Isilon

OneFS
Version 8.1.2

Security Configuration Guide

Copyright © 2013-2018 Dell Inc. All rights reserved.

Published August 2018

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

2 OneFS 8.1.2 Security Configuration Guide

CONTENTS

Chapter 1 Introduction to this guide 9

About this guide.......................................................................................... 10
Reporting security vulnerabilities................................................................ 10
EMC security advisories..............................................................................10
False positive security vulnerabilities...........................................................10
Related documents..................................................................................... 10
Where to go for support.............................................................................. 11
Terminology................................................................................................ 12

Chapter 2 Security overview 15

Security deployment models....................................................................... 16
General business security deployment model................................. 16
SmartLock security deployment model.......................................... 16
Security Technical Implementation Guide (STIG) deployment model
(Federal accounts only)..................................................................17
Security control map...................................................................................18

Chapter 3 Cryptography 19
Cryptography overview.............................................................................. 20
Cryptographic inventory for FTP................................................................20
Cryptographic inventory for HTTPS............................................................21
Cryptographic inventory for NFS............................................................... 22
Cryptographic inventory for OpenSSH....................................................... 23
Cryptographic inventory for SMB...............................................................23

Chapter 4 OneFS security hardening 25

Security hardening..................................................................................... 26
STIG hardening profile................................................................................26
Apply a security hardening profile...............................................................27
Revert a security hardening profile.............................................................28
View the security hardening status.............................................................29

Chapter 5 Authentication 31
Authentication overview............................................................................. 32
Supported authentication providers...............................................32
Authentication provider features................................................... 32
Active Directory......................................................................................... 33
Configuring an Active Directory provider....................................... 34
LDAP.......................................................................................................... 36
Configuring an LDAP provider........................................................37
NIS..............................................................................................................41
Configuring an NIS provider........................................................... 41
Kerberos authentication............................................................................. 42
Keytabs and SPNs overview.......................................................... 43
Configuring an MIT Kerberos provider........................................... 43
File provider............................................................................................... 45
Configuring a file provider............................................................. 46

OneFS 8.1.2 Security Configuration Guide 3

CONTENTS

Local provider.............................................................................................50
Configuring local users and groups................................................ 50
Certificates................................................................................................ 53
Replacing or renewing the TLS certificate.....................................53
Verify a TLS certificate update......................................................58
TLS certificate data example......................................................... 58
Cluster identity...........................................................................................59
Set the cluster name and contact information...............................59

Chapter 6 Identity management 61

Identity management overview...................................................................62
Identity types............................................................................................. 62
Access tokens............................................................................................ 63
Access token generation............................................................................ 64
ID mapping.................................................................................... 64
User mapping................................................................................ 66
On-disk identity............................................................................. 68
Configuring identity mapping......................................................................70
Create an identity mapping............................................................ 70
Configure identity mapping settings.............................................. 70
ID mapping ranges......................................................................... 70
Configuring user mapping............................................................................71
Create a user-mapping rule............................................................ 71
Mapping rule options..................................................................... 72
Mapping rule operators..................................................................73

Chapter 7 Network security 77

Network port usage.................................................................................... 78
OneFS services.......................................................................................... 84
Data-access protocols................................................................................86
Mixed protocol environments........................................................ 87
FTP.............................................................................................................87
Enable and configure FTP file sharing............................................ 87
FTP security.................................................................................. 88
About Hadoop............................................................................................ 88
How Hadoop is implemented on OneFS......................................... 89
Configuring HDFS......................................................................... 90
HDFS authentication methods.......................................................90
Hadoop user and group accounts.................................................. 92
Enabling the WebHDFS REST API................................................. 92
Secure impersonation.................................................................... 93
HTTP and HTTPS.......................................................................................94
Enable and configure HTTP........................................................... 95
NFS............................................................................................................ 96
NFS exports.................................................................................. 96
NFS aliases.................................................................................... 97
NFS log files.................................................................................. 97
Configuring NFS............................................................................ 98
SMB..........................................................................................................102
Configuring SMB..........................................................................103
SMB security settings.................................................................. 103
SMB shares in access zones........................................................ 104
SMB Multichannel........................................................................105
Anonymous access to SMB shares...............................................106

4 OneFS 8.1.2 Security Configuration Guide

 CONTENTS

Chapter 8 Roles and privileges 107

Role-based access.................................................................................... 108
Roles............................................................................................ 108
Managing roles.............................................................................109
Privileges.................................................................................................. 109
Supported OneFS privileges......................................................... 110
Data backup and restore privileges............................................... 110
Command-line interface privileges.................................................111

Chapter 9 Data security 113

Access zones overview ............................................................................. 114
Base directory guidelines.............................................................. 114
Access zones best practices......................................................... 115
Configuring an access zone.......................................................... 116
Data access control overview.................................................................... 116
ACLs............................................................................................. 116
UNIX permissions..........................................................................117
Mixed-permission environments....................................................117
Configuring data access control....................................................118
SmartLock overview..................................................................................127
Compliance mode......................................................................... 127
SmartLock directories.................................................................. 128
Accessing SmartLock with IsilonSD Edge.....................................128
Replication and backup with SmartLock.......................................129
Configuring SmartLock................................................................ 130
Snapshots overview.................................................................................. 136
Data protection with SnapshotIQ................................................. 136
Protection domains overview.................................................................... 136
Protection domain considerations................................................ 137
Create a protection domain.......................................................... 138
Data-at-rest encryption overview............................................................. 138
Self-encrypting drives.................................................................. 138
Data-at-rest encryption for IsilonSD Edge................................... 139
Data security on self-encrypting drives........................................ 139
Data migration to a cluster with self-encrypting drives................ 139
Chassis and drive states............................................................... 139
Smartfailed drive REPLACE state................................................ 143

Chapter 10 Auditing and logging 145

Auditing overview......................................................................................146
Syslog....................................................................................................... 146
Syslog forwarding.........................................................................147
Protocol audit events................................................................................ 147
Supported event types..............................................................................148
Supported audit tools................................................................................149
Configuring auditing.................................................................................. 149
Enable protocol access auditing................................................... 149
Forward protocol access events to syslog ...................................150
Enable system configuration auditing........................................... 151
Forward system configuration changes to syslog......................... 152
Events and alerts...................................................................................... 152
Events overview...........................................................................153
Event groups overview................................................................. 153
Alerts overview............................................................................ 153

OneFS 8.1.2 Security Configuration Guide 5

CONTENTS

Channels overview....................................................................... 153

Configuring and managing events................................................ 154

Chapter 11 Physical security 159

Physical security overview........................................................................ 160
Security of the data center....................................................................... 160
Physical ports on Isilon nodes................................................................... 160
Statements of Volatility............................................................................ 160

Chapter 12 Serviceability 163

Self-service support..................................................................................164
Remote support using ESRS..................................................................... 164
Configuring EMC Secure Remote Services support..................... 164
Remote support scripts................................................................ 167
Enable and configure ESRS...........................................................171

Chapter 13 Antivirus 175

Antivirus overview..................................................................................... 176
On-access scanning.................................................................................. 176
Antivirus policy scanning........................................................................... 177
Individual file scanning...............................................................................177
Antivirus scan reports................................................................................177
ICAP servers..............................................................................................177
Antivirus threat responses.........................................................................178
Configuring antivirus................................................................................. 179
Enable or disable antivirus scanning............................................. 179
Exclude files from antivirus scans.................................................179
Configure on-access scanning settings.........................................181
Configure antivirus threat response settings................................ 181
Configure antivirus report retention settings................................ 181
Add and connect to an ICAP server.............................................. 181
Create an antivirus policy............................................................. 182
Scan a file.................................................................................... 182
Manually quarantine a file.............................................................183
Manually truncate a file................................................................ 183

Chapter 14 Security best practices 185

Overview...................................................................................................186
Persistence of security settings ............................................................... 186
General cluster security best practices..................................................... 188
Create a login message ............................................................... 188
Set a timeout for idle CLI sessions (CLI)...................................... 188
Set a timeout for idle SSH sessions (CLI)..................................... 191
Forward audited events to remote server.....................................192
Firewall security........................................................................... 193
Disable OneFS services that are not in use...................................193
Configure WORM directories using SmartLock............................ 194
Back up cluster data.....................................................................194
Use NTP time...............................................................................195
Best practices for login, authentication, and privileges............................. 196
Restrict root logins to the cluster.................................................196
Use RBAC accounts instead of root............................................. 196

6 OneFS 8.1.2 Security Configuration Guide

 CONTENTS

Privilege elevation: Assign select root-level privileges to non-root

users............................................................................................ 196
Restrict authentication by external providers.............................. 200
Replace the TLS certificate..........................................................201
SNMP security best practices...................................................................201
Use SNMPv3 for cluster monitoring.............................................201
Disable SNMP..............................................................................202
SSH security best practices..................................................................... 202
Perform general SSH hardening.................................................. 202
Restrict SSH access to specific users and groups....................... 204
Restrict SSH access to specific IP addresses.............................. 204
Disable root SSH access to the cluster........................................ 207
Best practices for data-access protocols................................................. 209
Use a trusted network to protect files and authentication
credentials that are sent in cleartext........................................... 209
Use compensating controls to protect authentication credentials
that are sent in cleartext.............................................................. 210
Use compensating controls to protect files that are sent in cleartext
.....................................................................................................210
Disable FTP access....................................................................... 211
Limit or disable HDFS access........................................................ 211
Limit or disable HTTP access....................................................... 212
NFS best practices.......................................................................213
SMB best practices...................................................................... 213
SMB signing................................................................................. 214
Disable Swift access.....................................................................217
Web interface security best practices....................................................... 217
Secure the web interface headers................................................ 217
Accept up-to-date versions of TLS in the OneFS web interface.. 219

Chapter 15 Additional security best practices for IsilonSD Edge 221

Security recommendations for EMC IsilonSD Edge front-end network.... 222
Security requirements for EMC IsilonSD Edge back-end network............ 223
Updating the IsilonSD Edge management server...................................... 223

Chapter 16 Additional security best practices for CloudPools 225

Configuring network proxy servers with CloudPools................................ 226

OneFS 8.1.2 Security Configuration Guide 7

CONTENTS

8 OneFS 8.1.2 Security Configuration Guide

CHAPTER 1
Introduction to this guide

This section contains the following topics:

l About this guide..................................................................................................10

l Reporting security vulnerabilities........................................................................10
l EMC security advisories..................................................................................... 10
l False positive security vulnerabilities.................................................................. 10
l Related documents.............................................................................................10
l Where to go for support...................................................................................... 11
l Terminology........................................................................................................12

Introduction to this guide 9

Introduction to this guide

About this guide

This guide provides an overview of the security configuration controls and settings
available in Isilon OneFS. This guide is intended to help facilitate secure deployment,
usage, and maintenance of the software and hardware used in Isilon clusters.
Most of the information in this guide also applies to IsilonSD Edge, a software-defined
version of OneFS running on the VMware ESXi hypervisor. Differences, if any, are
highlighted in the respective sections of this guide.
Your suggestions help us to improve the accuracy, organization, and overall quality of
the documentation. Send your feedback to https://www.research.net/s/isi-
docfeedback. If you cannot provide feedback through the URL, send an email message
to [email protected].

Reporting security vulnerabilities

EMC takes reports of potential security vulnerabilities in our products very seriously. If
you discover a security vulnerability, you are encouraged to report it to EMC
immediately.
For information on how to report a security issue to EMC, see the EMC Vulnerability
Response Policy at http://www.emc.com/products/security/product-security-
response-center.htm.

EMC security advisories

EMC Security Advisories (ESAs) notify customers about potential security
vulnerabilities and their remedies for EMC products. The advisories include specific
details about an issue and instructions to help prevent or alleviate that security
exposure.
Common Vulnerabilities and Exposures (CVEs) identify publicly known security
concerns. An ESA can address one or more CVEs.
All Isilon ESAs, together with the CVEs that they address, are listed at https://
community.emc.com/docs/DOC-45144.

False positive security vulnerabilities

It is possible for a security scan to incorrectly identify a CVE as affecting an EMC
product. CVEs in this category are termed false positives.
False positives for OneFS and Insight IQ are listed at https://community.emc.com/
docs/DOC-45144.

Related documents
The complete documentation set for OneFS is available online.
You can find information that is related to the features and functionality described in
this document in the following documents available from the EMC Online Support site.
l EMC Secure Remote Services Installation and Operations Guide

10 OneFS 8.1.2 Security Configuration Guide

 Introduction to this guide

l EMC Secure Remote Services Policy Manager Operations Guide

l EMC Secure Remote Services Site Planning Guide
l EMC Secure Remote Services Technical Description
l EMC Isilon Multiprotocol Data Access with a Unified Security Model (white paper)
l Isilon Swift Technical Note
l IsilonSD Edge Installation and Administration Guide
l Managing identities with the Isilon OneFS user mapping service (white paper)
l OneFS Backup and Recovery Guide
l OneFS CLI Administration Guide
l OneFS Event Reference
l OneFS Release Notes
l OneFS Web Administration Guide
l OneFS Upgrade Planning and Process Guide

Where to go for support

This topic contains resources for getting answers to questions about Isilon products.

Online support l Live Chat

l Create a Service Request
For questions about accessing online support, send an email to
[email protected].

Telephone l United States: 1-800-SVC-4EMC (1-800-782-4362)

support
l Canada: 1-800-543-4782
l Worldwide: 1-508-497-7901
l Local phone numbers for a specific country are available at
EMC Customer Support Centers.

Isilon The Isilon Community Network connects you to a central hub of

Community information and experts to help you maximize your current storage
Network solution. From this site, you can demo Isilon products, ask
questions, view technical videos, and get our latest Isilon product
documentation.
Isilon Info Hubs For the list of Isilon info hubs, see the Isilon Info Hubs page on the
Isilon Community Network. Use these info hubs to find product
documentation, troubleshooting guides, videos, blogs, and other
information resources about the Isilon products and features you're
interested in.

Support for IsilonSD Edge

If you are running a free version of IsilonSD Edge, support is available through the
Isilon Community Network. If you purchased one or more IsilonSD Edge licenses,
support is available through Isilon Technical Support, provided you have a valid
support contract for the product.

Where to go for support 11

Introduction to this guide

Terminology
The following terms and abbreviations describe some of the features and technology
of the Isilon OneFS system and Isilon cluster.
Access-based enumeration (ABE)
In a Microsoft Windows environment, ABE filters the list of available files and
folders to allow users to see only those that they have permissions to access on a
file server.

Access control entry (ACE)

An element of an access control list (ACL) that defines access rights to a file for a
user or group.
Access control list (ACL)
A list of access control entries (ACEs) that provide information about the users
and groups allowed access to an object.

ACL policy
The policy that defines which access control methods (NFS permissions and/or
Windows ACLs) are enforced when a user accesses a file on the system in an
environment that is configured to provide multiprotocol access to file systems.
The ACL policy is set through the web administration interface.

Authentication
The process for verifying the identity of a user trying to access a resource or
object, such as a file or a directory.

Certificate Authority (CA)

A trusted third party that digitally signs public key certificates.

Certificate Authority Certificate

A digitally signed association between an identity (a Certificate Authority) and a
public key to be used by the host to verify digital signatures on public key
certificates.

Command-line interface (CLI)

An interface for entering commands through a shell window to perform cluster
administration tasks.

Digital certificate
An electronic ID issued by a certificate authority that establishes user credentials.
It contains the user identity (a hostname), a serial number, expiration dates, a
copy of the public key of the certificate holder (used for encrypting messages
and digital signatures), and a digital signature from the certificate-issuing
authority so that recipients can verify that the certificate is valid.

Directory server
A server that stores and organizes information about a computer network's users
and network resources, and that allows network administrators to manage user
access to the resources. X.500 is the best-known open directory service.
Proprietary directory services include Microsoft Active Directory.

12 OneFS 8.1.2 Security Configuration Guide

 Introduction to this guide

EMC Support Remote Services Gateway

EMC Secure Remote Support (ESRS) enables 24x7 proactive, secure, high-speed
remote monitoring and repair for many EMC products.

Group Identifier (GID)

Numeric value used to represent a group account in a UNIX system.

Hypertext Transfer Protocol (HTTP)

The communications protocol used to connect to servers on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS)

HTTP over TLS. All network traffic between the client and server system is
encrypted. In addition, HTTPS provides the option to verify server and client
identities. Typically, server identities are verified and client identities are not.

Kerberos
An authentication, data integrity, and data-privacy encryption mechanism that is
used to encode authentication information. Kerberos coexists with NTLM
(Netlogon services) and provides authentication for client/server applications
using secret-key cryptography.
Lightweight Directory Access Protocol (LDAP)
An information-access protocol that runs directly over TCP/IP. LDAP is the
primary access protocol for Active Directory and LDAP-based directory servers.
LDAP Version 3 is defined by a set of Proposed Standard documents in Internet
Engineering Task Force (IETF) RFC 2251.

LDAP-based directory
A directory server that provides access through LDAP. Examples of LDAP-based
directory servers include OpenLDAP and SUN Directory Server.

Network File System (NFS)

A distributed file system that provides transparent access to remote file systems.
NFS allows all network systems to share a single copy of a directory.

Network Information Service (NIS)

A service that provides authentication and identity uniformity across local area
networks and allows you to integrate the cluster with your NIS infrastructure.
Designed by Sun Microsystems, NIS can be used to authenticate users and
groups when they access the cluster.

OneFS API
A RESTful HTTP-based interface that enables cluster configuration,
management, and monitoring functionality, and enables operations on files and
directories.

OpenLDAP
The open source implementation of an LDAP-based directory service.

Public Key Infrastructure (PKI)

A means of managing private keys and associated public key certificates for use in
Public Key Cryptography.

Simple Network Management Protocol (SNMP)

A protocol that can be used to communicate management information between
the network management stations and the agents in the network elements.

Terminology 13
Introduction to this guide

Secure Sockets Layer (SSL)

A security protocol that provides encryption and authentication. SSL encrypts
data and provides message and server authentication. SSL also supports client
authentication if required by the server.

Security Identifier (SID)

A unique, fixed identifier used to represent a user account, user group, or other
secure identity component in a Windows system.

Transport Layer Security (TLS)

The successor protocol to SSL for general communication authentication and
encryption over TCP/IP networks. TLS version 1 is nearly identical with SSL
version 3.

User Identifier (UID)

Alphanumeric value used to represent a user account in a UNIX system.

X.509
A widely used standard for defining digital certificates.

14 OneFS 8.1.2 Security Configuration Guide

CHAPTER 2
Security overview

This section contains the following topics:

l Security deployment models...............................................................................16

l Security control map.......................................................................................... 18

Security overview 15
Security overview

Security deployment models

An Isilon cluster is only one piece of a complex installation and coexists with the
surrounding physical and electronic environment. You must develop and maintain
comprehensive security policies for the entire environment.
It is assumed that you have implemented the following security controls prior to the
Isilon security deployment:
l Physical security of computer room facilities
l Comprehensive network security
l Monitoring of computer-related controls, including:
n Access to data and programs
n Secure organizational structure to manage login and access rights
n Change control to prevent unauthorized modifications to programs
l Service continuity to ensure that critical services and processes remain
operational in the event of a disaster or data breach.
With these security controls in place, Isilon offers the following deployment models:
l General business
l SmartLock
l Security Technical Implementation Guide (STIG)

General business security deployment model

An Isilon cluster is designed to meet the storage needs of diverse users across the
spectrum of big data and enterprise IT. The general business security deployment
model comprises a set of best practices that can be implemented in any environment.
See the Security Best Practices chapter of this guide for recommended steps to
increase the security of an Isilon cluster.

SmartLock security deployment model

Smartlock is a data retention solution which protects files from accidental or
deliberate modification or deletion during a specified retention period. SmartLock
employs Write Once Read Many (WORM) data storage technology. WORM
technology allows information to be written to a drive once, after which it is non-
erasable and non-rewritable.
There are two options for SmartLock implementation:
l Compliance mode. This mode is designed for use only by those organizations
which are legally required to comply with the United States Securities and
Exchange Commission’s (SEC) rule 17-a4(f).
l Enterprise mode. This mode can be used by organizations that have no legal
requirement but want to use WORM technology to protect their data.
SmartLock compliance mode commits files to a WORM state in a compliance directory
where the files cannot be modified or deleted until the specified retention period has
expired. If a cluster is installed in compliance mode, the entire cluster is defined as a
SmartLock compliance cluster.
SmartLock enterprise mode commits files to a WORM state in an enterprise directory
where the files cannot be modified or deleted until the retention period has expired.

16 OneFS 8.1.2 Security Configuration Guide

 Security overview

The only exception is through a privileged delete feature that exists for the root
account.
For more information about SmartLock, see the Smartlock overview section of this
document.

Security Technical Implementation Guide (STIG) deployment model (Federal

accounts only)
To meet Federal Approved Products List (APL) requirements, the configuration of
OneFS must comply with Security Technical Implementation Guides (STIGs) that
define hardening configuration requirements.
STIGs are maintained by the Defense Information Systems Agency (DISA), which
produces STIGs for several computing technologies, referred to as assessment areas.
STIG hardening is designed for Isilon clusters that support Federal Government
accounts. Clusters that do not support Federal Government accounts are generally
not candidates for STIG hardening.

Note

STIG hardening assumes that the entire environment has been hardened to STIG
standards. Securing only the Isilon cluster, without the surrounding components also
meeting STIG requirements, can create problems due to different expectations
between the components.

For more information about STIG deployment, see the OneFS Security Hardening
chapter of this document.

Security Technical Implementation Guide (STIG) deployment model (Federal accounts only) 17
Security overview

Security control map

The following diagram provides an overview of the various security controls that are
available on Isilon clusters.
Figure 1 Security control map

Unencrypted Data Encrypted Data

Isilon Cluster
Another Isilon Replication Users and Groups Authentication
OneFS Operating System
Cluster Authentication Providers
Encrypted Drives (optional)
Internal Cluster Communication
Status/Data Serial Console Connection HTTPS/
Antivirus Cluster REST Clients
OneFS API

Unencrypted Data Data Encrypted

Client Protocols Client Protocols

Backup Data
NDMP Private Cloud

Administration

HTTPS/
InsightIQ
OneFS API

Encrypted Internet Data

Request/Response Microsoft
Management
Logs
ESRS Gateway Console
Dial Home

Console Access Secure Socket

Data Shell (SSH)
Public Cloud

HTTPS/ Web Browser

Request/Response (WebUI)

18 OneFS 8.1.2 Security Configuration Guide

CHAPTER 3
Cryptography

This section contains the following topics:

l Cryptography overview......................................................................................20
l Cryptographic inventory for FTP....................................................................... 20
l Cryptographic inventory for HTTPS................................................................... 21
l Cryptographic inventory for NFS....................................................................... 22
l Cryptographic inventory for OpenSSH...............................................................23
l Cryptographic inventory for SMB...................................................................... 23

Cryptography 19
Cryptography

Cryptography overview
OneFS uses up-to-date, globally recognized cryptographic algorithms and protocols,
including:
l FTP
l HDFS
l HTTPS
l Kerberos
l NDMP
l NFS
l Secure Socket Shell (SSH)
l SMB
l Swift
l Transport Layer Security (TLS)
l TLS to Active Directory
l TLS to Lightweight Directory Access Protocol (LDAP)
This chapter provides details on cryptographic use within OneFS, including the current
cryptographic releases, which algorithms are used, and where in the product the
algorithms are used.

Note

Different releases of OneFS may support different cryptographic inventories. If you

have questions about the cryptographic inventory for different versions of OneFS,
contact Isilon Technical Support.

Cryptographic inventory for FTP

The cipher suites that are supported by FTP in OneFS are described in the following
sections. FTP is disabled by default in OneFS.
TLSv1.0 cipher suites supported by FTP

TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)

TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)

TLSv1.1 cipher suites supported by FTP

TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)

TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)

20 OneFS 8.1.2 Security Configuration Guide

 Cryptography

TLSv1.2 cipher suites supported by FTP

TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)

TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)

Cryptographic inventory for HTTPS

The HTTPS cryptography applies to REST clients and to the OneFS web
administration interface. This section lists the cipher suites that are supported by
HTTPS in OneFS.
TLSv1.0 cipher suites supported by HTTPS

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)

TLSv1.1 cipher suites supported by HTTPS

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)

TLSv1.2 cipher suites supported by HTTPS

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)

Cryptographic inventory for HTTPS 21

Cryptography

TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)

TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)

Cryptographic inventory for NFS

This section lists the NFS cryptographic algorithms that are available in OneFS.
Usage of these algorithms depends on your configuration and workflow. For
configuration information, refer to the OneFS CLI Administration Guide Info Hub.
NFS default settings

Setting Enabled/disabled
NFS service Enabled
NFSv3 Enabled
NFSv4 Disabled

NFSv3 algorithms

Algorithm Description
Key Exchange Algorithm RPCSEC_GSS, KerberosV5
Authentication Algorithm AUTH_UNIX, krb5, krb5i, krb5p
Encryption Algorithm AES256-CTS AES128-CTS RC4-HMAC DES-
CBC-MD5 DES-CBC-CRC
Message Authentication Code RPCSEC_GSS, enforces TCP protocol at
Algorithm(integrity) transport layer.

NFSv4 algorithms

Algorithm Description
Key Exchange Algorithm RPCSEC_GSS, KerberosV5
Authentication Algorithm AUTH_UNIX, krb5, krb5i, krb5p
Encryption Algorithm AES256-CTS AES128-CTS RC4-HMAC DES-
CBC-MD5 DES-CBC-CRC
Message Authentication Code RPCSEC_GSS, enforces TCP protocol at
Algorithm(integrity) transport layer.

22 OneFS 8.1.2 Security Configuration Guide

 Cryptography

Cryptographic inventory for OpenSSH

This section lists the OpenSSH cryptographic algorithms as used in OneFS.

Algorithm Description
Key Exchange Algorithm [email protected],ecdh-sha2-
nistp256,ecdh-sha2-nistp384,ecdh-sha2-
nistp521,diffie-hellman-group-exchange-
sha256,diffie-hellman-group-exchange-sha1,diffie-
hellman-group14-sha1
Authentication Algorithm AUTH_UNIX
Encryption Algorithm aes128-ctr,aes192-ctr,aes256-ctr,aes128-
[email protected],aes256-
[email protected],chacha20-
[email protected]
Message Authentication Code hmac-sha1
Algorithm(integrity)

Cryptographic inventory for SMB

This section lists the SMB cryptographic algorithms that are available in OneFS.
Usage of these algorithms depends on your configuration and workflow. For
configuration information, refer to the OneFS CLI Administration Guide Info Hub.
The SMB service is enabled by default in OneFS, and it supports SMBv1, SMBv2, and
SMBv3. However, OneFS does not currently support the encryption feature in
SMBv3.
SMB algorithms
Algorithm Description
Authentication Algorithm AUTH_UNIX, krb5, krb5i, krb5p, NTLM, NIS, LDAP

Encryption Algorithm AES256-CTS, AES128-CTS, RC4-HMAC, DES-CBC-MD5, DES-

CBC-CRC

SMB signing algorithms

SMB protocol version SMB signing algorithm description
SMBv1 MD5

SMBv2 SHA-256-HMAC

SMBv3 SHA-256-HMAC (key derivation)

AES-128-CMAC (signing)

Used via GSS-API, NTLM mechanism:

l RC4 (schannel encryption)
l MD5-HMAC (signing)

Cryptographic inventory for OpenSSH 23

Cryptography

SMB protocol version SMB signing algorithm description

Used via GSS-API, KRB5 mechanism (all encryption types
provide signing and encryption):
l AES256-CTS
l AES128-CTS
l RC4-HMAC
l DES-CBC-MD5
l DES-CBC-CRC

24 OneFS 8.1.2 Security Configuration Guide

CHAPTER 4
OneFS security hardening

This section contains the following topics:

l Security hardening............................................................................................. 26
l STIG hardening profile....................................................................................... 26
l Apply a security hardening profile...................................................................... 27
l Revert a security hardening profile.................................................................... 28
l View the security hardening status.................................................................... 29

OneFS security hardening 25

OneFS security hardening

Security hardening
Security hardening is the process of configuring a system to reduce or eliminate as
many security risks as possible.
When you apply a hardening profile on an Isilon cluster, OneFS reads the security
profile file and applies the configuration defined in the profile to the cluster. If
required, OneFS identifies configuration issues that prevent hardening on the nodes.
For example, the file permissions on a particular directory might not be set to the
expected value, or the required directories might be missing. When an issue is found,
you can choose to allow OneFS to resolve the issue, or you can defer resolution and
fix the issue manually.

Note

The intention of the hardening profile is to support the Security Technical

Implementation Guides (STIGs) that are defined by the Defense Information Systems
Agency (DISA) and applicable to OneFS. Currently, the hardening profile only
supports a subset of requirements defined by DISA in STIGs. The hardening profile is
meant to be primarily used in Federal accounts.

If you determine that the hardening configuration is not right for your system, OneFS
allows you to revert the security hardening profile. Reverting a hardening profile
returns OneFS to the configuration achieved by resolving issues, if any, prior to
hardening.
You must have an active security hardening license and be logged in to the EMC Isilon
cluster as the root user to apply hardening to OneFS. To obtain a license, contact your
EMC Isilon sales representative.

STIG hardening profile

The OneFS STIG hardening profile contains a subset of the configuration
requirements set by the Department of Defense and is designed for Isilon clusters that
support Federal Government accounts. An Isilon cluster that is installed with a STIG
profile relies on the surrounding ecosystem also being secure.
After you apply the OneFS STIG hardening profile, the OneFS configuration is
modified to make the Isilon cluster more secure and support some of the controls that
are defined by the DISA STIGs. Some examples of the many system changes are as
follows:
l After you log in through SSH or the web interface, the system displays a message
that you are accessing a U.S. Government Information System and displays the
terms and conditions of using the system.
l On each node, SSH and the web interface listen only on the node's external IP
address.
l Password complexity requirements increase for local user accounts. Passwords
must be at least 14 characters and contain at least one of each of the following
character types: numeric, uppercase, lowercase, symbol.
l Root SSH is disabled. You can log in as root only through the web interface or
through a serial console session.

26 OneFS 8.1.2 Security Configuration Guide

 OneFS security hardening

Apply a security hardening profile

You can apply the OneFS STIG hardening profile to the Isilon cluster.
Before you begin
Security hardening requires root privileges and can be performed only through the
command-line interface.
Once hardening has been successfully applied to the cluster, root SSH is not allowed
on a hardened cluster. To log in as the root user on a hardened cluster, you must
connect through the web interface or a serial console session.
You must have an active security hardening license to apply a hardening profile to
OneFS. To obtain a license, contact your Isilon sales representative.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the isi hardening apply command.
The following command directs OneFS to apply the hardening profile to the
Isilon cluster.

isi hardening apply --profile=STIG

Note

STIG is a tag, not a file.

OneFS checks whether the system contains any configuration issues that must
be resolved before hardening can be applied.
l If OneFS does not encounter any issues, the hardening profile is applied.
l If OneFS encounters issues, the system displays output similar to the
following example:

Found the following Issue(s) on the cluster:

Issue #1 (Isilon Control_id:isi_GEN001200_01)
Node: test-cluster-2
1: /etc/syslog.conf: Actual permission 0664; Expected
permission 0654

Issue #2 (Isilon Control_id:isi_GEN001200_02)

Node: test-cluster-3
1: /usr/bin/passwd: Actual permission 4555; Expected
permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected
permission 0555
Node: test-cluster-2
1: /usr/bin/passwd: Actual permission 4555; Expected
permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected
permission 0555

Total: 2 issue(s)
Do you want to resolve the issue(s)?[Y/N]:
3. Resolve any configuration issues. At the prompt Do you want to resolve
the issue(s)?[Y/N], choose one of the following actions:

Apply a security hardening profile 27

OneFS security hardening

l To allow OneFS to resolve all issues, type Y. OneFS fixes the issues and then
applies the hardening profile.
l To defer resolution and fix all of the found issues manually, type N. After you
have fixed all of the deferred issues, run the isi hardening apply
command again.

Note

If OneFS encounters an issue that is considered catastrophic, the system

prompts you to resolve the issue manually. OneFS cannot resolve a catastrophic
issue.

Revert a security hardening profile

You can revert a hardening profile that has been applied to the EMC Isilon cluster.
Before you begin
Reverting security hardening requires root privileges and can be performed only
through the command-line interface. To log in as the root user on a hardened cluster,
you must connect through a serial console session. Root SSH is not allowed on a
hardened cluster.
You must have an active security hardening license to revert a hardening profile on
OneFS. To obtain a license, contact your EMC Isilon sales representative.
Procedure
1. Open a serial console session on any node in the cluster and log in as root.
2. Run the isi hardening revert command.
OneFS checks whether the system is in an expected state.
l If OneFS does not encounter any issues, the hardening profile is reverted.
l If OneFS encounters any issues, the system displays output similar to the
following example:

Found the following Issue(s) on the cluster:

Issue #1 (Isilon Control_id:isi_GEN001200_01)
Node: test-cluster-2
1: /etc/syslog.conf: Actual permission 0664; Expected
permission 0654

Issue #2 (Isilon Control_id:isi_GEN001200_02)

Node: test-cluster-3
1: /usr/bin/passwd: Actual permission 4555; Expected
permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected
permission 0555
Node: test-cluster-2
1: /usr/bin/passwd: Actual permission 4555; Expected
permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected
permission 0555

Total: 2 issue(s)
Do you want to resolve the issue(s)?[Y/N]:
3. Resolve any configuration issues. At the prompt Do you want to resolve
the issue(s)?[Y/N], choose one of the following actions:

28 OneFS 8.1.2 Security Configuration Guide

 OneFS security hardening

l To allow OneFS to resolve all issues, type Y. OneFS sets the affected
configurations to the expected state and then reverts the hardening profile.
l To defer resolution and fix all of the found issues manually, type N. OneFS
halts the revert process until all of the issues are fixed. After you have fixed
all of the deferred issues, run the isi hardening revert command
again.

Note

If OneFS encounters an issue that is considered catastrophic, the system will

prompt you to resolve the issue manually. OneFS cannot resolve a catastrophic
issue.

View the security hardening status

You can view the security hardening status of the EMC Isilon cluster and each cluster
node. A cluster is not considered hardened until all of its nodes are hardened. During
the hardening process, if OneFS encounters issues that must be resolved manually, or
if you defer issues to resolve them manually, the nodes on which the issues occur are
not hardened until the issues are resolved and the hardening profile is applied
successfully. If you need help resolving these issues, contact Isilon Technical Support.
Before you begin
Viewing the security hardening status of the cluster requires root privileges and can be
performed only through the command-line interface. To log in as the root user on a
hardened cluster, you must connect through a serial console session. Root SSH is not
allowed on a hardened cluster.
You do not need a security hardening license to view the hardening status of the
cluster.
Procedure
1. Open a console session on any node in the cluster and log in as root.
2. Run the isi hardening status command to view the status of security
hardening on the Isilon cluster and each of the nodes.
The system displays output similar to the following example:

Cluster Name: test-cluster

Hardening Status: Not Hardened
Profile: STIG
Node status:
test-cluster-1: Disabled
test-cluster-2: Enabled
test-cluster-3: Enabled

View the security hardening status 29

OneFS security hardening

30 OneFS 8.1.2 Security Configuration Guide

CHAPTER 5
Authentication

This section contains the following topics:

l Authentication overview.....................................................................................32
l Active Directory................................................................................................. 33
l LDAP..................................................................................................................36
l NIS..................................................................................................................... 41
l Kerberos authentication..................................................................................... 42
l File provider....................................................................................................... 45
l Local provider.................................................................................................... 50
l Certificates........................................................................................................ 53
l Cluster identity.................................................................................................. 59

Authentication 31
Authentication

Authentication overview
OneFS supports local and remote authentication providers to verify that users
attempting to access an EMC Isilon cluster are who they claim to be. Anonymous
access, which does not require authentication, is supported for protocols that allow it.
OneFS supports concurrent multiple authentication provider types, which are
analogous to directory services. For example, OneFS is often configured to
authenticate Windows clients with Active Directory and to authenticate UNIX clients
with LDAP. You can also configure NIS, designed by Sun Microsystems, to
authenticate users and groups when they access a cluster.

Note

OneFS is RFC 2307-compliant.

Supported authentication providers

You can configure local and remote authentication providers to authenticate or deny
user access to an EMC Isilon cluster.
The following table compares features that are available with each of the
authentication providers that OneFS supports. In the following table, an x indicates
that a feature is fully supported by a provider; an asterisk (*) indicates that additional
configuration or support from another provider is required.

Authentic NTLM Kerberos User/ Netgroup UNIX Windows

ation group s propertie propertie
provider managem s (RFC s
ent 2307)
Active x x * x
Directory

LDAP * x x x *

NIS x x

Local x x x x

File x x x

MIT x * * *
Kerberos

Authentication provider features

You can configure authentication providers for your environment.
Authentication providers support a mix of the features described in the following
table.

Feature Description
Authentication All authentication providers support cleartext
authentication. You can configure some
providers to support NTLM or Kerberos
authentication also.

32 OneFS 8.1.2 Security Configuration Guide

 Authentication

Feature Description
Users and groups OneFS provides the ability to manage users
and groups directly on the cluster.

Netgroups Specific to NFS, netgroups restrict access to

NFS exports.

UNIX-centric user and group properties Login shell, home directory, UID, and GID.
Missing information is supplemented by
configuration templates or additional
authentication providers.

Windows-centric user and group properties NetBIOS domain and SID. Missing information
is supplemented by configuration templates.

Active Directory
Active Directory is a Microsoft implementation of Lightweight Directory Access
Protocol (LDAP), Kerberos, and DNS technologies that can store information about
network resources. Active Directory can serve many functions, but the primary reason
for joining the cluster to an Active Directory domain is to perform user and group
authentication.
You can join the EMC Isilon cluster to an Active Directory (AD) domain by specifying
the fully qualified domain name, which can be resolved to an IPv4 or an IPv6 address,
and a user name with join permission. When the cluster joins an AD domain, a single
AD machine account is created. The machine account establishes a trust relationship
with the domain and enables the cluster to authenticate and authorize users in the
Active Directory forest. By default, the machine account is named the same as the
cluster. If the cluster name is more than 15 characters long, the name is hashed and
displayed after joining the domain.
OneFS supports NTLM and Microsoft Kerberos for authentication of Active Directory
domain users. NTLM client credentials are obtained from the login process and then
presented in an encrypted challenge/response format to authenticate. Microsoft
Kerberos client credentials are obtained from a key distribution center (KDC) and then
presented when establishing server connections. For greater security and
performance, we recommend that you implement Kerberos, according to Microsoft
guidelines, as the primary authentication protocol for Active Directory.
Each Active Directory provider must be associated with a groupnet. The groupnet is a
top-level networking container that manages hostname resolution against DNS
nameservers and contains subnets and IP address pools. The groupnet specifies which
networking properties the Active Directory provider will use when communicating with
external servers. The groupnet associated with the Active Directory provider cannot
be changed. Instead you must delete the Active Directory provider and create it again
with the new groupnet association.
You can add an Active Directory provider to an access zone as an authentication
method for clients connecting through the access zone. OneFS supports multiple
instances of Active Directory on an Isilon cluster; however, you can assign only one
Active Directory provider per access zone. The access zone and the Active Directory
provider must reference the same groupnet. Configure multiple Active Directory
instances only to grant access to multiple sets of mutually-untrusted domains.
Otherwise, configure a single Active Directory instance if all domains have a trust
relationship. You can discontinue authentication through an Active Directory provider
by removing the provider from associated access zones.

Active Directory 33
Authentication

Configuring an Active Directory provider

You can add an Active Directory provider in an access zone to add users and groups
and configure authentication.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about Active Directory provider authentication and additional Active
Directory provider management tasks.

Configure an Active Directory provider

You can configure one or more Active Directory providers, each of which must be
joined to a separate Active Directory domain. By default, when you configure an
Active Directory provider, it is automatically added to the System access zone.

Note

Consider the following information when you configure an Active Directory provider:
l When you join Active Directory from OneFS, cluster time is updated from the
Active Directory server, as long as an NTP server has not been configured for the
cluster.
l If you migrate users to a new or different Active Directory domain, you must re-set
the ACL domain information after you configure the new provider. You can use
third-party tools such as Microsoft SubInACL.

Procedure
1. Click Access > Authentication Providers > Active Directory.
2. Click Join a domain.
3. In the Domain Name field, specify the fully qualified Active Directory domain
name, which can be resolved to an IPv4 or an IPv6 address.
The domain name will also be used as the provider name.
4. In the User field, type the username of an account that is authorized to join the
Active Directory domain.
5. In the Password field, type the password of the user account.
6. (Optional) In the Organizational Unit field, type the name of the organizational
unit (OU) to connect to on the Active Directory server. Specify the OU in the
format OuName or OuName1/SubName2.
7. (Optional) In the Machine Account field, type the name of the machine
account.

Note

If you specified an OU to connect to, the domain join will fail if the machine
account does not reside in the OU.

8. From the Groupnet list, select the groupnet the authentication provider will
reference.
9. (Optional) To enable Active Directory authentication for NFS, select Enable
Secure NFS.

