R MOD 01-Unisphere Security and Basic Management

Unisphere Security and Basic Management
Upon completion of this module, you should be able to:

List Unisphere security features
Describe Unisphere authentication using LDAP
Audit Control Station events
Explain VNX system notification methods and
event monitoring
Implement Unisphere Security
Copyright 2014 EMC Corporation. All Rights Unisphere Security and Basic Management 1
Unisphere Security and Basic
Management
Lesson 1: Unisphere and CLI interfaces

This lesson covers the following topics:
VNX administration
Unisphere interface navigation
Command Line Interface (CLI) for File and Block
access
VNX Administration
Administration performed via GUI or CLI connection
to VNX
Unisphere GUI
CLI to Control Station (for File) or Host Secure CLI (for
Block)
EMC Unisphere
Enter the IP
address of the VNX
Control Station or
Storage Processor
Browser session
Unisphere
VNX Client
Unisphere Interface Terms and Components (1
of 8)
1
1
3 2
2
3
Expand
Main Pane
1. Top Navigation
Bar
2. Task Pane
3. Main Pane Expand
Task
Pane
of 8) 1
1 2
2
Hide
Navigation Task Menu
breadcrum
b
1. Toolbar Search Expand

Task
Option Menu
2. General Options
Logged
User
of 8)
TTTTTTTTTTTTTTTTTTTTTT
Mouse over an option of the

Top Navigation Bar opens
Right-click of mouse over a a submenu
query selection opens
menu with actions for
selected object
of 8)
Tools
Page
Help
Export to CSV
file
Refresh the
Page
of 8)
of 8)
Mouse cursor over field
name
Wait for pop-up
description
Quick answers for
simple usability
questions
Example:
User is creating a NFS
Export for a File System
(discussed later on this
course)
The Create NFS
export dialog box
opens with data form
Mouse cursor was Unisphere Security and Basic Management 10
Copyright 2014 EMC Corporation. All Rights
of 8)
Wizards
Generates pop-up window
Simplified step walk through
Designed for novice users
Further modification and management
done using Navigation and Task pages
VNX for File Command Line Interface (CLI)
Used for the completion of most administrative
tasks
Primary function: scripting of repetitive tasks
CLI can be accessed in the Control Station (CS)
Local access available directly at the Control Station
console
Remote access available via an SSH interface tool like
PuTTy
Approximately 80 Linux-like commands.
CS runs an EMC-customized Linux
Data Movers (DM) do not have CLI
Commands are entered from CS
CS route the commands to
Data Movers
Storage Systems
VNX for File CLI Commands
cel_ commands
Execute to remotely-linked VNX for File systems
cs_ commands
Execute to the local Control Station
fs_ commands
Execute to the specified file system
nas_ commands
Execute to the Control Station database
server_ commands
Execute directly to a Data Mover
Unisphere Integration with VNX for File CLI
Integration with Command Line Interface (CLI)
VNX for File CLI commands can be executed via GUI
interface
Only one command at a time
VNX for Block Command Line Interface (CLI)
Secure CLI is a comprehensive VNX CLI for Block solution
Client application installed on supported Windows, Linux /Unix hosts
Commands consist of naviseccli command and options
Commands: Storage connectivity/provisioning, and management, LUN
compression/expansion/migration, storage domain/host agents
SP Setup Page
Management
Lesson 1: Summary
During this lesson the following topics were covered:
VNX administration
Unisphere interface navigation
Command Line Interface (CLI) for File and Block
access
Management
Lesson 2: Unisphere Security Features

VNX Administrative user authentication
Unisphere Security Features
Unisphere authentication scopes
Unisphere user roles for system administration
VNX Management Access Security
Different management applications with access to
VNX system
Access limited to authorized users and applications
Authentication
Identify user making a request
Authorization
Determine if user has the right to exercise the request
Privacy
Avoid unauthorized disclosure of information to user
Trust
Verify the identity of the communication parties
Audit
Record of activities performed by authenticated user
VNX Administration Security
Login
VNX access via GUI or CLI interfaces require user

authentication
Administrative options for
Unique administrative user accounts
Role based administration
Secure authentication and management
SSL/TLS &SSH
Administrative Authentication Scope
Authentication Scopes
Global Storage Domain
Local
LDAP Global
Global
User
Login Local Local

