Home Explore Help
Sign In
RONCC
/
Dell-Omnia-Clusters-HPC-AI
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 9fb395a4f5
Branches Tags
Dell-Omnia-C...
/
docs
/
Security
/
ENABLE_SECURITY_MANAGEMENT_STATION.md

ENABLE_SECURITY_MANAGEMENT_STATION.md 18 KB
History Raw

Enabling Security on the Management Station

Omnia uses FreeIPA (on RockyOS) and 389ds(on Leap) to enable security features like authorisation and access control.

Note: For 389ds/SSSD to work, an external LDAP server has to be set up in your environment as Omnia does not configure LDAP.

Enabling Authentication on the Management Station:

Set the parameter 'enable_security_support' to true in base_vars.yml

Prerequisites Before Enabling Security:

  • Set hostname of management station to hostname.domainname format using the below command: hostnamectl set-hostname <hostname>.<domainname>

    Eg: hostnamectl set-hostname valdiationms.omnia.test Note:

    • The Hostname should not contain the following characters: , (comma), . (period) or _ (underscore). However, the domain name is allowed commas and periods.
    • The Hostname cannot start or end with a hyphen (-).
    • No upper case characters are allowed in the hostname.
    • The hostname cannot start with a number.

  • Add the set hostname in /etc/hosts using vi editor.

vi /etc/hosts

  • Add the IP of the management station with the above hostname using hostnamectl command in last line of the file.

    Eg: xx.xx.xx.xx

  • Enter the relevant values in login_vars.yml:

    • Parameter Name Default Value Additional Information
    ms_directory_manager_password Password of the Directory Manager with full access to the directory for system management tasks.
    ms_kerberos_admin_password "admin" user password for the IPA server on RockyOS. If LeapOS is in use, it is used as the "kerberos admin" user password for 389-ds
    • Enter the relevant values in security_vars.yml:
    Variables [Required/ Optional] Default, Accepted values Description
    domain_name omnia.test The domain name should not contain an underscore ( _ )
    realm_name OMNIA.TEST The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations
    * The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory).
    * The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com).
    max_failures 3 Failures allowed before lockout.
    This value cannot currently be changed.
    failure_reset_interval 60 Period (in seconds) after which the number of failed login attempts is reset
    Accepted Values: 30-60
    lockout_duration 10 Period (in seconds) for which users are locked out.
    Accepted Values: 5-10
    session_timeout 180 Period (in seconds) after which idle users get logged out automatically
    Accepted Values: 30-90
    alert_email_address Email address used for sending alerts in case of authentication failure. Currently, only one email address is supported in this field.
    If this variable is left blank, authentication failure alerts will be disabled.
    user Array of users that are allowed or denied based on the allow_deny value. Multiple users must be separated by a space. Accepted user value formats are: root, root@xx.xx.xx.xx.
    Note: If IPs are to be specified in the user value, ensure that every IP associated with the host (often 2 or more) in question is listed in the user list.
    Eg: For a host with IPs xx.xx.xx.xx and yy.yy.yy.yy where root is to be restricted, the user array will contain root@xx.xx.xx.xx root@yy.yy.yy.yy
    allow_deny Allow This variable sets whether the user list is Allowed or Denied.
    Accepted Values: Allow, Deny
    restrict_program_support false This variable sets whether the network services/protocols listed in restrict_softwares are to be blocked.
    restrict_softwares Array of services/protocols to be blocked by Omnia. Values are to be separated by commas.
    Accepted values: telnet,lpd,bluetooth,rlogin,rexec
    Non Accepted values: ftp,smbd,nmbd,automount,portmap

    Note: In the event that control_plane.yml fails after executing the control plane security tasks, sshd services will have to be restarted manually by the User.

    Limiting User Authentication over sshd

    Users logging into this host will can be optionally allowed or denied using an access control list. All users to be allowed or denied are to be listed in the variable user in security_vars.yml.

    Note: All users on the server will have to be defined manually. Omnia does not create any users by default.

    Session Timeout

    To encourage security, users who have been idle over 3 minutes will be logged out automatically. To adjust this value, update the session_timeout variable in security_vars.yml. This variable is mandatory.

    Restricting Program Support

    Optionally, different communication protocols can be disabled on the management station using the restrict_program_support and restrict_softwares variables. These protocols include: telnet,lpd,bluetooth,rlogin and rexec. Features that cannot be disabled include: ftp,smbd,nmbd,automount and portmap.

    Log Aggregation via Grafana

    Loki is a datastore used to efficiently hold log data for security purposes. Using the promtail agent, logs are collated and streamed via a HTTP API.

    Note: When control_plane.yml is run, Loki is automatically set up as a data source on the Grafana UI.

    Querying Loki

    Loki uses basic regex based syntax to filter for specific jobs, dates or timestamps.

    • Select the Explore Explore Icon tab to select control-plane-loki from the drop down.
    • Using LogQL queries, all logs in /var/log can be accessed using filters (Eg: {job=”Omnia”} )

    Viewing Logs on the Dashboard

    All log files can be viewed via the Dashboard tab (Dashboard Icon). The Default Dashboard displays omnia.log and syslog. Custom dashboards can be created per user requirements.

    Below is a list of all logs available to Loki and can be accessed on the dashboard:

    Name Location Purpose Additional Information
    Omnia Logs /var/log/omnia.log Omnia Log This log is configured by Default
    syslogs /var/log/messages System Logging This log is configured by Default
    Audit Logs /var/log/audit/audit.log All Login Attempts This log is configured by Default
    CRON logs /var/log/cron CRON Job Logging This log is configured by Default
    Pods logs /var/log/pods/ * / * / * log k8s pods This log is configured by Default
    Access Logs /var/log/dirsrv/slapd-/access Directory Server Utilization This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true')
    Error Log /var/log/dirsrv/slapd-/errors Directory Server Errors This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true')
    CA Transaction Log /var/log/pki/pki-tomcat/ca/transactions FreeIPA PKI Transactions This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true')
    KRB5KDC /var/log/krb5kdc.log KDC Utilization This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true')
    Secure logs /var/log/secure Login Error Codes This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true')
    HTTPD logs /var/log/httpd/* FreeIPA API Call This log is available when FreeIPA or 389ds is set up ( ie when enable_security_support is set to 'true')
    DNF logs /var/log/dnf.log Installation Logs This log is configured on Rocky OS
    Zypper Logs /var/log/zypper.log Installation Logs This log is configured on Leap OS