|
@@ -1,25 +1,37 @@
|
|
|
-# Enabling Security on the Management Station and Login Node
|
|
|
+# Enabling Security on the Management Station
|
|
|
|
|
|
-Omnia uses FreeIPA to enable security features like authorisation and access control.
|
|
|
+Omnia uses FreeIPA on RockyOS to enable security features like authorisation and access control.
|
|
|
|
|
|
## Enabling Authentication on the Management Station:
|
|
|
|
|
|
Set the parameter 'enable_security_support' to true in `base_vars.yml`
|
|
|
|
|
|
-## Prerequisites Before Enabling FreeIPA:
|
|
|
-* Enter the relevant values in `security_vars.yml`:
|
|
|
-
|
|
|
-| Parameter Name | Default Value | Additional Information |
|
|
|
-|----------------|---------------|------------------------------------------------------------------------------------------------------------------|
|
|
|
-| domain_name | omnia.test | The domain name should not contain an underscore ( _ ) |
|
|
|
-| realm_name | omnia.test | The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations <br> * The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory). <br> * The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com). |
|
|
|
+## Prerequisites Before Enabling Security:
|
|
|
|
|
|
* Enter the relevant values in `login_vars.yml`:
|
|
|
|
|
|
| Parameter Name | Default Value | Additional Information |
|
|
|
|----------------------------|---------------|--------------------------------------------------------------------------------------------------|
|
|
|
-| directory_manager_password | | Password of the Directory Manager with full access to the directory for system management tasks. |
|
|
|
-| ipa_admin_password | | "admin" user password for the IPA server |
|
|
|
+| ms_directory_manager_password | | Password of the Directory Manager with full access to the directory for system management tasks. |
|
|
|
+| ms_kerberos_admin_password | | "admin" user password for the IPA server on RockyOS. If LeapOS is in use, it is used as the "kerberos admin" user password for 389-ds <br> This field is not relevant to Management Stations running `LeapOS` |
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+* Enter the relevant values in `security_vars.yml:
|
|
|
+
|
|
|
+If `RockyOS` is in use on the Management Station:
|
|
|
+
|
|
|
+| Parameter Name | Default Value | Additional Information |
|
|
|
+|------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
|
+| domain_name | omnia.test | The domain name should not contain an underscore ( _ ) |
|
|
|
+| realm_name | OMNIA.TEST | The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations <br> * The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory). <br> * The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com). |
|
|
|
+| max_failures | 3 | Failures allowed before lockout. <br> This value cannot currently be changed. |
|
|
|
+| failure_reset_interval | 60 | Period (in seconds) after which the number of failed login attempts is reset <br> Accepted Values: 30-60 |
|
|
|
+| lockout_duration | 10 | Period (in seconds) for which users are locked out. <br> Accepted Values: 5-10 |
|
|
|
+| session_timeout | 180 | Period (in seconds) after which idle users get logged out automatically <br> Accepted Values: 30-90 |
|
|
|
+| alert_email_address | | Email address used for sending alerts in case of authentication failure. Currently, only one email address is supported in this field. <br> If this variable is left blank, authentication failure alerts will be disabled. |
|
|
|
+| allow_deny | Allow | This variable sets whether the user list is Allowed or Denied. <br> Accepted Values: Allow, Deny |
|
|
|
+| user | | Array of users that are allowed or denied based on the `allow_deny` value. Multiple users must be separated by a space. |
|
|
|
|
|
|
|
|
|
## Log Aggregation via Grafana
|
|
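Review bot: the new `session_timeout` row (default `180`, "Accepted Values: 30-90") ships a default that lies outside its own accepted range, so a deployment that keeps the default either fails validation or silently ignores the documented bound; either change the default to a value within 30-90 or correct the accepted range (the neighbouring `failure_reset_interval` 60 in 30-60 and `lockout_duration` 10 in 5-10 are consistent). Two smaller points in the same hunk: the `ms_kerberos_admin_password` description first says the value is used as the "kerberos admin" password for 389-ds when LeapOS is in use and then says the field is not relevant to Management Stations running LeapOS, which cannot both be true, so one of the two sentences should go; and the bullet `* Enter the relevant values in `security_vars.yml:` is missing its closing backtick, so the rest of the line renders as inline code. Since this hunk also introduces two password parameters in `login_vars.yml`, the prerequisites should state how those values are expected to be protected at rest (for example whether the file is meant to be encrypted with Ansible Vault), as nothing in the table says so.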
@@ -34,12 +46,12 @@ Set the parameter 'enable_security_support' to true in `base_vars.yml`
|
|
|
|
|
|
Loki uses basic regex based syntax to filter for specific jobs, dates or timestamps.
|
|
|
|
|
|
-* Select the Explore  tab to select control-plane-loki from the drop down.
|
|
|
+* Select the Explore  tab to select control-plane-loki from the drop down.
|
|
|
* Using [LogQL queries](https://grafana.com/docs/loki/latest/logql/log_queries/), all logs in `/var/log` can be accessed using filters (Eg: `{job=”Omnia”}` )
|
|
|
|
|
|
## Viewing Logs on the Dashboard
|
|
|
|
|
|
-All log files can be viewed via the Dashboard tab (). The Default Dashboard displays `omnia.log` and `syslog`. Custom dashboards can be created per user requirements.
|
|
|
+All log files can be viewed via the Dashboard tab (). The Default Dashboard displays `omnia.log` and `syslog`. Custom dashboards can be created per user requirements.
|
|
|
|
|
|
Below is a list of all logs available to Loki and can be accessed on the dashboard:
|
|
|
|
|
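Review bot: the removed and added "Select the Explore tab" lines are identical in this rendering apart from the double space before "tab", which suggests an inline image or icon reference was dropped rather than text being changed; the same applies to "Dashboard tab ()" below, where the empty parentheses now carry nothing and should either be removed or have the icon restored. While touching this section, the LogQL example on the context line, `{job=”Omnia”}`, uses typographic quotes that LogQL will not parse; it should read `{job="Omnia"}` with straight double quotes so a reader can paste it into Grafana unchanged.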
@@ -49,7 +61,7 @@ Below is a list of all logs available to Loki and can be accessed on the dashboa
|
|
|
| syslogs | /var/log/messages | System Logging | This log is configured by Default |
|
|
|
| Audit Logs | /var/log/audit/audit.log | All Login Attempts | This log is configured by Default |
|
|
|
| CRON logs | /var/log/cron | CRON Job Logging | This log is configured by Default |
|
|
|
-| Pods logs | /var/log/pods/*/*/*log | k8s pods | This log is configured by Default |
|
|
|
+| Pods logs | /var/log/pods/ * / * / * log | k8s pods | This log is configured by Default |
|
|
|
| Access Logs | /var/log/dirsrv/slapd-<Realm Name>/access | Directory Server Utilization | This log is available when FreeIPA is set up ( ie when enable_security_support is set to 'true') |
|
|
|
| Error Log | /var/log/dirsrv/slapd-<Realm Name>/errors | Directory Server Errors | This log is available when FreeIPA is set up ( ie when enable_security_support is set to 'true') |
|
|
|
| CA Transaction Log | /var/log/pki/pki-tomcat/ca/transactions | FreeIPA PKI Transactions | This log is available when FreeIPA is set up ( ie when enable_security_support is set to 'true') |
|
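Review bot: rewriting `/var/log/pods/*/*/*log` as `/var/log/pods/ * / * / * log` avoids the asterisks being read as markdown emphasis but leaves a path that is no longer a valid glob, so anyone copying it will get nothing; wrap the original in backticks instead (`` `/var/log/pods/*/*/*log` ``), which both preserves the literal asterisks and matches how the other paths in this document are presented. The `<Realm Name>` placeholders in the dirsrv rows have the same hazard, since some renderers drop unknown angle-bracket tags; backticks around those cells would keep them visible as well.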