User
LDAP
User
LDAP
LDAP Server
VNX Default Management Accounts
VNX for File and Unified systems default
management accounts
Account Description
VNX for File local account which provides
root
administrator level privileges on the CS
VNX for File local account which provides
nasadmin
administrator level privileges on the CS
Global system account which provides
sysadmin administrator level privileges for both VNX for File
and VNX for Block
VNX for Block systems do not have default factory

installed management accounts
A global account can be created during initialization
or first login
Administrative Roles
Areas of Administrative System-defined roles
responsibility Cannot be
Privileges to VNX object modified/deleted
Read/Modify/Full Control User-defined role
Associated to Users Custom configured
Primary group
Roles apply to GUI &
CLI
Unisphere SSL/TLS Certificates
Certificates secure VNX network
links for:
Management Client VMware
LDAP bindings Software ESXi
Establishing a trusted identity
PKI encoding and decoding
Default self-signed certificates
SPA, SPB & Control Station
2048 bit RSA keys
Generate Data Mover self-signed
certificates FileMover
LDAP
Configure CA-signed certificates SSL/TLS
SPA, SPB & Data Movers Management
VNX Log Auditing
Audit Logging on a VNX for Block system
Check for suspicious activity logged on the VNX SPs
Provides information on the affected SPs and the
associated hosts
Auditing on a VNX for File system
Capture management activities initiated from the
Control Station
Verify access to key system files and end-user data
Integration with RSA enVision
Application provides collection, analysis and reporting
of administrative events logged by the VNX storage
systems
Management
Lesson 2: Summary
VNX Administrative user authentication
Unisphere authentication scopes
Unisphere Security features
Unisphere user roles for system administration
Monitoring
Lesson 3: Unisphere Authentication using LDAP

VNX integration with LDAP for management
Binding the Control Station and SPs to LDAP
Configuring group mappings
Assigning administrative roles to LDAP users
Configuring LDAP Authentication Overview
Configure LDAP binding to LDAP server
Map a VNX Administrative Role to an LDAP Group
VNX creates Local group and maps it to LDAP Group
LDAP-based Domains
Microsoft AD
iPlanet
1 LDAP OpenLDAP
Binding
2 Role to Group
mapping
Group 3
mapping
Configuring LDAP Binding: Part 1
Settings > Security
From System Tasks pane Manage LDAP Domain
Server tab
IP address & port number
Server Type and Protocol
Domain Name
BindDN and Password
User and Group search Paths
Configuring LDAP Binding: Part 2
Role Mapping tab Advanced tab
For LDAP Group object Customize various LDAP
Domain group or user attributes
name
Role for user or group
Automatic LDAP Group Mapping
New local group automatically created on VNX
Automatic mapping between new local group and
LDAP domain group
Members of LDAP group granted administrative rights
for role
LDAP User Login
GUI Login
LDAP Credentials
Username/Password
Select Use LDAP option
CLI Login to Control
Station
LDAP credentials
Username format:
<username>@<domain name>
login as: ptesca@corp.hmarine.com

ptesca@corp.hmarine.com@10.127.57.130's password:*******
[ptesca@VNX3cs0
[ptesca@VNX3cs0 ~]$
~]$
Management
Lesson 3: Summary
Integration of VNX with LDAP domains and users
How to bind the Control Station and SPs to LDAP
Configuration of Group mappings
Assignment of Administrative Roles to LDAP users
Management
Lesson 4: Control Station Auditing

