Administration Security

Module 5 Data ONTAP 8.0 7-Mode Administration

Module Objectives
By the end of this module, you should be able to: Restrict administrative access Restrict console and NetApp System Manager access Configure a client machine as an adminhost to manage a storage system

2009 NetApp. All rights reserved.

Storage System Access

Careful attention should be taken when setting up administrative access
Dont allow admin access from anywhere

To secure your system:

Ensure proper configuration Manage user logins Communicate securely with the storage system Guard physical access

2009 NetApp. All rights reserved.

Secure Configuration

2009 NetApp. All rights reserved.

Securing a NetApp Storage System

Use secureadmin to enable SSH and SSL and the follow settings are set:
system> system> system> system> options options options options ssh.enable on ssh2.enable on ssh.passwd_auth.enable on ssh.pubkey_auth.enable on

These steps were performed when we discussed configuring a storage system with System Manager and CLI

User SSL to communicate with System Manager

system> options httpd.admin.ssl.enable on

2009 NetApp. All rights reserved.

Securing a NetApp Storage System (Cont.)

Disable nonsecure protocols:
system> system> system> system> system> system> options options options options options options rsh.enable off telnet.enable off ftpd.enable off httpd.enable off httpd.admin.enable off ssh1.enable off

Check to ensure the passwords are hardened:

system> system> system> system> ... options options options options security.passwd.rules.everyone on security.passwd.rules.history 6 security.passwd.minimum 8 security.passwd.minimum.digit 1
These should be set in compliance with corporate security policies

2009 NetApp. All rights reserved.

Manage User Logins

2009 NetApp. All rights reserved.

Administrator Users
Initially, there is only one administrator account
Root

Multiple administrator accounts are allowed

Managed by role-based access control (RBAC)

Login information is tracked in the syslog (/etc/messages file), including:

User name Time of access Node name or address

Administrative operations are tracked in the audit log (/etc/log/auditlog)

2009 NetApp. All rights reserved.

Role-Based Access Control (RBAC)

RBAC
Mechanism for managing a set of capabilities that an administrator can perform on a storage system

Steps to implement:
Create a role with specific capabilities Create a group with one or more assigned role Create user(s) assigned to one or more group

Groups

Roles

Capabilities

2009 NetApp. All rights reserved.

Capabilities
Capabilities are:
Predefined privileges that allow users to execute commands or take other specified actions

A role is a set of capabilities The following capabilities are predefined:

Login CLI Security API

2009 NetApp. All rights reserved.

Roles
A role is a defined set of capabilities Data ONTAP includes several predefined roles Administrators can create additional roles or modify existing roles

Admin Role Capabilities

Login capability Security capability CLI capability API capability

2009 NetApp. All rights reserved.

Predefined Administrative Roles

root - Grants all possible capabilities admin - Grants all CLI, API, login, and security capabilities power - Grants the ability to: Invoke all cifs, exportfs, nfs, and useradmin CLI commands Make all cifs and nfs API calls Log in using Telnet, HTTP, RSH, and SSH sessions compliance - Grants the ability of the power role along with SnapLock and file API calls audit - Grants the ability to make snmp-get and snmp-get-next API calls none - Grants no administrative capabilities
2009 NetApp. All rights reserved.

Groups
A group is:
A collection of users Associated with one or more roles

Groups have defined permissions and access levels that are defined by roles

Admin Role

2009 NetApp. All rights reserved.

Predefined Groups
Administrators - Grants all CLI, API, login, and security capabilities Power Users - Grants the ability to invoke cifs, nfs, and useradmin CLI commands, manage cifs and nfs API calls, and log in using Telnet, HTTP, RSH, and SSH sessions Compliance Administrators group - compliance role Backup Operators - none role Users - Grants the ability to make snmp-get and snmp-get-next API calls Guests - none role Everyone - none role
2009 NetApp. All rights reserved.