34 OneFS 8.1.2 Security Configuration Guide

 Authentication

Note

If you specified an OU to connect to, the domain join will fail if the machine
account does not reside in the OU.

If you enable this setting, OneFS registers NFS service principal names (SPNs)
during the domain join.

10. (Optional) In the Advanced Active Directory Settings area, configure the
advanced settings that you want to use. It is recommended that you not change
any advanced settings without understanding their consequences.
11. Click Join.

Active Directory provider settings

You can view or modify the advanced settings for an Active Directory provider.

Setting Description
Services For UNIX Specifies whether to support RFC 2307
attributes for domain controllers. RFC 2307 is
required for Windows UNIX Integration and
Services For UNIX technologies.

Map to primary domain Enables the lookup of unqualified user names

in the primary domain. If this setting is not
enabled, the primary domain must be
specified for each authentication operation.

Ignore trusted domains Ignores all trusted domains.

Trusted Domains Specifies trusted domains to include if the

Ignore Trusted Domains setting is
enabled.

Domains to Ignore Specifies trusted domains to ignore even if

the Ignore Trusted Domains setting is
disabled.

Send notification when domain is unreachable Sends an alert as specified in the global
notification rules.

Use enhanced privacy and encryption Encrypts communication to and from the
domain controller.

Home Directory Naming Specifies the path to use as a template for

naming home directories. The path must begin
with /ifs and can contain variables, such as
%U, that are expanded to generate the home
directory path for the user.

Create home directories on first login Creates a home directory the first time that a
user logs in if a home directory does not
already exist for the user.

UNIX Shell Specifies the path to the login shell to use if

the Active Directory server does not provide
login-shell information. This setting applies
only to users who access the file system
through SSH.

Configuring an Active Directory provider 35

Authentication

Setting Description
Query all other providers for UID If no UID is available in the Active Directory,
looks up Active Directory users in all other
providers for allocating a UID.

Match users with lowercase If no UID is available in the Active Directory,

normalizes Active Directory user names to
lowercase before lookup.

Auto-assign UIDs If no UID is available in the Active Directory,

enables UID allocation for unmapped Active
Directory users.

Query all other providers for GID If no GID is available in the Active Directory,
looks up Active Directory groups in all other
providers before allocating a GID.

Match groups with lowercase If no GID is available in the Active Directory,

normalizes Active Directory group names to
lowercase before lookup.

Auto-assign GIDs If no GID is available in the Active Directory,

enables GID allocation for unmapped Active
Directory groups.

Make UID/GID assignments for users and Restricts user and group lookups to the
groups in these specific domains specified domains.

LDAP
The Lightweight Directory Access Protocol (LDAP) is a networking protocol that
enables you to define, query, and modify directory services and resources.
OneFS can authenticate users and groups against an LDAP repository in order to grant
them access to the cluster. OneFS supports Kerberos authentication for an LDAP
provider.
The LDAP service supports the following features:
l Users, groups, and netgroups.
l Configurable LDAP schemas. For example, the ldapsam schema allows NTLM
authentication over the SMB protocol for users with Windows-like attributes.
l Simple bind authentication, with and without TLS.
l Redundancy and load balancing across servers with identical directory data.
l Multiple LDAP provider instances for accessing servers with different user data.
l Encrypted passwords.
l IPv4 and IPv6 server URIs.
Each LDAP provider must be associated with a groupnet. The groupnet is a top-level
networking container that manages hostname resolution against DNS nameservers
and contains subnets and IP address pools. The groupnet specifies which networking
properties the LDAP provider will use when communicating with external servers. The
groupnet associated with the LDAP provider cannot be changed. Instead you must
delete the LDAP provider and create it again with the new groupnet association.
You can add an LDAP provider to an access zone as an authentication method for
clients connecting through the access zone. An access zone may include at most one

36 OneFS 8.1.2 Security Configuration Guide

 Authentication

LDAP provider. The access zone and the LDAP provider must reference the same
groupnet. You can discontinue authentication through an LDAP provider by removing
the provider from associated access zones.

Configuring an LDAP provider

You can add an LDAP provider in an access zone to add users and groups and
configure authentication.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about LDAP provider authentication and additional LDAP provider
management tasks.

Configure an LDAP provider

By default, when you configure an LDAP provider, it is automatically added to the
System access zone.
Procedure
1. Click Access > Authentication Providers > LDAP.
2. Click Add an LDAP Provider.
3. In the LDAP provider name field, type a name for the provider.
4. In the Server URIs field, type one or more valid LDAP server URIs, one per line,
in the format ldaps://<server>:<port> (secure LDAP) or ldap://
<server>:<port> (non-secure LDAP). An LDAP server URI can be specified as
an IPv4 address, IPv6 address, or hostname.

Note

l If you do not specify a port, the default port is used. The default port for
non-secure LDAP (ldap://) is 389; for secure LDAP (ldaps://), it is 636. If
you specify non-secure LDAP, the bind password is transmitted to the
server in cleartext.
l If you specify an IPv6 address, the address must be enclosed in square
brackets. For example, ldap://[2001:DB8:170:7cff::c001] is the correct IPv6
format for this field.

5. Select the Connect to a random server on each request checkbox to connect

to an LDAP server at random. If unselected, OneFS connects to an LDAP server
in the order listed in the Server URIs field.
6. In the Base distinguished name (DN) field, type the distinguished name (DN)
of the entry at which to start LDAP searches.
Base DNs can include cn (Common Name), l (Locality), dc (Domain
Component), ou (Organizational Unit), or other components. For example,
dc=emc,dc=com is a base DN for emc.com.
7. From the Groupnet list, select the groupnet that the authentication provider
will reference.
8. In the Bind DN field, type the distinguished name of the entry at which to bind
to the LDAP server.
9. In the Bind DN password field, specify the password to use when binding to
the LDAP server.

Configuring an LDAP provider 37

Authentication

Use of this password does not require a secure connection; if the connection is
not using Transport Layer Security (TLS), the password is sent in cleartext.
10. (Optional) Update the settings in the following sections of the Add an LDAP
provider form to meet the needs of your environment:

Option Description
Default Query Settings Modify the default settings for user, group, and
netgroup queries.
User Query Settings Modify the settings for user queries and home
directory provisioning.
Group Query Settings Modify the settings for group queries.
Netgroup Query Modify the settings for netgroup queries.
Settings
Advanced LDAP Modify the default LDAP attributes that contain
Settings user information or to modify LDAP security
settings.

11. Click Add LDAP Provider.

LDAP query settings

You can configure the entry point and depth at which to search for LDAP users,
groups, and netgroups. You also can configure the settings for user home directory
provisioning.

Note

OneFS is RFC 2307-compliant.

Base distinguished name

Specifies the base distinguished name (base DN) of the entry at which to start
LDAP searches for user, group, or netgroup objects. Base DNs can include cn
(Common Name), l (Locality), dc (Domain Component), ou (Organizational
Unit), or other components. For example, dc=emc,dc=com is a base DN for
emc.com.

Search scope
Specifies the depth from the base DN at which to perform LDAP searches. The
following values are valid:
Default
Applies the search scope that is defined in the default query settings. This
option is not available for the default query search scope.

Base
Searches only the entry at the base DN.

One-level
Searches all entries exactly one level below the base DN.

Subtree
Searches the base DN and all entries below it.

38 OneFS 8.1.2 Security Configuration Guide

 Authentication

Children
Searches all entries below the base DN, excluding the base DN itself.

Search timeout
Specifies the number of seconds after which to stop retrying and fail a search.
The default value is 100. This setting is available only in the default query
settings.

Query filter
Specifies the LDAP filter for user, group, or netgroup objects. This setting is not
available in the default query settings.

Authenticate users from this LDAP provider

Specifies whether to allow the provider to respond to authentication requests.
This setting is available only in the user query settings.

Home directory naming template

Specifies the path to use as a template for naming home directories. The path
must begin with /ifs and can contain variables, such as %U, that are expanded
to generate the home directory path for the user. This setting is available only in
the user query settings.

Automatically create user home directories on first login

Specifies whether to create a home directory the first time a user logs in, if a
home directory does not exist for the user. This setting is available only in the
user query settings.

UNIX shell
Specifies the path to the user's login shell, for users who access the file system
through SSH. This setting is available only in the user query settings.

LDAP advanced settings

You can configure LDAP security settings and specify the LDAP attributes that
contain user information.

Note

OneFS is RFC 2307-compliant.

Name attribute
Specifies the LDAP attribute that contains UIDs, which are used as login names.
The default value is uid.

Common name attribute

Specifies the LDAP attribute that contains common names (CNs). The default
value is cn.

Email attribute
Specifies the LDAP attribute that contains email addresses. The default value is
mail.

GECOS field attribute

Specifies the LDAP attribute that contains GECOS fields. The default value is
gecos.

Configuring an LDAP provider 39

Authentication

UID attribute
Specifies the LDAP attribute that contains UID numbers. The default value is
uidNumber.

GID attribute
Specifies the LDAP attribute that contains GIDs. The default value is gidNumber.

Home directory attribute

Specifies the LDAP attribute that contains home directories. The default value is
homeDirectory.

UNIX shell attribute

Specifies the LDAP attribute that contains UNIX login shells. The default value is
loginShell.

Member of attribute
Sets the attribute to be used when searching LDAP for reverse memberships.
This LDAP value should be an attribute of the user type posixAccount that
describes the groups in which the POSIX user is a member. This setting has no
default value.
Netgroup members attribute
Specifies the LDAP attribute that contains netgroup members. The default value
is memberNisNetgroup.

Netgroup triple attribute

Specifies the LDAP attribute that contains netgroup triples. The default value is
nisNetgroupTriple.

Group members attribute

Specifies the LDAP attribute that contains group members. The default value is
memberUid.

Unique group members attribute

Specifies the LDAP attribute that contains unique group members. This attribute
is used to determine which groups a user belongs to if the LDAP server is queried
by the user’s DN instead of the user’s name. This setting has no default value.

Alternate security identities attribute

Specifies the name to be used when searching for alternate security identities.
This name is used when OneFS tries to resolve a Kerberos principal to a user. This
setting has no default value.
UNIX password attribute
Specifies the LDAP attribute that contains UNIX passwords. This setting has no
default value.

Windows password attribute

Specifies the LDAP attribute that contains Windows passwords. A commonly
used value is ntpasswdhash.

Certificate authority file

Specifies the full path to the root certificates file.

40 OneFS 8.1.2 Security Configuration Guide

 Authentication

Require secure connection for passwords

Specifies whether to require a Transport Layer Security (TLS) connection.

Ignore TLS errors

Continues over a secure connection even if identity checks fail.

NIS
The Network Information Service (NIS) provides authentication and identity
uniformity across local area networks. OneFS includes an NIS authentication provider
that enables you to integrate the cluster with your NIS infrastructure.
NIS, designed by Sun Microsystems, can authenticate users and groups when they
access the cluster. The NIS provider exposes the passwd, group, and netgroup maps
from an NIS server. Hostname lookups are also supported. You can specify multiple
servers for redundancy and load balancing.
Each NIS provider must be associated with a groupnet. The groupnet is a top-level
networking container that manages hostname resolution against DNS nameservers
and contains subnets and IP address pools. The groupnet specifies which networking
properties the NIS provider will use when communicating with external servers. The
groupnet associated with the NIS provider cannot be changed. Instead you must
delete the NIS provider and create it again with the new groupnet association.
You can add an NIS provider to an access zone as an authentication method for clients
connecting through the access zone. An access zone may include at most one NIS
provider. The access zone and the NIS provider must reference the same groupnet.
You can discontinue authentication through an NIS provider by removing the provider
from associated access zones.

Note

NIS is different from NIS+, which OneFS does not support.

Configuring an NIS provider

You can add an NIS provider in an access zone to configure authentication through
NIS.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about NIS provider authentication and additional NIS provider
management tasks.

Configure an NIS provider

By default, when you configure an NIS provider it is automatically added to the
System access zone.
Procedure
1. Click Access > Authentication Providers > NIS.
2. Click Add a NIS provider.
3. In the NIS Provider Name field, type a name for the provider.
4. In the Servers field, type one or more valid IPv4 addresses, host names, or fully
qualified domain names (FQDNs), separated by commas.

NIS 41
Authentication

Note

If the Load balance servers option is not selected, servers are accessed in the
order in which they are listed.

5. In the NIS Domain field, type the domain name.

6. (Optional) Configure the Load balance servers setting:
l To connect to an NIS server at random, select the check box.
l To connect according to the order in which the NIS servers are listed in the
Servers field, clear the check box.
7. From the Groupnet list, select the groupnet the authentication provider will
reference.
8. (Optional) Specify the Default Query Settings.
a. In the Search Timeout field, specifies the number of seconds after which to
stop retrying and fail a search. The default value is 20.
b. In the Retry Frequency field, specify the timeout period in seconds after
which a request will be retried. The default value is 5.
9. (Optional) Specify the User Query Settings.
a. Select the Authenticate users from this provider check box to allow the
provider to respond to authentication requests.
b. Type a path in the Home Directory Naming field to use as a template for
naming home directories. The path must begin with /ifs and can contain
expansion variables, such as %U, which expand to generate the home
directory path for the user. For more information, see the Home directories
section.
c. Select the Create home directories on first login check box to specify
whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user.
d. Select a path from the UNIX Shell list to specify the path to the user's login
shell for users who access the file system through SSH.
10. (Optional) Click Host Name Query Settings and then configure the Resolve
hosts from this provider setting:
l To enable host resolution, select the check box.
l To disable host resolution, clear the check box.
11. Click Add NIS provider.

Kerberos authentication
Kerberos is a network authentication provider that negotiates encryption tickets for
securing a connection. OneFS supports Microsoft Kerberos and MIT Kerberos
authentication providers on an EMC Isilon cluster. If you configure an Active Directory
provider, support for Microsoft Kerberos authentication is provided automatically. MIT
Kerberos works independently of Active Directory.
For MIT Kerberos authentication, you define an administrative domain known as a
realm. Within this realm, an authentication server has the authority to authenticate a
user, host, or service; the server can resolve to either IPv4 or IPv6 addresses. You can

42 OneFS 8.1.2 Security Configuration Guide

 Authentication

optionally define a Kerberos domain to allow additional domain extensions to be

associated with a realm.
The authentication server in a Kerberos environment is called the Key Distribution
Center (KDC) and distributes encrypted tickets. When a user authenticates with an
MIT Kerberos provider within a realm, an encrypted ticket with the user's service
principal name (SPN) is created and validated to securely pass the user's identification
for the requested service.
Each MIT Kerberos provider must be associated with a groupnet. The groupnet is a
top-level networking container that manages hostname resolution against DNS
nameservers and contains subnets and IP address pools. The groupnet specifies which
networking properties the Kerberos provider will use when communicating with
external servers. The groupnet associated with the Kerberos provider cannot be
changed. Instead you must delete the Kerberos provider and create it again with the
new groupnet association.
You can add an MIT Kerberos provider to an access zone as an authentication method
for clients connecting through the access zone. An access zone may include at most
one MIT Kerberos provider. The access zone and the Kerberos provider must
reference the same groupnet. You can discontinue authentication through an MIT
Kerberos provider by removing the provider from associated access zones.

Keytabs and SPNs overview

A Key Distribution Center (KDC) is an authentication server that stores accounts and
keytabs for users connecting to a network service within an EMC Isilon cluster. A
keytab is a key table that stores keys to validate and encrypt Kerberos tickets.
One of the fields in a keytab entry is a service principal name (SPN). An SPN identifies
a unique service instance within a cluster. Each SPN is associated with a specific key
in the KDC. Users can use the SPN and its associated keys to obtain Kerberos tickets
that enable access to various services on the cluster. A member of the SecurityAdmin
role can create new keys for the SPNs and modify them later as necessary. An SPN
for a service typically appears as <service>/<fqdn>@<realm>.

Note

SPNs must match the SmartConnect zone name and the FQDN hostname of the
cluster. If the SmartConnect zone settings are changed, you must update the SPNs
on the cluster to match the changes.

Configuring an MIT Kerberos provider

You can add an MIT Kerberos realm, domain, and provider in an access zone to
configure Kerberos authentication.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about MIT Kerberos provider authentication and additional Kerberos
provider management tasks.

Create an MIT Kerberos realm, domain, and a provider

You can create an MIT Kerberos realm, domain, and a provider through a single
workflow instead of configuring each of these objects individually.
Procedure
1. Click Access > Authentication Providers > Kerberos Provider.
2. Click Get Started.

Keytabs and SPNs overview 43

Authentication

The system displays the Create a Kerberos Realm and Provider window.
3. From the Create Realm section, type a domain name in the Realm Name field.
It is recommended that the domain name is formatted in uppercase characters,
such as CLUSTER-NAME.COMPANY.COM.
4. Check the Set as the default realm box to set the realm as the default.
5. In the Key Distribution Centers (KDCs) field, add one or more KDCs by
specifying the IPv4 address, IPv6 address, or the hostname of each server.
6. In the Admin Server field, specify the IPv4 address, IPv6 address, or hostname
of the administration server, which will be fulfill the role of master KDC. If you
omit this step, the first KDC that you added previously is used as the default
admin server.
7. In the Default Domain field, specify the domain name to use for translating the
service principal names (SPNs).
8. (Optional) From the Create Domain(s) section, specify one or more domain
names to associate with the realm in the Domain(s) field.
9. From the Authenticate to Realm section, type the name and password of a
user that has permission to create SPNs in the Kerberos realm in the User and
Password fields.
10. From the Create Provider section, select the groupnet the authentication
provider will reference from the Groupnet list.
11. From the Service Principal Name (SPN) Management area, select one of the
following options to be used for managing SPNs:
l Use recommended SPNs
l Manually associate SPNs
If you select this option, type at least one SPN in the format service/
principal@realm to manually associate it with the realm.
12. Click Create Provider and Join Realm.

Create an MIT Kerberos realm

An MIT Kerberos realm is an administrative domain that defines the boundaries within
which an authentication server has the authority to authenticate a user or service. You
can create a realm by defining a Key Distribution Center (KDC) and an administrative
server.
Procedure
1. Click Access > Authentication Providers > Kerberos Provider.
2. Click Create a Kerberos Realm.
3. In the Realm Name field, type a domain name in uppercase characters. For
example, CLUSTER-NAME.COMPANY.COM.
4. Select the Set as the default realm check box to set the realm as the default.
5. In the Key Distribution Centers (KDCs) field add one or more KDCs by
specifying the IPv4 address, IPv6 address, or the hostname of each server.
6. (Optional) In the Admin Server field, specify the IPv4 address, IPv6 address, or
hostname of the administration server, which will be fulfill the role of master
KDC. If you omit this step, the first KDC that you added previously is used as
the default administrative server.
7. (Optional) In the Default Domain field, specify the domain name to use for
translating the service principal names.

44 OneFS 8.1.2 Security Configuration Guide

 Authentication

8. Click Create Realm.

Create an MIT Kerberos provider and join a realm

You join a realm automatically as you create an MIT Kerberos provider. A realm defines
a domain within which the authentication for a specific user or service takes place.
Before you begin
You must be a member of the SecurityAdmin role to view and access the Create a
Kerberos Provider button and perform the tasks described in this procedure.
Procedure
1. Click Access > Authentication Providers > Kerberos Provider.
2. Click Create a Kerberos Provider.
3. In the User field, type a user name who has the permission to create service
principal names (SPNs) in the Kerberos realm.
4. In the Password field, type the password for the user.
5. From the Realm list, select the realm that you want to join. The realm must
already be configured on the system.
6. From the Groupnet list, select the groupnet the authentication provider will
reference.
7. From the Service Principal Name (SPN) Management area, select one of the
following options to be used for managing SPNs:
l Use recommended SPNs
l Manually associate SPNs
If you select this option, type at least one SPN in the format service/
principal@realm to manually associate it with the realm.
8. Click Create Provider and Join Realm.

Create an MIT Kerberos domain

You optionally create an MIT Kerberos domain to allow additional domain extensions to
be associated with an MIT Kerberos realm apart from the default domains.
Before you begin
You must be a member of the SecurityAdmin role to perform the tasks described in
this procedure.
Procedure
1. Click Access > Authentication Providers > Kerberos Provider.
2. Click Create a Kerberos Domain.
3. In the Domain field, specify a domain name which is typically a DNS suffix in
lowercase characters.
4. From the Realm list, select a realm that you have configured previously.
5. Click Create Domain.

File provider
A file provider enables you to supply an authoritative third-party source of user and
group information to an EMC Isilon cluster. A third-party source is useful in UNIX and

File provider 45
Authentication

Linux environments that synchronize /etc/passwd, /etc/group, and etc/

netgroup files across multiple servers.
Standard BSD /etc/spwd.db and /etc/group database files serve as the file
provider backing store on a cluster. You generate the spwd.db file by running the
pwd_mkdb command in the OneFS command-line interface (CLI). You can script
updates to the database files.
On an Isilon cluster, a file provider hashes passwords with libcrypt. For the best
security, we recommend that you use the Modular Crypt Format in the source /etc/
passwd file to determine the hashing algorithm. OneFS supports the following
algorithms for the Modular Crypt Format:
l MD5
l NT-Hash
l SHA-256
l SHA-512
For information about other available password formats, run the man 3 crypt
command in the CLI to view the crypt man pages.

Note

The built-in System file provider includes services to list, manage, and authenticate
against system accounts such as root, admin, and nobody. We recommended that you
do not modify the System file provider.

Configuring a file provider

You can add and configure a file provider in an access zone to add users and groups
and configure authentication.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about file provider authentication and additional file provider
management tasks.

Configure a file provider

You can configure one or more file providers, each with its own combination of
replacement files, for each access zone. You can specify replacement files for any
combination of users, groups, and netgroups.
Procedure
1. Click Access > Authentication Providers > File Provider.
2. Click Add a file provider.
3. In the File provider name field, type a name for the file provider.
4. To specify a user replacement file, in the Path to users file field, type or
browse to the location of the spwd.db file.
5. To specify a netgroup replacement file, in the Path to netgroups file field, type
or browse to the location of the netgroup file.
6. To specify a group replacement file, in the Path to groups file field, type or
browse to the location of the group file.
7. (Optional) Configure the following settings:

46 OneFS 8.1.2 Security Configuration Guide

 Authentication

Option Description
Authenticate users Specifies whether to allow the provider to respond to
from this provider authentication requests.
Create home Specifies whether to create a home directory the first
directories on first time a user logs in, if a home directory does not exist for
login the user.
Path to home Specifies the path to use as a template for naming home
directory directories. The path must begin with /ifs and can
contain expansion variables such as %U, which expand
to generate the home directory path for the user. For
more information, see the Home directories section of
the OneFS Web Administration Guide or the OneFS CLI
Administration Guide.
UNIX Shell Specifies the path to the user's login shell, for users who
access the file system through SSH.

8. Click Add File Provider.

Generate a password file

Password database files, which are also called user database files, must be in binary
format.
This procedure must be performed through the command-line interface (CLI). For
command-usage guidelines, run the man pwd_mkdb command.
Procedure
1. Establish an SSH connection to any node in the cluster.
2. Run the pwd_mkdb <file> command, where <file> is the location of the source
password file.

Note

By default, the binary password file, spwd.db, is created in the /etc directory.
You can override the location to store the spwd.db file by specifying the -d
option with a different target directory.

The following command generates an spwd.db file in the /etc directory from
a password file that is located at /ifs/test.passwd:

pwd_mkdb /ifs/test.passwd

The following command generates an spwd.db file in the /ifs directory from
a password file that is located at /ifs/test.passwd:

pwd_mkdb -d /ifs /ifs/test.passwd

Configuring a file provider 47

Authentication

Password file format

The file provider uses a binary password database file, spwd.db. You can generate a
binary password file from a master.passwd-formatted file by running the
pwd_mkdb command.
The master.passwd file contains ten colon-separated fields, as shown in the
following example:

admin:*:10:10::0:0:Web UI Administrator:/ifs/home/admin:/bin/zsh

The fields are defined below in the order in which they appear in the file.

Note

UNIX systems often define the passwd format as a subset of these fields, omitting
the Class, Change, and Expiry fields. To convert a file from passwd to
master.passwd format, add :0:0: between the GID field and the Gecos field.

Username
The user name. This field is case-sensitive. OneFS does not limit the length; many
applications truncate the name to 16 characters, however.

Password
The user’s encrypted password. If authentication is not required for the user, you
can substitute an asterisk (*) for a password. The asterisk character is
guaranteed to not match any password.

UID
The UNIX user identifier. This value must be a number in the range
0-4294967294 that is not reserved or already assigned to a user. Compatibility
issues occur if this value conflicts with an existing account's UID.

GID
The group identifier of the user’s primary group. All users are a member of at least
one group, which is used for access checks and can also be used when creating
files.

Class
This field is not supported by OneFS and should be left empty.

Change
OneFS does not support changing the passwords of users in the file provider. This
field is ignored.

Expiry
OneFS does not support the expiration of user accounts in the file provider. This
field is ignored.

Gecos
This field can store a variety of information but is usually used to store the user’s
full name.

Home
The absolute path to the user’s home directory, beginning at /ifs.

48 OneFS 8.1.2 Security Configuration Guide

 Authentication

Shell
The absolute path to the user’s shell. If this field is set to /sbin/nologin, the
user is denied command-line access.

Group file format

The file provider uses a group file in the format of the /etc/group file that exists on
most UNIX systems.
The group file consists of one or more lines containing four colon-separated fields, as
shown in the following example:

admin:*:10:root,admin

The fields are defined below in the order in which they appear in the file.
Group name
The name of the group. This field is case-sensitive. Although OneFS does not limit
the length of the group name, many applications truncate the name to 16
characters.

Password
This field is not supported by OneFS and should contain an asterisk (*).

GID
The UNIX group identifier. Valid values are any number in the range
0-4294967294 that is not reserved or already assigned to a group. Compatibility
issues occur if this value conflicts with an existing group's GID.

Group members
A comma-delimited list of user names.

Netgroup file format

A netgroup file consists of one or more netgroups, each of which can contain
members. Hosts, users, or domains, which are members of a netgroup, are specified in
a member triple. A netgroup can also contain another netgroup.
Each entry in a netgroup file consists of the netgroup name, followed by a space-
delimited set of member triples and nested netgroup names. If you specify a nested
netgroup, it must be defined on a separate line in the file.
A member triple takes the following form:

(<host>, <user>, <domain>)

Where <host> is a placeholder for a machine name, <user> is a placeholder for a user
name, and <domain> is a placeholder for a domain name. Any combination is valid
except an empty triple: (,,).

Configuring a file provider 49

Authentication

The following sample file contains two netgroups. The rootgrp netgroup contains four
hosts: two hosts are defined in member triples and two hosts are contained in the
nested othergrp netgroup, which is defined on the second line.

rootgrp (myserver, root, somedomain.com) (otherserver, root,

somedomain.com) othergrp
othergrp (other-win,, somedomain.com) (other-linux,, somedomain.com)

Note

A new line signifies a new netgroup. You can continue a long netgroup entry to the
next line by typing a backslash character (\) in the right-most position of the first line.

Local provider
The local provider provides authentication and lookup facilities for user accounts
added by an administrator.
Local authentication is useful when Active Directory, LDAP, or NIS directory services
are not configured or when a specific user or application needs access to the cluster.
Local groups can include built-in groups and Active Directory groups as members.
In addition to configuring network-based authentication sources, you can manage local
users and groups by configuring a local password policy for each node in the cluster.
OneFS settings specify password complexity, password age and re-use, and
password-attempt lockout policies.

Configuring local users and groups

When you create an access zone, the zone includes a local provider. You can create
and manage local users and groups in each local provider.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about local providers and user and group management tasks,
including how to create, modify, and delete local users and groups.

Naming rules for local users and groups

Local user and group names must follow naming rules in order to ensure proper
authentication and access to the EMC Isilon cluster.
You must adhere to the following naming rules when creating and modifying local
users and groups:
l The maximum name length is 104 characters. It is recommended that names do not
exceed 64 characters.
l Names cannot contain the following invalid characters:
"/\[]:;|=,+*?<>
l Names can contain any special character that is not in the list of invalid
characters. It is recommend that names do not contain spaces.
l Names are not case sensitive.

Configure or modify a local password policy

You can configure and modify a local password policy for a local provider.
This procedure must be performed through the command-line interface (CLI).

50 OneFS 8.1.2 Security Configuration Guide

 Authentication

Note

Separate password policies are configured for each access zone. Each access zone in
the cluster contains a separate instance of the local provider, which allows each
access zone to have its own list of local users who can authenticate. Password
complexity is configured for each local provider, not for each user.

Procedure
1. Establish an SSH connection to any node in the cluster.
2. (Optional) Run the following command to view the current password settings:

isi auth local view system

3. Run the isi auth local modify command, choosing from the parameters
described in Local password policy default settings.
The --password-complexity parameter must be specified for each setting.

isi auth local modify system --password-complexity=lowercase \

--password-complexity=uppercase -–password-
complexity=numeric \
--password-complexity=symbol

The following command configures a local password policy for a local provider:

isi auth local modify <provider-name> \

--min-password-length=20 \
--lockout-duration=20m \
--lockout-window=5m \
--lockout-threshold=5 \
--add-password-complexity=uppercase \
--add-password-complexity=numeric

Local password policy settings

You can configure local password policy settings and specify the default for each
setting through the isi auth local modify command. Password complexity
increases the number of possible passwords that an attacker must check before the
correct password is guessed.

Setting Description Comments

min-password-length Minimum password length Long passwords are best. The
in characters. minimum length should not be so
long that users have a difficult time
entering or remembering the
password.

password-complexity A list of cases that a new You can specify as many as four
password must contain. By cases. The following cases are valid:
default, the list is empty.
l uppercase

Configuring local users and groups 51

Authentication

Setting Description Comments

l lowercase
l numeric
l symbol (excluding # and @)

min-password-age The minimum password A minimum password age ensures

age. You can set this value that a user cannot enter a
using characters for units; temporary password and then
for example, 4W for 4 immediately change it to the
weeks, 2d for 2 Days. previous password. Attempts to
check or set a password before the
time expires are denied.

max-password-age The maximum password Attempts to login after a password

age. You can set this value expires forces a password change. If
using characters for units; a password change dialog cannot be
for example, 4W for 4 presented, the user is not allowed to
weeks, 2d for 2 Days. login.

password-history- The number of historical To avoid recycling of passwords,

length passwords to keep. New you can specify the number of
passwords are checked previous passwords to remember. If
against this list and a new password matches a
rejected if the password is remembered previous password, it is
already present. The max rejected.
history length is 24.

lockout-duration The length of time in After an account is locked, it is

seconds that an account is unavailable from all sources until it is
locked after a configurable unlocked. OneFS provides two
number of bad passwords configurable options to avoid
are entered. administrator interaction for every
locked account:
l Specify how much time must
elapse before the account is
unlocked.
l Automatically reset the
incorrect-password counter
after a specified time, in
seconds.

lockout-threshold The number of incorrect After an account is locked, it is

password attempts before unavailable from all sources until it is
an account is locked. A unlocked.
value of zero disables
account lockout.

lockout-window The time that elapses If the configured number of

before the incorrect incorrect password attempts is
password attempts count reached, the account is locked and
is reset. lockout-duration determines the
length of time that the account is
locked. A value of zero disables the
window.

52 OneFS 8.1.2 Security Configuration Guide

 Authentication

Certificates
All OneFS API communication, which includes communication through the web
administration interface, is over Transport Layer Security (TLS). You can renew the
TLS certificate for the OneFS web administration interface or replace it with a third-
party TLS certificate.
To replace or renew a TLS certificate, you must be logged in as root.

Note

OneFS defaults to the best supported version of TLS against the client request.

Replacing or renewing the TLS certificate

The Transport Layer Security (TLS) certificate is used to access the cluster through a
browser. The cluster initially contains a self-signed certificate for this purpose. You
can continue to use the existing self-signed certificate, or you can replace it with a
third-party certificate authority (CA)-issued certificate.
If you continue to use the self-signed certificate, you must replace it when it expires,
with either:
l A third-party (public or private) CA-issued certificate
l Another self-signed certificate that is generated on the cluster
The following folders are the default locations for the server.crt and server.key
files.
l TLS certificate: /usr/local/apache2/conf/ssl.crt/server.crt
l TLS certificate key: /usr/local/apache2/conf/ssl.key/server.key

Replace the TLS certificate with a third-party CA-issued certificate

This procedure describes how to replace the existing TLS certificate with a third-party
(public or private) certificate authority (CA)-issued TLS certificate.
Before you begin
When you request a TLS certificate from a certificate authority, you must provide
information about your organization. It is a good idea to determine this information in
advance, before you begin the process. See the TLS certificate data example section of
this chapter for details and examples of the required information.

Note

This procedure requires you to restart the isi_webui service, which restarts the web
administration interface. Therefore, it is recommended that you perform these steps
during a scheduled maintenance window.

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

Certificates 53
Authentication

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Make backup copies of the existing server.crt and server.key files by

running the following two commands:

cp /usr/local/apache2/conf/ssl.crt/server.crt \
/ifs/data/backup/server.crt.bak

cp /usr/local/apache2/conf/ssl.key/server.key \
/ifs/data/backup/server.crt.bak

Note

If files with the same names exist in the backup directory, either overwrite the
existing files, or, to save the old backups, rename the new files with a
timestamp or other identifier.

5. Create a working directory to hold the files while you complete this procedure:

mkdir /ifs/local

6. Set the permissions on the working directory to 700:

chmod 700 /ifs/local

7. Change to the working directory:

cd /ifs/local

8. Generate a new Certificate Signing Request (CSR) and a new key by running
the following command, where <common-name> is a name that you assign. This
name identifies the new .key and .csr files while you are working with them in
this procedure. Eventually, you will rename the files and copy them back to the
default location, and delete the files with the <common-name>. Although you
can choose any name for <common-name>, we recommend that you use the
name that you plan to enter as the Common Name for the new TLS certificate
(for example, the server FQDN or server name, such as
isilon.example.com). This enables you to distinguish the new files from the
original files.

openssl req -new -nodes -newkey rsa:1024 -keyout \

<common-name>.key -out <common-name>.csr

9. When prompted, type the information to be incorporated into the certificate

request.

54 OneFS 8.1.2 Security Configuration Guide

 Authentication

When you finish entering the information, the <common-name>.csr and

<common-name>.key files appear in the /ifs/local directory.
10. Send the contents of the <common-name>.csr file from the cluster to the
Certificate Authority (CA) for signing.
11. When you receive the signed certificate (now a .crt file) from the CA, copy
the certificate to /ifs/local/<common-name>.crt (where <common-
name> is the name you assigned earlier).
12. (Optional) To verify the attributes in the TLS certificate, run the following
command, where <common-name> is the name that you assigned earlier:

openssl x509 -text -noout -in <common-name>.crt

13. Run the following five commands to install the certificate and key, and restart
the isi_webui service. In the commands, replace <common-name> with the
name that you assigned earlier.

isi services -a isi_webui disable

chmod 640 <common name>.key

isi_for_array -s 'cp /ifs/local/<common-name>.key \

/usr/local/apache2/conf/ssl.key/server.key'

isi_for_array -s 'cp /ifs/local/<common-name>.crt \

/usr/local/apache2/conf/ssl.crt/server.crt'

isi services -a isi_webui enable

14. Verify that the installation succeeded. For instructions, see the Verify a TLS
certificate update section of this guide.
15. Delete the temporary working files from the /ifs/local directory:

rm /ifs/local/<common-name>.csr \
/ifs/local/<common-name>.key /ifs/local/<common-name>.crt

16. (Optional) Delete the backup files from the /ifs/data/backup directory:

rm /ifs/data/backup/server.crt.bak \
/ifs/data/backup/server.key.bak

Renew the self-signed TLS certificate

This procedure describes how to replace an expired self-signed TLS certificate by
generating a new certificate that is based on the existing (stock) server key.
Before you begin
When you generate a self-signed certificate, you must provide information about your
organization. It is a good idea to determine this information in advance, before you

Replacing or renewing the TLS certificate 55

Authentication

begin the process. See the TLS certificate data example section of this chapter for
details and examples of the required information.

Note

This procedure requires you to restart the isi_webui service, which restarts the web
administration interface. Therefore, it is recommended that you perform these steps
during a scheduled maintenance window.

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Make backup copies of the existing server.crt and server.key files by

running the following two commands:

cp /usr/local/apache2/conf/ssl.crt/server.crt \
/ifs/data/backup.bak

cp /usr/local/apache2/conf/ssl.key/server.key \
/ifs/data/backup.bak

Note

If files with the same names exist in the backup directory, either overwrite the
existing files, or, to save the old backups, rename the new files with a
timestamp or other identifier.

5. Create a working directory to hold the files while you complete this procedure:

mkdir /ifs/local/

6. Set the permissions on the working directory to 700:

chmod 700 /ifs/local

7. Change to the working directory:

cd /ifs/local/

56 OneFS 8.1.2 Security Configuration Guide

 Authentication

8. At the command prompt, run the following two commands to create a

certificate that will expire in 2 years (730 days). Increase or decrease the value
for -days to generate a certificate with a different expiration date.

cp /usr/local/apache2/conf/ssl.key/server.key ./

openssl req -new -days 730 -nodes -x509 -key \

server.key -out server.crt

Note

the -x509 value is a certificate format.

9. When prompted, type the information to be incorporated into the certificate

request.
When you finish entering the information, a renewal certificate is created, based
on the existing (stock) server key. The renewal certificate is named
server.crt and it appears in the /ifs/local directory.
10. (Optional) To verify the attributes in the TLS certificate, run the following
command:

openssl x509 -text -noout -in server.crt

11. Run the following five commands to install the certificate and key, and restart
the isi_webui service:

isi services -a isi_webui disable

chmod 640 server.key

isi_for_array -s 'cp /ifs/local/server.key \

/usr/local/apache2/conf/ssl.key/server.key'

isi_for_array -s 'cp /ifs/local/server.crt \

/usr/local/apache2/conf/ssl.crt/server.crt'

isi services -a isi_webui enable

12. Verify that the installation succeeded. For instructions, see the Verify a TLS
certificate update section of this guide.
13. Delete the temporary working files from the /ifs/local directory:

rm /ifs/local/<common-name>.csr \
/ifs/local/<common-name>.key /ifs/local/<common-name>.crt

Replacing or renewing the TLS certificate 57

Authentication

14. (Optional) Delete the backup files from the /ifs/data/backup directory:

rm /ifs/data/backup/server.crt.bak \
/ifs/data/backup/server.key.bak

Verify a TLS certificate update

You can verify the details that are stored in a Transport Layer Security (TLS)
certificate.
Procedure
1. Open a web browser window.
2. Browse to https://<common name>:8080, where <common name> is the
hostname for the OneFS web administration interface, such as
isilon.example.com.
3. In the security details for the web page, verify that the issuer, validity dates,
and subject are correct.

Note

The steps to view security details vary by browser. For example, in some
browsers, you can click the padlock icon in the address bar to view the security
details. Follow the steps that are specific to the browser.

TLS certificate data example

TLS certificate renewal or replacement requires you to provide data such as a fully
qualified domain name and a contact email address.
When you renew or replace a TLS certificate, you are asked to provide data in the
format that is shown in the following example:

You are about to be asked to enter information that will be

incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:System
AdministrationCommon Name (e.g. server FQDN or YOUR name)
[]:localhost.example.org
Email Address []:[email protected]

In addition, if you are requesting a third-party CA-issued certificate, you should

include additional attributes that are shown in the following example:

Please enter the following 'extra' attributes

to be sent with your certificate request

58 OneFS 8.1.2 Security Configuration Guide

 Authentication

A challenge password []:password

An optional company name []:Another Name

Cluster identity
You can specify identity attributes for an Isilon cluster.
Cluster name
The cluster name appears on the login page, and it makes the cluster and its
nodes more easily recognizable on your network. Each node in the cluster is
identified by the cluster name plus the node number. For example, the first node
in a cluster named Images may be named Images-1.

Note

In the case of IsilonSD Edge, you can assign a cluster name only through the
IsilonSD Management Plug-in. For more information, see the IsilonSD Edge
Installation and Administration Guide.

Cluster description
The cluster description appears below the cluster name on the login page. The
cluster description is useful if your environment has multiple clusters.

Login message
The login message appears as a separate box on the login page of the OneFS web
administration interface, or as a line of text under the cluster name in the OneFS
command-line interface. The login message can convey cluster information, login
instructions, or warnings that a user should know before logging into the cluster.
Set this information in the Cluster Identity page of the OneFS web
administration interface

Set the cluster name and contact information

You can specify a name, description, login message, and contact information for your
EMC Isilon cluster.
Cluster names must begin with a letter and can contain only numbers, letters, and
hyphens. If the cluster is joined to an Active Directory domain, the cluster name must
be 11 characters or fewer.
Procedure
1. Click Cluster Management > General Settings > Cluster Identity.
2. (Optional) In the Cluster Identity area, type a name for the cluster in the
Cluster Name field and type a description in the Cluster Description field.

Note

In the case of IsilonSD Edge, specify the cluster name through the IsilonSD
Management Plug-in within VMware vCenter. For more information, see the
IsilonSD Edge Installation and Administration Guide.

3. (Optional) In the Login Message area, type a title in the Message Title field
and a message in the Message Body field.

