When configuring security hardening on OneFS 9.5 or later, one thing to note is that, even with the STIG profile activated, not all the rules are automatically marked as ‘applied’. Specifically:
# isi hardening report view STIG | grep "Not Applied"
check_stig_celog_alerts                 Cluster  Not Applied  Military Unique Deployment Guide manually configured CELOG settings.
check_synciq_default_ocsp_settings      Cluster  Not Applied  /sync/settings/:cluster_certificate_id
check_synciq_policy_ocsp_settings       Cluster  Not Applied  /sync/policies/:ocsp_issuer_certificate_id
check_multiple_ntp_servers_configured   Cluster  Not Applied  /protocols/ntp/servers:total
set_auth_webui_sso_mfa_idp              Cluster  Not Applied  auth/providers/saml-services/idps/System
set_auth_webui_sso_mfa_sp_host          Cluster  Not Applied  auth/providers/saml-services/sp?zone=System:hostname
Each of these six rules depends on site-specific information (syslog and NTP servers, certificates, the SAML IdP) that the profile cannot supply, so they remain 'Not Applied' until the corresponding manual task below has been completed; the last column names the setting the rule checks.
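Because the profile alone never clears these rules, it is worth gating a deployment on the report rather than on the hardening apply step succeeding. The following POSIX sh functions are an added example (not from the original article or from OneFS): they read the output of `isi hardening report view STIG` on stdin, list every rule still marked 'Not Applied' together with the manual task area it belongs to, and return non-zero for use in a pipeline. The sample report embedded in `sample_report` is constructed from the six rows shown above; its column headers and the single 'Applied' row are made up for the sake of the example.

```shell
# Added example: gate on the STIG hardening report until every rule is applied.
# Input format is the fixed-width output of `isi hardening report view STIG`;
# the rule name is the first field and the status column reads "Not Applied".

# stig_not_applied: read a hardening report on stdin and print one line per
# outstanding rule as "<rule-name> <manual-task-area>".
stig_not_applied() {
    awk '
        /Not Applied/ {
            rule = $1
            area = "Other"
            if (rule ~ /celog/)   area = "CELOG"
            if (rule ~ /synciq/)  area = "SyncIQ"
            if (rule ~ /ntp/)     area = "NTP"
            if (rule ~ /sso_mfa/) area = "MFA/SSO"
            print rule, area
        }'
}

# stig_gate: return 0 when nothing is outstanding, 1 otherwise, so a
# deployment pipeline can stop before the cluster is declared compliant.
stig_gate() {
    pending=$(stig_not_applied)
    [ -z "$pending" ] && return 0
    printf 'STIG rules still not applied:\n%s\n' "$pending" >&2
    return 1
}

# sample_report: constructed stand-in for the real command output. The header
# line and the "check_placeholder_rule" row are invented for this example;
# the six "Not Applied" rows are the ones from the article.
sample_report() {
    cat <<'EOF'
Name                                    Scope    Status       Detail
check_placeholder_rule                  Cluster  Applied      (constructed row)
check_stig_celog_alerts                 Cluster  Not Applied  Military Unique Deployment Guide manually configured CELOG settings.
check_synciq_default_ocsp_settings      Cluster  Not Applied  /sync/settings/:cluster_certificate_id
check_synciq_policy_ocsp_settings       Cluster  Not Applied  /sync/policies/:ocsp_issuer_certificate_id
check_multiple_ntp_servers_configured   Cluster  Not Applied  /protocols/ntp/servers:total
set_auth_webui_sso_mfa_idp              Cluster  Not Applied  auth/providers/saml-services/idps/System
set_auth_webui_sso_mfa_sp_host          Cluster  Not Applied  auth/providers/saml-services/sp?zone=System:hostname
EOF
}

# On a cluster:  isi hardening report view STIG | stig_gate
# Offline demo:  sample_report | stig_gate
```

Run against the sample, `stig_gate` prints the six outstanding rules to stderr and returns 1; once the manual tasks in the rest of this article are done and the report shows every rule applied, it returns 0.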
Applying a hardening profile is one of multiple tasks that are required in order to configure a STIG-compliant PowerScale cluster. These include:
| Component | Tasks |
| --- | --- |
| Audit | Configure remote syslog servers for auditing. |
| Authentication | Configure a secure authentication provider, a SecurityAdmin account, and the default restricted shell. |
| CELOG | Create an event channel for security officers and system administrators to monitor /root and /var partition usage, the audit service, security verification, and account creation. |
| MFA & SSO | Enable and configure multi-factor authentication and single sign-on. |
| NTP | Configure secure NTP servers with SHA256 keys. |
| SMB | Configure SMB global settings and defaults; enable SMB encryption on shares. |
| SNMP | Enable SNMP and configure SNMPv3 settings. |
| SyncIQ | Configure SyncIQ to use CA certificates so that both the source and target clusters (primary and secondary DSCs) have both Server Authentication and Client Authentication set in their Extended Key Usage fields. |
Over the course of the next two blog articles, we’ll cover the specific configuration requirements and details of each of these components via the OneFS CLI.
In this article, we’ll focus on the following tasks:
Audit Setup
- To set up secure auditing, first stand up the remote syslog server(s). Note that, although OneFS keeps separate syslog targets for configuration, protocol, and system auditing, all three can point at the same central syslog server(s). Once the servers are reachable from the cluster, add them to the OneFS audit configuration with the following CLI syntax, and confirm the result with 'isi audit settings global view':
# isi audit settings global modify --config-syslog-servers=[server FQDN/IP] --protocol-syslog-servers=[server FQDN/IP] --system-syslog-servers=[server FQDN/IP]
- Also consider adding the cluster certificate to the audit settings for mutual Transport Layer Security (TLS) authentication.
# isi audit certificates syslog import [certificate_path] [key_path]
Once the import has completed, delete the certificate and private key files from the cluster's file system so that the private key cannot be read by anyone with file access.
Authentication Setup
- Set the default shell for any new users created in the Local Provider.
# isi auth local modify System --login-shell=/usr/local/restricted_shell/bin/restricted_shell.py
- Next, configure the remote authentication provider. This could be Kerberos, LDAP, or Active Directory. For more information, see the OneFS 9.5 CLI Administration Guide.
Note that all Active Directory users must have an e-mail address configured for them for use with ADFS multi-factor authentication (MFA).
Every Active Directory user must have a home directory created on the cluster, and that directory's ~/.ssh/authorized_keys must contain the public key matching the certificate (for example, a CAC) presented by the user's SSH client (SecureCRT, PuTTY-CAC, etc.).
If using Active Directory, the recommendation is to enable LDAP encryption, commonly referred to as ‘LDAP sign and seal’. For example:
# isi auth ads modify [provider-name] --ldap-sign-and-seal true
Additionally, the 'machine password lifespan' (the rotation interval for the cluster's AD computer account password) should be configured to a value of 60 days or less:
# isi auth ads modify [provider-name] --machine-password-lifespan=60D
Where [provider-name] is the name of the chosen Active Directory provider.
- Finally, identify a remote-authenticated user and assign them administrative privileges.
# isi auth roles modify SecurityAdmin --add-user [username]
# isi auth roles modify SystemAdmin --add-user [username]
Where [username] is the name of the chosen administrative user.
CELOG Setup
- For CELOG security setup, create an event channel for the required ISSO/SA alerts and configure the appropriate event thresholds.
The following events need to send alerts on a channel monitored by an organization’s Information Systems Security Officers (ISSOs) or System Administrators (SAs):
| Event ID | Event |
| --- | --- |
| 100010001 | The /var partition is near capacity. |
| 100010002 | The /var/crash partition is near capacity. |
| 100010003 | The root partition is near capacity. |
| 400160002 | Audit system cannot provide service. |
| 400160005 | Audit daemon failed to persist events. |
| 400200001 | Security verification check failed. |
| 400200002 | Security verification successfully ran. |
| 400260000 | User account(s) created/updated/removed. |
The event channel can be created as follows:
# isi event channels create [channel name] [type] [options]
Next, set the thresholds for the three capacity events, then create one alert that fires when any of the listed events is raised and a second that fires when one of them increases in severity:
# isi event thresholds modify 100010001 --info 74 --warn 75
# isi event thresholds modify 100010002 --warn 75
# isi event thresholds modify 100010003 --warn 75
# isi event alerts create [event name 1] NEW [channel name] --eventgroup 100010001 --eventgroup 100010002 --eventgroup 100010003 --eventgroup 400160002 --eventgroup 400160005 --eventgroup 400200001 --eventgroup 400200002 --eventgroup 400260000
# isi event alerts create [event name 2] SEVERITY_INCREASE [channel name] --eventgroup 100010001 --eventgroup 100010002 --eventgroup 100010003 --eventgroup 400160002 --eventgroup 400160005 --eventgroup 400200001 --eventgroup 400200002 --eventgroup 400260000
Where:
| Item | Description |
| --- | --- |
| [channel name] | The name of the newly configured event channel. |
| [event name 1] and [event name 2] | The names of the alerts that fire when a new event occurs and when an event increases in severity, respectively. |
Multi-Factor Authentication (MFA)/Single Sign-On (SSO) Setup
- First, configure the SSO service provider. This can be achieved as follows:
# isi auth sso sp modify --hostname=[node IP or cluster FQDN]
Where [node IP or cluster FQDN] is the IP address of a node in the PowerScale cluster or the fully qualified domain name (FQDN) of the PowerScale cluster.
- Next, configure the Identity Provider (IdP) as follows:
# isi auth sso idps create [name] [options]
- Finally, enable SSO (and with it the IdP-enforced MFA) for the WebUI:
# isi auth sso settings modify --sso-enabled=true
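The four procedures above are easier to review, repeat and hand to an auditor as one script than as a sequence of interactive commands. What follows is an added example, not part of the original article and not a Dell-supplied tool: a POSIX sh script that issues the same 'isi' commands in the same order, with a dry-run mode that prints each command instead of running it. The server names, provider name, user name, paths and channel name are placeholders to be replaced for a real site. The 'isi' options are the ones shown in this article, with two exceptions that are assumptions: the smtp channel options in CHANNEL_OPTS and the IdP options in IDP_OPTS, which must be taken from the OneFS 9.5 CLI Administration Guide for the IdP in use.

```shell
# Added example: the audit, authentication, CELOG and MFA/SSO steps from this
# article as one reviewable script. Everything below is a placeholder until
# set for the site; DRY_RUN=1 (the default) prints commands instead of running them.
: "${SYSLOG_SERVERS:=syslog1.example.mil,syslog2.example.mil}"
: "${AUDIT_CERT:=}"                    # e.g. /ifs/tmp/cluster.crt; leave empty to skip mutual TLS
: "${AUDIT_KEY:=}"                     # e.g. /ifs/tmp/cluster.key
: "${AD_PROVIDER:=EXAMPLE.MIL}"        # name of the Active Directory provider
: "${ADMIN_USER:=isso1@example.mil}"   # remote-authenticated administrative user
: "${CHANNEL_NAME:=isso-alerts}"
: "${CHANNEL_TYPE:=smtp}"
: "${CHANNEL_OPTS:=--address isso@example.mil --smtp-host mail.example.mil}"  # assumed smtp options
: "${SP_HOST:=cluster.example.mil}"    # node IP or cluster FQDN for the SSO service provider
: "${IDP_NAME:=adfs}"
: "${IDP_OPTS:=}"                      # IdP-specific options (assumed; see the CLI guide)
: "${DRY_RUN:=1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

configure_audit() {
    run isi audit settings global modify \
        --config-syslog-servers="$SYSLOG_SERVERS" \
        --protocol-syslog-servers="$SYSLOG_SERVERS" \
        --system-syslog-servers="$SYSLOG_SERVERS"
    # Mutual TLS to the syslog collector is optional: import only when both files are given,
    # then remove the key material from the cluster as the article recommends.
    if [ -n "$AUDIT_CERT" ] && [ -n "$AUDIT_KEY" ]; then
        run isi audit certificates syslog import "$AUDIT_CERT" "$AUDIT_KEY"
        run rm -f "$AUDIT_CERT" "$AUDIT_KEY"
    fi
}

configure_auth() {
    run isi auth local modify System --login-shell=/usr/local/restricted_shell/bin/restricted_shell.py
    run isi auth ads modify "$AD_PROVIDER" --ldap-sign-and-seal true
    run isi auth ads modify "$AD_PROVIDER" --machine-password-lifespan=60D
    run isi auth roles modify SecurityAdmin --add-user "$ADMIN_USER"
    run isi auth roles modify SystemAdmin --add-user "$ADMIN_USER"
}

# The eight ISSO/SA event groups from the article.
ISSO_EVENTS="100010001 100010002 100010003 400160002 400160005 400200001 400200002 400260000"

# eventgroup_args: expand ISSO_EVENTS into repeated --eventgroup options.
eventgroup_args() {
    for e in $ISSO_EVENTS; do printf ' --eventgroup %s' "$e"; done
}

configure_celog() {
    run isi event channels create "$CHANNEL_NAME" "$CHANNEL_TYPE" $CHANNEL_OPTS
    run isi event thresholds modify 100010001 --info 74 --warn 75
    run isi event thresholds modify 100010002 --warn 75
    run isi event thresholds modify 100010003 --warn 75
    run isi event alerts create isso-new NEW "$CHANNEL_NAME" $(eventgroup_args)
    run isi event alerts create isso-escalated SEVERITY_INCREASE "$CHANNEL_NAME" $(eventgroup_args)
}

configure_sso() {
    run isi auth sso sp modify --hostname="$SP_HOST"
    run isi auth sso idps create "$IDP_NAME" $IDP_OPTS
    run isi auth sso settings modify --sso-enabled=true
}

apply_all() {
    configure_audit
    configure_auth
    configure_celog
    configure_sso
}

# Review:  STIG_RUN=1 DRY_RUN=1 sh stig-base.sh
# Apply:   STIG_RUN=1 DRY_RUN=0 sh stig-base.sh   (on a cluster node, as a user with the needed privileges)
if [ "${STIG_RUN:-0}" = 1 ]; then
    apply_all
fi
```

Run once in dry-run mode and keep the printed command list with the change record; it is exactly what was applied, and the hardening report check can be re-run afterwards to confirm that the CELOG and MFA/SSO rules have moved out of the 'Not Applied' state.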
At this point, we’ve covered the configuration and setup of the first four components in the list.
In the next article in this series, we'll focus on the remaining topics: secure NTP, SMB, SNMP, and SyncIQ configuration.