Auditing the administrative access to the Control
Station
Auditing events
Control Station audit commands, creation of logs
and reports
Auditing on the VNX Control Station
The purpose of auditing is to record the security-
relevant events that happen on a system
Provides information about who initiated the event
and the events affect on the system (e.g., success or
failure)
Auditing is driven by several factors including
compliance concerns and basic system
management
Auditing is enabled by default
Default Audit Events
Defined in /etc/audit/audit.rules
Root file system access by Administrators
A list of sensitive system files
Changes to the audit infrastructure
Users authenticating to the system
Record Types
Several main record types associated to audit
events
The main record types are listed on the table below
Record
Description
Type
SYSCALL Information associated with a system call invocation
PATH Information about a file being accessed
CWD The current working directory of the process
USER_XX
Events associated with a user authenticating to the system
XX
FS_WATC Associated with accessing a file system object that has an explicit watch
H placed on it.
Audit Commands
Native Linux commands
No VNX specific commands
Man pages
Requires root permissions
/sbin/auditctl
Controls the kernels audit subsystem
/sbin/ausearch
For reading the audit trail
/sbin/aureport
Produces summary reports of audit logs
/sbin/service auditd
Controls the audit subsystem
Options: start, stop, status, restart, reload, rotate,
condrestart
Audit Control
Configure Audit behavior - /sbin/auditctl
Example shows abbreviated output of this command
# help -h
# ./auditctl
./auditctl -h
usage:
usage: auditctl
auditctl [options]
[options]
-a <l,a>
-a <l,a> Append
Append rule
rule to
to end
end of
of <l>ist
<l>ist with
with <a>ction
<a>ction
-A <l,a>
-A <l,a> Add
Add rule
rule at
at beginning
beginning of
of <l>ist
<l>ist with
with <a>ction
<a>ction
-b <backlog>
-b <backlog> Set
Set max
max number
number of
of outstanding
outstanding audit
audit buffers
buffers
allowed
allowed Default=64
Default=64
-d
-d <l,a>
<l,a> Delete
Delete rule
rule from
from <l>ist
<l>ist with
with <a>ction
<a>ction
l=task,entry,exit,user,watch,exclude
l=task,entry,exit,user,watch,exclude
a=never,possible,always
a=never,possible,always
-D
-D Delete
Delete all
all rules
rules and
and watches
watches
-e
-e [0..2]
[0..2] Set
Set enabled
enabled flag
flag
-f
-f [0..2]
[0..2] Set
Set failure
failure flag
flag
0=silent 1=printk
0=silent 1=printk 2=panic
2=panic
-F f=v
-F f=v Build rule:
Build rule: field
field name,
name, operator(=,!=,<,>,<=,
operator(=,!=,<,>,<=,
>=,^,&)
>=,^,&) value
value
-h
-h Help
Help
Viewing Audit Log
Reading the audit trail - /sbin/ausearch
Example shows file system paths accessed
Output below is abbreviated.
#
# /sbin/ausearch
/sbin/ausearch -i
-i -m
-m PATH
PATH |grep
|grep cwd
cwd
type=CWD
type=CWD msg=audit(04/28/2011
msg=audit(04/28/2011 09:05:08.909:8442)
09:05:08.909:8442) :
: cwd=/nbsnas/server
cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.911:8443)
09:05:08.911:8443) :
cwd=/nbsnas/server
09:05:08.914:8444) :
cwd=/nbsnas/server
type=CWD
msg=audit(04/28/2011 09:05:08.916:8445)
09:05:08.916:8445) :
cwd=/nbsnas/server
type=CWD
msg=audit(04/28/2011 09:05:08.917:8446)
09:05:08.917:8446) :
cwd=/nbsnas/server
type=CWD
msg=audit(04/28/2011 09:05:08.974:8447)
09:05:08.974:8447) :
cwd=/nbsnas/server
type=CWD
msg=audit(04/28/2011 09:05:08.975:8448)
09:05:08.975:8448) :
cwd=/nbsnas/server
type=CWD
msg=audit(04/28/2011 09:10:01.119:8472)
09:10:01.119:8472) :
: cwd=/home/nasadmin
cwd=/home/nasadmin
type=CWD
msg=audit(04/28/2011 09:10:01.120:8473)
09:10:01.120:8473) :
cwd=/home/nasadmin
type=CWD
msg=audit(04/28/2011 09:10:01.132:8475)
09:10:01.132:8475) :
cwd=/home/nasadmin
09:10:01.133:8476) :
cwd=/home/nasadmin
09:10:01.137:8477) :
cwd=/home/nasadmin
Creating Audit Reports
Generating Audit Summary Reports - /sbin/aureport
Example shows Authentication Report
# ./sbin/aureport auth
#
Authentication Report
Authentication Report
============================================
============================================
#
# date
date time
time acct
acct host
host term
term exe
exe success
success event
event
============================================
============================================
1.
1. 04/28/2011
04/28/2011 07:30:04
07:30:04 acct="sysadmin
acct="sysadmin ?? ?
? /nas/sbin/change_passwd
/nas/sbin/change_passwd no
no 2803462
2803462
2.
2. 04/28/2011
04/28/2011 07:30:06
07:30:06 acct="root
acct="root ?
? ?
? /nas/sbin/change_passwd
no 2803522
2803522
3.
3. 04/28/2011
04/28/2011 07:30:08
07:30:08 acct="itechi
acct="itechi ?
? ?? /nas/sbin/change_passwd
no 2803547
2803547
4.
4. 04/28/2011
04/28/2011 07:34:52
07:34:52 acct="nasadmin
acct="nasadmin 10.12.247.3
10.12.247.3 ssh
ssh /usr/sbin/sshd
/usr/sbin/sshd yes
yes 54
54
5.
5. 04/28/2011
04/28/2011 07:35:09
07:35:09 acct="root
acct="root ?
? pts/0
pts/0 /bin/su
/bin/su yes
yes 256
256
Audit Backups
Audit logs are located in /celerra/audit
Backup of auditing configuration files and current
audit log file
To backend: /nas/var/auditing/
Each Control Station synched every 180 seconds
/nas/var/auditing/cs0/
/nas/var/auditing/cs1/
If Control Station in slot 0 is replaced, recovery code
will restore the audit configuration files
Slot 1 auditing configuration is restored manually
# ls /nas/var/auditing/
cs0 lost+found
# ls /nas/var/auditing/cs0
auditd.conf audit.log audit.rules
Management
Lesson 4: Summary
Auditing the administrative access to the Control
Station
Events that can be configured for auditing
Control Station audit commands used for the
creation of logs and reports
Management
Lesson 5: Notification Methods and Event