Cluster identity 59
Authentication

4. In the Contact Information area, enter the name and location of your company.
5. In the Primary Administrator Information area, enter the name, phone
numbers, and email address of the primary OneFS administrator for the cluster.
6. In the Secondary Administrator Information area, enter the name, phone
numbers, and email address of the secondary OneFS administrator for the
cluster.
7. Click Save Changes..
After you finish
You must add the cluster name to your DNS servers.

60 OneFS 8.1.2 Security Configuration Guide

CHAPTER 6
Identity management

This section contains the following topics:

l Identity management overview.......................................................................... 62

l Identity types..................................................................................................... 62
l Access tokens.................................................................................................... 63
l Access token generation.................................................................................... 64
l Configuring identity mapping............................................................................. 70
l Configuring user mapping................................................................................... 71

Identity management 61
Identity management

Identity management overview

In environments with several different types of directory services, OneFS maps the
users and groups from the separate services to provide a single unified identity on an
EMC Isilon cluster and uniform access control to files and directories, regardless of
the incoming protocol. This process is called identity mapping.
Isilon clusters are frequently deployed in multiprotocol environments with multiple
types of directory services, such as Active Directory and LDAP. When a user with
accounts in multiple directory services logs in to a cluster, OneFS combines the user’s
identities and privileges from all the directory services into a native access token.
You can configure OneFS settings to include a list of rules for access token
manipulation to control user identity and privileges. For example, you can set a user
mapping rule to merge an Active Directory identity and an LDAP identity into a single
token that works for access to files stored over both SMB and NFS. The token can
include groups from Active Directory and LDAP. The mapping rules that you create
can solve identity problems by manipulating access tokens in many ways, including the
following examples:
l Authenticate a user with Active Directory but give the user a UNIX identity.
l Select a primary group from competing choices in Active Directory or LDAP.
l Disallow login of users that do not exist in both Active Directory and LDAP.
For more information about identity management, see the white paper Managing
identities with the Isilon OneFS user mapping service at EMC Online Support.

Identity types
OneFS supports three primary identity types, each of which you can store directly on
the file system. Identity types are user identifier and group identifier for UNIX, and
security identifier for Windows.
When you log on to an EMC Isilon cluster, the user mapper expands your identity to
include your other identities from all the directory services, including Active Directory,
LDAP, and NIS. After OneFS maps your identities across the directory services, it
generates an access token that includes the identity information associated with your
accounts. A token includes the following identifiers:
l A UNIX user identifier (UID) and a group identifier (GID). A UID or GID is a 32-bit
number with a maximum value of 4,294,967,295.
l A security identifier (SID) for a Windows user account. A SID is a series of
authorities and sub-authorities ending with a 32-bit relative identifier (RID). Most
SIDs have the form S-1-5-21-<A>-<B>-<C>-<RID>, where <A>, <B>, and <C> are
specific to a domain or computer and <RID> denotes the object in the domain.
l A primary group SID for a Windows group account.
l A list of supplemental identities, including all groups in which the user is a member.
The token also contains privileges that stem from administrative role-based access
control.
On an Isilon cluster, a file contains permissions, which appear as an access control list
(ACL). The ACL controls access to directories, files, and other securable system
objects.
When a user tries to access a file, OneFS compares the identities in the user’s access
token with the file’s ACL. OneFS grants access when the file’s ACL includes an access

62 OneFS 8.1.2 Security Configuration Guide

 Identity management

control entry (ACE) that allows the identity in the token to access the file and that
does not include an ACE that denies the identity access. OneFS compares the access
token of a user with the ACL of a file.

Note

For more information about access control lists, including a description of the
permissions and how they correspond to POSIX mode bits, see the white paper titled
EMC Isilon Multiprotocol Data Access with a Unified Security Model on the EMC Online
Support web site.

When a name is provided as an identifier, it is converted into the corresponding user or

group object and the correct identity type. You can enter or display a name in various
ways:
l UNIX assumes unique case-sensitive namespaces for users and groups. For
example, Name and name represent different objects.
l Windows provides a single, case-insensitive namespace for all objects and also
specifies a prefix to target an Active Directory domain; for example, domain\name.
l Kerberos and NFSv4 define principals, which require names to be formatted the
same way as email addresses; for example, [email protected].
Multiple names can reference the same object. For example, given the name support
and the domain example.com, support, EXAMPLE\support and [email protected]
are all names for a single object in Active Directory.

Access tokens
An access token is created when the user first makes a request for access.
Access tokens represent who a user is when performing actions on the cluster and
supply the primary owner and group identities during file creation. Access tokens are
also compared against the ACL or mode bits during authorization checks.
During user authorization, OneFS compares the access token, which is generated
during the initial connection, with the authorization data on the file. All user and
identity mapping occurs during token generation; no mapping takes place during
permissions evaluation.
An access token includes all UIDs, GIDs, and SIDs for an identity, in addition to all
OneFS privileges. OneFS reads the information in the token to determine whether a
user has access to a resource. It is important that the token contains the correct list
of UIDs, GIDs, and SIDs. An access token is created from one of the following sources:

Source Authentication
Username l SMB impersonate user
l Kerberized NFSv3
l Kerberized NFSv4
l NFS export user mapping
l HTTP
l FTP
l HDFS

Access tokens 63
Identity management

Source Authentication
Privilege Attribute Certificate (PAC) l SMB NTLM
l Active Directory Kerberos

User identifier (UID) l NFS AUTH_SYS mapping

Access token generation

For most protocols, the access token is generated from the username or from the
authorization data that is retrieved during authentication.
The following steps present a simplified overview of the complex process through
which an access token is generated:
Step 1: User identity lookup
Using the initial identity, the user is looked up in all configured authentication
providers in the access zone, in the order in which they are listed. The user
identity and group list are retrieved from the authenticating provider. Next,
additional group memberships that are associated with the user and group list are
looked up for all other authentication providers. All of these SIDs, UIDs, or GIDs
are added to the initial token.

Note

An exception to this behavior occurs if the AD provider is configured to call other

providers, such as LDAP or NIS.

Step 2: ID mapping
The user's identifiers are associated across directory services. All SIDs are
converted to their equivalent UID/GID and vice versa. These ID mappings are also
added to the access token.

Step 3: User mapping

Access tokens from other directory services are combined. If the username
matches any user mapping rules, the rules are processed in order and the token is
updated accordingly.

Step 4: On-disk identity calculation

The default on-disk identity is calculated from the final token and the global
setting. These identities are used for newly created files.

ID mapping
The Identity (ID) mapping service maintains relationship information between mapped
Windows and UNIX identifiers to provide consistent access control across file sharing
protocols within an access zone.

Note

ID mapping and user mapping are different services, despite the similarity in names.

64 OneFS 8.1.2 Security Configuration Guide

 Identity management

During authentication, the authentication daemon requests identity mappings from the
ID mapping service in order to create access tokens. Upon request, the ID mapping
service returns Windows identifiers mapped to UNIX identifiers or UNIX identifiers
mapped to Windows identifiers. When a user authenticates to a cluster over NFS with
a UID or GID, the ID mapping service returns the mapped Windows SID, allowing
access to files that another user stored over SMB. When a user authenticates to the
cluster over SMB with a SID, the ID mapping service returns the mapped UNIX UID
and GID, allowing access to files that a UNIX client stored over NFS.
Mappings between UIDs or GIDs and SIDs are stored according to access zone in a
cluster-distributed database called the ID map. Each mapping in the ID map is stored
as a one-way relationship from the source to the target identity type. Two-way
mappings are stored as complementary one-way mappings.

Mapping Windows IDs to UNIX IDs

When a Windows user authenticates with an SID, the authentication daemon searches
the external Active Directory provider to look up the user or group associated with the
SID. If the user or group has only an SID in the Active Directory, the authentication
daemon requests a mapping from the ID mapping service.

Note

User and group lookups may be disabled or limited, depending on the Active Directory
settings. You enable user and group lookup settings through the isi auth ads
modify command.

If the ID mapping service does not locate and return a mapped UID or GID in the ID
map, the authentication daemon searches other external authentication providers
configured in the same access zone for a user that matches the same name as the
Active Directory user.
If a matching user name is found in another external provider, the authentication
daemon adds the matching user's UID or GID to the access token for the Active
Directory user, and the ID mapping service creates a mapping between the UID or GID
and the Active Directory user's SID in the ID map. This is referred to as an external
mapping.

Note

When an external mapping is stored in the ID map, the UID is specified as the on-disk
identity for that user. When the ID mapping service stores a generated mapping, the
SID is specified as the on-disk identity.

If a matching user name is not found in another external provider, the authentication
daemon assigns a UID or GID from the ID mapping range to the Active Directory user's
SID, and the ID mapping service stores the mapping in the ID map. This is referred to
as a generated mapping. The ID mapping range is a pool of UIDs and GIDs allocated in
the mapping settings.
After a mapping has been created for a user, the authentication daemon retrieves the
UID or GID stored in the ID map upon subsequent lookups for the user.

Mapping UNIX IDs to Windows IDs

The ID mapping service creates temporary UID-to-SID and GID-to-SID mappings only
if a mapping does not already exist. The UNIX SIDs that result from these mappings
are never stored on disk.
UIDs and GIDs have a set of predefined mappings to and from SIDs.

ID mapping 65
Identity management

If a UID-to-SID or GID-to-SID mapping is requested during authentication, the ID

mapping service generates a temporary UNIX SID in the format S-1-22-1-<UID> or
S-1-22-2-<GID> by applying the following rules:
l For UIDs, the ID mapping service generates a UNIX SID with a domain of S-1-22-1
and a resource ID (RID) matching the UID. For example, the UNIX SID for UID 600
is S-1-22-1-600.
l For GIDs, the ID mapping service generates a UNIX SID with a domain of S-1-22-2
and an RID matching the GID. For example, the UNIX SID for GID 800 is
S-1-22-2-800.

User mapping
User mapping provides a way to control permissions by specifying a user's security
identifiers, user identifiers, and group identifiers. OneFS uses the identifiers to check
file or group ownership.
With the user-mapping feature, you can apply rules to modify which user identity
OneFS uses, add supplemental user identities, and modify a user's group membership.
The user-mapping service combines a user’s identities from different directory
services into a single access token and then modifies it according to the rules that you
create.

Note

You can configure mapping rules on a per-zone basis. Mapping rules must be
configured separately in each access zone that uses them. OneFS maps users only
during login or protocol access.

Default user mappings

Default user mappings determine access if explicit user-mapping rules are not created.
If you do not configure rules, a user who authenticates with one directory service
receives the identity information in other directory services when the account names
are the same. For example, a user who authenticates with an Active Directory domain
as Desktop\jane automatically receives identities in the final access token for the
corresponding UNIX user account for jane from LDAP or NIS.
In the most common scenario, OneFS is connected to two directory services, Active
Directory and LDAP. In such a case, the default mapping provides a user with the
following identity attributes:
l A UID from LDAP
l The user SID from Active Directory
l An SID from the default group in Active Directory
The user's groups come from Active Directory and LDAP, with the LDAP groups and
the autogenerated group GID added to the list. To pull groups from LDAP, the
mapping service queries the memberUid attribute. The user’s home directory, gecos,
and shell come from Active Directory.

Elements of user-mapping rules

You combine operators with user names to create a user-mapping rule.
The following elements affect how the user mapper applies a rule:
l The operator, which determines the operation that a rule performs

66 OneFS 8.1.2 Security Configuration Guide

 Identity management

l Fields for usernames

l Options
l A parameter
l Wildcards

User-mapping best practices

You can follow best practices to simplify user mapping.
Use Active Directory with RFC 2307 and Windows Services for UNIX
Use Microsoft Active Directory with Windows Services for UNIX and RFC 2307
attributes to manage Linux, UNIX, and Windows systems. Integrating UNIX and
Linux systems with Active Directory centralizes identity management and eases
interoperability, reducing the need for user-mapping rules. Make sure your
domain controllers are running Windows Server 2003 or later.

Employ a consistent username strategy

The simplest configurations name users consistently, so that each UNIX user
corresponds to a similarly named Windows user. Such a convention allows rules
with wildcard characters to match names and map them without explicitly
specifying each pair of accounts.

Do not use overlapping ID ranges

In networks with multiple identity sources, such as LDAP and Active Directory
with RFC 2307 attributes, you should ensure that UID and GID ranges do not
overlap. It is also important that the range from which OneFS automatically
allocates UIDs and GIDs does not overlap with any other ID range. OneFS
automatically allocates UIDs and GIDs from the range 1,000,000-2,000,000. If
UIDs and GIDs overlap multiple directory services, some users might gain access
to other users’ directories and files.

Avoid common UIDs and GIDs

Do not include commonly used UIDs and GIDs in your ID ranges. For example,
UIDs and GIDs below 1000 are reserved for system accounts; do not assign them
to users or groups.

Do not use UPNs in mapping rules

You cannot use a user principal name (UPN) in a user mapping rule. A UPN is an
Active Directory domain and username that are combined into an Internet-style
name with an @ symbol, such as an email address: jane@example. If you include a
UPN in a rule, the mapping service ignores it and may return an error. Instead,
specify names in the format DOMAIN\user.com.

Group rules by type and order them

The system processes every mapping rule by default, which can present problems
when you apply a deny-all rule—for example, to deny access to all unknown
users. In addition, replacement rules might interact with rules that contain
wildcard characters. To minimize complexity, it is recommended that you group
rules by type and organize them in the following order:
1. Replacement rules: Specify all rules that replace an identity first to ensure
that OneFS replaces all instances of the identity.
2. Join, add, and insert rules: After the names are set by any replacement
operations, specify join, add, and insert rules to add extra identifiers.
3. Allow and deny rules: Specify rules that allow or deny access last.

User mapping 67
Identity management

Note

Stop all processing before applying a default deny rule. To do so, create a rule
that matches allowed users but does nothing, such as an add operator with no
field options, and has the break option. After enumerating the allowed users,
you can place a catchall deny at the end to replace anybody unmatched with
an empty user.

To prevent explicit rules from being skipped, in each group of rules, order explicit
rules before rules that contain wildcard characters.

Add the LDAP or NIS primary group to the supplemental groups

When an Isilon cluster is connected to Active Directory and LDAP, a best practice
is to add the LDAP primary group to the list of supplemental groups. This lets
OneFS honor group permissions on files created over NFS or migrated from other
UNIX storage systems. The same practice is advised when an Isilon cluster is
connected to both Active Directory and NIS.

On-disk identity
After the user mapper resolves a user's identities, OneFS determines an authoritative
identifier for it, which is the preferred on-disk identity.
OnesFS stores either UNIX or Windows identities in file metadata on disk. On-disk
identity types are UNIX, SID, and native. Identities are set when a file is created or a
file's access control data is modified. Almost all protocols require some level of
mapping to operate correctly, so choosing the preferred identity to store on disk is
important. You can configure OneFS to store either the UNIX or the Windows identity,
or you can allow OneFS to determine the optimal identity to store.
On-disk identity types are UNIX, SID, and native. Although you can change the type of
on-disk identity, the native identity is best for a network with UNIX and Windows
systems. In native on-disk identity mode, setting the UID as the on-disk identity
improves NFS performance.

Note

The SID on-disk identity is for a homogeneous network of Windows systems managed
only with Active Directory. When you upgrade from a version earlier than OneFS 6.5,
the on-disk identity is set to UNIX. When you upgrade from OneFS 6.5 or later, the
on-disk identity setting is preserved. On new installations, the on-disk identity is set to
native.

The native on-disk identity type allows the OneFS authentication daemon to select the
correct identity to store on disk by checking for the identity mapping types in the
following order:

Order Mapping type Description

1 Algorithmic mapping An SID that matches
S-1-22-1-UID or S-1-22-2-GID
in the internal ID mapping
database is converted back to
the corresponding UNIX
identity, and the UID and GID
are set as the on-disk identity.

68 OneFS 8.1.2 Security Configuration Guide

 Identity management

Order Mapping type Description

2 External mapping A user with an explicit UID
and GID defined in a directory
service (such as Active
Directory with RFC 2307
attributes, LDAP, NIS, or the
OneFS file provider or local
provider) has the UNIX
identity set as the on-disk
identity.

3 Persistent mapping Mappings are stored

persistently in the identity
mapper database. An identity
with a persistent mapping in
the identity mapper database
uses the destination of that
mapping as the on-disk
identity, which occurs
primarily with manual ID
mappings. For example, if
there is an ID mapping of GID:
10000 to S-1-5-32-545, a
request for the on-disk
storage of GID:10000 returns
S-1-5-32-545.

4 No mapping If a user lacks a UID or GID

even after querying the other
directory services and identity
databases, its SID is set as
the on-disk identity. In
addition, to make sure a user
can access files over NFS,
OneFS allocates a UID and
GID from a preset range of
1,000,000 to 2,000,000. In
native on-disk identity mode,
a UID or GID that OneFS
generates is never set as the
on-disk identity.

Note

If you change the on-disk identity type, you should run the PermissionRepair job with
the Convert repair type selected to make sure that the disk representation of all files
is consistent with the changed setting. For more information, see the Run the
PermissionRepair job section.

On-disk identity 69
Identity management

Configuring identity mapping

You can create and manage identity mappings to maintain relationship information
between Windows and UNIX identifiers.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about identity mapping and additional identity mapping management
tasks.

Create an identity mapping

You can create a manual identity mapping between source and target identities or
automatically generate a mapping for a source identity.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping create command.
The following command specifies IDs of source and target identities in the
zone3 access zone to create a two-way mapping between the identities:

isi auth mapping create --2way --source-sid=S-1-5-21-12345 \

--target-uid=5211 --zone=zone3

Configure identity mapping settings

You can enable or disable automatic allocation of UIDs and GIDS and customize the
range of ID values in each access zone. The default range is 1000000–2000000.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth settings mapping modify command.
The following command enables automatic allocation of both UIDs and GIDs in
the zone3 access zone and sets their allocation ranges to 25000–50000:

isi auth settings mapping modify --gid-range-enabled=yes \

--gid-range-min=25000 --gid-range-max=50000 --uid-range-
enabled=yes \
--uid-range-min=25000 --uid-range-max=50000 --zone=zone3

ID mapping ranges
In access zones with multiple external authentication providers, such as Active
Directory and LDAP, it is important that the UIDs and GIDs from different providers
that are configured in the same access zone do not overlap. Overlapping UIDs and
GIDs between providers within an access zone might result in some users gaining
access to other users' directories and files.
The range of UIDs and GIDs that can be allocated for generated mappings is
configurable in each access zone through the isi auth settings mappings

70 OneFS 8.1.2 Security Configuration Guide

 Identity management

modify command. The default range for both UIDs and GIDs is 1000000–2000000 in
each access zone.
Do not include commonly used UIDs and GIDs in your ID ranges. For example, UIDs and
GIDs below 1000 are reserved for system accounts and should not be assigned to
users or groups.

Configuring user mapping

You can create and manage user mappings to specify the security, user, and group
identifiers for specific users.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about user mapping and additional user mapping management tasks.

Create a user-mapping rule

You can create a user-mapping rule to manage user identities.
Procedure
1. Click Access > Membership & Roles > User Mapping.
2. From the Current Access Zone list, select an access zone that contains the
rules you want to manage, and then click Edit User Mapping Rules.
The Edit User Mapping Rules dialog box appears.
3. Click Create a User Mapping Rule.
The Create a User Mapping Rule dialog box appears.
4. From the Operation list, select an operation.
Depending on your selection, the Create a User Mapping Rule displays
additional fields.
5. Fill in the fields as needed.
6. Click Add Rule to save the rule and return to the Edit User Mapping Rules
dialog box.
7. In the User Mapping Rules area, click the title bar of a rule and drag it to a new
position to change the position of a rule in the list.
Rules are applied in the order they are listed. To ensure that each rule gets
processed, list replacement rules first and list allow or deny rules at the end.
8. If the access token is not associated with a default UNIX user or if the default
UNIX user does not have a primary UID or GID, select one of the following
options for authentication:
l Generate a primary UID or GID from the reserved range of UIDs and GIDs
l Deny access to the user
l Assign another user as the default UNIX user

Note

It is recommended that you assign a user from the well-known account that
has a read-only access.

9. Click Save Changes.

Configuring user mapping 71

Identity management

Mapping rule options

Mapping rules can contain options that target the fields of an access token.
A field represents an aspect of a cross-domain access token, such as the primary UID
and primary user SID from a user that you select. You can see some of the fields in the
OneFS web administration interface. User in the web administration interface is the
same as username. You can also see fields in an access token by running the command
isi auth mapping token.
When you create a rule, you can add an option to manipulate how OneFS combines
aspects of two identities into a single token. For example, an option can force OneFS
to append the supplement groups to a token.
A token includes the following fields that you can manipulate with user mapping rules:
l username
l unix_name
l primary_uid
l primary_user_sid
l primary_gid
l primary_group_sid
l additional_ids (includes supplemental groups)
Options control how a rule combines identity information in a token. The break option
is the exception: It stops OneFS from processing additional rules.
Although several options can apply to a rule, not all options apply to all operators. The
following table describes the effect of each option and the operators that they work
with.

Option Operator Description

user insert, append Copies the primary UID and
primary user SID, if they exist,
to the token.

groups insert, append Copies the primary GID and

primary group SID, if they
exist, to the token.

groups insert, append Copies all the additional

identifiers to the token. The
additional identifiers exclude
the primary UID, the primary
GID, the primary user SID,
and the primary group SID.

default_user all operators except remove If the mapping service fails to

groups find the second user in a rule,
the service tries to find the
username of the default user.
The name of the default user
cannot include wildcards.
When you set the option for
the default user in a rule with
the command-line interface,

72 OneFS 8.1.2 Security Configuration Guide

 Identity management

Option Operator Description

you must set it with an
underscore: default_user.

break all operators Stops the mapping service

from applying rules that
follow the insertion point of
the break option. The
mapping service generates
the final token at the point of
the break.

Mapping rule operators

The operator determines what a mapping rule does.
You can create user-mapping rules through either the web-administration interface,
where the operators are spelled out in a list, or from the command-line interface.
When you create a mapping rule with the OneFS command-line interface (CLI), you
must specify an operator with a symbol. The operator affects the direction in which
the mapping service processes a rule. For more information about creating a mapping
rule, see the white paper Managing identities with the Isilon OneFS user mapping service.
The following table describes the operators that you can use in a mapping rule.
A mapping rule can contain only one operator.

Operator Web interface CLI Direction Description

append Append fields ++ Left-to-right Modifies an
from a user access token by
adding fields to
it. The mapping
service appends
the fields that
are specified in
the list of options
(user, group,
groups) to the
first identity in
the rule. The
fields are copied
from the second
identity in the
rule. All
appended
identifiers
become
members of the
additional groups
list. An append
rule without an
option performs
only a lookup
operation; you
must include an

Mapping rule operators 73

Identity management

Operator Web interface CLI Direction Description

option to alter a
token.

insert Insert fields += Left-to-right Modifies an

from a user existing access
token by adding
fields to it. Fields
specified in the
options list (user,
group, groups)
are copied from
the new identity
and inserted into
the identity in
the token. When
the rule inserts a
primary user or
primary group, it
become the new
primary user and
primary group in
the token. The
previous primary
user and primary
group move to
the additional
identifiers list.
Modifying the
primary user
leaves the
token’s
username
unchanged.
When inserting
the additional
groups from an
identity, the
service adds the
new groups to
the existing
groups.

replace Replace one => Left-to-right Removes the

user with a token and
different user replaces it with
the new token
that is identified
by the second
username. If the
second username
is empty, the
mapping service
removes the first
username in the

74 OneFS 8.1.2 Security Configuration Guide

 Identity management

Operator Web interface CLI Direction Description

token, leaving no
username. If a
token contains
no username,
OneFS denies
access with a no
such user
error.

remove groups Remove -- Unary Modifies a token

supplemental by removing the
groups from a supplemental
user groups.

join Join two users &= Bidirectional Inserts the new

together identity into the
token. If the new
identity is the
second user, the
mapping service
inserts it after
the existing
identity;
otherwise, the
service inserts it
before the
existing identity.
The location of
the insertion
point is relevant
when the
existing identity
is already the
first in the list
because OneFS
uses the first
identity to
determine the
ownership of
new file system
objects.

Mapping rule operators 75

Identity management

76 OneFS 8.1.2 Security Configuration Guide

CHAPTER 7
Network security

This section contains the following topics:

l Network port usage............................................................................................78

l OneFS services.................................................................................................. 84
l Data-access protocols....................................................................................... 86
l FTP.................................................................................................................... 87
l About Hadoop.................................................................................................... 88
l HTTP and HTTPS.............................................................................................. 94
l NFS....................................................................................................................96
l SMB................................................................................................................. 102

Network security 77
Network security

Network port usage

Standardized protocols enable other computers to exchange data with OneFS.
The TCP/IP protocol suite uses numbered ports to describe the communication
channel within the protocol. Generally, the OneFS system uses a well-known port for
receiving incoming data. That ephemeral port number is used by the client to send
data. Port numbers and IP addresses are included in a data packet, which enables
other systems to make determinations about the data stream. TCP and UDP protocols
within the TCP/IP suite use ports that range from 1 to 65535.
Port numbers are assigned and maintained by the Internet Assigned Numbers
Authority (IANA) and are divided into three ranges:
1. Well-known ports, ranging from 0 to 1023.
2. Registered ports, ranging from 1024 to 49151.
3. Dynamic or private ports, ranging from 49152 to 65535.
Protocols support both IPv4 and IPv6 addresses except where noted.

Note

As a security best practice, you should use an external firewall to limit access to the
cluster to only those trusted clients and servers that require access. Allow restricted
access only to ports that are required for communication. Block access to all other
ports.

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on
20 ftp-data TCP External/ l FTP access FTP access is Disabled
Outbound (disabled by unavailable.
default)
l Data channel for
FTP service

21 ftp TCP External/ l FTP access FTP access is Disabled

Inbound unavailable.
l Control channel for
FTP access

22 ssh TCP External/ l SSH login service SSH secure shell Enabled
Inbound access is
l EMC Secure unavailable.
Remote Support
console
management

78 OneFS 8.1.2 Security Configuration Guide

 Network security

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on

Note

EMC Secure
Remote Support
does not support
IPv6.

23 telnet TCP External/ Telnet: telnetd Telnet access to Disabled

Inbound OneFS is
unavailable.

25 smtp TCP External/ Email deliveries Outbound email Disabled

Outbound alerts from
OneFS are
unavailable.

53 domain TCP/UDP External/ Domain Name Service SmartConnect is Disabled

Outbound requests unavailable.

53 domain UDP External/ Domain Name Service l SmartConne Disabled

Inbound caching resolver ct is
running on localhost unavailable.
only
l All non-local
identity
services are
affected or
degraded.

80 http TCP External/ HTTP for file access HTTP access to Disabled
Inbound files is
unavailable.

88 kerberos TCP/UDP External/ Kerberos Kerberos Disabled

Outbound authentication services authentication is
that are used to unavailable.
authenticate users
against Microsoft
Active Directory
domains

111 rpc.bind TCP/UDP External/ ONC RPC portmapper Cannot be Enabled

Inbound that is used to locate closed; disrupts
isi_cbind_d services such as NFS, core
mountd, and functionality.
isi_cbind_d

123 ntp UDP External/ Network Time Protocol Cluster time Enabled
Outbound used to synchronize cannot be
host clocks within the synchronized
cluster with an external
NTP time source.

Network port usage 79

Network security

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on
135 dcerpc TCP External/ RPC Endpoint mapper Witness Enabled
Inbound service connections for
SMB continuous
availability are
not established.

137 netbios-ns UDP External/ NetBIOS Name Service Disables services Disabled
Inbound that provides legacy that are related
SMB1 access for pre- to SMB.
Windows 2000 clients

138 netbios-gdm UDP External/ NetBIOS Datagram Disables services Disabled

Inbound Service that provides that are related
legacy SMB1 access for to SMB.
pre-Windows 2000
clients

139 netbios-ssn TCP External/ NetBIOS Session Clients that rely Disabled
Inbound Service that provides on NBSS are not
legacy SMB1 access for able to connect
pre-Windows 2000 to the server.
clients

161 snmp UDP External/ Simple Network SNMP Enabled

Inbound Management Protocol communications
support. Typically, are not available.
agents listen on port
161.

162 snmptrap UDP External/ Simple Network SNMP Enabled

Inbound Management Protocol communications
support. Typically, are not available.
asynchronous traps are
received on port 162.

300 mountd TCP/UDP External/ NFSv3 mount service NFSv3 mount Enabled
Inbound service is not
available.

302 statd TCP/UDP External/ NFS Network Status The NSM service Enabled
Inbound Monitor (NSM) is not available.

304 lockd TCP/UDP External/ NFS Network Lock The NLM service Enabled
Inbound Manager (NLM) is not available.

389 ldap TCP External/ LDAP Directory service Non-secure Disabled

Outbound queries that are used LDAP
by OneFS Identity authentication
services queries are
unavailable.
Secure LDAP is

80 OneFS 8.1.2 Security Configuration Guide

 Network security

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on
configurable as
an alternative.

389 ldap UDP External/ Microsoft Active The cluster Disabled

Outbound Directory domain cannot perform
location requests user or group
lookups or
authentications
against LDAP or
Active Directory.

443 https TCP External/ Access to the /ifs The /ifs Disabled
Inbound directory. directory is not
available.

445 microsoft-ds TCP External/ SMB server SMB Disabled

Outbound communication is
not available.

445 microsoft-ds TCP External/ SMB server SMB Enabled

Inbound communication is
not available.

585 hdfs (datanode) TCP (IPv4 only) External/ HDFS (Hadoop file HDFS is Disabled
Inbound system) unavailable.

623 n/a TCP/UDP External/ IPMI daemon IPMI is Enabled

Inbound unavailable.

636 ldap TCP External/ l LDAP Directory LDAP is Disabled

Outbound service queries that unavailable.
are used by OneFS
Identity services
l Default port for
LDAPS

664 n/a TCP/UDP External/ IPMI daemon IPMI is Enabled

Inbound unavailable.

989 ftps-data TCP External/ l Secure FTP access Secure FTP Disabled
(implicit) Outbound (disabled by access is
default) unavailable.

l Secure data
channel for FTP
service

990 ftps (implicit) TCP External/ l Secure FTP access Secure FTP Disabled
Inbound access is
l Control channel for unavailable.
FTP access

Network port usage 81

Network security

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on
2049 nfs TCP/UDP External/ Network File Service The NFS server Enabled
Inbound (NFS) server and all related
NFS services
(including mount,
NSM, and NLM)
are not available.
NFS is an
important
component of the
OneFS
interaction, even
if no NFS exports
are visible
externally.

2097 n/a TCP External/ SyncIQ: SyncIQ is Disabled

Inbound isi_migr_pworker unavailable.

2098 n/a TCP External/ SyncIQ: SyncIQ is Disabled

Inbound isi_migr_pworker unavailable.

3148 n/a TCP External/ SyncIQ: SyncIQ is Disabled

Inbound isi_migr_bandwidth unavailable.

3149 n/a TCP External/ SyncIQ: SyncIQ is Disabled

Inbound isi_migr_bandwidth unavailable.

3268 n/a TCP External/ Microsoft Active Some forms of Disabled

Outbound Directory global catalog Active Directory
search requests used authentication
when joined to an might not work,
Active Directory depending on the
domain configuration.

5019 ifs TCP External/ Isilon file system Intra-cluster Enabled

Inbound communication is
not available.

5055 n/a UDP External/ SmartConnect SmartConnect is Enabled

Inbound unavailable.

5666 n/a TCP External/ SyncIQ: SyncIQ is Disabled

Inbound isi_migr_sworker unavailable.

5667 n/a TCP External/ SyncIQ: SyncIQ is Disabled

Inbound isi_migr_sworker unavailable.

6557 n/a TCP External/ Performance collector Performance Disabled

Inbound collection and
analysis is
unavailable.

82 OneFS 8.1.2 Security Configuration Guide

 Network security

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on
8020 hdfs TCP (IPv4 only) External/ HDFS (Hadoop file HDFS is Disabled
(namenode) Inbound system) unavailable.

8080 n/a TCP (IPv4 only) External/ l OneFS web l HTTPS Disabled
Inbound administration access to the
interface web
administratio
l OneFS API
n interface is
l WebHDFS unavailable.
l HTTPS l OneFS API is
unavailable.
l HTTPS
access to
WebHDFS is
unavailable.

8081 VASA TCP External/ l VASA vCenter plug-in Disabled

Inbound for VMware
l HTTPS integrations is
unavailable.

8082 n/a TCP (IPv4 only) External/ WebHDFS over HTTP Access to HDFS Disabled
Inbound data is
unavailable
through
WebHDFS.

8083 httpd TCP External/ Swift protocol access Swift protocol Enabled
Inbound access is
unavailable.

8440 Ambari agent TCP (IPv4 only) External/ Handshake from Ambari Agent is Disabled
Outbound Ambari agent to Ambari unavailable to
server. monitor and
report status of
HDFS access
zone.

8441 Ambari agent TCP (IPv4 only) External/ Heartbeat status from Ambari Agent is Disabled
Outbound Ambari agent to Ambari unavailable to
server. monitor and
report status of
HDFS access
zone.

8470 n/a TCP External/ SyncIQ: isi_replicate SyncIQ is Disabled

Inbound unavailable.

8649 gmond TCP/ UDP External/ Ganglia monitoring Ganglia Disabled

Inbound monitoring is
unavailable.

Network port usage 83

Network security

Port Service name Protocol Type/ Usage and Effect if Enabled

Connection description closed or
disabled
on
installati
on
9443 isi_esrs_d TCP External/ EMC Secure Remote EMC Secure Disabled
Outbound Support outbound Remote Support
alerts is unable to send
alerts, log
gathers, and
other event data
to EMC Isilon
Technical
Support.

10000 NDMP TCP External/ Network data NDMP backup is Disabled

Inbound management for disabled.
backup

15100 n/a TCP External/ Isilon upgrade daemon Cluster reimages Disabled
Inbound are unavailable.

28080 lwswift TCP External/ Swift protocol access Swift protocol Enabled
Inbound access is
unavailable.

OneFS services
To improve OneFS security, you should restrict access to the OneFS cluster by
disabling network services that you do not use.

Note

There are some services that you should not disable, because doing so could have a
detrimental effect on cluster operations. The list in this section includes only those
services that can be disabled without disrupting other operations on the cluster. This
list does not include all of the network services available on OneFS.

You can disable network services by running the following command, where <service>
is the name of the service to disable:

isi services -a <service> disable

Disable the following services when they are not in use:

Service Service Service function Corresponding Default setting

name description daemons
apache2 Apache2 Web Connects to the Apache web httpd Enabled
Server server.
Disabling apache2 disables file
sharing over HTTP/HTTPS, but the

84 OneFS 8.1.2 Security Configuration Guide

 Network security

Service Service Service function Corresponding Default setting

name description daemons
OneFS web interface is still
available.

hdfs HDFS Server Connects to Hadoop Distributed lw-container hdfs Disabled

File System (HDFS).

isi_migrate SyncIQ Service Replicates data from one Isilon l isi_migr_sched Enabled
cluster (source) to another cluster
(target).
l isi_migrate
l isi_migr_bandwidth
l isi_migr_pworker
l isi_migr_sworker

isi_object_d Isilon Object Services OneFS API requests. isi_object_d Enabled

Interface

isi_vasa_d The Isilon VMware Allows virtual machine (VM) isi_vasa_d Disabled
vSphere API for administrators to deploy VMs based
Storage Awareness on storage capabilities. OneFS
(VASA) Provider communicates with VMware
Daemon vSphere through VASA.

isi_vc_d The Isilon for Processes tasks that are sent from isi_vc_d Disabled
vCenter Job the NAS plugin that is installed on
Daemon the ESXi server to the gconfig
database.

lwswift Swift Server Enables you to access file-based lw-container lwswift Disabled
data that is stored on the cluster as
objects. The Swift API is
implemented as a set of
Representational State Transfer
(REST) web services over HTTP or
secure HTTP (HTTPS). Content
and metadata can be ingested as
objects and concurrently accessed
through other supported EMC Isilon
protocols. For more information,
see the Isilon Swift Technical Note.

ndmpd Network Data Backs up and restores services. isi_ndmp_d Disabled

Management
Protocol Daemon

nfs NFS Server Manages Network File System l isi_netgroup_d Enabled

(NFS) protocol settings.
l mountd
l gssd
l nfsd
l rpc.statd
l rpc.locked

smb SMB Service Connects to the Server Message l srv Enabled

Block (SMB) server through the

OneFS services 85
Network security

Service Service Service function Corresponding Default setting

name description daemons
Server Service Remote Protocol l rdr
(srvsvc).
l srvsvc

snmp SNMP Server Connects to the Simple Network snmpd Enabled

Management Protocol (SNMP)
server.

telnetd Telnet Server Connects to the Telnet server. telnetd Disabled

vsftpd VSFTPD Server Connects to the Very Secure FTP vsftpd Disabled
(VSFTPD) server.

Data-access protocols
With the OneFS operating system, you can access data with multiple file-sharing and
transfer protocols. As a result, Microsoft Windows, UNIX, Linux, and Mac OS X clients
can share the same directories and files.

Note

As a security best practice, we recommend that you disable or place restrictions on all
protocols that you do not plan to support. For instructions, see the Best practices for
data-access protocols section of this guide.

OneFS supports the following protocols:

SMB
The Server Message Block (SMB) protocol enables Windows users to access the
cluster. OneFS works with SMB 1, SMB 2, and SMB 2.1, as well as SMB 3.0 for
Multichannel only. With SMB 2.1, OneFS supports client opportunity locks
(oplocks) and large (1 MB) MTU sizes. The default file share is /ifs.

NFS
The Network File System (NFS) protocol enables UNIX, Linux, and Mac OS X
systems to remotely mount any subdirectory, including subdirectories created by
Windows users. OneFS works with NFS versions 3 and 4. The default export is /
ifs.

HDFS
The Hadoop Distributed File System (HDFS) protocol enables a cluster to work
with Apache Hadoop, a framework for data-intensive distributed applications.
HDFS integration requires you to activate a separate license.

FTP
FTP allows systems with an FTP client to connect to the cluster and exchange
files.

HTTP and HTTPS

HTTP and its secure variant, HTTPS, give systems browser-based access to
resources. OneFS includes limited support for WebDAV.

86 OneFS 8.1.2 Security Configuration Guide

 Network security

Swift
Swift enables you to access file-based data stored on your EMC Isilon cluster as
objects. The Swift API is implemented as a set of Representational State Transfer
(REST) web services over HTTP or secure HTTP (HTTPS). Content and
metadata can be ingested as objects and concurrently accessed through other
supported EMC Isilon protocols. For more information, see the Isilon Swift
Technical Note.

Mixed protocol environments

The /ifs directory is the root directory for all file system data in the cluster, serving
as an SMB share, an NFS export, and a document root directory. You can create
additional shares and exports within the /ifs directory tree. You can configure your
OneFS cluster to use SMB or NFS exclusively, or both. You can also enable HTTP,
FTP, and SSH.
Access rights are consistently enforced across access protocols on all security
models. A user is granted or denied the same rights to a file whether using SMB or
NFS. Clusters running OneFS support a set of global policy settings that enable you to
customize the default access control list (ACL) and UNIX permissions settings.
OneFS is configured with standard UNIX permissions on the file tree. Through
Windows Explorer or OneFS administrative tools, you can give any file or directory an
ACL. In addition to Windows domain users and groups, ACLs in OneFS can include
local, NIS, and LDAP users and groups. After a file is given an ACL, the mode bits are
no longer enforced and exist only as an estimate of the effective permissions.

Note

We recommend that you configure ACL and UNIX permissions only if you fully
understand how they interact with one another.

FTP
OneFS includes a secure FTP service called vsftpd, which stands for Very Secure FTP
Daemon, that you can configure for standard FTP and FTPS file transfers.

Enable and configure FTP file sharing

You can set the FTP service to allow any node in the cluster to respond to FTP
requests through a standard user account.
You can enable the transfer of files between remote FTP servers and enable
anonymous FTP service on the root by creating a local user named "anonymous" or
"ftp".
When configuring FTP access, ensure that the specified FTP root is the home
directory of the user who logs in. For example, the FTP root for local user jsmith
should be ifs/home/jsmith.
Procedure
1. Click Protocols > FTP Settings.
2. In the Service area, select Enable FTP service.
3. In the Settings area, select one or more of the following options:

Mixed protocol environments 87

Network security

Option Description
Enable anonymous Allow users with "anonymous" or "ftp" as the user name
access to access files and directories without requiring
authentication. This setting is disabled by default.
Enable local access Allow local users to access files and directories with their
local user name and password, allowing them to upload
files directly through the file system. This setting is
enabled by default.
Enable server-to- Allow files to be transferred between two remote FTP
server transfers servers. This setting is disabled by default.

4. Click Save Changes.

FTP security
The FTP service is disabled by default. You can set the FTP service to allow any node
in the cluster to respond to FTP requests through a standard user account.
When configuring FTP access, ensure that the specified FTP root is the home
directory of the user who logs in. For example, the FTP root for local user jsmith
should be ifshome/jsmith. You can enable the transfer of files between remote
FTP servers and enable anonymous FTP service on the root by creating a local user
named anonymous or ftp.

