Omnia uses FreeIPA on RockyOS to enable security features like authorisation and access control.
Set the parameter 'enable_security_support' to true in base_vars.yml.

login_vars.yml

Parameter Name | Default Value | Additional Information |
---|---|---|
ms_directory_manager_password | | Password of the Directory Manager with full access to the directory for system management tasks. |
ms_kerberos_admin_password | | "admin" user password for the IPA server on RockyOS. If LeapOS is in use, it is used as the "kerberos admin" user password for 389-ds. This field is not relevant to Management Stations running LeapOS. |
If RockyOS is in use on the Management Station:

Parameter Name | Default Value | Additional Information |
---|---|---|
domain_name | omnia.test | The domain name should not contain an underscore ( _ ). |
realm_name | OMNIA.TEST | The realm name should follow these rules per https://www.freeipa.org/page/Deployment_Recommendations: (1) it must not conflict with any other existing Kerberos realm name (e.g. a name used by Active Directory); (2) it should be the upper-case version (EXAMPLE.COM) of the primary DNS domain name (example.com). |
max_failures | 3 | Failures allowed before lockout. This value cannot currently be changed. |
failure_reset_interval | 60 | Period (in seconds) after which the number of failed login attempts is reset. Accepted Values: 30-60 |
lockout_duration | 10 | Period (in seconds) for which users are locked out. Accepted Values: 5-10 |
session_timeout | 180 | Period (in seconds) after which idle users get logged out automatically. Accepted Values: 30-90 |
alert_email_address | | Email address used for sending alerts in case of authentication failure. Currently, only one email address is supported in this field. If this variable is left blank, authentication failure alerts will be disabled. |
allow_deny | Allow | This variable sets whether the user list is Allowed or Denied. Accepted Values: Allow, Deny |
user | | Array of users that are allowed or denied based on the allow_deny value. Multiple users must be separated by a space. |
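The constraints in the table above (no underscore in the domain, upper-case realm matching the domain, the accepted ranges for the interval values, a single alert address, space-separated users) are easy to get wrong before a run. The following pre-flight checker is an added example written for this page; it is not Omnia's own validation code. The dict keys mirror the parameter names in the table; the sample values are constructed. Note that the documented default for session_timeout (180) lies outside the documented accepted range (30-90), so the checker, which follows the accepted range, flags that default as listed.

```python
import re

# Accepted ranges (seconds) exactly as documented for the security parameters.
RANGES = {
    "failure_reset_interval": (30, 60),
    "lockout_duration": (5, 10),
    "session_timeout": (30, 90),
}

# Conservative DNS label syntax: letters, digits, hyphens; no leading/trailing hyphen.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def validate_security_vars(cfg):
    """Return a list of human-readable problems; an empty list means the values pass."""
    problems = []

    domain = str(cfg.get("domain_name", ""))
    if "_" in domain:
        problems.append("domain_name must not contain an underscore")
    elif not DOMAIN_RE.match(domain):
        problems.append("domain_name is not a valid DNS domain name")

    realm = str(cfg.get("realm_name", ""))
    if realm != realm.upper():
        problems.append("realm_name must be upper-case")
    if domain and realm != domain.upper():
        problems.append("realm_name should be the upper-case form of domain_name")

    # max_failures is fixed at 3 and cannot currently be changed.
    if cfg.get("max_failures", 3) != 3:
        problems.append("max_failures is fixed at 3 and cannot be changed")

    for name, (lo, hi) in RANGES.items():
        val = cfg.get(name)
        if isinstance(val, bool) or not isinstance(val, int) or not lo <= val <= hi:
            problems.append(f"{name} must be an integer in {lo}-{hi}")

    # Blank disables alerts; otherwise exactly one address is supported.
    email = str(cfg.get("alert_email_address", "")).strip()
    if email:
        if len(email.split()) > 1 or "," in email:
            problems.append("alert_email_address supports a single address only")
        elif not EMAIL_RE.match(email):
            problems.append("alert_email_address is not a valid email address")

    if cfg.get("allow_deny") not in ("Allow", "Deny"):
        problems.append("allow_deny must be Allow or Deny")

    users = str(cfg.get("user", ""))
    if "," in users:
        problems.append("user entries must be separated by a space, not a comma")

    return problems


# Constructed sample matching the documented defaults (session_timeout set inside
# the accepted range); the user names are made up.
SAMPLE_VARS = {
    "domain_name": "omnia.test",
    "realm_name": "OMNIA.TEST",
    "max_failures": 3,
    "failure_reset_interval": 60,
    "lockout_duration": 10,
    "session_timeout": 90,
    "alert_email_address": "",
    "allow_deny": "Allow",
    "user": "alice bob",
}

if __name__ == "__main__":
    for problem in validate_security_vars(SAMPLE_VARS) or ["all security parameters pass"]:
        print(problem)
```

Run it against the values you intend to put in the vars file before starting the playbook; each returned string names the parameter and the rule it violates.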
Loki is a datastore used to efficiently hold log data for security purposes. Using the promtail agent, logs are collated and streamed via an HTTP API.

Note: When control_plane.yml is run, Loki is automatically set up as a data source on the Grafana UI.

Loki uses basic regex-based syntax to filter for specific jobs, dates or timestamps. /var/log can be accessed using filters (e.g. {job="Omnia"}). All log files can be viewed via the Dashboard tab. The Default Dashboard displays omnia.log and syslog. Custom dashboards can be created per user requirements.

Below is a list of all logs available to Loki that can be accessed on the dashboard:
Name | Location | Purpose | Additional Information |
---|---|---|---|
Omnia Logs | /var/log/omnia.log | Omnia Log | This log is configured by default. |
syslogs | /var/log/messages | System Logging | This log is configured by default. |
Audit Logs | /var/log/audit/audit.log | All Login Attempts | This log is configured by default. |
CRON logs | /var/log/cron | CRON Job Logging | This log is configured by default. |
Pods logs | `/var/log/pods/*/*/*.log` | k8s pods | This log is configured by default. |
Access Logs | /var/log/dirsrv/slapd-/access | Directory Server Utilization | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true'). |
Error Log | /var/log/dirsrv/slapd-/errors | Directory Server Errors | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true'). |
CA Transaction Log | /var/log/pki/pki-tomcat/ca/transactions | FreeIPA PKI Transactions | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true'). |
KRB5KDC | /var/log/krb5kdc.log | KDC Utilization | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true'). |
Secure logs | /var/log/secure | Login Error Codes | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true'). |
HTTPD logs | /var/log/httpd/* | FreeIPA API Call | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true'). |
DNF logs | /var/log/dnf.log | Installation Logs | This log is configured on Rocky OS. |
Zypper Logs | /var/log/zypper.log | Installation Logs | This log is configured on Leap OS. |
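The secure and audit logs above are where the lockout parameters from the earlier table become visible. The script below is an added example, not Omnia's code and not the way FreeIPA enforces its password policy internally: it replays sshd lines in the style of /var/log/secure against the documented values (max_failures 3, failure_reset_interval 60 s, lockout_duration 10 s) and reports when a user crosses the threshold, plus any successful login that lands inside a lockout window, which is the condition a defender would want alerted on. The sample lines, hostname, user names, addresses and the year are all constructed; treating failure_reset_interval as a sliding window is an assumption about the documented semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3             # failures allowed before lockout (fixed per the docs)
FAILURE_RESET_INTERVAL = 60  # seconds after which the failure count resets
LOCKOUT_DURATION = 10        # seconds a locked-out user stays locked

# Matches the sshd/PAM lines that /var/log/secure carries for password logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample, not captured from a real management station.
SAMPLE_SECURE_LOG = """\
Mar 10 09:00:01 ms sshd[1201]: Failed password for alice from 10.0.0.5 port 50222 ssh2
Mar 10 09:00:20 ms sshd[1203]: Failed password for alice from 10.0.0.5 port 50223 ssh2
Mar 10 09:00:35 ms sshd[1205]: Failed password for alice from 10.0.0.5 port 50224 ssh2
Mar 10 09:00:40 ms sshd[1207]: Accepted password for alice from 10.0.0.5 port 50225 ssh2
Mar 10 09:00:52 ms sshd[1209]: Accepted password for alice from 10.0.0.5 port 50226 ssh2
Mar 10 09:05:00 ms sshd[1211]: Failed password for bob from 10.0.0.9 port 50300 ssh2
Mar 10 09:07:30 ms sshd[1213]: Failed password for bob from 10.0.0.9 port 50301 ssh2
Mar 10 09:09:00 ms sshd[1215]: Failed password for bob from 10.0.0.9 port 50302 ssh2
"""


def parse_line(line, year):
    """Return (timestamp, failed, user, source) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog-style timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["src"]


def analyse(log_text, year=2024):
    """Replay the log against the lockout policy and return the notable events in order."""
    events = []
    failures = defaultdict(deque)  # user -> timestamps of failures inside the reset window
    locked_until = {}              # user -> time the lockout expires

    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, failed, user, src = parsed

        # Forget failures older than failure_reset_interval (sliding window).
        window = failures[user]
        while window and (ts - window[0]).total_seconds() > FAILURE_RESET_INTERVAL:
            window.popleft()

        in_lockout = user in locked_until and ts < locked_until[user]
        if failed:
            window.append(ts)
            if len(window) >= MAX_FAILURES and not in_lockout:
                locked_until[user] = ts + timedelta(seconds=LOCKOUT_DURATION)
                events.append({"type": "lockout", "user": user, "src": src,
                               "at": ts, "until": locked_until[user]})
                window.clear()
        elif in_lockout:
            # A success inside the lockout window means the policy was not
            # enforced on this login path; that is the line to alert on.
            events.append({"type": "login_during_lockout", "user": user,
                           "src": src, "at": ts})
    return events


if __name__ == "__main__":
    for event in analyse(SAMPLE_SECURE_LOG):
        print(event)
```

In the constructed sample, alice fails three times within 34 seconds and is locked out until 09:00:45, yet an accepted login for her appears at 09:00:40, which the script reports; bob's three failures are spread more than 60 seconds apart, so the sliding window never reaches the threshold and he is not reported. Point the same function at the Loki export of /var/log/secure to check that what the logs show agrees with the configured policy.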