Applying the STIG security profile on a PowerScale cluster is a straightforward process. However, before enabling STIG, you must understand the implications and the context of the STIG security profile. After the profile is applied, existing administrative workflows might be affected.
Before applying the STIG security profile, review this paper in its entirety. Consider the effect on both user and administrative workflows, implement workarounds for affected workflows, and update processes accordingly. Then generate a pre-application report to confirm the cluster's starting state; the command varies by OneFS release.
For OneFS 9.4.0.0 and earlier, generate the report by running isi hardening apply --profile=STIG --report=true, which checks the current configuration against the profile without applying it. Confirm that the cluster is in the "expected state," as shown in the following example:
PowerScale# isi hardening apply --profile=STIG --report=true
Report Generation for Apply Started
This will take several minutes
This cluster is in expected state
For OneFS 9.5.0.0 and later, generate the report by running isi hardening reports create and then list it, as shown in the following example:
PowerScale# isi hardening reports create
.Hardening operation complete.
PowerScale# isi hardening reports list
Name Applied Status Creation Date Report Age
----------------------------------------------------------
STIG No Not Compliant Mon Dec 5 16:41:01 2022 15s
----------------------------------------------------------
Total: 1
Confirm that Applied is No and Status is Not Compliant. For more details, view the full report by running the following command:
PowerScale# isi hardening reports view --profile=STIG
The STIG security profile is applied to a PowerScale cluster through the hardening engine in OneFS. When a security profile is applied, OneFS configures the cluster according to that profile. A profile can later be removed, returning the cluster to an unhardened state, but what "unhardened" means depends on the release. For OneFS 9.4.0.0 and earlier, the removal process returns the cluster to the state it was in before the profile was applied. For OneFS 9.5.0.0 and later, removing the STIG security profile returns the cluster to its system defaults rather than to the configuration that existed when the profile was applied.
Note: Before proceeding with the application of the STIG security profile, review this white paper in its entirety to ensure an understanding of all the implications of applying the profile. Further, complete all prerequisites listed in Prerequisites and considerations. As recommended for any significant IT infrastructure update, test the update on a lab PowerScale cluster that mimics the production environment, workflow, and workload before updating a production cluster. Update the production cluster only after a successful lab implementation.
After a security profile is applied to a cluster, it may be reapplied at any point without removing the profile. The reapplication updates any configuration changes that have occurred since the last profile was applied. Reapplying the STIG security profile is the same process as for the initial profile application.
To apply the STIG security profile on a PowerScale cluster:
1. Update the password hash for UID 0 logins, if the release requires it.
For OneFS 9.4.0.0 and earlier, no password hash update is required; proceed to step 2.
For OneFS 9.5.0.0 and later, a password hash update is required for any system login with UID 0. Typically, UID 0 applies only to the root account.
Note: Updating the password hash also implicitly disables NTLM support for SMB. NTLM is what SMB clients fall back to when they access a share by IP address, so after this change such clients must connect by a host name that Kerberos can authenticate.
To update the password hash type, run the following commands:
isi auth file modify System --password-hash-type=SHA512
isi auth local modify System --password-hash-type=SHA512
After updating the hash type, reset the password of every UID 0 login. The password value may stay the same, but resetting it stores the password with the new hash; until then, the old hash remains in use. For example, to reset the root password, run the following command:
isi auth users change-password root
2. Apply the profile by running the following command:
isi hardening apply --profile=STIG
After the command runs, OneFS first performs a series of checks before applying the STIG security profile. If OneFS does not find any issues with the current configuration, the STIG security profile is applied.
If issues are found during the initial checks, for OneFS 9.4.0.0 and earlier OneFS displays the issues and then displays the following prompt:
Do you want to resolve the issue(s)?[Y/N]:
Confirming that the STIG security profile was applied varies based on the OneFS release.
For OneFS 9.4.0.0 and earlier, run the isi hardening status command and confirm that the Hardening Status is Hardened and that every node is listed as Enabled:
PowerScale# isi hardening status
Cluster Name: PowerScale
Hardening Status: Hardened
Profile : STIG
Following is the nodewise status:
PowerScale : Enabled
Alternatively, the hardening status may also be checked in the PowerScale API by a user who has the ISI_PRIV_HARDENING privilege and ISI_PRIV_LOGIN_PAPI.
For OneFS 9.5.0.0 and later, create a new report and then list it:
PowerScale# isi hardening reports create
PowerScale# isi hardening reports list
Name Applied Status Creation Date Report Age
--------------------------------------------------------
STIG Yes Compliant Mon Dec 5 16:41:01 2022 15s
--------------------------------------------------------
Total: 1
Confirm that Applied is Yes and Status is Compliant. For more details, view the full report by running the following command:
PowerScale# isi hardening reports view --profile=STIG
Alternatively, the hardening status may also be checked in the PowerScale API by a user who has the ISI_PRIV_HARDENING privilege and ISI_PRIV_LOGIN_PAPI.
For the SSH key exchange, cipher, and algorithm settings that the STIG security profile enforces, see Appendix A: SSH key exchange, ciphers, algorithms, and tags.
For releases before OneFS 9.3.0.0, after the STIG profile is applied, logging in as root through SSH, SCP, and SFTP is not possible. Only the serial console and the web interface permit the root login. OneFS 9.3.0.0 and later releases do not disable root access.
After the STIG profile is applied to a PowerScale cluster, it can be reverted (OneFS 9.4.0.0 and earlier) or removed (OneFS 9.5.0.0 and later). The process, and the state the cluster ends in, varies by OneFS release, as described in this section.
Note: Before reverting or removing the STIG security profile, consider the troubleshooting options discussed in Troubleshooting and reports. Ensure that reverting the security profile is the best option, and test it in a lab environment before affecting a production cluster.
To revert the STIG security profile for OneFS 9.4.0.0 and earlier:
isi hardening revert
In response, OneFS first runs through a series of checks before reverting the STIG security profile. If OneFS does not find any issues with the current configuration, then the STIG profile is reverted.
If issues are found during the initial checks, OneFS displays the issues and then displays the following prompt:
Do you want to resolve the issue(s)?[Y/N]:
When the revert completes, confirm the status:
PowerScale# isi hardening status
Cluster Name: PowerScale
Hardening Status: Not Hardened
Alternatively, the hardening status may also be checked in the PowerScale API by a user who has the ISI_PRIV_HARDENING privilege and ISI_PRIV_LOGIN_PAPI.
For OneFS 9.5.0.0 and later, the hardening engine attempts to apply the appropriate non-hardened OneFS defaults where possible. The hardening engine does not return the cluster to its "original state" when the STIG security profile was applied; instead, OneFS defaults are applied.
Note: After removing the STIG security profile, update SSH access before exiting the SSH session; otherwise, SSH access may not be available at the next login. Perform all of the following steps in a single SSH session without exiting, and confirm that a new SSH session can be opened before closing the existing one.
To remove the STIG security profile in OneFS 9.5.0.0 and later:
isi hardening profile defaults STIG
If issues are found during the initial checks, OneFS displays the issues and then displays the following prompt:
Do you want to resolve the issue(s)?[Y/N]:
When the removal completes, create a new report and list it to confirm that the profile is no longer applied:
PowerScale# isi hardening reports create
PowerScale# isi hardening reports list
Name Applied Status Creation Date Report Age
----------------------------------------------------------
STIG No Not Compliant Mon Dec 5 16:41:01 2022 15s
----------------------------------------------------------
Total: 1
Confirm that Applied is No and Status is Not Compliant. For more details, view the full report by running the following command:
PowerScale# isi hardening reports view STIG
Alternatively, the hardening status may also be checked in the PowerScale API by a user who has the ISI_PRIV_HARDENING privilege and ISI_PRIV_LOGIN_PAPI.
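The pre-application check, the post-application confirmation, and the post-removal confirmation above all come down to reading the Applied and Status columns of the STIG row in isi hardening reports list. The following script is an added example, not code from the Dell paper or from OneFS: it wraps that check in a small gate for OneFS 9.5.0.0 and later so the 9.5 application sequence can be scripted and fail fast if the report does not show the expected state. The isi commands are exactly those shown in this section; the helper names (report_state, require_state, fresh_listing, apply_stig_95) are this script's own, and the two sample listings are constructed from the paper's example output so the parser can be exercised off-cluster.

```shell
#!/bin/sh
# Added example: apply-and-verify gate for the STIG profile on OneFS 9.5.0.0+.
# Helper names are this script's own; the isi commands are from the paper.
set -eu

# report_state LISTING
# Parse 'isi hardening reports list' output and print "<Applied>|<Status>" for
# the STIG row, e.g. "Yes|Compliant" or "No|Not Compliant". Prints nothing when
# there is no STIG row (for example, before any report has been created).
report_state() {
  printf '%s\n' "$1" | awk '
    $1 == "STIG" {
      applied = $2
      status  = $3
      if (status == "Not") status = status " " $4   # "Not Compliant" spans two fields
      print applied "|" status
    }'
}

# require_state LISTING EXPECTED_APPLIED EXPECTED_STATUS
# Return 0 when the STIG row matches the expected pair, 1 otherwise (with a
# message on stderr). Under 'set -e' a mismatch aborts the calling script.
require_state() {
  got=$(report_state "$1")
  want="$2|$3"
  if [ "$got" = "$want" ]; then
    return 0
  fi
  printf 'STIG report mismatch: expected "%s", got "%s"\n' \
    "$want" "${got:-<no STIG row>}" >&2
  return 1
}

# fresh_listing: create a new report and list it (9.5.0.0 and later). A report
# reflects the cluster at creation time, so always create before listing.
fresh_listing() {
  isi hardening reports create >/dev/null
  isi hardening reports list
}

# apply_stig_95: the 9.5.0.0+ sequence from the paper. Run it on a node, in one
# SSH session; 'change-password' prompts interactively.
apply_stig_95() {
  # Initial application only: the pre-check expects Applied=No, Not Compliant.
  # A reapplication (allowed without removal) would skip this line.
  require_state "$(fresh_listing)" No "Not Compliant"
  isi auth file modify System --password-hash-type=SHA512
  isi auth local modify System --password-hash-type=SHA512
  isi auth users change-password root      # re-store root's password under SHA512
  isi hardening apply --profile=STIG
  require_state "$(fresh_listing)" Yes Compliant   # post-check: applied and compliant
}

# Constructed samples (copied from the paper's example output) for the
# off-cluster self-test below.
BEFORE_LISTING='Name Applied Status Creation Date Report Age
----------------------------------------------------------
STIG No Not Compliant Mon Dec 5 16:41:01 2022 15s
----------------------------------------------------------
Total: 1'

AFTER_LISTING='Name Applied Status Creation Date Report Age
----------------------------------------------------------
STIG Yes Compliant Mon Dec 5 16:41:01 2022 15s
----------------------------------------------------------
Total: 1'

if command -v isi >/dev/null 2>&1; then
  apply_stig_95
else
  # Not on a PowerScale node: only exercise the parser on the samples.
  require_state "$BEFORE_LISTING" No "Not Compliant"
  require_state "$AFTER_LISTING" Yes Compliant
  echo "parser self-test passed"
fi
```

The same require_state call with No and "Not Compliant" is the check to run after isi hardening profile defaults STIG on 9.5.0.0 and later; keep it in the SSH session in which the removal was run, per the note above.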
Throughout the STIG security profile process, you can monitor the cluster's progress. For OneFS 9.5.0.0 and later, view the current STIG hardening status by running isi hardening reports create followed by isi hardening reports view STIG. Further, if configuration auditing is enabled, the OneFS audit log retains the STIG hardening updates. In addition to the audit log, you can review any of the following logs to monitor the process.
| Log file name and location | Log contents |
|---|---|
| /etc/ifs/hardening_info.txt | Overall hardening status of the current node |
| /var/log/hardening_engine.log | Status of processing the STIG security profile |
| /var/log/isi_hardening_d.log | Status of the hardening daemon |
| /var/log/hardening.log | Hardening log file (OneFS 9.5.0.0 and later only) |
| /ifs/.ifsvar/CHE/log/hardening_engine.log | Status of the hardening stages |
| /ifs/.ifsvar/CHE/cluster_info.txt | Cluster-wide status of a security profile (enabled or disabled) |
| /ifs/.ifsvar/CHE/node_info.txt | Node status of a security profile (enabled or disabled) |
| /ifs/.ifsvar/CHE/output.txt | CLI output from applying the STIG security profile, including any issues displayed on the CLI during application |
With the OneFS API, a user who has the ISI_PRIV_HARDENING and ISI_PRIV_LOGIN_PAPI privileges can also monitor the STIG security profile status.