CAUTION

The FTP service supports cleartext authentication. If you enable the FTP service,
the remote FTP server allows the user's name and password to be transmitted in
cleartext and authentication credentials might be intercepted. If you must use
FTP, we recommend that you enable TLS on the FTP service, and then connect
with an FTP client that supports TLS.
To enable TLS on the FTP service, you must change the <ssl_enable> property
in the /etc/mcp/sys/vsftpd_config.xml file on each node to the following
configuration:

<ssl_enable default="NO">YES<isi-meta-tag id="ssl_enable" can-mod-

text="yes"/></ssl_enable>

About Hadoop
Hadoop is an open-source platform that runs analytics on large sets of data across a
distributed file system.
In a Hadoop implementation on an Isilon cluster, OneFS acts as the distributed file
system and HDFS is supported as a native protocol. Clients from a Hadoop cluster
connect to the Isilon cluster through the HDFS protocol to manage and process data.
Hadoop support on the cluster requires you to activate an HDFS license. To obtain a
license, contact your Isilon sales representative.

88 OneFS 8.1.2 Security Configuration Guide

 Network security

How Hadoop is implemented on OneFS

In a Hadoop implementation on an Isilon cluster, Isilon OneFS serves as the file system
for Hadoop compute clients. The Hadoop distributed file system (HDFS) is supported
as a protocol, which is used by Hadoop compute clients to access data on the HDFS
storage layer.
Hadoop compute clients can access the data that is stored on an Isilon cluster by
connecting to any node over the HDFS protocol, and all nodes that are configured for
HDFS provide NameNode and DataNode functionality as shown in the following
illustration.
Figure 2 EMC Isilon Hadoop Deployment

Each node boosts performance and expands the cluster's capacity. For Hadoop
analytics, the Isilon scale-out distributed architecture minimizes bottlenecks, rapidly
serves Big Data, and optimizes performance.
How an Isilon OneFS Hadoop implementation differs from a traditional Hadoop
deployment
A Hadoop implementation with OneFS differs from a typical Hadoop implementation in
the following ways:
l The Hadoop compute and HDFS storage layers are on separate clusters instead of
the same cluster.
l Instead of storing data within a Hadoop distributed file system, the storage layer
functionality is fulfilled by OneFS on an Isilon cluster. Nodes on the Isilon cluster
function as both a NameNode and a DataNode.

How Hadoop is implemented on OneFS 89

Network security

l The compute layer is established on a Hadoop compute cluster that is separate

from the Isilon cluster. The Hadoop MapReduce framework and its components
are installed on the Hadoop compute cluster only.
l Instead of a storage layer, HDFS is implemented on OneFS as a native, lightweight
protocol layer between the Isilon cluster and the Hadoop compute cluster. Clients
from the Hadoop compute cluster connect over HDFS to access data on the Isilon
cluster.
l In addition to HDFS, clients from the Hadoop compute cluster can connect to the
Isilon cluster over any protocol that OneFS supports such as NFS, SMB, FTP, and
HTTP. Isilon OneFS is the only non-standard implementation of HDFS offered that
allows for multi-protocol access. Isilon makes for an ideal alternative storage
system to native HDFS by marrying HDFS services with enterprise-grade data
management features.
l Hadoop compute clients can connect to any node on the Isilon cluster that
functions as a NameNode instead of being routed by a single NameNode.

Configuring HDFS
You can configure global and access zone-level settings for HDFS that specify the
behavior of Hadoop client connections through the HDFS protocol.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about HDFS and additional HDFS management tasks.

HDFS authentication methods

When a Hadoop compute client connects to the Isilon cluster through an access zone,
the client must authenticate with the method specified for that access zone.
HDFS supports simple authentication, Kerberos authentication, or both. By default,
HDFS accepts both simple and Kerberos authentication.

Set the HDFS authentication method (Web UI)

Configure the HDFS authentication method in each access zone using the OneFS web
administration interface.
Before you begin
If you want to Hadoop clients to connect to an access zone through Kerberos, a
Kerberos authentication provider must be configured and added to the access zone.
Procedure
1. Click Protocols > Hadoop (HDFS) > Settings.
2. In the Current Access Zone list, select the access zone that you want to
specify the authentication method for.
3. In the HDFS Protocol Settings area, in the Authentication Type list, select
one of the following authentication methods:
l Both Simple and Kerberos authentication
l Simple authentication
l Kerberos authentication
4. Click Save Changes.

90 OneFS 8.1.2 Security Configuration Guide

 Network security

Configure Kerberos authentication for Hadoop clients (CLI)

If you want Hadoop compute clients running Hadoop 2.2 and later to connect to an
access zone through Kerberos, you must modify the core-site.xml and hdfs-
site.xml files on the Hadoop clients.
Before you begin
Kerberos must be set as the HDFS authentication method in the access zone and a
Kerberos authentication provider must be configured and assigned to the access zone.
Procedure
1. Go to the $HADOOP_CONF directory on your Hadoop client.
2. Open the core-site.xml file in a text editor.
3. Set the value of the hadoop.security.token.service.use_ip property to false as
shown in the following example:

<property>
<name>hadoop.security.token.service.use_ip</name>
<value>false</value>
</property>

4. Save and close the core-site.xml file.

5. Open the hdfs-site.xml file in a text editor.
6. Set the value of the dfs.namenode.kerberos.principal.pattern property to the
Kerberos realm configured in the Kerberos authentication provider as shown in
the following example:

<property>
<name>dfs.namenode.kerberos.principal.pattern</name>
<value>hdfs/*@storage.company.com</value>
</property>

7. Save and close the hdfs-site.xml file.

Supported HDFS authentication methods

The authentication method determines the credentials that OneFS requires to
establish a Hadoop compute client connection.
An HDFS authentication method is specified for each access zone. OneFS supports
the following authentication methods for HDFS:
Authenticatio Description
n method
Simple only Requires only a username to establish client connections.

Kerberos only Requires Kerberos credentials to establish client connections.

Note

You must configure Kerberos as an authentication provider on the Isilon

cluster, and you must modify the core-site.xml file on clients running
Hadoop 2.2 and later.

HDFS authentication methods 91

Network security

Authenticatio Description
n method
All (default Accepts both simple authentication and Kerberos credentials. If Kerberos
value) settings and file modifications are not completed, client connections default
to simple authentication.

CAUTION

To prevent unintended access through simple authentication, set the

authentication method to Kerberos only to enforce client access
through Kerberos.

Hadoop user and group accounts

Before implementing Hadoop, ensure that the user and groups accounts that you will
need to connect over HDFS are configured on the Isilon cluster.
Additionally, ensure that the user accounts that your Hadoop distribution requires are
configured on the Isilon cluster on a per-zone basis. The user accounts that you need
and the associated owner and group settings vary by distribution, requirements, and
security policies. The profiles of the accounts, including UIDs and GIDS, on the Isilon
cluster should match the profiles of the accounts on your Hadoop compute clients.
OneFS must be able to look up a local Hadoop user or group by name. If there are no
directory services, such as Active Directory or LDAP, that can perform a user lookup,
you must create a local Hadoop user or group. If directory services are available, a
local user account or user group is not required.

Create a local Hadoop user (Web UI)

Create a local Hadoop user using the OneFS web administration interface.
Procedure
1. Click Access > Membership & Roles > Users.
2. From the Current Access Zone list, select the access zone that you want to
create a local Hadoop user for.
3. From the Providers list, select LOCAL.
4. Click Create User, and then type a name for the Hadoop user in the Username
field.
5. Click Create User.

Enabling the WebHDFS REST API

OneFS supports access to HDFS data through WebHDFS REST API client
applications.
WebHDFS is a RESTful programming interface based on HTTP operations such as
GET, PUT, POST, and DELETE that is available for creating client applications.
WebHDFS client applications allow you to access HDFS data and perform HDFS
operations through HTTP and HTTPS.
l WebHDFS is supported by OneFS on a per-access zone basis and is enabled by
default.
l WebHDFS supports simple authentication or Kerberos authentication. If the HDFS
authentication method for an access zone is set to All, OneFS uses simple
authentication for WebHDFS.

92 OneFS 8.1.2 Security Configuration Guide

 Network security

l To prevent unauthorized client access through simple authentication, disable

WebHDFS in each access zone that should not support it.
You can specify whether access to HDFS data through WebHDFS client applications is
supported in each access zone using either the OneFS web administration interface or
the command-line interface.

Enable or disable WebHDFS (Web UI)

Configure access to HDFS data through WebHDFS client applications using the
OneFS web administration interface.
Procedure
1. Click Protocols > Hadoop (HDFS) > Settings.
2. From the Current Access Zone list, select the access zone that you want to
enable or disable WebHDFS for.
3. From the HDFS Protocol Settings area, select or clear the Enable WebHDFS
Access checkbox.
4. Click Save Changes.

Enable or disable WebHDFS (CLI)

Configure access to HDFS data through WebHDFS client applications using the
command-line interface.
Procedure
1. Run the isi hdfs settings modify command.
The following command enables WebHDFS in zone3:

isi hdfs settings modify --webhdfs-enabled=yes --zone=zone3

The following command disables WebHDFS in zone3:

isi hdfs settings modify --webhdfs-enabled=no --zone=zone3

Secure impersonation
Secure impersonation enables you to create proxy users that can impersonate other
users to run Hadoop jobs.
You might configure secure impersonation if you use applications, such as Apache
Oozie, to automatically schedule, manage, and run Hadoop jobs. For example, you can
create an Oozie proxy user that securely impersonates a user called HadoopAdmin,
which allows the Oozie user to request that Hadoop jobs be performed by the
HadoopAdmin user.
You configure proxy users for secure impersonation on a per–zone basis, and users or
groups of users that you assign as members to the proxy user must be from the same
access zone. A member can be one or more of the following identity types:
l User specified by user name or UID
l Group of users specified by group name or GID
l User, group, machine, or account specified by SID
l Well-known user specified by name
If the proxy user does not present valid credentials or if a proxy user member does not
exist on the cluster, access is denied. The proxy user can only access files and sub-

Secure impersonation 93
Network security

directories located in the HDFS root directory of the access zone. It is recommended
that you limit the members that the proxy user can impersonate to users that have
access only to the data the proxy user needs.

Create a proxy user (Web UI)

Create a proxy user using the OneFS web administration interface.
Before you begin
Add the users that you want to designate as proxy users or members to the Isilon
cluster. The proxy user and its members must belong to the same access zone.
Procedure
1. Click Protocols > Hadoop (HDFS) > Proxy Users.
2. From the Current Access Zone list, select the access zone in which you want
to add a proxy user.
3. Click Create a Proxy User.
4. In the Name field, type or browse for the user that you want to designate as a
new proxy user.
If you browse for a user, you can search within each authentication provider
that is assigned to the current access zone in the Select a User dialog box.
5. Click Add a Member. The Select a User, Group, or Well-known SID dialog
box appears.
6. In the Search for area, select the type of member that you want to search for.
Members can be individual users or groups. You can search for a user or group
by name or by well-known SID.
7. (Optional) Click Search to display the search results based on the search
criteria.
8. Select the member that you want from the Search Results list, and then click
Select.
The Select a User, Group, or Well-known SID dialog box closes.
9. Click Create a Proxy User.

HTTP and HTTPS

OneFS includes a configurable Hypertext Transfer Protocol (HTTP) service, which is
used to request files that are stored on the cluster and to interact with the web
administration interface.
OneFS supports both HTTP and its secure variant, HTTPS. Each node in the cluster
runs an instance of the Apache HTTP Server to provide HTTP access. You can
configure the HTTP service to run in different modes.
Both HTTP and HTTPS are supported for file transfer, but only HTTPS is supported
for API calls. The HTTPS-only requirement includes the web administration interface.
In addition, OneFS supports a form of the web-based DAV (WebDAV) protocol that
enables users to modify and manage files on remote web servers. OneFS performs
distributed authoring, but does not support versioning and does not perform security
checks. You can enable DAV in the web administration interface.

94 OneFS 8.1.2 Security Configuration Guide

 Network security

Enable and configure HTTP

You can configure HTTP and DAV to enable users to edit and manage files
collaboratively across remote web servers. You can only perform this task through the
OneFS web administration interface.
Procedure
1. Click Protocols > HTTP Settings.
2. In the Service area, select one of the following settings:

Option Description
Enable HTTP Allows HTTP access for cluster administration and browsing content on
the cluster.

Disable HTTP and Allows only administrative access to the web administration interface.
redirect to the This is the default setting.
OneFS Web
Administration
interface

Disable HTTP Closes the HTTP port that is used for file access. Users can continue to
access the web administration interface by specifying the port number in
the URL. The default port is 8080.

3. In the Protocol Settings area, in the Document root directory field, type a
path name or click Browse to browse to an existing directory in /ifs.

Note

The HTTP server runs as the daemon user and group. To correctly enforce
access controls, you must grant the daemon user or group read access to all
files under the document root, and allow the HTTP server to traverse the
document root.

4. In the Authentication Settings area, from the HTTP Authentication list,

select an authentication setting:

Option Description
Off Disables HTTP authentication.

Basic Authentication Enables HTTP basic authentication. User credentials are sent in
Only cleartext.

Integrated Enables HTTP authentication via NTLM, Kerberos, or both.

Authentication Only

Integrated and Basic Enables both basic and integrated authentication.

Authentication

Basic Authentication Enables HTTP basic authentication and enables the Apache web server
with Access Controls to perform access checks.

Integrated Enables HTTP integrated authentication via NTLM and Kerberos, and
Authentication with enables the Apache web server to perform access checks.
Access Controls

Enable and configure HTTP 95

Network security

Option Description
Integrated and Basic Enables HTTP basic authentication and integrated authentication, and
Authentication with enables the Apache web server to perform access checks.
Access Controls

5. To allow multiple users to manage and modify files collaboratively across remote
web servers, select Enable WebDAV.
6. Select Enable access logging.
7. Click Save Changes.

NFS
OneFS provides an NFS server so you can share files on your cluster with NFS clients
that adhere to the RFC1813 (NFSv3) and RFC3530 (NFSv4) specifications.
In OneFS, the NFS server is fully optimized as a multi-threaded service running in user
space instead of the kernel. This architecture load balances the NFS service across all
nodes of the cluster, providing the stability and scalability necessary to manage up to
thousands of connections across multiple NFS clients.
NFS mounts execute and refresh quickly, and the server constantly monitors
fluctuating demands on NFS services and makes adjustments across all nodes to
ensure continuous, reliable performance. Using a built-in process scheduler, OneFS
helps ensure fair allocation of node resources so that no client can seize more than its
fair share of NFS services.
The NFS server also supports access zones defined in OneFS, so that clients can
access only the exports appropriate to their zone. For example, if NFS exports are
specified for Zone 2, only clients assigned to Zone 2 can access these exports.
To simplify client connections, especially for exports with large path names, the NFS
server also supports aliases, which are shortcuts to mount points that clients can
specify directly.
For secure NFS file sharing, OneFS supports NIS and LDAP authentication providers.

NFS exports
You can manage individual NFS export rules that define mount-points (paths) available
to NFS clients and how the server should perform with these clients.
In OneFS, you can create, delete, list, view, modify, and reload NFS exports.
NFS export rules are zone-aware. Each export is associated with a zone, can only be
mounted by clients on that zone, and can only expose paths below the zone root. By
default, any export command applies to the client's current zone.
Each rule must have at least one path (mount-point), and can include additional paths.
You can also specify that all subdirectories of the given path or paths are mountable.
Otherwise, only the specified paths are exported, and child directories are not
mountable.
An export rule can specify a particular set of clients, enabling you to restrict access to
certain mount-points or to apply a unique set of options to these clients. If the rule
does not specify any clients, then the rule applies to all clients that connect to the
server. If the rule does specify clients, then that rule is applied only to those clients.

96 OneFS 8.1.2 Security Configuration Guide

 Network security

NFS aliases
You can create and manage aliases as shortcuts for directory path names in OneFS. If
those path names are defined as NFS exports, NFS clients can specify the aliases as
NFS mount points.
NFS aliases are designed to give functional parity with SMB share names within the
context of NFS. Each alias maps a unique name to a path on the file system. NFS
clients can then use the alias name in place of the path when mounting.
Aliases must be formed as top-level Unix path names, having a single forward slash
followed by name. For example, you could create an alias named /q4 that maps
to /ifs/data/finance/accounting/winter2015 (a path in OneFS). An NFS
client could mount that directory through either of:

mount cluster_ip:/q4

mount cluster_ip:/ifs/data/finance/accounting/winter2015

Aliases and exports are completely independent. You can create an alias without
associating it with an NFS export. Similarly, an NFS export does not require an alias.
Each alias must point to a valid path on the file system. While this path is absolute, it
must point to a location beneath the zone root (/ifs on the System zone). If the alias
points to a path that does not exist on the file system, any client trying to mount the
alias would be denied in the same way as attempting to mount an invalid full pathname.
NFS aliases are zone-aware. By default, an alias applies to the client's current access
zone. To change this, you can specify an alternative access zone as part of creating or
modifying an alias.
Each alias can only be used by clients on that zone, and can only apply to paths below
the zone root. Alias names are unique per zone, but the same name can be used in
different zones—for example, /home.
When you create an alias in the web administration interface, the alias list displays the
status of the alias. Similarly, using the --check option of the isi nfs aliases
command, you can check the status of an NFS alias (status can be: good, illegal path,
name conflict, not exported, or path not found).

NFS log files

OneFS writes log messages associated with NFS events to a set of files in /var/log.
With the log level option, you can now specify the detail at which log messages are
output to log files. The following table describes the log files associated with NFS.

Log file Description

nfs.log Primary NFS server functionality (v3, v4, mount)

rpc_lockd.log NFS v3 locking events through the NLM protocol

rpc_statd.log NFS v3 reboot detection through the NSM protocol

isi_netgroup_d.log Netgroup resolution and caching

NFS aliases 97
Network security

Configuring NFS
You can configure global and export-level NFS settings that specify the behavior of
client connections through the NFS protocol.
NFS data access to the cluster is enabled by default. Also by default, Isilon provides
the /ifs directory as an NFS export with no access restrictions. Isilon cluster
administrators must consider whether these configurations are suitable for their
deployment and manage the security implications appropriately. For guidance on
making configuration changes, see the NFS best practices section of this document.
For more information about NFS and additional NFS management tasks, see the
OneFS Web Administration Guide or the OneFS CLI Administration Guide.

Managing NFS exports

You can create NFS exports, view and modify export settings, and delete exports that
are no longer needed.
The /ifs directory is the top-level directory for data storage in OneFS, and is also
the path defined in the default export. By default, the /ifs export disallows root
access, but allows other UNIX clients to mount this directory and any subdirectories
beneath it.

Note

We recommend that you modify the default export to limit access only to trusted
clients, or to restrict access completely. To help ensure that sensitive data is not
compromised, other exports that you create should be lower in the OneFS file
hierarchy, and can be protected by access zones or limited to specific clients with
either root, read-write, or read-only access, as appropriate.

Basic NFS export settings

The basic NFS export settings are global settings that apply to any new NFS exports
that you create.
The basic NFS export settings are described in the following table.

Setting Default values

Root User Mapping User: Map root users to user nobody
Primary Group: No primary group
Secondary Groups: No secondary groups

Note

The default settings result in a root squashing

rule whereby no user on the NFS client, even
a root user, can gain root privileges on the
NFS server.

Non-Root User Mapping User mapping is disabled by default. It is

recommended that you specify this setting on
a per-export basis, when appropriate.

98 OneFS 8.1.2 Security Configuration Guide

 Network security

Setting Default values

Failed User Mapping User mapping is disabled by default. It is
recommended that you specify this setting on
a per-export basis, when appropriate.

Security Flavors Available options include UNIX (system),

the default setting, Kerberos5, Kerberos5
Integrity, and Kerberos5 Privacy.

Create an NFS export

You can create NFS exports to share files in OneFS with UNIX-based clients.
The NFS service runs in user space and distributes the load across all nodes in the
cluster. This enables the service to be highly scalable and support thousands of
exports. As a best practice, however, you should avoid creating a separate export for
each client on your network. It is more efficient to create fewer exports, and to use
access zones and user mapping to control access.
Procedure
1. Click Protocols > UNIX Sharing (NFS) > NFS Exports.
2. Click Create Export.
3. For the Directory Paths setting, type or browse to the directory that you want
to export.
You can add multiple directory paths by clicking Add another directory path
for each additional path.
4. (Optional) In the Description field, type a comment that describes the export.
5. (Optional) Specify the NFS clients that are allowed to access the export.
You can specify NFS clients in any or all of the client fields, as described in the
following table. A client can be identified by host name, IPv4 or IPv6 address,
subnet, or netgroup. IPv4 addresses mapped into the IPv6 address space are
translated and stored as IPv4 addresses to remove any possible ambiguities.
You can specify multiple clients in each field by typing one entry per line.

Note

If you do not specify any clients, all clients on the network are allowed access to
the export. If you specify clients in any of the rule fields, such as Always Read-
Only Clients, the applicable rule is only applied to those clients. However,
adding an entry to Root Clients does not stop other clients from accessing the
export.
If you add the same client to more than one list and the client is entered in the
same format for each entry, the client is normalized to a single list in the
following order of priority:
l Root Clients
l Always Read-Write Clients
l Always Read-Only Clients
l Clients

Configuring NFS 99
Network security

Setting Description
Clients Specifies one or more clients to be allowed access to the export.
Access level is controlled through export permissions.
Always Specifies one or more clients to be allowed read/write access to
Read-Write the export regardless of the export's access-restriction setting.
Clients This is equivalent to adding a client to the Clients list with the
Restrict access to read-only setting cleared.
Always Specifies one or more clients to be allowed read-only access to
Read-Only the export regardless of the export's access-restriction setting.
Clients This is equivalent to adding a client to the Clients list with the
Restrict access to read-only setting selected.
Root Specifies one or more clients to be mapped as root for the
Clients export. This setting enables the following client to mount the
export, present the root identity, and be mapped to root. Adding
a client to this list does not prevent other clients from mounting
if clients, read-only clients, and read-write clients are unset.

6. Select the export permissions setting to use:

l Restrict actions to read-only.
l Enable mount access to subdirectories. Allow subdirectories below the
path(s) to be mounted.
7. Specify user and group mappings.
Select Use custom to limit access by mapping root users or all users to a
specific user and group ID. For root squash, map root users to the username
nobody.
8. Locate the Security Flavors setting. Set the security type to use. UNIX is the
default setting.
Click Use custom to select one or more of the following security types:
l UNIX (system)
l Kerberos5
l Kerberos5 Integrity
l Kerberos5 Privacy

100 OneFS 8.1.2 Security Configuration Guide

 Network security

Note

The default security flavor (UNIX) relies upon having a trusted network. If you
do not completely trust everything on your network, then the best practice is to
choose a Kerberos option. If the system does not support Kerberos, it will not
be fully protected because NFS without Kerberos trusts everything on the
network and sends all packets in cleartext. If you cannot use Kerberos, you
should find another way to protect the Internet connection. At a minimum, do
the following:
l Limit root access to the cluster to trusted host IP addresses.
l Make sure that all new devices that you add to the network are trusted.
Methods for ensuring trust include, but are not limited to, the following:
n Use an IPsec tunnel. This option is very secure because it authenticates
the devices using secure keys.
n Configure all of the switch ports to go inactive if they are physically
disconnected. In addition, make sure that the switch ports are MAC
limited.

9. Click Show Advanced Settings to configure advanced NFS export settings.

Do not change the advanced settings unless it is necessary and you fully
understand the consequences of these changes.
10. Click Save Changes.
Results
The new NFS export is created and shown at the top of the NFS Exports list.

Create a root-squashing rule for the default NFS export

By default, the NFS service implements a root-squashing rule for the default NFS
export. This rule prevents root users on NFS clients from exercising root privileges on
the NFS server.
Procedure
1. Click Protocols > UNIX Sharing (NFS) > NFS Exports.
2. Select the default export in the NFS Exports list, and click View/Edit.
3. In the Root User Mapping area, verify that the default settings are selected. If
so, no changes are necessary and you can go to step 7.
4. Click Edit Export.
5. Locate the Root User Mapping setting, and then click Use Default to reset
to these values:

User: Map root users to user nobody

Primary Group: No primary group
Secondary Groups: No secondary groups

6. Click Save Changes.

7. Click Close.

Configuring NFS 101

Network security

Results
With these settings, regardless of the users' credentials on the NFS client, they would
not be able to gain root privileges on the NFS server.

SMB
OneFS includes a configurable SMB service to create and manage SMB shares. SMB
shares provide Windows clients network access to file system resources on the
cluster. You can grant permissions to users and groups to carry out operations such as
reading, writing, and setting access permissions on SMB shares.
The /ifs directory is configured as an SMB share and is enabled by default. OneFS
supports both user and anonymous security modes. If the user security mode is
enabled, users who connect to a share from an SMB client must provide a valid user
name with proper credentials.
SMB shares act as checkpoints, and users must have access to a share in order to
access objects in a file system on a share. If a user has access granted to a file system,
but not to the share on which it resides, that user will not be able to access the file
system regardless of privileges. For example, assume a share named ABCDocs
contains a file named file1.txt in a path such as: /ifs/data/ABCDocs/
file1.txt. If a user attempting to access file1.txt does not have share
privileges on ABCDocs, that user cannot access the file even if originally granted read
and/or write privileges to the file.
The SMB protocol uses security identifiers (SIDs) for authorization data. All identities
are converted to SIDs during retrieval and are converted back to their on-disk
representation before they are stored on the cluster.
When a file or directory is created, OneFS checks the access control list (ACL) of its
parent directory. If the ACL contains any inheritable access control entries (ACEs), a
new ACL is generated from those ACEs. Otherwise, OneFS creates an ACL from the
combined file and directory create mask and create mode settings.
OneFS supports the following SMB clients:

SMB version Supported operating systems

3.0 - Multichannel only Windows 8 or later
Windows Server 2012 or later

2.1 Windows 7 or later

Windows Server 2008 R2 or later

2.0 Windows Vista or later

Windows Server 2008 or later
Mac OS X 10.9 or later

1.0 Windows 2000 or later

Windows XP or later
Mac OS X 10.5 or later

102 OneFS 8.1.2 Security Configuration Guide

 Network security

Configuring SMB
You can configure global and share-level SMB settings that specify the behavior of
client connections through the SMB protocol.
SMB data access to the cluster is enabled by default. In addition, Isilon provides the
following default configurations with no access restrictions:
l An unrestricted SMB share (/ifs)
l Unlimited access to the /ifs directory for the Everyone account
Isilon cluster administrators must consider whether these configurations are suitable
for their deployment, and manage the security implications appropriately.
For more information about SMB and additional SMB management tasks, see the
OneFS Web Administration Guide or the OneFS CLI Administration Guide.

SMB security settings

You can view and configure the security settings of an SMB share by clicking
Protocols > Windows Sharing (SMB) > SMB Shares, selecting the share, clicking
View/Edit, and then clicking Edit SMB Share. You can view and configure the default
SMB share security settings by clicking Protocols > Windows Sharing (SMB) >
Default Share Settings. The security settings are available in the Advanced Settings
section.

Note

Changes that are made directly to an SMB share override the default settings that are
configured from the Default Share Settings tab.

Setting Setting value

Create Permission Sets the default source permissions to apply
when a file or directory is created. The default
value is Default acl.

Directory Create Mask Specifies UNIX mode bits that are removed
when a directory is created, restricting
permissions. Mask bits are applied before
mode bits are applied. The default value is
that the user has Read, Write, and
Execute permissions.

Directory Create Mode Specifies UNIX mode bits that are added
when a directory is created, enabling
permissions. Mode bits are applied after mask
bits are applied. The default value is None.

File Create Mask Specifies UNIX mode bits that are removed
when a file is created, restricting permissions.
Mask bits are applied before mode bits are
applied. The default value is that the user has
Read, Write, and Execute permissions.

File Create Mode Specifies UNIX mode bits that are added
when a file is created, enabling permissions.
Mode bits are applied after mask bits are

Configuring SMB 103

Network security

Setting Setting value

applied. The default value is that the user has

Execute permissions.

Impersonate Guest Determines guest access to a share. The

default value is Never.

Impersonate User Allows all file access to be performed as a

specific user. This must be a fully qualified
user name. The default value is No value.

NTFS ACL Allows ACLs to be stored and edited from

SMB clients. The default value is Yes.

Access Based Enumeration Allows access based enumeration only on the

files and folders that the requesting user can
access. The default value is No.

HOST ACL The ACL that defines host access. The default
value is No value.

SMB shares in access zones

You can create and manage SMB shares within access zones.
You can create access zones that partition storage on the EMC Isilon cluster into
multiple virtual containers. Access zones support all configuration settings for
authentication and identity management services on the cluster, so you can configure
authentication providers and provision SMB shares on a zone-by-zone basis. When
you create an access zone, a local provider is created automatically, which allows you
to configure each access zone with a list of local users and groups. You can also
authenticate through a different Active Directory provider in each access zone, and
you can control data access by directing incoming connections to the access zone
from a specific IP address in a pool. Associating an access zone with an IP address
pool restricts authentication to the associated access zone and reduces the number of
available and accessible SMB shares.
Here are a few ways to simplify SMB management with access zones:
l Migrate multiple SMB servers, such as Windows file servers or NetApp filers, to a
single Isilon cluster, and then configure a separate access zone for each SMB
server.
l Configure each access zone with a unique set of SMB share names that do not
conflict with share names in other access zones, and then join each access zone to
a different Active Directory domain.
l Reduce the number of available and accessible shares to manage by associating an
IP address pool with an access zone to restrict authentication to the zone.
l Configure default SMB share settings that apply to all shares in an access zone.
The Isilon cluster includes a built-in access zone named System, where you manage all
aspects of the cluster and other access zones. If you don't specify an access zone
when managing SMB shares, OneFS will default to the System zone.

104 OneFS 8.1.2 Security Configuration Guide

 Network security

SMB Multichannel
SMB Multichannel supports establishing a single SMB session over multiple network
connections.
SMB Multichannel is a feature of the SMB 3.0 protocol that provides the following
capabilities:
Increased throughput
OneFS can transmit more data to a client through multiple connections over high
speed network adapters or over multiple network adapters.

Connection failure tolerance

When an SMB Multichannel session is established over multiple network
connections, the session is not lost if one of the connections has a network fault,
which enables the client to continue to work.

Automatic discovery
SMB Multichannel automatically discovers supported hardware configurations on
the client that have multiple available network paths and then negotiates and
establishes a session over multiple network connections. You are not required to
install components, roles, role services, or features.

SMB Multichannel requirements

You must meet software and NIC configuration requirements to support SMB
Multichannel on the EMC Isilon cluster.
OneFS can only support SMB Multichannel when the following software requirements
are met:
l Windows Server 2012, 2012 R2 or Windows 8, 8.1 clients
l SMB Multichannel must be enabled on both the EMC Isilon cluster and the
Windows client computer. It is enabled on the Isilon cluster by default.
SMB Multichannel establishes a single SMB session over multiple network connections
only on supported network interface card (NIC) configurations. SMB Multichannel
requires at least one of the following NIC configurations on the client computer:
l Two or more network interface cards.
l One or more network interface cards that support Receive Side Scaling (RSS).
l One or more network interface cards configured with link aggregation. Link
aggregation enables you to combine the bandwidth of multiple NICs on a node into
a single logical interface.

Client-side NIC configurations supported by SMB Multichannel

SMB Multichannel automatically discovers supported hardware configurations on the
client that have multiple available network paths.
Each node on the EMC Isilon cluster has at least one RSS-capable network interface
card (NIC). Your client-side NIC configuration determines how SMB Multichannel
establishes simultaneous network connections per SMB session.

SMB Multichannel 105

Network security

Client-side NIC Description

Configuration
Single RSS-capable SMB Multichannel establishes a maximum of four network connections
NIC to the Isilon cluster over the NIC. The connections are more likely to be
spread across multiple CPU cores, which reduces the likelihood of
performance bottleneck issues and achieves the maximum speed
capability of the NIC.

Multiple NICs If the NICs are RSS-capable, SMB Multichannel establishes a maximum
of four network connections to the Isilon cluster over each NIC. If the
NICs on the client are not RSS-capable, SMB Multichannel establishes a
single network connection to the Isilon cluster over each NIC. Both
configurations allow SMB Multichannel to leverage the combined
bandwidth of multiple NICs and provides connection fault tolerance if a
connection or a NIC fails.

Note

SMB Multichannel cannot establish more than eight simultaneous

network connections per session. In a multiple NIC configuration, this
might limit the number connections allowed per NIC. For example, if the
configuration contains three RSS-capable NICs, SMB Multichannel
might establish three connections over the first NIC, three connections
over the second NIC and two connections over the third NIC.

Aggregated NICs SMB Multichannel establishes multiple network connections to the Isilon
cluster over aggregated NICs, which results in balanced connections
across CPU cores, effective consumption of combined bandwidth, and
connection fault tolerance.

Note

The aggregated NIC configuration inherently provides NIC fault

tolerance that is not dependent upon SMB.

Anonymous access to SMB shares

You can configure anonymous access to SMB shares by enabling the local Guest user
and allowing impersonation of the guest user.
For example, if you store files such as browser executables or other data that is public
on the internet, anonymous access allows any user to access the SMB share without
authenticating.

106 OneFS 8.1.2 Security Configuration Guide

CHAPTER 8
Roles and privileges

This section contains the following topics:

l Role-based access............................................................................................108
l Privileges.......................................................................................................... 109

Roles and privileges 107

Roles and privileges

Role-based access
You can assign role-based access to delegate administrative tasks to selected users.
Role based access control (RBAC) allows the right to perform particular
administrative actions to be granted to any user who can authenticate to a cluster.
Roles are created by a Security Administrator, assigned privileges, and then assigned
members. All administrators, including those given privileges by a role, must connect
to the System zone to configure the cluster. When these members log in to the
cluster through a configuration interface, they have these privileges. All administrators
can configure settings for access zones, and they always have control over all access
zones on the cluster.
Roles also give you the ability to assign privileges to member users and groups. By
default, only the root user and the admin user can log in to the web administration
interface through HTTP or the command-line interface through SSH. Using roles, the
root and admin users can assign others to built-in or custom roles that have login and
administrative privileges to perform specific administrative tasks.

Note

As a best practice, assign users to roles that contain the minimum set of necessary
privileges. For most purposes, the default permission policy settings, system access
zone, and built-in roles are sufficient. You can create role-based access management
policies as necessary for your particular environment.

Roles
You can permit and limit access to administrative areas of your EMC Isilon cluster on a
per-user basis through roles. OneFS includes several built-in administrator roles with
predefined sets of privileges that cannot be modified. You can also create custom
roles and assign privileges.
The following list describes what you can and cannot do through roles:
l You can assign privileges to a role.
l You can create custom roles and assign privileges to those roles.
l You can copy an existing role.
l You can add any user or group of users, including well-known groups, to a role as
long as the users can authenticate to the cluster.
l You can add a user or group to more than one role.
l You cannot assign privileges directly to users or groups.

Note

When OneFS is first installed, only users with root- or admin-level access can log in
and assign users to roles.

Built-in roles
Built-in roles are included in OneFS and have been configured with the most likely
privileges necessary to perform common administrative functions. You cannot modify
the list of privileges assigned to each built-in role; however, you can assign users and
groups to built-in roles.
OneFS provides the following built-in roles:

108 OneFS 8.1.2 Security Configuration Guide

 Roles and privileges

l SecurityAdmin
l SystemAdmin
l AuditAdmin
l BackupAdmin
l VMwareAdmin
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
descriptions and a list of privileges assigned to each of the built-in roles.

Custom roles
Custom roles supplement built-in roles.
You can create custom roles and assign privileges mapped to administrative areas in
your EMC Isilon cluster environment. For example, you can create separate
administrator roles for security, auditing, storage provisioning, and backup.
You can designate certain privileges as read-only or read/write when adding the
privilege to a role. You can modify this option at any time to add or remove privileges
as user responsibilities grow and change.

Managing roles
You can view, add, or remove members of any role. Except for built-in roles, whose
privileges you cannot modify, you can add or remove OneFS privileges on a role-by-
role basis.

Note

Roles take both users and groups as members. If a group is added to a role, all users
who are members of that group are assigned the privileges associated with the role.
Similarly, members of multiple roles are assigned the combined privileges of each role.

See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
instructions on how to create, modify, and delete roles.

Privileges
Privileges permit users to complete tasks on an EMC Isilon cluster.
Privileges are associated with an area of cluster administration such as Job Engine,
SMB, or statistics.
Privileges have one of two forms:
Action
Allows a user to perform a specific action on a cluster. For example, the
ISI_PRIV_LOGIN_SSH privilege allows a user to log in to a cluster through an
SSH client.

Read/Write
Allows a user to view or modify a configuration subsystem such as statistics,
snapshots, or quotas. For example, the ISI_PRIV_SNAPSHOT privilege allows an
administrator to create and delete snapshots and snapshot schedules. A read/
write privilege can grant either read-only or read/write access. Read-only access
allows a user to view configuration settings; read/write access allows a user to
view and modify configuration settings.

Managing roles 109

Roles and privileges

Privileges are granted to the user on login to a cluster through the OneFS API, the
web administration interface, SSH, or a console session. A token is generated for the
user, which includes a list of all privileges granted to the user. Each URI, web-
administration interface page, and command requires a specific privilege to view or
modify the information available through any of these interfaces.
In some cases, privileges cannot be granted or there are privilege limitations.
l Privileges are not granted to users that do not connect to the System Zone during
login or to users that connect through the deprecated Telnet service, even if they
are members of a role.
l Privileges do not provide administrative access to configuration paths outside of
the OneFS API. For example, the ISI_PRIV_SMB privilege does not grant a user
the right to configure SMB shares using the Microsoft Management Console
(MMC).
l Privileges do not provide administrative access to all log files. Most log files
require root access.

Supported OneFS privileges

Privileges supported by OneFS are categorized by the type of action or access that is
granted to the user—for example, login, security, and configuration privileges.
OneFS supports the following types of privileges:
l Login privileges
l System privileges
l Security privileges
l Configuration privileges
l File access privileges
l Namespace privileges
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
names and descriptions of all of the privileges available for these privilege types.

Data backup and restore privileges

You can assign privileges to a user that are explicitly for cluster data backup and
restore actions.
Two privileges allow a user to backup and restore cluster data over supported client-
side protocols: ISI_PRIV_IFS_BACKUP and ISI_PRIV_IFS_RESTORE.

CAUTION

These privileges circumvent traditional file access checks, such as mode bits or
NTFS ACLs.

Most cluster privileges allow changes to cluster configuration in some manner. The
backup and restore privileges allow access to cluster data from the System zone, the
traversing of all directories, and reading of all file data and metadata regardless of file
permissions.
Users assigned these privileges use the protocol as a backup protocol to another
machine without generating access-denied errors and without connecting as the root
user. These two privileges are supported over the following client-side protocols:
l SMB

110 OneFS 8.1.2 Security Configuration Guide

 Roles and privileges

l NFS
l OneFS API
l FTP
l SSH
Over SMB, the ISI_PRIV_IFS_BACKUP and ISI_PRIV_IFS_RESTORE privileges
emulate the Windows privileges SE_BACKUP_NAME and SE_RESTORE_NAME. The
emulation means that normal file-open procedures are protected by file system
permissions. To enable the backup and restore privileges over the SMB protocol, you
must open files with the FILE_OPEN_FOR_BACKUP_INTENT option, which occurs
automatically through Windows backup software such as Robocopy. Application of the
option is not automatic when files are opened through general file browsing software
such as Windows File Explorer.
Both ISI_PRIV_IFS_BACKUP and ISI_PRIV_IFS_RESTORE privileges primarily
support Windows backup tools such as Robocopy. A user must be a member of the
BackupAdmin built-in role to access all Robocopy features, which includes copying file
DACL and SACL metadata.

Command-line interface privileges

You can perform most tasks granted by a privilege through the command-line
interface (CLI). Some OneFS commands require root access.
Each CLI command is associated with a privilege. Some commands require root
access. See the OneFS Web Administration Guide or the OneFS CLI Administration Guide
for which privilege is associated with each command.

Command-line interface privileges 111

Roles and privileges

112 OneFS 8.1.2 Security Configuration Guide

CHAPTER 9
Data security

This section contains the following topics:

l Access zones overview .....................................................................................114

l Data access control overview............................................................................116
l SmartLock overview......................................................................................... 127
l Snapshots overview..........................................................................................136
l Protection domains overview............................................................................136
l Data-at-rest encryption overview..................................................................... 138

Data security 113

Data security

Access zones overview

Although the default view of an EMC Isilon cluster is that of one physical machine, you
can partition a cluster into multiple virtual containers called access zones. Access
zones allow you to isolate data and control who can access data in each zone.
Access zones support configuration settings for authentication and identity
management services on a cluster, so you can configure authentication providers and
provision protocol directories such as SMB shares and NFS exports on a zone-by-
zone basis. When you create an access zone, a local provider is automatically created,
which allows you to configure each access zone with a list of local users and groups.
You can also authenticate through a different authentication provider in each access
zone.
To control data access, you associate the access zone with a groupnet, which is a top-
level networking container that manages DNS client connection settings and contains
subnets and IP address pools. When you create an access zone, you must specify a
groupnet. If a groupnet is not specified, the access zone will reference the default
groupnet. Multiple access zones can reference a single groupnet. You can direct
incoming connections to the access zone through a specific IP address pool in the
groupnet. Associating an access zone with an IP address pool restricts authentication
to the associated access zone and reduces the number of available and accessible
SMB shares and NFS exports.
An advantage to multiple access zones is the ability to configure audit protocol access
for individual access zones. You can modify the default list of successful and failed
protocol audit events and then generate reports through a third-party tool for an
individual access zone.
A cluster includes a built-in access zone named System where you manage all aspects
of a cluster and other access zones. By default, all cluster IP addresses connect to the
System zone. Role-based access, which primarily allows configuration actions, is
available through only the System zone. All administrators, including those given
privileges by a role, must connect to the System zone to configure a cluster. The
System zone is automatically configured to reference the default groupnet on the
cluster, which is groupnet0.
Configuration management of a non-System access zone is not permitted through
SSH, the OneFS API, or the web administration interface. However, you can create
and delete SMB shares in an access zone through the Microsoft Management Console
(MMC).