Monitoring
Unisphere monitoring features
Event logs for VNX system activities
Event monitor operations
Event monitor notifications
Unisphere System Monitoring
System > Monitoring and Alerts >
Unisphere Monitoring: Alerts
System > Monitoring and Alerts > Alerts
Unisphere Monitoring: Background Tasks for
File
System > Monitoring and Alerts > Background
Tasks for File
Unisphere Monitoring: Event Logs for File
VNX for File related

events
Messages from Data
Mover or Control
Station
Selected time interval
and severity level
Right-click the mouse
over selection and
select details
Unisphere Monitoring: SP Event Logs
VNX for Block related events
Events logged on the Storage Processor
Unisphere Monitoring: Notifications for File
System Event Notification: Facility, Severity, Action, Destination
System Resource Utilization: Storage usage, Storage Protection, DM load
Events Description
Query
Facility Facility value must match this value to
trigger notification
Severity Severity level that will trigger the
notification:
0, 1, and 2 Critical
3 Error
4 Warning
4, 6 informational
Action Action that must be taken if event meet
Facility and Severity criteria.
Destination Destination of notification.
Format depends on type of action:
- Absolute path on CS for log file
- Single SNMP trap
- Comma separated e-mail addresses
(SMTP)
Unisphere Monitoring: Notifications for Block
Creation and Centralized or Distributed Monitors
Creation and Configuration of Notification templates
Event Severity: Information, Warning, Error, Critical
Event Category: Basic Array, MirrorView, SnapView, SAN
Copy, NQM, Alerts, Virtual Provisioning, VNX Snapshots
Actions: Logs, Combine events, add response, e-mail
notification, paging service, SNMP trap
Unisphere Monitoring: Statistics for File
Graphics with info about usage and performance

File System
Storage
Network device
Change of parameters for visualization and Flexible
navigation
Unisphere Monitoring: Statistics for Block
Unisphere Analyzer
Management
Lesson 5: Summary
Unisphere monitoring features
Event logs for VNX system activities
Event monitor operations
Event monitor notifications
Management
Lesson 6: Implementing Unisphere Security

Configuring storage domain management of VNX
systems
Configuration of administrative users and
assignment of administrative roles
Creating email notifications
Setting notifications for various severity levels
Unisphere Storage Domains
All Systems > Domains
Each VNX is its own storage domain
Domain members: SPA, SPB, Control Station
System managed by Unisphere session to any member
Global user account
sysadmin: Administrative role
Storage Domain
SPA SPB
CS
Multi-Domain Management
All Systems > Domains
Adding a VNX System to Domain
All Systems > System List > Add
SP IP
Address
Creating New Administrative Users
Settings > Security > User Management
Requires Administrator or Security Administrator role
Global users
Local users
For File
For Block
Assigning Administrative Roles
Settings > Security > User Management > User Customization for File
> Users > Properties
Primary Group
Group Role
Membership
Client Access
VNX Email Notifications: Email User
Setup email account
VNX Notifications: Create Notifications for File
Create event to monitor
Select recipient of notification
Event Monitoring Configuration
1. Event Monitor Type

Distributed
Centralized
2. Selection of hosts to
monitor
3. Events by Category
Basic Array
MirrorView
SnapView
SAN Copy
Alerts
VNX Snapshots
4. Severity
Critical
Error
Warnings
Informational
5. Response
Send e-mail
Send SNMP trap
Management
Lesson 6: Summary
Configuring and management of storage domain
Configuration of administrative users and
assignment of administrative roles
Setting email notifications
Setting notifications for File for various severity
levels
Summary
Key points covered in this module:
VNX provides multiple interface options, including
VNX Unisphere and CLI
Unisphere supports Global, Local, and LDAP
authentication Options, as well as built-in
management accounts. Default and custom
administrative roles help to control management
access.
Control Station auditing can be used to manage
desired events.
Unisphere monitoring and notification can also be
used to manage and report on events.

R MOD 01-Unisphere Security and Basic Management

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

R MOD 01-Unisphere Security and Basic Management

Uploaded by

Copyright:

Available Formats

Unisphere Security and Basic Management

Upon completion of this module, you should be able to:

Lesson 1: Unisphere and CLI interfaces

1. Toolbar Search Expand

Mouse over an option of the

Lesson 2: Unisphere Security Features

VNX access via GUI or CLI interfaces require user

Login Local Local

VNX for Block systems do not have default factory

Lesson 3: Unisphere Authentication using LDAP

login as: ptesca@corp.hmarine.com

Lesson 4: Control Station Auditing

Lesson 5: Notification Methods and Event

VNX for File related

Graphics with info about usage and performance

Lesson 6: Implementing Unisphere Security

1. Event Monitor Type

You might also like