PowerScale OneFS 9.0.0.0 Security Config Guide

This document provides a summary of security features and configuration options for PowerScale OneFS 9.0.0.0. It includes sections on authentication, authorization, role-based access control privileges, network security settings, and securing specific protocols. The document aims to help users understand how to properly configure OneFS to meet their security needs. It provides information on topics such as pre-loaded accounts, disabling local accounts, managing credentials, authentication sources, authorization rules, network exposure, firewall settings, and securing protocols like FTP, HDFS, HTTP/HTTPS, NFS, S3, and SMB.

PowerScale OneFS

Security Configuration Guide


9.0.0.0

June 2020
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid
the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2016-2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Other trademarks may be trademarks of their respective owners.
Contents

Chapter 1: Preface (page 6)
  Legal disclaimers (page 6)
  Scope of document (page 6)
  Document references (page 6)
  Security resources (page 7)
  Where to go for support (page 7)
  Reporting security vulnerabilities (page 7)

Chapter 2: Security Quick Reference (page 8)
  Deployment models (page 8)
  Security profiles (page 8)

Chapter 3: Product and Subsystem Security (page 9)
  Security controls map (page 10)
  Authentication overview (page 12)
  Kerberos authentication (page 12)
  Login security settings (page 12)
    Login banner configuration (page 12)
    Failed login behavior (page 12)
    Emergency user lockout (page 13)
  Authentication types and setup (page 14)
    Configuring local authentication sources (page 14)
    Configuring active directory (page 14)
    Certificate and key-based authentication (page 14)
    Multi-factor authentication (page 14)
    Other authentication sources (page 14)
    Unauthenticated interfaces (page 14)
    Selecting authentication sources (page 14)
  User and credential management (page 15)
    Pre-loaded accounts (page 15)
    Default credentials (page 16)
    How to disable local accounts (page 16)
    Managing credentials (page 16)
    Securing credentials (page 16)
    Password complexity (page 16)
  Authentication to external systems (page 16)
    Controlling access to remote systems (page 16)
    Remote component authentication (page 17)
  Authorization (page 17)
    General authorization settings (page 17)
    Configuring authorization rules (page 17)
    Actions not requiring authorization (page 17)
  RBAC privileges (page 17)
  Network security (page 18)

Contents 3
    Network exposure (page 18)
    Communication security settings (page 26)
    Firewall settings (page 26)
  Protocols (page 26)
    FTP security (page 27)
    HDFS security (page 27)
    HTTP and HTTPS security (page 27)
    NFS security (page 27)
    S3 security (page 27)
    SMB security (page 27)
    Mixed data-access protocol environments (page 29)
  Cryptography (page 29)
    Cryptographic configuration options (page 29)
    Certified cryptographic modules (page 33)
    Certificate management (page 33)
    Regulatory information (page 33)
  Auditing and logging (page 34)
    Logs (page 34)
    Log management (page 34)
    Log protection (page 34)
    Logging format (page 34)
    Alerting (page 34)
  Physical security (page 35)
    Security of the data center (page 35)
    Physical ports on PowerScale nodes (page 35)
    Statement of volatility (page 36)
  Serviceability (page 36)
    Maintenance Aids (page 36)
    Dell Technical Advisories, Security Advisories, and OneFS patches (page 36)

Chapter 4: Miscellaneous Configuration and Management Elements (page 38)
  Protect authenticity and integrity (page 38)
  Preventing malware (page 38)
  Specialized security devices (page 38)

Chapter 5: Security best practices (page 40)
  Overview (page 40)
    Persistence of security settings (page 40)
  PCI compliance (page 41)
    Configure the cluster to meet PCI compliance (page 41)
  General cluster security best practices (page 42)
    Create a login message (page 42)
    Manifest check to confirm install authenticity and integrity (page 42)
    Set a timeout for idle CLI sessions (CLI) (page 45)
    Set a timeout for idle SSH sessions (CLI) (page 46)
    Forward audited events to remote server (page 47)
    Firewall security (page 47)
    Disable OneFS services that are not in use (page 47)
    Configure WORM directories using SmartLock (page 47)
    Back up cluster data (page 48)
    Use NTP time (page 48)
  Login, authentication, and privileges best practices (page 49)
    Restrict root logins to the cluster (page 49)
    Use RBAC accounts instead of root (page 49)
    Privilege elevation: Assign select root-level privileges to nonroot users (page 49)
    Restrict authentication by external providers (page 52)
    Password usage (page 53)
  SNMP security best practices (page 53)
    Use SNMPv3 for cluster monitoring (page 53)
    Disable SNMP (page 53)
    Change default community string for SNMPv2 (page 53)
  SSH security best practices (page 54)
    Restrict SSH access to specific users and groups (page 54)
    Disable root SSH access to the cluster (page 54)
    Disable forwarding of Unix domain and TCP sockets (page 54)
  Data-access protocols best practices (page 55)
    Use a trusted network to protect files and authentication credentials that are sent in cleartext (page 55)
    Use compensating controls to protect authentication credentials that are sent in cleartext (page 55)
    Use compensating controls to protect files that are sent in cleartext (page 55)
    Initial Sequence Numbers (ISNs) through TCP connections (page 56)
    Disable FTP access (page 56)
    Limit or disable HDFS access (page 56)
    Limit or disable HTTP access (page 57)
    NFS best practices (page 58)
    SMB best practices (page 59)
    SMB signing (page 60)
    Disable Swift access (page 61)
  Web interface security best practices (page 62)
    Replace the TLS certificate (page 62)
    Secure the web interface headers (page 62)
    Accept up-to-date versions of TLS in the OneFS web interface (page 63)

Chapter 6: Glossary (page 64)
  Terminology (page 64)

Chapter 1: Preface
Dell EMC customers expect that Security Configuration guides will help them: understand the security features and capabilities
of the product; know how to modify the configuration of the product to maximize the security posture in their environment; be
aware of the capabilities Dell EMC has available for secure remote and on-site serviceability; be informed of the expectations
Dell EMC has of the environment in which the product is deployed.
Topics:
• Legal disclaimers
• Scope of document
• Document references
• Security resources
• Where to go for support
• Reporting security vulnerabilities

Legal disclaimers

Scope of document
This guide provides an overview of the security configuration controls and settings available in PowerScale OneFS. This guide is
intended to help facilitate secure deployment, usage, and maintenance of the software and hardware used in PowerScale
clusters.

Document references
The complete documentation set for OneFS is available online.
You can find information that is related to the features and functionality in this document in the following documents available
from the Dell EMC Online Support site.
● EMC Secure Remote Services Installation and Operations Guide
● EMC Secure Remote Services Policy Manager Operations Guide
● EMC Secure Remote Services Site Planning Guide
● EMC Secure Remote Services Technical Description
● PowerScale Multiprotocol Data Access with a Unified Security Model (white paper)
● PowerScale Swift Technical Note
● Managing identities with the PowerScale OneFS user mapping service (white paper)
● OneFS Backup and Recovery Guide
● OneFS CLI Administration Guide
● OneFS Event Reference
● OneFS HDFS Reference Guide
● OneFS Release Notes
● OneFS Web Administration Guide
● OneFS Upgrade Planning and Process Guide

Security resources
Dell Security Advisories (DSAs)
Dell Security Advisories (DSAs) notify customers about potential security vulnerabilities and their remedies for Dell EMC
products. The advisories include specific details about an issue and instructions to help prevent or alleviate that security
exposure.
Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. A DSA can address one or more CVEs.
All PowerScale DSAs, together with the CVEs that they address, are listed at the PowerScale Support page.
False positives
It is possible for a security scan to incorrectly identify a CVE as affecting a Dell EMC product. CVEs in this category are termed
false positives. False positives for OneFS and InsightIQ are listed in the PowerScale OneFS False Positive Security Vulnerabilities
document.

Where to go for support


This topic contains resources for getting answers to questions about PowerScale products.

Dell Technologies support
● Support tab on the Dell homepage: https://www.dell.com/support/incidents-online. Once you identify your product, the
"How to Contact Us" section gives you the option of email, chat, or telephone support.
● For questions about accessing online support, send an email to support@emc.com.

Telephone support
● United States: 1-800-SVC-4EMC (1-800-782-4362)
● Canada: 1-800-543-4782
● Worldwide: 1-508-497-7901
● Local phone numbers for a specific country/region are available at Dell EMC Customer Support Centers.

PowerScale OneFS Documentation Info Hubs
● OneFS Info Hubs: https://www.dell.com/support/article/sln318794

Reporting security vulnerabilities


Dell EMC takes reports of potential security vulnerabilities in the products seriously. If you discover a security vulnerability, you
are encouraged to report it to Dell EMC immediately.
For the latest on how to report a security issue to Dell EMC, see the Dell Vulnerability Response Policy on the Dell.com site.

Chapter 2: Security Quick Reference
Topics:
• Deployment models
• Security profiles

Deployment models
A PowerScale cluster is only one piece of a complex installation and co-exists with the surrounding physical and electronic
environment. You must develop and maintain comprehensive security policies for the entire environment.
It is assumed that you have implemented the following security controls prior to the PowerScale security deployment:
● Physical security of system unit room facilities
● Comprehensive network security
● Monitoring of computer-related controls, including:
○ Access to data and programs
○ Secure organizational structure to manage login and access rights
○ Change control to prevent unauthorized modifications to programs.
● Service continuity to ensure that critical services and processes remain operational during a disaster or data breach.
With these security controls in place, PowerScale offers the following deployment models:
● General business
● SmartLock
● Security Technical Implementation Guide (STIG)

Security profiles
Security profiles refer to representations of the product's and/or subsystem's security posture through specific configuration
setting combinations.
OneFS uses STIG documents throughout its security development lifecycle.

Chapter 3: Product and Subsystem Security
Topics:
• Security controls map
• Authentication overview
• Kerberos authentication
• Login security settings
• Authentication types and setup
• User and credential management
• Authentication to external systems
• Authorization
• RBAC privileges
• Network security
• Protocols
• Cryptography
• Auditing and logging
• Physical security
• Serviceability

Security controls map
The following diagram provides an overview of the various security controls that are available on PowerScale clusters.

Figure 1. Security control map

Authentication overview
For general information about authentication not covered in this guide, see the OneFS 9.0.0 Web Administration Guide and the
OneFS 9.0.0 CLI Administration Guide.

Kerberos authentication
For general information about Kerberos authentication, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI
Administration Guide.

Login security settings


Login security includes login banners (usually presenting legal disclaimers and other usage and privacy policies), failed login
behavior, and account lockout options.

Login banner configuration


Login banners can display critical system information and proper usage, and they can list restrictions and privacy policies. Should
legal information, both in the enforcement and the discipline upon failure, be relevant, those notices should also go here.
The hardening process creates an /etc/issue file which is displayed before logins. Administrators of non-hardened clusters can
also create a root-owned /etc/issue file (with permissions 644) manually, or link the existing /etc/motd to it with the command
ln -sf /etc/motd /etc/issue.
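The following POSIX shell check is an added example and is not from the OneFS guide; it verifies that a banner file has the properties described above (root-owned, mode 644, non-empty), following a symlink such as the one ln -sf creates. It assumes either GNU or BSD stat is available and takes the expected owner as an optional argument so it can be tried against a non-root test file.

```shell
#!/bin/sh
# Added example (not part of the OneFS guide): check that a login banner file
# such as /etc/issue is root-owned, mode 644 and non-empty, and report which
# property is wrong. Uses only stat, so it works on Linux (GNU stat) and on
# FreeBSD-derived systems (BSD stat); no OneFS-specific command is involved.

# Print "<octal mode> <owner>" for a path. -L follows a symlink, so a
# /etc/issue created with "ln -sf /etc/motd /etc/issue" is checked via its target.
mode_owner() {
  stat -L -c '%a %U' "$1" 2>/dev/null || stat -L -f '%OLp %Su' "$1"
}

# banner_check FILE [OWNER]: returns 0 when FILE exists, is owned by OWNER
# (default root), has mode 644 and is non-empty; otherwise prints the first
# failing property and returns 1.
banner_check() {
  file=$1
  want_owner=${2:-root}
  if [ ! -e "$file" ]; then
    echo "$file: missing"
    return 1
  fi
  set -- $(mode_owner "$file")
  mode=$1
  owner=$2
  if [ "$owner" != "$want_owner" ]; then
    echo "$file: owned by $owner, expected $want_owner"
    return 1
  fi
  if [ "$mode" != "644" ]; then
    echo "$file: mode $mode, expected 644 (no group or world write)"
    return 1
  fi
  if [ ! -s "$file" ]; then
    echo "$file: banner file is empty"
    return 1
  fi
  return 0
}
```

Run it as `banner_check /etc/issue` on the cluster node; a non-zero exit with the printed reason is the finding to act on.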

Failed login behavior


This section details the behavior of the product when authentication is unsuccessful a fixed number of times.

Failed login scenarios and expected behavior:

● Failed login attempts exceeded behavior: Prevents local provider logins until a given duration is exceeded.
● Failed login attempts allowed before exceeded behavior is triggered: Configurable in the local provider using the following
  command:
  isi auth local modify --lockout-threshold=<count> <provider>
● Authentication delay settings (for failed login attempt prevention): Not applicable.
● Account lockout duration: Configurable in the local provider using the following command:
  isi auth local modify --lockout-duration=<duration> <provider>
● Operational requirements to resolve account lockout issues, including the user or role that can resolve account lockout, any
  notifications required on the part of the customer to Dell EMC, and any notifications generated by the product as part of
  account lockout, such as a log event or call home message: The administrator needs read/write ISI_PRIV_AUTH privileges to
  configure the lockout behavior of the local provider.
  NOTE: This is only in the local provider. Other authentication providers do not have this feature.

Emergency user lockout
The following table describes how to configure this feature and how it behaves.
The best practice is to disable authentication, which prevents new logins.

Lockout scenarios and details:

● User or role that can generate an emergency user lockout event: You can disable a user or remove a privilege, but this action
  does not kick a user off. For this action, the admin would need read/write ISI_PRIV_AUTH privileges to disable the user and/or
  remove a privilege from the user.
● User or role that can undo an emergency user lockout event: The action is similar to above. An admin with read/write
  ISI_PRIV_AUTH can enable a user.
● Description of emergency user lockout behavior: Only prevents new logins; a user who is already logged in cannot be logged off.
● How to lock out a specific user:
  isi auth users modify --enabled=false <user>
● How to lock out all users: Disabling authentication per provider, or disabling roles, will prevent new logins per provider.
  NOTE: All providers in the authentication zone would need to be set individually.
  isi auth local modify --authentication=false <provider>
  isi auth file modify --authentication=false <provider>
  isi auth ads modify --authentication=false <provider>
  isi auth ldap modify --authentication=false <provider>
  isi auth nis modify --authentication=false <provider>
● A list of users that can never be locked out:
● How to reenable access for a specific user or all users to the system: For a specific user:
  isi auth users modify --enabled=true <user>
  For all users (the opposite of locking out all users):
  isi auth local modify --authentication=true <provider>
  isi auth file modify --authentication=true <provider>
  isi auth ads modify --authentication=true <provider>
  isi auth ldap modify --authentication=true <provider>
  isi auth nis modify --authentication=true <provider>



Authentication types and setup
Configure the authentication types and possible different sources for the system.
For general information about Authentication types and setup, see the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0 CLI Administration Guide.

Configuring local authentication sources


For general information about configuring local authentication sources, see the OneFS 9.0.0 Web Administration Guide and the
OneFS 9.0.0 CLI Administration Guide.

Configuring Active Directory


For general information about configuring Active Directory, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0
CLI Administration Guide.

Certificate and key-based authentication


Client and/or server authentication using TLS certificates: For more information, see the OneFS 9.0.0 CLI Administration Guide.

Multi-factor authentication
For general information about multi-factor authentication, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0
CLI Administration Guide.

Other authentication sources


For general information about other authentication sources, see the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0 CLI Administration Guide.

Unauthenticated interfaces
The following interfaces do not require authentication to access:
● LCD front panel and buttons
● Certain platform targets
● File access over HTTP without basic authentication, and not via RAN
● SNMP
● Using syslog to remote server
● Anonymous FTP
● Joining to the cluster
● SyncIQ
NOTE: The LCD front-panel, platform, and join all require physical access to use. The rest are described in the OneFS
admin guides.

Selecting authentication sources


For general information about selecting authentication sources, see the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0 CLI Administration Guide.



User and credential management

Pre-loaded accounts
This is a list of default/pre-loaded accounts and their purpose within the product or subsystem.

Username | Role | Login provided
root | Root | Yes
daemon | Owner of many system processes | No
operator | System | No
bin | Binaries Commands and Source | No
tty | Tty Sandbox | No
kmem | KMem Sandbox | No
news | News Subsystem | No
man | Mister Man Pages | No
admin | PowerScaleUI Administrator | Yes
compadmin | PowerScale SmartLock Compliance Administrator | No
remotesupport | Remote Support User | Yes
ftp | Anonymous Ftp | No
insightiq | InsightIQ User | No
isdmgmt | PowerScaleSD Management User | No
sshd | Secure Shell Daemon | No
smb guest account | SMB Guest Account | No
smmsp | Sendmail Submission User | No
mailnull | Sendmail Default User | No
bind | Bind Sandbox | No
unbound | Unbound DNS Resolver | No
proxy | Packet Filter pseudo-user | No
_pflogd | pflogd privsep user | No
_dhcp | dhcp programs | No
uucp | UUCP pseudo-user | Yes
pop | Post Office Owner | No
auditdistd | Auditdistd unprivileged user | No
www | World Wide Web Owner | No
_ypldap | YP LDAP unprivileged user | No
ganglia | Ganglia User | No
hast | HAST unprivileged user | No
_lldpd | LLDP Daemon User | No
nobody | Unprivileged user | No
everyone | Everyone | No
null | Null user | No
group | Group-owner | No
git_daemon | git daemon | No

Default credentials

How to disable local accounts


1. To disable local accounts, open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command, where <account> is the account name in question:

pw user del <account>

NOTE: All the default accounts are in the System zone, and therefore the isi auth command will not work. This
command works for both those listed in the master.passwd file and for the isi auth listed ones.

Managing credentials
For information about managing credentials, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI
Administration Guide.

Securing credentials
For information about securing credentials, see the File Provider section of the OneFS 9.0.0 Web Administration Guide and the
OneFS 9.0.0 CLI Administration Guide.

Password complexity
For information about password complexity, see the Configure or modify a local password policy section of the OneFS 9.0.0
Web Administration Guide and the OneFS 9.0.0 CLI Administration Guide.

Authentication to external systems


Configure OneFS to communicate with and authenticate to external systems.

Controlling access to remote systems


You can deny specific remote hosts (external systems) access to OneFS.

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Using an editor, open the following file:

/etc/mcp/override/hosts.allow



3. Add a line that denies all protocol access, where <IP> is the IP address of the node to deny:

ALL : <IP> : deny
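As an added example (not OneFS code), the following Python models the `daemon_list : client_list : option` rule syntax shown above so that a rule set can be checked before it is written to /etc/mcp/override/hosts.allow. The rule lines and addresses are constructed, and the first-match, allow-by-default evaluation is an assumption about how the file is read.

```python
"""Check hosts.allow-style rules before deploying them (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    daemons: List[str]     # ["ALL"] or daemon names such as ["sshd"]
    clients: List[str]     # "ALL", a single address, or a network
    action: Optional[str]  # "allow", "deny", or None when no option is given


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list : option' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        action = fields[2].lower() if len(fields) > 2 and fields[2] else None
        if action not in (None, "allow", "deny"):
            raise ValueError(f"unsupported option in rule: {raw!r}")
        rules.append(Rule(daemons, clients, action))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """ALL matches everything; otherwise the client must fall inside the
    address or network given as a.b.c.d, a.b.c.d/n or a.b.c.d/m.m.m.m."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # not an address/network pattern (for example a hostname)
        return False


def is_allowed(rules: List[Rule], daemon: str, client_ip: str) -> bool:
    """First matching rule decides (assumption: TCP-wrappers ordering).
    A match without an option means allow; no match at all also means allow,
    because only the hosts.allow rules are evaluated here."""
    for rule in rules:
        if "ALL" not in rule.daemons and daemon not in rule.daemons:
            continue
        if any(client_matches(p, client_ip) for p in rule.clients):
            return rule.action != "deny"
    return True


# Constructed rule set: block one remote host outright and keep one
# documentation-range subnet away from the FTP daemon.
EXAMPLE_RULES = """
ALL : 203.0.113.7 : deny
vsftpd : 198.51.100.0/24 : deny
"""


def audit(rules_text: str, checks: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Return {(daemon, ip): allowed} for each (daemon, ip) pair to check."""
    rules = parse_rules(rules_text)
    return {(d, ip): is_allowed(rules, d, ip) for d, ip in checks}


if __name__ == "__main__":
    results = audit(EXAMPLE_RULES, [
        ("sshd", "203.0.113.7"), ("vsftpd", "198.51.100.5"),
        ("sshd", "198.51.100.5"), ("vsftpd", "192.0.2.1"),
    ])
    for (daemon, ip), ok in results.items():
        print(f"{daemon:8} {ip:16} {'allow' if ok else 'deny'}")
```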

Remote component authentication


How to provide credentials to use to authenticate to the external system.

Authorization
Authorization is a critical component of any security model for OneFS. While authentication describes who can perform an
action within a system, authorization describes what a user may be allowed to do. In addition to general settings, OneFS includes
Role-Based Access Control (RBAC).
For information about general authorization settings and rules that are not covered in this guide, see the Administrative Roles
and Privileges chapter of the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0.0 CLI Administration Guide.

General authorization settings


For information about general authorization settings not covered in this guide, see the Administrative Roles and Privileges
chapter of the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI Administration Guide.

Configuring authorization rules

NOTE: Most processes run as root; therefore only root would have access to act directly on the process.

Actions not requiring authorization

The following actions may be allowed without explicit authorization:


● LCD front panel and buttons
● Certain platform targets
● File access over HTTP without basic authentication, and not via RAN
● SNMP
● Using syslog to remote server
● Anonymous FTP
● Joining to the cluster
● SyncIQ

RBAC privileges
Role-Based Access Control (RBAC) assigns privileges to users through roles.
For information about RBAC and privileges, including default roles, configuring roles, and role mapping, see the Administrative
Roles and Privileges chapter of the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI Administration Guide.



Network security
OneFS security includes the security of networked subsystems and interfaces.

Network exposure
The following sections detail the network exposure of OneFS, including ports, protocols, services exposed, and default states.

Network port usage


Standardized protocols enable other system units to exchange data with OneFS.
The TCP/IP protocol suite uses numbered ports to describe the communication channel within the protocol. Generally, the
OneFS system uses a well-known port for receiving incoming data, and the client sends from an ephemeral port number.
Port numbers and IP addresses are included with a data packet, which enables other systems to make determinations about the
data stream. TCP and UDP protocols within the TCP/IP suite use ports that range from 1 to 65535.
The Internet Assigned Numbers Authority (IANA) assigns and maintains port numbers. They are divided into three ranges:
1. Well-known ports, ranging from 0 to 1023.
2. Registered ports, ranging from 1024 to 49151.
3. Dynamic or private ports, ranging from 49152 to 65535.
Protocols support both IPv4 and IPv6 addresses except where noted.
NOTE: As a security best practice, use an external firewall to limit access to the cluster to only those trusted clients and
servers that require access. Allow restricted access only to ports that are required for communication. Block access to all
other ports.

Port | Service name | Protocol | Connection type | Usage and description | Effect if closed | Default on installation
20 | ftp-data | TCP | Outbound | FTP access (disabled by default); data channel for FTP service | FTP access is unavailable. | Disabled
21 | ftp | TCP | Inbound | FTP access; control channel for FTP access | FTP access is unavailable. | Disabled
22 | ssh | TCP | Inbound | SSH login service; console management. NOTE: does not support IPv6. | SSH secure shell access is unavailable. | Enabled
25 | smtp | TCP | Outbound | Email deliveries | Outbound email alerts from OneFS are unavailable. | Disabled
53 | DNS | UDP | Outbound | Domain Name Service resolution | Services are not able to resolve domain names. | Enabled
53 | DNS | TCP/UDP | Inbound | SmartConnect DNS requests and incoming DNS request responses. | SmartConnect DNS resolution is unavailable. | Enabled
80 | http | TCP | Inbound | HTTP for file access | HTTP access to files is unavailable. | Enabled
88 | kerberos | TCP/UDP | Outbound | Kerberos authentication services that are used to authenticate users against Microsoft Active Directory domains | Kerberos authentication is unavailable. | Disabled
111 | rpc.bind | TCP/UDP | Inbound | ONC RPC portmapper that is used to locate services such as NFS, mountd, and isi_cbind_d | Cannot be closed; disrupts core functionality. | Enabled
123 | ntp | UDP | Outbound | Network Time Protocol used to synchronize host clocks within the cluster | Cluster time cannot be synchronized with an external NTP time source. | Enabled
135 | dcerpc | TCP/UDP | Inbound | RPC Endpoint mapper service | Witness connections for SMB continuous availability are not established. | Enabled
137 | netbios-ns | UDP | Inbound | NetBIOS Name Service that provides name resolution service for pre-Windows 2000 SMB1 clients | None. | Disabled
138 | netbios-dgm | UDP | Inbound | NetBIOS Datagram Service that provides legacy connectionless service for pre-Windows 2000 SMB1 clients | None. | Disabled
139 | netbios-ssn | TCP | Inbound | NetBIOS Session Service that provides SMB1 support for pre-Windows 2000 clients | Old SMB1 clients unable to use port 445 cannot access the server. | Disabled
161 | snmp | UDP | Inbound | Simple Network Management Protocol support. Typically, agents listen on port 161 | SNMP communications are not available. | Enabled
162 | snmptrap | UDP | Inbound | Simple Network Management Protocol support. Typically, asynchronous traps are received on port 162 | SNMP communications are not available. | Enabled
300 | mountd | TCP/UDP | Inbound | NFSv3 mount service | NFSv3 mount service is not available. | Enabled
302 | statd | TCP/UDP | Inbound | NFS Network Status Monitor (NSM) | The NSM service is not available. | Enabled
304 | lockd | TCP/UDP | Inbound | NFS Network Lock Manager (NLM) | The NLM service is not available. | Enabled
389 | ldap | TCP/UDP | Outbound | Microsoft Active Directory domain services. Used to fetch the list of servers from the Active Directory domain and other domain information | The cluster cannot fetch the list of AD domains or verify they are active. | Enabled
389 | ldap | UDP | Outbound | CLDAP pings. Used to determine if a domain server is running | The cluster cannot perform user or group lookups or authentications against LDAP or Active Directory. | Enabled
389 | ldap | TCP | Outbound | LDAP SASL (secure LDAP). Normally used to query for user/group information after authentication. NOTE: Whether SASL is used is configured on the AD/LDAP servers, not on the cluster. During LDAP connection setup, there is an option to determine whether to use a secure connection. | The cluster cannot perform user or group lookups or authentications against LDAP or Active Directory. | Enabled
443 | https | TCP | Inbound | HTTPS file access | HTTP access to files is unavailable over TLS. | Disabled
443 | https | TCP | Outbound | Typical port for CloudPools access to a cloud storage provider. NOTE: Port 443 is typical, but not always the correct port. The cloud storage provider (or other archive location such as ECS or another PowerScale cluster) may use or require a different port. Customer load balancers may also affect which port is required for CloudPools connections. | If CloudPools is using this port, CloudPools features are not available. | Disabled
445 | microsoft-ds | TCP | Outbound | SMB1 and SMB2 client | Joining an Active Directory domain and NTLM authentication against it are not possible. | Enabled
445 | microsoft-ds | TCP | Inbound | SMB1 and SMB2 server | SMB server is not available. | Enabled
585 | hdfs (datanode) | TCP (IPv4 only) | Inbound | HDFS (Hadoop file system) | HDFS is unavailable. | Enabled
623 | n/a | TCP/UDP | Inbound | Reserved for hardware | n/a | Enabled
636 | ldap | TCP | Outbound | LDAP Directory service queries that are used by OneFS Identity services; default port for LDAPS | LDAP is unavailable. | Disabled
664 | n/a | TCP/UDP | Inbound | Reserved for hardware | n/a | Enabled
989 | ftps-data (implicit) | TCP | Outbound | Secure FTP access (disabled by default); secure data channel for FTP service | Secure FTP access is unavailable. | Disabled
990 | ftps (implicit) | TCP | Inbound | Secure FTP access; control channel for FTP access | Secure FTP access is unavailable. | Disabled
2049 | nfs | TCP/UDP | Inbound | Network File Service (NFS) server | The NFS server and all related NFS services (including mount, NSM, and NLM) are not available. NFS is an important component of the OneFS interaction, even if no NFS exports are visible externally. | Enabled
2097 | n/a | TCP | Inbound | SyncIQ: isi_migr_pworker | SyncIQ is unavailable. | Disabled
2098 | n/a | TCP | Inbound | SyncIQ: isi_migr_pworker | SyncIQ is unavailable. | Disabled
3148 | n/a | TCP | Inbound | SyncIQ: isi_migr_bandwidth | SyncIQ is unavailable. | Disabled
3149 | n/a | TCP | Inbound | SyncIQ: isi_migr_bandwidth | SyncIQ is unavailable. | Disabled
3268 | n/a | TCP | Outbound | Microsoft Active Directory global catalog search requests used when joined to an Active Directory domain through plaintext. | Some forms of Active Directory authentication might not work, depending on the configuration. | Disabled
3269 | n/a | TCP | Outbound | Microsoft Active Directory global catalog search requests used when joined to an Active Directory domain through SSL. | Some forms of Active Directory authentication might not work, depending on the configuration. | Disabled
5019 | ifs | TCP | Inbound/Outbound (Internal) | PowerScale file system | Intra-cluster communication is not available. | Enabled
5055 | smartconnect | UDP | Inbound (Internal) | SmartConnect | SmartConnect is unavailable. | Enabled
5667 | n/a | TCP | Inbound | SyncIQ: isi_migr_sworker | SyncIQ is unavailable. | Disabled
5668 | n/a | TCP | Inbound | SyncIQ: isi_migr_sworker | SyncIQ is unavailable. | Disabled
6557 | n/a | TCP | Inbound | Performance collector | Performance collection and analysis is unavailable. | Disabled
8020 | hdfs (namenode) | TCP (IPv4 only) | Inbound | HDFS (Hadoop file system) | HDFS is unavailable. | Enabled
8080 | apache2 | TCP (IPv4 only) | Inbound | OneFS web administration interface; OneFS API; WebHDFS; HTTPS; HTTP sessions; RESTful access for namespace (RAN); CloudPools, when a second PowerScale cluster is used for archiving | HTTPS access to the web administration interface is unavailable. OneFS API is unavailable. HTTPS access to WebHDFS is unavailable. RAN is unavailable. CloudPools archive to another PowerScale cluster is unavailable. | Enabled
8081 | VASA | TCP | Inbound | VASA; HTTPS | vCenter plug-in for VMware integrations is unavailable. | Disabled
8082 | WebHDFS | TCP (IPv4 only) | Inbound | WebHDFS over HTTP | Access to HDFS data is unavailable through WebHDFS. | Disabled
8083 | httpd | TCP | Inbound | Swift protocol access | Swift protocol access is unavailable. | Enabled
8440 | Ambari agent | TCP (IPv4 only) | Outbound | Handshake from Ambari agent to Ambari server. | Ambari Agent is unavailable to monitor and report status of the HDFS access zone. | Disabled
8441 | Ambari agent | TCP (IPv4 only) | Outbound | Heartbeat status from Ambari agent to Ambari server. | Ambari Agent is unavailable to monitor and report status of the HDFS access zone. | Disabled
8470 | n/a | TCP | Inbound | SyncIQ: isi_replicate | SyncIQ is unavailable. | Disabled
9020 | s3 | http | Inbound | S3 service access | S3 access is unavailable. | Disabled
9021 | s3 | https | Inbound | S3 service access | S3 access is unavailable. | Disabled
9443 | isi_esrs_d | TCP | Outbound | Outbound alerts | PowerScale is unable to send alerts, log gathers, and other event data to Dell EMC PowerScale Technical Support. | Disabled
10000 | NDMP | TCP | Inbound | Network data management for backup | NDMP backup is disabled. | Disabled
15000 | isi_lcd_d | TCP | Inbound (Internal) | Internal communication | None | Enabled
15100 | isi_upgrade_agent_d | TCP | Inbound (Internal) | PowerScale upgrade daemon | Cluster reimages are unavailable. | Enabled
28080 | lwswift | TCP | Inbound | Swift protocol access | Swift protocol access is unavailable. | Enabled
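The note above recommends an external firewall that admits only the ports each trusted client group needs. As an added example (not Dell code), the following Python turns a constructed subset of the port table into such an allow-list and flags ports that a default installation leaves enabled although no in-use feature needs them; the feature tags and the rule wording are assumptions, not a vendor syntax.

```python
"""Derive external-firewall allow rules from the OneFS port table (constructed example)."""
from typing import Dict, List, NamedTuple, Set


class PortEntry(NamedTuple):
    port: int
    service: str
    transport: str   # "TCP", "UDP" or "TCP/UDP"
    direction: str   # "Inbound" or "Outbound"
    default: str     # default state copied from the usage table
    feature: str     # hypothetical feature tag used to group ports


# Constructed subset of the table above; internal-only and outbound ports omitted.
PORTS: List[PortEntry] = [
    PortEntry(21, "ftp", "TCP", "Inbound", "Disabled", "ftp"),
    PortEntry(22, "ssh", "TCP", "Inbound", "Enabled", "ssh"),
    PortEntry(53, "DNS", "TCP/UDP", "Inbound", "Enabled", "smartconnect"),
    PortEntry(80, "http", "TCP", "Inbound", "Enabled", "http"),
    PortEntry(111, "rpc.bind", "TCP/UDP", "Inbound", "Enabled", "nfs"),
    PortEntry(300, "mountd", "TCP/UDP", "Inbound", "Enabled", "nfs"),
    PortEntry(302, "statd", "TCP/UDP", "Inbound", "Enabled", "nfs"),
    PortEntry(304, "lockd", "TCP/UDP", "Inbound", "Enabled", "nfs"),
    PortEntry(445, "microsoft-ds", "TCP", "Inbound", "Enabled", "smb"),
    PortEntry(2049, "nfs", "TCP/UDP", "Inbound", "Enabled", "nfs"),
    PortEntry(8080, "apache2", "TCP", "Inbound", "Enabled", "webui"),
    PortEntry(9021, "s3", "TCP", "Inbound", "Disabled", "s3"),
    PortEntry(28080, "lwswift", "TCP", "Inbound", "Enabled", "swift"),
]


def firewall_rules(clients: Dict[str, List[str]]) -> List[str]:
    """clients maps a feature tag to the networks allowed to reach it.
    Returns one allow rule per network, port and transport, followed by a
    final deny so that everything not listed stays blocked."""
    rules: List[str] = []
    for entry in PORTS:
        if entry.direction != "Inbound" or entry.feature not in clients:
            continue
        for net in clients[entry.feature]:
            for transport in entry.transport.split("/"):   # "TCP/UDP" -> both
                rules.append(
                    f"allow {transport.lower()} from {net} "
                    f"to port {entry.port} ({entry.service})"
                )
    rules.append("deny all other inbound traffic to the cluster")
    return rules


def enabled_but_unused(features_in_use: Set[str]) -> List[PortEntry]:
    """Ports open on a default install that no in-use feature needs. These are
    candidates for the disable commands in the 'Network port controls' table
    in addition to being blocked at the external firewall."""
    return [e for e in PORTS
            if e.direction == "Inbound"
            and e.default == "Enabled"
            and e.feature not in features_in_use]


if __name__ == "__main__":
    # Constructed deployment: SMB and NFS clients on two subnets, SSH from a jump subnet.
    in_use = {"smb": ["10.1.0.0/16"], "nfs": ["10.2.0.0/24"], "ssh": ["10.9.0.0/24"]}
    for rule in firewall_rules(in_use):
        print(rule)
    for e in enabled_but_unused(set(in_use)):
        print(f"review: port {e.port} ({e.service}) is enabled by default but unused")
```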



Network port controls
This is a list of commands to enable or disable the ports listed in the Network port usage table.

Port | Service name | Default on installation | Command usage
NOTE: For each command you are running, add the desired toggle value.

20 | ftp-data | Disabled | Opened on use if the FTP service is enabled: isi services vsftpd <enable or disable>
21 | ftp | Disabled | isi services vsftpd <enable or disable>
22 | ssh | Enabled | See the SSH Security Best Practices section of the Security Configuration Guide.
25 | smtp | Disabled | See the Configure SMTP email settings section of the OneFS CLI Administration Guide or the OneFS Web Administration Guide.
53 | DNS | Enabled | Not modifiable.
80 | http | Disabled | isi http settings modify --service <enable or disable>
88 | kerberos | Disabled | isi auth krb5 delete <provider-name>
111 | rpc.bind | Enabled | isi services -a rpcbind <enable or disable>
123 | ntp | Enabled | Not modifiable.
135 | dcerpc | Enabled | /usr/likewise/bin/lwsm stop dcerpc
137 | netbios-ns | Disabled | Not modifiable. See https://www.dell.com/support/kbdoc/en-us/491918
138 | netbios-dgm | Disabled | Not modifiable. See https://www.dell.com/support/kbdoc/en-us/491918
139 | netbios-ssn | Disabled | Not modifiable. See https://www.dell.com/support/kbdoc/en-us/491918
161 | snmp | Enabled | isi services snmp <enable or disable>
162 | snmptrap | Enabled | isi services snmp <enable or disable>
300 | mountd | Enabled | Not modifiable.
302 | statd | Enabled | Not modifiable.
304 | lockd | Enabled | Not modifiable.
389 | ldap | Enabled | Port is opened on usage. To ensure non-usage, delete the LDAP configuration: isi auth ldap delete <provider name>
389 | ldap | Enabled | See above.
443 | https | Disabled | isi http settings modify --https <enable or disable>  NOTE: This takes effect immediately if "--service" is enabled; otherwise, enable the service first.
445 | microsoft-ds | Enabled | isi services -a smb <enable or disable>
585 | hdfs (datanode) | Enabled | isi hdfs settings modify --service <true or false>
623 | n/a | Enabled | Not modifiable.
636 | ldap | Disabled | Port is opened on usage. To ensure non-usage, delete the LDAP configuration: isi auth ldap delete <provider name>
664 | n/a | Enabled | Not modifiable.
989 | ftps-data (implicit) | Disabled | Not modifiable.
990 | ftps (implicit) | Disabled | Not modifiable.
2049 | nfs | Enabled | isi services nfs <enable or disable>
2097 | n/a | Disabled | isi sync settings modify --service <on or off>
2098 | n/a | Disabled | isi sync settings modify --service <on or off>
3148 | n/a | Disabled | isi sync settings modify --service <on or off>
3149 | n/a | Disabled | isi sync settings modify --service <on or off>
3268 | n/a | Disabled | Enabled on use. For information on using AD, see the OneFS CLI Administration Guide.
3269 | n/a | Disabled | Enabled on use. For information on using AD, see the OneFS CLI Administration Guide.
5019 | ifs | Enabled | Not modifiable.
5055 | smartconnect | Enabled | Not modifiable.
5667 | n/a | Disabled | isi sync settings modify --service <on or off>
5668 | n/a | Disabled | isi sync settings modify --service <on or off>
6557 | n/a | Disabled | Not modifiable.
8020 | hdfs (namenode) | Enabled | isi services hdfs
8080 | isi_webui | Enabled | Not modifiable.
8082 | WebHDFS | Disabled | Not modifiable, but you can switch WebHDFS settings: isi hdfs settings modify --webhdfs-enabled <true or false>
8083 | lwswift | Enabled | Not modifiable, but you can configure Swift with isi swift accounts. NOTE: Support for OpenStack Swift will be removed in a future OneFS release. Use the S3 protocol instead.
8440 | Ambari agent | Disabled | isi hdfs settings modify --ambari-server  For more information and options, see the HDFS Reference Guide on the Support site.
8441 | Ambari agent | Disabled | isi hdfs settings modify --ambari-server
8470 | n/a | Disabled | Not modifiable.
9020 | s3 | Disabled | isi services s3 <enable or disable>
9021 | s3 | Disabled | isi services s3 <enable or disable>
9443 | isi_esrs_d | Disabled | isi services isi_esrs_d <enable or disable>
10000 | NDMP | Disabled | isi services ndmpd <enable or disable>
15000 | isi_lcd_d | Enabled | Not modifiable.
15100 | isi_upgrade_agent_d | Enabled | isi services isi_upgrade_d <enable or disable>  NOTE: This is not completely modifiable. You can modify the TCP port on all interfaces, but the UDP port on the backend interface is unaffected.
28080 | lwswift | Enabled | isi services lwswift <enable or disable>

OneFS services
To improve OneFS security, you should restrict access to the OneFS cluster by disabling network services that you do not use.
NOTE: There are some services that you should not disable, because doing so could have a detrimental effect on cluster
operations. The list in this section includes only those services that can be disabled without disrupting other operations on
the cluster. This list does not include all the network services available on OneFS.
You can disable network services by running the following command, where <service> is the name of the service to disable:

isi services -a <service> disable

Disable the following services when they are not in use:

Service name | Service description | Service function | Corresponding daemons | Default setting
apache2 | Apache2 Web Server | Connects to the Apache web server. Disabling apache2 disables file sharing over HTTP/HTTPS, but the OneFS web interface is still available. | httpd | Enabled
hdfs | HDFS Server | Connects to Hadoop Distributed File System (HDFS). | lw-container hdfs | Disabled
isi_migrate | SyncIQ Service | Replicates data from one PowerScale cluster (source) to another cluster (target). | isi_migr_sched, isi_migrate, isi_migr_bandwidth, isi_migr_pworker, isi_migr_sworker | Enabled
isi_object_d | PowerScale Object Interface | Services OneFS API requests. | isi_object_d | Enabled
isi_vasa_d | The PowerScale VMware vSphere API for Storage Awareness (VASA) Provider Daemon | Allows virtual machine (VM) administrators to deploy VMs based on storage capabilities. OneFS communicates with VMware vSphere through VASA. | isi_vasa_d | Disabled
isi_vc_d | The PowerScale for vCenter Job Daemon | Processes tasks that are sent from the NAS plugin that is installed on the ESXi server to the gconfig database. | isi_vc_d | Disabled
lwswift | Swift Server | Enables you to access file-based data that is stored on the cluster as objects. The Swift API is implemented as a set of Representational State Transfer (REST) web services over HTTP or secure HTTP (HTTPS). Content and metadata can be ingested as objects and concurrently accessed through other supported Dell EMC PowerScale protocols. For more information, see the PowerScale Swift Technical Note. | lw-container lwswift | Disabled
ndmpd | Network Data Management Protocol Daemon | Backs up and restores services. | isi_ndmp_d | Disabled
nfs | NFS Server | Manages Network File System (NFS) protocol settings. | isi_netgroup_d, mountd, gssd, nfsd, rpc.statd, rpc.lockd | Enabled
s3 | S3 Service | Connects to the S3 server. | lw-container s3 | Disabled
smb | SMB Service | Enables or disables the Server Message Block (SMB) server. | srv, rdr, srvsvc | Enabled
snmp | SNMP Server | Connects to the Simple Network Management Protocol (SNMP) server. | snmpd | Enabled
vsftpd | VSFTPD Server | Connects to the Very Secure FTP (VSFTPD) server. | vsftpd | Disabled

Communication security settings

For information about how to authenticate between client nodes and Dell EMC PowerScale systems, see the OneFS 9.0.0 Web
Administration Guide and the OneFS 9.0.0.0 CLI Administration Guide.

Firewall settings
PowerScale does not support a host-based firewall.

Protocols
OneFS includes several communication protocols.

NOTE:

On new installations of OneFS 9.0.0.0, all protocols are disabled by default. You need to enable any protocols that you plan
to use. In addition, the default /ifs export and the /ifs share no longer exist.

Upgrading to or from OneFS 9.0.0.0 will not affect existing configurations, so if a service or share is enabled, it will continue
to be enabled. As a security best practice, it is recommended that you disable or place restrictions on all protocols that you
do not plan to support. For instructions, see the Best practices for data-access protocols section of PowerScale for your
version of OneFS.



FTP security
The FTP service is disabled by default. You can set the FTP service to allow any node in the cluster to respond to FTP requests
through a standard user account.
When configuring FTP access, ensure that the specified FTP root is the home directory of the user who logs in. For example,
the FTP root for local user jsmith should be /ifs/home/jsmith. You can enable the transfer of files between remote FTP
servers and enable anonymous FTP service on the root by creating a local user named anonymous or ftp.

NOTE: OneFS supports FTP, the gate-ftp variant of FTP, pftp, and sftp. OneFS does not support tftp.

CAUTION: The FTP service supports cleartext authentication. If you enable the FTP service, the remote FTP
server allows the user's name and password to be transmitted in cleartext and authentication credentials might
be intercepted. If you must use FTP, we recommend that you enable TLS on the FTP service, and then connect
with an FTP client that supports TLS.

To enable TLS on the FTP service, you must change the <ssl_enable> property in the /etc/mcp/sys/vsftpd_config.xml file on each
node to the following configuration:

<ssl_enable default="NO">YES<isi-meta-tag id="ssl_enable" can-mod-text="yes"/></ssl_enable>

HDFS security
There are no additional security options beyond what is listed in the HDFS Hadoop Guide.

HTTP and HTTPS security


There are no additional security options beyond what is listed in the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0.0 CLI Administration Guide.

NFS security
On new installations of OneFS 9.0.0.0, all protocols are disabled by default. To enable NFS, see the File Sharing chapter of the
OneFS 9.0.0 Web Administration Guide or the OneFS 9.0.0 CLI Administration Guide.
There are no additional security options beyond what is listed in the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0.0 CLI Administration Guide.

S3 security
The S3 service is disabled by default. With the S3 service enabled, only HTTPS access to S3 is enabled by default.
NOTE: The S3 service is independent of HTTP Server configuration.

For more information about S3, see the S3 Support chapter of the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0 CLI Administration Guide.

SMB security
On new installations of OneFS 9.0.0.0, all protocols are disabled by default. To enable SMB, see the File Sharing chapter of the
OneFS 9.0.0 Web Administration Guide or the OneFS 9.0.0 CLI Administration Guide.
For additional information about SMB that is not covered in this chapter, see the OneFS 9.0.0 Web Administration Guide and
the OneFS 9.0.0 CLI Administration Guide.



SMB security settings
You can view and configure the security settings of an SMB share by clicking Protocols > Windows Sharing (SMB) > SMB
Shares, selecting the share, clicking View/Edit, and then clicking Edit SMB Share. You can view and configure the default
SMB share security settings by clicking Protocols > Windows Sharing (SMB) > Default Share Settings. The security
settings are available in the Advanced Settings section.
NOTE: Changes that are made directly to an SMB share override the default settings that are configured from the Default
Share Settings tab.

Setting / Setting value

Create Permission
    Sets the default source permissions to apply when a file or directory is created. The default value is Default acl.

Directory Create Mask
    Specifies UNIX mode bits that are removed when a directory is created, restricting permissions. Mask bits are applied before mode bits are applied. The default value is that the user has Read, Write, and Execute permissions.

Directory Create Mode
    Specifies UNIX mode bits that are added when a directory is created, enabling permissions. Mode bits are applied after mask bits are applied. The default value is None.

File Create Mask
    Specifies UNIX mode bits that are removed when a file is created, restricting permissions. Mask bits are applied before mode bits are applied. The default value is that the user has Read, Write, and Execute permissions.

File Create Mode
    Specifies UNIX mode bits that are added when a file is created, enabling permissions. Mode bits are applied after mask bits are applied. The default value is that the user has Execute permissions.

Impersonate Guest
    Determines guest access to a share. The default value is Never.

Impersonate User
    Allows all file access to be performed as a specific user. This must be a fully qualified user name. The default value is No value.

NTFS ACL
    Allows ACLs to be stored and edited from SMB clients. The default value is Yes.

Access Based Enumeration
    Allows access based enumeration only on the files and folders that the requesting user can access. The default value is No.

HOST ACL
    The ACL that defines host access. The default value is No value.

Configuring SMB
You can configure global and share-level SMB settings that specify the behavior of client connections through the SMB
protocol.
SMB data access to the cluster is disabled on new installs. However, if it was enabled from a previous install that was being
upgraded, then it will remain enabled.
In addition, PowerScale provides the following default configurations with no access restrictions:
● An unrestricted SMB share (/ifs)
● Unlimited access to the /ifs directory for the Everyone account
PowerScale cluster administrators must consider whether these configurations are suitable for their deployment, and manage
the security implications appropriately.
For more information about SMB and additional SMB management tasks, see the OneFS Web Administration Guide or the
OneFS CLI Administration Guide.



Mixed data-access protocol environments
With the OneFS operating system, you can access data with multiple file-sharing and transfer protocols. As a result, Microsoft
Windows, UNIX, Linux, and MacOS X clients can share the same directories and files.
For more information about data access protocol environments, see the Mixed Protocol Environment section of the OneFS 9.0.0
Web Administration Guide and the OneFS 9.0.0 CLI Administration Guide.

Cryptography
OneFS uses up-to-date, globally recognized cryptographic algorithms and protocols, including:
● FTP
● HDFS
● HTTPS
● Kerberos
● NDMP
● NFS
● Secure Socket Shell (SSH)
● SMB
● Swift
● Transport Layer Security (TLS)
● TLS to Active Directory
● TLS to Lightweight Directory Access Protocol (LDAP)
This chapter provides details on cryptographic use within OneFS, including the current cryptographic releases, which algorithms
are used, and where in the product the algorithms are used.
NOTE: Different releases of OneFS may support different cryptographic inventories. If you have questions about the
cryptographic inventory for different versions of OneFS, contact PowerScale Technical Support.

Cryptographic configuration options

Cryptographic inventory for HTTPS


The HTTPS cryptography applies to REST clients and to the OneFS web administration interface. This section lists the cipher
suites that are supported by HTTPS in OneFS.

TLSv1.1 cipher suites supported by HTTPS

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)

TLSv1.2 cipher suites supported by HTTPS

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)

Cryptographic inventory for HTTPS in hardening mode


The security hardening cryptography applies to REST clients and to the OneFS web administration interface. This section lists
the cipher suites that are supported by security hardening mode in OneFS.

TLSv1.1 cipher suites supported by HTTPS in hardening mode

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1)

TLSv1.2 cipher suites supported by HTTPS in hardening mode

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
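As an added example (not code from the OneFS guide), the following Python parses cipher-suite lines in the form printed in the HTTPS inventories above, flags suites against a policy, and compares the standard TLSv1.2 list with the hardening-mode list. The policy rules (forward secrecy, AEAD, no SHA-1 HMAC, AES only, DH of at least 2048 bits) are this example's assumptions, not OneFS requirements.

```python
import re
from dataclasses import dataclass

# Suite lines as printed in the inventory above:
# TLS_<KEX>_<AUTH>_WITH_<CIPHER>_<BITS>_<MODE>_<MAC> (<group>)
SUITE_RE = re.compile(
    r"^(?P<name>TLS_(?P<kex>DHE|ECDHE|RSA)_(?:RSA_|ECDSA_)?WITH_"
    r"(?P<cipher>AES|CAMELLIA)_(?P<bits>128|256)_(?P<mode>CBC|GCM)_"
    r"(?P<mac>SHA256|SHA384|SHA))\s*\((?P<group>[^)]+)\)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str      # DHE / ECDHE give forward secrecy, plain RSA does not
    cipher: str
    bits: int
    mode: str     # GCM is AEAD, CBC is MAC-then-encrypt
    mac: str
    group: str    # "dh 2048" or a named curve such as secp256r1


def parse_suite(line: str) -> Suite:
    """Parse one inventory line; raise ValueError on anything unexpected."""
    m = SUITE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher suite line: {line!r}")
    return Suite(m["name"], m["kex"], m["cipher"], int(m["bits"]),
                 m["mode"], m["mac"], m["group"])


def audit(lines):
    """Return {suite name: [findings]} for suites that fail the example policy.
    The policy is this example's assumption, not a OneFS requirement."""
    findings = {}
    for line in lines:
        s = parse_suite(line)
        notes = []
        if s.kex not in ("DHE", "ECDHE"):
            notes.append("no forward secrecy")
        if s.mode == "CBC":
            notes.append("CBC mode (not AEAD)")
        if s.mac == "SHA":
            notes.append("SHA-1 based HMAC")
        if s.cipher != "AES":
            notes.append(f"non-AES cipher {s.cipher}")
        if s.group.startswith("dh ") and int(s.group.split()[1]) < 2048:
            notes.append(f"weak DH group ({s.group})")
        if notes:
            findings[s.name] = notes
    return findings


def compare_inventories(standard, hardened):
    """Report what hardening mode removes, adds, or re-parameterises."""
    std = {s.name: s for s in map(parse_suite, standard)}
    hard = {s.name: s for s in map(parse_suite, hardened)}
    return {
        "standard_only": sorted(std.keys() - hard.keys()),
        "hardened_only": sorted(hard.keys() - std.keys()),
        "group_changed": {n: (std[n].group, hard[n].group)
                          for n in sorted(std.keys() & hard.keys())
                          if std[n].group != hard[n].group},
    }


# TLSv1.2 suites of the standard HTTPS inventory, copied from the guide above.
STANDARD_TLS12 = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)",
    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)",
]
# The hardening-mode TLSv1.2 list above is the same set without the Camellia
# suites and with the ECDHE curve changed to secp521r1.
HARDENED_TLS12 = [l.replace("secp256r1", "secp521r1")
                  for l in STANDARD_TLS12 if "CAMELLIA" not in l]

if __name__ == "__main__":
    for name, notes in audit(STANDARD_TLS12).items():
        print(f"{name}: {', '.join(notes)}")
    print(compare_inventories(STANDARD_TLS12, HARDENED_TLS12))
```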

Cryptographic inventory for NFS


This section lists the NFS cryptographic algorithms that are available in OneFS.
Usage of these algorithms depends on your configuration and workflow. For configuration information, refer to the OneFS CLI
Administration Guide Info Hub.

NOTE: When Kerberos is used, the cluster and the KDC must be time-synchronized against a common NTP source.

NFS default settings

Setting        Enabled/disabled
NFS service    Enabled
NFSv3          Enabled
NFSv4          Disabled

NFSv3 algorithms

Algorithm                                            Description
Key Exchange Algorithms                              RPCSEC_GSS, KerberosV5
Authentication Algorithms                            See the NFS authentication algorithms table
Encryption Algorithms                                AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC
Message Authentication Code Algorithms (integrity)   RPCSEC_GSS; enforces the TCP protocol at the transport layer

NFSv4 algorithms

Algorithm                                            Description
Key Exchange Algorithms                              RPCSEC_GSS, KerberosV5
Authentication Algorithms                            See the NFS authentication algorithms table
Encryption Algorithms                                AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC
Message Authentication Code Algorithms (integrity)   RPCSEC_GSS; enforces the TCP protocol at the transport layer

NFS authentication algorithms


Authentication depends on the security approach, but it can be overridden if the client is blocked by a netgroup, or if a
user-mapping rule maps the UID to another identity.

Security approach   Description
AUTH_UNIX           Trust the remote device for authentication; no integrity check, no encryption
krb5                Trust the KDC; no integrity check, no encryption
krb5i               Trust as krb5; integrity check using RPCSEC_GSS (RPC headers are signed, and headers and data are hashed); no encryption
krb5p               Trust as krb5; integrity as krb5i; encryption using one of AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC

Cryptographic inventory for OpenSSH


This section lists the OpenSSH cryptographic algorithms as used in OneFS.

Algorithm                                            Description
Encryption Algorithms                                aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com
Key Exchange Algorithms                              curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
Host Key Algorithms                                  rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
Authentication Algorithms                            Depends on cluster configuration
Message Authentication Code Algorithms (integrity)   hmac-sha1

OpenSSH cryptographic algorithms used in hardening mode only:

Algorithm                                            Description
Encryption Algorithms                                aes128-ctr, aes192-ctr, aes256-ctr
Key Exchange Algorithms                              ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
Host Key Algorithms                                  rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
Authentication Algorithms                            Depends on cluster configuration
Message Authentication Code Algorithms (integrity)   hmac-sha1

Cryptographic inventory for SNMPv3


This section lists the SNMPv3 cryptographic algorithms as used in OneFS.

Algorithm                   Description
Authentication Algorithms   HMAC-SHA-96, MD5
Privacy                     3DES, AES-128-CFB

NOTE: The SNMPv3 authentication algorithm defaults to MD5, and the privacy algorithm defaults to AES.

Cryptographic inventory for SMB


This section lists the SMB cryptographic algorithms that are available in OneFS.

NOTE: For a secure OneFS environment, it is recommended that you use encryption rather than signing.

Usage of these algorithms depends on your configuration and workflow. For configuration information, refer to the OneFS CLI
Administration Guide Info Hub.
The SMB service is enabled by default in OneFS, and it supports SMBv1, SMBv2, and SMBv3.

SMB algorithms

Algorithm                    Description
Authentication Algorithm     ● krb5
                             ● NTLM (GSS-SPNEGO)
SMBv3 Encryption Algorithm   ● AES-128-CCM
                             ● AES-128-GCM (faster)

SMB signing algorithms

NOTE: For signing information, see the SMB Signing section of the Design and Considerations for SMB Environments
whitepaper.

SMB protocol version    SMB signing algorithm description
SMB 1                   MD5
SMB 2.0.2, 2.1          HMAC-SHA256; GSS-API SessionKey (key derivation)
SMB 3.0, 3.0.2, 3.11    AES-128-CMAC (signing); GSS-API SessionKey and KDF (key derivation)

Used via GSS-API, NTLM mechanism:
● RC4 (schannel encryption)
● MD5-HMAC (signing)

Used via GSS-API, KRB5 mechanism (all encryption types provide signing and encryption):
● AES256-CTS
● AES128-CTS
● RC4-HMAC
● DES-CBC-MD5
● DES-CBC-CRC

Certified cryptographic modules

All SED drives within Isilon platforms are FIPS 140-2 validated.
FIPS 140-2 is a United States federal standard specified by the National Institute of Standards and Technology (NIST) for
security requirements that must be satisfied by cryptographic modules. The security requirements cover areas related to the
secure design and implementation of a cryptographic module.
OneFS can use validated modules in the following areas when configured in hardened mode:
● NTP server
● HTTP server
● SSH server
● CloudPools
● Key Manager
Additionally, firmware in SED storage makes use of validated modules. For more information, see the Data-at-Rest Encryption
white paper.
Furthermore, the following services are affected:
● NTP
● httpd
● SSH
● CloudPools
● Key Manager

Certificate management
For information about certificate management, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI
Administration Guide.

Regulatory information
For information about regulatory information for OneFS, see the Dell Export Compliance List on the Support site.

Auditing and logging
OneFS has several auditing, events, logging, and similar capabilities.
For general information about auditing and logging not covered in this chapter, see the OneFS 9.0.0 Web Administration Guide
and the OneFS 9.0.0 CLI Administration Guide.

Logs
For more information about logs, see the Auditing and Logging sections of the OneFS 9.0.0 Web Administration Guide and the
OneFS 9.0.0 CLI Administration Guide.

Log management

Log levels
The default logging level is available through the following command:
sysctl ilog.syslog
Output should include the following:

ilog.syslog: error,warning,notice

Error, Warning, Notice, Info, and Debug are all available levels.
NOTE: Info and Debug should be avoided except at the direction of support personnel.

Logging to the console is off by default.


Log rotation capabilities
Log rotation capabilities are available in the /etc/newsyslog.conf file.
You can modify the rotation of the logs, although /var/log/messages defaults to five stored iterations.
System behavior on failed log attempts
If a log write fails, the log entry is simply not recorded.

Log protection

Encryption options: The contents of the /var/log/messages log file support encryption.
Integrity protection: Log files are defined in the /etc/newsyslog.conf configuration file, with whichever permissions you deem
appropriate. The standard configuration is recommended.

Logging format
For more information about logging formats, see the Auditing and Logging sections of the OneFS 9.0.0 Web Administration
Guide and the OneFS 9.0.0 CLI Administration Guide.

Alerting
See the /var/log directory for the complete set of services that generate alerts.

Physical security
Physical security addresses a different class of threats than the operating environment and user access security concepts that
are discussed elsewhere in this guide. The objective of physical security is to safeguard company personnel, equipment, and
facilities from theft, vandalism, sabotage, accidental damage, and natural or human-made disasters.
Physical security concepts are applicable to all corporate facilities, but data center security is most relevant in terms of
PowerScale deployment.

Security of the data center


PowerScale components are not designed to be self-secure in either resource discrimination or physical access. For example,
drive data encryption keys reside on node hardware. If access is gained to these components, security of the data cannot be
guaranteed. Thus, data center physical security is a necessary compensating control.
In addition to superior resource delivery, a secure data center protects PowerScale components from security violations at the
physical level including:
● Malicious power reset
● Interference with internal cabling
● Unauthorized local access to communication ports
● Unauthorized local access to internal node components
Optimal operation of a PowerScale cluster is achieved when the cluster is installed in a data center where proper measures are
taken to protect equipment and data. See the PowerScale Site Preparation and Planning Guide for complete data center
requirements.

Physical ports on PowerScale nodes


There are several types of PowerScale nodes. See the node installation guide for a particular node type to find the locations and
descriptions of each of the ports.
Follow these security guidelines when using the ports on a node:
● Connect only the minimum number of cables required. If you do not need to use a port, leave it empty.
● Follow the instructions in the node installation guide about which ports to use, and which ports not to use.
● You can connect to a node using a serial cable and enter single user mode. Exception: SmartLock compliance clusters do not
allow you to boot into single user mode.
● Contact PowerScale Technical Support if you have any questions.

Disable USB ports on PowerScale nodes


Disabling USB ports on PowerScale nodes is supported through BIOS options. Disabling the USB ports prevents USB devices from
interacting with OneFS and prevents unauthorized copying of data through USB storage devices.

1. Restart the node.
2. Run the break sequence during node boot.
3. On the BIOS main screen, select Advanced > Advanced Chipset Con.
4. Set USB Functions to Disabled.
5. Set USB 2.0 Controller to Disabled.
6. Set BIOS EHCI Hand-Off to Disabled.
7. Save and exit BIOS.
8. Reboot the node.

Statement of volatility
A Statement of Volatility (SOV) details the conditions under which the non-disk components of physical PowerScale products
retain data when power is removed. Examples of products include storage arrays or physical appliances. It is
important to understand which parts of a product contain (and retain) customer-specific data when power is removed. The data
may be sensitive, or covered by breach, scrubbing, or data retention requirements.
Statements of Volatility are not directly customer accessible, but can be made available to customers on request. Contact your
account team for assistance.

Serviceability
PowerScale includes the ability to use Secure Remote Services support. Customers can limit or manage such access.
You can enable support for Secure Remote Services (SRS) on a PowerScale cluster using the isi esrs modify command.
For more information about enabling and configuring SRS, see the SRS Summary of the OneFS 9.0.0 CLI Administration Guide.

Maintenance Aids
Accounts
The remotesupport account enables Secure Remote Services behavior, as described in the OneFS Administration guides. This
account is disabled by default and should not be enabled unless needed. If it is enabled, it is recommended that a unique
password be set and known only to a trusted user.
Furthermore, as a general best practice, place the Secure Remote Services gateway behind an external gateway so that
remotesupport access is allowed only between the intended endpoints.
Tools or Applications
Other maintenance tools include the following:
● isi_phone_home
● isi_gather_info
● isi_gather_info_classic (used to support upgrades from previous versions that do not support the newer interface)
● isi_telemetry_gather
All these tools are also described in the Secure Remote Services section of the OneFS Administration guides.
Diagnostics
For general diagnostics, run the isi_healthcheck command. Two security-centric health checks exist:
nfs_unresolved_personas and sshd_config_hash, the former only relevant to customers running NFS and the latter
only relevant in non-hardened configurations.
A utility script can be run outside of isi_healthcheck: /usr/libexec/isilon/ioca/IOCA. This utility runs as root and
provides basic diagnostic information about a running system.

Dell Technical Advisories, Security Advisories, and OneFS patches


Dell technical advisories (DTAs), Dell security advisories (DSAs), and OneFS patches are made available on the Online Support
site to provide important information about and solutions to issues that affect the OneFS operating system.

Technical advisories
For the most up-to-date list of DTAs, visit the Dell EMC PowerScale OneFS product page on the Dell EMC Support site, click
the Advisories tab, then select Technical.
To subscribe to receive email notifications about DTAs, visit the Dell EMC PowerScale OneFS product page on the Dell EMC
Support site, click the Notifications icon, then click the Dell EMC Technical Advisory slider.

Security advisories
For the most up-to-date list of DSAs, visit the Dell EMC PowerScale OneFS product page on the Dell EMC Support site, click
the Advisories tab, then select Security.
To subscribe to receive email notifications about DSAs, visit the Dell EMC PowerScale OneFS product page on the Dell EMC
Support site, click the Notifications icon, then click the Dell EMC Security Advisory slider.

OneFS patches
For the most up-to-date list of patches that are available for the version of OneFS running on your cluster, see the Current
PowerScale OneFS Patches document on the Customer support site.

4 Miscellaneous Configuration and Management Elements
Any miscellaneous configuration changes to OneFS are not recommended. Only use OneFS security and roll-up patches to
modify your environment, and check your manifest to verify the installation. For more information, see the Dell Technical
Advisories, Security Advisories, and OneFS patches section of this document.
Topics:
• Protect authenticity and integrity
• Preventing malware
• Specialized security devices

Protect authenticity and integrity


Digital signing and cryptographic checksums can ensure the authenticity and integrity of product modules.

Checking md5 hash files


The OneFS installer tarball contains a complete list of md5 hashes for the OneFS files. Those md5 hashes are contained in the
/boot/.md5 file. If you store a copy of that list in a separate, secure location, the md5 hashes are useful for verifying the
authenticity and integrity of those files.
For example, to compare the authenticity and integrity of the kernel:

# md5 /boot/kernel.amd64/kernel.gz
MD5 (/boot/kernel.amd64/kernel.gz) = baac9b1d6a71030476a1c21e3e7c714d

Check this value against the corresponding md5 hash in the .md5 file.

Checking Manifests
For information about checking manifest files, see the Manifest check to confirm install authenticity and integrity topic of
this guide.

Preventing malware
CAUTION: When an ICAP antivirus server is configured, the network between the cluster and the ICAP server must be a
trusted network, because file contents are visible to any person or program that can capture the network packets.
For information about preventing malware, see the Antivirus section of the OneFS 9.0.0 Web Administration Guide and the
OneFS 9.0.0 CLI Administration Guide.

Specialized security devices


OneFS supports several security device integration and configuration options.
OneFS supports multifactor authentication (MFA) for SSH logins using Duo two-factor authentication (2FA).

Multifactor authentication (MFA) is a system access control method where a user is granted access after successfully presenting
several separate pieces of evidence to an authentication mechanism. Typically, authentication uses at least two of the following
categories:
● Knowledge (something they know).
● Possession (something they have).
● Inherence (something they are).
MFA enables the LSASS daemon to require and accept multiple forms of credentials other than a username and password
combination for some forms of authentication.
In order to successfully authenticate through the MFA feature, the following must be true regarding the target user:
● The user identity on cluster must belong to a role that allows SSH access.
● The user-auth-method SSH setting must be set to anything but 'any'.
● If the user-auth-method SSH setting is set to publickey, all users needing SSH access require a valid public key value for
sshPublicKey in their LDAP entry.
● If the user-auth-method SSH setting is set to password, all users needing SSH access require a valid password value for
userPassword in their LDAP entry.
This feature only works as expected if the above conditions are met.

CAUTION: If any of the conditions above are not met, you could risk locking yourself out of your node.

Example of login using passwords:

isi auth roles modify --role=SystemAdmin --add-user=ssh_user_rsa
isi ssh settings modify --user-auth-method=password
isi auth duo modify --ikey=DI18IILDTQB2XHUZC4KK --host=api-4e85fa6f.duosecurity.com
Enter skey:
Confirm:
isi auth duo modify --enabled=true

Connection to <IP address> closed.

Shell> ssh <IP address>
Duo two-factor login for root
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-4237
2. Phone call to XXX-XXX-4237
3. SMS passcodes to XXX-XXX-4237
Passcode or option (1-3): 1
Success. Logging you in...
Password:

Example using public and private key pairs:

isi auth roles modify --role=SystemAdmin --add-user=ssh_user_rsa
isi ssh settings modify --user-auth-method=publickey
isi auth duo modify --ikey=DI18IILDTQB2XHUZC4KK --host=api-4e85fa6f.duosecurity.com
Enter skey:
Confirm:
<userID> isi auth duo modify --enabled=true
<userID> Connection to <IP address> closed.
Shell> ssh ssh_user_rsa@<IP address> -i /source/onefs/isilon/test-qa/test_data/aima/ssh_test_keys/ssh_rsa_key
Duo two-factor login for ssh_user_rsa

Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-4237
2. Phone call to XXX-XXX-4237
3. SMS passcodes to XXX-XXX-4237
Passcode or option (1-3): 1
Success. Logging you in...

5 Security best practices
Topics:
• Overview
• PCI compliance
• General cluster security best practices
• Login, authentication, and privileges best practices
• SNMP security best practices
• SSH security best practices
• Data-access protocols best practices
• Web interface security best practices

Overview
This chapter provides suggestions and recommendations to help administrators maximize security on PowerScale clusters.
Consider these recommendations in the context of your specific business policies and use cases.
Root-level privileges are required to perform many of the procedures. However, this chapter also includes procedures to use the
following options instead:
● Restrict the root account, and use an RBAC account with root privileges.
● Restrict the root account, and use the sudo command with privilege elevation.
If a procedure requires you to "log in as root," you must log in using a business-authorized privileged account, such as root, an
RBAC account with root privileges, or sudo.
NOTE: Ensure that you have installed the latest security updates. For more information, see the Current PowerScale OneFS
Patches document on the Customer support site.

Persistence of security settings


Some of these best practice configurations do not persist after OneFS is upgraded, and might not persist after a patch for
OneFS is applied. For best results, keep track of which best practices you implement, so that if the settings do not persist, you
can configure them again.
The following table lists each of the best practices that are described in this chapter.
You can use the second column of the table as a checklist to track which security settings you implement on the cluster.

Security setting                                                                    Implemented on cluster?

General cluster best practices
  Create a login message
  Set a timeout for idle CLI sessions
  Set a timeout for idle SSH sessions
  Forward audited events to a remote server
  Firewall security
  Disable OneFS services that are not in use
  Configure WORM directories using SmartLock
  Back up cluster data
  Specify an NTP time server
Login, authentication, and privileges best practices
  Restrict root logins to the cluster
  Assign RBAC access and privileges
  Privilege elevation: Assign select root-level privileges to non-root users
  Restrict authentication by external providers
SNMP best practices
  Use SNMPv3 for cluster monitoring
  Disable SNMP
SSH best practices
  Restrict SSH access to specific users and groups
  Disable root SSH access to the cluster
Data-access protocols best practices
  Use a trusted network to protect files and authentication credentials that are sent in cleartext
  Use compensating controls to protect authentication credentials that are sent in cleartext
  Use compensating controls to protect files that are sent in cleartext
  Disable FTP access
  Limit or disable HDFS access
  Limit or disable HTTP access
  NFS best practices
  SMB best practices
  SMB signing
  Disable Swift access
Web interface best practices
  Replace the TLS certificate
  Secure the web interface headers
  Accept up-to-date versions of TLS in the web interface

PCI compliance

Configure the cluster to meet PCI compliance


If the cluster is required to meet PCI compliance, root login over SSH must be disabled.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as a user that has ISI_PRIV_AUTH privileges.

NOTE: Such a user has the rights to "Configure external authentication providers."

2. Run the following command to disable the ability of the root user to log in through an SSH session:

isi ssh settings modify --permit-root-login False

NOTE: If SSH access is still needed for other users, ensure that there is at least one other user with SSH privileges on the
cluster.

To verify this change on the command-line interface, run the following command to confirm that there is at least one
nonroot user listed:

isi auth roles view SecurityAdmin

To verify on the OneFS web administration interface, click Access > Membership and Roles > Roles tab. Select the
view/edit button in the SecurityAdmin section.

General cluster security best practices


The following general security recommendations can be applied to any cluster.

Create a login message


The login message appears as a separate box on the login page of the OneFS web administration interface and also at the end of
the introductory text on the command-line interface after a user logs in. The login message can convey information,
instructions, or warnings that a user should know before using the cluster. Note: Login messages convey policy information and
are typically written in conjunction with a legal team.
1. On the OneFS web administration interface, click Cluster Management > General Settings > Cluster Identity.
2. In the Login Message area, type a title in the Message Title field and a message in the Cluster Description field.
3. Click Save Changes.

Manifest check to confirm install authenticity and integrity

Download and extract the installer and the signed manifest

1. If you do not have the OneFS signature release artifacts, download them from the Online support site:
https://download.emc.com/downloads/DL96969.
2. Run the following command to extract the signed manifest and signature:

tar -xf OneFS_v8.2.2.0_signature.tar

Verify the OneFS Install Signature from the Certificate Authority


To independently verify the authenticity and integrity of the certificate of your OneFS install file, you can validate that the
Manifest.sha256.signed file is a valid signature of Manifest.sha256, signed with the Dell code signing cert that is
issued from the external Certificate authority Entrust, Inc.
There are three steps in this procedure:

1. Verify Manifest.sha256.signed is signed by a Dell Code Signing Certificate.
2. Verify that Manifest.sha256.signed is the signature for the Manifest.sha256.
3. Verify the SHA256 hash in Manifest.sha256 matches that of your installer.

Verify Manifest.sha256.signed is signed by a Dell Code Signing Certificate.

1. Run the following command to check that the key signing this file is issued to Dell:

openssl x509 -noout -subject -in Manifest.sha256.signed

2. One of the following outputs should appear, depending on your version of OpenSSL:

subject=C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., OU = Isilon OneFS, CN = Dell Technologies Inc.

subject= /C=US/ST=Texas/L=Round Rock/O=Dell Technologies Inc./OU=Isilon OneFS/CN=Dell Technologies Inc.

3. For UNIX-like environments that have OpenSSL, and trust the Entrust CA (this is common), run the following command to
verify that the certificate signed the Manifest.sha256.signed file:

openssl verify -no_check_time Manifest.sha256.signed

4. The following output displays:

Manifest.sha256.signed: OK

5. If you do not have the Entrust CA already trusted, the following output displays showing the Dell certificate. However, the
output states it cannot find the trust of the Entrust certificate. In this case, go to the next procedure, Manually verify
using our CA. Otherwise, go to the subsequent procedure.

C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., OU = Isilon OneFS, CN = Dell Technologies Inc.
error 20 at 0 depth lookup: unable to get local issuer certificate

Manually verify using our CA


If your system does not currently trust the Entrust CA and the code-signing intermediate CA, you can still verify the signature
with OpenSSL 1.1.1 by obtaining the certificates of the root CA and of the intermediate CA that signs the Dell key. To build the
CA bundle, concatenate the certificates in PEM format as follows.
1. Get the intermediate CA certificate in DER format and save it as PEM:

curl http://aia.entrust.net/ovcs1-chain256.cer | openssl x509 -inform der > ovcs1-chain256.pem

2. Get the root CA public PEM format key:

curl -k https://web.entrust.com/root-certificates/entrust_g2_ca.cer > entrust_g2_ca.pem

cat entrust_g2_ca.pem ovcs1-chain256.pem > EntrustCodeSignedBundle

3. Run the following command to check the fingerprint of the root CA certificate in the bundle. Because the download in step 2 uses curl -k (no TLS verification), this fingerprint comparison is what establishes trust in the bundle:

openssl x509 -in EntrustCodeSignedBundle -fingerprint -noout

4. The following output should display:

SHA1 Fingerprint=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4

Verify that Manifest.sha256.signed is the signature for the Manifest.sha256.

1. Run the following command to verify the Manifest.sha256.signed file:

openssl verify -no_check_time -CAfile EntrustCodeSignedBundle Manifest.sha256.signed

2. The following output should display:

Manifest.sha256.signed: OK

Verify that the manifest signature is for the manifest file.


This procedure extracts the public key from the signing certificate, converts the hex-encoded SHA256 signature line in the signed
manifest to the binary format that OpenSSL expects, and then uses both to verify the manifest.
1. Run the following commands to verify the manifest signature is for the manifest file:

openssl x509 -in Manifest.sha256.signed -noout -pubkey > manifest.pem

grep '^SHA256' Manifest.sha256.signed | xargs python -c 'from codecs import decode, sys; print(decode(sys.argv[-1], "hex_codec"))' > binary_signature

openssl dgst -verify manifest.pem -signature binary_signature Manifest.sha256 || echo "Manifest signature is not for the manifest"

2. The output should be Verified OK.

Verify the SHA256 hash in Manifest.sha256 matches that of your installer.
Note: This procedure may be done either with the included manifest files or directly on the archive, which may be the full install
or a patch file.
1. Using the OneFS_v9.1.0_Install.tar.gz files as the example for this step, run the following commands to verify the
hash:

OneFS_v9.1.0_Install.tar.gz

sha256sum $INSTALLER 2>/dev/null || sha256 $INSTALLER

grep '$INSTALLER$' Manifest.sha256

2. The outputs should list the same hexadecimal hashes.
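The three procedures above as one script, added here as an example and not part of the OneFS guide or of Dell's tooling: each check is a shell function, and run_demo exercises them against a throwaway CA, code-signing key, manifest and installer that the script generates itself, so the Entrust bundle and the real OneFS files are not needed and nothing is downloaded. The assumptions are stated in the comments: openssl 1.1.1 or later and python3 (or xxd) on PATH, and demo file names (demo_Install.tar.gz, ca.pem and so on) that are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the OneFS guide: the three checks from the
# procedures above (signing certificate chains to the trusted bundle, detached
# signature verifies over the manifest, manifest hash matches the installer)
# as reusable functions, exercised against a throwaway CA, signing key,
# manifest and "installer" generated locally so that the script runs offline.
# Assumptions: openssl (1.1.1 or later) and python3 or xxd are on PATH; every
# file name except Manifest.sha256 and Manifest.sha256.signed is constructed.
set -eu

# verify_chain BUNDLE SIGNED: the certificate embedded in SIGNED must chain to a
# root in BUNDLE. -no_check_time mirrors the guide and ignores validity dates,
# so an expired signing certificate still passes; drop it to enforce expiry.
verify_chain() {
    openssl verify -no_check_time -CAfile "$1" "$2" >/dev/null 2>&1
}

# hex_to_bin: hex text on stdin -> raw bytes on stdout (what openssl dgst wants)
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
    else
        python3 -c 'import sys, binascii
out = getattr(sys.stdout, "buffer", sys.stdout)
out.write(binascii.unhexlify(sys.stdin.read().strip()))'
    fi
}

# verify_manifest_sig SIGNED MANIFEST: public key from the certificate in
# SIGNED, signature from its "SHA256 <hex>" line, checked over MANIFEST.
verify_manifest_sig() {
    tmp=$(mktemp -d)
    openssl x509 -in "$1" -noout -pubkey > "$tmp/pub.pem"
    grep '^SHA256' "$1" | awk '{print $NF}' | hex_to_bin > "$tmp/sig.bin"
    if openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" \
            "$2" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# verify_installer_hash MANIFEST INSTALLER: the installer's SHA-256 must equal
# the hash recorded for its file name in MANIFEST ("<hex>  <name>" lines).
# The grep pattern is double-quoted so that the name expands, and anchored
# with $ so that only the line for this exact file matches.
verify_installer_hash() {
    name=$(basename "$2")
    want=$(grep " $name\$" "$1" | awk '{print $1}')
    have=$(openssl dgst -sha256 -r "$2" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# make_fixture DIR: throwaway root CA, code-signing certificate issued by it, a
# random "installer", its manifest, and Manifest.sha256.signed laid out as the
# guide describes (PEM certificate, then a "SHA256 <hex signature>" line).
make_fixture() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Code Signing" \
        -keyout "$d/sign.key" -out "$d/sign.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/sign.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 365 -out "$d/sign.pem" >/dev/null 2>&1
    openssl rand -out "$d/demo_Install.tar.gz" 4096
    printf '%s  demo_Install.tar.gz\n' \
        "$(openssl dgst -sha256 -r "$d/demo_Install.tar.gz" | awk '{print $1}')" \
        > "$d/Manifest.sha256"
    openssl dgst -sha256 -sign "$d/sign.key" -out "$d/sig.bin" "$d/Manifest.sha256"
    { cat "$d/sign.pem"
      printf 'SHA256 %s\n' "$(od -An -v -tx1 "$d/sig.bin" | tr -d ' \n')"
    } > "$d/Manifest.sha256.signed"
}

# run_demo: every check passes on the genuine files, and the signature and hash
# checks fail once the manifest or the installer has been tampered with.
run_demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    ok=1
    verify_chain "$d/ca.pem" "$d/Manifest.sha256.signed" || ok=0
    verify_manifest_sig "$d/Manifest.sha256.signed" "$d/Manifest.sha256" || ok=0
    verify_installer_hash "$d/Manifest.sha256" "$d/demo_Install.tar.gz" || ok=0
    printf '# tampered\n' >> "$d/Manifest.sha256"
    verify_manifest_sig "$d/Manifest.sha256.signed" "$d/Manifest.sha256" && ok=0
    printf 'x' >> "$d/demo_Install.tar.gz"
    verify_installer_hash "$d/Manifest.sha256" "$d/demo_Install.tar.gz" && ok=0
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}

run_demo && echo "all manifest checks behaved as expected"
```

To check a real download, call verify_chain, verify_manifest_sig and verify_installer_hash directly with EntrustCodeSignedBundle, Manifest.sha256.signed, Manifest.sha256 and the archive; make_fixture and run_demo exist only to show the expected pass and fail behaviour.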



Set a timeout for idle CLI sessions (CLI)
The timeout value is the maximum period after which a user's inactive CLI session is terminated. This timeout applies to both
SSH connections and serial console connections that are running directly in the defined shells.
For additional security, it is recommended that you also configure an idle SSH session timeout (see the Set a timeout for idle
SSH sessions section of this guide). If you configure both timeouts, the shorter timeout applies to SSH sessions only.
NOTE: These changes take effect for all new shell logins for all existing and new users. Users who are logged in while these
changes are being made are not affected by these changes until they log out and log in again.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Check whether the /etc/profile file exists on every node in the cluster:

isi_for_array 'test -f /etc/profile || echo /etc/profile missing on node `hostname`'

If the file exists on every node in the cluster, there is no output. If the file does not exist on every node, the output displays
which nodes do not contain the file.
5. Perform one of the following actions:
● If the file exists on every node in the cluster, run the following two commands to make a working copy and a backup copy
in the /ifs/data/backup directory:

cp /etc/profile /ifs/data/backup/profile

cp /etc/profile /ifs/data/backup/profile.bak

NOTE: If a file with the name profile.bak exists in the backup directory, either overwrite the existing file, or, to
save the old backups, rename the new file with a timestamp or other identifier.
● If the file does not exist on every node in the cluster, the integrity of the OneFS installation is in doubt. Stop here and
contact PowerScale Technical Support to check the OneFS installation on the node. This file is part of a normal
installation, and it is important to understand how and why it was removed.
6. Open the /ifs/data/backup/profile file in a text editor.
7. Add the following lines at the end of the file, after the # End Isilon entry. Replace <seconds> with the timeout value in
seconds. For example, a 10-minute timeout would be 600 seconds. The readonly line prevents a user from lowering or unsetting
TMOUT in their own session; TMOUT is honored by the zsh and bash shells.

# Begin Security Best Practice
# Set shell idle timeout to <seconds> seconds
TMOUT=<seconds>
export TMOUT
readonly TMOUT
# End Security Best Practice

8. Confirm that the changes are correct. Then save the file and exit the text editor.
9. Check whether the /etc/zprofile file exists, and then do one of the following things:
● If the file exists, run the following commands to create a working and a backup copy in the /ifs/data/backup
directory:

cp /etc/zprofile /ifs/data/backup/zprofile

cp /etc/zprofile /ifs/data/backup/zprofile.bak

Security best practices 45


NOTE: If the zprofile.bak file name exists in the backup directory, either overwrite the existing file, or, to save
the old backups, rename the new file with a timestamp or other identifier.
● If the file does not exist, create it in the /ifs/data/backup directory:

touch /ifs/data/backup/zprofile

10. Open the /ifs/data/backup/zprofile file in a text editor.


11. Add the same lines that you added to the /ifs/data/backup/profile file, where <seconds> is the timeout value in
seconds. Add these lines at the end of the file:

# Begin Security Best Practice
# Set shell idle timeout to <seconds> seconds
TMOUT=<seconds>
export TMOUT
readonly TMOUT
# End Security Best Practice

12. Confirm that the changes are correct. Then save the file and exit the text editor.
13. Set the permissions on both files to 644 by running the following command:

chmod 644 /ifs/data/backup/profile /ifs/data/backup/zprofile

14. Run the following two commands to copy the two files to the /etc directory on all the nodes in the cluster:

isi_for_array 'cp /ifs/data/backup/profile /etc/profile'

isi_for_array 'cp /ifs/data/backup/zprofile /etc/zprofile'

15. (Optional) Delete the working and backup copies from the /ifs/data/backup directory:

rm /ifs/data/backup/profile /ifs/data/backup/profile.bak \
/ifs/data/backup/zprofile /ifs/data/backup/zprofile.bak
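An added example, not from the guide, of the profile edit in steps 7 and 11 done by a script rather than by hand: it appends the TMOUT block only once (so it is safe to re-run on every node's copy), reads the configured value back, and checks that the readonly line actually stops a shell that sources the file from lowering or clearing the timeout. It runs against a constructed stand-in for /etc/profile, never against the cluster's own files; the function names and the demo file are the example's own, and it assumes a POSIX sh that enforces readonly (dash, bash and zsh all do).

```shell
#!/bin/sh
# Added example, not part of the OneFS guide: idempotent deployment of the
# guide's TMOUT block to a profile file, plus a check that the readonly line
# is effective. Exercised on a constructed profile, not on /etc/profile.
set -eu

MARK_BEGIN='# Begin Security Best Practice'
MARK_END='# End Security Best Practice'

# add_tmout_block FILE SECONDS: append the guide's block once; refuse values
# that are not a positive integer number of seconds.
add_tmout_block() {
    f=$1; s=$2
    case $s in
        ''|*[!0-9]*) echo "timeout must be a positive integer of seconds" >&2; return 1 ;;
    esac
    [ "$s" -gt 0 ] || { echo "timeout must be greater than zero" >&2; return 1; }
    if grep -q "^$MARK_BEGIN\$" "$f"; then
        return 0            # block already present: do not append a second copy
    fi
    printf '%s\n' "$MARK_BEGIN" \
        "# Set shell idle timeout to $s seconds" \
        "TMOUT=$s" 'export TMOUT' 'readonly TMOUT' "$MARK_END" >> "$f"
}

# tmout_value FILE: print the timeout configured in FILE (empty if none)
tmout_value() {
    sed -n 's/^TMOUT=\([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1
}

# tmout_is_locked FILE: succeed only if a shell that sources FILE cannot
# override TMOUT afterwards, i.e. the readonly line is in effect.
tmout_is_locked() {
    ! sh -c ". '$1'; TMOUT=0" >/dev/null 2>&1
}

# demo: constructed profile carrying the "# End Isilon" marker the guide
# refers to; applies the block twice and reports what a reviewer would check.
demo() {
    p=$(mktemp)
    printf '%s\n' '# constructed stand-in for /etc/profile' '# End Isilon' > "$p"
    add_tmout_block "$p" 600
    add_tmout_block "$p" 600        # second run is a no-op
    n=$(grep -c '^TMOUT=' "$p")
    v=$(tmout_value "$p")
    if tmout_is_locked "$p"; then lock=locked; else lock=unlocked; fi
    rm -f "$p"
    echo "TMOUT lines: $n, value: $v, $lock"
}

demo   # prints: TMOUT lines: 1, value: 600, locked
```

On the cluster the same functions would be pointed at /ifs/data/backup/profile and /ifs/data/backup/zprofile before the isi_for_array copy in step 14; the unlocked case (a profile that sets TMOUT without readonly) is exactly what the check is there to catch.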

Set a timeout for idle SSH sessions (CLI)


The timeout value is the maximum period after which an SSH session whose client has stopped responding is terminated.
If you are connected to the cluster through a serial console, the SSH timeout does not apply. Therefore, it is recommended that
you also configure an idle CLI session timeout for additional security. For instructions, see the Set a timeout for idle CLI
sessions section of this guide.
NOTE: If you configure both timeouts, the shorter timeout applies to SSH sessions only.
NOTE: These settings correspond to the sshd ClientAliveInterval and ClientAliveCountMax options. Client-alive probes are
answered automatically by the SSH client software, so a client that stays connected keeps answering them even while its user is
idle; what these settings terminate is a session whose client no longer responds (for example, a workstation that was
disconnected). An idle user at the shell prompt is logged out by the TMOUT setting from the previous section. Also confirm the
behavior on your OneFS release: newer OpenSSH versions treat a ClientAliveCountMax of 0 as disabling the disconnect entirely
rather than disconnecting after the first missed probe.

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Configure SSH timeouts with the following commands:

isi_gconfig -t ssh-config client_alive_count_max=0
isi_gconfig -t ssh-config client_alive_interval=600
isi_gconfig -t ssh-config tcp_keep_alive=no

3. Confirm the timeout values:

isi_gconfig -t ssh-config client_alive_count_max
isi_gconfig -t ssh-config client_alive_interval
isi_gconfig -t ssh-config tcp_keep_alive



Forward audited events to remote server
It is recommended that you use the auditing and audit forwarding capabilities in OneFS. Auditing can detect many potential
sources of data loss, including fraudulent activities, inappropriate entitlements, and unauthorized access attempts.
Forwarding audited events to a remote server has the following security benefits:
● You can scan the data for security issues on the remote server and avoid interfering with cluster operation or performance.
● You can send syslog output from multiple locations to the same remote server and run scanning software on all the logs in
one location. This method may be easier and more convenient than trying to run scanning software on the cluster.
● When attackers gain access to a system such as a PowerScale cluster, they try to erase their tracks. If audit information is
forwarded to a remote server, the audit trail on the server is preserved, making identification and containment of the breach
simpler.
● If the cluster node that contains the syslog events fails, you can access the information that was forwarded to the remote
server for diagnosis and troubleshooting.

Instructions for forwarding audited events to a remote server


To forward protocol access auditing and system configuration changes to a remote server, enable auditing, forwarding of
audited events to syslog, and configure syslog forwarding.
1. Enable auditing and forwarding to syslog. For instructions, see the OneFS 9.0.0 Web Administration Guide and the OneFS
9.0.0 CLI Administration Guide.
2. Configure syslog forwarding on the cluster. For instructions, see the OneFS: How to configure remote logging from a cluster
to a remote server (syslog forwarding).

Firewall security
Use an external firewall to limit access to the cluster to only those trusted clients and servers that require access. Allow
restricted access only to ports that are required for communication. Block access to all other ports.
It is recommended that you limit access to the cluster web administration interface to specific administrator terminals through
an IP address. Another option is to isolate web-based access to a specific management network.
See the Network port usage section of this guide for more information about all the ports on the PowerScale cluster.

Disable OneFS services that are not in use


OneFS has some services that are safe to disable when they are not in use.
See the OneFS Services section of this guide for a list of the services that should be disabled when not in use and instructions
for disabling them.

Configure WORM directories using SmartLock


Use the SmartLock feature to create write-once read-many (WORM) directories to protect files from being modified for a
specified retention period.
There are two options for SmartLock implementation:
● Compliance mode: This mode is designed for use only by those organizations which are legally required to comply with the
United States Securities and Exchange Commission's (SEC) rule 17a-4(f).
● Enterprise mode: This mode can be used by organizations that have no legal requirement but want to use WORM
technology to protect their data.
Both modes commit files to a WORM state.
NOTE: WORM file access does not protect against hardware or file system issues. If the data on the cluster becomes
unavailable, the WORM files are also unavailable. Therefore, we recommend that you additionally back up the cluster data to
separate physical devices.



Back up cluster data
OneFS offers a range of options to preserve user and application data in the event of accidental or malicious modification,
deletion, or encryption (for example, through a ransomware attack).
We strongly recommend that you use local snapshots, plus either SyncIQ replication or NDMP backups, to protect data in case
it becomes compromised.

Option: Replication to a secondary PowerScale cluster
Required license: SyncIQ
Description: Replicate data from one PowerScale cluster to another. You can specify which files and directories to replicate.
SyncIQ also offers automated failover and failback capabilities so that you can continue operations on the secondary cluster
should the primary cluster become unavailable. While this option does not make the data more secure, it does provide a backup
if the data is compromised or lost.
It is recommended that the secondary cluster be located in a different geographical area from the primary cluster to protect
against physical disasters. It is also recommended that the secondary cluster use different administrative credentials (including
the root password) from the primary cluster, so that a compromise of the primary cluster does not carry over to the secondary.

Option: NDMP backups
Required license: None
Description: Back up and restore data through the Network Data Management Protocol (NDMP). From a backup server, you can
direct backup and restore processes between the cluster and backup devices such as tape devices, media servers, and virtual
tape libraries (VTLs). While this option does not make the original data more secure, it does provide a backup if the data is
compromised or lost.
It is recommended that the external backup system be located in a different geographical area from the PowerScale cluster to
protect against physical disasters.

Option: Local snapshots
Required license: SnapshotIQ
Description: Snapshots protect data against accidental deletion and modification by enabling you to restore deleted and
modified files.
Snapshots do not protect against hardware or file system issues. Snapshots reference data that is stored on a cluster. If the data
on the cluster becomes unavailable, the snapshots are also unavailable. Therefore, it is recommended that you additionally back
up the cluster data to separate physical devices.

Use NTP time


Network Time Protocol (NTP) is recommended as the most consistent source for cluster time. In a Windows environment, it is
recommended to use the Active Directory domain controller NTP service.
Use the OneFS web administration interface to configure NTP time service synchronization to an external time service.

NOTE: It is recommended that you point the cluster to an NTP server within the perimeter of your network environment.

For additional recommendations for using NTP time with SmartLock directories and SmartLock compliance mode, see the OneFS
9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI Administration Guide.

Specify an NTP time server


You can specify one or more Network Time Protocol (NTP) servers to synchronize the system time on the PowerScale cluster.
The cluster periodically contacts the NTP servers and sets the date and time based on the information that it receives.
1. Click Cluster Management > General Settings > NTP.
2. In the NTP Servers area, type the IPv4 or IPv6 address of one or more NTP servers. If you want to use a key file, type the
key numbers in the field next to the server's IP address.
Click Add Another NTP Server if you are specifying multiple servers.
3. Optional: If you are using a key file for the NTP server, type the file path for that file in the Path to Key File field.
4. In the Chimer Settings area, specify the number of chimer nodes that contact NTP servers (the default is 3).



5. To exclude a node from chiming, type its logical node number (LNN) in the Nodes Excluded from Chiming field.
6. Click Save Changes.

Login, authentication, and privileges best practices


Following are security best practice recommendations for configuring how users will log in to the cluster, authenticate, and
access privileges.

Restrict root logins to the cluster


A strong security stance entails using the root account as little as possible.
You can use one or more of the following methods to restrict root access to the cluster:
● Use SmartLock compliance mode to completely remove root access to the cluster. This method is the most restrictive
option. When you are logged in to a SmartLock compliance mode cluster through the compliance administrator account, you
can perform administrative tasks through the sudo command. Using the sudo command provides an audit trail by logging all
command activity to /var/log/auth.log.
● Disable root SSH access to the cluster. You can still log in as root using other methods such as console access or an RBAC-
authorized account. See the Disable root SSH access to the cluster section of this guide for details and instructions.
● Limit the number of people who know the root password by doing one or both of the following:
○ Assign admin users an RBAC role with only the privileges that they require to do their job.
○ If an admin user needs greater privileges than the RBAC role can provide, use privilege elevation to give them select
root-level privileges.

Use RBAC accounts instead of root


Instead of using the root account, assign roles and privileges to users and groups as needed by using the role-based access
control (RBAC) functionality.
The following RBAC best practices are recommended:
● Ensure that each administrator has a unique user account. Do not allow users to share accounts.
● For each user and group, assign the lowest level of privileges required.
● Use privilege elevation to assign select root-level privileges to specified users as needed.

Privilege elevation: Assign select root-level privileges to nonroot users
A root account is necessary for some cluster administrative purposes, but for security reasons the root privileges should be
closely monitored. Instead of providing the root account to an administrator, you can elevate the administrator's privileges so
that they can run selected root-level commands using sudo. Using the sudo command also provides an audit trail by logging all
command activity to /var/log/auth.log.
NOTE: This procedure is not intended for use on clusters that are in SmartLock compliance mode. In SmartLock compliance
mode, the compadmin account exists with the correct sudo infrastructure.

NOTE: Users who are logged in while these changes are being made are unaffected by these changes until they log out and
log in again.
You can also perform steps 1 to 5 of this procedure by using the OneFS web interface. See the OneFS Web Administration
Guide for instructions.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Create a group to assign elevated privileges to, where <groupname> is the name of the group. This group must be in the
local provider and System zone.

isi auth groups create <groupname> --provider local --zone system



For example, you can create a group that is named SPECIAL, as follows:

isi auth groups create SPECIAL --provider local --zone system

3. (Optional) Verify that the users that you want to add to the SPECIAL group are already members of either the SystemAdmin
or the SecurityAdmin role. Since these two roles have strong security privileges, this step ensures that the user has already
been approved for a high level of access. To check whether the user is a member of the SystemAdmin or SecurityAdmin role,
run the following two commands to list the members of those roles:

isi auth roles members list SystemAdmin

isi auth roles members list SecurityAdmin

4. Add a user to the group you assign elevated privileges to, where <groupname> is the name of the group and <username> is
the user to add:

isi auth groups modify <groupname> --add-user=<username>

For example, to add a user who is named bob to the SPECIAL group, the command would be:

isi auth groups modify SPECIAL --add-user=bob

5. Confirm that the user has been added to the group:

isi auth groups members list <groupname>

6. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

7. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

8. Make a working copy of the /etc/mcp/override/sudoers file in the backup directory:

cp /etc/mcp/override/sudoers /ifs/data/backup

9. Make a backup copy of the /etc/mcp/override/sudoers file in the backup directory:

cp /etc/mcp/override/sudoers /ifs/data/backup/sudoers.bak

NOTE: If a file with the same name exists in the backup directory, there are two options:

● Overwrite the existing file.


● Name the new file with a timestamp or other identifier. This option saves the old backups.

10. Open the /ifs/data/backup/sudoers file in a text editor.


11. Add the following entry, where <groupname> is the name of the group:
NOTE: You can make additional changes to this entry as described in the last bullet below.

# Begin Security Best Practices
%<groupname> ALL=(ALL) PASSWD: PROCESSES, SYSADMIN, ISI, ISI_ADMIN, \
    ISI_SUPPORT, ISI_HWTOOLS, ISI_HARDENING
# End Security Best Practices



For example, for the SPECIAL group, the entry would look like the following:

%SPECIAL ALL=(ALL) PASSWD: PROCESSES, SYSADMIN, ISI, ISI_ADMIN, \
    ISI_SUPPORT, ISI_HWTOOLS, ISI_HARDENING

This entry in the sudoers file provides the following security benefits:
● Requires the user to preface all root-level commands with sudo.
● Requires the user to type the user password the first time that they run a sudo command in a session, and caches these
credentials for five minutes. After five minutes, the user must retype the user password to run sudo commands.
● A comma-separated list of command sets (called command aliases) is assigned to the group (for example,
PROCESSES, SYSADMIN, ISI, and so on). The listed command aliases include all the diagnostic and hardware tools
available, making the privileges equivalent to the compadmin role in a SmartLock compliance mode cluster. You can
modify the line to include fewer command aliases, or different command aliases, to allow only the privileges that you want
the group to have. To see the available command aliases and the lists of commands that are in each alias, review
the /etc/mcp/templates/sudoers file.
CAUTION: Do not modify the /etc/mcp/templates/sudoers file.
12. Confirm that the changes are correct. Then save the file and exit the text editor.
13. Copy the /ifs/data/backup/sudoers file to the /etc/mcp/override/sudoers file.

cp /ifs/data/backup/sudoers /etc/mcp/override/sudoers

14. To identify the commands that are now available to the user, log in as the user and run the following command:

sudo -l

The output looks similar to the following. The privileges listed after (ALL) NOPASSWD are the privileges for the user's
assigned RBAC role, and they do not require the user to retype the user password to use the privileges. The commands
listed after (ALL) PASSWD are the sudo commands that are available to the user, and they require the user to type the
user password after typing the command.
NOTE: If the user's existing RBAC role includes commands that are also granted by privilege elevation, then the user
does not need to retype the user password to access these commands.

User bob may run the following commands on <hostname>:


(ALL) NOPASSWD: ISI_PRIV_SYS_TIME, (ALL) /usr/sbin/isi_upgrade_logs, (ALL)
ISI_PRIV_ANTIVIRUS, (ALL) /usr/sbin/isi_audit_viewer, (ALL)
ISI_PRIV_CLOUDPOOLS, (ALL) ISI_PRIV_CLUSTER, (ALL) ISI_PRIV_DEVICES, (ALL)
ISI_PRIV_EVENT, (ALL) ISI_PRIV_FILE_FILTER, (ALL) ISI_PRIV_FTP, (ALL)
ISI_PRIV_HARDENING, (ALL) ISI_PRIV_HDFS, (ALL) ISI_PRIV_HTTP, (ALL)
ISI_PRIV_JOB_ENGINE, (ALL) ISI_PRIV_LICENSE, (ALL) ISI_PRIV_NDMP, (ALL)
ISI_PRIV_NETWORK, (ALL) ISI_PRIV_NFS, (ALL) ISI_PRIV_NTP, (ALL)
ISI_PRIV_QUOTA, (ALL) ISI_PRIV_REMOTE_SUPPORT, (ALL) ISI_PRIV_SMARTPOOLS,
(ALL) ISI_PRIV_SMB, (ALL) ISI_PRIV_SNAPSHOT, (ALL) ISI_PRIV_SNMP, (ALL)
ISI_PRIV_STATISTICS, (ALL) ISI_PRIV_SWIFT, (ALL) ISI_PRIV_SYNCIQ, (ALL)
ISI_PRIV_VCENTER, (ALL) ISI_PRIV_WORM
(ALL) PASSWD: /bin/date, /sbin/sysctl, /sbin/shutdown, /bin/ps,
/usr/sbin/ntpdate, /sbin/ifconfig, /usr/sbin/newsyslog, /usr/sbin/nfsstat,
/usr/sbin/pciconf, /usr/sbin/tcpdump, (ALL) /usr/bin/isi_classic,
/usr/bin/isi_for_array, /usr/bin/isi_gconfig, /usr/bin/isi_job_d,
/usr/bin/isi_vol_copy

15. Verify that everything looks correct.


16. (Optional) Delete the working and backup copies from the /ifs/data/backup directory:

rm /ifs/data/backup/sudoers /ifs/data/backup/sudoers.bak

CAUTION: The ISI_PRIV_JOB_ENGINE privilege allows the user to run jobs through the Job Engine. These jobs
run as root. Under specific circumstances, the user then may be able to use some of these jobs to delete entire
sections of OneFS, or to acquire ownership of files to which the user would not have access. Care must be
exercised when granting this privilege. The recommendation is to only grant this level to trusted users.
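An added example, not from the guide or from OneFS, for reviewing what a sudoers entry like the one in step 11 really grants: it resolves the command aliases in a user specification to the concrete command paths, following nested aliases and backslash line continuations, which is the expansion sudo -l shows after the fact. The template it runs on is constructed for the demo; the alias names match the guide but their contents are invented here, and the script only reads, never writes, sudoers files.

```shell
#!/bin/sh
# Added example, not part of the OneFS guide: expands the Cmnd_Alias names in
# a sudoers user specification into the concrete commands they grant, so an
# entry such as the %SPECIAL line above can be checked for least privilege
# before it is copied to /etc/mcp/override/sudoers. The template used here is
# constructed for the demo; the real /etc/mcp/templates/sudoers differs.
set -eu

# expand_cmnd_alias SUDOERS NAME: print the commands behind Cmnd_Alias NAME,
# one per line, recursing into aliases that reference other aliases. A NAME
# that is not an alias is printed as-is (it is already a command).
expand_cmnd_alias() {
    awk -v want="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function expand(a, depth,    n, parts, i, p) {
            if (depth > 16 || !(a in alias)) return
            n = split(alias[a], parts, ",")
            for (i = 1; i <= n; i++) {
                p = trim(parts[i])
                if (p in alias) expand(p, depth + 1)
                else if (p != "") print p
            }
        }
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*Cmnd_Alias[ \t]/ {
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            eq = index(line, "=")
            alias[trim(substr(line, 1, eq - 1))] = substr(line, eq + 1)
        }
        END { if (want in alias) expand(want, 0); else print want }
    ' "$1"
}

# group_commands SUDOERS GROUP: the concrete commands the %GROUP entry grants
# (the comma-separated list after its PASSWD: or NOPASSWD: tag), one per line.
group_commands() {
    awk -v g="%$2" '
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }
        { line = buf $0; buf = "" }
        index(line, g " ") == 1 { sub(/^.*:[ \t]*/, "", line); print line }
    ' "$1" | tr ',' '\n' | while read -r item; do
        if [ -n "$item" ]; then expand_cmnd_alias "$1" "$item"; fi
    done
}

# demo_sudoers: write a constructed template in the layout the guide describes
# and print its path.
demo_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed stand-in for /etc/mcp/templates/sudoers
Cmnd_Alias PROCESSES = /bin/ps, /sbin/shutdown
Cmnd_Alias ISI = /usr/bin/isi_for_array, \
                 /usr/bin/isi_gconfig
Cmnd_Alias ISI_ADMIN = ISI, /usr/bin/isi_classic
%SPECIAL ALL=(ALL) PASSWD: PROCESSES, ISI_ADMIN
EOF
    printf '%s' "$f"
}

# review_group GROUP: sorted, de-duplicated command list for %GROUP in the demo
review_group() {
    f=$(demo_sudoers)
    group_commands "$f" "$1" | LC_ALL=C sort -u
    rm -f "$f"
}

review_group SPECIAL
# /bin/ps
# /sbin/shutdown
# /usr/bin/isi_classic
# /usr/bin/isi_for_array
# /usr/bin/isi_gconfig
```

For the real list, concatenate /etc/mcp/templates/sudoers (where the aliases are defined) and your override file into one temporary file and run group_commands on it with the group name; anything in the output that the group does not need is a candidate for trimming from the alias list in step 11.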



Restrict authentication by external providers
OneFS provides certain system-defined accounts for the file provider in the System zone (also known as the System file
provider). OneFS relies on the identity of these system-defined accounts to ensure normal cluster functionality and security.
The identity includes the UID, GID, shell, passwords, privileges, permissions, and so on. Problems can arise if an external
authentication provider authenticates a user or group with the same name as one of these system-defined accounts.
The OneFS mapping service consolidates all user or group accounts with the same name from all authentication providers into a
single access token which identifies the user and controls access to directories and files. For each access zone in OneFS, there
is an ordered list of providers.
When an identity is found in more than one authentication provider, the provider that comes earliest in the list acts as the
source for that identity. If the external provider comes earlier in the list than the System file provider, then the externally
provided identity "overrides" the system-defined identity. If this happens, unintended users could gain inappropriate access to
the cluster, and appropriate administrators could lose access to the cluster.
OneFS provides the following cluster management accounts for the System file provider:

User accounts:
● root
● admin
● compadmin
● ftp
● www
● nobody
● insightiq
● remotesupport
● _lldpd
● _ypldap

Group accounts:
● wheel
● admin
● ftp
● guest
● ifs
● nobody
● video
● _lldpd
● _ypldap

To prevent externally provided identities from overriding the system-defined identities, use the unfindable-users and
unfindable-groups options of the isi auth ads|ldap|nis CLI command. Run the command for each user or group
account that you do not want to be overridden. These accounts can be in any access zone, and can include the system-defined
accounts that are described here, as well as accounts that you create.
For details on how to use the commands, see the OneFS CLI Administration Guide.
To view the users and groups that the System file provider manages, click Access > Membership & Roles. Click either the
Users or the Groups tab. Select System from the Current Access Zone list, and select FILE: System from the Providers
list.
Alternatively, you can run one of the following commands on the command-line interface:

isi auth users list --provider='lsa-file-provider:System'

isi auth groups list --provider='lsa-file-provider:System'



Password usage
Keep each account separate and limited to the purpose for which it is meant. Do not reuse passwords, and do not grant
additional privileges where accounts should not have them.

SNMP security best practices


If you plan to monitor cluster statistics, it is recommended that you use SNMPv3. If you do not plan to monitor cluster statistics,
you should disable the SNMP service.
For more information about how to configure SNMP, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI
Administration Guide.

Use SNMPv3 for cluster monitoring


Network devices must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent
configured on the device. If you plan to monitor cluster statistics, SNMPv3 is recommended. When SNMPv3 is used, OneFS
requires the SNMP security level authNoPriv when querying the PowerScale cluster: requests are authenticated, but the
contents of queries and responses are not encrypted. The authPriv security level is not supported. Because SNMPv3 traffic to
and from the cluster is therefore readable on the wire, restrict SNMP access to a trusted management network.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Enable SNMPv3 access by running the following command:

isi snmp settings modify --snmp-v3-access=yes

3. (Recommended) Disable SNMPv1 and SNMPv2c access:

isi snmp settings modify --snmp-v1-v2c-access no

Disable SNMP
Disable the SNMP service if SNMP monitoring is not required. Disabling SNMP on the cluster does not affect the sending of
SNMP trap alerts from the cluster to an SNMP server.

1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services snmp disable

Change default community string for SNMPv2


If SNMPv2c is needed, change the default community string (I$ilonpublic) to something different. The community string is
sent in cleartext with every SNMPv1/v2c request, so treat it as an access-control token for a trusted management network
rather than as a secret.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Set the new read-only community string in gconfig, replacing <new string>:

isi_gconfig -t bsnmpd-config ro_community=<new string>

3. Disable and then enable snmpd:

isi services snmp disable


isi services snmp enable



SSH security best practices
This section provides recommendations for restricting SSH access and disabling root SSH access to the cluster. You can
perform one or more of these procedures, depending on what is best for your environment.

Restrict SSH access to specific users and groups


By default, only the SecurityAdmin, SystemAdmin, and AuditAdmin roles have SSH access privileges. You can grant SSH access
for specific cluster management tasks to users and groups that have more restricted roles.
To perform these steps, you must log in as a user who has the ISI_PRIV_ROLE privilege, which allows you to create roles and
assign privileges.
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Create a custom role by running the following command, where <role_name> is the name of the custom role:

isi auth roles create <role_name>

3. Add the ISI_PRIV_LOGIN_SSH privilege to the role:

isi auth roles modify <role_name> --add-priv ISI_PRIV_LOGIN_SSH

4. Add a user or a group to the role by running one or both of the following commands, where <user_name> is the name of the
user, and <group_name> is the name of the group:

isi auth roles modify <role_name> --add-user <user_name>

isi auth roles modify <role_name> --add-group <group_name>

Disable root SSH access to the cluster


Disabling root SSH access to the cluster prevents attackers from gaining access to the cluster by brute-force guessing of the
root password over SSH.
After disabling root SSH access, you can still log in as root by performing one of the following actions:
● Physically connect to the cluster using a serial cable, and log in as root.
● Open a secure shell (SSH) connection to any node in the cluster and log in using an RBAC-authorized account. At the
command prompt, type login root and press ENTER. Type the root password when prompted. This method has the
security benefit of requiring two passwords (the user password and the root password).
You can also elevate the privileges for select users to give them access to specified root-level commands (see the Privilege
elevation: Assign select root-level privileges to non-root users section of this guide).
1. Ensure that there is at least one non-root administrator account that is configured and working, and that allows remote SSH
login to the cluster, before you disable root SSH access.
2. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
3. Disable root access by running the following command:

isi ssh modify --permit-root-login=false

Disable forwarding of Unix domain and TCP sockets


Disabling forwarding prevents an attacker who has obtained an SSH login from using the cluster as a relay (pivot) into other
systems through TCP port forwarding or Unix-domain (stream-local) socket forwarding.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following commands:

isi_gconfig -t ssh-config allow_tcp_forwarding=no
isi_gconfig -t ssh-config allow_stream_local_forwarding=no

Data-access protocols best practices


To prevent unauthorized client access through unused or unmonitored protocols, disable protocols that you do not support. For
those protocols that you do support, limit access to only those clients that require it.
The following sections provide instructions for limiting or disabling these protocols.

Use a trusted network to protect files and authentication credentials that are sent in cleartext
The security between a client and the PowerScale cluster depends on which protocol is being used. Some protocols send files
and/or authentication credentials in cleartext. Unless you implement a compensating control, the best way to protect your data
and authentication information from interception is to ensure that the path between clients and the cluster is on a trusted
network. Even if you do implement a compensating control, a trusted network provides an additional layer of security.

Use compensating controls to protect authentication credentials that are sent in cleartext
Some protocols send authentication credentials in cleartext. You can use compensating controls to enable more secure
authentication.
Protocols that send authentication credentials in cleartext include:
● FTP
● HDFS (and WebHDFS)
● HTTP
● NFS
● Swift
Compensating controls for cleartext authentication in OneFS include:
● Kerberos authentication (supported by some protocols).
● NTLM authentication (supported by some protocols).
● Secure impersonation on HDFS.
● Enabling TLS on the FTP service.
● SSH tunneling (wraps an existing non-secure protocol and moves all communication to an encrypted channel).
● The OneFS API (all authentication credentials are sent over TLS).

Use compensating controls to protect files that are sent in cleartext
Files specific to the web interface are sent over TLS. Files specific to /ifs are sent differently depending on the protocol. You
can use compensating controls to increase the security of files that are sent in cleartext.
Protocols that may send /ifs data files in cleartext include:
● FTP
● HDFS (and WebHDFS)
● HTTP
● NFS
● Some versions of SMB



Compensating controls for data transmission in OneFS include:
● The OneFS API (all file access communication is sent over TLS).
● SSH tunneling (wraps an existing non-secure protocol and moves all communication to an encrypted channel).

Initial Sequence Numbers (ISNs) through TCP connections


During a TCP connection, the syncache is used to limit the amount of data the kernel tracks until the connection is
established. If the syncache is full, the kernel switches to syncookies to prevent DoS attempts through a SYN flood attack.
However, while syncookies are in use, Initial Sequence Numbers (ISNs) are derived from the source and destination ports, among
other factors, and the derivation changes only every 15 seconds, which makes the ISNs more predictable.
To disable syncookies so that the kernel generates more random ISNs, use the net.inet.tcp.syncookies sysctl. The setting is
enabled (1) by default. To disable the setting, change its value to zero.

Disable FTP access


The FTP service is disabled by default. It should remain disabled unless it is required.

Disable FTP access (Web UI)


1. Click Protocols > FTP Settings.
2. In the Service area, clear the Enable FTP service check box.
3. Click Save Changes.

Disable FTP access (CLI)


1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services vsftpd disable

Limit or disable HDFS access


The HDFS service on the cluster is enabled by default, and is configured on a per-access-zone basis. If you support Hadoop, you
should disable HDFS access from any access zones that do not require it. If you do not support Hadoop, you should disable the
HDFS service entirely.

Limit HDFS access to specific access zones


If you are using Hadoop, you should disable HDFS access from any access zones that do not require it.
NOTE: Disabling HDFS for an individual access zone prevents HDFS access to that zone. It does not disable the HDFS
service on the cluster.
1. From the OneFS web administration interface, click Protocols > Hadoop (HDFS) > Settings.
2. From the Current Access Zone list, select the access zone for which you want to disable HDFS.
3. In the HDFS Service Settings area, clear the Enable HDFS Service check box.
4. Click Save Changes.
HDFS is disabled for the selected access zone.



Disable HDFS access
If you do not support HDFS, you should disable the HDFS service entirely.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services hdfs disable

General HDFS security

Use HDFS Transparent Data Encryption (TDE), as recommended in the related KB article. To use this feature, you must enable
Kerberos authentication as described in the OneFS CLI Administration Guide.
In addition, use TLS with WebHDFS.

Limit or disable HTTP access


HTTP is used to access the OneFS web administration interface, the OneFS API, WebHDFS, and file sharing. HTTP access to
the cluster is enabled by default.
If you support HTTP, there are several options that you can use to limit access. If you do not support HTTP, you can disable the
apache2 service on the cluster.
Administrators must consider whether limiting or disabling HTTP is suitable for their deployment, and manage the security
implications appropriately.

Limit HTTP access

For options and instructions on how to limit HTTP access, see the Web interface security best practices section of this guide.

Disable HTTP access


Disabling HTTP closes the HTTP port that is used for file access. If you disable HTTP, you can still access the OneFS web
administration interface by using HTTPS and specifying the port number in the URL. The default port is 8080.

NOTE: To specify the port, use https://<ip>:8080

Disable HTTP access (Web UI)


1. Click Protocols > HTTP Settings.
2. In the Service area, select Disable HTTP.
3. Click Save Changes.

Disable HTTP access (CLI)


1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services apache2 disable



NFS best practices
NFS data access to the cluster is enabled by default. In addition, the NFS export /ifs has no access restrictions.
Administrators must consider whether these configurations are suitable for their deployment, and manage the security
implications appropriately.
If you support NFS, recommendations for limiting access are provided in the following sections. If you do not support NFS, you
should disable the NFS service on the cluster.

Delete the default /ifs NFS export


If you support NFS, we recommend that you delete the default NFS export of /ifs. If you choose to keep the /ifs export,
you should assess the security attributes of the export and configure the attributes appropriately for your environment.

Limit access to NFS exports


Use the OneFS web administration interface or command-line interface to control which IP addresses or machines can access
NFS exports and to configure their access levels.
For details, see the OneFS Web Administration Guide or the OneFS CLI Administration Guide.

Limit access to parent directories


To hide parent directories of NFSv4 exports, use NFS aliases.
For details, see the NFS aliases section of the OneFS Web Administration Guide or the OneFS CLI Administration Guide.

Disable NFS access


If you do not support NFS, you should disable the NFS service.

Disable NFS access (Web UI)


1. Click Protocols > UNIX Sharing (NFS) > Global Settings.
2. In the Settings area, clear the Enable NFS Export Service check box.
3. Click Save Changes.

Disable NFS access (CLI)


1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services nfs disable

Enable export hiding


Mountd discloses the existence of exports to remote users even if they cannot access the export. This is the default behavior,
as required by the specification.
To enable export hiding:
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.



2. Modify this setting:

isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.MountdDeniedStatusOnNotAllowed=1

3. To prevent disclosure, restart NFS:

/usr/likewise/bin/lwsm restart onefs_nfs

Disable showmount command


The showmount command lets an NFS client list all exports on a cluster. An option is available to prevent off-node clients
from running "showmount -e".
To enable the option that prevents off-node clients from running showmount -e:
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Modify this setting:

isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.MountdAllowForeignShowmountERequests=0
/usr/likewise/bin/lwsm refresh nfs

3. To revert to the default setting:

isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.MountdAllowForeignShowmountERequests=1
/usr/likewise/bin/lwsm refresh nfs

SMB best practices


SMB data access to the cluster is enabled by default.
In addition, PowerScale provides the following default configurations with no access restrictions:
● An unrestricted SMB share (/ifs)
● Unlimited access to the /ifs directory for the Everyone account
PowerScale cluster administrators must consider whether these configurations are appropriate for their deployment and manage
the security implications appropriately.
If you support SMB, recommendations for limiting access are provided in the following sections. If you do not support SMB, you
should disable the SMB service on the cluster.

Delete the default /ifs SMB share


If you support SMB, we recommend that you delete the default SMB share of /ifs. If you choose to keep the /ifs share, you
should assess the security attributes of the share and configure the attributes appropriately for your environment.

Limit access to SMB shares


It is possible to restrict access to a share by using the share access control list (ACL). However, it is preferred to configure the
share ACL to grant full control to everyone and manage access to individual files and directories by using the file system ACLs.
Limiting the entire share to read or read/write permissions can complicate management because these restrictions override
existing more permissive permissions on individual files and directories. For example, if the share is configured for read-only
access, but an individual file is configured for read/write, only read access is granted to the file. More permissive permissions on
the share do not override more restrictive permissions that exist on individual files and directories.
For details, see the OneFS Web Administration Guide or the OneFS CLI Administration Guide.



Disable SMB access
If you do not support SMB, you should disable the SMB service.

Disable SMB access (Web UI)


1. Click Protocols > Windows Sharing (SMB) > SMB Server Settings.
2. In the Service area, clear the Enable SMB Service check box.
3. Click Save Changes.

Disable SMB access (CLI)


1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services smb disable

SMB signing
SMB is used for file sharing.
In addition, SMB is a transport protocol for Remote Procedure Call (RPC) services such as:
● SAMR (modify local users).
● LSAR (look up local users).
● SRVSVC (modify SMB shares configuration).
SMB and the Distributed Computing Environment Remote Procedure Call (DCERPC) services, which use SMB for transport, are
susceptible to man-in-the-middle attacks. A man-in-the-middle attack occurs when an attacker intercepts and potentially alters
communication between parties who believe that they are in direct communication with one another.
SMB signing can prevent man-in-the-middle attacks within the SMB protocol. However, SMB signing has performance
implications and is disabled by default on PowerScale clusters. Customers should carefully consider whether the security
benefits of SMB signing outweigh the performance costs. The performance degradation SMB signing causes can vary widely
depending on the network and storage system implementation. Actual performance can be verified only through testing in your
network environment.
If SMB signing is needed, you can perform one of the following actions:
● Enable SMB signing for all connections. This action is the easiest and most secure solution. However, this option causes
significant performance degradation because it requires SMB signing for both file transfer and control path DCERPC
connections.
● Enable SMB signing for the control path only. This solution requires that clients use SMB signing when accessing all DCERPC
services on the cluster, but does not require signed connections for the data path. This option requires you to enable four
advanced parameters on the cluster. With these parameters enabled, the OneFS server rejects any nonsigned IPC request
that a client initiates. If clients are configured not to sign, they can access files over SMB but cannot perform certain other
functions, such as SMB share enumeration.

Enable SMB signing for all connections


To enable SMB signing for all connections, perform the following steps.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi smb settings global modify --require-security-signatures yes

3. Configure the client to enable SMB signing. SMB signing may already be enabled by default. See the client documentation
for instructions.



Enable SMB signing for the control path only
To enable SMB signing for the control path only, perform the following steps.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following four commands. The value of 1 at the end of the command enables the parameter:

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\RPCServers\\lsarpc]" "RequireConnectionIntegrity" 1

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\RPCServers\\samr]" "RequireConnectionIntegrity" 1

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\RPCServers\\dssetup]" "RequireConnectionIntegrity" 1

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\\Services\\srvsvc\\Parameters]" "RequireConnectionIntegrity" 1

3. To review the value for each of the settings, run the following four commands. In the output, the value in the line for
"RequireConnectionIntegrity" indicates whether the parameter is enabled (1) or disabled (0).

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\RPCServers\\lsarpc]"

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\RPCServers\\samr]"

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\RPCServers\\dssetup]"

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\\Services\\srvsvc\\Parameters]"

Example output:

"LpcSocketPath" REG_SZ "/var/lib/likewise/rpc/lsass"
"Path" REG_SZ "/usr/likewise/lib/lsa-rpc/lsa.so"
"RegisterTcpIp" REG_DWORD 0x00000000 (0)
"RequireConnectionIntegrity" REG_DWORD 0x00000001 (1)

4. Configure the client to require SMB signing. This step is required in order for the DCERPC services to function. See the
client documentation for instructions.
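The following is an added example and is not part of this guide or of OneFS: a small POSIX shell audit that reads the
lwregshell list_values output for the four registry keys above and reports any RPC server whose RequireConnectionIntegrity
value is not 1, so a control-path signing change can be verified on every node (for example by running it through
isi_for_array). The fake_lwregshell function is a constructed stand-in for /usr/likewise/bin/lwregshell that prints output in
the format of the example above, with srvsvc deliberately left at 0 to show how an unsigned control path is reported; on a
cluster, call audit_control_path_signing without an argument to use the real tool. The keys are written with single backslashes
inside single quotes, which is equivalent to the doubled backslashes inside double quotes in the commands above.

```shell
#!/bin/sh
# Added example (not from the OneFS guide): audit the four lwregshell keys that
# "Enable SMB signing for the control path only" sets, and report which RPC
# servers still accept unsigned DCERPC connections.

# The four registry keys named in the guide, without the surrounding [ ].
# Single quotes keep the backslashes literal.
rpc_keys() {
    printf '%s\n' \
        'HKEY_THIS_MACHINE\Services\lsass\Parameters\RPCServers\lsarpc' \
        'HKEY_THIS_MACHINE\Services\lsass\Parameters\RPCServers\samr' \
        'HKEY_THIS_MACHINE\Services\lsass\Parameters\RPCServers\dssetup' \
        'HKEY_THIS_MACHINE\Services\srvsvc\Parameters'
}

# Read `lwregshell list_values` output on stdin and print the decimal value of
# RequireConnectionIntegrity (the "(N)" at the end of its line), or "missing".
integrity_value() {
    awk '
        /^"RequireConnectionIntegrity"/ { v = $NF; gsub(/[()]/, "", v); print v; found = 1 }
        END { if (!found) print "missing" }
    '
}

# Constructed stand-in for /usr/likewise/bin/lwregshell so the audit can run
# off-cluster. $1 is "list_values", $2 is "[key]". Output mirrors the example
# in the guide; srvsvc is deliberately left at 0.
fake_lwregshell() {
    case "$2" in
        *srvsvc*) v='0x00000000 (0)' ;;
        *)        v='0x00000001 (1)' ;;
    esac
    printf '"LpcSocketPath" REG_SZ "/var/lib/likewise/rpc/lsass"\n'
    printf '"RegisterTcpIp" REG_DWORD 0x00000000 (0)\n'
    printf '"RequireConnectionIntegrity" REG_DWORD %s\n' "$v"
}

# Query every key with the given tool (default: the real lwregshell).
# Returns 0 when all four report 1; otherwise prints the offending keys
# and returns 1.
audit_control_path_signing() {
    tool="${1:-/usr/likewise/bin/lwregshell}"
    bad=0
    for key in $(rpc_keys); do
        val=$("$tool" list_values "[$key]" | integrity_value)
        if [ "$val" != "1" ]; then
            printf 'unsigned control path: %s (RequireConnectionIntegrity=%s)\n' "$key" "$val"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone demonstration against the constructed stand-in.
if audit_control_path_signing fake_lwregshell; then
    echo "all four RPC servers require signed connections"
else
    echo "control-path signing is incomplete; set the keys listed above to 1"
fi
```

The check deliberately treats a missing RequireConnectionIntegrity line the same as 0, because a key that was never set falls
back to the default of not requiring signing.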

Disable Swift access


The Swift service on the cluster is enabled by default. If Swift is not being used to access the cluster, a strong security posture
requires that the service be disabled entirely.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Run the following command:

isi services lwswift disable



Web interface security best practices
This section provides recommendations for limiting access to the OneFS web administration interface, securing the web
interface headers, and configuring the interface to accept the most current TLS versions. You can perform one or more of
these procedures depending on what is best for your environment.

Replace the TLS certificate


PowerScale clusters ship with a self-signed TLS certificate. It is recommended that you replace the default TLS certificate with
a signed certificate.
For instructions, see the OneFS 9.0.0 Web Administration Guide and the OneFS 9.0.0 CLI Administration Guide.

Secure the web interface headers


Securing the web interface header helps to protect against sniffing, clickjacking, and cross-site scripting attacks.
Ensure that you have the latest security patches installed. For more information, see the Current Isilon OneFS Patches
document on the Customer support site.
NOTE:

● This procedure restarts the httpd service. Restarting the httpd service disconnects all current web interface sessions
to the cluster. To minimize the potential impact, coordinate this activity with other cluster administrators.
● Changes are not preserved following an upgrade or rollback.
● Changes are not copied to new nodes.
● Changes might be removed during patching.
● Changes might block security hardening from working.
1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Make working copies of the /etc/mcp/templates/webui_httpd.conf and the /etc/mcp/templates/apache24.conf files in the
backup directory:

cp /etc/mcp/templates/webui_httpd.conf /ifs/data/backup

cp /etc/mcp/templates/apache24.conf /ifs/data/backup

5. Make backup copies of the /etc/mcp/templates/webui_httpd.conf and the /etc/mcp/templates/apache24.conf files in the
backup directory:

cp /etc/mcp/templates/webui_httpd.conf \
/ifs/data/backup/webui_httpd.conf.bak

cp /etc/mcp/templates/apache24.conf \
/ifs/data/backup/apache24.conf.bak

NOTE: If a file with the same name exists in the backup directory, either overwrite the existing file, or, to save the old
backups, rename the new file with a timestamp or other identifier.



6. Open the /ifs/data/backup/webui_httpd.conf and the /ifs/data/backup/apache24.conf working copies in a text editor.
7. Add the following lines to the very bottom of each file (after </VirtualHost>):

# Begin Security Best Practices
Header always append X-Frame-Options SAMEORIGIN
Header always append X-Content-Type-Options nosniff
Header always append X-XSS-Protection "1; mode=block"
# End Security Best Practices

8. Confirm that the changes are correct. Then save the files and exit the text editor.
9. Copy the updated files to the /etc/mcp/templates directory on all nodes in the cluster:

isi_for_array 'cp /ifs/data/backup/webui_httpd.conf \
/etc/mcp/templates/webui_httpd.conf'

isi_for_array 'cp /ifs/data/backup/apache24.conf \
/etc/mcp/templates/apache24.conf'

10. (Optional) Delete the working and backup copies from the /ifs/data/backup directory:

rm /ifs/data/backup/webui_httpd.conf \
/ifs/data/backup/webui_httpd.conf.bak

rm /ifs/data/backup/apache24.conf \
/ifs/data/backup/apache24.conf.bak

Accept up-to-date versions of TLS in the OneFS web interface


If required, configure the OneFS web administration interface to accept connections only from the most up-to-date versions of
the TLS protocol.
If your current configuration at /etc/mcp/templates/webui_httpd.conf contains +TLSv1 or +TLSv1.1, those legacy versions are
still accepted; install the latest security patches. For more information, see the Current PowerScale OneFS Patches document
on the Customer support site.
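Added example, not part of this guide and not OneFS code: a POSIX shell audit that checks an httpd template for the three
Header directives from the "Secure the web interface headers" procedure and for any +TLSv1 or +TLSv1.1 token on an
SSLProtocol line, which is the condition this section says patching should resolve. The two template files it writes are
constructed, minimal stand-ins, not the real webui_httpd.conf or apache24.conf; on a cluster you would point
audit_httpd_template at the files under /etc/mcp/templates on each node (for example through isi_for_array). The assumption
that the legacy versions appear as +TLSv1 / +TLSv1.1 tokens on an SSLProtocol directive follows this section's wording.

```shell
#!/bin/sh
# Added example (not from the OneFS guide): audit an httpd template for the
# three "Header always append" directives the guide adds and for the legacy
# +TLSv1 / +TLSv1.1 tokens it says should no longer be present.

# Header names the guide appends after </VirtualHost>.
required_headers() {
    printf '%s\n' X-Frame-Options X-Content-Type-Options X-XSS-Protection
}

# Print each required header that no "Header always append|set <name>" line sets.
missing_headers() {
    for h in $(required_headers); do
        grep -Eq "^[[:space:]]*Header[[:space:]]+always[[:space:]]+(append|set)[[:space:]]+$h([[:space:]]|\$)" "$1" \
            || echo "$h"
    done
}

# Print legacy protocol tokens (+TLSv1, +TLSv1.1) enabled on any SSLProtocol line.
legacy_tls_tokens() {
    grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tr ' \t' '\n\n' | grep -Ex '\+TLSv1(\.1)?' | sort -u
}

# Constructed "before" template: legacy TLS enabled, only one header added.
write_unhardened_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:8080>
    SSLEngine on
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
# Begin Security Best Practices
Header always append X-Frame-Options SAMEORIGIN
# End Security Best Practices
EOF
}

# Constructed "after" template: TLS 1.2 only and all three headers present.
write_hardened_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:8080>
    SSLEngine on
    SSLProtocol -all +TLSv1.2
</VirtualHost>
# Begin Security Best Practices
Header always append X-Frame-Options SAMEORIGIN
Header always append X-Content-Type-Options nosniff
Header always append X-XSS-Protection "1; mode=block"
# End Security Best Practices
EOF
}

# Report findings for one template; returns 0 only when nothing is wrong.
audit_httpd_template() {
    rc=0
    for h in $(missing_headers "$1"); do
        echo "$1: missing header directive for $h"; rc=1
    done
    for t in $(legacy_tls_tokens "$1"); do
        echo "$1: legacy TLS version still enabled: $t"; rc=1
    done
    return $rc
}

# Stand-alone demonstration on the constructed files.
tmpdir=$(mktemp -d)
write_unhardened_conf "$tmpdir/before.conf"
write_hardened_conf "$tmpdir/after.conf"
for f in "$tmpdir/before.conf" "$tmpdir/after.conf"; do
    if audit_httpd_template "$f"; then echo "$f: OK"; fi
done
rm -rf "$tmpdir"
```

Because the NOTE above says these changes can be lost on upgrade, rollback, patching, or when nodes are added, running this
audit after each of those events is the practical way to notice that the headers or TLS settings have silently reverted.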



6
Glossary
Topics:
• Terminology

Terminology
The following terms and abbreviations describe some of the features and technology of the PowerScale OneFS system and
PowerScale cluster.

Access-based enumeration (ABE)
    In a Microsoft Windows environment, ABE filters the list of available files and folders to allow users to see only
    those that they have permissions to access on a file server.
Access control entry (ACE)
    An element of an access control list (ACL) that defines access rights to an object (like a file or directory) for a
    user or group.
Access control list (ACL)
    A list of access control entries (ACEs) that provide information about the users and groups allowed access to an
    object.
ACL policy
    The policy that defines which access control methods (NFS permissions and/or Windows ACLs) are enforced when a user
    accesses a file on the system in an environment that is configured to provide multiprotocol access to file systems.
    The ACL policy is set through the web administration interface.
Authentication
    The process for verifying the identity of a user trying to access a resource or object, such as a file or a
    directory.
Certificate Authority (CA)
    A trusted third party that digitally signs public key certificates.
Certificate Authority Certificate
    A digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host
    to verify digital signatures on public key certificates.
Command-line interface (CLI)
    An interface for entering commands through a shell window to perform cluster administration tasks.
Digital certificate
    An electronic ID issued by a certificate authority that establishes user credentials. It contains the user identity
    (a hostname), a serial number, expiration dates, a copy of the public key of the certificate holder (used for
    encrypting messages and digital signatures), and a digital signature from the certificate-issuing authority so that
    recipients can verify that the certificate is valid.
Directory server
    A server that stores and organizes information about a computer network's users and network resources, and that
    allows network administrators to manage user access to the resources. X.500 is the best-known open directory
    service. Proprietary directory services include Microsoft Active Directory.
Group Identifier (GID)
    Numeric value used to represent a group account in a UNIX system.
Hypertext Transfer Protocol (HTTP)
    The communications protocol used to connect to servers on the World Wide Web.
Hypertext Transfer Protocol Secure (HTTPS)
    HTTP over TLS. All network traffic between the client and server system is encrypted. In addition, HTTPS provides
    the option to verify server and client identities. Typically, server identities are verified and client identities
    are not.
Kerberos
    An authentication, data integrity, and data-privacy encryption mechanism that is used to encode authentication
    information. Kerberos coexists with NTLM and provides authentication for client/server applications using
    secret-key cryptography.

64 Glossary
Lightweight Directory Access Protocol (LDAP)
    An information-access protocol that runs directly over TCP/IP. LDAP is the primary access protocol for Active
    Directory and LDAP-based directory servers. LDAP Version 3 is defined by a set of Proposed Standard documents in
    Internet Engineering Task Force (IETF) RFC 2251.
LDAP-based directory
    A directory server that provides access through LDAP. Examples of LDAP-based directory servers include OpenLDAP and
    SUN Directory Server.
Network File System (NFS)
    A distributed file system that provides transparent access to remote file systems. NFS allows all network systems
    to share a single copy of a directory.
Network Information Service (NIS)
    A service that provides authentication and identity uniformity across local area networks and allows you to
    integrate the cluster with your NIS infrastructure. Designed by Sun Microsystems, NIS can be used to authenticate
    users and groups when they access the cluster.
OneFS API
    A RESTful HTTP-based interface that enables cluster configuration, management, and monitoring functionality, and
    enables operations on files and directories.
OpenLDAP
    The open source implementation of an LDAP-based directory service.
Public Key Infrastructure (PKI)
    A means of managing private keys and associated public key certificates for use in Public Key Cryptography.
Secure Sockets Layer (SSL)
    A security protocol that provides encryption and authentication. SSL encrypts data and provides message and server
    authentication. SSL also supports client authentication if required by the server.
Security Identifier (SID)
    A unique, fixed identifier used to represent a user account, user group, or other secure identity component in a
    Windows system.
Server Message Block (SMB)
    A network protocol used by Windows-based computers that allows systems within the same network to share files.
Simple Network Management Protocol (SNMP)
    A protocol that can be used to communicate management information between the network management stations and the
    agents in the network elements.
Support Remote Services Gateway
    Secure Remote Support (SRS) enables 24x7 proactive, secure, high-speed remote monitoring and repair for many Dell
    EMC products.
Transport Layer Security (TLS)
    The successor protocol to SSL for general communication authentication and encryption over TCP/IP networks.
User Identifier (UID)
    Alphanumeric value used to represent a user account in a UNIX system.
X.509
    A widely used standard for defining digital certificates.