Base directory guidelines

A base directory defines the file system tree exposed by an access zone. The access
zone cannot grant access to any files outside of the base directory. You must assign a
base directory to each access zone.
Base directories restrict path options for several features such as SMB shares, NFS
exports, the HDFS root directory, and the local provider home directory template. The
base directory of the default System access zone is /ifs and cannot be modified.
To achieve data isolation within an access zone, EMC recommends creating a unique
base directory path that is not identical to or does not overlap another base directory,
with the exception of the System access zone. For example, do not specify /ifs/
data/hr as the base directory for both the zone2 and zone3 access zones, or
if /ifs/data/hr is assigned to zone2, do not assign /ifs/data/hr/personnel
to zone3.

114 OneFS 8.1.2 Security Configuration Guide

 Data security

OneFS supports overlapping data between access zones for cases where your
workflows require shared data; however, this adds complexity to the access zone
configuration that might lead to future issues with client access. For the best results
from overlapping data between access zones, EMC recommends that the access
zones also share the same authentication providers. Shared providers ensures that
users will have consistent identity information when accessing the same data through
different access zones.
If you cannot configure the same authentication providers for access zones with
shared data, EMC recommends the following best practices:
l Select Active Directory as the authentication provider in each access zone. This
causes files to store globally unique SIDs as the on-disk identity, eliminating the
chance of users from different zones gaining access to each other's data.
l Avoid selecting local, LDAP, and NIS as the authentication providers in the access
zones. These authentication providers use UIDs and GIDs, which are not
guaranteed to be globally unique. This results in a high probability that users from
different zones will be able to access each other's data
l Set the on-disk identity to native, or preferably, to SID. When user mappings exist
between Active Directory and UNIX users or if the Services for Unix option
is enabled for the Active Directory provider, OneFS stores SIDs as the on-disk
identity instead of UIDs.

Access zones best practices

You can avoid configuration problems on the EMC Isilon cluster when creating access
zones by following best practices guidelines.

Best practice Details

Create unique base directories. To achieve data isolation, the base directory
path of each access zone should be unique
and should not overlap or be nested inside the
base directory of another access zone.
Overlapping is allowed, but should only be
used if your workflows require shared data.

Separate the function of the System zone Reserve the System zone for configuration
from other access zones. access, and create additional zones for data
access. Move current data out of the System
zone and into a new access zone.

Create access zones to isolate data access for Do not create access zones if a workflow
different clients or users. requires data sharing between different
classes of clients or users.

Assign only one authentication provider of An access zone is limited to a single Active
each type to each access zone. Directory provider; however, OneFS allows
multiple LDAP, NIS, and file authentication
providers in each access zone. It is
recommended that you assign only one type
of each provider per access zone in order to
simplify administration.

Avoid overlapping UID or GID ranges for The potential for zone access conflicts is
authentication providers in the same access slight but possible if overlapping UIDs/GIDs
zone. are present in the same access zone.

Access zones best practices 115

Data security

Configuring an access zone

You can create an access zone on the EMC Isilon cluster and associate it with an IP
address pool to control access to the zone.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about access zones and additional access zone management tasks.

Data access control overview

OneFS supports two types of permissions data on files and directories that control
who has access: Windows-style access control lists (ACLs) and POSIX mode bits
(UNIX permissions). You can configure global policy settings that enable you to
customize default ACL and UNIX permissions to best support your environment.
The OneFS file system installs with UNIX permissions as the default. You can give a
file or directory an ACL by using Windows Explorer or OneFS administrative tools.
Typically, files created over SMB or in a directory that has an ACL, receive an ACL. If
a file receives an ACL, OneFS stops enforcing the file's mode bits; the mode bits are
provided for only protocol compatibility, not for access control.
OneFS supports multiprotocol data access over Network File System (NFS) and
Server Message Block (SMB) with a unified security model. A user is granted or
denied the same access to a file when using SMB for Windows file sharing as when
using NFS for UNIX file sharing.
NFS enables Linux and UNIX clients to remotely mount any subdirectory, including
subdirectories created by Windows or SMB users. Linux and UNIX clients also can
mount ACL-protected subdirectories created by a OneFS administrator. SMB provides
Windows users access to files, directories and other file system resources stored by
UNIX and Linux systems. In addition to Windows users, ACLs can affect local, NIS, and
LDAP users.
By default, OneFS maintains the same file permissions regardless of the client’s
operating system, the user’s identity management system, or the file sharing protocol.
When OneFS must transform a file’s permissions from ACLs to mode bits or vice
versa, it merges the permissions into an optimal representation that uniquely balances
user expectations and file security.

ACLs
In Windows environments, file and directory permissions, referred to as access rights,
are defined in access control lists (ACLs). Although ACLs are more complex than
mode bits, ACLs can express much more granular sets of access rules. OneFS checks
the ACL processing rules commonly associated with Windows ACLs.
A Windows ACL contains zero or more access control entries (ACEs), each of which
represents the security identifier (SID) of a user or a group as a trustee. In OneFS, an
ACL can contain ACEs with a UID, GID, or SID as the trustee. Each ACE contains a set
of rights that allow or deny access to a file or folder. An ACE can optionally contain an
inheritance flag to specify whether the ACE should be inherited by child folders and
files.

116 OneFS 8.1.2 Security Configuration Guide

 Data security

Note

Instead of the standard three permissions available for mode bits, ACLs have 32 bits of
fine-grained access rights. Of these, the upper 16 bits are general and apply to all
object types. The lower 16 bits vary between files and directories but are defined in a
way that allows most applications to apply the same bits for files and directories.

Rights grant or deny access for a given trustee. You can block user access explicitly
through a deny ACE or implicitly by ensuring that a user does not directly, or indirectly
through a group, appear in an ACE that grants the right.

UNIX permissions
In a UNIX environment, file and directory access is controlled by POSIX mode bits,
which grant read, write, or execute permissions to the owning user, the owning group,
and everyone else.
OneFS supports the standard UNIX tools for viewing and changing permissions, ls,
chmod, and chown. For more information, run the man ls, man chmod, and man
chown commands.
All files contain 16 permission bits, which provide information about the file or
directory type and the permissions. The lower 9 bits are grouped as three 3-bit sets,
called triples, which contain the read, write, and execute (rwx) permissions for each
class of users—owner, group, and other. You can set permissions flags to grant
permissions to each of these classes.
Unless the user is root, OneFS checks the class to determine whether to grant or deny
access to the file. The classes are not cumulative: The first class matched is applied. It
is therefore common to grant permissions in decreasing order.

Mixed-permission environments
When a file operation requests an object’s authorization data, for example, with the ls
-l command over NFS or with the Security tab of the Properties dialog box in
Windows Explorer over SMB, OneFS attempts to provide that data in the requested
format. In an environment that mixes UNIX and Windows systems, some translation
may be required when performing create file, set security, get security, or access
operations.

NFS access of Windows-created files

If a file contains an owning user or group that is a SID, the system attempts to map it
to a corresponding UID or GID before returning it to the caller.
In UNIX, authorization data is retrieved by calling stat(2) on a file and examining the
owner, group, and mode bits. Over NFSv3, the GETATTR command functions
similarly. The system approximates the mode bits and sets them on the file whenever
its ACL changes. Mode bit approximations need to be retrieved only to service these
calls.

Note
SID-to-UID and SID-to-GID mappings are cached in both the OneFS ID mapper and
the stat cache. If a mapping has recently changed, the file might report inaccurate
information until the file is updated or the cache is flushed.

UNIX permissions 117

Data security

SMB access of UNIX-created files

No UID-to-SID or GID-to-SID mappings are performed when creating an ACL for a file;
all UIDs and GIDs are converted to SIDs or principals when the ACL is returned.
OneFS initiates a two-step process for returning a security descriptor, which contains
SIDs for the owner and primary group of an object:
1. The current security descriptor is retrieved from the file. If the file does not have a
discretionary access control list (DACL), a synthetic ACL is constructed from the
file’s lower 9 mode bits, which are separated into three sets of permission triples
—one each for owner, group, and everyone. For details about mode bits, see the
UNIX permissions topic.
2. Two access control entries (ACEs) are created for each triple: the allow ACE
contains the corresponding rights that are granted according to the permissions;
the deny ACE contains the corresponding rights that are denied. In both cases, the
trustee of the ACE corresponds to the file owner, group, or everyone. After all of
the ACEs are generated, any that are not needed are removed before the
synthetic ACL is returned.

Configuring data access control

You can configure data access control settings to manage ACLs and UNIX permissions
on files and directories.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about data access control and additional management tasks.

Configure access management settings

Default access settings include whether to send NTLMv2 responses for SMB
connections, the identity type to store on disk, the Windows workgroup name for
running in local mode, and character substitution for spaces encountered in user and
group names.
Procedure
1. Click Access > Settings.
2. Configure the following settings as needed.

Option Description
Send NTLMv2 Specifies whether to send only NTLMv2 responses to SMB
clients with NTLM-compatible credentials.
On-Disk Identity Controls the preferred identity to store on disk. If OneFS is
unable to convert an identity to the preferred format, it is
stored as is. This setting does not affect identities that are
currently stored on disk. Select one of the following
settings:
native
Allow OneFS to determine the identity to store on disk.
This is the recommended setting.

unix
Always store incoming UNIX identifiers (UIDs and GIDs)
on disk.

118 OneFS 8.1.2 Security Configuration Guide

 Data security

Option Description

sid
Store incoming Windows security identifiers (SIDs) on
disk, unless the SID was generated from a UNIX
identifier; in that case, convert it back to the UNIX
identifier and store it on disk.

Workgroup Specifies the NetBIOS workgroup. The default value is

WORKGROUP.
Space For clients that have difficulty parsing spaces in user and
Replacement group names, specifies a substitute character.

3. Click Save.
After you finish
If you changed the on-disk identity selection, it is recommended that you run the
PermissionRepair job with the Convert repair type to prevent potential permissions
errors. For more information, see the Run the PermissionRepair job section.

Modify ACL policy settings

You can modify ACL policy settings but the default ACL policy settings are sufficient
for most cluster deployments.

CAUTION

Because ACL policies change the behavior of permissions throughout the system,
they should be modified only as necessary by experienced administrators with
advanced knowledge of Windows ACLs. This is especially true for the advanced
settings, which are applied regardless of the cluster's environment.

For UNIX, Windows, or balanced environments, the optimal permission policy settings
are selected and cannot be modified. However, you can choose to manually configure
the cluster's default permission settings if necessary to support your particular
environment.
Procedure
1. Click Access > ACL Policy Settings.
2. In the Environment area, select the option that best describes your
environment, or select Custom environment to configure individual permission
policies.
3. If you selected the Custom environment option, settings in the General ACL
Settings area as needed.
4. In the Advanced ACL Settings area, configure the settings as needed.

ACL policy settings

You can configure an access control list (ACL) policy by choosing from the available
settings options.
Environment
Depending on the environment you select, the system will automatically select the
General ACL Settings and Advanced ACL Settings options that are optimal for that
environment. You also have the option to manually configure general and advanced
settings.

Configuring data access control 119

Data security

Balanced
Enables Isilon cluster permissions to operate in a mixed UNIX and Windows
environment. This setting is recommended for most Isilon cluster deployments.

UNIX only
Enables EMC Isilon cluster permissions to operate with UNIX semantics, as
opposed to Windows semantics. Enabling this option prevents ACL creation on
the system.

Windows only
Enables Isilon cluster permissions to operate with Windows semantics, as
opposed to UNIX semantics. Enabling this option causes the system to return an
error on UNIX chmod requests.

Custom environment
Allows you to configure General ACL Settings and Advanced ACL Settings
options.

General ACL Settings

ACL Creation Through SMB
Specifies whether to allow or deny creation of ACLs over SMB. Select one of the
following options:
Do not allow ACLs to be created through SMB
Prevents ACL creation on the cluster.

Allow ACLs to be created through SMB

Allows ACL creation on the cluster.

Note

Inheritable ACLs on the system take precedence over this setting. If inheritable
ACLs are set on a folder, any new files and folders that are created in that folder
inherit the folder's ACL. Disabling this setting does not remove ACLs currently set
on files. If you want to clear an existing ACL, run the chmod -b <mode> <file>
command to remove the ACL and set the correct permissions.

Use the chmod Command On Files With Existing ACLs

Specifies how permissions are handled when a chmod operation is initiated on a
file with an ACL, either locally or over NFS. This setting controls any elements
that affect UNIX permissions, including File System Explorer. Enabling this policy
setting does not change how chmod operations affect files that do not have
ACLs. Select one of the following options:
Remove the existing ACL and set UNIX permissions instead
For chmod operations, removes any existing ACL and instead sets the chmod
permissions. Select this option only if you do not need permissions to be set
from Windows.

Remove the existing ACL and create an ACL equivalent to the UNIX
permissions
Stores the UNIX permissions in a new Windows ACL. Select this option only
if you want to remove Windows permissions but do not want files to have
synthetic ACLs.

120 OneFS 8.1.2 Security Configuration Guide

 Data security

Remove the existing ACL and create an ACL equivalent to the UNIX
permissions, for all users/groups referenced in old ACL
Stores the UNIX permissions in a new Windows ACL only for users and
groups that are referenced by the old ACL. Select this option only if you want
to remove Windows permissions but do not want files to have synthetic
ACLs.

Merge the new permissions with the existing ACL

Merges permissions that are applied by chmod with existing ACLs. An ACE
for each identity (owner, group, and everyone) is either modified or created,
but all other ACEs are unmodified. Inheritable ACEs are also left unmodified
to enable Windows users to continue to inherit appropriate permissions.
However, UNIX users can set specific permissions for each of those three
standard identities.

Deny permission to modify the ACL

Prevents users from making NFS and local chmod operations. Enable this
setting if you do not want to allow permission sets over NFS.

Ignore operation if file has an existing ACL

Prevents an NFS client from changing the ACL. Select this option if you
defined an inheritable ACL on a directory and want to use that ACL for
permissions.

CAUTION

If you try to run the chmod command on the same permissions that are
currently set on a file with an ACL, you may cause the operation to silently
fail. The operation appears to be successful, but if you were to examine the
permissions on the cluster, you would notice that the chmod command had
no effect. As an alternative, you can run the chmod command away from the
current permissions and then perform a second chmod command to revert to
the original permissions. For example, if the file shows 755 UNIX permissions
and you want to confirm this number, you could run chmod 700 file;
chmod 755 file.

ACLs Created On Directories By the chmod Command

On Windows systems, the ACEs for directories can define detailed inheritance
rules. On a UNIX system, the mode bits are not inherited. Making ACLs that are
created on directories by the chmod command inheritable is more secure for
tightly controlled environments but may deny access to some Windows users who
would otherwise expect access. Select one of the following options:
l Make ACLs inheritable
l Do not make ACLs inheritable

Use the chown/chgrp On Files With Existing ACLs

Changes the user or group that has ownership of a file or folder. Select one of the
following options:

Configuring data access control 121

Data security

Modify only the owner and/or group

Enables the chown or chgrp operation to perform as it does in UNIX.
Enabling this setting modifies any ACEs in the ACL associated with the old
and new owner or group.

Modify the owner and/or group and ACL permissions

Enables the NFS chown or chgrp operation to function as it does in
Windows. When a file owner is changed over Windows, no permissions in the
ACL are changed.

Ignore operation if file has an existing ACL

Prevents an NFS client from changing the owner or group.

Note

Over NFS, the chown or chgrp operation changes the permissions and user or
group that has ownership. For example, a file that is owned by user Joe with
rwx------ (700) permissions indicates rwx permissions for the owner, but no
permissions for anyone else. If you run the chown command to change ownership
of the file to user Bob, the owner permissions are still rwx but they now represent
the permissions for Bob, rather than for Joe, who lost all of his permissions. This
setting does not affect UNIX chown or chgrp operations that are performed on
files with UNIX permissions, and it does not affect Windows chown or chgrp
operations, which do not change any permissions.

Access checks (chmod, chown)

In UNIX environments, only the file owner or superuser has the right to run a
chmod or chown operation on a file. In Windows environments, you can
implement this policy setting to give users the right to perform chmod operations
that change permissions, or the right to perform chown operations that take
ownership, but do not give away ownership. Select one of the following options:
Allow only the file owner to change the mode or owner of the file (UNIX
model)
Enables chmod and chown access checks to operate with UNIX-like
behavior.

Allow the file owner and users with WRITE_DAC and WRITE_OWNER
permissions to change the mode or owner of the file (Windows model)
Enables chmod and chown access checks to operate with Windows-like
behavior.

Advanced ACL Settings

Treatment of 'rwx' permissions
In UNIX environments, rwx permissions indicate that a user or group has read,
write, and execute permissions and that a user or group has the maximum level of
permissions.
When you assign UNIX permissions to a file, no ACLs are stored for that file.
Because a Windows system processes only ACLs, the Isilon cluster must translate
the UNIX permissions into an ACL when you view a file's permissions on a
Windows system. This type of ACL is called a synthetic ACL. Synthetic ACLs are
not stored anywhere; instead, they are dynamically generated and discarded as

122 OneFS 8.1.2 Security Configuration Guide

 Data security

needed. If a file has UNIX permissions, you may notice synthetic ACLs when you
run the ls file command to view a file’s ACLs.
When you generate a synthetic ACL, the Isilon cluster maps UNIX permissions to
Windows rights. Windows supports a more granular permissions model than UNIX
does, and it specifies rights that cannot easily be mapped from UNIX permissions.
If the Isilon cluster maps rwx permissions to Windows rights, you must enable one
of the following options:
Retain 'rwx' permissions
Generates an ACE that provides only read, write, and execute permissions.

Treat 'rwx' permissions as Full Control

Generates an ACE that provides the maximum Windows permissions for a
user or a group by adding the change permissions right, the take ownership
right, and the delete right.

Group Owner Inheritance

Operating systems tend to work with group ownership and permissions in two
different ways: BSD inherits the group owner from the file's parent folder;
Windows and Linux inherit the group owner from the file creator's primary group.
If you enable a setting that causes the group owner to be inherited from the
creator's primary group, you can override it on a per-folder basis by running the
chmod command to set the set-gid bit. This inheritance applies only when the file
is created. For more information, see the manual page for the chmod command.
Select one of the following options:
When an ACL exists, use Linux and Windows semantics, otherwise use BSD
semantics
Specifies that if an ACL exists on a file, the group owner is inherited from the
file creator's primary group. If there is no ACL, the group owner is inherited
from the parent folder.

BSD semantics - Inherit group owner from the parent folder

Specifies that the group owner be inherited from the file's parent folder.

Linux and Windows semantics - Inherit group owner from the creator's
primary group
Specifies that the group owner be inherited from the file creator's primary
group.

chmod (007) On Files With Existing ACLs

Specifies whether to remove ACLs when running the chmod (007) command.
Select one of the following options.
chmod(007) does not remove existing ACL
Sets 007 UNIX permissions without removing an existing ACL.

chmod(007) removes existing ACL and sets 007 UNIX permissions

Removes ACLs from files over UNIX file sharing (NFS) and locally on the
cluster through the chmod (007) command. If you enable this setting, be
sure to run the chmod command on the file immediately after using chmod
(007) to clear an ACL. In most cases, you do not want to leave 007
permissions on the file.

Configuring data access control 123

Data security

Approximate Owner Mode Bits When ACL Exists

Windows ACLs are more complex than UNIX permissions. When a UNIX client
requests UNIX permissions for a file with an ACL over NFS, the client receives an
approximation of the file's actual permissions. Running the ls -l command from
a UNIX client returns a more open set of permissions than the user expects. This
permissiveness compensates for applications that incorrectly inspect the UNIX
permissions themselves when determining whether to try a file-system operation.
The purpose of this policy setting is to ensure that these applications go with the
operation to allow the file system to correctly determine user access through the
ACL. Select one of the following options:
Approximate owner mode bits using all possible group ACEs in ACL
Causes the owner permissions appear more permissive than the actual
permissions on the file.

Approximate owner mode bits using only the ACE with the owner ID
Causes the owner permissions appear more accurate, in that you see only the
permissions for a particular owner and not the more permissive set. This may
cause access-denied problems for UNIX clients, however.

Approximate Group Mode Bits When ACL Exists

Select one of the following options for group permissions:
Approximate group mode bits using all possible group ACEs in ACL
Makes the group permissions appear more permissive than the actual
permissions on the file.

Approximate group mode bits using only the ACE with the group ID
Makes the group permissions appear more accurate, in that you see only the
permissions for a particular group and not the more permissive set. This may
cause access-denied problems for UNIX clients, however.

Synthetic "deny" ACEs

The Windows ACL user interface cannot display an ACL if any deny ACEs are out
of canonical ACL order. To correctly represent UNIX permissions, deny ACEs may
be required to be out of canonical ACL order. Select one of the following options:
Do not modify synthetic ACLs and mode bit approximations
Prevents modifications to synthetic ACL generation and allows “deny” ACEs
to be generated when necessary.

CAUTION

This option can lead to permissions being reordered, permanently

denying access if a Windows user or an application performs an ACL get,
an ACL modification, and an ACL set to and from Windows.

Remove “deny” ACEs from ACLs. This setting can cause ACLs to be more
permissive than the equivalent mode bits
Does not include deny ACEs when generating synthetic ACLs.

Access check (utimes)

You can control who can change utimes, which are the access and modification
times of a file. Select one of the following options:

124 OneFS 8.1.2 Security Configuration Guide

 Data security

Allow only owners to change utimes to client-specific times (POSIX

compliant)
Allows only owners to change utimes, which complies with the POSIX
standard.

Allow owners and users with ‘write’ access to change utimes to client-
specific times
Allows owners as well as users with write access to modify utimes, which is
less restrictive.

Read-only DOS attribute

Deny permission to modify files with DOS read-only attribute over Windows
Files Sharing (SMB)
Duplicates DOS-attribute permissions behavior over only the SMB protocol,
so that files use the read-only attribute over SMB.

Deny permission to modify files with DOS read-only attribute through NFS
and SMB
Duplicates DOS-attribute permissions behavior over both NFS and SMB
protocols. For example, if permissions are read-only on a file over SMB,
permissions are read-only over NFS.

Displayed mode bits

Use ACL to approximate mode bits
Displays the approximation of the NFS mode bits that are based on ACL
permissions.

Always display 777 if ACL exists

Displays 777 file permissions. If the approximated NFS permissions are less
permissive than those in the ACL, you may want to use this setting so the
NFS client does not stop at the access check before performing its
operation. Use this setting when a third-party application may be blocked if
the ACL does not provide the proper access.

Run the PermissionRepair job

You can update file and directory permissions or ownership by running the
PermissionRepair job. To prevent permissions issues that can occur after changing the
on-disk identity, run this job with the Convert repair type to ensure that the changes
are fully propagated throughout the cluster.
Procedure
1. Click Cluster Management > Job Operations > Job Types.
2. (Optional) From the Job Types table, click View/Edit in the PermissionRepair
row.
The View Job Type Details window appears.
3. Click Edit Job Type.
The Edit Job Type Details window appears.
4. Select Enable this job type.

Configuring data access control 125

Data security

5. From the Default Priority list, select a priority number that specifies the job's
priority among all running jobs. Job priority is denoted as 1-10, with 1 being the
highest and 10 being the lowest.
6. (Optional) From the Default Impact Policy list, select an impact policy for the
job to follow.
7. From the Schedule area, specify how the job should be started.

Option Description
Manual The job must be started manually.
Scheduled The job is regularly scheduled. Select the schedule option from
the drop-down list and specify the schedule details.

8. Click Save Changes, and then click Close.

9. (Optional) From the Job Types table, click Start Job.
The Start a Job window opens.
10. Select or clear the Allow Duplicate Jobs checkbox.
11. (Optional) From the Impact policy list, select an impact policy for the job to
follow.
12. In the Paths field, type or browse to the directory in /ifs whose permissions
you want to repair.
13. (Optional) Click Add another directory path and in the added Paths field, type
or browse for an additional directory in /ifs whose permissions you want to
repair.
You can repeat this step to add directory paths as needed.
14. From the Repair Type list, select one of the following methods for updating
permissions:

Option Description
Clone Applies the permissions settings for the directory that is specified by
the Template File or Directory setting to the directory you set in
the Paths fields.
Inherit Recursively applies the ACL of the directory that is specified by the
Template File or Directory setting to each file and subdirectory in
the specified Paths fields, according to standard inheritance rules.
Convert For each file and directory in the specified Paths fields, converts the
owner, group, and access control list (ACL) to the target on-disk
identity based on the Mapping Type setting.

The remaining settings options differ depending on the selected repair type.
15. In the Template File or Directory field, type or browse to the directory in /ifs
that you want to copy permissions from. This setting applies only to the Clone
and Inherit repair types.
16. (Optional) From the Mapping Type list, select the preferred on-disk identity
type to apply. This setting applies only to the Convert repair type.

126 OneFS 8.1.2 Security Configuration Guide

 Data security

Option Description
Global Applies the system's default identity.
SID (Windows) Applies the Windows identity.
UNIX Applies the UNIX identity.
Native If a user or group does not have an authoritative UNIX
identifier (UID or GID), applies the Windows identity (SID)

17. (Optional) Click Start Job.

SmartLock overview
With the SmartLock software module, you can protect files on an EMC Isilon cluster
from being modified, overwritten, or deleted. To protect files in this manner, you must
activate a SmartLock license.
With SmartLock, you can identify a directory in OneFS as a WORM domain. WORM
stands for write once, read many. All files within the WORM domain can be committed
to a WORM state, meaning that those files cannot be overwritten, modified, or
deleted.
After a file is removed from a WORM state, you can delete the file. However, you can
never modify a file that has been committed to a WORM state, even after it is
removed from a WORM state.
In OneFS, SmartLock can be deployed in one of two modes: compliance mode or
enterprise mode.

Compliance mode
SmartLock compliance mode enables you to protect your data in compliance with the
regulations defined by U.S. Securities and Exchange Commission rule 17a-4. This
regulation, aimed at securities brokers and dealers, specifies that records of all
securities transactions must be archived in a non-rewritable, non-erasable manner.

Note

You can configure an EMC Isilon cluster for SmartLock compliance mode only during
the initial cluster configuration process, prior to activating a SmartLock license. A
cluster cannot be converted to SmartLock compliance mode after the cluster is
initially configured and put into production.

If you configure a cluster for SmartLock compliance mode, the root user is disabled,
and you are not able to log in to that cluster through the root user account. Instead,
you can log in to the cluster through the compliance administrator account that is
configured during initial SmartLock compliance mode configuration.
When you are logged in to a SmartLock compliance mode cluster through the
compliance administrator account, you can perform administrative tasks through the
sudo command.

SmartLock overview 127

Data security

SmartLock directories
In a SmartLock directory, you can commit a file to a WORM state manually or you can
configure SmartLock to commit the file automatically. Before you can create
SmartLock directories, you must activate a SmartLock license on the cluster.
You can create two types of SmartLock directories: enterprise and compliance.
However, you can create compliance directories only if the EMC Isilon cluster has
been set up in SmartLock compliance mode during initial configuration.
Enterprise directories enable you to protect your data without restricting your cluster
to comply with regulations defined by U.S. Securities and Exchange Commission rule
17a-4. If you commit a file to a WORM state in an enterprise directory, the file can
never be modified and cannot be deleted until the retention period passes.
However, if you own a file and have been assigned the
ISI_PRIV_IFS_WORM_DELETE privilege, or you are logged in through the root user
account, you can delete the file through the privileged delete feature before the
retention period passes. The privileged delete feature is not available for compliance
directories. Enterprise directories reference the system clock to facilitate time-
dependent operations, including file retention.
Compliance directories enable you to protect your data in compliance with the
regulations defined by U.S. Securities and Exchange Commission rule 17a-4. If you
commit a file to a WORM state in a compliance directory, the file cannot be modified
or deleted before the specified retention period has expired. You cannot delete
committed files, even if you are logged in to the compliance administrator account.
Compliance directories reference the compliance clock to facilitate time-dependent
operations, including file retention.
You must set the compliance clock before you can create compliance directories. You
can set the compliance clock only once, after which you cannot modify the compliance
clock time. You can increase the retention time of WORM committed files on an
individual basis, if desired, but you cannot decrease the retention time.
The compliance clock is controlled by the compliance clock daemon. Root and
compliance administrator users could disable the compliance clock daemon, which
would have the effect of increasing the retention period for all WORM committed
files. However, this is not recommended.

Accessing SmartLock with IsilonSD Edge

If you are running IsilonSD Edge, the SmartLock software module is available only with
a purchased license. It is not packaged with the free license of IsilonSD Edge.
Make note of the following considerations before using SmartLock with IsilonSD Edge:
l Although IsilonSD Edge supports SmartLock functionality in both enterprise and
compliance modes, an IsilonSD cluster likely does not comply with the regulations
defined by U.S. Securities and Exchange Commission rule 17a-4. This is because
the virtualization software on which the IsilonSD cluster runs maintains a root user
who could theoretically tamper with the disk configuration of the virtual cluster,
and therefore the data that resides on it.
l When an IsilonSD cluster is placed in compliance mode, you cannot add new nodes
to the cluster. Therefore, you must add as many nodes as necessary before
upgrading the cluster to SmartLock compliance mode.

128 OneFS 8.1.2 Security Configuration Guide

 Data security

Replication and backup with SmartLock

OneFS enables both compliance and enterprise SmartLock directories to be replicated
or backed up to a target cluster.
If you are replicating SmartLock directories with SyncIQ, we recommend that you
configure all nodes on the source and target clusters with Network Time Protocol
(NTP) peer mode to ensure that the node clocks are synchronized. For compliance
clusters, we recommend that you configure all nodes on the source and target clusters
with NTP peer mode before you set the compliance clocks. This sets the source and
target clusters to the same time initially and helps to ensure compliance with U.S.
Securities and Exchange Commission rule 17a-4.

Note

If you replicate data to a SmartLock directory, do not configure SmartLock settings

for that directory until you are no longer replicating data to the directory. Configuring
an autocommit time period for a SmartLock target directory, for example, can cause
replication jobs to fail. If the target directory commits a file to a WORM state, and the
file is modified on the source cluster, the next replication job will fail because it cannot
overwrite the committed file.

If you back up data to an NDMP device, all SmartLock metadata relating to the
retention date and commit status is transferred to the NDMP device. If you recover
data to a SmartLock directory on the cluster, the metadata persists on the cluster.
However, if the directory that you recover data to is not a SmartLock directory, the
metadata is lost. You can recover data to a SmartLock directory only if the directory is
empty.

SmartLock replication limitations

Be aware of the limitations of replicating and failing back SmartLock directories with
SyncIQ.
If the source directory or target directory of a SyncIQ policy is a SmartLock directory,
replication and failback might not be allowed. For more information, see the following
table:

Source Target directory type Replication Failback allowed

directory type Allowed
Non-SmartLock Non-SmartLock Yes Yes

Non-SmartLock SmartLock enterprise Yes Yes, unless files are

committed to a WORM
state on the target cluster

Non-SmartLock SmartLock compliance No No

SmartLock Non-SmartLock Yes; however, Yes; however the files will

enterprise retention dates not have WORM status
and commit
status of files will
be lost.

SmartLock SmartLock enterprise Yes Yes; any newly committed

enterprise WORM files will be
included

Replication and backup with SmartLock 129

Data security

Source Target directory type Replication Failback allowed

directory type Allowed
SmartLock SmartLock compliance No No
enterprise

SmartLock Non-SmartLock No No
compliance

SmartLock SmartLock enterprise No No

compliance

SmartLock SmartLock compliance Yes Yes; any newly committed

compliance WORM files will be
included

If you are replicating a SmartLock directory to another SmartLock directory, you must
create the target SmartLock directory prior to running the replication policy. Although
OneFS will create a target directory automatically if a target directory does not
already exist, OneFS will not create a target SmartLock directory automatically. If you
attempt to replicate an enterprise directory before the target directory has been
created, OneFS will create a non-SmartLock target directory and the replication job
will succeed. If you replicate a compliance directory before the target directory has
been created, the replication job will fail.
If you replicate SmartLock directories to another Isilon cluster with SyncIQ, the
WORM state of files is replicated. However, SmartLock directory configuration
settings are not transferred to the target directory.
For example, if you replicate a directory that contains a committed file that is set to
expire on March 4th, the file is still set to expire on March 4th on the target cluster.
However, if the directory on the source cluster is set to prevent files from being
committed for more than a year, the target directory is not automatically set to the
same restriction.

Configuring SmartLock
You can create and manage SmartLock directories to control read and write access to
files.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about SmartLock and additional SmartLock management tasks.

Create a SmartLock directory

You can create a SmartLock directory and commit files in that directory to a WORM
state.
Before creating a SmartLock directory, be aware of the following conditions and
requirements:
l You cannot create a SmartLock directory as a subdirectory of an existing
SmartLock directory.
l Hard links cannot cross SmartLock directory boundaries.
l Creating a SmartLock directory causes a corresponding SmartLock domain to be
created for that directory.
Procedure
1. Click File System > SmartLock > WORM.

130 OneFS 8.1.2 Security Configuration Guide

 Data security

2. Click Create Domain.

3. From the Type list, specify whether the directory is an enterprise directory or a
compliance directory.
Compliance directories enable you to protect your data in compliance with the
regulations defined by U.S. Securities and Exchange Commission rule 17a-4.
Enterprise directories enable you to protect your data without complying with
those restrictions.
This option is available only if the cluster is in SmartLock compliance mode. If
the cluster is not in compliance mode, all SmartLock directories are enterprise
directories.

4. From the Privileged Delete list, specify whether to enabled the root user to
delete files that are currently committed to a WORM state.

Note

This functionality is available only for SmartLock enterprise directories.

5. In the Path field, type the full path of the directory you want to make into a
SmartLock directory.
The specified path must belong to an empty directory on the cluster.
6. (Optional) To specify a default retention period for the directory, click Apply a
default retention span and then specify a time period.
The default retention period will be assigned if you commit a file to a WORM
state without specifying a day to release the file from the WORM state.
7. (Optional) To specify a minimum retention period for the directory, click Apply
a minimum retention span and then specify a time period.
The minimum retention period ensures that files are retained in a WORM state
for at least the specified period of time.
8. (Optional) To specify a maximum retention period for the directory, click Apply
a maximum retention span and then specify a time period.
The maximum retention period ensures that files are not retained in a WORM
state for more than the specified period of time.
9. Click Create Domain.
10. Click Create.

SmartLock directory configuration settings

You can configure SmartLock directory settings that determine when files are
committed to and how long files are retained in a WORM state.
Path
The path of the directory.

Root Logical Inode (LIN)

The LIN of the directory.

ID
The numerical ID of the corresponding SmartLock domain.

Configuring SmartLock 131

Data security

Type
The type of SmartLock directory.
Enterprise
Enterprise directories enable you to protect your data without restricting
your cluster to comply with regulations defined by U.S. Securities and
Exchange Commission rule 17a-4

Compliance
Compliance directories enable you to protect your data in compliance with
the regulations defined by U.S. Securities and Exchange Commission rule
17a-4.

Privileged Delete
Indicates whether files committed to a WORM state in the directory can be
deleted through the privileged delete functionality. To access the privilege delete
functionality, you must either be assigned the ISI_PRIV_IFS_WORM_DELETE
privilege and own the file you are deleting. You can also access the privilege
delete functionality for any file if you are logged in through the root or
compadmin user account.
on
Files committed to a WORM state can be deleted through the isi worm
files delete command.

off
Files committed to a WORM state cannot be deleted, even through the isi
worm files delete command.

disabled
Files committed to a WORM state cannot be deleted, even through the isi
worm files delete command. After this setting is applied, it cannot be
modified.

Apply a default retention span

The default retention period for the directory. If a user does not specify a date to
release a file from a WORM state, the default retention period is assigned.

Enforce a minimum retention time span

The minimum retention period for the directory. Files are retained in a WORM
state for at least the specified amount of time, even if a user specifies an
expiration date that results in a shorter retention period.

Enforce a maximum retention time span

The maximum retention period for the directory. Files cannot be retained in a
WORM state for more than the specified amount of time, even if a user specifies
an expiration date that results in a longer retention period.

Automatically commit files after a specific period of time

The autocommit time period for the directory. After a file exists in this SmartLock
directory without being modified for the specified time period, the file is
automatically committed to a WORM state.

132 OneFS 8.1.2 Security Configuration Guide

 Data security

Override retention periods and protect all files until a specific date
The override retention date for the directory. Files committed to a WORM state
are not released from a WORM state until after the specified date, regardless of
the maximum retention period for the directory or whether a user specifies an
earlier date to release a file from a WORM state.

SmartLock directory configuration settings

You can configure SmartLock directory settings that determine when files are
committed to and how long files are retained in a WORM state.
ID
The numerical ID of the corresponding SmartLock domain.

Path
The path of the directory.

Type
The type of SmartLock directory.

LIN
The inode number of the directory.

Autocommit offset
The autocommit time period for the directory. After a file exists in this SmartLock
directory without being modified for the specified time period, the file is
automatically committed to a WORM state.
Times are expressed in the format "<integer> <time>", where <time> is one of
the following values:
Y
Specifies years

M
Specifies months

W
Specifies weeks

D
Specifies days

H
Specifies hours

m
Specifies minutes

s
Specifies seconds

Override date
The override retention date for the directory. Files committed to a WORM state
are not released from a WORM state until after the specified date, regardless of
the maximum retention period for the directory or whether a user specifies an
earlier date to release a file from a WORM state.

Configuring SmartLock 133

Data security

Privileged delete
Indicates whether files committed to a WORM state in the directory can be
deleted through the privileged delete functionality. To access the privilege delete
functionality, you must either be assigned the ISI_PRIV_IFS_WORM_DELETE
privilege and own the file you are deleting. You can also access the privilege
delete functionality for any file if you are logged in through the root or
compadmin user account.
on
Files committed to a WORM state can be deleted through the isi worm
files delete command.

off
Files committed to a WORM state cannot be deleted, even through the isi
worm files delete command.

disabled
Files committed to a WORM state cannot be deleted, even through the isi
worm files delete command. After this setting is applied, it cannot be
modified.

Default retention period

The default retention period for the directory. If a user does not specify a date to
release a file from a WORM state, the default retention period is assigned.
Times are expressed in the format "<integer> <time>", where <time> is one of
the following values:
Y
Specifies years

M
Specifies months

W
Specifies weeks

D
Specifies days

H
Specifies hours

m
Specifies minutes

s
Specifies seconds

Forever indicates that WORM committed files are retained permanently by

default. Use Min indicates that the default retention period is equal to the
minimum retention date. Use Max indicates that the default retention period is
equal to the maximum retention date.

134 OneFS 8.1.2 Security Configuration Guide

 Data security

Minimum retention period

The minimum retention period for the directory. Files are retained in a WORM
state for at least the specified amount of time, even if a user specifies an
expiration date that results in a shorter retention period.
Times are expressed in the format "<integer> <time>", where <time> is one of
the following values:
Y
Specifies years

M
Specifies months

W
Specifies weeks

D
Specifies days

H
Specifies hours
m
Specifies minutes

s
Specifies seconds

Forever indicates that all WORM committed files are retained permanently.

Maximum retention period

The maximum retention period for the directory. Files cannot be retained in a
WORM state for more than the specified amount of time, even if a user specifies
an expiration date that results in a longer retention period.
Times are expressed in the format "<integer> <time>", where <time> is one of
the following values:
Y
Specifies years

M
Specifies months

W
Specifies weeks

D
Specifies days

H
Specifies hours

m
Specifies minutes

Configuring SmartLock 135

Data security

s
Specifies seconds

Forever indicates that there is no maximum retention period.

Snapshots overview
A OneFS snapshot is a logical pointer to data that is stored on a cluster at a specific
point in time.
A snapshot references a directory on a cluster, including all data stored in the
directory and its subdirectories. If the data referenced by a snapshot is modified, the
snapshot stores a physical copy of the data that was modified. Snapshots are created
according to user specifications or are automatically generated by OneFS to facilitate
system operations.
To create and manage snapshots, you must activate a SnapshotIQ license on the
cluster. Some applications must generate snapshots to function but do not require you
to activate a SnapshotIQ license; by default, these snapshots are automatically
deleted when OneFS no longer needs them. However, if you activate a SnapshotIQ
license, you can retain these snapshots. You can view snapshots generated by other
modules without activating a SnapshotIQ license.
You can identify and locate snapshots by name or ID. A snapshot name is specified by
a user and assigned to the virtual directory that contains the snapshot. A snapshot ID
is a numerical identifier that OneFS automatically assigns to a snapshot.

