ENABLE_SECURITY_LOGIN_NODE.md 13 KB
Enabling Security on the Login Node
Note: For 389ds/SSSD to work, an external LDAP server has to be set up in your environment as Omnia does not configure LDAP.
Prerequisites Before Enabling Security:
Verify that the login node host name has been set. If not, use the following steps to set it.
- Set hostname of the login node to hostname.domainname format using the below command:
hostnamectl set-hostname <hostname>.<domainname>>>Eg:hostnamectl set-hostname login-node.omnia.test - Add the set hostname in
/etc/hostsusing vi editor.
vi /etc/hosts- Add the IP of the login node with the above hostname using
hostnamectlcommand in last line of the file.
Eg: xx.xx.xx.xx
- Set hostname of the login node to hostname.domainname format using the below command:
- The Hostname should not contain the following characters: , (comma), . (period) or _ (underscore). However, the domain name is allowed commas and periods.
- The Hostname cannot start or end with a hyphen (-).
- No upper case characters are allowed in the hostname.
- The hostname cannot start with a number.
- Set the following parameters in
omnia_security_config.yml - Ensure that
enable_secure_login_nodeis set to true inomnia_config.yml - RockyOS has Kernel Lockdown mode (Integrity) enabled by default
- SUSE/Leap allows users to set Kernel Lockdown mode to Confidentiality or Integrity.
Note:
| Variables [Required/ Optional] | Default, Accepted values | Description |
|---|---|---|
| domain_name | omnia.test | The domain name should not contain an underscore ( _ ) |
| realm_name | OMNIA.TEST | The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations * The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory). * The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com). |
| max_failures | 3 | Failures allowed before lockout. This value cannot currently be changed. |
| failure_reset_interval | 60 | Period (in seconds) after which the number of failed login attempts is reset Accepted Values: 30-60 |
| lockout_duration | 10 | Period (in seconds) for which users are locked out. Accepted Values: 5-10 |
| session_timeout | 180 | Period (in seconds) after which idle users get logged out automatically Accepted Values: 30-90 |
| alert_email_address | Email address used for sending alerts in case of authentication failure. Currently, only one email address is supported in this field. If this variable is left blank, authentication failure alerts will be disabled. |
|
| user | Array of users that are allowed or denied based on the allow_deny value. Multiple users must be separated by a space. Accepted user value formats are: root, root@xx.xx.xx.xx. Note: If IPs are to be specified in the user value, ensure that every IP associated with the host (often 2 or more) in question is listed in the user list. Eg: For a host with IPs xx.xx.xx.xx and yy.yy.yy.yy where root is to be restricted, the user array will contain root@xx.xx.xx.xx root@yy.yy.yy.yy |
|
| allow_deny | Allow | This variable sets whether the user list is Allowed or Denied. Accepted Values: Allow, Deny |
| restrict_program_support | false | This variable sets whether the network services/protocols listed in restrict_softwares are to be blocked. |
| restrict_softwares | Array of services/protocols to be blocked by Omnia. Values are to be separated by commas. Accepted values: telnet,lpd,bluetooth,rlogin,rexec Non Accepted values: ftp,smbd,nmbd,automount,portmap |
Limiting User Authentication over sshd
Users logging into this host will can be optionally allowed or denied using an access control list. All users to be allowed or denied are to be listed in the variable user in omnia_security_vars.yml.
Note: All users on the server will have to be defined manually. Omnia does not create any users by default.
Session Timeout
To encourage security, users who have been idle over 3 minutes will be logged out automatically. To adjust this value, update the session_timeout variable in omnia_security_vars.yml. This variable is mandatory.
Restricting Program Support
Optionally, different communication protocols can be disabled on the management station using the restrict_program_support and restrict_softwares variables in `omnia_security_vars.yml. These protocols include: telnet,lpd,bluetooth,rlogin and rexec. Features that cannot be disabled include: ftp,smbd,nmbd,automount and portmap.