Unisphere Security and Basic Management
Transcript of Unisphere Security and Basic Management
Copyright © 2014 EMC Corporation. All Rights Reserved.
Unisphere Security and Basic Management
Upon completion of this module, you should be able to:
• List Unisphere security features
• Describe Unisphere authentication using LDAP
• Audit Control Station events
• Explain VNX system notification methods and event monitoring
• Implement Unisphere Security
Unisphere Security and Basic Management 1
Lesson 1: Unisphere and CLI interfaces
This lesson covers the following topics:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
VNX Administration
• Administration performed via GUI or CLI connection to the VNX
  - Unisphere GUI
  - CLI to Control Station (for File) or Host Secure CLI (for Block)
EMC Unisphere
• Enter the IP address of the VNX Control Station or Storage Processor
• Browser session
• Unisphere VNX Client
Unisphere Interface Terms and Components (1 of 8)
1. Top Navigation Bar
2. Task Pane
3. Main Pane
Screen controls: Expand Main Pane, Expand Task Pane
Unisphere Interface Terms and Components (2 of 8)
1. Toolbar Search Option
2. General Options
Screen controls: Logged User, Navigation “breadcrumb”, Hide Task Menu, Expand Task Menu
Unisphere Interface Terms and Components (3 of 8)
• Mouse over an option of the Top Navigation Bar opens a submenu
• Right-click of the mouse over a query selection opens a menu with actions for the selected object
Unisphere Interface Terms and Components (4 of 8)
Screen controls: Page Help, Export to CSV file, Refresh the Page, Tools
Unisphere Interface Terms and Components (5 of 8)
Unisphere Interface Terms and Components (6 of 8)
• Mouse cursor over field name
  - Wait for pop-up description
  - Quick answers for simple usability questions
• Example:
  - User is creating an NFS Export for a File System (discussed later in this course)
  - The Create NFS export dialog box opens with a data form
  - Mouse cursor was placed over “Read-only Hosts:”
  - Operator waited two seconds
Unisphere Interface Terms and Components (7 of 8)
• Wizards
  - Generate a pop-up window
  - Simplified step walk-through
  - Designed for novice users
  - Further modification and management done using Navigation and Task pages
VNX for File Command Line Interface (CLI)
• Used for the completion of most administrative tasks
• Primary function: scripting of repetitive tasks
• CLI can be accessed on the Control Station (CS)
  - Local access available directly at the Control Station console
  - Remote access available via an SSH interface tool like PuTTY
• Approximately 80 Linux-like commands; the CS runs an EMC-customized Linux
• Data Movers (DM) do not have a CLI
  - Commands are entered from the CS
  - The CS routes the commands to the Data Movers and Storage Systems
VNX for File CLI Commands
• cel_ commands: execute on remotely-linked VNX for File systems
• cs_ commands: execute on the local Control Station
• fs_ commands: execute on the specified file system
• nas_ commands: execute against the Control Station database
• server_ commands: execute directly on a Data Mover
Unisphere Integration with VNX for File CLI
• Integration with the Command Line Interface (CLI)
  - VNX for File CLI commands can be executed via the GUI interface
  - Only one command at a time
VNX for Block Command Line Interface (CLI)
• Secure CLI is a comprehensive VNX CLI for Block solution
  - Client application installed on supported Windows, Linux/Unix hosts
  - Commands consist of the naviseccli command and options
  - Commands: storage connectivity/provisioning and management, LUN compression/expansion/migration, storage domain/host agents
SP Setup Page
Lesson 1: Summary
During this lesson the following topics were covered:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
Lesson 2: Unisphere Security Features
This lesson covers the following topics:
• VNX Administrative user authentication
• Unisphere Security Features
• Unisphere authentication scopes
• Unisphere user roles for system administration
VNX Management Access Security
• Different management applications with access to the VNX system
• Access limited to authorized users and applications
  - Authentication: identify the user making a request
  - Authorization: determine if the user has the right to exercise the request
  - Privacy: avoid unauthorized disclosure of information to the user
  - Trust: verify the identity of the communicating parties
  - Audit: record of activities performed by an authenticated user
VNX Administration Security
• VNX access via GUI or CLI interfaces requires user authentication
• Administrative options for:
  - Unique administrative user accounts
  - Role-based administration
  - Secure authentication and management: SSL/TLS & SSH
Administrative Authentication Scope
• Authentication Scopes
  - Global
  - Local
  - LDAP
Figure: Login flow; an LDAP user is authenticated by the LDAP Server, a Local user by the local system, and a Global user by the Storage Domain.
VNX Default Management Accounts
• VNX for File and Unified systems default management accounts
• VNX for Block systems do not have default factory-installed management accounts
  - A global account can be created during initialization or first login

Account    Description
root       VNX for File local account which provides administrator-level privileges on the CS
nasadmin   VNX for File local account which provides administrator-level privileges on the CS
sysadmin   Global system account which provides administrator-level privileges for both VNX for File and VNX for Block
Administrative Roles
• Areas of administrative responsibility
• Privileges to VNX objects: Read/Modify/Full Control
• Associated to the user’s Primary group
• System-defined roles: cannot be modified/deleted
• User-defined roles: custom configured
• Roles apply to GUI & CLI
Unisphere SSL/TLS Certificates
• Certificates secure VNX network links for:
  - Management
  - LDAP bindings
  - Establishing a trusted identity
  - PKI encoding and decoding
• Default self-signed certificates: SPA, SPB & Control Station, 2048-bit RSA keys
• Generate Data Mover self-signed certificates
• Configure CA-signed certificates: SPA, SPB & Data Movers
Figure: SSL/TLS-secured links: LDAP, FileMover, Management, VMware ESXi, Client Software
VNX Log Auditing
• Audit Logging on a VNX for Block system
  - Check for suspicious activity logged on the VNX SPs
  - Provides information on the affected SPs and the associated hosts
• Auditing on a VNX for File system
  - Capture management activities initiated from the Control Station
  - Verify access to key system files and end-user data
• Integration with RSA enVision
  - The application provides collection, analysis and reporting of administrative events logged by the VNX storage systems
Lesson 2: Summary
During this lesson the following topics were covered:
• VNX Administrative user authentication
• Unisphere authentication scopes
• Unisphere Security features
• Unisphere user roles for system administration
Lesson 3: Unisphere Authentication using LDAP
This lesson covers the following topics:
• VNX integration with LDAP for management
• Binding the Control Station and SPs to LDAP
• Configuring group mappings
• Assigning administrative roles to LDAP users
Configuring LDAP Authentication Overview
• Configure LDAP binding to the LDAP server
• Map a VNX Administrative Role to an LDAP Group
• VNX creates a Local group and maps it to the LDAP Group
Figure: 1. LDAP Binding (LDAP-based domains: Microsoft AD, iPlanet, OpenLDAP); 2. Role to Group mapping; 3. Group mapping
Configuring LDAP Binding: Part 1
• Settings > Security
  - From the System Tasks pane: Manage LDAP Domain
• Server tab
  - IP address & port number
  - Server Type and Protocol
  - Domain Name
  - BindDN and Password
  - User and Group search Paths
Configuring LDAP Binding: Part 2
• Role Mapping tab
  - For LDAP Group object
  - Domain group or user name
  - Role for user or group
• Advanced tab
  - Customize various LDAP attributes
Automatic LDAP Group Mapping
• New local group automatically created on the VNX
• Automatic mapping between the new local group and the LDAP domain group
  - Members of the LDAP group are granted administrative rights for the role
LDAP User Login
• GUI Login
  - LDAP Credentials: Username/Password
  - Select the Use LDAP option
• CLI Login to the Control Station
  - LDAP credentials, Username format: <username>@<domain name>
Example CLI login session (abbreviated):
login as: [email protected]@[email protected]'s password: *******
[ptesca@VNX3cs0 ~]$
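As an added illustration (not part of the course material), the following Python model of the Manage LDAP Domain fields from the two preceding slides reviews a binding for weak settings and resolves a user's role from the role-to-group mappings and the <username>@<domain name> login format. The dataclass field names, the group DNs, addresses and the sample bindings are assumptions for this example.

```python
from dataclasses import dataclass, field

# Hypothetical model of the Manage LDAP Domain dialog (Server and Role Mapping
# tabs). Field names are assumptions for this example, not a Unisphere API.
@dataclass
class LdapBinding:
    server: str
    port: int
    server_type: str            # e.g. "Active Directory", "OpenLDAP"
    protocol: str               # "LDAP" or "LDAPS"
    domain: str                 # domain name users log in with
    bind_dn: str
    bind_password: str
    user_search_path: str
    group_search_path: str
    role_mappings: dict = field(default_factory=dict)   # LDAP group DN -> VNX role

def review_binding(b):
    """Return a list of findings; an empty list means the binding passes these checks."""
    findings = []
    if b.protocol.upper() != "LDAPS":
        findings.append("plain LDAP: bind and user passwords cross the network unencrypted, use LDAPS")
    elif b.port != 636:
        findings.append(f"LDAPS selected but port is {b.port}, expected 636")
    if not b.bind_dn or not b.bind_password:
        findings.append("anonymous bind: configure a dedicated read-only BindDN and password")
    for path in (b.user_search_path, b.group_search_path):
        if not path.lower().startswith(("ou=", "cn=", "dc=")):
            findings.append(f"search path does not look like a DN: {path!r}")
    for group_dn, role in b.role_mappings.items():
        if not group_dn.lower().endswith(b.group_search_path.lower()):
            findings.append(f"mapped group {group_dn!r} lies outside the group search path")
        if role == "Administrator" and group_dn.lower().startswith("cn=domain users,"):
            findings.append(f"Administrator role mapped to a broad group: {group_dn!r}")
    return findings

def resolve_role(b, login, member_of):
    """Mimic the CLI login: '<username>@<domain name>' must name the bound domain,
    and the first mapped group the user belongs to decides the role."""
    user, sep, dom = login.partition("@")
    if not user or not sep or dom.lower() != b.domain.lower():
        return None
    for group_dn in member_of:
        role = b.role_mappings.get(group_dn)
        if role:
            return role
    return None

# Constructed sample bindings: a weak one and its corrected counterpart.
SEARCH_USERS = "ou=Users,dc=vnx,dc=example"
SEARCH_GROUPS = "ou=Groups,dc=vnx,dc=example"
WEAK = LdapBinding("10.0.0.5", 389, "Active Directory", "LDAP", "vnx.example", "", "",
                   SEARCH_USERS, SEARCH_GROUPS,
                   {"cn=Domain Users,ou=Groups,dc=vnx,dc=example": "Administrator"})
HARDENED = LdapBinding("10.0.0.5", 636, "Active Directory", "LDAPS", "vnx.example",
                       "cn=vnx-bind,ou=Service,dc=vnx,dc=example", "<bind-password-placeholder>",
                       SEARCH_USERS, SEARCH_GROUPS,
                       {"cn=VNX Admins,ou=Groups,dc=vnx,dc=example": "Administrator",
                        "cn=VNX Security,ou=Groups,dc=vnx,dc=example": "Security Administrator"})

if __name__ == "__main__":
    for name, binding in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review_binding(binding) or "no findings")
    print(resolve_role(HARDENED, "ptesca@vnx.example",
                       ["cn=VNX Security,ou=Groups,dc=vnx,dc=example"]))
```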
Lesson 3: Summary
During this lesson the following topics were covered:
• Integration of VNX with LDAP domains and users
• How to bind the Control Station and SPs to LDAP
• Configuration of Group mappings
• Assignment of Administrative Roles to LDAP users
Lesson 4: Control Station Auditing
This lesson covers the following topics:
• Auditing the administrative access to the Control Station
• Auditing events
• Control Station audit commands, creation of logs and reports
Auditing on the VNX Control Station
• The purpose of auditing is to record the security-relevant events that happen on a system
  - Provides information about who initiated the event and the event’s effect on the system (e.g., success or failure)
• Auditing is driven by several factors including compliance concerns and basic system management
• Auditing is enabled by default
Default Audit Events
• Defined in /etc/audit/audit.rules
  - Root file system access by Administrators
  - A list of sensitive system files
  - Changes to the audit infrastructure
  - Users authenticating to the system
Record Types
• Several main record types are associated with audit events
• The main record types are listed in the table below

Record Type   Description
SYSCALL       Information associated with a system call invocation
PATH          Information about a file being accessed
CWD           The current working directory of the process
USER_XX       Events associated with a user authenticating to the system
FS_WATCH      Associated with accessing a file system object that has an explicit watch placed on it
Audit Commands
• Native Linux commands
  - No VNX-specific commands
  - Man pages
  - Requires root permissions
• /sbin/auditctl: controls the kernel’s audit subsystem
• /sbin/ausearch: for reading the audit trail
• /sbin/aureport: produces summary reports of audit logs
• /sbin/service auditd: controls the audit subsystem
  - Options: start, stop, status, restart, reload, rotate, condrestart
Audit Control
• Configure audit behavior: /sbin/auditctl
  - Example shows abbreviated output of this command’s help

# ./auditctl -h
usage: auditctl [options]
 -a <l,a>       Append rule to end of <l>ist with <a>ction
 -A <l,a>       Add rule at beginning of <l>ist with <a>ction
 -b <backlog>   Set max number of outstanding audit buffers allowed Default=64
 -d <l,a>       Delete rule from <l>ist with <a>ction
                l=task,entry,exit,user,watch,exclude a=never,possible,always
 -D             Delete all rules and watches
 -e [0..2]      Set enabled flag
 -f [0..2]      Set failure flag 0=silent 1=printk 2=panic
 -F f=v         Build rule: field name, operator(=,!=,<,>,<=,>=,^,&) value
 -h             Help
Viewing Audit Log
• Reading the audit trail: /sbin/ausearch
  - Example shows file system paths accessed; the output below is abbreviated

# /sbin/ausearch -i -m PATH | grep cwd
type=CWD msg=audit(04/28/2011 09:05:08.909:8442) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.911:8443) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.914:8444) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.916:8445) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.917:8446) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.974:8447) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.975:8448) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:10:01.119:8472) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.120:8473) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.132:8475) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.133:8476) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.137:8477) : cwd=/home/nasadmin
Creating Audit Reports
• Generating Audit Summary Reports: /sbin/aureport
  - Example shows the Authentication Report

# ./sbin/aureport --auth
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
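The ausearch and aureport output on these two slides is read for anomalies by hand; as an added example that is not part of the course material, this Python script parses the aureport authentication-report layout shown above and summarises failed attempts per account, the hosts that logged in remotely, and successful su-to-root events. The sample report is constructed from the entries above plus one invented line (entry 6); the failure threshold and the record field names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of 'aureport --auth' output, modelled on the report above
# (entry 6 and its host are invented to show a repeated failure).
SAMPLE_REPORT = """\
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
6. 04/28/2011 07:36:15 acct="itechi 10.12.247.9 ssh /usr/sbin/sshd no 301
"""

@dataclass(frozen=True)
class AuthEvent:
    date: str
    time: str
    acct: str
    host: str       # "?" when the login did not arrive over the network
    term: str
    exe: str
    success: bool
    event_id: int

# One numbered report line; the acct value may carry a stray opening quote, as in the transcript.
LINE_RE = re.compile(
    r'^\d+\.\s+(\S+)\s+(\S+)\s+acct="?([^"\s]+)"?\s+(\S+)\s+(\S+)\s+(\S+)\s+(yes|no)\s+(\d+)\s*$')

def parse_auth_report(text):
    """Turn the report text into AuthEvent records, skipping headers and separators."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, acct, host, term, exe, ok, ev = m.groups()
        events.append(AuthEvent(date, time, acct, host, term, exe, ok == "yes", int(ev)))
    return events

def review(text, max_failures=2):
    """Summarise what an auditor pulls from the report: failures per account, accounts
    at or above the failure threshold, hosts with successful remote logins, and
    successful switches to root via su (reported under the target account)."""
    events = parse_auth_report(text)
    failed = Counter(e.acct for e in events if not e.success)
    return {
        "events": len(events),
        "failed_by_account": dict(failed),
        "accounts_over_threshold": sorted(a for a, n in failed.items() if n >= max_failures),
        "remote_login_hosts": sorted({e.host for e in events if e.success and e.host != "?"}),
        "root_su_events": [e.event_id for e in events
                           if e.success and e.acct == "root" and e.exe.endswith("/su")],
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```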
Audit Backups
• Audit logs are located in /celerra/audit
• Backup of auditing configuration files and current audit log file
  - To backend: /nas/var/auditing/
  - Each Control Station synched every 180 seconds
  - /nas/var/auditing/cs0/ and /nas/var/auditing/cs1/
  - If the Control Station in slot 0 is replaced, recovery code will restore the audit configuration files
  - Slot 1 auditing configuration is restored manually

# ls /nas/var/auditing/
cs0 lost+found
# ls /nas/var/auditing/cs0
auditd.conf audit.log audit.rules
Lesson 4: Summary
During this lesson the following topics were covered:
• Auditing the administrative access to the Control Station
• Events that can be configured for auditing
• Control Station audit commands used for the creation of logs and reports
Lesson 5: Notification Methods and Event Monitoring
This lesson covers the following topics:
• Unisphere monitoring features
• Event logs for VNX system activities
• Event monitor operations
• Event monitor notifications
Unisphere System Monitoring
• System > Monitoring and Alerts >
Unisphere Monitoring: Alerts
• System > Monitoring and Alerts > Alerts
Unisphere Monitoring: Background Tasks for File
• System > Monitoring and Alerts > Background Tasks for File
Unisphere Monitoring: Event Logs for File
• VNX for File related events
  - Messages from the Data Mover or Control Station
  - Selected time interval and severity level
  - Right-click the mouse over the selection and select Details
Unisphere Monitoring: SP Event Logs
• VNX for Block related events
  - Events logged on the Storage Processor
Unisphere Monitoring: Notifications for File
• System Event Notification: Facility, Severity, Action, Destination
• System Resource Utilization: Storage usage, Storage Protection, DM load

Events Query   Description
Facility       Facility value must match this value to trigger the notification
Severity       Severity level that will trigger the notification: 0, 1, and 2 – Critical; 3 – Error; 4 – Warning; 4, 6 – Informational
Action         Action that must be taken if the event meets the Facility and Severity criteria
Destination    Destination of the notification. Format depends on the type of action: absolute path on the CS for a log file; single SNMP trap; comma-separated e-mail addresses (SMTP)
Unisphere Monitoring: Notifications for Block
• Creation of Centralized or Distributed Monitors
• Creation and Configuration of Notification templates
  - Event Severity: Information, Warning, Error, Critical
  - Event Category: Basic Array, MirrorView, SnapView, SAN Copy, NQM, Alerts, Virtual Provisioning, VNX Snapshots
  - Actions: Logs, Combine events, add response, e-mail notification, paging service, SNMP trap
Unisphere Monitoring: Statistics for File
• Graphics with information about usage and performance: File System, Storage, Network device
• Change of parameters for visualization and flexible navigation
Unisphere Monitoring: Statistics for Block
• Unisphere Analyzer
Lesson 5: Summary
During this lesson the following topics were covered:
• Unisphere monitoring features
• Event logs for VNX system activities
• Event monitor operations
• Event monitor notifications
Lesson 6: Implementing Unisphere Security
This lesson covers the following topics:
• Configuring storage domain management of VNX systems
• Configuration of administrative users and assignment of administrative roles
• Creating email notifications
• Setting notifications for various severity levels
Unisphere Storage Domains
• All Systems > Domains
  - Each VNX is its own storage domain
  - Domain members: SPA, SPB, Control Station
  - System managed by a Unisphere session to any member
  - Global user account “sysadmin”: Administrative role
Figure: Storage Domain containing SPA, SPB and CS
Multi-Domain Management
• All Systems > Domains
Adding a VNX System to Domain
• All Systems > System List > Add
  - Enter the SP IP Address
Creating New Administrative Users
• Settings > Security > User Management
  - Requires the Administrator or Security Administrator role
  - Global users
  - Local users: for File, for Block
Assigning Administrative Roles
• Settings > Security > User Management > User Customization for File > Users > Properties
  - Primary Group
  - Group Membership
  - Role
  - Client Access
VNX Email Notifications: Email User
• Set up the email account
VNX Notifications: Create Notifications for File
• Create the event to monitor
• Select the recipient of the notification
Event Monitoring Configuration
1. Event Monitor Type: Distributed or Centralized
2. Selection of hosts to monitor
3. Events by Category: Basic Array, MirrorView, SnapView, SAN Copy, Alerts, VNX Snapshots
4. Severity: Critical, Error, Warnings, Informational
5. Response: Send e-mail, Send SNMP trap
Lesson 6: Summary
During this lesson the following topics were covered:
• Configuring and management of the storage domain
• Configuration of administrative users and assignment of administrative roles
• Setting email notifications
• Setting notifications for File for various severity levels
Summary
Key points covered in this module:
• VNX provides multiple interface options, including VNX Unisphere and CLI
• Unisphere supports Global, Local, and LDAP authentication options, as well as built-in management accounts. Default and custom administrative roles help to control management access.
• Control Station auditing can be used to manage desired events.
• Unisphere monitoring and notification can also be used to manage and report on events.