A STIG security profile requires OneFS configuration changes across several parameters. This section describes the security profile updates by area; the set of updates varies by OneFS release, and newer OneFS releases contain some of the STIG security profile parameters by default.
For OneFS 9.5.0.0 and later, the hardening report shows the OneFS configuration changes. To list all configuration changes, generate the report with the isi hardening reports create command and then view it with the isi hardening reports view STIG command.
The remainder of this section lists the configuration changes for OneFS 9.4.0.0 and earlier.
Applying the STIG security profile updates the network services to ensure that modules and services are secured, as shown in the following table.
Note: The table lists the updates for OneFS 9.4.0.0 and earlier. For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. To view all OneFS configuration changes, run the isi hardening reports view STIG command.
| Component | OneFS 8.2.2 | OneFS 9.0.x | OneFS 9.1.x | OneFS 9.2.x | OneFS 9.3.x | OneFS 9.4.x |
| --- | --- | --- | --- | --- | --- | --- |
| **Apache** | | | | | | |
| Disable mod_status and mod_info | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Require binding to configured external IP addresses | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Prevent infinite request body size | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Limit request header fields to 100 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Limit request header size to 32 KB | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Limit the size of the request line to 32 KB | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Restrict proxying | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| SSL engine enables fips_mode, which limits the crypto to crypto approved and verified in the FIPS 140-2 CMVP for the product. During the hardening process, the HTTP services are restarted, invalidating any established WebUI or API sessions. | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Disable and ignore ICMP and ICMPv6 redirects | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
A checkmark (✔) indicates that applying the STIG security profile updates the component for the specified release. “N/A,” for not applicable, indicates that the component is not updated or applicable for the specified release.
After the STIG security profile is applied, future changes to network pools or IPs cause sshd and httpd to restart. For sshd, existing sessions continue. For WebUI and API access, active sessions are invalidated. Sessions are affected because these processes are bound only to front-end IPs.
As part of the STIG security profile, remote access to the cluster is secured to prevent unauthorized access. The following table lists the remote access updates.
Note: The table lists the updates for OneFS 9.4.0.0 and earlier. For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. View all OneFS configuration changes by running the isi hardening reports view STIG command.
| Component | OneFS 8.2.2 | OneFS 9.0.x | OneFS 9.1.x | OneFS 9.2.x | OneFS 9.3.x | OneFS 9.4.x |
| --- | --- | --- | --- | --- | --- | --- |
| **SSH** | | | | | | |
| Deny root login | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Require protocol v2 | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Restrict login attempts to 3 | ✔ | ✔ | ✔ | ✔ | ✔ | D |
| Display login banner (for more information, see the Login banner section) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Listen only on IPs on external interfaces | ✔ | ✔ | N/A | N/A | N/A | N/A |
| Enforce a session timeout | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Require FIPS 140-2 compatible cryptography | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Disable vsftpd | N/A | N/A | N/A | N/A | N/A | ✔ |
A checkmark (✔) indicates that applying the STIG security profile updates the component for the specified release. “N/A,” for not applicable, indicates that the component is not updated or applicable for the specified release. “D,” for default, indicates that the component is already set by default in the base OneFS release irrespective of applying a STIG security profile.
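The Apache limits and SSH settings in the two tables above can be verified on any exported service configuration with a small directive audit. This is an added example, not OneFS code: the directive names are the stock httpd and OpenSSH equivalents of the table rows, which is an assumption, and the two configuration fragments are constructed samples.

```python
"""Audit key/value service configs against the Apache and SSH rows the STIG
profile applies (OneFS 9.2.x and earlier). Added example, not OneFS code:
directive names are assumed to be the stock httpd/OpenSSH equivalents."""

# Constructed samples: a weak httpd fragment and a hardened sshd fragment.
HTTPD_WEAK = """
LimitRequestFields 1000
LimitRequestFieldSize 8190   # within 32 KB, so not reported
ProxyRequests On
"""
SSHD_HARDENED = """
PermitRootLogin no
MaxAuthTries 3
Banner /etc/issue
ClientAliveInterval 600
"""

def parse_config(text):
    """First occurrence of a directive wins (as sshd does); comments dropped."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def at_most(limit):
    # An unset directive is reported so the audited file states the limit explicitly.
    return lambda v: v is not None and int(v) <= limit

def equals(expected):
    return lambda v: v is not None and v.lower() == expected

# (directive, predicate on its value, finding text), one entry per table row.
HTTP_RULES = [
    ("limitrequestfields", at_most(100), "request header fields not limited to 100"),
    ("limitrequestfieldsize", at_most(32768), "request header size not limited to 32 KB"),
    ("limitrequestline", at_most(32768), "request line not limited to 32 KB"),
    ("limitrequestbody", lambda v: v not in (None, "0"), "request body size unlimited"),
    ("proxyrequests", equals("off"), "forward proxying not restricted"),
]
SSH_RULES = [
    ("permitrootlogin", equals("no"), "root login not denied"),
    ("maxauthtries", at_most(3), "login attempts not restricted to 3"),
    ("banner", lambda v: v not in (None, "none"), "no login banner"),
    ("clientaliveinterval", lambda v: v not in (None, "0"), "no session timeout"),
]

def audit(text, rules):
    """Return the finding text for every rule the configuration fails."""
    cfg = parse_config(text)
    return [finding for key, ok, finding in rules if not ok(cfg.get(key))]
```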
Note: For HTTP, SSH, NTP, and key management, hardening the STIG security profile limits crypto to crypto approved and verified in the FIPS 140-2 CMVP for the product.
For OneFS 9.4.0.0 and earlier, the STIG security profile updates console access by disabling the system reboot keyboard combination and requiring authentication for single-user mode and debugging.
For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. To view all OneFS configuration changes, run the isi hardening reports view STIG command.
The STIG security profile requires significant updates to the identity and authorization implementation, ensuring that only authorized users have cluster access. The following table lists the identity and authorization updates.
Note: The table lists the updates for OneFS 9.4.0.0 and earlier. For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. View all OneFS configuration changes by running the isi hardening reports view STIG command.
| Component | OneFS 8.2.2 | OneFS 9.0.x | OneFS 9.1.x | OneFS 9.2.x | OneFS 9.3.x | OneFS 9.4.x |
| --- | --- | --- | --- | --- | --- | --- |
| Increase password complexity requirements for the system authentication provider by requiring a minimum length of 14 characters, no repetition of the last five passwords in history, and uppercase, lowercase, number, and symbol characters | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Delete ftp user to prevent anonymous FTP | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Delete news user and group | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Change the UID of the disabled toor user | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Change www user home directories | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Delete any tcpwrapper host equivalents that may have been added to the system | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
A checkmark (✔) indicates that applying the STIG security profile updates the component for the specified release. “N/A,” for not applicable, indicates that the component is not updated or applicable for the specified release.
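The password rules in the first row above (14-character minimum, all four character classes, no reuse of the last five passwords) are the kind of policy an identity provider must enforce at password-change time. The following is an added example of such a check, not the OneFS system provider's own implementation; the hashing parameters and the in-memory history store are assumptions.

```python
"""Password policy check matching the system-provider rules the STIG profile
sets: minimum 14 characters, uppercase, lowercase, number and symbol, and no
reuse of the last five passwords. Added example, not OneFS code."""
import hashlib
import os
import string

MIN_LENGTH = 14
HISTORY_DEPTH = 5

def _hash(password, salt):
    # Assumed parameters; history entries are kept as salted hashes, not plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def check_complexity(password):
    """Return the list of unmet rules (an empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name} character" for name, ok in classes.items() if not ok]
    return problems

class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as (salt, digest) pairs."""
    def __init__(self):
        self._entries = []

    def was_used(self, password):
        return any(_hash(password, salt) == digest for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]   # keep only the newest five

def validate_new_password(password, history):
    """Combine the complexity rules with the history rule for a password change."""
    problems = check_complexity(password)
    if history.was_used(password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```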
The STIG security profile updates the cluster’s access control and aligns the file system to strict policy control. The file system access control updates include restricting access to the components listed in the following table.
Note: The table lists the updates for OneFS 9.4.0.0 and earlier. For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. To view all OneFS configuration changes, run the isi hardening reports view STIG command.
| Component | OneFS 8.2.2 | OneFS 9.0.x | OneFS 9.1.x | OneFS 9.2.x | OneFS 9.3.x | OneFS 9.4.x |
| --- | --- | --- | --- | --- | --- | --- |
| **Log file access for non-root users** | | | | | | |
| Access to system logs | ✔ | ✔ | ✔ | D | D | D |
| Access to logging configuration | ✔ | ✔ | ✔ | D | D | D |
| **Configuration file access for non-root users** | | | | | | |
| Access under /etc | ✔ | ✔ | ✔ | D | D | D |
| Access to sysctl configuration | ✔ | ✔ | ✔ | D | D | D |
| Access to NTP configuration | ✔ | ✔ | ✔ | D | D | D |
| Access to /etc/master.passwd | ✔ | ✔ | ✔ | D | D | D |
| Access to shell initialization files | ✔ | ✔ | ✔ | D | D | D |
| Access to cron configuration | ✔ | ✔ | ✔ | ✔ | D | D |
| Access to at configuration | ✔ | ✔ | ✔ | ✔ | D | D |
| Access to inetd configuration | ✔ | ✔ | D | D | D | D |
| Access to snmp configuration | ✔ | ✔ | ✔ | D | D | D |
| Access to webserver files | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Access under /root | ✔ | ✔ | ✔ | D | D | D |
| Access under /admin | ✔ | ✔ | ✔ | D | D | D |
| Access under /compadmin | ✔ | ✔ | ✔ | D | D | D |
| **Access to system directories for non-root users** | | | | | | |
| Access under /usr/bin | ✔ | ✔ | ✔ | D | D | D |
| Access under /usr/sbin | ✔ | ✔ | ✔ | D | D | D |
| Access under /boot | ✔ | ✔ | ✔ | D | D | D |
| Impose strict umask for root and administrator file operations | ✔ | ✔ | ✔ | D | D | D |
A checkmark (✔) indicates that applying the STIG security profile updates the component for the specified release. A “D,” for default, indicates that the component is already set by default in the base OneFS release irrespective of applying a STIG security profile.
The following table lists the components that are updated by the local attack surface reduction.
Note: The table lists the updates for OneFS 9.4.0.0 and earlier. For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. To view all OneFS configuration changes, run the isi hardening reports view STIG command.
| Component | OneFS 8.2.2 | OneFS 9.0.x | OneFS 9.1.x | OneFS 9.2.x | OneFS 9.3.x | OneFS 9.4.x |
| --- | --- | --- | --- | --- | --- | --- |
| Disable core dumps and minidumps | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Remove debugging tools such as nc and tcpdump | ✔ | ✔ | ✔ | N/A | N/A | N/A |
| Restrict access to traceroute | ✔ | ✔ | ✔ | N/A | N/A | N/A |
| Restrict cron and at usage to root user | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Disable ldd | ✔ | ✔ | ✔ | N/A | N/A | N/A |
| Disable kernel debugger (keyboard shortcut and on kernel panic) | N/A | N/A | N/A | N/A | N/A | ✔ |
A checkmark (✔) indicates that applying the STIG security profile updates the component for the specified release. “N/A,” for not applicable, indicates that the component is not updated or applicable for the specified release.
The STIG security profile applies FIPS 140-2 compliance for select services. For more information about data-at-rest encryption, see PowerScale Data at Rest Encryption.
For OneFS 9.4.0.0 and earlier, the STIG security profile limits crypto to crypto approved and verified in the FIPS 140-2 CMVP for the product for HTTP, SSH, NTP, and key management.
For OneFS 9.5.0.0 and later, see PowerScale OneFS FIPS compliance mode.
The STIG security profile enhances system auditing and logging, as shown in the following table.
Note: The table lists the updates for OneFS 9.4.0.0 and earlier. For OneFS 9.5.0.0 and later, generate a report by running the isi hardening reports create command. To view all OneFS configuration changes, run the isi hardening reports view STIG command.
| Component | OneFS 8.2.2 | OneFS 9.0.x | OneFS 9.1.x | OneFS 9.2.x | OneFS 9.3.x | OneFS 9.4.x |
| --- | --- | --- | --- | --- | --- | --- |
| Display login banner acknowledging consent to monitoring (for more information, see Login banner) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Record shell sessions to facilitate enhanced auditing requirements | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Enable audit logging | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Disable Secure Remote Service (SRS) | N/A | N/A | N/A | N/A | N/A | ✔ |
| Enable protocol auditing for file access | N/A | N/A | N/A | N/A | N/A | ✔ |
| Enable configuration auditing using PAPI | N/A | N/A | N/A | N/A | N/A | ✔ |
A checkmark (✔) indicates that applying the STIG security profile updates the component for the specified release. “N/A,” for not applicable, indicates that the component is not updated or applicable for the specified release.