Unisphere Security and Basic Management

Upon completion of this module, you should be able to:
• List Unisphere security features
• Describe Unisphere authentication using LDAP
• Audit Control Station events
• Explain VNX system notification methods and event monitoring
• Implement Unisphere security
Lesson 1: Unisphere and CLI interfaces
This lesson covers the following topics:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
VNX Administration
• Administration is performed via a GUI or CLI connection to the VNX
  • Unisphere GUI
  • CLI to the Control Station (for File) or host-based Secure CLI (for Block)
EMC Unisphere
• Enter the IP address of the VNX Control Station or Storage Processor in a browser session
(screenshot: Unisphere VNX Client login)
Unisphere Interface Terms and Components (1 of 8)
(screenshot callouts: Top Navigation Bar, Task Pane, Main Pane, Expand Task Pane, Expand Main Pane)
Unisphere Interface Terms and Components (2 of 8)
(screenshot callouts: Hide Task Menu, Expand Task Menu, Navigation “breadcrumb”, Toolbar, Search Option, General Options, Logged User)
Unisphere Interface Terms and Components (3 of 8)
• Mousing over an option of the Top Navigation Bar opens a submenu
• Right-clicking over a query selection opens a menu with actions for the selected object
Unisphere Interface Terms and Components (4 of 8)
(screenshot callouts: Tools, Page Help, Export to CSV file, Refresh the Page)
Unisphere Interface Terms and Components (5 of 8)
(screenshot only)
Unisphere Interface Terms and Components (6 of 8)
• Place the mouse cursor over a field name
• Wait for the pop-up description
• Quick answers for simple usability questions
• Example:
  • The user is creating an NFS Export for a File System (discussed later in this course)
  • The Create NFS Export dialog box opens with the data form
  • The mouse cursor was placed over “Read-only Hosts:”
  • The operator waited two seconds
Unisphere Interface Terms and Components (7 of 8)
• Wizards
  • Generate a pop-up window
  • Simplified step-by-step walk-through
  • Designed for novice users
  • Further modification and management is done using the Navigation and Task pages
VNX for File Command Line Interface (CLI)
• Used for the completion of most administrative tasks
  • Primary function: scripting of repetitive tasks
• The CLI is accessed on the Control Station (CS)
  • Local access is available directly at the Control Station console
  • Remote access is available via an SSH client such as PuTTY
• Approximately 80 Linux-like commands
  • The CS runs an EMC-customized Linux
• Data Movers (DM) do not have a CLI
  • Commands are entered from the CS
  • The CS routes the commands to
    • Data Movers
    • Storage Systems
VNX for File CLI Commands
• cel_ commands
  • Execute on remotely-linked VNX for File systems
• cs_ commands
  • Execute on the local Control Station
• fs_ commands
  • Execute against the specified file system
• nas_ commands
  • Execute against the Control Station database
• server_ commands
  • Execute directly on a Data Mover
Unisphere Integration with VNX for File CLI
• Integration with the Command Line Interface (CLI)
  • VNX for File CLI commands can be executed via the GUI
  • Only one command at a time
VNX for Block Command Line Interface (CLI)
• Secure CLI is a comprehensive CLI solution for VNX for Block
• Client application installed on supported Windows and Linux/Unix hosts
• Commands consist of the naviseccli command and its options
• Command areas: storage connectivity, provisioning and management; LUN compression, expansion and migration; storage domain and host agents
SP Setup Page
(screenshot only)
Lesson 1: Summary
During this lesson the following topics were covered:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
Lesson 2: Unisphere Security Features
This lesson covers the following topics:
• VNX administrative user authentication
• Unisphere security features
• Unisphere authentication scopes
• Unisphere user roles for system administration
VNX Management Access Security
• Different management applications have access to the VNX system
• Access is limited to authorized users and applications
• Authentication
  • Identify the user making a request
• Authorization
  • Determine whether the user has the right to make the request
• Privacy
  • Avoid unauthorized disclosure of information to a user
• Trust
  • Verify the identity of the communicating parties
• Audit
  • Record the activities performed by an authenticated user
VNX Administration Security
• VNX access via the GUI or CLI interfaces requires user authentication
• Administrative options for
  • Unique administrative user accounts
  • Role-based administration
  • Secure authentication and management
    • SSL/TLS and SSH login
Administrative Authentication Scope
• Authentication scopes
  • Global
  • Local
  • LDAP
(diagram: a user login is resolved as a Global user within the Storage Domain, a Local user, or an LDAP user authenticated against the LDAP server)
VNX Default Management Accounts
• VNX for File and Unified systems have default management accounts
• VNX for Block systems do not have default factory-installed management accounts
  • A global account can be created during initialization or at first login
Administrative Roles
• Areas of administrative responsibility
• Privileges to VNX objects
  • Read / Modify / Full Control
• Associated with the user’s primary group
• System-defined roles
  • Cannot be modified or deleted
• User-defined roles
  • Custom configured
• Roles apply to both the GUI and the CLI
Unisphere SSL/TLS Certificates
• Certificates secure VNX network links for:
  • Management
  • LDAP bindings
• Establishing a trusted identity
  • PKI encoding and decoding
• Default self-signed certificates
  • SPA, SPB and Control Station
  • 2048-bit RSA keys
• Generate Data Mover self-signed certificates
• Configure CA-signed certificates
  • SPA, SPB and Data Movers
(diagram: SSL/TLS links between the VNX and VMware ESXi, client software, FileMover, LDAP and management clients)
VNX Log Auditing
• Audit logging on a VNX for Block system
  • Check for suspicious activity logged on the VNX SPs
  • Provides information on the affected SPs and the associated hosts
• Auditing on a VNX for File system
  • Captures management activities initiated from the Control Station
  • Verifies access to key system files and end-user data
• Integration with RSA enVision
  • The application provides collection, analysis and reporting of the administrative events logged by VNX storage systems
Lesson 2: Summary
During this lesson the following topics were covered:
• VNX administrative user authentication
• Unisphere authentication scopes
• Unisphere security features
• Unisphere user roles for system administration
Lesson 3: Unisphere Authentication using LDAP
This lesson covers the following topics:
• VNX integration with LDAP for management
• Binding the Control Station and SPs to LDAP
• Configuring group mappings
• Assigning administrative roles to LDAP users
Configuring LDAP Authentication Overview
• Configure the LDAP binding to the LDAP server
• Map a VNX administrative role to an LDAP group
  • The VNX creates a local group and maps it to the LDAP group
• LDAP-based domains
  • Microsoft AD
  • iPlanet
  • OpenLDAP
(diagram: 1 LDAP binding, 2 role-to-group mapping, 3 group mapping)
Configuring LDAP Binding: Part 1
• Settings > Security
  • From the System Tasks pane, select Manage LDAP Domain
• Server tab
  • IP address and port number
  • Server type and protocol
  • Domain name
  • Bind DN and password
  • User and group search paths
Configuring LDAP Binding: Part 2
• Role Mapping tab
  • For the LDAP group object
    • Domain group or user name
    • Role for the user or group
• Advanced tab
  • Customize various LDAP attributes
Automatic LDAP Group Mapping
• A new local group is automatically created on the VNX
• Automatic mapping between the new local group and the LDAP domain group
• Members of the LDAP group are granted the administrative rights of the mapped role
LDAP User Login
• GUI login
  • LDAP credentials
    • Username/Password
  • Select the Use LDAP option
• CLI login to the Control Station
  • LDAP credentials
  • Username format: <username>@<domain name>

    login as: ptesca@corp.hmarine.com
    ptesca@corp.hmarine.com@10.127.57.130's password: *******
    [ptesca@VNX3cs0 ~]$
Lesson 3: Summary
During this lesson the following topics were covered:
• Integration of VNX with LDAP domains and users
• How to bind the Control Station and SPs to LDAP
• Configuration of group mappings
• Assignment of administrative roles to LDAP users
Lesson 4: Control Station Auditing
This lesson covers the following topics:
• Auditing the administrative access to the Control Station
• Auditing events
• Control Station audit commands, creation of logs and reports
Auditing on the VNX Control Station
• The purpose of auditing is to record the security-relevant events that happen on a system
• Provides information about who initiated the event and the event’s effect on the system (e.g., success or failure)
• Auditing is driven by several factors, including compliance concerns and basic system management
• Auditing is enabled by default
Default Audit Events
• Defined in /etc/audit/audit.rules
  • Root file system access by administrators
  • A list of sensitive system files
  • Changes to the audit infrastructure
  • Users authenticating to the system
Record Types
• Several main record types are associated with audit events
• The main record types are listed in the table below
Audit Commands
• Native Linux commands
  • No VNX-specific commands
  • Man pages are available
  • Require root permissions
• /sbin/auditctl
  • Controls the kernel’s audit subsystem
• /sbin/ausearch
  • For reading the audit trail
• /sbin/aureport
  • Produces summary reports of audit logs
• /sbin/service auditd
  • Controls the auditd daemon
  • Options: start, stop, status, restart, reload, rotate, condrestart
Audit Control
• Configure audit behavior: /sbin/auditctl
• Example shows abbreviated output of this command’s help

    # ./auditctl -h
    usage: auditctl [options]
        -a <l,a>        Append rule to end of <l>ist with <a>ction
        -A <l,a>        Add rule at beginning of <l>ist with <a>ction
        -b <backlog>    Set max number of outstanding audit buffers allowed
                        Default=64
        -d <l,a>        Delete rule from <l>ist with <a>ction
                        l=task,entry,exit,user,watch,exclude
                        a=never,possible,always
        -D              Delete all rules and watches
        -e [0..2]       Set enabled flag
        -f [0..2]       Set failure flag
                        0=silent 1=printk 2=panic
        -F f=v          Build rule: field name, operator(=,!=,<,>,<=,>=,^,&) value
        -h              Help
Viewing Audit Log
• Reading the audit trail: /sbin/ausearch
• Example shows the file system paths accessed
• Output below is abbreviated

    # /sbin/ausearch -i -m PATH | grep cwd
    type=CWD msg=audit(04/28/2011 09:05:08.909:8442) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:05:08.911:8443) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:05:08.914:8444) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:05:08.916:8445) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:05:08.917:8446) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:05:08.974:8447) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:05:08.975:8448) : cwd=/nbsnas/server
    type=CWD msg=audit(04/28/2011 09:10:01.119:8472) : cwd=/home/nasadmin
    type=CWD msg=audit(04/28/2011 09:10:01.120:8473) : cwd=/home/nasadmin
    type=CWD msg=audit(04/28/2011 09:10:01.132:8475) : cwd=/home/nasadmin
    type=CWD msg=audit(04/28/2011 09:10:01.133:8476) : cwd=/home/nasadmin
    type=CWD msg=audit(04/28/2011 09:10:01.137:8477) : cwd=/home/nasadmin
Creating Audit Reports
• Generating audit summary reports: /sbin/aureport
• Example shows the Authentication Report

    # /sbin/aureport --auth

    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
    2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
    3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
    4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
    5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
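The ausearch and aureport outputs on the two slides above are what an administrator actually reviews, so the added example below (written for this page; it is not EMC course material or VNX code) parses both formats from constructed sample text copied from the slides and answers the questions a reviewer asks: which working directories audited commands ran from, which accounts failed to authenticate, whether failures cluster in a short window, and which successful logins came from a remote host. The regular expressions, the ten-second burst window and the threshold of three are assumptions of this example; no auditd installation is needed to run it.

```python
"""Parse Control Station audit output: ausearch -i CWD records and the
aureport --auth table. Added example; sample text is constructed from
the slide output, so it runs without auditd."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: ausearch -i -m PATH | grep cwd (abbreviated, as on the slide).
AUSEARCH_CWD = """\
type=CWD msg=audit(04/28/2011 09:05:08.909:8442) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.911:8443) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:10:01.119:8472) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.120:8473) : cwd=/home/nasadmin
"""

# Constructed sample: aureport --auth, header rows included so the parser must skip them.
AUREPORT_AUTH = """\
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
"""

# ausearch -i prints msg=audit(<date> <time>:<serial>) followed by the record fields.
CWD_RE = re.compile(
    r"^type=CWD msg=audit\((?P<date>\S+) (?P<time>[\d:.]+):(?P<serial>\d+)\) : cwd=(?P<cwd>\S+)$"
)
# aureport --auth rows: index, date, time, acct="name (unbalanced quote as printed),
# host, terminal, executable, success flag, event id.
AUTH_RE = re.compile(
    r'^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+acct="?(?P<acct>\S+)\s+(?P<host>\S+)\s+'
    r"(?P<term>\S+)\s+(?P<exe>\S+)\s+(?P<success>yes|no)\s+(?P<event>\d+)$"
)


def parse_cwd_records(text):
    """Return [(timestamp, serial, cwd)] for each CWD record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CWD_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
            records.append((ts, int(m["serial"]), m["cwd"]))
    return records


def cwd_counts(text):
    """How many audited PATH events ran from each working directory."""
    return dict(Counter(cwd for _, _, cwd in parse_cwd_records(text)))


def parse_auth_report(text):
    """Return one dict per aureport --auth row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["timestamp"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
            row["success"] = row["success"] == "yes"
            row["event"] = int(row["event"])
            rows.append(row)
    return rows


def failed_auth_by_account(text):
    """Number of failed authentications per account."""
    return dict(Counter(r["acct"] for r in parse_auth_report(text) if not r["success"]))


def remote_logins(text):
    """Successful logins with a known source host (aureport prints '?' when there is none)."""
    return [(r["acct"], r["host"]) for r in parse_auth_report(text) if r["success"] and r["host"] != "?"]


def failure_bursts(text, window_seconds=10, threshold=3):
    """Start times of windows holding at least `threshold` failed authentications."""
    failed = sorted(r["timestamp"] for r in parse_auth_report(text) if not r["success"])
    bursts = []
    for i, start in enumerate(failed):
        in_window = sum(1 for t in failed[i:] if (t - start).total_seconds() <= window_seconds)
        if in_window >= threshold:
            bursts.append(start)
    return bursts


if __name__ == "__main__":
    print("working directories:", cwd_counts(AUSEARCH_CWD))
    print("failed auth by account:", failed_auth_by_account(AUREPORT_AUTH))
    print("remote logins:", remote_logins(AUREPORT_AUTH))
    print("failure bursts:", [b.isoformat() for b in failure_bursts(AUREPORT_AUTH)])
```

On the sample data the three change_passwd failures within four seconds form one burst starting at 07:30:04, and the only remote login is nasadmin over ssh from 10.12.247.3; on a real Control Station the same functions can be fed the output of `ausearch -i` and `aureport --auth` captured to a file.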
Audit Backups
• Audit logs are located in /celerra/audit
• Backup of the auditing configuration files and the current audit log file
  • To the backend: /nas/var/auditing/
  • Each Control Station is synced every 180 seconds
    • /nas/var/auditing/cs0/
    • /nas/var/auditing/cs1/
• If the Control Station in slot 0 is replaced, recovery code will restore the audit configuration files
  • Slot 1 auditing configuration is restored manually

    # ls /nas/var/auditing/
    cs0  lost+found
    # ls /nas/var/auditing/cs0
    auditd.conf  audit.log  audit.rules
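Because the backend copy under /nas/var/auditing/ is what survives a Control Station replacement, it is worth checking that the copy is complete and still being refreshed. The added example below (written for this page, not VNX or course code) takes the directory layout, the three file names and the 180-second sync interval from the slide; treating file modification time as the freshness signal and allowing two missed sync intervals before flagging a file are assumptions of this example. It builds a temporary tree with constructed files instead of reading the real backend, so it runs anywhere.

```python
"""Check the backend copies of the Control Station audit files for presence and
freshness. Added example; the /nas/var/auditing/<slot>/ layout, file names and
180-second interval are from the slide, the mtime-based check is an assumption."""
import os
import tempfile
import time

AUDIT_FILES = ("auditd.conf", "audit.log", "audit.rules")  # as listed under cs0 on the slide
SYNC_INTERVAL = 180  # seconds between Control Station syncs (from the slide)


def check_audit_backup(base, slots=("cs0", "cs1"), max_age=2 * SYNC_INTERVAL, now=None):
    """Return {slot: [problem, ...]}; an empty list means the slot's copy looks healthy.

    A missing slot directory is reported as a problem; on a single Control Station
    system cs1 is expected to be absent, so pass slots=("cs0",) there."""
    now = time.time() if now is None else now
    report = {}
    for slot in slots:
        slot_dir = os.path.join(base, slot)
        if not os.path.isdir(slot_dir):
            report[slot] = ["directory missing"]
            continue
        problems = []
        for name in AUDIT_FILES:
            path = os.path.join(slot_dir, name)
            if not os.path.isfile(path):
                problems.append(f"{name} missing")
                continue
            age = now - os.stat(path).st_mtime
            if age > max_age:
                problems.append(f"{name} stale ({int(age)}s old, limit {max_age}s)")
        report[slot] = problems
    return report


def build_sample_tree():
    """Constructed sample: cs0 synced 10 s ago except audit.log (an hour old),
    cs1 fully fresh, no cs2. Returns (base_dir, reference_time)."""
    base = tempfile.mkdtemp(prefix="auditing-")
    now = time.time()
    layout = {"cs0": {"audit.log": 3600}, "cs1": {}}  # per-file age overrides, default 10 s
    for slot, overrides in layout.items():
        slot_dir = os.path.join(base, slot)
        os.makedirs(slot_dir)
        for name in AUDIT_FILES:
            path = os.path.join(slot_dir, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            age = overrides.get(name, 10)
            os.utime(path, (now - age, now - age))
    return base, now


if __name__ == "__main__":
    base, now = build_sample_tree()
    for slot, problems in check_audit_backup(base, slots=("cs0", "cs1", "cs2"), now=now).items():
        print(slot, "OK" if not problems else "; ".join(problems))
```

Run against the real path on a Control Station, the call would be `check_audit_backup("/nas/var/auditing", slots=("cs0",))` for a single-CS system; a stale audit.log copy there means the 180-second sync has stopped and the backend no longer reflects current audit activity.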
Lesson 4: Summary
During this lesson the following topics were covered:
• Auditing the administrative access to the Control Station
• Events that can be configured for auditing
• Control Station audit commands used for the creation of logs and reports
Lesson 5: Notification Methods and Event Monitoring
This lesson covers the following topics:
• Unisphere monitoring features
• Event logs for VNX system activities
• Event monitor operations
• Event monitor notifications
Unisphere System Monitoring
• System > Monitoring and Alerts
Unisphere Monitoring: Alerts
• System > Monitoring and Alerts > Alerts
Unisphere Monitoring: Background Tasks for File
• System > Monitoring and Alerts > Background Tasks for File
Unisphere Monitoring: Event Logs for File
• VNX for File related events
  • Messages from a Data Mover or the Control Station
  • Filtered by selected time interval and severity level
  • Right-click over a selection and choose Details
Unisphere Monitoring: SP Event Logs
• VNX for Block related events
  • Events logged on the Storage Processor
Unisphere Monitoring: Notifications for File
• System event notification: facility, severity, action, destination
• System resource utilization: storage usage, storage protection, DM load