# Enabling Security on the Management Station Omnia uses [FreeIPA (on RockyOS)](https://www.freeipa.org/page/Documentation ) and [389ds(on Leap)](https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-security-ldap.html ) to enable security features like authorisation and access control. >> __Note:__ For 389ds/SSSD to work, an external LDAP server has to be set up in your environment as Omnia does not configure LDAP. ## Enabling Authentication on the Management Station: Set the parameter 'enable_security_support' to true in `base_vars.yml` ## Prerequisites Before Enabling Security: * Enter the relevant values in `login_vars.yml`: | Parameter Name | Default Value | Additional Information | |----------------------------|---------------|--------------------------------------------------------------------------------------------------| | ms_directory_manager_password | | Password of the Directory Manager with full access to the directory for system management tasks. | | ms_kerberos_admin_password | | "admin" user password for the IPA server on RockyOS. If LeapOS is in use, it is used as the "kerberos admin" user password for 389-ds | * Enter the relevant values in `security_vars.yml: | Variables [Required/ Optional] | **Default**, Accepted values | Description | |--------------------------------------------------------------------------------------|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | domain_name | **omnia.test** | The domain name should not contain an underscore ( _ ) | | realm_name | **OMNIA.TEST** | The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations
* The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory).
* The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com). | | max_failures | **3** | Failures allowed before lockout.
This value cannot currently be changed. | | failure_reset_interval | **60** | Period (in seconds) after which the number of failed login attempts is reset
Accepted Values: 30-60 | | lockout_duration | **10** | Period (in seconds) for which users are locked out.
Accepted Values: 5-10 | | session_timeout | **180** | Period (in seconds) after which idle users get logged out automatically
Accepted Values: 30-90 | | alert_email_address | | Email address used for sending alerts in case of authentication failure. Currently, only one email address is supported in this field.
If this variable is left blank, authentication failure alerts will be disabled. | | user | | Array of users that are allowed or denied based on the `allow_deny` value. Multiple users must be separated by a space. | | allow_deny | **Allow** | This variable sets whether the user list is Allowed or Denied.
Accepted Values: Allow, Deny | | restrict_program_support | **false** | This variable sets whether the network services/protocols listed in `restrict_softwares` are to be blocked. | | restrict_softwares | | Array of services/protocols to be blocked by Omnia. Values are to be separated by commas.
Accepted values: telnet,lpd,bluetooth,rlogin,rexec
Non Accepted values: ftp,smbd,nmbd,automount,portmap | >> __Note:__ In the event that `control_plane.yml` fails after executing the control plane security tasks, `sshd` services will have to be restarted manually by the User. ## Log Aggregation via Grafana [Loki](https://grafana.com/docs/loki/latest/fundamentals/overview/) is a datastore used to efficiently hold log data for security purposes. Using the `promtail` agent, logs are collated and streamed via a HTTP API. >> __Note:__ When `control_plane.yml` is run, Loki is automatically set up as a data source on the Grafana UI. ### Querying Loki Loki uses basic regex based syntax to filter for specific jobs, dates or timestamps. * Select the Explore ![Explore Icon](../Telemetry_Visualization/Images/ExploreIcon.PNG) tab to select control-plane-loki from the drop down. * Using [LogQL queries](https://grafana.com/docs/loki/latest/logql/log_queries/), all logs in `/var/log` can be accessed using filters (Eg: `{job=”Omnia”}` ) ## Viewing Logs on the Dashboard All log files can be viewed via the Dashboard tab (![Dashboard Icon](../Telemetry_Visualization/Images/DashBoardIcon.PNG)). The Default Dashboard displays `omnia.log` and `syslog`. Custom dashboards can be created per user requirements. Below is a list of all logs available to Loki and can be accessed on the dashboard: | Name | Location | Purpose | Additional Information | |--------------------|-------------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------| | Omnia Logs | /var/log/omnia.log | Omnia Log | This log is configured by Default | | syslogs | /var/log/messages | System Logging | This log is configured by Default | | Audit Logs | /var/log/audit/audit.log | All Login Attempts | This log is configured by Default | | CRON logs | /var/log/cron | CRON Job Logging | This log is configured by Default | | Pods logs | /var/log/pods/ * / * / * log | k8s pods | This log is configured by Default | | Access Logs | /var/log/dirsrv/slapd-/access | Directory Server Utilization | This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true') | | Error Log | /var/log/dirsrv/slapd-/errors | Directory Server Errors | This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true') | | CA Transaction Log | /var/log/pki/pki-tomcat/ca/transactions | FreeIPA PKI Transactions | This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true') | | KRB5KDC | /var/log/krb5kdc.log | KDC Utilization | This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true') | | Secure logs | /var/log/secure | Login Error Codes | This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true') | | HTTPD logs | /var/log/httpd/* | FreeIPA API Call | This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true') | | DNF logs | /var/log/dnf.log | Installation Logs | This log is configured on Rocky OS | | Zypper Logs | /var/log/zypper.log | Installation Logs | This log is configured on Leap OS |