Omnia uses FreeIPA to enable security features like authorisation and access control.
To enable it, set the parameter 'enable_security_support' to true in base_vars.yml.
security_vars.yml
Parameter Name | Default Value | Additional Information |
---|---|---|
domain_name | omnia.test | The domain name should not contain an underscore ( _ ). |
realm_name | OMNIA.TEST | The realm name should follow the rules at https://www.freeipa.org/page/Deployment_Recommendations: it must not conflict with any other existing Kerberos realm name (e.g. the name used by Active Directory), and it should be the upper-case version (EXAMPLE.COM) of the primary DNS domain name (example.com). |
max_failures | 3 | Failures allowed before lockout. This value cannot currently be changed. |
failure_reset_interval | 60 | Period (in seconds) after which the number of failed login attempts is reset. Accepted values: 30-60 |
lockout_duration | 10 | Period (in seconds) for which users are locked out. Accepted values: 5-10 |
session_timeout | 180 | Period (in seconds) after which idle users get logged out automatically. Accepted values: 30-90 |
alert_email_address | | Email address used for sending alerts in case of authentication failure. If this variable is left blank, authentication failure alerts will be disabled. |
allow_deny | Allow | This variable sets whether the user list is allowed or denied. Accepted values: Allow, Deny |
user | | Array of users that are allowed or denied based on the allow_deny value. Multiple users must be separated by a space. |
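As an added pre-flight check (example code, not part of Omnia), the function below validates a security_vars.yml mapping against the constraints in the table above. It assumes the file has already been loaded into a dict (for example with a YAML library), treats the accepted ranges as inclusive, and uses constructed sample values.

```python
# Added example, not Omnia's own code: validate security_vars.yml values
# against the documented constraints before running the playbooks.
import re

# Accepted ranges from the security_vars.yml table (assumed inclusive)
RANGES = {
    "failure_reset_interval": (30, 60),
    "lockout_duration": (5, 10),
    "session_timeout": (30, 90),
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_security_vars(cfg: dict) -> list[str]:
    """Return the list of problems found; an empty list means the values are acceptable."""
    problems = []
    domain = str(cfg.get("domain_name") or "").strip()
    realm = str(cfg.get("realm_name") or "").strip()
    if not domain:
        problems.append("domain_name must be set")
    elif "_" in domain:
        problems.append("domain_name must not contain an underscore")
    if realm != realm.upper():
        problems.append("realm_name must be upper-case")
    if domain and realm and realm != domain.upper():
        problems.append("realm_name should be the upper-case form of domain_name")
    if str(cfg.get("max_failures", 3)) != "3":
        problems.append("max_failures cannot currently be changed from 3")
    for key, (lo, hi) in RANGES.items():
        val = cfg.get(key)
        if isinstance(val, bool) or not isinstance(val, int) or not lo <= val <= hi:
            problems.append(f"{key} must be an integer between {lo} and {hi}")
    email = str(cfg.get("alert_email_address") or "").strip()
    if email and not EMAIL_RE.match(email):
        problems.append("alert_email_address is not a valid email address")
    if cfg.get("allow_deny") not in ("Allow", "Deny"):
        problems.append("allow_deny must be 'Allow' or 'Deny'")
    return problems


def alerts_enabled(cfg: dict) -> bool:
    """A blank alert_email_address disables authentication-failure alerts."""
    return bool(str(cfg.get("alert_email_address") or "").strip())


# Constructed sample values, not taken from a real deployment
GOOD = {"domain_name": "omnia.test", "realm_name": "OMNIA.TEST", "max_failures": 3,
        "failure_reset_interval": 60, "lockout_duration": 10, "session_timeout": 90,
        "alert_email_address": "", "allow_deny": "Allow", "user": "alice bob"}
BAD = dict(GOOD, domain_name="omnia_lab.test", realm_name="omnia.test",
           session_timeout=200, lockout_duration=30, allow_deny="Permit")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, validate_security_vars(cfg) or "OK")
```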
login_vars.yml
Parameter Name | Default Value | Additional Information |
---|---|---|
ms_directory_manager_password | | Password of the Directory Manager, which has full access to the directory for system management tasks. |
ms_ipa_admin_password | | Password of the "admin" user for the IPA server. |
Loki is a datastore used to efficiently hold log data for security purposes. Using the promtail agent, logs are collated and streamed via an HTTP API.
Note: When control_plane.yml is run, Loki is automatically set up as a data source on the Grafana UI.
Loki uses a basic regex-based syntax to filter for specific jobs, dates or timestamps. /var/log can be accessed using filters (e.g. {job="Omnia"}). All log files can be viewed via the Dashboard tab. The default dashboard displays omnia.log and syslog. Custom dashboards can be created per user requirements.
Below is a list of all logs available to Loki that can be accessed on the dashboard:
Name | Location | Purpose | Additional Information |
---|---|---|---|
Omnia Logs | /var/log/omnia.log | Omnia Log | This log is configured by Default |
syslogs | /var/log/messages | System Logging | This log is configured by Default |
Audit Logs | /var/log/audit/audit.log | All Login Attempts | This log is configured by Default |
CRON logs | /var/log/cron | CRON Job Logging | This log is configured by Default |
Pods logs | /var/log/pods/*/*/*.log | k8s pods | This log is configured by default |
Access Logs | /var/log/dirsrv/slapd-/access | Directory Server Utilization | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true') |
Error Log | /var/log/dirsrv/slapd-/errors | Directory Server Errors | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true') |
CA Transaction Log | /var/log/pki/pki-tomcat/ca/transactions | FreeIPA PKI Transactions | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true') |
KRB5KDC | /var/log/krb5kdc.log | KDC Utilization | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true') |
Secure logs | /var/log/secure | Login Error Codes | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true') |
HTTPD logs | /var/log/httpd/* | FreeIPA API Calls | This log is available when FreeIPA is set up (i.e. when enable_security_support is set to 'true') |
DNF logs | /var/log/dnf.log | Installation Logs | This log is configured on Rocky OS |
Zypper Logs | /var/log/zypper.log | Installation Logs | This log is configured on Leap OS |