enabled, the following settings are reported:
                            SecureBoot: 1, SetupMode: 0
Interpret secure boot verification messages
Secure boot issues messages indicating secure boot status and verification results.
Secure boot disabled
When secure boot is disabled, the following settings are reported:
 SecureBoot: 0, SetupMode: 0
Those settings are followed by messages similar to:
 /boot/manifest.rcerts: Validation failed, err = 54
 Unverified <module-name>.ko
Those messages are normal when secure boot is disabled. The firmware cannot verify software.
Secure boot enabled, verification successful
When secure boot is enabled, the following settings are reported:
 SecureBoot: 1, SetupMode: 0
Those settings are followed by messages indicating whether verification was successful or not. Successful verification messages
look similar to:
 verify loader.lua, cli.lua, config.lua, hook.lua, core.lua, color.lua,
 password.lua, screen.lua
 verify /boot/kernel.amd64/isi_glue_lz4.ko
Secure boot enabled, verification not successful
When secure boot is enabled, the following settings are reported:
 SecureBoot: 1, SetupMode: 0
The following types of messages indicate failed verifications:
 /boot/kernel.amd64/isi_glue_lz4.ko: sha256 hash != manifest hash
 panic: cannot continue
 Unverified /boot/lua/../manifest (Dell Technologies Inc.)
 Startup error in /boot/lua/loader.lua:
 LUA ERROR: cannot open /boot/lua/loader.lua: no error.
 Unverified /boot/lua/../manifest (Dell Technologies Inc.)
 Startup error in /boot/lua/loader.lua:
 LUA ERROR: cannot open /boot/lua/loader.lua: no error.
The previous messages indicate a corrupted, changed, or attacked software package. Contact Dell Technologies Support.
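To turn the loader messages above into something a console-log collector can alert on, here is an added Python example (not Dell's code, not part of OneFS) that classifies a captured boot transcript into disabled, verified or failed and lists what the firmware refused. The sample transcripts are constructed from the message formats quoted in this section; the module name isi_glue_lz4.ko is the one the guide shows.

```python
import re

# Patterns taken from the loader messages quoted in this section.
STATUS_RE = re.compile(r"SecureBoot:\s*(?P<sb>[01]),\s*SetupMode:\s*(?P<sm>[01])")
VERIFY_RE = re.compile(r"^verify\s+(?P<items>.+)$")
# The wrapped tail of a 'verify a, b, c,' line: comma-separated names and nothing else.
CONTINUATION_RE = re.compile(r"^[\w./-]+(?:,\s*[\w./-]+)*,?$")
# Each failure pattern captures what the loader is complaining about.
FAILURE_RES = [
    re.compile(r"^(?P<what>\S+): sha256 hash != manifest hash"),
    re.compile(r"^Unverified\s+(?P<what>\S+)"),
    re.compile(r"^(?P<what>\S+): Validation failed, err = \d+"),
    re.compile(r"^Startup error in (?P<what>[^:\s]+)"),
    re.compile(r"^(?P<what>panic): cannot continue"),
    re.compile(r"^(?P<what>LUA ERROR):"),
]


def _split_items(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]


def classify_boot_log(text):
    """Classify one node's EFI loader transcript.

    state: 'unknown'  - no SecureBoot/SetupMode line seen
           'disabled' - SecureBoot: 0 (Unverified/Validation failed lines are expected noise)
           'verified' - SecureBoot: 1 and no failure indicator
           'failed'   - SecureBoot: 1 plus a hash mismatch, Unverified file, panic or Lua error
    """
    secure_boot = setup_mode = None
    verified, failures = [], []
    after_verify = False  # True while we may still be inside a wrapped 'verify' list
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            after_verify = False
            continue
        m = STATUS_RE.search(line)
        if m:
            secure_boot = m.group("sb") == "1"
            setup_mode = m.group("sm") == "1"  # the guide's examples always show SetupMode: 0
            after_verify = False
            continue
        m = VERIFY_RE.match(line)
        if m:
            verified.extend(_split_items(m.group("items")))
            after_verify = True
            continue
        if after_verify and CONTINUATION_RE.match(line):
            verified.extend(_split_items(line))
            continue
        after_verify = False
        for pattern in FAILURE_RES:
            m = pattern.match(line)
            if m:
                failures.append((m.group("what"), line))
                break
    if secure_boot is None:
        state = "unknown"
    elif not secure_boot:
        state = "disabled"
    elif failures:
        state = "failed"
    else:
        state = "verified"
    return {"state": state, "setup_mode": setup_mode,
            "verified": verified, "failures": failures}


def needs_escalation(text):
    """True when the firmware refused to trust the software with secure boot on:
    the case the guide says to report to Dell Technologies Support."""
    return classify_boot_log(text)["state"] == "failed"


# Constructed transcripts built from the message formats quoted in the guide.
LOG_DISABLED = """\
SecureBoot: 0, SetupMode: 0
/boot/manifest.rcerts: Validation failed, err = 54
Unverified isi_glue_lz4.ko
"""
LOG_VERIFIED = """\
SecureBoot: 1, SetupMode: 0
verify loader.lua, cli.lua, config.lua, hook.lua, core.lua, color.lua,
password.lua, screen.lua
verify /boot/kernel.amd64/isi_glue_lz4.ko
"""
LOG_FAILED = """\
SecureBoot: 1, SetupMode: 0
/boot/kernel.amd64/isi_glue_lz4.ko: sha256 hash != manifest hash
panic: cannot continue
Unverified /boot/lua/../manifest (Dell Technologies Inc.)
Startup error in /boot/lua/loader.lua:
LUA ERROR: cannot open /boot/lua/loader.lua: no error.
"""

if __name__ == "__main__":
    for name, log in (("disabled", LOG_DISABLED), ("verified", LOG_VERIFIED), ("failed", LOG_FAILED)):
        print(name, "->", classify_boot_log(log)["state"])
```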
Verify install package authenticity
Verify the authenticity of a software package before running an upgrade or patch.
On-cluster verification on OneFS 9.4.0.0 and later
The OneFS Catalog stores upgrade, patch, and DSP packages. All packages are securely stored as artifacts in
the /ifs/.ifsvar/catalog directory, and each artifact has an ID that corresponds to the package SHA256 hash. The
packages are verified against included certificates. The upgrade procedures use packages from the OneFS Catalog.
Administrators use the isi upgrade catalog command to interact with the OneFS Catalog. They can list the contents of
the catalog, import and export packages, verify packages, and remove packages.
For usage instructions, see the OneFS Catalog section under the Cluster maintenance section in the "General cluster
administration" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
On-cluster verification on OneFS versions earlier than 9.4.0.0
The OneFS Catalog was introduced in OneFS 9.4.0.0. If you are upgrading from a version earlier than 9.4.0.0, the PowerScale
OneFS Security Configuration Guide for OneFS 9.3.0.0 or earlier includes instructions for verifying an upgrade package.
Off-cluster verification
If your site requires verification before the packages are moved to the OneFS cluster, contact Dell Technologies Support for
instructions.
Set a timeout for idle CLI sessions (CLI)
The timeout value is the maximum period after which an inactive CLI user session is terminated. This timeout applies to both
SSH connections and serial console connections that are running directly in the defined shells.
For additional security, it is recommended that you also configure an idle SSH session timeout (see the Set a timeout for idle
SSH sessions section of this guide). If you configure both timeouts, the shorter timeout applies to SSH sessions only.
    NOTE: These changes take effect for all new shell logins for all existing and new users. The changes do not affect existing
    login sessions until the user logs out and logs in again.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Create a backup directory by running the following command:
      mkdir /ifs/data/backup/
3. Set the permissions on the backup directory to 700:
      chmod 700 /ifs/data/backup
4. Check whether the /etc/profile file exists on every node in the cluster:
      isi_for_array 'test -f /etc/profile || echo /etc/profile \
      missing on node `hostname`'
     If the file exists on every node in the cluster, there is no output. If the file does not exist on every node, the output displays
     which nodes do not contain the file.
5. Perform one of the following actions:
   ● If the file exists on every node in the cluster, make a working copy and a backup copy in the /ifs/data/backup
      directory:
       a. Run this command:
            cp /etc/profile /ifs/data/backup/profile
       b. Check if a file with the name profile.bak exists in the backup directory.
              CAUTION: If so, decide if you can safely overwrite the existing file. To save the old backups, rename
              the new file with a timestamp or other identifier.
       c. Run this command:
            cp /etc/profile /ifs/data/backup/profile.bak
   ● If the file does not exist on every node in the cluster, the integrity of the OneFS installation is in doubt. Stop here and
     contact Dell Technologies Support to check the OneFS installation on the node. This file is part of a normal installation,
     and you should understand how and why it was removed.
6. Open the /ifs/data/backup/profile file in a text editor.
7. Add the following lines at the end of the file, after the # End Isilon entry. Replace <seconds> with the timeout value in
   seconds. For example, a 10-minute timeout would be 600 seconds.
     # Begin Security Best Practice
     # Set shell idle timeout to <seconds> seconds
     TMOUT=<seconds>
     export TMOUT
     readonly TMOUT
     # End Security Best Practice
8. Confirm that the changes are correct. Then save the file and exit the text editor.
9. Check whether the /etc/zprofile file exists, and then do one of the following things:
   ● If the file exists, run the following commands to create a working and a backup copy in the /ifs/data/backup
      directory:
        cp /etc/zprofile /ifs/data/backup/zprofile
        cp /etc/zprofile /ifs/data/backup/zprofile.bak
           NOTE: If the zprofile.bak file name exists in the backup directory, decide whether to overwrite the existing
          backups or save the old backups. To save the old backups, rename the new file with a timestamp or other identifier.
   ● If the file does not exist, create it in the /ifs/data/backup directory:
        touch /ifs/data/backup/zprofile
10. Open the /ifs/data/backup/zprofile file in a text editor.
11. Add the same lines that you added to the /ifs/data/backup/profile file, where <seconds> is the timeout value in
    seconds. Add these lines at the end of the file:
     # Begin Security Best Practice
     # Set shell idle timeout to <seconds> seconds
     TMOUT=<seconds>
     export TMOUT
     readonly TMOUT
     # End Security Best Practice
12. Confirm that the changes are correct. Then save the file and exit the text editor.
13. Set the permissions on both files to 644 by running the following command:
     chmod 644 /ifs/data/backup/profile /ifs/data/backup/zprofile
14. Run the following two commands to copy the two files to the /etc directory on all the nodes in the cluster:
      isi_for_array 'cp /ifs/data/backup/profile /etc/profile'
      isi_for_array 'cp /ifs/data/backup/zprofile /etc/zprofile'
15. (Optional) Delete the working and backup copies from the /ifs/data/backup directory:
      rm /ifs/data/backup/profile /ifs/data/backup/profile.bak \
      /ifs/data/backup/zprofile /ifs/data/backup/zprofile.bak
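Steps 7 and 11 add the same block to two files. As an added Python helper (not part of the guide or of OneFS) that you could run against the working copies in /ifs/data/backup before step 14, the function below appends the block at the end of the file, replaces an earlier copy of it if the procedure is re-run with a new value, rejects a non-positive timeout, and reports the configured value only when export and readonly are both present (without readonly a user could simply unset TMOUT). The sample profile is constructed.

```python
BEGIN_MARK = "# Begin Security Best Practice"
END_MARK = "# End Security Best Practice"


def timeout_block(seconds):
    """The six lines the guide prescribes, with <seconds> filled in."""
    return [
        BEGIN_MARK,
        f"# Set shell idle timeout to {seconds} seconds",
        f"TMOUT={seconds}",
        "export TMOUT",
        "readonly TMOUT",
        END_MARK,
    ]


def strip_existing_block(lines):
    """Drop a previously added block so the helper can be re-run safely."""
    out, skipping = [], False
    for line in lines:
        if line.strip() == BEGIN_MARK:
            skipping = True
            continue
        if skipping:
            if line.strip() == END_MARK:
                skipping = False
            continue
        out.append(line)
    if skipping:
        raise ValueError("unterminated Security Best Practice block")
    return out


def add_idle_timeout(profile_text, seconds):
    """Return the profile text with the TMOUT block as its last entry
    (that is, after the '# End Isilon' entry the guide refers to)."""
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    lines = strip_existing_block(profile_text.splitlines())
    while lines and not lines[-1].strip():  # keep the block as the final entry
        lines.pop()
    lines.extend(timeout_block(seconds))
    return "\n".join(lines) + "\n"


def configured_timeout(profile_text):
    """Return the TMOUT value inside the block, or None when the block is
    missing or incomplete (no TMOUT=, no export, or no readonly)."""
    lines = [line.strip() for line in profile_text.splitlines()]
    if BEGIN_MARK not in lines or END_MARK not in lines:
        return None
    block = lines[lines.index(BEGIN_MARK):lines.index(END_MARK) + 1]
    value = None
    for line in block:
        if line.startswith("TMOUT="):
            value = int(line.split("=", 1)[1])
    if value is None or "export TMOUT" not in block or "readonly TMOUT" not in block:
        return None
    return value


# Constructed stand-in for a working copy of /etc/profile.
SAMPLE_PROFILE = """\
# Begin Isilon
PATH=/usr/bin:/bin:/usr/sbin:/sbin; export PATH
# End Isilon

"""

if __name__ == "__main__":
    print(add_idle_timeout(SAMPLE_PROFILE, 600))
```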
Set a timeout for idle SSH sessions
The timeout value is the maximum period after which an inactive SSH session is terminated.
An idle SSH session is an unresponsive SSH session where the client and server are experiencing an interruption in SSH protocol
data flow. Such an interruption is typically caused by network interruption. The steps described here do not apply to user
inactivity. They also do not apply to connections to the cluster through a serial console.
For additional security that responds to user inactivity, it is recommended that you configure an idle CLI session timeout. See
Set a timeout for idle CLI sessions (CLI).
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Configure SSH timeouts with the following commands:
      isi_gconfig -t ssh-config client_alive_count_max=<count>
      isi_gconfig -t ssh-config client_alive_interval=<interval>
      isi_gconfig -t ssh-config tcp_keep_alive=<yes | no>
     For information about these configuration options, see the ClientAliveCountMax, ClientAliveInterval, and
     TCPKeepAlive sections of the manual page for sshd_config.
     The client alive messages are sent after the SSH server detects that the SSH client is unresponsive. If
     client_alive_count_max is set to 0, the system sends a client alive message and then immediately drops the
     connection.
3. Confirm the timeout values:
      isi_gconfig -t ssh-config client_alive_count_max
      isi_gconfig -t ssh-config client_alive_interval
      isi_gconfig -t ssh-config tcp_keep_alive
Forward audited events to remote server
The auditing and audit forwarding capabilities in OneFS are recommended. Auditing can detect many potential sources of data
loss, including fraudulent activities, inappropriate entitlements, and unauthorized access attempts.
Forwarding audited events to a remote server has the following security benefits:
● You can scan the data for security issues on the remote server and avoid interfering with cluster operation or performance.
● You can send syslog output from multiple locations to the same remote server and run scanning software on all the logs in
  one location. This method may be easier and more convenient than trying to run scanning software on the cluster.
● When hackers access a system such as a PowerScale cluster, they try to erase their tracks. If audit information is
  forwarded to a remote server, the audit trail on the server is preserved, making identification and containment of the breach
  simpler.
● If the cluster node that contains the syslog events fails, you can access the information that was forwarded to the remote
  server for diagnosis and troubleshooting.
To forward protocol access auditing and system configuration changes to a remote server, follow these steps:
1. Enable auditing.
2. Send audited events to syslog.
3. Configure syslog forwarding.
For detailed instructions, see the Managing audit settings section in the "Auditing and Logging" chapter of the PowerScale
OneFS 9.5.0.0 CLI Administration Guide or the "Auditing" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide.
External to cluster firewall security
Use a firewall to limit access to the cluster to only those trusted clients and servers that require access. Allow restricted access
only to ports that are required for communication. Block access to all other ports.
OneFS includes a host-based firewall that comes with predefined global policies. The global policies allow the OneFS default
ports and block all others. You can also define custom policies. The firewall is disabled by default.
Dell Technologies recommends enabling the firewall and using the default policies, with adjustments as needed.
1. Ensure that the cluster uses a default SSH or HTTP port before enabling the firewall. The default firewall policies block all
   nondefault ports until you change the policies.
2. Enable the OneFS firewall.
3. Compare your cluster network port configurations against the default ports listed in the section "Network port usage".
4. Change the default firewall policies to accommodate any nondefault ports in use in the cluster.
        NOTE: The firewall policies do not automatically update when port configurations are changed.
5. Limit access to the OneFS Web UI to specific administrator terminals through an IP address. Another option is to isolate
   web-based access to a specific management network.
In addition to the OneFS firewall, you may use an external firewall as a defense-in-depth method.
For more information about the OneFS firewall, see the "Host-based firewall" sections under "External networks" in the
"Networking" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI
Administration Guide.
Disable OneFS services that are not in use
OneFS has some services that are safe to disable when they are not in use.
See Services safe to disable for a list of the services that should be disabled when not in use and instructions for disabling them.
Configure WORM directories using SmartLock
Use the SmartLock feature to create write-once read-many (WORM) directories to protect files from being modified for a
specified retention period.
There are two options for SmartLock implementation:
● Compliance mode: This mode is designed for organizations that are legally required to comply with the United States
   Securities and Exchange Commission’s (SEC) rule 17a-4(f).
● Enterprise mode: This mode is designed for organizations that have no legal requirement but want to use WORM
   technology to protect their data. SmartLock compliance mode commits files to a WORM state.
    NOTE: WORM file access does not protect against hardware or file system issues. If the data on the cluster becomes
    unavailable, the WORM files are also unavailable. It is recommended that you also back up the cluster data to separate
    physical devices.
Back up cluster data
OneFS offers various backup options to preserve user and application data. These options protect data from accidental or
malicious modification, deletion, or encryption (for example, through a ransomware attack).
To protect data, use local snapshots plus Network Data Management Protocol (NDMP) backups. If you have SyncIQ hardware
already in place, you can use SyncIQ replication in place of NDMP.
Option                    Required license          Description
NDMP backups              None                      Back up and restore data through NDMP. From a backup server, you
                                                    can direct backup and restore processes between the cluster and backup
                                                    devices. Backup devices include tape devices, media servers, and virtual
                                                    tape libraries (VTLs). Although this option does not make the original data
                                                    more secure, it does provide a backup if the data is compromised or lost.
                                                    It is recommended that you locate the external backup system in a
                                                    different geographical area from the PowerScale cluster to protect
                                                    against physical disasters.
Local snapshots           SnapshotIQ                Snapshots protect data against accidental deletion and modification by
                                                    enabling you to restore deleted and modified files.
                                                    Snapshots do not protect against hardware or file system issues.
                                                    Snapshots reference data that is stored on a cluster. If the data on
                                                    the cluster becomes unavailable, the snapshots are also unavailable. It is
                                                    recommended that you also back up the cluster data to separate physical
                                                    devices.
Replication to a          SyncIQ                    Replicate data from one PowerScale cluster to another. You can specify
secondary PowerScale                                which files and directories to replicate. SyncIQ also offers automated
cluster                                             failover and failback capabilities so that you can continue operations on
                                                    the secondary cluster should the primary cluster become unavailable.
                                                    While this option does not make the data more secure, it does provide
                                                    a backup if the data is compromised or lost.
                                                    It is recommended that you locate the secondary cluster in a different
                                                    geographical area or media from the primary cluster to protect against
                                                    physical disasters. It is also recommended that the secondary cluster has
                                                    a different password from the primary cluster in case the primary cluster
                                                    is compromised.
Datamover                 SyncIQ                    Datamover ensures that you have a consistent copy of your data on
                                                    another PowerScale cluster or cloud platform. Datamover allows you to
                                                    control the frequency of data transfers at scheduled times using policies.
                                                    Similar to the SyncIQ module, you can transfer data at the directory level,
                                                    while optionally excluding specific files and subdirectories from being
                                                    transferred. The embedded Datamover feature provides data replication
                                                    for file and object deployments on-premises or in the cloud. Datamover
                                                    enables file-to-file transfers between PowerScale clusters using RPC and
                                                    file-to-object copy transfers to S3 (ECS, AWS) and Azure cloud systems.
Use NTP time
Network Time Protocol (NTP) is recommended as the most consistent source for cluster time. In a Windows environment, it is
recommended to use the Active Directory domain controller NTP service.
Use the OneFS web administration interface to configure NTP time service synchronization to an external time service.
     NOTE: It is recommended that you point the cluster to an NTP server within the perimeter of your network environment.
For additional recommendations for using NTP time with SmartLock directories and SmartLock compliance mode, see the "File
retention with SmartLock" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS
9.5.0.0 CLI Administration Guide.
Specify an NTP time server
You can specify one or more Network Time Protocol (NTP) servers to synchronize the system time on the PowerScale cluster.
The cluster periodically contacts the NTP servers and sets the date and time using information from the NTP servers.
1. Click Cluster Management > General Settings > NTP.
2. In the NTP Servers area, type the IPv4 or IPv6 address of one or more NTP servers. If you want to use a key file, type the
   key numbers in the field next to the server IP address.
   Click Add Another NTP Server if you are specifying multiple servers.
3. Optional: If you are using a key file for the NTP server, type the file path for that file in the Path to Key File field.
4. In the Chimer Settings area, specify the number of chimer nodes that contact NTP servers (the default is 3).
5. To exclude a node from chiming, type its logical node number (LNN) in the Nodes Excluded from Chiming field.
6. Click Save Changes.
Login, authentication, and privileges best practices
This section describes security best practice recommendations for configuring user logins, authentication, and access privileges.
Restrict root logins to the cluster
A strong security stance entails using the root account as little as possible.
You can use one or more of the following methods to restrict root access to the cluster:
● Use SmartLock compliance mode to completely remove root access to the cluster. This method is the most restrictive
  option. When you are logged in to a SmartLock compliance mode cluster through the compliance administrator account, you
  can perform administrative tasks through the sudo command. Using the sudo command provides an audit trail by logging all
  command activity to /var/log/auth.log.
● Disable root SSH access to the cluster. See Disable root SSH access to the cluster for instructions. You can still log in as
  root using other methods, such as console access or an RBAC-authorized account.
● Limit the number of people who know the root password by doing one or both of the following:
  ○ Assign admin users an RBAC role with only the privileges that they require to do their job.
  ○ If an admin user needs greater privileges than the RBAC role can provide, use privilege elevation to give them select
     root-level privileges.
Use RBAC accounts instead of root
Instead of using the root account, assign roles and privileges to users and groups as needed by using the role-based access
control (RBAC) functionality.
The following RBAC best practices are recommended:
● Ensure that each administrator has a unique user account. Do not allow users to share accounts.
● For each user and group, assign the lowest level of privileges required.
● Use privilege elevation to assign select root-level privileges to specified users as needed.
Disable the root account for SSH sessions
If security procedures at your site require it, you can disable the root account for SSH sessions. If SSH access is still needed for
other users, you can provide individual users or groups with SSH privileges.
See SSH security best practices for details about both procedures.
Privilege elevation: Assign select root-level privileges to nonroot
users
A root account is necessary for some cluster administration purposes. For security reasons, the root privileges should be closely
monitored.
Instead of providing the root account to administrators, you can elevate their privileges so that they can run selected root-level
commands using sudo. Using the sudo command also provides an audit trail by logging all command activity to /var/log/
auth.log.
     NOTE: This procedure is not intended for use on clusters that are in SmartLock compliance mode. In SmartLock compliance
     mode, the compadmin account exists with the correct sudo infrastructure.
     NOTE: Logged in users are unaffected by the following changes. They must log out and log in again for the changes to take
     effect.
You can perform steps 1 to 5 below using the OneFS web interface. See the PowerScale OneFS 9.5.0.0 Web Administration
Guide.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Create a group to assign elevated privileges to, where <groupname> is the name of the group. This group must be in the
   local provider and System zone.
      isi auth groups create <groupname> --provider local --zone system
     For example, you can create a group that is named SPECIAL, as follows:
      isi auth groups create SPECIAL --provider local --zone system
3. (Optional) Verify that the users that you want to add to the SPECIAL group are already members of either the SystemAdmin
   or the SecurityAdmin role. Since these two roles have strong security privileges, this step ensures that the user has already
   been approved for a high level of access. To check whether the user is a member of the SystemAdmin or SecurityAdmin role,
   run the following two commands to list the members of those roles:
      isi auth roles members list SystemAdmin
      isi auth roles members list SecurityAdmin
4. Add a user to the group that has the elevated privileges.
      isi auth groups modify <groupname> --add-user <username>
     For example, to add a user who is named bob to the SPECIAL group:
      isi auth groups modify SPECIAL --add-user bob
5. Confirm that the user is in the group:
      isi auth groups members list <groupname>
6. Create a backup directory:
      mkdir /ifs/data/backup/
7. Set the permissions on the backup directory to 700:
      chmod 700 /ifs/data/backup
8. Make a working copy of the /etc/mcp/override/sudoers file in the backup directory:
     cp /etc/mcp/override/sudoers /ifs/data/backup
9. Make a backup copy of the /etc/mcp/override/sudoers file in the backup directory:
     cp /etc/mcp/override/sudoers /ifs/data/backup/sudoers.bak
       NOTE: If a file with the same name exists in the backup directory, there are two options:
       ● Overwrite the existing file.
       ● Name the new file with a timestamp or other identifier. This option saves the old backups.
10. Open the /ifs/data/backup/sudoers file in a text editor and add the following entry:
     # Begin Security Best Practices
     %<groupname> ALL=(ALL) PASSWD: PROCESSES, SYSADMIN, ISI, ISI_ADMIN, ISI_SUPPORT, \
     ISI_HWTOOLS, ISI_HARDENING
     # End Security Best Practices
   For example, the entry for the SPECIAL group is:
     %SPECIAL ALL=(ALL) PASSWD: PROCESSES, SYSADMIN, ISI, ISI_ADMIN, ISI_SUPPORT, \
      ISI_HWTOOLS, ISI_HARDENING
       NOTE: You can change the entry as described in the last bullet below.
   This entry in the sudoers file provides the following security benefits:
   ● It requires the user to preface all root-level commands with sudo.
   ● It requires the user to type the user password the first time that they run a sudo command in a session. The system
      caches these credentials for five minutes. After five minutes, the user must retype the password to run sudo commands.
   ● A comma-separated list of command sets (called command aliases) is assigned to the group (for example,
      PROCESSES, SYSADMIN, ISI, and so on). These command aliases include all the diagnostic and hardware tools available,
      making the privileges equivalent to the compadmin role in a SmartLock compliance mode cluster. You can modify the
      line to include fewer command aliases, or different command aliases, to allow only the privileges that you want the group
      to have. To see the available command aliases and the lists of commands that are in each alias, review the /etc/mcp/
      templates/sudoers file.
           CAUTION: Do not modify the /etc/mcp/templates/sudoers file.
11. Confirm that the changes are correct. Then save the file and exit the text editor.
12. Copy the /ifs/data/backup/sudoers file to the /etc/mcp/override/sudoers file.
     cp /ifs/data/backup/sudoers /etc/mcp/override/sudoers
13. To identify the commands that are now available to the user, log in as the user and run the following command:
     sudo -l
   The output looks similar to the following.
     User bob may run the following commands on <hostname>:
        (ALL) NOPASSWD: ISI_PRIV_SYS_TIME, (ALL) /usr/sbin/isi_upgrade_logs, (ALL)
         ISI_PRIV_ANTIVIRUS, (ALL) /usr/sbin/isi_audit_viewer, (ALL)
         ISI_PRIV_CLOUDPOOLS, (ALL) ISI_PRIV_CLUSTER, (ALL) ISI_PRIV_DEVICES, (ALL)
         ISI_PRIV_EVENT, (ALL) ISI_PRIV_FILE_FILTER, (ALL) ISI_PRIV_FTP, (ALL)
         ISI_PRIV_HARDENING, (ALL) ISI_PRIV_HDFS, (ALL) ISI_PRIV_HTTP, (ALL)
         ISI_PRIV_JOB_ENGINE, (ALL) ISI_PRIV_LICENSE, (ALL) ISI_PRIV_NDMP, (ALL)
         ISI_PRIV_NETWORK, (ALL) ISI_PRIV_NFS, (ALL) ISI_PRIV_NTP, (ALL)
         ISI_PRIV_QUOTA, (ALL) ISI_PRIV_REMOTE_SUPPORT, (ALL) ISI_PRIV_SMARTPOOLS,
         (ALL) ISI_PRIV_SMB, (ALL) ISI_PRIV_SNAPSHOT, (ALL) ISI_PRIV_SNMP, (ALL)
         ISI_PRIV_STATISTICS, (ALL) ISI_PRIV_SWIFT, (ALL) ISI_PRIV_SYNCIQ, (ALL)
         ISI_PRIV_VCENTER, (ALL) ISI_PRIV_WORM
                                                                                             Security Best Practices        93
          (ALL) PASSWD: /bin/date, /sbin/sysctl, /sbin/shutdown, /bin/ps,
           /usr/sbin/ntpdate, /sbin/ifconfig, /usr/sbin/newsyslog, /usr/sbin/nfsstat,
           /usr/sbin/pciconf, /usr/sbin/tcpdump, (ALL) /usr/bin/isi_classic,
           /usr/bin/isi_for_array, /usr/bin/isi_gconfig, /usr/bin/isi_job_d,
           /usr/bin/isi_vol_copy
     ● The privileges listed after (ALL) NOPASSWD are the privileges for the assigned RBAC role. Those privileges do not
       require the user to retype the password.
     ● The commands listed after (ALL) PASSWD are the sudo commands that are available to the user. Those commands
       require the user to type the user password after typing the command.
        NOTE: The privilege elevation may include commands that the user already holds through an existing RBAC role. Those
        commands appear in the NOPASSWD list, and sudo does not prompt for the password when the user runs them.
14. Verify that everything looks correct.
15. (Optional) Delete the working and backup copies from the /ifs/data/backup directory:
      rm /ifs/data/backup/sudoers /ifs/data/backup/sudoers.bak
     CAUTION: The ISI_PRIV_JOB_ENGINE privilege allows the user to run jobs through the Job Engine. These jobs
     run as root. Under specific circumstances, a user could use some of these jobs to delete entire sections of
     OneFS. Also, a user could potentially acquire ownership of files that they otherwise would not have permission
     to access. Care must be exercised when granting this privilege. The recommendation is to only grant this level
     to trusted users.
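The sudo -l listing above is the record you would review when auditing who can elevate on a node, and it wraps across lines in a way that is awkward to check by eye. The following is an added example, not code from the guide or from OneFS: it parses a listing of that shape into the NOPASSWD (RBAC-derived) and PASSWD (sudoers-derived) entry lists, tells command aliases apart from absolute command paths, and flags the ISI_PRIV_JOB_ENGINE privilege that the caution above singles out. The sample input is constructed from the guide's listing with a placeholder user and hostname; the set of sensitive aliases is an assumption you should extend for your site.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the `sudo -l` output quoted in the guide, trimmed
# to a few entries per section. User and hostname are placeholders.
SAMPLE_SUDO_L = """\
User bob may run the following commands on cluster-1:
    (ALL) NOPASSWD: ISI_PRIV_SYS_TIME, (ALL) /usr/sbin/isi_upgrade_logs, (ALL)
     ISI_PRIV_ANTIVIRUS, (ALL) /usr/sbin/isi_audit_viewer, (ALL)
     ISI_PRIV_JOB_ENGINE, (ALL) ISI_PRIV_LICENSE, (ALL) ISI_PRIV_WORM
    (ALL) PASSWD: /bin/date, /sbin/sysctl, /sbin/shutdown, /bin/ps,
     /usr/sbin/tcpdump, (ALL) /usr/bin/isi_classic,
     /usr/bin/isi_for_array, /usr/bin/isi_gconfig
"""

# Aliases the guide says to grant only to trusted users: Job Engine jobs run as
# root and can delete or take ownership of data. Assumed starting set; extend it.
SENSITIVE_ALIASES = frozenset({"ISI_PRIV_JOB_ENGINE"})

_HEADER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
_MODE_RE = re.compile(r"\(ALL\)\s+(NOPASSWD|PASSWD):")


@dataclass
class SudoRules:
    user: str
    host: str
    nopasswd: list = field(default_factory=list)  # RBAC-derived, no password prompt
    passwd: list = field(default_factory=list)    # sudoers-derived, password required


def parse_sudo_l(text):
    """Turn wrapped `sudo -l` output into per-mode entry lists."""
    lines = text.splitlines()
    header = _HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        raise ValueError("not a `sudo -l` listing: " + (lines[0] if lines else "<empty>"))
    rules = SudoRules(user=header.group(1), host=header.group(2))
    # sudo wraps long rule lines; re-join them before splitting on the mode tags.
    body = " ".join(line.strip() for line in lines[1:])
    # With a capture group, re.split yields [prefix, tag, segment, tag, segment, ...]
    parts = _MODE_RE.split(body)
    for tag, segment in zip(parts[1::2], parts[2::2]):
        segment = segment.replace("(ALL)", " ")  # per-entry runas spec, not a command
        entries = [e.strip() for e in segment.split(",") if e.strip()]
        (rules.nopasswd if tag == "NOPASSWD" else rules.passwd).extend(entries)
    return rules


def is_alias(entry):
    """sudoers Cmnd_Alias names are uppercase identifiers; commands are absolute paths."""
    return re.fullmatch(r"[A-Z][A-Z0-9_]*", entry) is not None


def review(rules, sensitive=SENSITIVE_ALIASES):
    """Report sensitive aliases and whether sudo will prompt for a password."""
    findings = []
    for entry in rules.nopasswd:
        if entry in sensitive:
            findings.append(f"{rules.user}@{rules.host}: {entry} granted without a password prompt")
    for entry in rules.passwd:
        if entry in sensitive:
            findings.append(f"{rules.user}@{rules.host}: {entry} granted (password required)")
    return findings


if __name__ == "__main__":
    parsed = parse_sudo_l(SAMPLE_SUDO_L)
    aliases = [e for e in parsed.nopasswd + parsed.passwd if is_alias(e)]
    print(f"{len(parsed.nopasswd)} NOPASSWD entries, {len(parsed.passwd)} PASSWD entries, "
          f"{len(aliases)} command aliases")
    for finding in review(parsed):
        print("WARNING:", finding)
```

Run it against the saved output of sudo -l for each user you have elevated; a sensitive alias that shows up under NOPASSWD came from the user's RBAC role rather than from the sudoers entry, which is the case the note above describes.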
Restrict authentication by external providers
OneFS provides certain system-defined accounts for the file provider in the System zone (also known as the System file
provider). OneFS relies on the identity of these system-defined accounts to ensure normal cluster functionality and security.
The identity includes the UID, GID, shell, passwords, privileges, permissions, and so on. Problems can arise if an external
authentication provider authenticates a user or group with the same name as one of these system-defined accounts.
The OneFS mapping service consolidates all user or group accounts with the same name from all authentication providers into a
single access token. This token identifies the user and controls access to directories and files. For each access zone in OneFS,
there is an ordered list of providers.
     CAUTION: When an identity is found in more than one authentication provider, the provider that comes earliest
     in the list acts as the source for that identity. If the external provider comes earlier in the list than the System
     file provider, the externally provided identity overrides the system-defined identity. In this case, unintended
     users could gain inappropriate access to the cluster and appropriate administrators could lose access to the
     cluster.
OneFS provides the following cluster management accounts for the System file provider:
User accounts         ●   root
                      ●   admin
                      ●   compadmin
                      ●   ftp
                      ●   www
                      ●   nobody
                      ●   insightiq
                      ●   remotesupport
                      ●   _lldpd
                      ●   _ypldap
Group accounts        ● wheel
                      ● admin
                      ● ftp
                      ●   guest
                      ●   ifs
                      ●   nobody
                      ●   video
                      ●   _lldpd
                      ●   _ypldap
To prevent externally provided identities from overriding the system-defined identities, use the unfindable-users and
unfindable-groups options of the isi auth ads|ldap|nis CLI command. Run the command for each user or group
account that you do not want to be overridden. These accounts can be in any access zone. They can include the system-
defined accounts that are described here and accounts that you create. For details on how to use the commands, see the
PowerScale OneFS 9.5.0.0 CLI Command Reference.
On the Web UI, to view the users and groups that the System file provider manages, click Access > Membership & Roles.
Click either the Users or the Groups tab. Select System from the Current Access Zone list, and select FILE: System from
the Providers list.
Alternatively, you can run one of the following commands on the command-line interface:
 isi auth users list --provider='lsa-file-provider:System'
 isi auth groups list --provider='lsa-file-provider:System'
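The caution above turns on one rule: for each access zone the providers are consulted in order, and the first provider that knows a name is the source of that identity. The following is an added example, not code from the guide or from OneFS, that applies that rule to a zone's provider order and to the account names each provider would return (for a real cluster, gather them with the isi auth users list and isi auth groups list commands shown above). It reports which of the system-defined accounts an earlier external provider would override and groups them by provider, which is the list you would mark unfindable on that provider. The provider identifiers for the Active Directory and local providers, and the account names in the example zone, are constructed assumptions; the system account lists are the ones printed in this section.

```python
# System file provider accounts listed in the guide.
SYSTEM_USERS = frozenset({
    "root", "admin", "compadmin", "ftp", "www", "nobody",
    "insightiq", "remotesupport", "_lldpd", "_ypldap",
})
SYSTEM_GROUPS = frozenset({
    "wheel", "admin", "ftp", "guest", "ifs", "nobody", "video", "_lldpd", "_ypldap",
})
SYSTEM_FILE_PROVIDER = "lsa-file-provider:System"


def resolve(name, provider_order, accounts):
    """Apply the guide's rule: the earliest provider in the zone's list that knows
    `name` is the source of that identity. Returns the provider id or None."""
    for provider in provider_order:
        if name in accounts.get(provider, ()):
            return provider
    return None


def shadowed_system_accounts(provider_order, accounts, system_names=SYSTEM_USERS):
    """System-defined names whose identity would come from a provider other than
    the System file provider, mapped to the provider that would win."""
    shadowed = {}
    for name in sorted(system_names):
        winner = resolve(name, provider_order, accounts)
        if winner is not None and winner != SYSTEM_FILE_PROVIDER:
            shadowed[name] = winner
    return shadowed


def unfindable_plan(shadowed):
    """Group the shadowed names by the external provider they must be made unfindable on."""
    plan = {}
    for name, provider in shadowed.items():
        plan.setdefault(provider, []).append(name)
    return {provider: sorted(names) for provider, names in plan.items()}


# Constructed example zone (provider ids for AD and the local provider are assumed):
# an AD provider ordered ahead of the System file provider, and an AD domain that
# happens to define "admin" and "root".
EXAMPLE_ORDER = [
    "lsa-activedirectory-provider:CORP.EXAMPLE.COM",
    SYSTEM_FILE_PROVIDER,
    "lsa-local-provider:System",
]
EXAMPLE_USERS = {
    EXAMPLE_ORDER[0]: {"admin", "root", "alice"},
    SYSTEM_FILE_PROVIDER: set(SYSTEM_USERS),
    "lsa-local-provider:System": {"admin", "bob"},
}

if __name__ == "__main__":
    risky = shadowed_system_accounts(EXAMPLE_ORDER, EXAMPLE_USERS)
    print("shadowed system users:", risky)
    for provider, names in unfindable_plan(risky).items():
        print(f"mark unfindable on {provider}: {', '.join(names)}")
    # Moving the System file provider to the front removes the overlap as well.
    reordered = [SYSTEM_FILE_PROVIDER] + [p for p in EXAMPLE_ORDER if p != SYSTEM_FILE_PROVIDER]
    print("after reorder:", shadowed_system_accounts(reordered, EXAMPLE_USERS))
```

Note that the local provider in the example also defines admin but is ordered after the System file provider, so it is not reported: only providers that come earlier in the list can override a system-defined identity.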
Use secure connections to LDAP server
By default, communications between the PowerScale cluster and an LDAP server are not secure and occur in plain text.
To make communications more secure, configure the LDAP provider to use TLS when it communicates with the LDAP server.
For maximum security, you can also configure the LDAP provider to require strict verification of the certificates that are used to
establish the secure connection.
The parameters to set these configurations are valid in either of the following commands:
● isi auth ldap create used to create the LDAP provider
● isi auth ldap modify used to change a previously created LDAP provider
The following information describes only the parameters in those commands that are related to TLS. There are more parameters
that are used to create or modify an LDAP provider. For complete syntax and usage information, see the PowerScale OneFS
9.5.0.0 CLI Command Reference.
Parameters for configuring TLS
This section describes the parameters that configure TLS.
--require-secure-connection={yes|no}
   Enable or disable TLS.
   ● yes—Encrypts all communication between the cluster and the LDAP server using TLS and checks that the certificates
     are valid and not expired.
   ● no—Sends all communication between the cluster and the LDAP server in plain text. The same result occurs when the
     parameter is never specified on the cluster.
--certificate-authority-file <path/to/cacert/file>
   Set a valid certificate authority file. This parameter is required when --require-secure-connection=yes. Provide the
   path to the root certificates file.
--ignore-tls-errors={yes|no}
   Do not allow TLS errors. The recommended setting for security best practices is no, which is also the default.
   If TLS is enabled and this parameter is set to yes, the LDAP provider continues to use TLS even when certificate
   verification fails: the errors are logged, but the provider keeps using the certificate and the TLS session. Because
   the server certificate is then no longer effectively verified, a yes setting gives up the protection that TLS offers
   against an impersonated LDAP server.
--tls-revocation-check-level={strict|allowNoSrc|allowNoData|none}
   Enforce additional verifications of certificates received from the LDAP server in the TLS handshake.
   ● strict—Requires valid and current revocation information for all certificates that are received from the LDAP
     server in the TLS handshake. If any certificates do not comply, the LDAP provider ends the TLS session.
   ● allowNoSrc—Accepts certificates from the LDAP server if no revocation retrieval information is available for them.
     A warning is logged for such certificates. Otherwise, the LDAP provider ends the TLS session if either of the
     following is true for any certificate:
     ○ It is not possible to retrieve the revocation information.
     ○ The revocation state indicates that the certificate is not valid and current.
   ● allowNoData—Accepts certificates from the LDAP server if it is not possible to retrieve the revocation state. A
     warning is logged for such certificates. If the revocation state is successfully retrieved, it must indicate that
     the certificate is valid and current. Otherwise the LDAP provider ends the TLS session.
   ● none—No revocation checking is performed. This is the default setting.
--ocsp-server-uris <uri-list>
   (Optional) Define the location of revocation information. <uri-list> is a comma-separated list of URIs. Use this
   parameter to provide the location of revocation information to the LDAP provider. If this option is not set, the LDAP
   provider looks for the Online Certificate Status Protocol (OCSP) responder URI within the certificates.
Examples for configuring TLS
The following example creates an LDAP provider that requires TLS encryption.
 isi auth ldap create myLDAPProvider \
         --require-secure-connection=yes \
         --ignore-tls-errors=no \
         --certificate-authority-file /ifs/.ifsvar/modules/isi_certs/system/ca/zone_1/certs.cer \
         <other required and optional settings>
The following example adds TLS encryption to a previously created LDAP provider.
 isi auth ldap modify myLDAPProvider \
         --require-secure-connection=yes \
         --ignore-tls-errors=no \
         --certificate-authority-file /path/to/root/ca/file.cer \
         <other required and optional settings>
The following example creates an LDAP provider that requires TLS encryption and strict certificate validations of certificates
that are received from the LDAP server. The OCSP URIs are not provided, so the LDAP provider uses information in the
certificate.
 isi auth ldap create myLDAPProvider \
         --require-secure-connection=yes \
         --ignore-tls-errors=no \
         --certificate-authority-file /path/to/root/ca/file.cer \
         --tls-revocation-check-level=strict \
         <other required and optional settings>
The following isi auth ldap modify example adds an OCSP responder URI for validating certificates from the LDAP
server.
 isi auth ldap modify myLDAPProvider \
         --ocsp-server-uris http://ocsp.entrust.net/ocsp \
         <other required and optional settings>
Set password policy
Password complexity increases the number of possible passwords that an attacker must check before the correct password is
guessed.
You can configure local password policy and specify the default for each setting using the isi auth local modify
command.
For the detailed procedure and descriptions of each password policy setting, see the "Managing local users and groups" section
in the "Authentication" chapter of the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
SNMP security best practices
If you plan to monitor cluster statistics, it is recommended that you use SNMPv3. If you do not plan to monitor cluster statistics,
you should leave the SNMP service disabled.
For more information about how to configure SNMP, see the "Cluster monitoring" section in the "General cluster administration"
chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Use SNMPv3 for cluster monitoring
The recommended configuration for network devices is SNMP Version 3 with authentication and privacy, using FIPS 140-2
validated cryptography.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Configure SNMPv3. All the following settings are required for cluster monitoring using SNMPv3.
     isi snmp settings modify \
         --snmp-v3-access=yes \
         --snmp-v3-read-only-user=<string> \
         --snmp-v3-auth-protocol={SHA|MD5} \
         --snmp-v3-priv-protocol={AES|DES} \
         --snmp-v3-security-level={noAuthNoPriv|authNoPriv|authPriv} \
         --set-snmp-v3-password \
         --set-snmp-v3-priv-password \
         <other optional settings>
   Where:
    --snmp-v3-access=yes                          Enables SNMPv3.
    --snmp-v3-read-only-user=<string>             Sets the read-only user for SNMPv3 read requests.
    --snmp-v3-auth-protocol={SHA|MD5}             Sets the authentication protocol. For maximum security, use SHA.
    --snmp-v3-priv-protocol={AES|DES}             Sets the privacy protocol. For maximum security, use AES.
    --snmp-v3-security-level={noAuthNoPriv|       Specifies the cryptography to use for monitoring the cluster. The value
    authNoPriv|authPriv}                          authPriv (authentication and encryption) is the most secure.
    --set-snmp-v3-password                        Changes the SNMPv3 authentication password so that it is not the default
                                                  value. The CLI prompts you for the new password.
    --set-snmp-v3-priv-password                   Changes the SNMPv3 privacy password so that it is not the default value.
                                                  The CLI prompts you for the new password. The value must be complex and
                                                  at least 8 bytes long. Otherwise, you receive an error.
3. (Recommended) Disable SNMPv1 and SNMPv2 access:
      isi snmp settings modify --snmp-v1-v2c-access no
For more information about SNMP configuration, see the "SNMP monitoring" section in the "General cluster administration"
chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration
Guide.
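The LDAP TLS parameters described under "Use secure connections to LDAP server" and the SNMPv3 settings above both reduce to a short list of values that are either hardened or not. The following is an added example, not code from the guide or from OneFS: two audit functions that take the settings as plain dictionaries keyed by the option names used in this guide (without the leading dashes) and return human-readable findings, with a weak and a hardened configuration for each beside them. The dictionary layout, the ro-community key standing in for the bsnmpd-config ro_community value, and the sample values are constructed assumptions; on a real cluster you would populate the dictionaries from the output of isi auth ldap view and isi snmp settings view.

```python
DEFAULT_COMMUNITY = "I$ilonpublic"  # default SNMPv2 read-only community string named in the guide


def audit_ldap_tls(s):
    """Findings for one LDAP provider's TLS settings; an empty list means hardened."""
    f = []
    if s.get("require-secure-connection", "no") != "yes":
        f.append("LDAP binds and lookups are sent in plain text: set --require-secure-connection=yes")
        return f  # the other TLS settings do nothing until TLS is on
    if not s.get("certificate-authority-file"):
        f.append("no --certificate-authority-file: the server certificate cannot be validated")
    if s.get("ignore-tls-errors", "no") == "yes":
        f.append("--ignore-tls-errors=yes keeps the session after verification failures: set no")
    level = s.get("tls-revocation-check-level", "none")
    if level == "none":
        f.append("--tls-revocation-check-level=none: revoked server certificates are accepted")
    elif level != "strict":
        f.append(f"--tls-revocation-check-level={level}: certificates with no retrievable "
                 "revocation data are accepted")
    return f


def audit_snmp(s):
    """Findings for cluster SNMP settings; an empty list means hardened."""
    f = []
    if s.get("snmp-v1-v2c-access", "no") == "yes":
        f.append("SNMPv1/v2c enabled: community strings travel unencrypted; "
                 "run isi snmp settings modify --snmp-v1-v2c-access no")
        if s.get("ro-community", DEFAULT_COMMUNITY) == DEFAULT_COMMUNITY:
            f.append("default read-only community string in use: change ro_community with isi_gconfig")
    if s.get("snmp-v3-access", "no") != "yes":
        f.append("SNMPv3 disabled: set --snmp-v3-access=yes")
        return f
    if s.get("snmp-v3-security-level") != "authPriv":
        f.append("--snmp-v3-security-level is not authPriv: traffic is unauthenticated or unencrypted")
    if s.get("snmp-v3-auth-protocol") != "SHA":
        f.append("--snmp-v3-auth-protocol is not SHA")
    if s.get("snmp-v3-priv-protocol") != "AES":
        f.append("--snmp-v3-priv-protocol is not AES")
    if len(s.get("snmp-v3-priv-password", "").encode("utf-8")) < 8:
        f.append("SNMPv3 privacy password is shorter than 8 bytes (the CLI rejects it)")
    return f


# Constructed settings: weak and hardened pairs using the values from this guide.
WEAK_LDAP = {"require-secure-connection": "no"}
SLOPPY_LDAP = {"require-secure-connection": "yes",          # TLS on, but errors ignored and
               "certificate-authority-file": "/path/to/root/ca/file.cer",  # revocation left at none
               "ignore-tls-errors": "yes"}
HARDENED_LDAP = {"require-secure-connection": "yes",
                 "certificate-authority-file": "/path/to/root/ca/file.cer",
                 "ignore-tls-errors": "no",
                 "tls-revocation-check-level": "strict"}

WEAK_SNMP = {"snmp-v1-v2c-access": "yes", "snmp-v3-access": "no"}  # community left at default
HARDENED_SNMP = {"snmp-v1-v2c-access": "no", "snmp-v3-access": "yes",
                 "snmp-v3-read-only-user": "monitor",
                 "snmp-v3-security-level": "authPriv",
                 "snmp-v3-auth-protocol": "SHA", "snmp-v3-priv-protocol": "AES",
                 "snmp-v3-priv-password": "a-long-privacy-passphrase"}

if __name__ == "__main__":
    for label, settings, audit in [("LDAP weak", WEAK_LDAP, audit_ldap_tls),
                                   ("LDAP sloppy", SLOPPY_LDAP, audit_ldap_tls),
                                   ("LDAP hardened", HARDENED_LDAP, audit_ldap_tls),
                                   ("SNMP weak", WEAK_SNMP, audit_snmp),
                                   ("SNMP hardened", HARDENED_SNMP, audit_snmp)]:
        findings = audit(settings)
        print(f"{label}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

The audit stops early when TLS or SNMPv3 is off, since the remaining options cannot compensate for that; a clean result for the LDAP check still depends on the CA file actually containing the issuer of your LDAP server's certificate, which no offline check can confirm.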
Keep SNMP disabled except for SNMP cluster monitoring
The SNMP service is disabled by default.
If you enable cluster monitoring as described previously in Use SNMPv3 for cluster monitoring, that procedure enables SNMP.
SNMP must remain enabled for cluster monitoring to work.
Disabling SNMP on the cluster does not affect the sending of SNMP trap alerts from the cluster to an SNMP server.
Change default community string for SNMPv2
If SNMPv2 is needed, change the default community string (I$ilonpublic) to something different.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Set a new read-only community string with isi_gconfig, replacing <new string> with your value:
      isi_gconfig -t bsnmpd-config ro_community=<new string>
3. Disable and then enable snmpd:
      isi services -a snmp disable
      isi services -a snmp enable
SSH security best practices
Choose from the following practices depending on what is best for your environment.
Restrict SSH access to specific users and groups
By default, only the SecurityAdmin, SystemAdmin, and AuditAdmin roles have SSH access privileges. You can grant SSH access
for specific cluster management tasks to users and groups that have more restricted roles.
To perform these steps, you must log in as a user who has the ISI_PRIV_ROLE privilege. That privilege allows you to create
roles and assign privileges.
To grant SSH access to users and groups using custom roles:
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Create a custom role:
      isi auth roles create <role_name>
     Where <role_name> is the custom role.
3. Add the ISI_PRIV_LOGIN_SSH privilege to the role:
    isi auth roles modify <role_name> --add-priv ISI_PRIV_LOGIN_SSH
4. Add a user or a group to the role with one of these commands:
    isi auth roles modify <role_name> --add-user <user_name>
    isi auth roles modify <role_name> --add-group <group_name>
   Where:
   ● <user_name> is an existing username.
   ● <group_name> is an existing group name.
Disable root SSH access to the cluster
Disabling root SSH access to the cluster prevents attackers from brute-forcing the root password over SSH. The root account
remains usable through the console and through privilege elevation from an RBAC-authorized account, but it is no longer a
remote login target.
After disabling root SSH access, you can still log in as root by performing one of the following actions:
● Physically connect to the cluster using a serial cable, and log in as root.
● Open a secure shell (SSH) connection to any node in the cluster, and log in using an RBAC-authorized account. At the
   command prompt, type login root and press ENTER. Type the root password when prompted. This method has the
   security benefit of requiring two passwords (the user password and the root password).
You can also elevate the privileges for select users to give them access to specified root-level commands. See Restrict SSH
access to specific users and groups.
1. Before disabling root SSH, ensure that there is at least one nonroot user with SSH privileges on the cluster. Otherwise,
   you can lose remote administrative access.
   ● On the command-line interface, run the following command and confirm that there is at least one nonroot user listed:
        isi auth roles view SecurityAdmin
   ● On the web administration interface, click Access > Membership and Roles > Roles. Select the view/edit button in
     the SecurityAdmin section.
2. Open a secure shell (SSH) connection to any node in the cluster and log in as a user that has ISI_PRIV_AUTH privileges.
       NOTE: Users with that privilege have the right to "Configure external authentication providers."
3. Run the following command to disable the ability of the root user to log in through an SSH session:
    isi ssh settings modify --permit-root-login False
Data-access protocols best practices
To prevent unauthorized client access through unused or unmonitored protocols, disable protocols that you do not support. For
those protocols that you do support, limit access to only the clients who require it.
Use a trusted network to protect files and authentication
credentials that are sent in cleartext
The security between a client and the PowerScale cluster depends on the protocol. Some protocols send files and
authentication credentials in cleartext.
Use the following methods to protect your data and authentication information from interception:
● Implement a compensating control, as described in the following sections.
● Ensure that the path between clients and the cluster is on a trusted network.
Even if you implement a compensating control, a trusted network provides an additional layer of security.
Use compensating controls to protect authentication credentials
that are sent in cleartext
Some protocols send authentication credentials in cleartext. You can use compensating controls to enable more secure
authentication.
Protocols that send authentication credentials in cleartext include:
●    FTP
●    HDFS (and WebHDFS)
●    HTTP
●    NFS
●    Swift
Compensating controls for cleartext authentication in OneFS include:
●    Kerberos authentication (supported by some protocols)
●    NTLM authentication (supported by some protocols)
●    Secure impersonation on HDFS
●    TLS enabled on the FTP service
●    SSH tunneling (Wraps an existing nonsecure protocol and moves all communication to an encrypted channel.)
●    The OneFS API sends all authentication credentials over TLS.
Use compensating controls to protect files that are sent in
cleartext
Files specific to the web administration interface are sent over TLS. Files specific to /ifs are sent differently depending on the
protocol. You can use compensating controls to increase the security of files that are sent in cleartext.
Protocols that may send /ifs files in cleartext include:
●    FTP
●    HDFS (and WebHDFS)
●    HTTP
●    NFS
●    Some versions of SMB
Compensating controls for data transmission in OneFS include:
● The OneFS API (all file access communication is sent over TLS).
● SSH tunneling (wraps an existing nonsecure protocol and moves all communication to an encrypted channel).
Initial Sequence Numbers (ISNs) through TCP connections
During a TCP connection, the syncache is used to limit the amount of data that the kernel tracks until the connection is
established. If the syncache is full, the kernel switches to syncookies to prevent DoS attempts through a SYN flood
attack. However, these cached values could be susceptible to attacks on the initial sequence numbers (ISNs), which, by default,
are based on source and destination ports. If you disable syncookies, OneFS generates more random ISNs. The ISNs are
generated every fifteen seconds.
The syncookies setting is enabled by default. To disable it (to generate random ISNs), use the sysctl command to set
net.inet.tcp.syncookies to zero:
    sysctl net.inet.tcp.syncookies=0
Disabling syncookies also removes the fallback that keeps accepting connections when a SYN flood fills the syncache. Weigh the
ISN hardening against the loss of that protection on your network before changing the default.
FTP best practices
The FTP service is disabled by default. It should remain disabled unless your site requires it.
Only use FTP for anonymous FTP. Do not use FTP for authenticated communication on an insecure network.
If you must use FTP, it is recommended that you enable TLS on the FTP service, and then connect with an FTP client that
supports TLS. For configuration instructions for enabling TLS on FTP, see FTP security.
HDFS best practices
The HDFS service on the cluster is disabled by default, and should remain disabled unless you intend to support it.
If you support Hadoop, enable the HDFS service:
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:
     isi services -a hdfs enable
Limit HDFS access to specific access zones
HDFS is configured on a per-access-zone basis. Disable HDFS access from any access zones that do not require it.
    NOTE: Disabling HDFS for an individual access zone prevents HDFS access to that zone. It does not disable the HDFS
    service on the cluster.
1. From the OneFS web administration interface, click Protocols > Hadoop (HDFS) > Settings.
2. From the Current Access Zone list, select the access zone for which you want to disable HDFS.
3. In the HDFS Service Settings area, clear the checkbox for Enable HDFS service for zonename zone.
4. Click Save.
HDFS is disabled for the selected access zone.
General HDFS security
The following security features for HDFS are recommended:
● Use HDFS with Kerberos if the network is not completely trusted.
● Use the HDFS Transparent Data Encryption (TDE). This feature requires that you enable Kerberos authentication. For more
  information about this recommendation, see the PowerScale OneFS HDFS Reference Guide.
● Use TLS with WebHDFS.
HTTP file protocol best practices
HTTP is disabled by default.
You can enable HTTP to support the HTTP file protocol for file sharing.
● When the file protocol service is enabled, the server uses port 80.
● When encryption is enabled, port 443 is used and requests to 80 are redirected to 443.
For file access on a nonsecure network, use only HTTPS.
HTTP allows access only to files that are readable by others. However, those files are readable without requiring a valid user
account on the cluster. If you do not support the HTTP file protocol, HTTP should remain disabled on the cluster.
Beginning in OneFS 9.5.0.0, all data path operations are separated from all control path operations. Control path services,
including the OneFS WebUI service, use different ports than the data path services.
The OneFS WebUI service always uses HTTPS and port 8080. This service is enabled by default. HTTPS is always available for
accessing the web administration interface even when HTTP is disabled.
If it is required at your site, you may disable the OneFS WebUI service. For information about the various HTTP and HTTPS
services and how to enable and disable them individually, see HTTP services.
Enable HTTP file protocol
The HTTP file protocol service name is apache2.
1. To enable HTTP on the web administration interface:
   a. Click Protocols > HTTP Settings .
   b. In the Service area, select Enable HTTP.
   c. Click Save Changes.
2. To enable HTTP on the command line:
   a. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
   b. Run the following command:
        isi http settings modify --service=enabled
NFS best practices
NFS data access to the cluster is disabled by default.
To support NFS, you must:
1. Enable the service.
2. Create one or more directories to share.
   A default /ifs directory exists in the file system. Create subdirectories under it to share.
       NOTE: Dell Technologies does not recommend sharing the entire /ifs.
3. Create exports for the directories to share.
   No default NFS exports are created automatically. Create the export for each directory to share over the front-end protocol.
       NOTE: It is recommended to create the exports in subdirectories of /ifs, not in /ifs itself.
For details about these tasks, see the "File sharing" chapter of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the
PowerScale OneFS 9.5.0.0 CLI Administration Guide.
If you support NFS, recommendations for limiting access are provided in the following sections. If you do not support NFS, the
service should remain disabled on the cluster.
Use Kerberos on nontrusted networks
Use NFS with Kerberos if the network is not completely trusted.
Limit access to NFS exports
Use the OneFS web administration interface or command-line interface to control which IP addresses or machines can access
NFS shares and to configure their access levels.
For details, see the "File sharing" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS
9.5.0.0 CLI Administration Guide.
Limit access to parent directories
To hide parent directories of NFSv4 exports, use NFS aliases.
For details, see the "NFS aliases" section of the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS
9.5.0.0 CLI Administration Guide.
Enable export hiding
OneFS includes a way to hide export paths from unauthorized hosts.
By default, when a client connects to an export path that does not exist, it will receive a No such file or directory
error. This exposure of non-exported paths might not be desired and can be changed to an access denied error.
Export hiding prevents unauthorized hosts from viewing the mounts. To enable export hiding:
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Set the value of MountdDeniedStatusOnNotAllowed to 1, as follows:
     isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.MountdDeniedStatusOnNotAllowed=1
3. Restart NFS on the cluster by disabling and then reenabling the service.
       NOTE: The restart action could cause loss of service for NFS clients that are connected when the restart is conducted.
    isi services nfs disable
    isi services nfs enable
When export hiding is disabled, hosts receive the following error when they try to mount an export that does not exist.
 mount.nfs: mounting 10.20.30.4:/ifs/data/testdir failed, reason given by server: No such
 file or directory
When export hiding is enabled, hosts receive the following error when they try to mount an export that does not exist.
 mount.nfs: access denied by server while mounting 10.20.30.4:/ifs/data/testdir
Disable showmount command
The showmount command allows an NFS client to see all exports on a cluster. An option was introduced to prevent off-node
clients from performing showmount -e.
To enable the option to prevent off-node clients from performing showmount -e:
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Modify the setting and refresh NFS using the following two commands:
     isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.MountdAllowForeignShowmountERequests=0
     isi_for_array '/usr/likewise/bin/lwsm refresh nfs'
   To revert to the default setting, use these commands:
     isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.MountdAllowForeignShowmountERequests=1
     isi_for_array '/usr/likewise/bin/lwsm refresh nfs'
When foreign showmount requests are disabled (MountdAllowForeignShowmountERequests=0), off-node hosts receive the following
error when they try to list exports using showmount -e <cluster-domainname>.
 "rpc mount export: RPC: Authentication error; why = Client credential too weak"
SMB best practices
SMB data access to the cluster is disabled by default.
To enable data access through SMB, you must enable the service, create shares, and manage access through ACLs and other
identity management features.
Enable SMB and create shares
See SMB security for important practices and procedures regarding SMB. They include:
● Enable SMB only if needed.
● Ensure that SMB1 is disabled.
● Create shares in subdirectories of /ifs, rather than in /ifs itself.
Also see the note about using the SMB Guest account in Preloaded accounts.
If you support SMB, it is recommended that you limit access to the shares. That process is described in the following section.
Limit access to SMB shares
It is possible to restrict access to a share by using the share access control list (ACL). However, it is preferred to configure the
share ACL to grant full control to everyone. Then use file system ACLs to manage access to individual files and directories.
Limiting the entire share to read or read/write permissions can complicate management because these restrictions override
existing more permissive permissions on individual files and directories. For example, if the share is configured for read-only
access, but an individual file is configured for read/write, only read access is granted to the file. More permissive permissions on
the share do not override more restrictive permissions that exist on individual files and directories.
For details, see the "File sharing" chapter in the PowerScale OneFS 9.5.0.0 Web Administration Guide or the PowerScale OneFS
9.5.0.0 CLI Administration Guide.
More about access control lists (ACLs)
See Access Control Lists on PowerScale OneFS. This paper provides an overview of ACLs in OneFS. It describes how OneFS
works internally with various ACLs to provide seamless, multiprotocol access.
More about authentication, identity management, and authorization (AIMA)
For information about the expected security workflow regarding SMB data access, see PowerScale OneFS: Authentication,
Identity Management, and Authorization. This paper describes the OneFS AIMA stack, OneFS multiprotocol data access, and the
unified permissions model.
Nontrusted network
Use signing or encryption if the network is not completely trusted.
More SMB security
Use these practices for more SMB security:
●   Kerberos authentication is preferred over NTLM.
●   Join the cluster to the AD domain or the Kerberos realm.
●   Access the cluster through the DNS name. Do not access it directly using the IP.
●   Only use AD or Kerberos accounts for SMB access. Do not use accounts from the local provider or file provider.
SMB signing
SMB is used for file sharing.
In addition, SMB is a transport protocol for Remote Procedure Call (RPC) services such as:
● SAMR (modify local users).
● LSAR (look up local users).
● SRVSVC (modify SMB shares configuration).
SMB and the Distributed Computing Environment Remote Procedure Call (DCERPC) services, which use SMB for transport,
are susceptible to man-in-the-middle attacks. In a man-in-the-middle attack, an attacker intercepts and potentially alters
communication between parties who believe that they are in direct communication with one another.
SMB signing can prevent man-in-the-middle attacks within the SMB protocol. However, SMB signing has performance
implications and is disabled by default on PowerScale clusters. Customers should carefully consider whether the security
benefits of SMB signing outweigh the performance costs. The performance degradation SMB signing causes can vary widely
depending on the network and storage system implementation. Performance can be verified only through testing in your
network environment.
If SMB signing is needed, you can perform one of the following actions:
● Enable SMB signing for all connections. This action is the easiest and most secure solution. However, this option causes
  significant performance degradation because it requires SMB signing for both file transfer and control path DCERPC
  connections.
● Enable SMB signing for the control path only. This solution requires that clients use SMB signing when accessing all DCERPC
  services on the cluster, but does not require signed connections for the data path. This option requires you to enable four
  advanced parameters on the cluster. With these parameters enabled, the OneFS server rejects any nonsigned IPC request
  that a client initiates. If clients are configured not to sign, they can access files over SMB but cannot perform certain other
  functions, such as SMB share enumeration.
Enable SMB signing for all connections
To enable SMB signing for all connections, perform the following steps.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:
     isi smb settings global modify --require-security-signatures yes
3. Configure the client to enable SMB signing. SMB signing may already be enabled by default. See the client documentation
   for instructions.
Enable SMB signing for the control path only
To enable SMB signing for the control path only, perform the following steps.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following four commands. The value of 1 at the end of the command enables the parameter:
      isi_gconfig registry.Services.lsass.Parameters.RPCServers.dssetup.RequireConnectionIntegrity=1
      isi_gconfig registry.Services.lsass.Parameters.RPCServers.lsarpc.RequireConnectionIntegrity=1
      isi_gconfig registry.Services.lsass.Parameters.RPCServers.samr.RequireConnectionIntegrity=1
      isi_gconfig registry.Services.srvsvc.Parameters.RequireConnectionIntegrity=1
      isi_gconfig registry.Services.lsass.Parameters.RPCServers.wkssvc.RequireConnectionIntegrity=1
3. To review the value for each of the settings, run the commands again omitting the settings at the end. In the response, the
   value at the end of the line indicates whether the parameter is enabled (1) or disabled (0).
   For example:
      # isi_gconfig registry.Services.lsass.Parameters.RPCServers.dssetup.RequireConnectionIntegrity
      registry.Services.lsass.Parameters.RPCServers.dssetup.RequireConnectionIntegrity (uint32) = 0
4. Configure the client to require SMB signing. This step is required for the DCERPC services to function. See the client
   documentation for instructions.
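To review all of these settings at once rather than one query at a time, the following POSIX shell script is an added example (it is not from the guide or from OneFS): it reads the output of the read-only isi_gconfig queries from step 3 and lists every RequireConnectionIntegrity key that is missing or not set to 1. It assumes that isi_gconfig prints each value on a single line as "<key> (uint32) = <value>", and it runs here on constructed sample output so it can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the OneFS guide: audit the RequireConnectionIntegrity
# parameters from the control-path SMB signing procedure. On a node you would feed
# it the output of the read-only "isi_gconfig <key>" queries; here it runs on a
# constructed sample so it can be tried offline.

# The gconfig keys the procedure sets, one per line.
INTEGRITY_KEYS='registry.Services.lsass.Parameters.RPCServers.dssetup.RequireConnectionIntegrity
registry.Services.lsass.Parameters.RPCServers.lsarpc.RequireConnectionIntegrity
registry.Services.lsass.Parameters.RPCServers.samr.RequireConnectionIntegrity
registry.Services.srvsvc.Parameters.RequireConnectionIntegrity
registry.Services.lsass.Parameters.RPCServers.wkssvc.RequireConnectionIntegrity'

# Constructed sample output. The "<key> (uint32) = <value>" single-line layout is
# assumed from the guide's example (which wraps it over two lines). samr is still
# 0 and the wkssvc line is absent, so both should be reported.
SAMPLE_OUTPUT='registry.Services.lsass.Parameters.RPCServers.dssetup.RequireConnectionIntegrity (uint32) = 1
registry.Services.lsass.Parameters.RPCServers.lsarpc.RequireConnectionIntegrity (uint32) = 1
registry.Services.lsass.Parameters.RPCServers.samr.RequireConnectionIntegrity (uint32) = 0
registry.Services.srvsvc.Parameters.RequireConnectionIntegrity (uint32) = 1'

# Read gconfig output from stdin; print "<key> <value>" for every required key
# that is not set to 1, or "<key> MISSING" if the key was not queried at all.
integrity_gaps() {
    output=$(cat)
    printf '%s\n' "$INTEGRITY_KEYS" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        # Exact field comparison in awk, so the dots in the key are not regex wildcards.
        value=$(printf '%s\n' "$output" |
            awk -v k="$key" '$1 == k && $2 == "(uint32)" && $3 == "=" { print $4 }')
        case "$value" in
            1)  ;;                                   # signing required: compliant
            "") printf '%s MISSING\n' "$key" ;;
            *)  printf '%s %s\n' "$key" "$value" ;;
        esac
    done
}

# Exit status 0 only when every required key is present and set to 1.
signing_compliant() {
    [ -z "$(integrity_gaps)" ]
}

# Stand-alone run: list the gaps in the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | integrity_gaps
```

On a cluster, pipe the concatenated output of the five isi_gconfig queries into integrity_gaps instead of the sample.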
Swift access
The Swift service on the cluster is disabled by default. If Swift is not being used to access the cluster, a strong security posture
requires that you leave the service disabled.
Plans exist to remove support for OpenStack Swift from OneFS in a future release. The OneFS S3 protocol is recommended
instead. For more information, see https://www.dell.com/support/kbdoc/000067100.
If you support Swift, enable it as follows:
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:
      isi services -a lwswift enable
Web interface security best practices
This section provides recommendations for limiting access to the OneFS web administration interface, configuring security
headers, and strengthening the posture of TLS. You can perform one or more of these procedures depending on what is best for
your environment.
Replace the TLS certificate
PowerScale clusters ship with a self-signed TLS certificate. It is recommended that you replace the default TLS certificate with
a certificate that is signed by a trusted Certificate Authority.
For instructions, see the Certificates section in the "General Cluster Administration" chapter of the PowerScale OneFS 9.5.0.0
Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Remove persistent older versions of TLS
Some upgrade paths or manual customer updates can cause an older TLS version to persist. If your current configuration
at /etc/mcp/templates/webui_httpd.conf contains +TLSv1 or +TLSv1.1, install the latest security patches. For
more information, see the Current PowerScale OneFS Patches document on the Customer Support site.
7
Miscellaneous Configuration and Management Elements
Any miscellaneous configuration changes to OneFS are not recommended. Only use OneFS security and roll-up patches to
modify your environment, and check your manifest to verify the installation. For links to Dell Security Advisories (DSAs) and
related patches, see Security resources .
Topics:
•     Preventing malware
•     Specialized security devices
•     Intel microarchitectural mitigations
Preventing malware
      CAUTION: When an ICAP or CAVA anti-virus server is configured, the network between the cluster and the
      anti-virus server must be a trusted network. The file contents are visible to people and programs that have
      access to the network packets.
CAVA requires that the SMB protocol is enabled. Scan requests and heartbeats travel between the cluster and CEE/CAVA
servers via HTTP on port 12228. The antivirus software reads and updates files via SMB (port 445) using the configured IP pool
addresses.
For information about preventing malware using either ICAP or CAVA, see the "Anti-virus" chapter of the PowerScale OneFS
9.5.0.0 Web Administration Guide or the PowerScale OneFS 9.5.0.0 CLI Administration Guide.
Specialized security devices
OneFS supports several security device integration and configuration options.
OneFS supports multifactor authentication (MFA) using the DUO 2FA for authentication over SSH.
MFA is a system access control method that grants access to a user who has successfully presented several separate pieces of
evidence to an authentication mechanism. Typically, authentication uses at least two of the following categories:
● Knowledge (something they know).
● Possession (something they have).
● Inherence (something they are).
MFA enables the LSASS daemon to require and accept multiple forms of credentials other than a username and password
combination for some forms of authentication.
For more information, see the following sections in the "Authentication" chapter in the PowerScale OneFS CLI Administration
Guide:
● Multifactor authentication (MFA)
● SSH Authentication and Configuration section (contains MFA Prerequisites).
Intel microarchitectural mitigations
PowerScale incorporates microarchitectural mitigations from Intel. Some mitigations are implemented as tunable options that
may be enabled or disabled by default.
Background
In early 2018, researchers discovered several side-channel vulnerabilities in Intel processors, including vulnerabilities named
Spectre and Meltdown. Later, new variants of these and other vulnerabilities against Intel processors and their memory caches
were announced. Intel releases fixes, also known as mitigations, to these vulnerabilities on a regular quarterly cadence. Dell
Technologies implements the mitigations into PowerScale.
To prevent potential attacks, Dell Technologies recommends that you install the most recent node firmware packages (NFP)
and software patches for your PowerScale hardware and software. Some vulnerabilities are addressed with operating system
fixes. Other vulnerabilities occur in the BIOS and are addressed in NFP fixes that directly update the system firmware. You are
encouraged to consume all fixes regardless of how tightly you control your login environment.
How to tune
To make a temporary change to a tunable, type:
 sysctl <component.subcomponent.name>=<value>
The value remains in effect until you reboot. The reboot loads the default.
To make a permanent change, add the tunable to /etc/mcp/override/sysctl.conf. On bootup, values in that file
override the defaults.
Informational commands
It can be difficult to determine which value turns a mitigation on or off. Sometimes, a 0 value indicates on and in other cases,
the 0 value indicates off.
The informational commands that are listed in the sections below interpret whether the mitigation is on (active) or off
(inactive). The informational output also shows you the setting value.
Tunable mitigations
A tunable option is provided for mitigations that may affect performance. You can enable or disable these mitigations. Make your
choices by assessing your vulnerability risk against performance needs.
    NOTE: Risks exist when nonadmin users are allowed to run arbitrary code. If you do not allow SSH access by nontrusted
    users, you can safely disable all the following mitigations, restoring performance with no security risk.
Enabling the restricted CLI for accounts with the ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE privilege is another
mitigation that prevents users from running arbitrary code.
The following table describes the tunable mitigations in PowerScale, their default state, associated informational command, and
tuning options.
Speculative Store Bypass (SSB)
      # sysctl hw.spec_store_bypass_disable
      hw.spec_store_bypass_disable: 0
      /* mitigation off (0) by default */
      # sysctl hw.spec_store_bypass_disable_active
      hw.spec_store_bypass_disable_active: 0
      /* informational command */
    To enable this mitigation, change hw.spec_store_bypass_disable. Dell Technologies recommends using 2, which
    allows the system to automatically determine when to apply the mitigation. Valid settings are:
    ● 2—Auto
    ● 1—On
    ● 0—Off
Microarchitectural Data Sampling (MDS)
      # sysctl hw.mds_disable
      hw.mds_disable: 0
      /* mitigation off (0) by default */
      # sysctl hw.mds_disable_state
      hw.mds_disable_state: inactive
      /* informational command */
    To enable this mitigation, set hw.mds_disable to 1. That setting verifies whether the data segment being
    processed is readable or writable from the current privilege level. It is the recommended setting.
Spectre v2
    For Spectre v2, the mitigation is on by default.
      # sysctl hw.ibrs_disable
      hw.ibrs_disable: 0
      /* mitigation on (0) by default */
      # sysctl hw.ibrs_active
      hw.ibrs_active: 1
      /* informational command */
    To disable this mitigation, set hw.ibrs_disable to 1. However, Dell Technologies recommends the default
    setting.
Meltdown
      # sysctl vm.pmap.pti
      vm.pmap.pti: 1 | 0
      /* mitigation on or off by default; see note */
    NOTE: This value can be on or off by default. The software automates the setting of this value. The value is
    determined by whether the hardware itself or the microcode already completely mitigates the issue.
    Because the software analyzes the hardware requirement regarding the setting of this value, it is recommended
    that you leave the default setting. However, if your environment does not require local nonroot logins and
    the default setting is 1, you can safely change it to 0.
    The Meltdown mitigation is tuned in a different way from the other mitigations that are described above. To
    change it:
    1. On each node in the cluster, do the following:
       a. Edit the /boot/loader.conf file.
       b. Under the Kernel tunables heading, add the following line:
            vm.pmap.pti="0"
    2. Reboot the cluster for the change to take effect.
Other mitigations
    All other recent changes are enabled by default and are not tunable.
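Because a 0 means "on" for some of these keys and "off" for others, the following POSIX shell script is an added example (it is not from the guide or from OneFS) that applies the table's encodings to sysctl output: it maps each value to on, off or auto, handles the inverted hw.ibrs_disable key, and lists the keys that currently report a mitigation as off. Reading 1 as active for hw.spec_store_bypass_disable_active is an assumption, and the script runs here on constructed sample lines.

```shell
#!/bin/sh
# Added example, not part of the OneFS guide: interpret the sysctl values from the
# tunable-mitigations table, where 0 means "on" for some keys and "off" for others.
# On a node you would pipe in the output of the informational sysctl commands; here
# it runs on constructed sample lines so it can be tried offline.

# Constructed sample: a node with the documented defaults (SSB and MDS off,
# Spectre v2 on, PTI on) plus an unrelated key that should be ignored.
SAMPLE_SYSCTL='hw.spec_store_bypass_disable: 0
hw.spec_store_bypass_disable_active: 0
hw.mds_disable: 0
hw.mds_disable_state: inactive
hw.ibrs_disable: 0
hw.ibrs_active: 1
vm.pmap.pti: 1
kern.hostname: node-1'

# Map one sysctl name and value to the mitigation state it implies (on, off,
# auto or unknown). Encodings follow the table; reading 1 as "active" for
# hw.spec_store_bypass_disable_active is an assumption.
mitigation_state() {
    name=$1
    value=$2
    case "$name" in
        hw.spec_store_bypass_disable)
            case "$value" in 0) echo off ;; 1) echo on ;; 2) echo auto ;; *) echo unknown ;; esac ;;
        hw.spec_store_bypass_disable_active|hw.mds_disable|hw.ibrs_active|vm.pmap.pti)
            case "$value" in 0) echo off ;; 1) echo on ;; *) echo unknown ;; esac ;;
        hw.ibrs_disable)
            # Inverted key: it disables the mitigation, so 0 means the mitigation is on.
            case "$value" in 0) echo on ;; 1) echo off ;; *) echo unknown ;; esac ;;
        hw.mds_disable_state)
            case "$value" in active) echo on ;; inactive) echo off ;; *) echo unknown ;; esac ;;
        *)
            echo unknown ;;
    esac
}

# Read "name: value" lines from stdin and print "name value state" for each
# key the table covers; other sysctl keys are skipped.
mitigation_report() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        state=$(mitigation_state "$name" "$value")
        if [ "$state" != unknown ]; then
            printf '%s %s %s\n' "$name" "$value" "$state"
        fi
    done
}

# Print only the keys that currently report a mitigation as off, which is the
# list to weigh against performance needs before enabling anything.
mitigations_off() {
    mitigation_report | awk '$3 == "off" { print $1 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | mitigation_report
```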
8
Glossary
Topics:
•   Terminology
Terminology
The following terms and abbreviations describe some of the features and technology of the PowerScale OneFS system and
PowerScale cluster.
Access-based enumeration (ABE)
    In a Microsoft Windows environment, ABE filters files and folders to show only the files that the user has
    permissions to access on a file server.
Access control entry (ACE)
    An element of an access control list (ACL) that defines access rights to an object (like a file or directory)
    for a user or group.
Access control list (ACL)
    A list of access control entries (ACEs) that provide information about the users and groups allowed
    access to an object.
ACL policy
    Defines which access control methods are enforced when a user accesses a file on a system that is
    configured for multiprotocol access to file systems. Access control methods are: NFS permissions and
    Windows ACLs. The ACL policy is set using the web administration interface.
Authentication
    The process for verifying the identity of a user trying to access a resource or object, such as a file or a
    directory.
Certificate Authority (CA)
    A trusted third party that digitally signs public key certificates.
Certificate Authority Certificate
    A digitally signed association between an identity (a Certificate Authority) and a public key. The host uses
    the certificate to verify digital signatures on public key certificates.
Command-line interface (CLI)
    An interface for entering commands through a shell window to perform cluster administration tasks.
Digital certificate
    An electronic ID issued by a certificate authority that establishes user credentials. It contains:
    ● The user identity (a hostname)
    ● A serial number
    ● Expiration dates
    ● A copy of the public key of the certificate holder—The public key is used to encrypt messages and
      digital signatures.
    ● A digital signature from the certificate-issuing authority, so recipients can verify that the certificate is
      valid.
Directory server
    A server that stores and organizes information about users and resources on a system network and allows
    network administrators to manage user access to the resources. X.500 is the best-known open directory
    service. Proprietary directory services include Microsoft Active Directory.
Group Identifier (GID)
    Numeric value used to represent a group account in a UNIX system.
Hypertext Transfer Protocol (HTTP)
    The communications protocol used to connect to servers on the World Wide Web.
Hypertext Transfer Protocol Secure (HTTPS)
    HTTP over TLS. All network traffic between the client and server system is encrypted. In addition, HTTPS
    provides the option to verify server and client identities. Typically, server identities are verified and client
    identities are not.
Kerberos
    An authentication, data integrity, and data-privacy encryption mechanism that is used to encode
    authentication information. Kerberos co-exists with NTLM and provides authentication for client/server
    applications using secret-key cryptography.
Lightweight Directory Access Protocol (LDAP)
    An information-access protocol that runs directly over TCP/IP. LDAP is the primary access protocol for
    Active Directory and LDAP-based directory servers. LDAP Version 3 is defined by Proposed Standard
    documents in Internet Engineering Task Force (IETF) RFC 2251.
LDAP-based directory
    A directory server that provides access through LDAP. Examples of LDAP-based directory servers include
    OpenLDAP and SUN Directory Server.
Network File System (NFS)
    A distributed file system that provides transparent access to remote file systems. NFS allows all network
    systems to share a single copy of a directory.
Network Information Service (NIS)
    A service that provides authentication and identity uniformity across local area networks and allows you
    to integrate the cluster with your NIS infrastructure. Designed by Sun Microsystems, NIS can be used to
    authenticate users and groups when they access the cluster.
OneFS API
    A RESTful HTTP-based interface that enables cluster configuration, management, and monitoring
    functionality, and enables operations on files and directories.
OpenLDAP
    The open-source implementation of an LDAP-based directory service.
Public Key Infrastructure (PKI)
    A means of managing private keys and associated public key certificates for use in Public Key
    Cryptography.
Role-based Access Control (RBAC)
    RBAC grants the rights to perform particular administrative actions to users who have authenticated to
    a cluster. Security Administrators create roles, assign privileges to the roles, and then assign members to
    the roles.
Secure Connect Gateway (SCG)
    A gateway for proactive, automated issue detection, case creation and notification, analytics-based
    recommendations, and predictive analysis failure detection for server hard drives and backplanes. SCG
    offers remote access and secure, two-way communication between Dell Technologies and the customer
    environment for accelerated issue resolution.
    Both SupportAssist and Secure Remote Services can use SCG to connect a cluster to Dell Technologies
    Support.
Secure Remote Services (SRS)
    Enables 24x7 proactive, secure, high-speed remote monitoring and repair for many Dell Technologies
    products. SRS requires a gateway for connection. Supported versions of either the SCG or the SRS
    Gateway can be used.
Secure Sockets Layer (SSL)
    A security protocol that provides encryption and authentication. SSL encrypts data and provides message
    and server authentication. SSL also supports client authentication when required by the server.
Security Identifier (SID)
    A unique, fixed identifier that represents a user account, user group, or other secure identity component in a
    Windows system.
Server Message Block (SMB)
    A network protocol used by Windows-based systems that allows systems within the same network to
    share files.
Simple Network Management Protocol (SNMP)
    A protocol that can be used to communicate management information between the network management
    stations and the agents in the network elements.
SupportAssist
    A secure support system that includes 24x7 remote monitoring of a PowerScale cluster. With
    permission, it provides remote access for Dell Technologies Support personnel to gather cluster data
    and troubleshoot issues.
    SupportAssist replaces SRS as the primary service path for PowerScale and OneFS.
Transport Layer Security (TLS)
    The successor protocol to SSL for general communication authentication and encryption over TCP/IP
    networks.
User Identifier (UID)
    Alphanumeric value used to represent a user account in a UNIX system.
X.509
    A widely used standard for defining digital certificates.
A
Links to security standards
The following references provide more information about security standards.
Topic                            Links
Common Criteria                  https://www.commoncriteriaportal.org/
DISA                             https://www.disa.mil/
DoD Public SRG\STIG Downloads    https://public.cyber.mil/stigs/downloads/
FIPS 140-2                       https://csrc.nist.gov/publications/detail/fips/140/2/final
MITRE CVE                        https://cve.mitre.org/
NIST CCSS                        https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7502.pdf
NIST SP 800-53                   https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final