    Other Security Settings

    This chapter contains other information that is relevant for ensuring the secure operation of the storage system.

    About STIG

    A Security Technical Implementation Guide (STIG) defines a configuration and maintenance standard for computer deployments required by the US Department of Defense (DoD) Information Assurance (IA) program. These guidelines are designed to enhance security settings and configuration options before the systems are connected to a network. More information about the various STIGs is available at http://iase.disa.mil/stigs/index.html.

    Some of the hardening steps to meet STIG requirements are turned on by running service scripts. The svc_stig service command enables or disables STIG mode on a Unity system (physical deployments only) and provides the status of the STIG mode. This service command provides a simple and automated mechanism to apply these changes. These changes can also be undone if there is a requirement to do so at a later date (for example, to troubleshoot an operational issue).

    While the changes implemented by the STIG mode to configuration and management options can be undone, not all of the related settings are returned to their default values. Some settings, such as permission and privilege changes to file systems at the OE level, are retained.

    The storage system persists the STIG mode, and it remains preserved through software upgrade.

    Manage STIG mode (physical deployments only)

    When STIG mode is enabled through the svc_stig service command, the status of each STIG category that is applied (Category I, Category II, or both) is shown. You can choose which categories are applied; running svc_stig -e without any option applies both CAT I and CAT II STIGs. When CAT II is enabled, both the storage system SSH service interface and Unisphere display a DoD login banner for interactive sessions.

    To harden your storage system, follow these three steps in order:

    1. Enable STIG mode. This process applies the changes on the passive SP and reboots the passive SP. Once the passive SP is fully up, it becomes the active SP. The changes are then applied on the previous active SP and a reboot is issued on that SP.
    2. Enable FIPS 140-2 mode. This process causes the SPs to reboot again. For information about FIPS 140-2 mode, see Management support for FIPS 140-2.
    3. Enable STIG-compliant user account settings. For information about STIG-compliant user account settings, see Manage user account settings within STIG mode (physical deployments only).

    To disable hardening of your storage system, follow these three steps in order:

    1. Disable STIG-compliant user account settings.
    2. Disable FIPS 140-2 mode.
    3. Disable STIG mode.

    Use Cases

    Usage: svc_stig [<qualifiers>] where the qualifiers are:
    
      -h|--help             : Display this message
      -d|--disable       [options] : Disable STIGs
      -e|--enable        [options] : Enable STIGs
      -s|--status        [options] : Get status for STIGs
    
    This script enables, disables, and provides current status for each
    category of STIGs.
    
    See the help text below for more information on options.
    
    Refer to the system documentation for a complete description of STIGs
    supported.
    
    -d|--disable:
      Used to Disable all STIGs (no option specified).
      Options:
    
        -c|--cat [X]    : disable a specific category of STIGs
    
    -e|--enable:
      Used to Enable all STIGs (no option specified).
      Options:
    
        -c|--cat [X]    : enable a specific category of STIGs
    
    -s|--status:
      Used to show the current status (enabled or disabled) for all STIGs
      (no option specified).
      Options:
    
        -c|--cat [X]    : show status for a specific Category of STIGs
        -b|--boolean-format : show boolean status for a specific Category of STIGs
                        

    Example Enable STIG mode

    12:51:21 service@OB-M1204-spb spb:~> svc_stig -e
    ###############################################################################
    WARNING:
    WARNING: This action will cause a reboot of the system!!
    WARNING:
    ###############################################################################
    
    ###############################################################################
    INFO:
    INFO: Both Storage Processors will reboot in sequence, starting with peer SP.
    INFO: When primary SP comes back from reboot, the process will automatically
    INFO: restart to finish applying. Monitor status with 'svc_stig -s'. If status
    INFO: does not change to expected value within 30 minutes, contact service
    INFO: provider.
    INFO:
    ###############################################################################
    Enter "yes" if want to proceed with this action: 
                        

    Example Show STIG mode status

    13:25:15 service@OB-M1204-spa spa:~> svc_stig -s
    STIG CATEGORY 1: ENABLED
    STIG CATEGORY 2: ENABLED
                        

    Manage user account settings within STIG mode (physical deployments only)

    A user with an administrator or security administrator role has the capability to enable, disable, view, and configure settings related to user accounts. The settings apply to all user accounts unless specified otherwise. When user account settings is enabled without specifying a particular value for each setting, the default value that is STIG-compliant is automatically applied. When user account settings is disabled, each setting reverts to its value before the functionality was enabled. The following functionality for user account settings is only applicable on systems that have STIG mode enabled:

    • Additional password requirements
    • Failed login requirements
    • Lockout period
    • Session idle timeout
    • Enable default admin lockout

    The following is a summary of the limitations for the user account settings functionality:

    • The functionality is only available through the UEMCLI commands /user/account/settings set and /user/account/settings show.
    • Only a user with an administrator or security administrator role can perform this command.
    • The password for the default admin account never expires.
    • The command returns an error if it is used when STIG mode is not enabled.
    • This functionality needs to be enabled separately after STIG mode is enabled.
    • This functionality needs to be disabled separately before STIG mode is disabled.

    Additional password requirements

    Additional password requirements are added for user accounts created or modified after STIG mode is enabled:

    • Minimum password size
    • Password count
    • Password period

    The minimum password size (-passwdMinSize) setting represents the minimum size that passwords for local user accounts must meet when a user account is created or when a password is modified. The minimum size for the password can be configured to be within the range of 8 - 40 characters. The default value when user account settings is enabled without specifying the minimum password size is 15 characters. When user account settings is disabled, the minimum password size is set to 8 characters. Any change to this setting does not impact local user accounts that were created prior to the change unless the password is modified.

    The password count (-passwdCount) setting represents the number of passwords that cannot be reused for local user accounts. The password count can be configured to be within the range of 3 - 12 passwords. The default value when user account settings is enabled without specifying the password count is 5 passwords. When user account settings is disabled, the password count is set to 3 passwords. This setting impacts all pre-existing and new local user accounts.

    The password period (-passwdPeriod) setting represents the time period in days when the password expires for local user accounts. The password period can be configured to be within the range of 1 - 180 days, where the value -noPasswdPeriod means that a password will never expire. The default value when user account settings is enabled without specifying the password period is 60 days. When user account settings is disabled, the password period is set to empty. This setting impacts all pre-existing and new local user accounts. However, this setting does not apply to the default admin user account in which the password never expires.

    Password expiration status

    A user with an administrator or security administrator role can view the password expiration status parameter for all local user accounts. This parameter cannot be set. It can only be viewed when the -detail option is specified in the /user/account/settings show UEMCLI command.

    The password expiration status for a user account appears as one of the following values:

    • N/A: Appears when a password is set to never expire, when the user account is of type LDAP, or when user account settings is disabled.
    • # days remaining: Appears when user account settings is enabled and the password period is configured to a value greater than 0.
    • expired: Appears when the password has expired for the user account.

    Failed login requirements

    The following failed login requirements are added for local user accounts after STIG mode is enabled:

    • Maximum failed logins
    • Failed login period

    The maximum number of consecutive failed logins allowed for local user accounts can be configured to be within the range of 1 - 10 consecutive failed logins. The default value when user account settings is enabled without specifying the maximum failed logins is 3 consecutive failed logins. When user account settings is disabled, the maximum number of consecutive failed logins is set to empty.

    The failed login period (-failedLoginPeriod) and lockout period (-lockoutPeriod) settings must be specified with a value whenever the maximum failed logins (-maxFailedLogins) setting is specified. The value -noMaxFailedLogins means that there is no limit on the number of consecutive failed logins that are allowed; -noFailedLoginPeriod and -noLockoutPeriod must be specified together with -noMaxFailedLogins. For more information about these settings, see Disabling/Re-enabling failed login counting.

    The failed login period setting represents the time period in seconds in which the number of failed logins are tracked for local user accounts. The time period can be configured to be within the range of 1 - 3600 seconds. The default value when user account settings is enabled without specifying the failed login period is 900 seconds. When user account settings is disabled, the failed login period is set to empty.

    The maximum failed logins (-maxFailedLogins) and lockout period (-lockoutPeriod) settings must be specified with a value whenever the failed login period (-failedLoginPeriod) setting is specified. The value -noFailedLoginPeriod means that consecutive failed logins are not tracked within a time window; -noMaxFailedLogins and -noLockoutPeriod must be specified together with -noFailedLoginPeriod. For more information about these settings, see Disabling/Re-enabling failed login counting.

    Lockout period

    The lockout period setting represents the time period in seconds in which the local user account is locked when the maximum number of consecutive failed logins has been reached within the failed login time window. The time period can be configured to be within the range of 1 - 86400 seconds. The default value when user account settings is enabled without specifying the lockout period is 3600 seconds. When user account settings is disabled, the lockout period is set to empty.

    The maximum failed logins (-maxFailedLogins) and failed login period (-failedLoginPeriod) settings must be specified with a value whenever the lockout period (-lockoutPeriod) setting is specified. The value -noLockoutPeriod means the account is not locked when it reaches the maximum failed logins within the failed login period; -noMaxFailedLogins and -noFailedLoginPeriod must be specified together with -noLockoutPeriod. For more information about these settings, see Disabling/Re-enabling failed login counting.

    Disabling/Re-enabling failed login counting

    A user with an administrator or security administrator role may choose to disable all login restrictions by simultaneously setting -noMaxFailedLogins, -noFailedLoginPeriod, and -noLockoutPeriod in one command, for example:

    uemcli -d 10.0.0.1 -u Local/admin -p MyPassword456! /user/account/settings set -noMaxFailedLogins -noFailedLoginPeriod -noLockoutPeriod
    Running this command while in STIG mode is not recommended. While these settings are in effect, failed logins are neither counted nor penalized with a lockout, so local accounts are exposed to online password guessing (brute-force) attacks.

    To re-enable all login restrictions, simultaneously set -maxFailedLogins, -failedLoginPeriod, and -lockoutPeriod with values in one command, for example:

    uemcli -d 10.0.0.1 -u Local/admin -p MyPassword456! /user/account/settings set -maxFailedLogins 3 -failedLoginPeriod 900 -lockoutPeriod 3600
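    The value ranges, STIG-compliant defaults and the rule that -maxFailedLogins, -failedLoginPeriod and -lockoutPeriod must be changed together (all values, or all -no flags) are easy to get wrong when typing the command by hand, and the password settings above carry the same kind of constraints. The following script, which is an added example and not code from the product or from this guide, encodes those documented rules, rejects an inconsistent combination before it reaches the array, flags the "all three -no flags" state that turns login counting off, and renders the uemcli command line. The ranges and defaults are those stated above; the qualifier names follow the -passwdMinSize / -noMaxFailedLogins pattern shown above, and -defaultAdminLockoutEnabled is an assumed qualifier name for the default admin lockout setting. The host 10.0.0.1 is the one used in the examples above.

```python
"""Validate Unity /user/account/settings values against the ranges and
co-dependency rules documented in this guide, and render the uemcli command.
Added example, not part of the product or the guide.  -defaultAdminLockoutEnabled
is an assumed qualifier name; the other names follow the guide's own pattern."""
import shlex

# Documented inclusive range and STIG-compliant default for each value setting.
RANGES = {
    "passwdMinSize": (8, 40, 15),
    "passwdCount": (3, 12, 5),
    "passwdPeriod": (1, 180, 60),
    "maxFailedLogins": (1, 10, 3),
    "failedLoginPeriod": (1, 3600, 900),
    "lockoutPeriod": (1, 86400, 3600),
    "sessionIdleTimeout": (1, 3600, 600),
}
# Settings the guide lets you switch off with a -no<Name> qualifier.
NO_FLAGS = {"passwdPeriod", "maxFailedLogins", "failedLoginPeriod",
            "lockoutPeriod", "sessionIdleTimeout"}
# These three must be given together: either all with values or all as -no flags.
LOGIN_GROUP = ("maxFailedLogins", "failedLoginPeriod", "lockoutPeriod")
YES_NO = {"defaultAdminLockoutEnabled"}   # assumed qualifier name


def validate(settings):
    """settings maps a setting name to an int, 'yes'/'no', or None (meaning the
    -no<Name> form).  Returns a list of error strings; an empty list means valid."""
    errors = []
    for name, value in settings.items():
        if name in YES_NO:
            if value not in ("yes", "no"):
                errors.append(f"{name} must be yes or no, got {value!r}")
        elif name not in RANGES:
            errors.append(f"unknown setting {name}")
        elif value is None:
            if name not in NO_FLAGS:
                errors.append(f"{name} has no -no form; give a value")
        elif (not isinstance(value, int) or isinstance(value, bool)
              or not RANGES[name][0] <= value <= RANGES[name][1]):
            lo, hi, _ = RANGES[name]
            errors.append(f"{name}={value!r} is outside {lo}-{hi}")
    present = [n for n in LOGIN_GROUP if n in settings]
    if present and len(present) != len(LOGIN_GROUP):
        missing = [n for n in LOGIN_GROUP if n not in settings]
        errors.append(f"{', '.join(present)} also requires {', '.join(missing)}")
    elif present and len({settings[n] is None for n in LOGIN_GROUP}) > 1:
        errors.append("maxFailedLogins, failedLoginPeriod and lockoutPeriod must "
                      "all be values or all be -no flags")
    return errors


def stig_defaults():
    """The values the guide says are applied when the functionality is enabled
    without specifying each setting."""
    values = {name: default for name, (_, _, default) in RANGES.items()}
    values["defaultAdminLockoutEnabled"] = "no"
    return values


def login_counting_disabled(settings):
    """True when the command turns failed-login counting off entirely, the state
    the guide warns leaves local accounts open to online password guessing."""
    return all(settings.get(n, 0) is None for n in LOGIN_GROUP)


def render_command(settings, host, user="Local/admin"):
    """Build the uemcli invocation.  The password is deliberately left out so the
    rendered string is safe to log; pass it separately (the guide's examples use -p)."""
    errors = validate(settings)
    if errors:
        raise ValueError("; ".join(errors))
    args = ["uemcli", "-d", host, "-u", user, "/user/account/settings", "set"]
    for name, value in settings.items():
        if value is None:
            args.append("-no" + name[0].upper() + name[1:])   # -noMaxFailedLogins
        else:
            args += ["-" + name, str(value)]
    return shlex.join(args)


if __name__ == "__main__":
    print(render_command(stig_defaults(), "10.0.0.1"))
    relaxed = {n: None for n in LOGIN_GROUP}
    cmd = render_command(relaxed, "10.0.0.1")
    if login_counting_disabled(relaxed):
        cmd += "   # WARNING: disables failed-login counting"
    print(cmd)
    print(validate({"maxFailedLogins": 3, "passwdMinSize": 7}))
```

    The validator mirrors the guide's wording: a missing member of the failed-login trio is reported as "also requires ...", and mixing a -no flag with values in that trio is rejected outright, which is exactly the command the array would also refuse. Keep login_counting_disabled() as a guard in any automation so the relaxed command is never run against a STIG-mode system by accident.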

    Session idle timeout

    The session idle timeout setting represents the time period in seconds in which a session for a user can be idle before the session is automatically terminated. The time period can be configured to be within the range of 1 - 3600 seconds. The default value when user account settings is enabled without specifying the session idle timeout is 600 seconds. When user account settings is disabled, the session idle timeout is set to empty. This setting is applicable to both local and LDAP user accounts.

    The value -noSessionIdleTimeout means the session will not timeout due to being idle.

    Enable default admin lockout

    The enable default admin lockout setting represents whether the manual and automatic account lockout functionality will apply to the local default admin user account. This setting can be configured to be either yes or no. The default value is no when user account settings is enabled without specifying this setting. A no value means that the manual and automatic account lockout functionality do not apply to the local default admin user account.

    Manual account lock/unlock (physical deployments only)

    A user with an administrator role has the capability to manually lock/unlock user accounts. Once a user account is manually locked, the user is unable to successfully authenticate even if the credentials are valid. Also, the user account remains locked until an administrator manually unlocks the user account.

    The following is a summary of the limitations for the manual lock/unlock functionality:

    • The functionality is only available through the UEMCLI: /user/account -id <user_account_id> set -locked {yes|no}, where <user_account_id> identifies the account to lock or unlock.
    • Only a user with an administrator role can perform this command.
    • The default admin account cannot be locked/unlocked.
    • A user cannot lock/unlock their own accounts.
    • The command returns an error if it is used when STIG mode is not enabled.

    Physical security controls (physical deployments only)

    The area where the storage system resides must be chosen and modified to provide for the physical security of the storage system. This includes basic measures such as providing sufficient doors and locks, permitting only authorized and monitored physical access to the system, providing a reliable power source, and following standard cabling best practices.

    In addition, the following storage system components require particular care:

    • Password reset button: Temporarily resets the passwords of the storage system default administrator account and the service account to their factory defaults, until an administrator sets new passwords. Because pressing the button is enough to regain administrative access, physical access to the SPs must be restricted and monitored.
    • SP Ethernet service port connector: Allows authenticated access through an SP Ethernet service port connection.

    Antivirus protection

    The storage system supports the Common AntiVirus Agent (CAVA). CAVA, a component of the Common Event Enabler (CEE), provides an antivirus solution for clients of the storage system. It uses the industry-standard SMB protocol in a Microsoft Windows Server environment. CAVA uses third-party antivirus software to identify and eliminate known viruses before they infect files on the storage system. The CEE installer, which contains the CAVA installer, and the CEE release notes are available at Online Support under Support By Product for Unity Family, UnityVSA, Unity Hybrid, or Unity All Flash in Downloads > Full Release.