Data protection with SnapshotIQ

You can create snapshots to protect data with the SnapShotIQ software module.
Snapshots protect data against accidental deletion and modification by enabling you
to restore deleted and modified files. To use SnapshotIQ, you must activate a
SnapshotIQ license on the cluster.
Snapshots are less costly than backing up your data on a separate physical storage
device in terms of both time and storage consumption. The time required to move data
to another physical device depends on the amount of data being moved, whereas
snapshots are always created almost instantaneously regardless of the amount of data
referenced by the snapshot. Also, because snapshots are available locally, end-users
can often restore their data without requiring assistance from a system administrator.
Snapshots require less space than a remote backup because unaltered data is
referenced rather than recreated.
Snapshots do not protect against hardware or file-system issues. Snapshots reference
data that is stored on a cluster, so if the data on the cluster becomes unavailable, the
snapshots will also be unavailable. Because of this, it is recommended that you back
up your data to separate physical devices in addition to creating snapshots.

Protection domains overview

Protection domains are markers that prevent modifications to files and directories. If a
domain is applied to a directory, the domain is also applied to all of the files and

136 OneFS 8.1.2 Security Configuration Guide

 Data security

subdirectories under the directory. You can specify domains manually; however,
OneFS usually creates domains automatically.
There are three types of domains: SyncIQ domains, SmartLock domains, and
SnapRevert domains. SyncIQ domains can be assigned to source and target
directories of replication policies. OneFS automatically creates a SyncIQ domain for
the target directory of a replication policy the first time that the policy is run. OneFS
also automatically creates a SyncIQ domain for the source directory of a replication
policy during the failback process. You can manually create a SyncIQ domain for a
source directory before you initiate the failback process by configuring the policy for
accelerated failback, but you cannot delete a SyncIQ domain that marks the target
directory of a replication policy.
SmartLock domains are assigned to SmartLock directories to prevent committed files
from being modified or deleted. OneFS automatically creates a SmartLock domain
when a SmartLock directory is created. You cannot delete a SmartLock domain.
However, if you delete a SmartLock directory, OneFS automatically deletes the
SmartLock domain associated with the directory.
SnapRevert domains are assigned to directories that are contained in snapshots to
prevent files and directories from being modified while a snapshot is being reverted.
OneFS does not automatically create SnapRevert domains. You cannot revert a
snapshot until you create a SnapRevert domain for the directory that the snapshot
contains. You can create SnapRevert domains for subdirectories of directories that
already have SnapRevert domains. For example, you could create SnapRevert domains
for both /ifs/data and /ifs/data/archive. You can delete a SnapRevert
domain if you no longer want to revert snapshots of a directory.

Protection domain considerations

You can manually create protection domains before they are required by OneFS to
perform certain actions. However, manually creating protection domains can limit your
ability to interact with the data marked by the domain.
l Copying a large number of files into a protection domain might take a very long
time because each file must be marked individually as belonging to the protection
domain.
l You cannot move directories in or out of protection domains. However, you can
move a directory contained in a protection domain to another location within the
same protection domain.
l Creating a protection domain for a directory that contains a large number of files
will take more time than creating a protection domain for a directory with fewer
files. Because of this, it is recommended that you create protection domains for
directories while the directories are empty, and then add files to the directory.
l If a domain is currently preventing the modification or deletion of a file, you cannot
create a protection domain for a directory that contains that file. For example,
if /ifs/data/smartlock/file.txt is set to a WORM state by a SmartLock
domain, you cannot create a SnapRevert domain for /ifs/data/.

Note

If you use SyncIQ to create a replication policy for a SmartLock compliance directory,
the SyncIQ and SmartLock compliance domains must be configured at the same root
directory level. A SmartLock compliance domain cannot be nested inside a SyncIQ
domain.

Protection domain considerations 137

Data security

Create a protection domain

You can create SyncIQ domains or SnapRevert domains to facilitate snapshot revert
and failover operations. You cannot create a SmartLock domain. OneFS automatically
creates a SmartLock domain when you create a SmartLock directory.
Procedure
1. Click Cluster Management > Job Operations > Job Types.
2. In the Job Types area, in the DomainMark row, from the Actions column,
select Start Job.
3. In the Domain Root Path field, type the path of the directory you want to
create a protection domain for.
4. From the Type of domain list, specify the type of domain you want to create.
5. Ensure that the Delete this domain check box is cleared.
6. Click Start Job.

Data-at-rest encryption overview

You can enhance data security with a EMC Isilon cluster that contains only self-
encrypting-drive nodes, providing data-at-rest protection.
The OneFS system is available as a cluster that is composed of Isilon OneFS nodes
that contain only self-encrypting drives (SEDs). The system requirements and
management of data at rest on self-encrypting nodes are identical to that of nodes
that do not contain self-encrypting drives. Clusters of mixed node types are not
supported.

Self-encrypting drives
Self-encrypting drives store data on a cluster that is specially designed for data-at-
rest encryption.
Data-at-rest encryption on self-encrypting drives occurs when data that is stored on a
device is encrypted to prevent unauthorized data access. All data that is written to the
storage device is encrypted when it is stored, and all data that is read from the
storage device is decrypted when it is read. The stored data is encrypted with a 256-
bit data AES encryption key and decrypted in the same manner. OneFS controls data
access by combining the drive authentication key with on-disk data-encryption keys.

Note

All nodes in a cluster must be of the self-encrypting drive type. Mixed nodes are not
supported.

138 OneFS 8.1.2 Security Configuration Guide

 Data security

Data-at-rest encryption for IsilonSD Edge

IsilonSD Edge does not support data-at-rest encryption because the IsilonSD nodes do
not support the self-encrypting drive type.

Data security on self-encrypting drives

Smartfailing self-encrypting drives guarantees data security after removal.
Data on self-encrypting drives is protected from unauthorized access by
authenticating encryption keys. Encryption keys never leave the drive. When a drive is
locked, successful authentication unlocks the drive for data access.
The data on self-encrypting drives is rendered inaccessible in the following conditions:
l When a self-encrypting drive is smartfailed, drive authentication keys are deleted
from the node. The data on the drive cannot be decrypted and is therefore
unreadable, which secures the drive.
l When a drive is smartfailed and removed from a node, the encryption key on the
drive is deleted. Because the encryption key for reading data from the drive must
be the same key that was used when the data was written, it is impossible to
decrypt data that was previously written to the drive. When you smartfail and then
remove a drive, it is cryptographically erased.

Note

Smartfailing a drive is the preferred method for removing a self-encrypting drive.

Removing a node that has been smartfailed guarantees that data is inaccessible.
l When a self-encrypting drive loses power, the drive locks to prevent unauthorized
access. When power is restored, data is again accessible when the appropriate
drive authentication key is provided.

Data migration to a cluster with self-encrypting drives

You can have data from your existing cluster migrated to a cluster of nodes made up
of self-encrypting drives (SEDs). As a result, all migrated and future data on the new
cluster will be encrypted.

Note

Data migration to a cluster with SEDs must be performed by Isilon Professional

Services. For more information, contact your EMC Isilon representative.

Chassis and drive states

You can view chassis and drive state details.
In a cluster, the combination of nodes in different degraded states determines
whether read requests, write requests, or both work. A cluster can lose write quorum
but keep read quorum. OneFS provides details about the status of chassis and drives
in your cluster. The following table describes all the possible states that you may
encounter in your cluster.

Data-at-rest encryption for IsilonSD Edge 139

Data security

Note

If you are running IsilonSD Edge, you can view and manage the chassis and drive state
details through the IsilonSD Management Plug-in. For more information, see the
IsilonSD Edge Installation and Administration Guide.

State Description Interface Error state

HEALTHY All drives in the node Command-line

are functioning interface, web
correctly. administration
interface

L3 A solid state drive Command-line

(SSD) was deployed interface
as level 3 (L3) cache
to increase the size of
cache memory and
improve throughput
speeds.

SMARTFAIL or The drive is in the Command-line

Smartfail or process of being interface, web
restripe in removed safely from administration
progress the file system, either interface
because of an I/O
error or by user
request. Nodes or
drives in a smartfail or
read-only state affect
only write quorum.

NOT AVAILABLE A drive is unavailable Command-line X

for a variety of interface, web
reasons. You can click administration
the bay to view interface
detailed information
about this condition.

Note

In the web
administration
interface, this state
includes the ERASE
and SED_ERROR
command-line
interface states.

SUSPENDED This state indicates Command-line

that drive activity is interface, web
temporarily administration
suspended and the interface
drive is not in use.
The state is manually
initiated and does not

140 OneFS 8.1.2 Security Configuration Guide

 Data security

State Description Interface Error state

occur during normal
cluster activity.

NOT IN USE A node in an offline Command-line

state affects both interface, web
read and write administration
quorum. interface

REPLACE The drive was Command-line

smartfailed interface only
successfully and is
ready to be replaced.

STALLED The drive is stalled Command-line

and undergoing stall interface only
evaluation. Stall
evaluation is the
process of checking
drives that are slow or
having other issues.
Depending on the
outcome of the
evaluation, the drive
may return to service
or be smartfailed. This
is a transient state.

NEW The drive is new and Command-line

blank. This is the interface only
state that a drive is in
when you run the isi
dev command with
the -a add option.

USED The drive was added Command-line

and contained an interface only
Isilon GUID but the
drive is not from this
node. This drive likely
will be formatted into
the cluster.

PREPARING The drive is Command-line

undergoing a format interface only
operation. The drive
state changes to
HEALTHY when the
format is successful.

EMPTY No drive is in this bay. Command-line

interface only

WRONG_TYPE The drive type is Command-line

wrong for this node. interface only
For example, a non-
SED drive in a SED
node, SAS instead of

Chassis and drive states 141

Data security

State Description Interface Error state

the expected SATA
drive type.

BOOT_DRIVE Unique to the A100 Command-line

drive, which has boot interface only
drives in its bays.

SED_ERROR The drive cannot be Command-line X

acknowledged by the interface, web
OneFS system. administration
interface
Note

In the web
administration
interface, this state is
included in Not
available.

ERASE The drive is ready for Command-line

removal but needs interface only
your attention
because the data has
not been erased. You
can erase the drive
manually to guarantee
that data is removed.

Note

In the web
administration
interface, this state is
included in Not
available.

INSECURE Data on the self- Command-line X

encrypted drive is interface only
accessible by
unauthorized
personnel. Self-
encrypting drives
should never be used
for non-encrypted
data purposes.

Note

In the web
administration
interface, this state is
labeled
Unencrypted
SED.

142 OneFS 8.1.2 Security Configuration Guide

 Data security

State Description Interface Error state

UNENCRYPTED Data on the self- Web administration X

encrypted drive is interface only
accessible by
unauthorized
personnel. Self-
encrypting drives
should never be used
for non-encrypted
data purposes.

Note

In the command-line
interface, this state is
labeled INSECURE.

Smartfailed drive REPLACE state

You can see different drive states during the smartfail process.
If you run the isi dev command while the drive in bay 1 is being smartfailed, the
system displays output similar to the following example:

Node 1, [ATTN]
Bay 1 Lnum 11 [SMARTFAIL] SN:Z296M8HK
000093172YE04 /dev/da1
Bay 2 Lnum 10 [HEALTHY] SN:Z296M8N5
00009330EYE03 /dev/da2
Bay 3 Lnum 9 [HEALTHY] SN:Z296LBP4
00009330EYE03 /dev/da3
Bay 4 Lnum 8 [HEALTHY] SN:Z296LCJW
00009327BYE03 /dev/da4
Bay 5 Lnum 7 [HEALTHY] SN:Z296M8XB
00009330KYE03 /dev/da5
Bay 6 Lnum 6 [HEALTHY] SN:Z295LXT7
000093172YE03 /dev/da6
Bay 7 Lnum 5 [HEALTHY] SN:Z296M8ZF
00009330KYE03 /dev/da7
Bay 8 Lnum 4 [HEALTHY] SN:Z296M8SD
00009330EYE03 /dev/da8
Bay 9 Lnum 3 [HEALTHY] SN:Z296M8QA
00009330EYE03 /dev/da9
Bay 10 Lnum 2 [HEALTHY] SN:Z296M8Q7
00009330EYE03 /dev/da10
Bay 11 Lnum 1 [HEALTHY] SN:Z296M8SP
00009330EYE04 /dev/da11
Bay 12 Lnum 0 [HEALTHY] SN:Z296M8QZ
00009330JYE03 /dev/da12

If you run the isi dev command after the smartfail completes successfully, the
system displays output similar to the following example, showing the drive state as
REPLACE:

Node 1, [ATTN]
Bay 1 Lnum 11 [REPLACE] SN:Z296M8HK
000093172YE04 /dev/da1
Bay 2 Lnum 10 [HEALTHY] SN:Z296M8N5
00009330EYE03 /dev/da2
Bay 3 Lnum 9 [HEALTHY] SN:Z296LBP4

Smartfailed drive REPLACE state 143

Data security

00009330EYE03 /dev/da3
Bay 4 Lnum 8 [HEALTHY] SN:Z296LCJW
00009327BYE03 /dev/da4
Bay 5 Lnum 7 [HEALTHY] SN:Z296M8XB
00009330KYE03 /dev/da5
Bay 6 Lnum 6 [HEALTHY] SN:Z295LXT7
000093172YE03 /dev/da6
Bay 7 Lnum 5 [HEALTHY] SN:Z296M8ZF
00009330KYE03 /dev/da7
Bay 8 Lnum 4 [HEALTHY] SN:Z296M8SD
00009330EYE03 /dev/da8
Bay 9 Lnum 3 [HEALTHY] SN:Z296M8QA
00009330EYE03 /dev/da9
Bay 10 Lnum 2 [HEALTHY] SN:Z296M8Q7
00009330EYE03 /dev/da10
Bay 11 Lnum 1 [HEALTHY] SN:Z296M8SP
00009330EYE04 /dev/da11
Bay 12 Lnum 0 [HEALTHY] SN:Z296M8QZ
00009330JYE03 /dev/da12

If you run the isi dev command while the drive in bay 3 is being smartfailed, the
system displays output similar to the following example:

Node 1, [ATTN]
Bay 1 Lnum 11 [REPLACE] SN:Z296M8HK
000093172YE04 /dev/da1
Bay 2 Lnum 10 [HEALTHY] SN:Z296M8N5
00009330EYE03 /dev/da2
Bay 3 Lnum 9 [SMARTFAIL] SN:Z296LBP4
00009330EYE03 N/A
Bay 4 Lnum 8 [HEALTHY] SN:Z296LCJW
00009327BYE03 /dev/da4
Bay 5 Lnum 7 [HEALTHY] SN:Z296M8XB
00009330KYE03 /dev/da5
Bay 6 Lnum 6 [HEALTHY] SN:Z295LXT7
000093172YE03 /dev/da6
Bay 7 Lnum 5 [HEALTHY] SN:Z296M8ZF
00009330KYE03 /dev/da7
Bay 8 Lnum 4 [HEALTHY] SN:Z296M8SD
00009330EYE03 /dev/da8
Bay 9 Lnum 3 [HEALTHY] SN:Z296M8QA
00009330EYE03 /dev/da9
Bay 10 Lnum 2 [HEALTHY] SN:Z296M8Q7
00009330EYE03 /dev/da10
Bay 11 Lnum 1 [HEALTHY] SN:Z296M8SP
00009330EYE04 /dev/da11
Bay 12 Lnum 0 [HEALTHY] SN:Z296M8QZ
00009330JYE03 /dev/da12

144 OneFS 8.1.2 Security Configuration Guide

CHAPTER 10
Auditing and logging

This section contains the following topics:

l Auditing overview............................................................................................. 146

l Syslog...............................................................................................................146
l Protocol audit events........................................................................................147
l Supported event types..................................................................................... 148
l Supported audit tools....................................................................................... 149
l Configuring auditing......................................................................................... 149
l Events and alerts.............................................................................................. 152

Auditing and logging 145

Auditing and logging

Auditing overview
You can audit system configuration changes and protocol activity on an EMC Isilon
cluster. All audit data is stored and protected in the cluster file system and organized
by audit topics.
Auditing can detect many potential sources of data loss, including fraudulent
activities, inappropriate entitlements, and unauthorized access attempts. Customers
in industries such as financial services, health care, life sciences, and media and
entertainment, as well as in governmental agencies, must meet stringent regulatory
requirements developed to protect against these sources of data loss.
System configuration auditing tracks and records all configuration events that are
handled by the OneFS HTTP API. The process involves auditing the command-line
interface (CLI), web administration interface, and OneFS APIs. When you enable
system configuration auditing, no additional configuration is required. System
configuration auditing events are stored in the config audit topic directories.
Protocol auditing tracks and stores activity performed through SMB, NFS, and HDFS
protocol connections. You can enable and configure protocol auditing for one or more
access zones in a cluster. If you enable protocol auditing for an access zone, file-
access events through the SMB, NFS, and HDFS protocols are recorded in the
protocol audit topic directories. You can specify which events to log in each access
zone. For example, you might want to audit the default set of protocol events in the
System access zone but audit only successful attempts to delete files in a different
access zone.
The audit events are logged on the individual nodes where the SMB, NFS, or HDFS
client initiated the activity. The events are then stored in a binary file under /
ifs/.ifsvar/audit/logs. The logs automatically roll over to a new file after the
size reaches 1 GB. The logs are then compressed to reduce space.
The protocol audit log file is consumable by auditing applications that support the
EMC Common Event Enabler (CEE).

Syslog
Syslog is a protocol that is used to convey certain event notification messages. You
can configure an Isilon cluster to log audit events and forward them to syslog by using
the syslog forwarder.
By default, all protocol events that occur on a particular node are forwarded to
the /var/log/audit_protocol.log file, regardless of the access zone the event
originated from. All the config audit events are logged to /var/log/
audit_config.log by default.
Syslog is configured with an identity that depends on the type of audit event that is
being sent to it. It uses the facility daemon and a priority level of info. The protocol
audit events are logged to syslog with the identity audit_protocol. The config
audit events are logged to syslog with the identity audit_config.
To configure auditing on an Isilon cluster, you must either be a root user or you must
be assigned to an administrative role that includes auditing privileges
(ISI_PRIV_AUDIT).

146 OneFS 8.1.2 Security Configuration Guide

 Auditing and logging

Syslog forwarding
The syslog forwarder is a daemon that, when enabled, retrieves configuration changes
and protocol audit events in an access zone and forwards the events to syslog. Only
user-defined audit success and failure events are eligible for being forwarded to
syslog.
On each node there is an audit syslog forwarder daemon running that will log audit
events to the same node's syslog daemon.

Protocol audit events

By default, audited access zones track only certain events on the EMC Isilon cluster,
including successful and failed attempts to access files and directories.
The default tracked events are create, close, delete, rename, and set_security.
The names of generated events are loosely based on the Windows I/O request packet
(IRP) model in which all operations begin with a create event to obtain a file handle. A
create event is required before all I/O operations, including the following: close,
create, delete, get_security, read, rename, set_security, and write. A close event
marks when the client is finished with the file handle that was produced by a create
event.

Note

For the NFS and HDFS protocols, the rename and delete events might not be enclosed
with the create and close events.

These internally stored events are translated to events that are forwarded through the
EMC CEE to the auditing application. The EMC CEE export facilities on OneFS
perform this mapping. The EMC CEE can be used to connect to any third party
application that supports the EMC CEE.

Note

The EMC CEE does not support forwarding HDFS protocol events to a third-party
application.

Different SMB, NFS, and HDFS clients issue different requests, and one particular
version of a platform such as Windows or Mac OS X using SMB might differ from
another. Similarly, different versions of an application such as Microsoft Word or
Windows Explorer might make different protocol requests. For example, a client with a
Windows Explorer window open might generate many events if an automatic or
manual refresh of that window occurs. Applications issue requests with the logged-in
user's credentials, but you should not assume that all requests are purposeful user
actions.
When enabled, OneFS audit will track all changes that are made to the files and
directories in SMB shares, NFS exports, and HDFS data.

Syslog forwarding 147

Auditing and logging

Supported event types

You can view or modify the event types that are audited in an access zone.

Event name Example protocol Audited by Can be Cannot be

activity default exported exported
through CEE through CEE
create l Create a file or X X
directory
l Open a file,
directory, or
share
l Mount a share
l Delete a file

Note

While the SMB

protocol allows
you to set a file
for deletion with
the create
operation, you
must enable the
delete event in
order for the
auditing tool to
log the event.

close l Close a directory X X

l Close a modified
or unmodified file

rename Rename a file or X X

directory

delete Delete a file or X X

directory

set_security Attempt to modify X X

file or directory
permissions

read The first read X

request on an open
file handle

write The first write X

request on an open
file handle

get_security The client reads X

security information

148 OneFS 8.1.2 Security Configuration Guide

 Auditing and logging

Event name Example protocol Audited by Can be Cannot be

activity default exported exported
through CEE through CEE
for an open file
handle

logon SMB session create X

request by a client

logoff SMB session logoff X

tree_connect SMB first attempt to X

access a share

Supported audit tools

You can configure OneFS to send protocol auditing logs to servers that support the
EMC Common Event Enabler (CEE).
CEE has been tested and verified to work on several third-party software vendors.

Note

We recommend that you install and configure third-party auditing applications before
you enable the OneFS auditing feature. Otherwise, all the events that are logged are
forwarded to the auditing application, and a large backlog causes a delay in receiving
the most current events.

Configuring auditing
You can configure settings for change auditing and protocol access auditing.
The following sections describe configuration changes specifically related to security.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about auditing and additional auditing management tasks.

Enable protocol access auditing

You can audit SMB, NFS, and HDFS protocol access on a per-access zone basis and
optionally forward the generated events to the EMC Common Event Enabler (CEE)
for export to third-party products.

Note

Because each audited event consumes system resources, we recommend that you
only configure zones for events that are needed by your auditing application. In
addition, we recommend that you install and configure third-party auditing
applications before you enable the OneFS auditing feature. Otherwise, the large
backlog performed by this feature may cause results to not be updated for a
considerable amount of time.

Procedure
1. Click Cluster Management > Auditing.
2. In the Settings area, select the Enable Protocol Access Auditing checkbox.

Supported audit tools 149

Auditing and logging

3. In the Audited Zones area, click Add Zones.

4. In the Select Access Zones dialog box, select the check box for one or more
access zones, and then click Add Zones.
5. (Optional) In the Event Forwarding area, specify one or more CEE servers to
forward logged events to.
a. In the CEE Server URIs field, type the URI of each CEE server in the CEE
server pool.
The OneFS CEE export service uses round-robin load balancing when
exporting events to multiple CEE servers. Valid URIs start with http://
and include the port number and path to the CEE server if necessary—for
example, http://example.com:12228/cee.

b. In the Storage Cluster Name field, specify the name of the storage cluster
to use when forwarding protocol events.
This name value is typically the SmartConnect zone name, but in cases
where SmartConnect is not implemented, the value must match the
hostname of the cluster as the third-party application recognizes it. If the
field is left blank, events from each node are filled with the node name
(clustername + lnn). This setting is required only if needed by your third-
party audit application.

Note

Although this step is optional, be aware that a backlog of events will

accumulate regardless of whether CEE servers have been configured. When
configured, CEE forwarding begins with the oldest events in the backlog and
moves toward newest events in a first-in-first-out sequence.

6. Click Save Changes.

Results
The following protocol events are collected for audited access zones by default:
create, close, delete, rename, and set_security. You can modify the set of
events that are audited in an access zone by running the isi audit settings
modify command in the command-line interface. Because each audited event
consumes system resources, it is recommended that you only configure zones for
events that are needed by your auditing application.
After you finish
You can modify the types of protocol access events to be audited by running the isi
audit settings modify command. You can also enable forwarding of protocol
access events to syslog by running the isi audit settings modify command
with the --syslog-forwarding-enabled option. These procedures are available
only through the command-line interface.

Forward protocol access events to syslog

You can enable or disable forwarding of audited protocol access events to syslog in
each access zone. Forwarding is not enabled by default when protocol access auditing
is enabled. This procedure is available only through the command-line interface.
Before you begin
To enable forwarding of protocol access events in an access zone, you must first
enable protocol access auditing in the access zone.

150 OneFS 8.1.2 Security Configuration Guide

 Auditing and logging

The --audit-success and --audit-failure options define the event types that
are audited, and the --syslog-audit-events option defines the event types that
are forwarded to syslog. Only the audited event types are eligible for forwarding to
syslog. If syslog forwarding is enabled, protocol access events are written to
the /var/log/audit_protocol.log file.
Procedure
1. Open a Secure Shell (SSH) connection to any node in the cluster and log in.
2. Run the isi audit settings modify command with the --syslog-
forwarding-enabled option to enable or disable audit syslog.
The following command enables forwarding of the audited protocol access
events in the zone3 access zone and specifies that the only event types
forwarded are close, create, and delete events:

isi audit settings modify --syslog-forwarding-enabled=yes --

syslog-audit-events=close,create,delete --zone=zone3

The following command disables forwarding of audited protocol access events

from the zone3 access zone:

isi audit settings modify --syslog-forwarding-enabled=no --

zone=zone3

Enable system configuration auditing

OneFS can audit system configuration events on the Isilon cluster. All configuration
events that are handled by the API including writes, modifications, and deletions are
tracked and recorded in the config audit topic directories. When you enable or disable
system configuration auditing, no additional configuration is required.
Configuration events are logged to /var/log/audit_config.log only if you have
enabled syslog forwarding for config audit. Configuration change logs are populated in
the config topic in the audit back-end store under /ifs/.ifsvar/audit.

Note

Configuration events are not forwarded to the Common Event Enabler (CEE).

Procedure
1. Click Cluster Management > Auditing.
2. In the Settings area, select the Enable Configuration Change Auditing check
box.
3. Click Save Changes.
After you finish
You can enable forwarding of system configuration changes to syslog by running the
isi audit settings global modify command with the --config-syslog-
enabled option. This procedure is available only through the command-line interface.

Enable system configuration auditing 151

Auditing and logging

Forward system configuration changes to syslog

You can enable or disable forwarding of system configuration changes on the EMC
Isilon cluster to syslog, which is saved to /var/log/audit_config.log. This
procedure is available only through the command-line interface.
Before you begin
Forwarding is not enabled by default when system configuration auditing is enabled.
To enable forwarding of system configuration changes to syslog, you must first enable
system configuration auditing on the cluster.
Procedure
1. Open a Secure Shell (SSH) connection to any node in the cluster and log in.
2. Run the isi audit settings global modify command with the --
config-syslog-enabled option to enable or disable forwarding of system
configuration changes.
The following command enables forwarding of system configuration changes to
syslog:

isi audit settings global modify --config-syslog-enabled=yes

The following command disables forwarding of system configuration changes to

syslog:

isi audit settings global modify --config-syslog-enabled=no

Events and alerts

OneFS continuously monitors the health and performance of your cluster and
generates events when situations occur that might require your attention.
Events can be related to file system integrity, network connections, jobs, hardware,
and other vital operations and components of your cluster. After events are captured,
they are analyzed by OneFS. Events with similar root causes are organized into event
groups.

Note

For descriptions of individual event types by event type ID, see the OneFS Event
Reference. Certain events such as hardware events do not apply to IsilonSD Edge.

An event group is a single point of management for numerous events related to a

particular situation. You can determine which event groups you want to monitor,
ignore, or resolve.
An alert is the message that reports on a change that has occurred in an event group.
You can control how alerts related to an event group are distributed. Alerts are
distributed through channels. You can create and configure a channel to send alerts to
a specific audience, control the content the channel distributes, and limit frequency of
the alerts.

152 OneFS 8.1.2 Security Configuration Guide

 Auditing and logging

Events overview
Events are individual occurrences or conditions related to the data workflow,
maintenance operations, and hardware components of your cluster.
Throughout OneFS there are processes that are constantly monitoring and collecting
information on cluster operations.
When the status of a component or operation changes, the change is captured as an
event and placed into a priority queue at the kernel level.
Every event has two ID numbers that help to establish the context of the event:
l The event type ID identifies the type of event that has occurred.
l The event instance ID is a unique number that is specific to a particular occurrence
of an event type. When an event is submitted to the kernel queue, an event
instance ID is assigned. You can reference the instance ID to determine the exact
time that an event occurred.
You can view individual events. However, you manage events and alerts at the event
group level.

Event groups overview

Event groups are collections of individual events that are related symptoms of a single
situation on your cluster. Event groups provide a single point of management for
multiple event instances that are generated in response to a situation on your cluster.
For example, if a chassis fan fails in a node, OneFS might capture multiple events
related both to the failed fan itself, and to exceeded temperature thresholds within
the node. All events related to the fan will be represented in a single event group.
Because there is a single point of contact, you do not need to manage numerous
individual events. You can handle the situation as a single, coherent issue.
All management of events is performed at the event group level. You can mark an
event group as resolved or ignored. You can also configure how and when alerts are
distributed for an event group.

Alerts overview
An alert is a message that describes a change that has occurred in an event group.
At any point in time, you can view event groups to track situations occurring on your
cluster. However, you can also create alerts that will proactively notify you if there is a
change in an event group.
For example, you can generate an alert when a new event is added to an event group,
when an event group is resolved, or when the severity of an event group changes.
You can configure your cluster to only generate alerts for specific event groups,
conditions, severity, or during limited time periods.
Alerts are delivered through channels. You can configure a channel to determine who
will receive the alert and when.

Channels overview
Channels are pathways by which event groups send alerts.
When an alert is generated, the channel associated with the alert determines how the
alert is distributed and who receives the alert.

Events overview 153

Auditing and logging

You can configure a channel to deliver alerts with one of the following mechanisms:
SMTP, SNMP, or ConnectEMC. You can also specify routing and labeling information
that is required by the delivery mechanism.

Configuring and managing events

You can configure and manage events and notifications that indicate the health and
performance of your EMC Isilon cluster.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about events and additional event management tasks.

Change the status of an event group

You can ignore or resolve an event group.
After you resolve an event group, you cannot reverse that action. Any new events that
would have been added to the resolved event group will be added to a new event
group.
Procedure
1. Click Cluster Management > Events and Alerts.
2. In the Actions column of the event group you want to change, click More.
3. In the menu that appears, click Mark Resolved to resolve the event group or
Ignore to ignore the event group.

Note

You can perform an action on multiple event groups by selecting the check box
next to the event group ID of the events you want to change, then selecting an
action from the Select a bulk action drop-down list.

4. Click Mark Resolved or Ignore to confirm the action.

Create a new alert

You can create new alerts to provide specific updates on event groups.
Procedure
1. Click Cluster Management > Events and Alerts > Alerts.
2. Click Create an Alert.
3. Modify the settings for the new alert as needed.
a. In the Name field, type the alert name.
b. In the Alert Channels area, click the checkbox next to the channel you want
to associate with the alert.
To associate a new channel with the alert, click Create an Alert Channel.

c. Click the checkbox next to the Event Group Categories you want to
associate with the alert.
d. In the Event Group ID field, enter the ID of the event group you would like
the alert to report on.
To add another event group ID to the alert, click Add Another Event Group
ID.

154 OneFS 8.1.2 Security Configuration Guide

 Auditing and logging

e. Select the an alert condition from the Condition drop-down list.

Note

Depending on the alert condition you select, other settings will appear.

f. For the New event groups, New events, Interval, Severity

increase, Severity decrease, and Resolved event group
conditions, enter a number and time value for how long you would like an
event to exist before the alert reports on it.
g. For the New events condition, in the Maximum Alert Limit field, edit the
maximum number of alerts that can be sent out for new events.
h. For the ONGOING condition, enter a number and time value for the interval
you want between alerts related to an ongoing event.
4. Click Create Alert.

Create a new channel

You can create and configure new channels to send out alert information.
Procedure
1. Click Cluster Management > Events and Alerts > Alerts.
2. In the Alert Channels area, click Create an Alert Channel.
3. In the Name field, type the channel name.
4. Click the Enable this Channel checkbox to enable or disable the channel.
5. Select the delivery mechanism for the channel from the Type drop-down list.

Note

Depending on the delivery mechanism you select, different settings will appear.

6. If you are creating an SMTP channel, you can configure the following settings:
a. In the Send to field, enter an email address you want to receive alerts on
this channel.
To add another email address to the channel, click Add Another Email
Address.

b. In the Send from field, enter the email address you want to appear in the
from field of the alert emails.
c. In the Subject field, enter the text you want to appear on the subject line of
the alert emails.
d. In the SMTP Host or Relay Address field, enter your SMTP host or relay
address.
e. In the SMTP Relay Port field, enter the number of your SMTP relay port.
f. Click the Use SMTP Authentication checkbox to specify a username and
password for your SMTP server.
g. Specify your connection security between NONE or STARTTLS.
h. From the Notification Batch Mode dropdown, select whether alerts will be
batched together, by severity, or by category.

Configuring and managing events 155

Auditing and logging

i. From the Notification Email Template dropdown, select whether emails will
be created from a standard or custom email template.
If you specify a custom template, enter the location of the template on your
cluster in the Custom Template Location field.

j. In the Master Nodes area, in the Allowed Nodes field, type the node
number of a node in the cluster that is allowed to send alerts through this
channel.
To add another allowed node to the channel, click Add another Node. If you
do not specify any nodes, all nodes in the cluster will be considered allowed
nodes.

k. In the Excluded Nodes field, type the node number of a node in the cluster
that is not allowed to send alerts through this channel.
To add another excluded node to the channel, click Exclude another Node.
7. If you are creating a ConnectEMC channel, you can configure the following
settings:
a. In the Master Nodes area, in the Allowed Nodes field, type the node
number of a node in the cluster that is allowed to send alerts through this
channel.
To add another allowed node to the channel, click Add another Node. If you
do not specify any nodes, all nodes in the cluster will be considered allowed
nodes.

b. In the Excluded Nodes field, type the node number of a node in the cluster
that is not allowed to send alerts through this channel.
To add another excluded node to the channel, click Exclude another Node.
8. If you are creating an SNMP channel, you can configure the following settings:
a. In the Community field, enter your SNMP community string.
b. In the Host field, enter your SNMP host name or address.
c. In the Master Nodes area, in the Allowed Nodes field, type the node
number of a node in the cluster that is allowed to send alerts through this
channel.
To add another allowed node to the channel, click Add another Node. If you
do not specify any nodes, all nodes in the cluster will be considered allowed
nodes.

d. In the Excluded Nodes field, type the node number of a node in the cluster
that is not allowed to send alerts through this channel.
To add another excluded node to the channel, click Exclude another Node.
9. Click Create Alert Channel.

Modify event storage settings

You can view your storage and maintenance settings.
Procedure
1. Click Cluster Management > Events and Alerts > Settings.
2. Locate the Event Retention Settings area.

156 OneFS 8.1.2 Security Configuration Guide

 Auditing and logging

3. In the Resolved Event Group Data Retention field, enter the number of days
you want resolved event groups to be stored before they are deleted.
4. In the Event Log Storage Limit field, enter the limit for the amount of storage
you want to set aside for event data.
The value in this field represents how many megabytes of data can be stored
per terabyte of total cluster storage.
5. Click Save Changes.

Schedule a maintenance window

You can schedule a maintenance window to discontinue alerts while you are
performing maintenance on your cluster.
Procedure
1. Click Cluster Management > Events and Alerts > Settings.
2. Locate the Maintenance Period Settings area.
3. In the Start Date field, enter the date you want the maintenance window to
begin.
4. From the Start Date dropdowns, select the time you want the maintenance
window to begin.
5. In the Duration field, enter a number and time value for how long you want the
maintenance window to last.
6. Click Save Changes.

Configuring and managing events 157

Auditing and logging

158 OneFS 8.1.2 Security Configuration Guide

CHAPTER 11
Physical security

This section contains the following topics:

l Physical security overview................................................................................160

l Security of the data center...............................................................................160
l Physical ports on Isilon nodes........................................................................... 160
l Statements of Volatility.................................................................................... 160

Physical security 159

Physical security

Physical security overview

Physical security addresses a different class of threats than the operating
environment and user access security concepts that are discussed elsewhere in this
guide. The objective of physical security is to safeguard company personnel,
equipment, and facilities from theft, vandalism, sabotage, accidental damage, and
natural or man-made disasters.
Physical security concepts are applicable to all corporate facilities, but data center
security is most relevant in terms of Isilon deployment.

Security of the data center

Isilon components are not designed to be self-secure in either resource discrimination
or physical access. For example, drive data encryption keys reside on node hardware.
If access is gained to these components, security of the data cannot be guaranteed.
Thus, data center physical security is a necessary compensating control.
In addition to superior resource delivery, a secure data center protects Isilon
components from security violations at the physical level including:
l Malicious power reset
l Interference with internal cabling
l Unauthorized local access to communication ports
l Unauthorized local access to internal node components
Optimal operation of an Isilon cluster is achieved when the cluster is installed in a data
center where proper measures have been taken to protect equipment and data. Refer
to the Isilon Site Preparation and Planning Guide for complete data center requirements.

Physical ports on Isilon nodes

There are several types of Isilon nodes. Refer to the node installation guide for a
particular node type to find the locations and descriptions of each of the ports.
Follow these security guidelines when using the ports on a node:
l Connect only the minimum number of cables required. If you do not need to use a
port, leave it empty.
l Follow the instructions in the node installation guide about which ports to use, and
which ports not to use.
l You can connect to a node using a serial cable and enter single user mode.
Exception: SmartLock compliance clusters do not allow you to boot into single
user mode.
l Contact Isilon Technical Support if you have any questions.

Statements of Volatility
A Statement of Volatility (SOV) details the conditions under which the non-disk
components of physical Isilon products, such as storage arrays or physical appliances,
are capable of retaining data when power is removed. It is important to understand
which parts of a product contain (and retain) customer-specific data when power is

160 OneFS 8.1.2 Security Configuration Guide

 Physical security

removed, because the data may be sensitive or covered by breach, scrubbing, or data
retention requirements.
Statements of Volatility are not directly customer accessible, but can be made
available to customers on request. Contact your account team for assistance.

Statements of Volatility 161

Physical security

162 OneFS 8.1.2 Security Configuration Guide

CHAPTER 12
Serviceability

This section contains the following topics:

l Self-service support......................................................................................... 164

l Remote support using ESRS.............................................................................164

Serviceability 163
Serviceability

Self-service support
EMC provides the Isilon Advisor (IA), a free application that enables customers to self-
support common Isilon issues.
The Isilon Advisor is the same application that is used by EMC Isilon Technical Support
Engineers and Field Representatives to resolve service requests. You can use it to
diagnose and troubleshoot issues. You can also use it to analyze the current health of
your cluster and identify items that require attention. This can help you avoid issues
that might arise in the future.
For more information about Isilon Advisor, and to download the latest version, see
https://help.psapps.emc.com/pages/viewpage.action?pageId=2853972.

Remote support using ESRS

EMC Isilon clusters support enablement of EMC Secure Remote Services (ESRS).
ESRS is a secure, IP-based customer service support system. ESRS features include
24x7 remote monitoring and secure authentication with AES 256-bit encryption and
RSA digital certificates. You can select monitoring on a node-by node basis, allow or
deny remote support sessions, and review remote customer service activities.
ESRS is similar to SupportIQ and performs many of the same functions:
l Send alerts regarding the health of your devices.
l Enable support personnel to run the same scripts used by SupportIQ to gather
data from your devices.
l Allow support personnel to establish remote access to troubleshoot your cluster.
You can only enable one remote support system on your Isilon cluster. We recommend
ESRS due to the following features:
l Manages nodes individually; you select which nodes should be managed
l Can monitor multiple EMC products.
l Preferable in a high-security environment.
See the most recent version of the document titled EMC Secure Remote Services
Technical Description for a complete description of ESRS features and functionality.
Additional documentation about ESRS can be found on the EMC Online Support site.

Configuring EMC Secure Remote Services support

You can configure support for EMC Secure Remote Services (ESRS) on the Isilon
cluster.
Before configuring ESRS, at least one ESRS gateway server must be installed and
configured. The gateway server acts as the single point of entry and exit for IP-based
remote support activities and monitoring notifications. If required, set up a secondary
gateway server as a fail over.