User Creation RequirementsRole

Current role definitions can be viewed using the CLI command:
useradmin role list [role]

Empty list general information for all roles Specific role detailed information about a particular role

Create new role using the CLI command:

useradmin role add <rolename> a <capability> ,

Capability can be one or more of login, CLI, security, or API capabilities Each capability can be refined to a specific subset

2009 NetApp. All rights reserved.

Users
A user is:
An individual account that may or may not have capabilities defined for the storage system Part of a group

Admin Role

2009 NetApp. All rights reserved.

User Creation RequirementsGroup

Current group definitions can be viewed using the CLI command:
useradmin group list [group_name]

Empty list general information for all groups Specific group detailed information about a particular group Create a new group using the CLI command:
useradmin group add <groupname> -r <role>,

A group must be associated with one or more roles

2009 NetApp. All rights reserved.

Purpose of Local Users

Local users
Are used for administrative access In CIFS:
Provides list of authenticated users with Microsoft Windows workgroup authentications Provides access to users when there is no domain controller access with Windows domain authentications

In NFS v4, provides access to the storage system

Although you can provide access to data with local users, NetApp recommends using local users only for administrative access
2009 NetApp. All rights reserved.

Security Administration
User accounts are managed from the CLI using the following command:
useradmin This command allows you to list, add, and delete users The user account is maintained in the /etc/registry file

User authentication is performed locally on the storage system

Admin Role

2009 NetApp. All rights reserved.

Security Administration (Cont.)

Password control is defined by security options in:
system> options security

Password management is defined by the CLI command:

system> passwd

NOTE:
The root user ID cannot be deleted No initial password for root for upgrades (new installs require root password by default) Passwords cannot be the same as user name Root has full admin rights to machine without login if there are no other user definitions or password settings

2009 NetApp. All rights reserved.

System Manager: Password Control

Select

Set root user password and click Change

2009 NetApp. All rights reserved.

User Access
Administrative activities are logged For security purposes, each user should have a unique login account Only users can log in to the storage system The syslog file records console logins according to the following:
User name (may be up to 32 characters, not case-sensitive) Time of access Node name and address

2009 NetApp. All rights reserved.

User Creation Requirements - User

Current user definitions can be viewed using the CLI command:
useradmin user list [user]

Empty list: General information for all users Specific user: Detailed information about a particular user

Create a new user using the CLI command:

useradmin user add <username> -g <group>,

Password may be required (see security options) User must be associated with one or more groups
2009 NetApp. All rights reserved.

Authentication Management

To configure users

2009 NetApp. All rights reserved.

Authentication Management (Cont.)

The newly created user

To delete the selected user

2009 NetApp. All rights reserved.

Authentication Management (Cont.)

2009 NetApp. All rights reserved.

Authentication Management (Cont.)

To configure groups

Select the pre-created role

2009 NetApp. All rights reserved.

Authentication Management (Cont.)

The newly created group

2009 NetApp. All rights reserved.

Authentication Management (Cont.)

2009 NetApp. All rights reserved.

Communicate Securely

2009 NetApp. All rights reserved.

Data ONTAP 8.0

Data ONTAP 8.0 ships with the most secure options enabled
SSH and SSL are enabled by default
Configuration required

Telnet, RSH, HTTP, FTP are disabled by default

NOTE: When upgrading, a storage system will inherit the settings of the previous version

2009 NetApp. All rights reserved.

Administration Host
The setup command requests the name and IP address of adminhost
This is typically a UNIX/Linux host that has access to mount the root volume from the storage system When mounted, root on the adminhost has root access to the root volume

If provided, the adminhost is granted access to the root volume for administrative purposes If not provided, all NFS clients will be granted read-write access to the root volume (not recommended)
2009 NetApp. All rights reserved.

Restricting Access
To improve security, you can configure the storage system to allow logins only from trusted hosts. This option can be configured using:
CLI command:
options trusted.hosts [hostname|*|-]

NetApp System Manager

You may specify up to five clients to be given SSH and System Manager privileges

2009 NetApp. All rights reserved.

System Manager: Security

Configure Security immediately to ensure proper a security connection

2009 NetApp. All rights reserved.

System Manager: Security (Cont.)

2009 NetApp. All rights reserved.

Guard Physical Access

2009 NetApp. All rights reserved.

Physical Access
Physical access concerns:
Guard access to your storage systems
Root password can be reset
Discussed in Module 18

2009 NetApp. All rights reserved.

Module Summary
In this module, you should have learned to: Restrict administrative access Restrict console and NetApp System Manager access Configure a client machine as an adminhost to manage a storage system

2009 NetApp. All rights reserved.

Exercise
Module 5: Administration Security Estimated Time: 30 minutes

Check Your Understanding

How do you control administrative access to the storage system?
By creating users with the useradmin command and assigning users to a role

Why would you use the useradmin command?

To create and manage:
Administrator user accounts Groups Roles

2009 NetApp. All rights reserved.