Hardening and Customizations

BrickStor SP Admin Accounts

BrickStor SP provides a default Administrator account configured at installation. This account is configured with the privileges needed to perform most BrickStor SP administrative tasks. However, certain tasks, such as reboot, require full root privileges (for example, sudo reboot).

Configure Active Directory login for BrickStor SP Manager and Hub

Admin accounts can be configured to use Active Directory for authentication and authorization. These instructions assume the BrickStor SP is joined to the domain. For more information, see the BrickStor SP User Guide.

1. Obtain the DN (distinguishedName) of the domain group that will be allowed BrickStor SP management access. PowerShell example:

    Get-ADGroup -Identity "[groupName]" | Select-Object DistinguishedName

2. Edit the AdminGroups property in the /etc/racktop/bsrapid/bsrapid.conf file, adding the distinguishedName value from step 1 enclosed in quotes. Multiple values can be added, separated by commas. See the example below:

Example 1. Adding Admins group

    AdminGroups = ["bsradmins", "CN=Admins,OU=Groups,OU=MGT,DC=racktoplabs,DC=com"]

3. Restart the services hubd and bsrapid:

    svcadm restart bsrapid hubd

Password Restrictions

To better fit a company's password security regulations, BrickStor SP admins can configure the strength and expiration of passwords. Additionally, BrickStor SP prevents users from reusing the same password. Password restrictions are managed in the /etc/default/passwd file by providing the following options:

    PASSLENGTH=[characters]   The minimum number of characters that a password must contain
    MINDIFF=[characters]      Minimum number of characters in the new password that are distinct from the old password

Example 2. Configure passwords to require 8 or more characters and be at least 4 characters different from the previous password

    PASSLENGTH=8
    MINDIFF=4

Networking

The networking section provides security best practices related to the network configuration.

Configure Management Interface

By default, BrickStor SP management services are available on all of the system's IP addresses. It is good security practice to isolate management services from the data network(s) using VLANs or a designated network port. To configure management services to listen on a specific IP address:

These instructions assume the management IP address is configured and functioning correctly. For more information, see the BrickStor SP User Guide.

1. Using the BrickStor SP CLI, edit the ListenAddress and ListenAddressPub properties in the /etc/racktop/bsrapid/bsrapid.conf file. See the example below:

Example 3. Configure the bsrapid listen address

    ListenAddress = "192.168.1.2:8443"
    ListenAddressPub = "192.168.1.2:443"

2. Edit the ListenAddress property in the /etc/racktop/hubd/hubd.conf file under both the [Web] and [Connect] sections. See the example below:

Example 4. Configure the hubd listen address

    [Web]
    ListenAddress = "192.168.1.2"
    ...
    [Connect]
    ListenAddress = "192.168.1.2"

3. Restart the services hubd and bsrapid:

    svcadm restart hubd bsrapid

Log Forwarding

System Log

You can forward RFC 5424 compliant system logs to a log repository. Edit the following file with the proper endpoint:

    vi /etc/rsyslog.d/remote.conf

Example UDP configuration:

    *.* @192.168.1.123:514

Example TCP configuration:

    *.* @@192.168.1.123:514

With the UDP form (@), messages lost in transit are not retransmitted; the TCP form (@@) provides reliable delivery. Then restart the system-log service:

    svcadm restart system-log

User Behavior Activity Log

User Behavior activity can be forwarded to a SIEM or log centralization system for off-system processing and analysis.
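As an added check for the management interface step in the Networking section above (example code, not part of the BrickStor SP guide), the following POSIX shell script audits every ListenAddress value in bsrapid.conf and hubd.conf against the designated management IP. It assumes that an empty host part (such as ":8443") or 0.0.0.0 means the service binds every interface; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the BrickStor SP guide: verify the "listen on a
# specific IP address" step by auditing every ListenAddress* value in
# bsrapid.conf / hubd.conf against the designated management IP. Config text
# is passed in as a string so this runs offline; on the appliance pass
# "$(cat /etc/racktop/bsrapid/bsrapid.conf)" instead of the samples below.
# Assumption: an empty host part such as ":8443", or 0.0.0.0, means the
# service binds every interface, i.e. the default the guide says to avoid.

# Print one FINDING line per ListenAddress* value not bound to $2 (the
# management IP) and return 1; return 0 when every value matches.
check_listen_addresses() {
    conf="$1"; mgmt_ip="$2"; rc=0
    # Reduce the config to KEY=VALUE pairs, e.g.
    #   ListenAddress = "192.168.1.2:8443"  ->  ListenAddress=192.168.1.2:8443
    pairs=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*\(ListenAddress[A-Za-z]*\)[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1=\2/p')
    for pair in $pairs; do
        key=${pair%%=*}; value=${pair#*=}
        host=${value%:*}        # "192.168.1.2:8443" -> "192.168.1.2"; no port -> unchanged
        if [ -z "$host" ] || [ "$host" = "0.0.0.0" ]; then
            echo "FINDING: $key=\"$value\" binds all interfaces"; rc=1
        elif [ "$host" != "$mgmt_ip" ]; then
            echo "FINDING: $key=\"$value\" is not the management IP $mgmt_ip"; rc=1
        fi
    done
    return $rc
}

# Constructed samples, not real appliance files.
BSRAPID_HARDENED='ListenAddress = "192.168.1.2:8443"
ListenAddressPub = "192.168.1.2:443"'
BSRAPID_DEFAULT='ListenAddress = ":8443"
ListenAddressPub = ":443"'
HUBD_PARTIAL='[Web]
ListenAddress = "192.168.1.2"
[Connect]
ListenAddress = "0.0.0.0"'

# The hardened config passes; the other two are reported.
check_listen_addresses "$BSRAPID_HARDENED" 192.168.1.2 && echo "bsrapid hardened: OK"
check_listen_addresses "$BSRAPID_DEFAULT" 192.168.1.2 || echo "bsrapid default: NOT OK"
check_listen_addresses "$HUBD_PARTIAL" 192.168.1.2 || echo "hubd partial: NOT OK"
```

Run it again after the svcadm restart so that the check reflects the configuration the services actually loaded.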
To configure User Behavior Activity to forward to another host, edit the following configuration file: /etc/racktop/ubcollectd/ubcollectd.conf

    [Syslog]
    Protocol = "udp"
    Server = "<IP Address>:514"
    CertFile = ""
    Facility = "local0"
    Enabled = true

File Protocols

To restrict access to shares to dedicated network interfaces only, configure host-based access control.

SMB

BrickStor SP supports up to SMB version 3.0.2, and admins can enable, disable, and require signing and protocol encryption. Signing can slow down client connections because it requires more communication between the client and server; however, newer SMB clients are faster because they have reduced the number of communication responses. The storage admin can also set a minimum and a maximum protocol version.

The admin should set a minimum protocol version of 2.1 from the command line, using the following command:

    sharectl set -p min_protocol=2.1 smb

Enable SMB signing and encryption by running the following commands:

    sharectl set -p encrypt=enabled smb
    sharectl set -p signing_enabled=true smb

By requiring SMB signing and encryption, BrickStor SP will refuse unsigned connections or clients that cannot encrypt the protocol. Require SMB signing and encryption by running the following commands:

    sharectl set -p encrypt=required smb
    sharectl set -p signing_required=true smb

NFS Context Security Labels

From the myRack Manager user interface, admins can enable context security labels on NFS version 4.2 to enable Mandatory Access Control (MAC). This can be configured on a per-share basis or set globally from the command line to enforce it across all NFS shares. If using the system in an MLS environment, the minimum NFS server version should be set to 4.2.

Minimum NFS Server Protocol

Admins can configure the minimum protocol version to 3, 4, 4.1, or 4.2 for BrickStor SP as an NFS server. From the command line, run the following command:

    sharectl set -p server_versmin=<num> NFS

Example to set the minimum version to 4.1:

    sharectl set -p server_versmin=4.1 NFS

Key Manager

BrickStor SP's Key Manager can store the keys for Self-Encrypting Drives (SEDs) and dataset/volume encryption, or it can be configured to use an external key manager over KMIP. This must be configured before the use of SEDs or dataset encryption.

Data Encryption

BrickStor SP supports two levels of FIPS encryption: Self-Encrypting Drives and dataset/volume-level encryption. Self-Encrypting Drives must be enrolled into the system. Admins can do this from the BrickStor SP Manager's Rack View:

1. Click on any drive in Rack View.
2. Select the more option.
3. Click enroll.
4. (Optional) Select All Pools & Drives.

Once the drives are enrolled, they are displayed with a shield in the hardware view. The shield indicates the drive is enrolled and the FIPS ownership process has been completed. The system will now manage the drive encryption keys.

Media Sanitization

Drives can be crypto-erased in compliance with NIST purge standards from the command line using sedadm, or through the UI by selecting the drive(s) you wish to erase. The sedadm command needs to be run using its full path, as it is not in the default command search path.

Data Replication

Data can be replicated to another pool or system on a per-dataset basis. Data in flight is protected with TLS encryption. Datasets and volumes that are encrypted on the source will also be encrypted on the destination. These datasets are not mounted or decrypted on the destination during normal operations. To recover a file or snapshot on the destination, the decryption keys for encrypted datasets and volumes must be imported on the destination system. Replication supports automatically forwarding keys, and this is configurable on a per-dataset basis.

Telemetry Information

BrickStor SP includes features for sending telemetry data automatically to the myRackTop cloud for improved support. This information stream can be disabled with the following steps:

1. Edit the file /etc/racktop/myrackd/myrackd.conf and change the line below:

    DisableMyrack = true

2. Then restart the myrackd service:

    svcadm restart myrackd

Online Update Support

BrickStor SP checks for online updates daily on Internet-connected systems. To disable this, perform the following steps:

1. Edit the file /etc/bsrupdated/bsrupdated.conf and change the line below:

    DisableUpdateServer = true

2. Then restart the bsrupdated service:

    svcadm restart bsrupdated

Timing

It is important to have consistent time across all systems for security and event logs. BrickStor SP should be connected to an NTP time source. By default, the system will use Active Directory as the time source after a domain join. However, NTP can be configured to point to any compatible time source. The system uses the selected time source and time zone for all log information. However, the GUI adjusts the times to the local time zone set on the desktop that launched the GUI.

Active Directory/LDAP

BrickStor SP can be joined to Active Directory and LDAP servers to support user and group permissions.

User Behavior Auditing

User Behavior Auditing can be enabled on a per-dataset basis. The log provides the identity, source IP address, file path, file protocol, and operation. It can also record permission changes.

Open Network Port Requirements

By default, the following ports are open to allow BrickStor SP to take advantage of various features and functionality. The following table lists these ports.

Table 1. BrickStor SP Open Network Port Requirements

Ports           Service       Protocol  Direction      Purpose
22              SSH           TCP       bidirectional  Receive management and replication data
22, 8444, 8544  Replication   TCP       outbound       Send replication
25, 587         mail          TCP       outbound       Send notification emails
53              DNS           UDP       bidirectional  Domain Name Service
88              Kerberos      UDP       outbound       Authentication
111             NFS/rpc       TCP/UDP   bidirectional  NFS client access
123             NTP           UDP       bidirectional  Time synchronization
139, 445        SMB           TCP/UDP   inbound        SMB/CIFS client access
161             SNMP          UDP       bidirectional  Monitoring with SNMP
162             SNMP traps    UDP       outbound       Sending alerts to SNMP stations
389, 636        LDAP          TCP/UDP   outbound       Access to directory service servers
443             HTTPS         TCP       outbound       Call Home for software updates (https://myracktop.com)
443             HTTPS         TCP       inbound        RMM/iLO out-of-band management
443             hiavd         TCP       outbound       High Availability Windows Witness
514             syslog        TCP/UDP   outbound       Logging
623             RMCP          TCP/UDP   inbound        HA power/IPMI access
2049            NFS/portmap   TCP/UDP   inbound        NFS client access
2379, 2380      confd         TCP       inbound        Configuration database
3205, 3260      iSCSI         TCP       inbound        iSCSI client/initiator access
4045            NFS/lockmgr   TCP/UDP   inbound        NFS client access
4746            hiavd         TCP       bidirectional  High Availability (between HA nodes)
5696, 8445      KMIP          TCP       outbound       Access to key management server
5697            keymgrd       TCP       bidirectional  Key replication/sync
5699            bsrlicensed   TCP       bidirectional  HA license check
8000            hubd          TCP       inbound        Allows external appliances to connect to hub local (TLS)
8086, 8088      influxdb      TCP       inbound        Used for BrickStor SP Manager (charts)
8123            hubd          TCP       inbound        Web access to hub local admin interface (HTTPS)
80, 443, 8443   bsrapid       TCP       inbound        Used for BrickStor SP Manager (http/https)

ICMP echo (ping) is required between all HA nodes, including the Witness. Port 4746 for hiavd relates to the first instance of hiavd. If there is a second instance of hiavd running on a witness, then port 4747 must be opened as well. The Nth instance of hiavd will be at port 4745+N, and so on. The same logic is used for confd. Enable IPv4 ICMP echo so that all nodes in the cluster can ping each other.
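As an added verification for Table 1 and the hiavd port rule above (example code, not part of the BrickStor SP guide), the following POSIX shell script lists TCP ports in LISTEN state on a node that are not among the documented inbound/bidirectional TCP ports. The listener listing is constructed inline; the netstat trimming on a real node is left to the reader.

```shell
#!/bin/sh
# Added example, not part of the BrickStor SP guide: report TCP ports in
# LISTEN state that are not among the inbound/bidirectional TCP ports of
# Table 1 (plus the hiavd ports from the 4745+N rule). The listener list is
# constructed inline as "port state" pairs, the shape you get by trimming
# `netstat -an -f inet` output on the appliance, so this runs offline.
# Inbound/bidirectional TCP ports from Table 1, excluding hiavd (4746),
# which depends on the instance count. 443 covers bsrapid and RMM/iLO.
EXPECTED_TCP="22 80 111 139 443 445 623 2049 2379 2380 3205 3260 4045 5697 5699 8000 8086 8088 8123 8443"

# Port of the Nth hiavd instance: 4745+N, so instance 1 is 4746.
hiavd_port() { echo $((4745 + $1)); }

# EXPECTED_TCP plus the ports of the first $1 hiavd instances.
expected_ports() {
    n=1; list="$EXPECTED_TCP"
    while [ "$n" -le "$1" ]; do
        list="$list $(hiavd_port "$n")"; n=$((n + 1))
    done
    echo "$list"
}

# Print each LISTEN port in $1 ("port state" lines) that is not expected on
# a node running $2 hiavd instances; lines in other states are ignored.
unexpected_listeners() {
    allowed=" $(expected_ports "$2") "
    printf '%s\n' "$1" | while read -r port state; do
        [ "$state" = "LISTEN" ] || continue
        case "$allowed" in
            *" $port "*) ;;          # documented in Table 1 or a hiavd instance
            *) echo "$port" ;;
        esac
    done
}

# Number of unexpected listeners (0 when the node matches Table 1).
count_unexpected() { unexpected_listeners "$1" "$2" | awk 'END { print NR }'; }

# Constructed sample: two services not in Table 1 (23, 8080) and a second
# hiavd instance (4747), which is legitimate only on a node running two.
SAMPLE_LISTENERS='22 LISTEN
445 LISTEN
8443 LISTEN
4746 LISTEN
4747 LISTEN
23 LISTEN
8080 LISTEN
514 ESTABLISHED'

echo "unexpected (1 hiavd): $(unexpected_listeners "$SAMPLE_LISTENERS" 1 | tr '\n' ' ')"
echo "unexpected (2 hiavd): $(unexpected_listeners "$SAMPLE_LISTENERS" 2 | tr '\n' ' ')"
```

UDP services (SNMP, NTP, DNS) are deliberately outside this check; extend EXPECTED_TCP with a separate UDP list if you audit those too.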