164 OneFS 8.1.2 Security Configuration Guide

 Serviceability

Table 1 Supported ESRS Gateway releases

ESRS OneFS Version 8.0 and OneFS Version 8.1 and later
earlier
ESRS Gateway server Version 2 Release 2 (if previously configured),
(backend) and Release 3 (required for OneFS
ESRS 3 features and
enhancements)

OneFS ESRS Version 2 Release 2 (if previously configured),

and Release 3 (required for new
features and enhancements)

ESRS does not support IPv6 communications. To support ESRS transmissions and
remote connections, at least one subnet on the EMC Isilon cluster must be configured
for IPv4 addresses. All nodes to be managed by ESRS must have at least one network
interface that is a member of an IPv4 address pool.
Designate one or more IP address pools that handle remote gateway connections by
support personnel. The IP address pool must belong to a subnet under groupnet0,
which is the default system groupnet and referenced by the System access zone. It is
recommended that you designate pools with static IP addresses that are dedicated to
remote connections through ESRS.
If ESRS transmissions fail, ESRS can send event notifications to a fail over SMTP
address. Also, specify whether an email should be sent on transmission failure. The
SMTP address and email address are specified in OneFS general cluster settings.
When you enable support for ESRS on a cluster, the serial number and IP address of
each node is sent to the gateway server. Once cluster information is received, you
can:
l Select what you want managed through ESRS with the ESRS Configuration Tool.
l Create rules for remote support connections to the Isilon cluster with the ESRS
Policy Manager.
The following documentation provides additional ESRS information:
l The most recent version of the document titled EMC Secure Remote Services Site
Planning Guide for a complete description the gateway server requirements,
installation, and configuration.
l The most recent version of EMC Secure Remote Services Installation and
Operations Guide for a complete description of the ESRS Configuration Tool.
l The most recent version of the document titled EMC Secure Remote Services
Policy Manager Operations Guide for a complete description of the ESRS Policy
manager.
l EMC Support By Product.
OneFS 8.1 and later uses the ESRS REST interface that supports the ESRS 3.x virtual
edition gateway. The entire cluster is now provisioned with a single registration, as
opposed to a node at a time as in previous versions of OneFS.

Configuring EMC Secure Remote Services support 165

Serviceability

Figure 3 OneFS Cluster relationship with the ESRS gateway connectivity backend

The following table lists the features and enhancements available with ESRS for
OneFS 8.1. To take advantage of the new features, ensure that you are running the
ESRS Gateway Server (virtual edition) Release 3.x before you enable ESRS on the
OneFS 8.1 and later cluster.

Table 2 ESRS features and enhancements

Feature Description
Consolidation ESRS consolidates access points for technical
support by providing a uniform, standards-
based architecture for remote access across
EMC product lines. The benefits include
reduced costs through the elimination of
modems and phone lines, controlled
authorization of access for remote services
events, and consolidated logging of remote
access for audit review.

Enhanced security l Comprehensive digital security — ESRS

security includes Transport Layer
Security (TLS) data encryption, TLS v1.0
tunneling with Advanced Encryption
Standard (AES) 256-bit data encryption
SHA-1, entity authentication (private
digital certificates), and remote access
user authentication verified through EMC
network security.
l Authorization controls — Policy controls
enable customized authorization to
accept, deny, or require dynamic approval

166 OneFS 8.1.2 Security Configuration Guide

 Serviceability

Table 2 ESRS features and enhancements (continued)

Feature Description

for connections to your EMC device

infrastructure at the support application
and device level, with the use of Policy
Manager.
l Secure remote access session tunnels —
ESRS establishes remote sessions using
secure IP and application port assignment
between source and target endpoints.

Licensing Usage Data Transfer ESRS VE REST APIs support transfer of

licensing usage data to EMC, from EMC
Products. Such Products must be managed
by ESRS VE, and be Usage Intelligence
enabled in order to send usage data. EMC
processes usage data and provides Usage
Intelligence reports, visible to Customers and
EMC, to better track product usage, and
manage compliance.

Automatic Software Updates ESRS VE automatically checks for software

updates, and notifies users via email as they
become available. In addition, the ESRS Web
UI Dashboard displays the latest available
updates when it becomes available. Users can
apply updates as they choose from the ESRS
VE Web UI.

Managed File Transfer (MFT) MFT is a bidirectional file transfer mechanism

that is provided as part of ESRS VE (Virtual
Edition). You can use MFT to send or receive
large files, such as log files, microcode,
firmware, scripts, or large installation files
between the product and EMC. A distribution
"locker" is used for bi-direction file staging.

Remote support scripts

After you enable remote support through ESRS, Isilon Technical Support personnel
can request logs with scripts that gather EMC Isilon cluster data and then upload the
data.
The remote support scripts based on the Isilon isi diagnostics gather start,
and isi diagnostics netlogger tools are located in the /ifs/data/
Isilon_Support/ directory on each node.

Note

The isi diagnostics gather, and isi diagnostics netlogger commands

replace the isi gather info command.

Additionally, isi_phone_home, a tool that focuses on cluster- and node-specific

data, is enabled if ESRS is enabled. This tool is pre-set to send information about a

Remote support scripts 167

Serviceability

cluster to Isilon Technical Support on a weekly basis. You can disable or enable
isi_phone_home from the OneFS command-line interface.
The following tables list the data-gathering activities that remote support scripts
perform. At the request of an Isilon Technical Support representative, these scripts
can be run automatically to collect information about the configuration settings and
operations of a cluster. ESRS is used to upload the information to a secure Isilon FTP
site, so that it is available for Isilon Technical Support personnel to analyze. The
remote support scripts do not affect cluster services or data availability.

Table 3 Commands and subcommands for isi diagnostics gather

Command Description
isi diagnostics gather start Begins the collection, and uploads all recent
cluster log information.

isi diagnostics gather stop Stops the collection of cluster information.

isi diagnostics gather status Provides the cluster status.

isi diagnostics gather view View the information.

isi diagnostics gather settings Clear the value of the FTP host for which to
modify--clear ftp host upload.

isi diagnostics gather settings Clear the value for FTP users password.
modify--clear ftp pass

isi diagnostics gather settings Clear the value for path on FTP server for the
modify--clear ftp path upload.

isi diagnostics gather settings Clear the value for proxy server for FTP.
modify--clear ftp proxy

isi diagnostics gather settings Clear the value for port for proxy server for
modify--clear ftp proxy port FTP.

isi diagnostics gather settings Clear the value for FTP user.
modify--clear ftp ftp user

isi diagnostics gather settings Clear the value for HTTP host to upload to.
modify--clear http host

isi diagnostics gather settings Clear the value for path for the upload.
modify--clear htttp path

isi diagnostics gather settings Clear the value for proxy to use for HTTP
modify--clear htttp proxy upload.

isi diagnostics gather settings Clear the value for proxy port to use for HTTP
modify--clear htttp proxy port Upload.

isi diagnostics gather settings Use ESRS for gather upload.

modify--esrs

isi diagnostics gather settings Use the FTP host to upload to.
modify --ftp-host

isi diagnostics gather settings The FTP users password.

modify --ftp-pass

isi diagnostics gather settings The path on FTP server for the upload.
modify --ftp-path

168 OneFS 8.1.2 Security Configuration Guide

 Serviceability

Table 3 Commands and subcommands for isi diagnostics gather (continued)

Command Description
isi diagnostics gather settings Proxy server for FTP.
modify --ftp-proxy

isi diagnostics gather settings The port for proxy server for FTP.
modify --ftp-proxy-port

isi diagnostics gather settings Whether or not to use FTP upload on

modify --ftp-upload completed gather.

isi diagnostics gather settings The FTP user.

modify --ftp-user

isi diagnostics gather settings Type of gather: incremental, or full.

modify --ftp-gather-mode

isi diagnostics gather settings Display help for this command.

modify--help

isi diagnostics gather settings The HTTP host to upload to.

modify --http-host

isi diagnostics gather settings The path for the upload.

modify --http-path

isi diagnostics gather settings The proxy to use for HTTP upload.
modify --http-proxy

isi diagnostics gather settings The proxy port to use for HTTP Upload.
modify --http-proxy-port

isi diagnostics gather settings Whether or not to use HTTP upload on

modify --http-upload completed gather.

isi diagnostics gather settings Enable gather upload.

modify --upload

Table 4 Commands and subcommands for isi diagnostics netlogger

Command Description
isi diagnostics netlogger start Starts the netlogger process.

isi diagnostics netlogger stop Stops the netlogger process if it is running.

isi diagnostics netlogger status Provides the netlogger status.

isi diagnostics netlogger view View the netlogger capture files.

isi diagnostics netlogger Client IP address or addresses for which to

settings modify --clients filter.

isi diagnostics netlogger The number of capture files to keep after they
settings modify --count reach the duration limit. Defaults to the last 3
files.

isi diagnostics netlogger How long to run the capture before rotating
settings modify --duration the capture file. The default is10 minutes.

Remote support scripts 169

Serviceability

Table 4 Commands and subcommands for isi diagnostics netlogger (continued)

Command Description
isi diagnostics netlogger Displays help for this command.
settings modify --help

isi diagnostics netlogger Specify the network interfaces on which to

settings modify --interfaces capture.

isi diagnostics netlogger List of nodes on which to run capture.

settings modify --nodelist

isi diagnostics netlogger TCP or UDP port or ports for which to filter.
settings modify --ports

isi diagnostics netlogger Protocols to filter: TCP, UDP, IP, ARP.

settings modify --protocols

isi diagnostics netlogger Specify how much of the packet to display.

settings modify --snaplength The default is 320 bytes, a 0 value shows all
of the packet.

Table 5 Cluster information scripts

Action Description
Clean watch folder Clears the contents of /var/crash.

Get application data Collects and uploads information about

OneFS application programs.

Generate dashboard file daily Generates daily dashboard information.

Generate dashboard file sequence Generates dashboard information in the

sequence that it occurred.

Get ABR data (as built record) Collects as-built information about
hardware.

Get ATA control and GMirror status Collects system output and invokes a
script when it receives an event that
corresponds to a predetermined
eventid.
Get cluster data Collects and uploads information about
overall cluster configuration and
operations.

Get cluster events Gets the output of existing critical

events and uploads the information.

Get cluster status Collects and uploads cluster status

details.

Get contact info Extracts contact information and

uploads a text file that contains it.

Get contents (var/crash) Uploads the contents of /var/crash.

Get job status Collects and uploads details on a job that

is being monitored.

170 OneFS 8.1.2 Security Configuration Guide

 Serviceability

Table 5 Cluster information scripts (continued)

Action Description
Get domain data Collects and uploads information about
the cluster’s Active Directory Services
(ADS) domain membership.

Get file system data Collects and uploads information about

the state and health of the OneFS /
ifs/ file system.

Get IB data Collects and uploads information about

the configuration and operation of the
InfiniBand back-end network.

Get logs data Collects and uploads only the most

recent cluster log information.

Get messages Collects and uploads active /var/log/

messages files.

Get network data Collects and uploads information about

cluster-wide and node-specific network
configuration settings and operations.

Get NFS clients Runs a command to check if nodes are

being used as NFS clients.

Get node data Collects and uploads node-specific

configuration, status, and operational
information.

Get protocol data Collects and uploads network status

information and configuration settings
for the NFS, SMB, HDFS, FTP, and
HTTP protocols.

Get Pcap client stats Collects and uploads client statistics.

Get readonly status Warns if the chassis is open and uploads

a text file of the event information.

Get usage data Collects and uploads current and

historical information about node
performance and resource usage.

Enable and configure ESRS

You can enable support for, and configure EMC Secure Remote Services (ESRS) on
an Isilon cluster in the OneFS Web UI.
Before you begin
The OneFS software must have a signed license before you can enable and configure
ESRS.
Also, ESRS gateway server 3.x must be installed and configured before you can enable
ESRS for OneFS 8.1 on an Isilon cluster. The IP address pools that handle gateway
connections must exist in the system and must belong to a subnet under groupnet0,
which is the default system groupnet.

Enable and configure ESRS 171

Serviceability

Procedure
1. Click Cluster Management > General Settings > Remote Support.
2. To enable ESRS, click Enable ESRS.
Figure 4 ESRS Web UI

3. If your OneFS license is unsigned, click Update license now and follow the
instructions in Licensing.
Figure 5 unsigned license warning

When you have a signed OneFS license added, you can enable and configure
ESRS.

172 OneFS 8.1.2 Security Configuration Guide

 Serviceability

4. Click the Enable ESRS gateway support check box.

Figure 6 Edit ESRS Settings

The Settings window opens.

Figure 7 ESRS settings

5. In the Primary ESRS Gateway Server field, type an IPv4 address or the name
of the primary gateway server.

Enable and configure ESRS 173

Serviceability

6. In the Secondary ESRS Gateway Server field, type an IPv4 address or the
name of the secondary gateway server.
7. To move IP address pools between the Available Pools and Selected Pools
lists, click the Add or Remove arrows in the Gateway Access Pools section.
The Available Pools list only displays IP address pools that belong to a subnet
under groupnet0, which is the default system groupnet. Choose pools that
contain IPv4 address ranges.
8. To specify that event notifications must be sent to a fail over SMTP address if
ESRS transmission fails, select Use SMTP if ESRS transmission fails.
The SMTP address is configured at Cluster Management > General Settings >
Email Settings.
9. To send an alert to a customer email address if ESRS transmission fails, select
Send email if ESRS transmission fails.
The email address is configured at Cluster Management > General Settings >
Cluster Identity.
10. To save the settings, and close the window click Save Changes.

174 OneFS 8.1.2 Security Configuration Guide

CHAPTER 13
Antivirus

This section contains the following topics:

l Antivirus overview............................................................................................ 176

l On-access scanning..........................................................................................176
l Antivirus policy scanning................................................................................... 177
l Individual file scanning...................................................................................... 177
l Antivirus scan reports....................................................................................... 177
l ICAP servers..................................................................................................... 177
l Antivirus threat responses................................................................................ 178
l Configuring antivirus.........................................................................................179

Antivirus 175
Antivirus

Antivirus overview
You can scan the files you store on an Isilon cluster for computer viruses, malware,
and other security threats by integrating with third-party scanning services through
the Internet Content Adaptation Protocol (ICAP).
OneFS sends files through ICAP to a server running third-party antivirus scanning
software. These servers are referred to as ICAP servers. ICAP servers scan files for
viruses.
After an ICAP server scans a file, it informs OneFS of whether the file is a threat. If a
threat is detected, OneFS informs system administrators by creating an event,
displaying near real-time summary information, and documenting the threat in an
antivirus scan report. You can configure OneFS to request that ICAP servers attempt
to repair infected files. You can also configure OneFS to protect users against
potentially dangerous files by truncating or quarantining infected files.
Before OneFS sends a file to be scanned, it ensures that the scan is not redundant. If
a file has already been scanned and has not been modified, OneFS will not send the file
to be scanned unless the virus database on the ICAP server has been updated since
the last scan.

Note

Antivirus scanning is available only on nodes in the cluster that are connected to the
external network.

On-access scanning
You can configure OneFS to send files to be scanned before they are opened, after
they are closed, or both. This can be done through file access protocols such as SMB,
NFS, and SSH. Sending files to be scanned after they are closed is faster but less
secure. Sending files to be scanned before they are opened is slower but more secure.
If OneFS is configured to ensure that files are scanned after they are closed, when a
user creates or modifies a file on the cluster, OneFS queues the file to be scanned.
OneFS then sends the file to an ICAP server to be scanned when convenient. In this
configuration, users can always access files without any delay. However, it is possible
that after a user modifies or creates a file, a second user might access the file before
the file is scanned. If a virus was introduced to the file from the first user, the second
user will be able to access the infected file. Also, if an ICAP server is unable to scan a
file, the file will still be accessible to users.
If OneFS ensures that files are scanned before they are opened, when a user attempts
to download a file from the cluster, OneFS first sends the file to an ICAP server to be
scanned. The file is not sent to the user until the scan is complete. Scanning files
before they are opened is more secure than scanning files after they are closed,
because users can access only scanned files. However, scanning files before they are
opened requires users to wait for files to be scanned. You can also configure OneFS to
deny access to files that cannot be scanned by an ICAP server, which can increase the
delay. For example, if no ICAP servers are available, users will not be able to access
any files until the ICAP servers become available again.
If you configure OneFS to ensure that files are scanned before they are opened, it is
recommended that you also configure OneFS to ensure that files are scanned after
they are closed. Scanning files as they are both opened and closed will not necessarily
improve security, but it will usually improve data availability when compared to

176 OneFS 8.1.2 Security Configuration Guide

 Antivirus

scanning files only when they are opened. If a user wants to access a file, the file may
have already been scanned after the file was last modified, and will not need to be
scanned again if the ICAP server database has not been updated since the last scan.

Antivirus policy scanning

Using the OneFS Job Engine, you can create antivirus scanning policies that send files
from a specified directory to be scanned. Antivirus policies can be run manually at any
time, or configured to run according to a schedule.
Antivirus policies target a specific directory on the cluster. You can prevent an
antivirus policy from sending certain files within the specified root directory based on
the size, name, or extension of the file. On-access scans also support filtering by size,
name, and extensions, using the isi antivirus settings command. Antivirus
policies do not target snapshots. Only on-access scans include snapshots.

Individual file scanning

You can send a specific file to an ICAP server to be scanned at any time.
If a virus is detected in a file but the ICAP server is unable to repair it, you can send
the file to the ICAP server after the virus database had been updated, and the ICAP
server might be able to repair the file. You can also scan individual files to test the
connection between the cluster and ICAP servers.

Antivirus scan reports

OneFS generates reports about antivirus scans. Each time that an antivirus policy is
run, OneFS generates a report for that policy. OneFS also generates a report every 24
hours that includes all on-access scans that occurred during the day.
Antivirus scan reports contain the following information:
l The time that the scan started.
l The time that the scan ended.
l The total number of files scanned.
l The total size of the files scanned.
l The total network traffic sent.
l The network throughput that was consumed by virus scanning.
l Whether the scan succeeded.
l The total number of infected files detected.
l The names of infected files.
l The threats associated with infected files.
l How OneFS responded to detected threats.

ICAP servers
The number of ICAP servers that are required to support an Isilon cluster depends on
how virus scanning is configured, the amount of data a cluster processes, and the
processing power of the ICAP servers.
If you intend to scan files exclusively through antivirus scan policies, it is
recommended that you have a minimum of two ICAP servers per cluster. If you intend

Antivirus policy scanning 177

Antivirus

to scan files on access, it is recommended that you have at least one ICAP server for
each node in the cluster.
If you configure more than one ICAP server for a cluster, it is important to ensure that
the processing power of each ICAP server is relatively equal. OneFS distributes files to
the ICAP servers on a rotating basis, regardless of the processing power of the ICAP
servers. If one server is significantly more powerful than another, OneFS does not
send more files to the more powerful server.

CAUTION

When files are sent from the cluster to an ICAP server, they are sent across the
network in cleartext. Make sure that the path from the cluster to the ICAP server
is on a trusted network. In addition, authentication is not supported. If
authentication is required between an ICAP client and ICAP server, hop-by-hop
Proxy Authentication must be used.

Antivirus threat responses

You can configure the system to repair, quarantine, or truncate any files that the ICAP
server detects viruses in.
OneFS and ICAP servers react in one or more of the following ways when threats are
detected:
Alert
All threats that are detected cause an event to be generated in OneFS at the
warning level, regardless of the threat response configuration.

Repair
The ICAP server attempts to repair the infected file before returning the file to
OneFS.

Quarantine
OneFS quarantines the infected file. A quarantined file cannot be accessed by any
user. However, a quarantined file can be removed from quarantine by the root
user if the root user is connected to the cluster through secure shell (SSH). If you
back up your cluster through NDMP backup, quarantined files will remain
quarantined when the files are restored. If you replicate quarantined files to
another Isilon cluster, the quarantined files will continue to be quarantined on the
target cluster. Quarantines operate independently of access control lists (ACLs).

Truncate
OneFS truncates the infected file. When a file is truncated, OneFS reduces the
size of the file to zero bytes to render the file harmless.

You can configure OneFS and ICAP servers to react in one of the following ways when
threats are detected:
Repair or quarantine
Attempts to repair infected files. If an ICAP server fails to repair a file, OneFS
quarantines the file. If the ICAP server repairs the file successfully, OneFS sends
the file to the user. Repair or quarantine can be useful if you want to protect
users from accessing infected files while retaining all data on a cluster.

178 OneFS 8.1.2 Security Configuration Guide

 Antivirus

Repair or truncate
Attempts to repair infected files. If an ICAP server fails to repair a file, OneFS
truncates the file. If the ICAP server repairs the file successfully, OneFS sends
the file to the user. Repair or truncate can be useful if you do not care about
retaining all data on your cluster, and you want to free storage space. However,
data in infected files will be lost.

Alert only
Only generates an event for each infected file. It is recommended that you do not
apply this setting.

Repair only
Attempts to repair infected files. Afterwards, OneFS sends the files to the user,
whether or not the ICAP server repaired the files successfully. It is recommended
that you do not apply this setting. If you only attempt to repair files, users will still
be able to access infected files that cannot be repaired.

Quarantine
Quarantines all infected files. It is recommended that you do not apply this
setting. If you quarantine files without attempting to repair them, you might deny
access to infected files that could have been repaired.
Truncate
Truncates all infected files. It is recommended that you do not apply this setting.
If you truncate files without attempting to repair them, you might delete data
unnecessarily.

Configuring antivirus
You can create antivirus policies, configure settings, and manage antivirus scans and
reports.
See the OneFS Web Administration Guide or the OneFS CLI Administration Guide for
more information about antivirus and additional antivirus management tasks.

Enable or disable antivirus scanning

You can enable or disable all antivirus scanning.
This procedure is available only through the web administration interface.
Procedure
1. Click Data Protection > Antivirus > Summary.
2. In the Service area, select or clear Enable Antivirus service.

Exclude files from antivirus scans

You can exclude files from antivirus scans.

Note

The settings listed in this section apply to all antivirus scans. All settings apply to on-
access scanning only, and policy scan settings are per-policy under the Policy tab.

Configuring antivirus 179

Antivirus

Procedure
1. Click Data Protection > Antivirus > Settings.
2. (Optional) To exclude files based on file size, in the Maximum File Scan Size
area, specify the largest file size you want to scan.
3. To exclude files based on file name, perform the following steps:
a. Select Enable filters.
b. In the Filter Matching area, specify whether you want to scan all files that
match a specified filter or all files that do not match a specified filter.
c. Specify one or more filters.
a. Click Add Filters.
b. Specify the filter.
You can include the following wildcard characters:

Wildcard character Description

* Matches any string in place of the
asterisk. For example, specifying m*
would match movies and m123.

[ ] Matches any characters contained in

the brackets, or a range of characters
separated by a dash.
For example, specifying b[aei]t
would match bat, bet, and bit.
For example, specifying 1[4-7]2
would match 142, 152, 162, and
172.
You can exclude characters within
brackets by following the first bracket
with an exclamation mark.
For example, specifying b[!ie] would
match bat but not bit or bet.
You can match a bracket within a
bracket if it is either the first or last
character.
For example, specifying [[c]at would
match cat and [at.
You can match a dash within a bracket
if it is either the first or last character.
For example, specifying car[-s]
would match cars and car-.

? Matches any character in place of the

question mark.
For example, specifying t?p would
match tap, tip, and top.

c. Click Add Filters.

180 OneFS 8.1.2 Security Configuration Guide

 Antivirus

4. Click Save Changes.

Configure on-access scanning settings

You can configure OneFS to automatically scan files as they are accessed by users.
On-access scans operate independently of antivirus policies.
Procedure
1. Click Data Protection > Antivirus > Settings.
2. In the On-Access Scans area, specify whether you want files to be scanned as
they are accessed.
l To require that all files be scanned before they are opened by a user, select
Enable scan of files on open, and then specify whether you want to allow
access to files that cannot be scanned by selecting or clearing Enable file
access when scanning fails.
l To scan files after they are closed, select Enable scan of files on close.
3. In the All Scans area, in the Path Prefixes field, specify the directories that
you want to apply on-access settings to.
4. Click Save Changes.

Configure antivirus threat response settings

You can configure how OneFS responds to detected threats.
Procedure
1. Click Data Protection > Antivirus > Settings.
2. In the Action On Detection area, specify how you want OneFS to react to
potentially infected files.

Configure antivirus report retention settings

You can configure how long OneFS retains antivirus reports before automatically
deleting them.
Procedure
1. Click Data Protection > Antivirus > Settings.
2. In the Reports area, specify how long you want OneFS to keep reports.

Add and connect to an ICAP server

You can add and connect to an ICAP server. After a server is added, OneFS can send
files to the server to be scanned for viruses.
Procedure
1. Click Data Protection > Antivirus > ICAP Servers.
2. In the ICAP Servers area, click Add an ICAP Server.
3. (Optional) To enable the ICAP server, click Enable ICAP Server.
4. In the Create ICAP Server dialog box, in the ICAP Server URL field, type the
IPv4 or IPv6 address of an ICAP server.
5. (Optional) To add a description of the server, type text into the Description
field.

Configure on-access scanning settings 181

Antivirus

6. Click Add Server.

Create an antivirus policy

You can create an antivirus policy that causes specific files to be scanned for viruses
each time the policy is run.
Procedure
1. Click Data Protection > Antivirus > Policies.
2. Click Create an Antivirus Policy.
3. (Optional) To enable the policy, click Enable antivirus policy.
4. In the Policy Name field, type a name for the antivirus policy.
5. (Optional) To specify an optional description of the policy, in the Description
field, type a description.
6. In the Paths field, specify the directory that you want to scan.
Optionally, click Add another directory path to specify additional directories.
7. In the Recursion Depth area, specify how much of the specified directories you
want to scan.
l To scan all subdirectories of the specified directories, click Full recursion.
l To scan a limited number of subdirectories of the specified directories, click
Limit depth and then specify how many sub directories you want to scan.
8. (Optional) To scan all files regardless of whether OneFS has marked files as
having been scanned, or if global settings specify that certain files should not be
scanned, select Enable force run of policy regardless of impact policy.
9. (Optional) To modify the default impact policy of the antivirus scans, from the
Impact Policy list, select a new impact policy.
10. In the Schedule area, specify whether you want to run the policy according to a
schedule or manually.
Scheduled policies can also be run manually at any time.

Option Description
Run the policy only manually. Click Manual
Run the policy according to a a. Click Scheduled.
schedule.
b. Specify how often you want the policy
to run.

11. Click Create Policy.

Scan a file
You can manually scan an individual file for viruses.
Procedure
1. Run the isi antivirus scan command.

182 OneFS 8.1.2 Security Configuration Guide

 Antivirus

The following command scans the /ifs/data/virus_file file for viruses:

isi antivirus scan /ifs/data/virus_file

Manually quarantine a file

You can quarantine a file to prevent the file from being accessed by users.
Procedure
1. Click Data Protection > Antivirus > Detected Threats.
2. In the Antivirus Threat Reports table, in the row of a file, click More >
Quarantine File .

Manually truncate a file

If a threat is detected in a file, and the file is irreparable and no longer needed, you can
manually truncate the file.
This procedure is available only through the command-line interface (CLI).
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the truncate command on a file.
The following command truncates the /ifs/data/virus_file file:

truncate -s 0 /ifs/data/virus_file

Manually quarantine a file 183

Antivirus

184 OneFS 8.1.2 Security Configuration Guide

CHAPTER 14
Security best practices

This section contains the following topics:

l Overview.......................................................................................................... 186
l Persistence of security settings .......................................................................186
l General cluster security best practices.............................................................188
l Best practices for login, authentication, and privileges..................................... 196
l SNMP security best practices.......................................................................... 201
l SSH security best practices............................................................................. 202
l Best practices for data-access protocols.........................................................209
l Web interface security best practices...............................................................217

Security best practices 185

Security best practices

Overview
This chapter provides suggestions and recommendations to help administrators
maximize security on Isilon clusters. Consider these recommendations in the context
of your specific business policies and use cases.
Root-level privileges are required to perform many of the procedures. However, this
chapter also includes procedures to use the following options instead:
l Restrict the root account and use an RBAC account with root privileges
l Restrict the root account and use the sudo command with privilege elevation
If a procedure requires you to "log in as root," it is assumed that you will log in using a
business-authorized privileged account, whether it be root, an RBAC account with
root privileges, or sudo.

Note
Ensure that you have the latest security patches installed. For more information, see
the Current Isilon OneFS Patches document on the Customer support site.

Persistence of security settings

Some of these best practice configurations do not persist after OneFS is upgraded,
and might not persist after a patch for OneFS is applied. For best results, keep track
which best practices you implement, so that if the settings do not persist, you can
configure them again.
The following table lists each of the best practices that are described in this chapter,
and a column stating whether the changed setting persists after an upgrade or patch.
You can use the last column of the table as a checklist to track which security settings
you implement on the cluster.

Security setting Persists after Implemented

a OneFS on cluster?
upgrade or
patch?
General cluster best practices

Create a login message Yes

Set a timeout for idle CLI sessions Yes

Set a timeout for idle SSH sessions Yes

Forward audited events to a remote server Yes

Disable OneFSservices that are not in use Yes

Configure WORM directories using SmartLock Yes

Specify an NTP time server Yes

Best practices for login, authentication, and privileges

Assign RBAC access and privileges Yes

186 OneFS 8.1.2 Security Configuration Guide

 Security best practices

Security setting Persists after Implemented

a OneFS on cluster?
upgrade or
patch?
Privilege elevation: Assign select root-level Yes
privileges to non-root users

Restrict authentication by external providers Yes

Replace the TLS certificate Yes

SNMP best practices

Use SNMPv3 for cluster monitoring Yes

Disable SNMP Yes

SSH best practices

General SSH hardening Yes

Restrict SSH access to specific users and groups Yes

Restrict SSH access to specific IP addresses Yes

Disable root SSH access to the cluster Yes

Best practices for data-access protocols

Disable FTP access Yes

Delete the default /ifs SMB share Yes

Limit access to SMB shares Yes

Disable SMB access Yes

Enable SMB signing for all connections Yes

Enable SMB signing for the control path only Yes

Delete the default /ifs NFS export Yes

Limit access to NFS exports Yes

Disable NFS access Yes

Limit HDFS access to specific access zones Yes

Disable HDFS access Yes

Disable Swift access Yes

Limit HTTP access Yes

Disable HTTP access Yes

Web interface security best practices

Limit web interface access to specific IP Check and

addresses reapply the
setting if
necessary.

Secure the web interface headers Check and

reapply the

Persistence of security settings 187

Security best practices

Security setting Persists after Implemented

a OneFS on cluster?
upgrade or
patch?
setting if
necessary.

Accept up-to-date versions of TLS in the web Check and

interface reapply the
setting if
necessary.

General cluster security best practices

The following general security recommendations can be applied to any cluster.

Create a login message

The login message appears as a separate box on the login page of the OneFS web
administration interface, and also as the last line of introductory text on the
command-line interface after a user logs in. The login message can convey
information, instructions, or warnings that a user should know before using the
cluster.
Procedure
1. On the OneFS web administration interface, click Cluster Management >
General Settings > Cluster Identity.
2. (Optional) In the Login Message area, type a title in the Message Title field
and a message in the Message Body field.
3. Click Save Changes.

Set a timeout for idle CLI sessions (CLI)

The timeout value is the maximum period after which a user's inactive CLI session is
terminated. This timeout applies to both SSH connections and serial console
connections that are running in the bash, rbash, ksh, and zsh shells.
For additional security, it is recommended that you also configure an idle SSH session
timeout (see the Set a timeout for idle SSH sessions section of this guide). If you
configure both timeouts, the shorter timeout applies to SSH sessions only.

Note

These changes take effect for all new shell logins for all existing and new users. Users
who are logged in while these changes are being made will not be affected by these
changes until they log out and log in again.

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.

188 OneFS 8.1.2 Security Configuration Guide

 Security best practices

2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Check whether the /etc/profile file exists on every node in the cluster:

isi_for_array 'test -f /etc/profile || echo /etc/profile \

missing on node `hostname`'

If the file exists on every node in the cluster, there is no output. If the file does
not exist on every node, the output displays which nodes do not contain the file.
5. Perform one of the following actions:
l If the file exists on every node in the cluster, run the following two
commands to make a working copy and a backup copy in the /ifs/data/
backup directory:

cp /etc/profile /ifs/data/backup/profile

cp /etc/profile /ifs/data/backup/profile.bak

Note

If a file with the name profile.bak exists in the backup directory, either
overwrite the existing file, or, to save the old backups, rename the new file
with a timestamp or other identifier.
l If the file does not exist on every node in the cluster, the integrity of the
OneFS installation is in doubt. Stop here and contact Isilon Technical
Support to check the OneFS installation on the node. This file is part of a
normal installation and it is important to understand how and why it was
removed.
6. Open the /ifs/data/backup/profile file in a text editor.
7. Add the following lines at the end of the file, after the # End Isilon entry.
Replace <seconds> with the timeout value in seconds. For example, a 10-minute
timeout would be 600 seconds.

# Begin Security Best Practice

# Set shell idle timeout to <seconds> seconds
TMOUT=<seconds>
export TMOUT
readonly TMOUT
# End Security Best Practice

8. Confirm that the changes are correct. Then save the file and exit the text
editor.

Set a timeout for idle CLI sessions (CLI) 189

Security best practices

9. Check whether the /etc/zprofile file exists, and then do one of the
following things:
l If the file exists, run the following two commands to make a working copy
and a backup copy in the /ifs/data/backup directory:

cp /etc/zprofile /ifs/data/backup/zprofile

cp /etc/zprofile /ifs/data/backup/zprofile.bak

Note

If a file with the name zprofile.bak exists in the backup directory, either
overwrite the existing file, or, to save the old backups, rename the new file
with a timestamp or other identifier.
l If the file does not exist, create it in the /ifs/data/backup directory:

touch /ifs/data/backup/zprofile

10. Open the /ifs/data/backup/zprofile file in a text editor.

11. Add the same lines that you added to the /ifs/data/backup/profile file,
where <seconds> is the timeout value in seconds. Add these lines at the very
end of the file:

# Begin Security Best Practice

# Set shell idle timeout to <seconds> seconds
TMOUT=<seconds>
export TMOUT
readonly TMOUT
# End Security Best Practice

12. Confirm that the changes are correct. Then save the file and exit the text
editor.
13. Set the permissions on both files to 644 by running the following command:

chmod 644 /ifs/data/backup/profile /ifs/data/backup/zprofile

14. Run the following two commands to copy the two files to the /etc directory on
all of the nodes in the cluster:

isi_for_array 'cp /ifs/data/backup/profile /etc/profile'

isi_for_array 'cp /ifs/data/backup/zprofile /etc/zprofile

190 OneFS 8.1.2 Security Configuration Guide

 Security best practices

15. (Optional) Delete the working and backup copies from the /ifs/data/
backup directory:

rm /ifs/data/backup/profile /ifs/data/backup/profile.bak \
/ifs/data/backup/zprofile /ifs/data/backup/zprofile.bak

Set a timeout for idle SSH sessions (CLI)

The timeout value is the maximum period after which a user's inactive SSH session is
terminated.
If you are connected to the cluster through a serial console, the SSH timeout does not
apply. Therefore, it is recommended that you also configure an idle CLI session
timeout for additional security. For instructions, see the Set a timeout value for idle CLI
sessions section of this guide.

Note

If you configure both timeouts, the shorter timeout applies to SSH sessions only.

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Make a working copy of the /etc/mcp/templates/sshd_config file in the

backup directory:

cp /etc/mcp/templates/sshd_config /ifs/data/backup/

5. Make a backup copy of the /etc/mcp/templates/sshd_config file in the

backup directory:

cp /etc/mcp/templates/sshd_config \
/ifs/data/backup/sshd_config.bak

Note

If a file with the same name exists in the backup directory, either overwrite the
existing file, or, to save the old backups, rename the new file with a timestamp
or other identifier.

Set a timeout for idle SSH sessions (CLI) 191

Security best practices

6. Open the /ifs/data/backup/sshd_config file in a text editor.

7. Find the existing KeepAlive line and edit it as shown here. Then add two new
lines directly below that line, as shown, where <seconds> is the timeout value in
seconds. For example, to configure a 10-minute timeout, the number of seconds
would be 600. Enclose these three lines with # Begin Security Best
Practice and # End Security Best Practice.

# Begin Security Best Practice

KeepAlive no
ClientAliveInterval <seconds>
ClientAliveCountMax 0
# End Security Best Practice

8. Confirm that the changes are correct. Then save the file and exit the text
editor.
9. Copy the updated file to the /etc/mcp/templates directory on all nodes:

isi_for_array 'cp /ifs/data/backup/sshd_config \

/etc/mcp/templates/sshd_config'

10. (Optional) Delete the working and backup copies from the /ifs/data/
backup directory:

rm /ifs/data/backup/sshd_config \
/ifs/data/backup/sshd_config.bak

11. Restart the sshd service by running the following command:

Note

Restarting the sshd service disconnects all current SSH connections to the
cluster. To minimize the potential impact, coordinate this activity with other
cluster administrators.

isi_for_array 'killall -HUP sshd'

Forward audited events to remote server

We strongly recommend that you use the auditing and audit forwarding capabilities in
OneFS. Auditing can detect many potential sources of data loss, including fraudulent
activities, inappropriate entitlements, and unauthorized access attempts. Forwarding
audited events to a remote server has the following security benefits:
l You can scan the data for security issues on the remote server and avoid
interfering with cluster operation or performance.
l You can send syslog output from multiple locations to the same remote server, and
run scanning software on all of the logs in one location. This may be easier and
more convenient than trying to run scanning software on the cluster.
l When hackers access a system such as an Isilon cluster, they try to erase their
tracks. If audit information is forwarded to a remote server, the audit trail on the

192 OneFS 8.1.2 Security Configuration Guide

 Security best practices

remote server is preserved, making identification and containment of the breach

faster and easier.
l If the cluster node that contains the syslog events fails, you can still access the
information that was forwarded to the remote server for diagnosis and
troubleshooting.

Instructions for forwarding audited events to a remote server

To forward protocol access auditing and system configuration changes to a remote
server, you must enable auditing, enable the forwarding of audited events to syslog,
and configure syslog forwarding on the cluster.
Procedure
1. Enable auditing. For instructions, see the following sections of this guide:
l Enable protocol access auditing
l Enable system configuration auditing

2. Enable forwarding of the audit logging to syslog. For instructions, see the
following sections of this guide:
l Forward protocol access events to syslog
l Forward system configuration changes to syslog

3. Configure syslog forwarding on the cluster. For instructions, see OneFS: How
to configure remote logging from a cluster to a remote server (syslog
forwarding).

Firewall security
Use an external firewall to limit access to the cluster to only those trusted clients and
servers that require access. Allow restricted access only to ports that are required for
communication. Block access to all other ports.
We recommend that you limit access to the cluster web administration interface to
specific administrator terminals via IP address, or isolate web-based access to a
specific management network.
See the Network port usage section of this guide for more information about all of the
ports on the Isilon cluster.

Disable OneFS services that are not in use

OneFS has a number of services that are safe to disable when they are not in use.
See the OneFS Services section of this guide for a list of all of the services that should
be disabled when they are not in use, and instructions for disabling them.

Firewall security 193

Security best practices

Configure WORM directories using SmartLock

Use the SmartLock feature to create write-once read-many (WORM) directories to
protect files from being modified for a specified retention period.

Note

WORM file access does not protect against hardware or file system issues. If the data
on the cluster becomes unavailable, the WORM files are also unavailable. Therefore,
we recommend that you additionally back up the cluster data to separate physical
devices.

Back up cluster data

OneFS offers a range of options to preserve user and application data in the event of
accidental or malicious modification, deletion, or encryption (for example, through a
ransomware attack).
We strongly recommend that you use local snapshots, plus either SyncIQ replication
or NDMP backups, to protect data in case it becomes compromised.

Option Required Description

license
Replication SyncIQ Replicate data from one Isilon cluster to another. You
to a can specify which files and directories to replicate.
secondary SyncIQ also offers automated failover and failback
Isilon cluster capabilities so that you can continue operations on the
secondary cluster should the primary cluster become
unavailable. While this option does not make the data
more secure, it does provide a backup if the data is
compromised or lost.
It is recommended that the secondary cluster be
located in a different geographical area from the
primary cluster to protect against physical disasters. It
is also recommended that the secondary cluster have a
different password from the primary cluster in case the
primary cluster is compromised.

NDMP None Back up and restore data through the Network Data
backups Management Protocol (NDMP). From a backup server,
you can direct backup and restore processes between
the cluster and backup devices such as tape devices,
media servers, and virtual tape libraries (VTLs). While
this option does not make the original data more
secure, it does provide a backup if the data is
compromised or lost.
It is recommended that the external backup system be
located in a different geographical area from the Isilon
cluster to protect against physical disasters.

Local SnapshotIQ Snapshots protect data against accidental deletion and

snapshots modification by enabling you to restore deleted and
modified files.

194 OneFS 8.1.2 Security Configuration Guide

 Security best practices

Option Required Description

license
Snapshots do not protect against hardware or file
system issues. Snapshots reference data that is stored
on a cluster. If the data on the cluster becomes
unavailable, the snapshots are also unavailable.
Therefore, it is recommended that you additionally back
up the cluster data to separate physical devices.

Use NTP time

Network Time Protocol (NTP) is recommended as the most consistent source for
cluster time. In a Windows environment, it is strongly recommended to use the Active
Directory Domain Control NTP service.
Use the OneFS web administration interface to configure NTP time service
synchronization to an external time service. For instructions, see the Specifying an
NTP time server section of this guide.
For additional recommendations for using NTP time with Smartlock directories and
Smartlock compliance mode, see the Replication and backup with Smartlock section of
this guide.

Specify an NTP time server

You can specify one or more Network Time Protocol (NTP) servers to synchronize the
system time on the EMC Isilon cluster. The cluster periodically contacts the NTP
servers and sets the date and time based on the information that it receives.
Procedure
1. Click Cluster Management > General Settings > NTP.
2. In the NTP Servers area, type the IPv4 or IPv6 address of one or more NTP
servers. If you want to use a key file, type the key numbers in the field next to
the server's IP address.
Click Add Another NTP Server if you are specifying multiple servers.
3. (Optional) If you are using a key file for the NTP server, type the file path for
that file in the Path to Key File field.
4. In the Chimer Settings area, specify the number of chimer nodes that contact
NTP servers (the default is 3).
5. To exclude a node from chiming, type its logical node number (LNN) in the
Nodes Excluded from Chiming field.
6. Click Save Changes.

Use NTP time 195

Security best practices

Best practices for login, authentication, and privileges

Following are security best practice recommendations for configuring how users will
log in to the cluster, authenticate, and access privileges.

Restrict root logins to the cluster

A strong security stance entails using the root account as little as possible. You can
use one or more of the following methods to restrict root access to the cluster:
l Use SmartLock compliance mode to completely remove root access to the cluster.
This is the most restrictive method. When you are logged in to a SmartLock
compliance mode cluster through the compliance administrator account, you can
perform administrative tasks through the sudo command. Using the sudo
command provides an audit trail by logging all command activity to /var/log/
auth.log. For more information, see the SmartLock overview section of this
guide.
l Disable root SSH access to the cluster. You can still log in as root using other
methods. See the Disable root SSH access to the cluster section of this guide for
details and instructions.
l Limit the number of people who know the root password by doing one or both of
the following:
n Assign admin users an RBAC role with only the privileges that they require to
do their job. For instructions, see the Roles and Privileges chapter of this guide.
n If an admin user needs greater privileges than the RBAC role can provide, use
privilege elevation to give them select root-level privileges. For instructions,
see the Privilege elevation: Assign select root-level privileges to non-root users
section of this guide.

Use RBAC accounts instead of root

Instead of using the root account, assign roles and privileges to users and groups as
needed by using the role-based access control (RBAC) functionality. The following
RBAC best practices are recommended:
l Ensure that each administrator has a unique user account. Do not allow users to
share accounts.
l For each user and group, assign the lowest level of privileges required. See the
Role-based access and Privileges sections of this guide for more information.
l Use privilege elevation to assign select root-level privileges to specified users as
needed. See the Privilege elevation: Assign select root-level privileges to non-root
users section of this guide for more information.

Privilege elevation: Assign select root-level privileges to non-root users

A root account is necessary for some cluster administrative purposes, but for security
reasons the root privileges should be closely monitored. Instead of providing the root
account to an administrator, you can elevate the administrator's privileges so that
they can run selected root-level commands using sudo. Using the sudo command
also provides an audit trail by logging all command activity to /var/log/auth.log.

196 OneFS 8.1.2 Security Configuration Guide

 Security best practices

Note

This procedure is not intended for use on clusters that are in SmartLock compliance
mode. In SmartLock compliance mode, the compadmin account exists with the correct
sudo infrastructure.

Note

Users who are logged in while these changes are being made will not be affected by
these changes until they log out and log in again.

You can also perform steps 1 - 5 of this procedure by using the OneFS web interface.
See the OneFS Web Administration Guide for instructions.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command to create a group to assign elevated privileges to,
where <groupname> is the name of the group. This group must be in the local
provider and System zone.

isi auth groups create <groupname> --provider local --zone

system

For example, we can create a group named SPECIAL, as follows:

isi auth groups create SPECIAL --provider local --zone system

3. (Optional) Verify that the users that you want to add to the SPECIAL group are
already members of either the SystemAdmin or the SecurityAdmin role. Since
these two roles have strong security privileges, this step ensures that the user
has already been approved for a high level of access. To check whether the user
is a member of the SystemAdmin or SecurityAdmin role, run the following two
commands to list the members of those roles:

isi auth roles members list SystemAdmin

isi auth roles members list SecurityAdmin

4. Run the following command to add a user to the group you will assign elevated
privileges to, where <groupname> is the name of the group and <username> is
the name of the user that you want to add:

isi auth groups modify <groupname> –-add-user <username>

For example, to add a user named bob to the SPECIAL group, the command
would be:

isi auth groups modify SPECIAL –-add-user bob

Privilege elevation: Assign select root-level privileges to non-root users 197

Security best practices

5. Run the following command to confirm that the user has been added to the
group:

isi auth groups members list <groupname>

6. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

7. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

8. Make a working copy of the /etc/mcp/override/sudoers file in the

backup directory:

cp /etc/mcp/override/sudoers /ifs/data/backup

9. Make a backup copy of the /etc/mcp/override/sudoers file in the backup

directory:

cp /etc/mcp/override/sudoers /ifs/data/backup/sudoers.bak

Note

If a file with the same name exists in the backup directory, either overwrite the
existing file, or, to save the old backups, rename the new file with a timestamp
or other identifier.

10. Open the /ifs/data/backup/sudoers file in a text editor.

11. Add the following entry, where <groupname> is the name of the group:

Note

You can make additional changes to this entry as described in the last bullet
below.

# Begin Security Best Practices

%<groupname> ALL=(ALL) PASSWD: PROCESSES, SYSADMIN, ISI,
ISI_ADMIN, \ ISI_SUPPORT, ISI_HWTOOLS, ISI_HARDENING
# End Security Best Practices

For example, for the SPECIAL group, the entry would look like the following:

%SPECIAL ALL=(ALL) PASSWD: PROCESSES, SYSADMIN, ISI,

ISI_ADMIN, \ ISI_SUPPORT, ISI_HWTOOLS, ISI_HARDENING

198 OneFS 8.1.2 Security Configuration Guide

 Security best practices

This entry in the sudoers file provides the following security benefits:
l Requires the user to preface all root-level commands with sudo.
l Requires the user to type the user password the first time that they run a
sudo command in a session, and caches these credentials for five minutes.
After five minutes, the user must re-type the user password to run sudo
commands.
l Assigns a comma-separated list of command sets (called command aliases)
to the group (for example, PROCESSES, SYSADMIN, ISI, and so on). The
command aliases that are listed in the line as written above include all of the
diagnostic and hardware tools available, making the privileges equivalent to
the compadmin role in a SmartLock compliance mode cluster. You can
modify the line to include fewer command aliases, or different command
aliases, to allow only the privileges that you want the group to have. To see
the available command aliases and the lists of commands included in each
alias, review the /etc/mcp/templates/sudoers file.

CAUTION

Do not modify the /etc/mcp/templates/sudoers file.

12. Confirm that the changes are correct. Then save the file and exit the text
editor.
13. Copy the /ifs/data/backup/sudoers file to the /etc/mcp/override/
sudoers file.

cp /ifs/data/backup/sudoers /etc/mcp/override/sudoers

14. To identify the commands that are now available to the user, log in as the user
and run the following command:

sudo -l

The output looks similar to the following. The privileges listed after (ALL)
NOPASSWD are the privileges for the user's assigned RBAC role, and they do not
require the user to re-type the user password to use the privileges. The
commands listed after (ALL) PASSWD are the sudo commands that are
available to the user, and they require the user to type the user password after
typing the command.

Note

If the user's existing RBAC role includes commands that are also granted by
privilege elevation, then the user does not need to re-type the user password to
access these commands.

User bob may run the following commands on this host:

(ALL) NOPASSWD: ISI_PRIV_SYS_TIME, (ALL) /usr/sbin/
isi_upgrade_logs, (ALL)
ISI_PRIV_ANTIVIRUS, (ALL) /usr/sbin/isi_audit_viewer, (ALL)
ISI_PRIV_CLOUDPOOLS, (ALL) ISI_PRIV_CLUSTER, (ALL)
ISI_PRIV_DEVICES, (ALL)
ISI_PRIV_EVENT, (ALL) ISI_PRIV_FILE_FILTER, (ALL)
ISI_PRIV_FTP, (ALL)

Privilege elevation: Assign select root-level privileges to non-root users 199

Security best practices

ISI_PRIV_HARDENING, (ALL) ISI_PRIV_HDFS, (ALL)

ISI_PRIV_HTTP, (ALL)
ISI_PRIV_JOB_ENGINE, (ALL) ISI_PRIV_LICENSE, (ALL)
ISI_PRIV_NDMP, (ALL)
ISI_PRIV_NETWORK, (ALL) ISI_PRIV_NFS, (ALL) ISI_PRIV_NTP,
(ALL)
ISI_PRIV_QUOTA, (ALL) ISI_PRIV_REMOTE_SUPPORT, (ALL)
ISI_PRIV_SMARTPOOLS,
(ALL) ISI_PRIV_SMB, (ALL) ISI_PRIV_SNAPSHOT, (ALL)
ISI_PRIV_SNMP, (ALL)
ISI_PRIV_STATISTICS, (ALL) ISI_PRIV_SWIFT, (ALL)
ISI_PRIV_SYNCIQ, (ALL)
ISI_PRIV_VCENTER, (ALL) ISI_PRIV_WORM
(ALL) PASSWD: /bin/date, /sbin/sysctl, /sbin/shutdown, /bin/
ps,
/usr/sbin/ntpdate, /sbin/ifconfig, /usr/sbin/
newsyslog, /usr/sbin/nfsstat,
/usr/sbin/pciconf, /usr/sbin/tcpdump, (ALL) /usr/bin/
isi_classic,
/usr/bin/isi_for_array, /usr/bin/isi_gconfig, /usr/bin/
isi_job_d,
/usr/bin/isi_vol_copy
15. Verify that everything looks correct.
16. (Optional) Delete the working and backup copies from the /ifs/data/
backup directory:

rm /ifs/data/backup/sudoers /ifs/data/backup/sudoers.bak

Restrict authentication by external providers

OneFS provides certain system-defined accounts for the file provider in the System
zone (also known as the System file provider). OneFS relies on the identity of these
system-defined accounts to ensure normal cluster functionality and security. The
identity includes the UID, GID, shell, passwords, privileges, permissions, and so on.
Problems can arise if an external authentication provider authenticates a user or group
with the same name as one of these system-defined accounts.
The OneFS mapping service consolidates all user or group accounts with the same
name from all authentication providers into a single access token which identifies the
user and controls access to directories and files. For each access zone in OneFS,
there is an ordered list of providers.
When an identity is found in more than one authentication provider, the provider that
comes earliest in the list acts as the source for that identity. If the external provider
comes earlier in the list than the System file provider, then the externally provided
identity "overrides" the system-defined identity. If this happens, unintended users
could gain inappropriate access to the cluster, and appropriate administrators could
lose access to the cluster.
OneFS provides the following cluster management accounts for the System file
provider:
User accounts
l root
l admin
l compadmin
l ftp

200 OneFS 8.1.2 Security Configuration Guide

 Security best practices

l www
l nobody
l insightiq
l remotesupport

Group accounts
l wheel
l admin
l ftp
l guest
l ifs
l nobody

To prevent externally provided identities from overriding the system-defined

identities, use the unfindable-users and unfindable-groups options of the
isi auth ads|ldap|nis CLI command. Run the command for each user or group
account that you do not want to be overridden. These accounts can be in any access
zone, and can include the system-defined accounts that are described here, as well as
accounts that you create.
For details on how to use the commands, see the OneFS CLI Administration Guide.
To view the users and groups that the System file provider manages, click Access >
Membership & Roles. Click either the Users or the Groups tab. Select System from
the Current Access Zone list, and select FILE: System from the Providers list.
Alternatively, you can run one of the following commands on the command-line
interface:

isi auth users list --provider='lsa-file-provider:System'

isi auth groups list --provider='lsa-file-provider:System'

Replace the TLS certificate

Isilon clusters ship with a self-signed TLS certificate. We recommend that you replace
the default TLS certificate with a signed certificate.
For instructions, see the Replacing or renewing the TLS certificate section of this guide.

SNMP security best practices

If you plan to monitor cluster statistics, we recommend that you use SNMPv3. If you
do not plan to monitor cluster statistics, you should disable the SNMP service.

Use SNMPv3 for cluster monitoring

If you plan to monitor cluster statistics, SNMPv3 is recommended. When SNMPv3 is
used, OneFS requires the SNMP-specific security level of AuthNoPriv as the default

Replace the TLS certificate 201

Security best practices

value when querying the EMC Isilon cluster. The security level AuthPriv is not
supported.
For more information about how to configure SNMP, see the OneFS CLI Administration
Guide or the OneFS Web Administration Guide.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Enable SMNPv3 access by running the following command:

isi snmp settings modify --snmp-v3-access=yes

3. (Recommended) Disable SNMPv1 and SNMPv2 access:

isi snmp settings modify --snmp-v1-v2c-access no

Disable SNMP
Disable the SNMP service if SNMP monitoring is not required. Disabling SNMP on the
cluster does not affect the sending of SNMP trap alerts from the cluster to an SNMP
server.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services snmp disable

SSH security best practices

This section provides recommendations for general SSH hardening, restricting SSH
access, and disabling root SSH access to the cluster. You can perform one or more of
these procedures, depending on what is best for your environment.

Perform general SSH hardening

It is generally recommended to deny port tunneling and X11 forwarding over SSH.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

202 OneFS 8.1.2 Security Configuration Guide

 Security best practices

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Make a working copy of the /etc/mcp/templates/sshd_config file in the

backup directory:

cp /etc/mcp/templates/sshd_config /ifs/data/backup

5. Make a backup copy of the sshd_config file in the backup directory:

cp /etc/mcp/templates/sshd_config \
/ifs/data/backup/sshd_config.bak

Note

If a file with the same name exists in the backup directory, either overwrite the
existing file, or, to save the old backups, rename the new file with a timestamp
or other identifier.

6. Open the /ifs/data/backup/sshd_config in a text editor.

7. Delete the following existing X11 forwarding entry:

X11Forwarding yes

8. Add the following lines at the end of the file to deny port tunneling and X11
forwarding:

# Begin Security Best Practice

# Deny port tunneling and disable X11 Forwarding
PermitTunnel no
X11Forwarding no
# End Security Best Practice

9. Confirm that the changes are correct. Then save the file and exit the text
editor.
10. Copy the edited file to the /etc/mcp/templates directory on all of the nodes
in the cluster:

isi_for_array 'cp /ifs/data/backup/sshd_config \

/etc/mcp/templates/sshd_config'

11. (Optional) Delete the working and backup copies from the /ifs/data/
backup directory:

rm /ifs/data/backup/sshd_config \
/ifs/data/backup/sshd_config.bak

Perform general SSH hardening 203

Security best practices

12. Restart the sshd service by running the following command:

Note

Restarting the sshd service disconnects all current SSH connections to the
cluster. To minimize the potential impact, coordinate this activity with other
cluster administrators.

isi_for_array 'killall -HUP sshd'

Restrict SSH access to specific users and groups

By default, only the SecurityAdmin, SystemAdmin, and AuditAdmin roles have SSH
access privileges. You can grant SSH access for specific cluster management tasks to
users and groups that have more restricted roles.
Before you begin
To perform these steps, you must log in as a user who has the ISI_PRIV_ROLE
privilege, which allows you to create roles and assign privileges.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Create a custom role by running the following command, where <role_name> is
the name of the custom role:

isi auth roles create <role_name>

3. Add the ISI_PRIV_LOGIN_SSH privilege to the role:

isi auth roles modify <role_name> --add-priv

ISI_PRIV_LOGIN_SSH

4. Add a user or a group to the role by running one or both of the following
commands, where <user_name> is the name of the user, and <group_name> is
the name of the group:

isi auth roles modify <role_name> --add-user <user_name>

isi auth roles modify <role_name> --add-group <group_name>

Restrict SSH access to specific IP addresses

Allow only authorized IP addresses to connect to a cluster through SSH.

Note

If you add new nodes later, you must perform these steps for the new nodes.

204 OneFS 8.1.2 Security Configuration Guide

 Security best practices

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Check whether the /etc/mcp/override/hosts.allow file exists, and then

do one of the following:
l If the file exists, run the following two commands to make a working copy
and a backup copy in the /ifs/data/backup directory:

cp /etc/mcp/override/hosts.allow \
/ifs/data/backup/hosts.allow

cp /etc/mcp/override/hosts.allow \
/ifs/data/backup/hosts.allow.bak

Note

If a file named hosts.allow.bak exists in the backup directory, either

overwrite the existing file, or, to save the old backups, rename the new file
with a timestamp or other identifier.
l If the file does not exist, create it in the /ifs/data/backup directory:

cp /etc/mcp/templates/hosts.allow \
/ifs/data/backup/hosts.allow

5. Open the /ifs/data/backup/hosts.allow file in a text editor.

6. Delete the following line:

ALL : ALL : allow

7.
Note

This step is critical for maintaining intra-cluster communication.

From the same place where you just deleted the line, add an instance of the
following line for every node in the cluster, where <node_nameX> is the name
of the node. Add each new line directly below the preceding line as shown in the

Restrict SSH access to specific IP addresses 205

Security best practices

following three-node example. Begin the list with # Begin Security Best
Practices.

# Begin Security Best Practices

ALL: <node_name1> : allow
ALL: <node_name2> : allow
ALL: <node_name3> : allow

8. Directly under the last line from the previous step, add an instance of the
following line for each device for which you want to allow SSH access. In each
line, replace <ip_addressX> with the IP address or the fully qualified domain
name (FQDN) of the device. Add each new line directly below the preceding line
as shown in the following example.

sshd: <ip_address1> : allow

sshd: <ip_address2> : allow
sshd: <ip_address3> : allow

9. Add the following lines directly under the last line from the previous step:

sshd: ALL : deny

# End Security Best Practices

10. Verify that all of the node IP addresses in the cluster are in the edited list. Verify
that the IP address or FQDN of every client that is allowed to use SSH is in the
edited list.
11. Save the file and exit the text editor.
12. Copy the file to the /etc/mcp/override directory:

cp /ifs/data/backup/hosts.allow /etc/mcp/override/hosts.allow

The updated /etc/mcp/override/hosts.allow file is propagated to all of

the nodes in the cluster.
13. While the current connection is still active, perform the following three steps to
verify connectivity between the nodes in the cluster.
14. Verification step 1
a. From the node that you are currently logged in to, try to connect to a
different node in the cluster. Run the following command, where
<user_name> is the account that you used to log in (for example, root),
and <node_name2> is the name of any node except for the one that you are
currently logged in to:

ssh <user_name>@<node_name2>

For example:

ssh root@cluster-2

206 OneFS 8.1.2 Security Configuration Guide

 Security best practices

b. Type the account password at the prompt.

c. If you successfully connected to the other node, go to the next step. If you
could not connect to the other node, there is something wrong with the
edits that you made to the hosts.allow file. Review and correct the edits
or restore the file using the backup and start over.
15. Verification step 2
a. Try to establish an SSH connection to the cluster from an unauthorized IP
address. An unauthorized IP address is any IP address that you do not
specifically allow in the hosts.allow file (as described in a previous step in
this procedure).
b. If you successfully established an SSH connection to the cluster, go to the
next step. If you could not establish an SSH connection, there is something
wrong with the edits that you made to the hosts.allow file. Review and
correct the edits or restore the file using the backup and start over.
16. Verification step 3
a. Try to establish an SSH connection to the cluster from an authorized IP
address. An authorized IP address is an IP address that you specifically allow
in the hosts.allow file (as described in a previous step in this procedure).
b. If you successfully established an SSH connection to the cluster, go to the
next step. If you could not establish an SSH connection, there is something
wrong with the edits that you made to the hosts.allow file. Review and
correct the edits or restore the file using the backup and start over.
17. (Optional) After you verify connectivity between the nodes by performing the
three verification steps, delete the working and backup copies from the /ifs/
data/backup directory:

rm /ifs/data/backup/hosts.allow \
/ifs/data/backup/hosts.allow.bak

18. Run the following command to restart the sshd service:

Note

Restarting the sshd service disconnects all current SSH connections to the
cluster. To minimize potential impact, coordinate this activity with other cluster
administrators.

isi_for_array 'killall -HUP sshd'

Disable root SSH access to the cluster

Disabling root SSH access to the cluster prevents attackers from accessing the
cluster by brute-force hacking of the root password.
After disabling root SSH access, you can still log in as root by performing one of the
following actions:
l Physically connect to the cluster using a serial cable, and log in as root.
l Open a secure shell (SSH) connection to any node in the cluster and log in using
an RBAC-authorized account. At the command prompt, type login root and

Disable root SSH access to the cluster 207

Security best practices

press ENTER. Type the root password when prompted. This method has the
security benefit of requiring two passwords (the user password and the root
password).
You can also elevate the privileges for select users to give them access to specified
root-level commands (see the Privilege elevation: Assign select root-level privileges to
non-root users section of this guide).
Procedure
1. Ensure that there is at least one non-root administrator account that is
configured and working, and that allows remote SSH login to the cluster, before
you disable root SSH access.
2. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
3. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

4. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

5. Copy the /etc/mcp/templates/sshd_config file to the /ifs/data/

backup directory:

cp /etc/mcp/templates/sshd_config /ifs/data/backup

6. Make a backup copy of the sshd_config file:

cp /etc/mcp/templates/sshd_config \
/ifs/data/backup/sshd_config.bak

Note

If a file with the same name exists in the backup directory, either overwrite the
existing file, or, to save the old backups, rename the new file with a timestamp
or other identifier.

7. Open the /ifs/data/backup/sshd_config file in a text editor.

8. Delete the following line:

PermitRootLogin yes

9. Add the following lines to the end of the file:

# Begin Security Best Practices

# Deny Root Logins over SSH

208 OneFS 8.1.2 Security Configuration Guide

 Security best practices

PermitRootLogin no
# End Security Best Practices

10. Confirm that the changes are correct. Then save the file and exit the text
editor.
11. Copy the updated file to the /etc/mcp/templates directory on all nodes:

isi_for_array 'cp /ifs/data/backup/sshd_config \

/etc/mcp/templates/sshd_config'

12. (Optional) Delete the working and backup copies from the /ifs/data/
backup directory:

rm /ifs/data/backup/sshd_config \
/ifs/data/backup/sshd_config.bak

13. Restart the sshd service:

Note

Restarting the sshd service disconnects all current SSH connections to the
cluster. To minimize the potential impact, coordinate this activity with other
cluster administrators.

isi_for_array 'killall -HUP sshd'

Best practices for data-access protocols

To prevent unauthorized client access through unused or unmonitored protocols,
disable protocols that you do not support. For those protocols that you do support,
limit access to only those clients that require it.
The following sections provide instructions for limiting or disabling these protocols.
For more information about the protocols, see the Data-access protocols section of
this guide.

Use a trusted network to protect files and authentication credentials that are
sent in cleartext
The security between a client and the Isilon cluster is dependent on which protocol is
being used. Some protocols send files and/or authentication credentials in cleartext.
Unless you implement a compensating control, the best way to protect your data and
authentication information from interception is to ensure that the path between
clients and the cluster is on a trusted network. Even if you do implement a
compensating control, a trusted network provides an additional layer of security.

Best practices for data-access protocols 209

Security best practices

Use compensating controls to protect authentication credentials that are

sent in cleartext
Some protocols send authentication credentials in cleartext. You can use
compensating controls to enable more secure authentication.
Protocols that send authentication credentials in cleartext include:
l FTP
l HDFS (and WebHDFS)
l HTTP
l NFS
l Swift
Compensating controls for cleartext authentication in OneFS include:
l Kerberos authentication (supported by some protocols).
l NTLM authentication (supported by some protocols).
l Secure impersonation on HDFS. For more information, see the Secure
impersonation section of this guide.
l Enabling TLS on the FTP service. For more information, see the FTP security
section of this guide.
l SSH tunneling (wraps an existing non-secure protocol and moves all
communication to an encrypted channel).
l The OneFS API (all authentication credentials are sent over TLS).

Use compensating controls to protect files that are sent in cleartext

Files specific to the web interface are sent over TLS. Files specific to /ifs are sent
differently depending on the protocol. You can use compensating controls to increase
the security of files that are sent in cleartext.
Protocols that send /ifs data files in cleartext include:
l FTP
l HDFS (and WebHDFS)
l HTTP
l NFS
l SMB
Compensating controls for data transmission in OneFS include:
l The OneFS API (all file access communication is sent over TLS.
l SSH tunneling (wraps an existing non-secure protocol and moves all
communication to an encrypted channel).

210 OneFS 8.1.2 Security Configuration Guide

 Security best practices

Disable FTP access

The FTP service is disabled by default. It should remain disabled unless it is required.

Disable FTP access (Web UI)

Procedure
1. Click Protocols > FTP Settings.
2. In the Service area, clear the Enable FTP service check box.
3. Click Save Changes.

Disable FTP access (CLI)

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services vsftpd disable

Limit or disable HDFS access

The HDFS service on the cluster is enabled by default, and is configured on a per-
access-zone basis. If you support Hadoop, you should disable HDFS access from any
access zones that do not require it. If you do not support Hadoop, you should disable
the HDFS service entirely.

Limit HDFS access to specific access zones

If you are using Hadoop, you should disable HDFS access from any access zones that
do not require it.

Note

Disabling HDFS for an individual access zone prevents HDFS access to that zone. It
does not disable the HDFS service on the cluster.

Procedure
1. From the OneFS web administration interface, click Protocols > Hadoop
(HDFS) > Settings.
2. From the Current Access Zone list, select the access zone for which you want
to disable HDFS.
3. In the HDFS Service Settings area, clear the Enable HDFS Service check box.
4. Click Save Changes.
Results
HDFS is disabled for the selected access zone.

Disable FTP access 211

Security best practices

Disable HDFS access

If you do not support HDFS, you should disable the HDFS service entirely.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services hdfs disable

Limit or disable HTTP access

HTTP is used to access the OneFS web administration interface, the OneFS API,
WebHDFS, and file sharing. HTTP access to the cluster is enabled by default.
If you support HTTP, there are several options that you can use to limit access. If you
do not support HTTP, you can disable the apache2 service on the cluster.
Administrators must consider whether limiting or disabling HTTP is suitable for their
deployment, and manage the security implications appropriately.

Limit HTTP access

For options and instructions on how to limit HTTP access, see the following sections
of this guide:
l Enable and configure HTTP
l Web interface security best practices

Disable HTTP access

Disabling HTTP closes the HTTP port that is used for file access. If you disable HTTP,
you can still access the OneFS web interface by using HTTPS and specifying the port
number in the URL. The default port is 8080.

Disable HTTP access (Web UI)

Procedure
1. Click Protocols > HTTP Settings.
2. In the Service area, select Disable HTTP.
3. Click Save Changes.

Disable HTTP access (CLI)

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services apache2 disable

212 OneFS 8.1.2 Security Configuration Guide

 Security best practices

NFS best practices

NFS data access to the cluster is enabled by default. In addition, the NFS export /ifs
has no access restrictions.
Administrators must consider whether these configurations are suitable for their
deployment, and manage the security implications appropriately.
If you support NFS, recommendations for limiting access are provided in the following
sections. If you do not support NFS, you should disable the NFS service on the
cluster.

Delete the default /ifs NFS export

If you support NFS, we recommend that you delete the default NFS export of /ifs. If
you choose to keep the /ifs export, you should assess the security attributes of the
export and configure the attributes appropriately for your environment.

Limit access to NFS exports

Use the OneFS web administration interface or command-line interface to control
which IP addresses or machines can access NFS shares, and to configure their access
levels.
For details, see the OneFS Web Administration Guide or the OneFS CLI Administration
Guide.

Disable NFS access

If you do not support NFS, you should disable NFS the NFS service.

Disable NFS access (Web UI)

Procedure
1. Click Protocols > UNIX Sharing (NFS) > Global Settings.
2. In the Settings area, clear the Enable NFS Export Service check box:
3. Click Save Changes.

Disable NFS access (CLI)

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services nfs disable

SMB best practices

SMB data access to the cluster is enabled by default. In addition, Isilon provides the
following default configurations with no access restrictions:
l An unrestricted SMB share (/ifs)
l Unlimited access to the /ifs directory for the Everyone account

NFS best practices 213

Security best practices

Isilon cluster administrators must consider whether these configurations are suitable
for their deployment, and manage the security implications appropriately.
If you support SMB, recommendations for limiting access are provided in the following
sections. If you do not support SMB, you should disable the SMB service on the
cluster.

Delete the default /ifs SMB share

If you support SMB, we recommend that you delete the default SMB share of /ifs. If
you choose to keep the /ifs share, you should assess the security attributes of the
share and configure the attributes appropriately for your environment.

Limit access to SMB shares

It is possible to restrict access to a share by using the share access control list (ACL).
However, it is preferred to configure the share ACL to grant full control to everyone,
and manage access to individual files and directories by using the file system ACLs.
Limiting the entire share to read or read/write permissions can complicate
management because these restrictive permissions on the entire share override more
permissive permissions that may exist on individual files and directories. For example,
if the entire share is configured for read-only access, but an individual file is
configured for read/write access, only read access is granted to the file. More
permissive permissions on the share do not override more restrictive permissions that
exist on individual files and directories.
For details, see the OneFS Web Administration Guide or the OneFS CLI Administration
Guide.

Disable SMB access

If you do not support SMB, you should disable the SMB service.

Disable SMB access (Web UI)

Procedure
1. Click Protocols > Windows Sharing (SMB) > SMB Server Settings.
2. In the Service area, clear the Enable SMB Service check box.
3. Click Save Changes.

Disable SMB access (CLI)

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services smb disable

SMB signing
SMB is used for file sharing and is a transport protocol for Remote Procedure Call
(RPC) services such as SAMR (modify local users), LSAR (look up local users), and
SRVSVC (modify SMB shares configuration). SMB, and the Distributed Computing
Environment Remote Procedure Call (DCERPC) services, which use SMB for
transport, are susceptible to man-in-the-middle attacks. A man-in-the-middle attack

214 OneFS 8.1.2 Security Configuration Guide

 Security best practices

occurs when an attacker intercepts and potentially alters communication between

parties who believe that they are in direct communication with one another.
SMB signing can prevent man-in-the-middle attacks within the SMB protocol.
However, SMB signing has performance implications and is disabled by default on
Isilon clusters. Customers should carefully consider whether the security benefits of
SMB signing outweigh the performance costs. The performance degradation that is
caused by SMB signing can vary widely depending on the network and storage system
implementation. Actual performance can be verified only through testing in your
network environment.
If SMB signing is desired, you can perform one of the following actions:
l Enable SMB signing for all connections. This is the easiest and most secure
solution. However, this option causes significant performance degradation
because it requires SMB signing for both file transfer and control path DCERPC
connections.
l Enable SMB signing for the control path only. This solution requires that clients
use SMB signing when accessing all DCERPC services on the cluster, but does not
require signed connections for the data path. This option requires you to enable
four advanced parameters on the cluster. With these parameters enabled, the
OneFS server rejects any non-signed IPC request that a client initiates. If clients
are configured not to sign, they can access files over SMB, but cannot perform
certain other functions, such as SMB share enumeration.

Enable SMB signing for all connections

To enable SMB signing for all connections, perform the following steps.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi smb settings global modify --require-security-signatures

yes

3. Configure the client to enable SMB signing. SMB signing may already be
enabled by default. See the client documentation for instructions.

Enable SMB signing for the control path only

To enable SMB signing for the control path only, perform the following steps.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.

SMB signing 215

Security best practices

2. Run the following four commands. The value of 1 at the end of the command
enables the parameter:

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\

\Services\\lsass\\Parameters\\RPCServers\\lsarpc]"
"RequireConnectionIntegrity" 1

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\

\Services\\lsass\\Parameters\\RPCServers\\samr]"
"RequireConnectionIntegrity" 1

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\

\Services\\lsass\\Parameters\\RPCServers\\dssetup]"
"RequireConnectionIntegrity" 1

/usr/likewise/bin/lwregshell set_value "[HKEY_THIS_MACHINE\

\Services\\srvsvc\\Parameters]" "RequireConnectionIntegrity" 1

3. To review the value for each of the settings, run the following four commands.
In the output, the value in the line for "RequireConnectionIntegrity"
indicates whether the parameter is enabled (1) or disabled (0).

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\

\Services\\lsass\\Parameters\\RPCServers\\lsarpc]"

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\

\Services\\lsass\\Parameters\\RPCServers\\samr]"

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\

\Services\\lsass\\Parameters\\RPCServers\\dssetup]"

/usr/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\

\Services\\srvsvc\\Parameters]"

Example output:

"LpcSocketPath" REG_SZ "/var/lib/

likewise/rpc/lsass"
"Path" REG_SZ "/usr/likewise/lib/
lsa-rpc/lsa.so"
"RegisterTcpIp" REG_DWORD 0x00000000 (0)
"RequireConnectionIntegrity" REG_DWORD 0x00000000 (1)
4. Configure the client to require SMB signing. This step is required in order for
the DCERPC services to function. See the client documentation for
instructions.

216 OneFS 8.1.2 Security Configuration Guide

 Security best practices

Disable Swift access

The Swift service on the cluster is enabled by default. If Swift is not being used to
access the cluster, a strong security posture requires that the service be disabled
entirely.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Run the following command:

isi services lwswift disable

Web interface security best practices

This section provides recommendations for limiting access to the OneFS web
administration interface, securing the web interface headers, and configuring the
system to use the most up-to-date versions of TLS. You can perform one or more of
these procedures, depending on what is best for your environment.

Secure the web interface headers

Securing the web interface header helps to protect against sniffing, clickjacking, and
cross-site scripting attacks.
Before you begin
Ensure that you have the latest security patches installed. For more information, see
the Current Isilon OneFS Patches document on the Customer support site.

Note

l This procedure will restart the httpd service. Restarting the httpd service
disconnects all current web interface sessions to the cluster. To minimize the
potential impact, coordinate this activity with other cluster administrators.
l Changes will not be preserved following upgrade and rollback options.
l Changes will not be copied to new nodes.
l Changes might be removed during patching.
l Changes might block security hardening from working.

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in as
root.
2. Create a backup directory by running the following command:

mkdir /ifs/data/backup/

Disable Swift access 217

Security best practices

3. Set the permissions on the backup directory to 700:

chmod 700 /ifs/data/backup

4. Make working copies of the /etc/mcp/templates/webui_httpd.conf

and the /etc/mcp/templates/apache24.conf files in the backup
directory:

cp /etc/mcp/templates/webui_httpd.conf /ifs/data/backup

cp /etc/mcp/templates/apache24.conf /ifs/data/backup

5. Make backup copies of the /etc/mcp/templates/webui_httpd.conf and

the /etc/mcp/templates/apache24.conf files in the backup directory:

cp /etc/mcp/templates/webui_httpd.conf \
/ifs/data/backup/webui_httpd.conf.bak

cp /etc/mcp/templates/apache24.conf \
/ifs/data/backup/apache24.conf.bak

Note

If a file with the same name exists in the backup directory, either overwrite the
existing file, or, to save the old backups, rename the new file with a timestamp
or other identifier.

6. Open the /ifs/data/backup/webui_httpd.conf and the /etc/mcp/

templates/apache24.conf files in a text editor.
7. Add the following lines to the very bottom of the file (after </VirtualHost>):

# Begin Security Best Practices

Header always append X-Frame-Options SAMEORIGIN
Header always append X-Content-Type-Options nosniff
Header always append X-XSS-Protection "1; mode=block"
# End Security Best Practices

8. Confirm that the changes are correct. Then save the file and exit the text
editor.
9. Copy the updated file to the /etc/mcp/templates directory on all nodes in
the cluster:

isi_for_array 'cp /ifs/data/backup/webui_http.conf \

/etc/mcp/templates/webui_httpd.conf'

isi_for_array 'cp /ifs/data/backup/apache24.conf \

/etc/mcp/templates/apache24.conf'

218 OneFS 8.1.2 Security Configuration Guide

 Security best practices

10. (Optional) Delete the working and backup copies from the /ifs/data/
backup directory:

rm /ifs/data/backup/webui_httpd.conf \
/ifs/data/backup/webui_httpd.conf.bak

rm /ifs/data/backup/apache24.conf \
/ifs/data/backup/apache24.conf.bak

Accept up-to-date versions of TLS in the OneFS web interface

If required, configure the OneFS web administration interface to accept transmissions
from the most up-to-date versions of the TLS protocol.
Before you begin
If your current configuration at /etc/mcp/templates/webui_httpd.conf
contains +TLSv1, install the latest security patches. For more information, see the
Current Isilon OneFS Patches document on the Customer support site.

Accept up-to-date versions of TLS in the OneFS web interface 219

Security best practices

220 OneFS 8.1.2 Security Configuration Guide

CHAPTER 15
Additional security best practices for IsilonSD
Edge

This section contains the following topics:

l Security recommendations for EMC IsilonSD Edge front-end network............ 222

l Security requirements for EMC IsilonSD Edge back-end network....................223
l Updating the IsilonSD Edge management server..............................................223

Additional security best practices for IsilonSD Edge 221

Additional security best practices for IsilonSD Edge

Security recommendations for EMC IsilonSD Edge front-

end network
Follow these recommendations to help protect the IsilonSD clusters from attacks over
the external network.
l Restrict access to the IsilonSD Management Server virtual machine to trusted
host IP addresses. These trusted hosts include the VMware vCenter Server, the
ESXi servers hosting the cluster nodes, the ESXi server hosting the management
server virtual machine, and the IsilonSD cluster nodes themselves.
l Disable the management server when it is not in use. The management server
enables you to deploy IsilonSD clusters. After a cluster is deployed, the
management server is not required for the cluster to function. However, the
management server must be enabled to perform all cluster management activities,
including the following:
n Adding, smartfailing, or removing nodes
n Adding, smartfailing, or removing drives
n Installing or upgrading licenses
n Collecting logs
To disable the management server, connect to the management server through an
SSH client with administrator credentials, and run sudo service virtmgmt
stop. To enable the management server, connect to the management server
through an SSH client with administrator credentials, and run sudo service
virtmgmt start.
l Allow hosts to access only the following ports on the management server:

Port Function
22 Enables SSH access to the management server.

5480 Allows administration of the management server.

8080 Enables serial console access to the IsilonSD nodes. Serial console access
is accomplished through a virtual serial port concentrator (vSPC) that
runs on the management server and listens on this port.
9443 Enables administrative and management tasks, such as adding licenses,
creating IsilonSD clusters, adding and removing nodes, adding templates,
and changing settings on the IsilonSD cluster.

For detailed information about IsilonSD Edge, see the IsilonSD Edge Installation and
Administration Guide.

222 OneFS 8.1.2 Security Configuration Guide

 Additional security best practices for IsilonSD Edge

Security requirements for EMC IsilonSD Edge back-end

network
To protect the IsilonSD clusters against network spoofing, sniffing, and tampering
threats, the back-end network must be secured adequately by following one of the
best practices that are mentioned in this section.
l Use a dedicated Ethernet switch to connect to the VMware ESXi host interfaces
that are used to route the back-end network traffic. For enhanced security, do not
connect any untrusted infrastructure to the Ethernet switch.
l Route the back-end network traffic through a dedicated VLAN. When you
configure network subnets on the IsilonSD cluster, use the isi network
subnets create command with the appropriate options. For example:

isi network subnets create --vlan-enabled true --vlan-id

<integer>

Refer to the OneFS CLI Administration Guide for details about using the isi
network subnets create command and the available options.
Refer to the VMware vSphere ESXi and vCenter Server documentation set for
guidelines on securing networks with VLANs and switches.

Updating the IsilonSD Edge management server

Specific software configurations are validated and supported for the IsilonSD
Management Server.

Note

To preserve the supported configuration, we recommend that you do not use yum or
any other tool to update the virtual machine that hosts the management server, unless
you are specifically directed to do so.

Should it become necessary to update the virtual machine configuration, EMC will
issue an advisory containing specific instructions.

Note

Back up the management server database before initiating any configuration change.

Security requirements for EMC IsilonSD Edge back-end network 223

Additional security best practices for IsilonSD Edge

224 OneFS 8.1.2 Security Configuration Guide

CHAPTER 16
Additional security best practices for
CloudPools

This section contains the following topics:

l Configuring network proxy servers with CloudPools........................................ 226

Additional security best practices for CloudPools 225

Additional security best practices for CloudPools

Configuring network proxy servers with CloudPools

You can configure CloudPools so that data that is archived to, or recalled from, a
public cloud provider is routed through a proxy server.
By default, CloudPools communicates directly with the designated cloud provider. If
the cloud provider is private, such as another EMC Isilon cluster or an ECS appliance
running on the same corporate network, the default communication protocol might be
acceptable.
However, if CloudPools is archiving data to a public cloud provider, such as Amazon
S3 or Microsoft Azure, communication happening directly through the public Internet
might violate security policies that are established by some organizations.
In a typical configuration, the Isilon cluster is installed in a data center behind one or
more firewalls. Ports that would enable communication to the public Internet often are
closed. To enable CloudPools to archive data to a public cloud provider, CloudPools
can be configured to work with a proxy server.
CloudPools works with proxy servers running the following protocols:
l SOCKS v4
l SOCKS v5
l HTTP
Configuration on the CloudPools side includes creating a network proxy entry and
connecting the network proxy to a cloud storage account. Both SOCKS v5 and HTTP
can be configured with or without authentication. SOCKS v4 does not support
authentication.
From OneFS, you can also list network proxies, view network proxy properties, modify
proxy settings, and delete proxies. Except for connecting the network proxy to a cloud
storage account, you must use the CLI to run all other proxy server commands.
For details about creating a network proxy, see the OneFS CLI Administration Guide or
the OneFS Web Administration Guide.

226 OneFS 8.1.2 Security Configuration Guide