Data Domain - System hardening and best practices guide
Summary: The hardening process is twofold. Traditionally, customers looking to harden a system do so either because they are under a mandate or because they practice secure computing. These tables provide both the hardening procedures and the mitigation steps to comply with the federal Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) on the device. The information in this guide relates to our latest DDOS release, 7.10. ...
Instructions
| Description | Hardening recommendation |
|---|---|
| Change the default password. | Log in as sysadmin and run `# user change password`. |
| Configure frequent password rotation according to the company's password policy. | Follow the company password policy to set the default password aging policy:<br>`# user password aging option set {[min-days-between-change <days>] [max-days-between-change <days>] [warn-days-before-expire <days>] [disable-days-after-expire <days>]}` |
| Configure a strong password policy. | Set a user password strength policy:<br>`# user password strength set {[min-length <length>] [min-character-classes <num-classes>] [passwords-remembered <0 - 24>] [min-positions-changed <min-positions>]}`<br>Password recommendations: |
| Enable security officer. | Add a security officer role user, force a password change, and enable the Authorization Policy. Use the `user add` command to add the security officer as a `security` role user:<br>`# user add <user> [uid <uid>] [role {admin \| limited-admin \| security \| user \| backup-operator \| none}] [min-days-between-change <days>] [max-days-between-change <days>] [warn-days-before-expire <days>] [disable-days-after-expire <days>] [disable-date <date>] [force-password-change {yes \| no}]`<br>Set `force-password-change` to `yes` when adding the security officer account. Then log in as the security officer and run `# authorization policy set security-officer enabled`. |
| Use limited-admin for day-to-day operation instead of admin or sysadmin. | Add a limited-admin role user and set a password different from that of the sysadmin/admin role users:<br>`# user add <user> [uid <uid>] [role {admin \| limited-admin \| security \| user \| backup-operator \| none}] [min-days-between-change <days>] [max-days-between-change <days>] [warn-days-before-expire <days>] [disable-days-after-expire <days>] [disable-date <date>] [force-password-change {yes \| no}]` |
| Change the password of the security officer that is created by sysadmin. | Log in as the security officer and run `# user change password`. |
| Use a client list to restrict access to required hosts only. | For SSH:<br>● Add an SSH host: `# adminaccess ssh add <host-list>`<br>● Delete hosts from the SSH list: `# adminaccess ssh del <host-list>`<br>For HTTP and HTTPS:<br>● Add an HTTP/HTTPS host: `# adminaccess http add <host-list>`<br>● Delete hosts from the HTTP/HTTPS list: `# adminaccess http del <host-list>`<br>NOTE: Do not use a wildcard character that enables access for any user. Type individual IP addresses or client names instead. |
| Remove static-key TLS cipher suites. | By default, static-key ciphers are supported, which causes security scanners to report the "Weak cipher suites were detected: Perfect Forward Secrecy is not supported" vulnerability. Configure the TLS cipher-list to remove support for static-key ciphers. From DDOS 7.7, the cipher-list can be modified to support only cipher suites with perfect forward secrecy by running the following command:<br>`# adminaccess option set cipherlist DHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256` |
| Monitor syslog to watch user creation and other sensitive activities in the system. | ● Configure and forward logs to a syslog server.<br>● Monitor the audit log and access log. See the DDOS Command Reference Guide for more information.<br>○ `# log view access-info`<br>○ `# log view audit-info`<br>● Consider writing a script that runs the above commands several times a day and reports any suspicious activities.<br>● Pay close attention to sensitive and rarely used commands related to user access management and network settings, including time settings.<br>● Monitor authentication and authorization failures in particular.<br>● Monitor all operations that require a password.<br>● Monitor destruction operations and any failures and repeated attempts.<br>● It is highly recommended to write searches and dashboards to view the forwarded log information, and to set up alert rules on your log server. |
| Provide security officer credentials different from sysadmin. | Set different passwords for sysadmin, admin role users, and the security officer. |
| No single person should know the sysadmin and security officer credentials. | It is recommended to have different persons as sysadmin and as security officer. |
| Use certificates issued by the data center. | DD systems come with self-signed certificates. It is recommended to import the certificates from your data center. |
| Use netfilter to disable ports if not required. | For example, disable ports 111 and 2049 if DD Boost is not in use. |
| Do not enable telnet. | Disable telnet by running `# adminaccess disable telnet`. |
| Use FTPS and SCP, but not FTP. | FTP is disabled by default. Use FTPS and SCP, but not FTP. |
| Use SNMP v3 when SNMP is configured. | When SNMP is configured, enable SNMPv3. Ensure SNMPv1 and SNMPv2c are disabled. |
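As an added local check for the cipher-list row above (example code, not part of this guide or of DDOS), the following Python script verifies that an OpenSSL-style colon-separated cipher-list contains only suites with an ephemeral (EC)DH key exchange, and lists any static-key suites a scanner would flag, before the list is pasted into the `adminaccess option set cipherlist` command. The list constant is the one from the guide; the second list in the `__main__` block is a constructed counter-example.

```python
"""Sanity-check an OpenSSL-style cipher-list for perfect forward secrecy (PFS).

Added example for the DDOS cipher-list hardening row. It never contacts the DD
system; it only checks a cipher string before you paste it into
'adminaccess option set cipherlist ...'.
"""

# PFS-only cipher-list from the guide (DDOS 7.7 and later), as one string.
PFS_CIPHER_LIST = (
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Ephemeral key-exchange prefixes in OpenSSL suite names ("EDH-" is the legacy
# spelling of DHE). Anything else in a TLS 1.2 list, e.g. "AES256-SHA" (static
# RSA key exchange) or "ECDH-RSA-..." (static ECDH), does not provide PFS.
# Keyword groups such as "HIGH" are also flagged, since they may expand to
# static-key suites; spell the suites out explicitly, as the guide does.
EPHEMERAL_KEX_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def suites(cipher_list):
    """Split a colon-separated cipher-list, dropping empty entries and
    exclusion rules such as '!RC4' (an exclusion cannot enable a suite)."""
    return [s for s in cipher_list.split(":") if s and not s.startswith("!")]


def non_pfs_suites(cipher_list):
    """Return the enabled suites that do not use an ephemeral (EC)DH exchange."""
    return [s for s in suites(cipher_list)
            if not s.startswith(EPHEMERAL_KEX_PREFIXES)]


def is_pfs_only(cipher_list):
    """True when every enabled suite provides perfect forward secrecy."""
    return non_pfs_suites(cipher_list) == []


def report(cipher_list):
    """One-line verdict suitable for a pre-change review."""
    bad = non_pfs_suites(cipher_list)
    if not bad:
        return "OK: all %d suites use ephemeral key exchange" % len(suites(cipher_list))
    return "WARNING: static-key suites present: " + ", ".join(bad)


if __name__ == "__main__":
    print(report(PFS_CIPHER_LIST))
    # Constructed list a scanner would flag (not from the guide).
    print(report("ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA"))
```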
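The monitoring row above suggests scripting a periodic review of the forwarded audit log. The following Python triage script is an added example, not part of this guide; the line format it parses is an assumed, constructed one (real DDOS audit and access log lines differ), so adapt `LINE_RE` to what your syslog server actually receives. It flags the categories the row calls out: user-management commands, network and time settings, authentication failures, destructive operations, and repeated failures from one user and source.

```python
"""Triage forwarded DD audit log lines for the activities the guide says to watch.
Added example, not part of the guide. The line format is ASSUMED and constructed
(real DDOS audit/access log lines differ); adapt LINE_RE to your syslog feed:
  <ts> <host> audit: user=<name> src=<ip> cmd="<command>" result=<success|failure>
SAMPLE_LOG below is constructed sample data, not real log output.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) src=(?P<src>\S+) '
    r'cmd="(?P<cmd>[^"]*)" result=(?P<result>success|failure)$')

# Sensitive, rarely used command families called out in the guide (assumed prefixes).
SENSITIVE_PREFIXES = {
    "user-management": ("user add", "user del", "user change", "user password",
                        "authorization policy", "adminaccess "),
    "network-or-time": ("net ", "ntp ", "system option set"),
    "destructive": ("filesys destroy", "mtree delete", "replication break"),
}
FAIL_THRESHOLD = 3  # repeated failures from one user/source worth escalating

SAMPLE_LOG = """\
2024-05-01T09:00:01Z dd01 audit: user=sysadmin src=10.0.0.5 cmd="user add auditor role security" result=success
2024-05-01T09:00:07Z dd01 audit: user=ops src=10.0.0.9 cmd="mtree list" result=success
2024-05-01T09:01:10Z dd01 audit: user=backup src=10.0.0.20 cmd="login" result=failure
2024-05-01T09:01:15Z dd01 audit: user=backup src=10.0.0.20 cmd="login" result=failure
2024-05-01T09:01:20Z dd01 audit: user=backup src=10.0.0.20 cmd="login" result=failure
2024-05-01T09:05:00Z dd01 audit: user=sysadmin src=10.0.0.5 cmd="ntp disable" result=success
2024-05-01T09:06:00Z dd01 audit: user=ops src=10.0.0.9 cmd="filesys destroy" result=failure
"""

def parse_line(line):
    """Return the fields of one audit line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Map a parsed event to a watch category from the guide, or None."""
    if event["cmd"] == "login" and event["result"] == "failure":
        return "auth-failure"
    for label, prefixes in SENSITIVE_PREFIXES.items():
        if event["cmd"].startswith(prefixes):
            return label
    return None

def triage(lines):
    """Return (category, detail) findings for a batch of log lines."""
    findings, failures = [], Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            findings.append(("unparsed", line.strip()))  # never silently drop lines
            continue
        label = classify(event)
        if label:
            findings.append((label, "%s@%s: %s (%s)" % (
                event["user"], event["src"], event["cmd"], event["result"])))
        if event["result"] == "failure":
            failures[(event["user"], event["src"])] += 1
    # Repeated failures from the same user/source are the "repeating attempts" signal.
    for (user, src), n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("repeated-failures", "%d failures for %s from %s" % (n, user, src)))
    return findings
```

Run it from cron against the log file your syslog server writes for the DD host, e.g. `triage(open(path).readlines())`, and route the findings into the alerting your log server already provides.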
Encryption
| Description | Hardening recommendation |
|---|---|
| Use an external key manager for encryption. | See Data Domain Encryption - Frequently Asked Questions. |
| Use of encryption algorithm and key length | The recommendation is to use 256-bit keys and the AES algorithm in GCM mode. |
| Configure the system passphrase. | Set and use a hardened system passphrase. The default minimum length requirement is 9 characters. Use `system passphrase option set min-length` to set a higher length requirement. See: To set and change System passphrase on the Data Domain system |
TLS for FTP
| Description | Hardening recommendation |
|---|---|
| TLS-version | By default, FTPS enables TLSv1.2. TLSv1.0 and TLSv1.1 are disabled by default; if they are required, use the `tls-version` configuration option to enable them. |
| Cipher-list | The default cipher-list supports only TLSv1.2. To enable TLSv1.0 and TLSv1.1, change the cipher-list accordingly. |
Replication
| Description | Hardening recommendation |
|---|---|
| Use encryption and two-way authentication. | Configure two-way authentication when adding a replication pair:<br>`# replication add source <source> destination <destination> [low-bw-optim {enabled \| disabled}] [encryption {enabled [authentication-mode {one-way \| two-way \| anonymous}] \| disabled}] [propagate-retention-lock {enabled \| disabled}] [ipversion {ipv4 \| ipv6}] [max-repl-streams <n>] [destination-tenant-unit <tenant-unit>]` |
DD Boost
| Description | Hardening recommendation |
|---|---|
| Set global-authentication-mode to two-way-password and enable encryption. | By default the global authentication mode is set to none and encryption is disabled. This configuration ensures that only DD Boost clients that support at least two-way-password authentication (those using DD Boost 3.3 or later) can attach, and that data is encrypted on the wire. NOTE: More secure configurations, one-way (per client) and two-way (global), are available. With these settings, DD Boost clients must provide the necessary certificates to connect.<br>`# ddboost option set global-authentication-mode two-way-password global-encryption-strength <high/medium>` |
| Set password hash support to SHA512. | By default the password hash is set to MD5. Changing it to SHA512 prevents DD Boost clients that cannot support SHA512 from attaching.<br>`# adminaccess option set password-hash {md5 \| sha512}` |
| Configure DD Boost users with a role of none. NOTE: The none role for DD Boost users applies to standalone Data Domain and PowerProtect DD systems. When integrating DD Boost with backup software (for example, Avamar), follow the user role instructions in the backup software documentation. | Create a `none` role user and assign it as a DD Boost user:<br>`# user add <user> role none`<br>`# ddboost user assign <user>` |
| Limit the assignment of a DD Boost user to a single storage unit. | Do not assign the same DD Boost user to multiple DD Boost storage-units. This limits the number of DD Boost clients that share the same DD Boost user credentials. |
| Use a client list to limit access. | `# ddboost clients add client-list [encryption-strength {none \| medium \| high} authentication-mode {one-way \| two-way \| two-way-password \| anonymous \| kerberos}]`<br>NOTE: During configuration, do not use a wildcard character that enables access for any user. Type individual IP addresses or client names instead. |
| Enable encryption with two-way authentication for managed file replication. | Use the two-way authentication-mode:<br>`# ddboost file-replication option set encryption enabled authentication-mode two-way` |
| Configure the NFS port to use something other than 2049 to prevent NFSv3 client access. | `# nfs option set nfs3-port <new port number>`<br>`# nfs option set nfs4-port <new port number>` |
| Use Kerberos for BoostFS. | Clients connecting to the DD system using BoostFS are encouraged to use Kerberos support only if FIPS is not an option. DD system Active Directory support must be configured. To configure BoostFS clients to use Kerberos, see the platform-specific DD BoostFS Configuration Guide. |
| Use Avamar default security settings for DD Boost connectivity if using Avamar. | By default, Avamar uses two-way TLS certificates, encryption, and token access for clients. It is recommended to keep the default. |
| If DD Boost or NFS is not in use, use the netfilter option to disable portmapper port 111. | `# net filter add operation block protocol tcp ports 111`<br>`# net filter add operation block protocol udp ports 111` |
NFS
| Description | Hardening recommendation |
|---|---|
| Configure Kerberos with encryption. | Ensures that data on the wire is encrypted:<br>`# nfs export create <export name> path <path> option sec=krb5p` |
| Specify the list of hosts that can access an export. | Add NFS clients to an export:<br>`# nfs add <path> <client-list> [ ( <option-list> ) ]`<br>Delete NFS clients from an export:<br>`# nfs del <path> <client-list>`<br>NOTE: When configuring, do not use a wildcard character that enables access for any user. Type individual IP addresses or client names instead. |
| Do not use no_root_squash. | Verify with the following command that no_root_squash is not configured for any export:<br>`# nfs export show list` |
VTL/vDisk
| Description | Hardening recommendations |
|---|---|
| Use default options. | The existing default options are considered best practices. |
DISA STIG standards
The following table contains DISA STIG/SRG rules with their corresponding hardening steps.
These recommendations can be used to comply with DISA STIG standards for the device type.
| Description | Hardening recommendation |
|---|---|
| Enable FIPS 140-2 approved encryption. | DD supports use of only FIPS 140-2 approved ciphers for secured connections. DD recommends using the UI or CLI to enable FIPS mode:<br>● UI: Administration > Setting > FIPS mode<br>● CLI: `system fips-mode enable` |
| The application server must limit the number of concurrent sessions to an organization-defined number for all accounts and account types. | DD recommends UI or CLI hardening:<br>● UI: Administration > Access > More Tasks > Change Login Options (to set active logins to 100)<br>● CLI: `adminaccess option set login-max-active 100` |
| The network device must be configured to enforce a limit of three consecutive invalid login attempts, after which it must block any login attempt for 15 minutes. | DD recommends using the UI or CLI to configure:<br>● UI: Administration > Access > More Tasks > Change Login Options; set Maximum login Attempts to 3 and Unlock timeout to 900 sec<br>● CLI:<br>○ `adminaccess option set login-max-attempts 3`<br>○ `adminaccess option set login-unlock-timeout 900` |
| The application server must automatically terminate a user session after organization-defined conditions or trigger events requiring a session disconnect. The system must be configured so that all network connections that are associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | DD supports terminating connections at the end of the session and session termination after a configured period of inactivity. There is a CLI to specify the inactivity period. The SSH connection stays alive, but any request from the client is rejected. A session clean-up process runs periodically and terminates sessions that are no longer valid. DD recommends the following UI or CLI hardening:<br>● UI: Administration > Access > check HTTPS > Configure > ADVANCE and set the timeout value to 600 sec. Repeat the same for SSH by clicking SSH in Services.<br>● CLI:<br>○ SSH: `adminaccess ssh option set session-timeout 600`<br>○ HTTPS: `adminaccess web option set session-timeout 600` |
| Various password aging requirements | DD recommends the CLI `user password aging` option. By default the password policy is relaxed to be backward compatible. The customer can use the UI or CLI to modify the password configuration so that it is more restrictive and meets the aging requirements.<br>● UI: Administration > Access > More Tasks > Change Login Options. NOTE: Per-user options can be set through Administration > Access > Local Users > Modify > Advanced.<br>● CLI: `user password aging` |
| Various password and strength requirements | DD supports a comprehensive password policy and recommends using the CLI or UI to harden passwords. Set or modify the account password policy characteristics and complexity as required. See the password policy for more information about requirements.<br>● UI: Administration > Access > More Tasks > Change Login Options<br>● CLI: `user password strength set` |
| The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | DD recommends using the UI or CLI to configure an NTP server.<br>● UI: Administration > Settings > MORE TASKS > Configure Time Settings. Enter the NTP server info by clicking the + sign.<br>● CLI: `ntp add timeserver <server-name>` then `ntp enable` |
| The Apache web server must be configured to use a specified IP address and port. | DD supports a different HTTPS port and limiting HTTPS connections to certain interfaces instead of the default of all interfaces. DD recommends using the adminaccess and netfilter CLI commands to harden:<br>● `adminaccess web option set https-port <port>`<br>● `net filter add operation allow protocol tcp ports <port> interfaces <IP_address>`<br>NOTE: The IP address must be an active interface reported by the ifconfig command. |
| The application server must uniquely identify all network-connected endpoint devices before establishing any connection. The Apache web server must restrict inbound connections from nonsecure zones. | To restrict inbound connections, DD recommends configuring the allowed hosts for HTTPS and SSH connections using the UI or CLI.<br>● UI: Administration > Access > ADMINISTRATOR ACCESS > select HTTPS/SSH > CONFIGURE > GENERAL and click the + (Add) sign.<br>● CLI:<br>○ `adminaccess http add <host_list>`<br>○ `adminaccess ssh add <host-list>` |
| Notifications when reaching audit log storage capacity | An email alert can be sent when audit log storage space reaches the 80% and 100% thresholds. DD recommends using the UI or CLI to configure the system to "Send Alert Notification Emails."<br>● UI: Health > Alerts > NOTIFICATION > ADD (Groups on file system Class with WARNING and CRITICAL, and Subscriber CONFIGURE to add email addresses and Groups)<br>● CLI:<br>○ `alerts notify-list create <group name warning> class filesystem severity warning`<br>○ `alerts notify-list add <group name warning> emails <email>`<br>○ `alerts notify-list create <group name critical> class filesystem severity critical`<br>○ `alerts notify-list add <group name critical> emails <email>` |
| Enabling audit log forwarding | DD supports syslog forwarding and recommends using the CLI to set up the connection to a remote syslog server.<br>● `log host add <Remote_syslog_Server>`<br>● `log host enable` |
| Using an authentication server to authenticate users before granting administrative access. | DD supports multiple name server protocols such as LDAP, NIS, and AD. DD recommends using OpenLDAP with FIPS enabled. DD manages only local accounts. DD recommends using the UI or CLI to configure LDAP.<br>● UI: Administration > Access > Authentication<br>● CLI: Authentication LDAP commands<br>Active Directory can also be configured for user logins with FIPS enabled. However, CIFS data access with AD users is no longer supported with that configuration. |
| The network device must authenticate network management SNMP endpoints before establishing a local, remote, or network connection using bi-directional authentication that is cryptographically based. | DD supports SNMPv3, which is FIPS-compliant. DD recommends using the UI or CLI to configure SNMPv3.<br>● UI: Administration > Settings > SNMP<br>● CLI: SNMP commands |
| The application server must accept Personal Identity Verification (PIV) credentials to access the management interface. | DD supports using a DoD-issued CAC/PIV card at the client browser to log in using the UI. This is a multifactor login using the certificate on the CAC/PIV card. DD recommends using the UI or CLI command to configure MFA and set up OpenLDAP for user authorization. General Procedure: |
| The application server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information over the network. | DD supports CRL checking on MFA, with the issuing CA revoking the CAC certificate, by importing the CRL certificate to DD. DD recommends using the CLI to import the CRL certificate.<br>● CLI: `adminaccess certificate cert-revoke-list import application login-auth` |
| The Apache web server must be configured to immediately disconnect or disable remote access to the hosted applications. | DD recommends disabling the HTTPS service to terminate all active sessions, by UI or CLI.<br>● UI: Administration > Access > Administrator Access > HTTPS > CONFIGURE (clear HTTPS and save).<br>● CLI: `adminaccess disable https` |
| The Red Hat Enterprise Linux operating system must not allow a noncertificate trusted host SSH log in to the system. | DD supports SSH connections using SSH keys instead of password-based login. If password-based login is disabled, UI login using a password is also disabled. DD recommends using the CLI to import the key and disable password-based SSH login.<br>● CLI:<br>○ `adminaccess add ssh-keys user <user_name>`<br>○ `adminaccess option set password-auth disable`<br>NOTE: The sysadmin account must have an SSH key imported before password-based login is disabled. |
| Use a FIPS 140-2 approved cryptographic hashing algorithm. | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise. NOTE: The DDOS Command Reference Guide describes how to use the `adminaccess option set password-hash {md5 \| sha512}` command to set FIPS 140-2-approved cryptographic hashing on the system. Changing the hash algorithm does not change the hash value of any existing password: passwords that were hashed with md5 keep their md5 hash values after the password-hash algorithm is changed to sha512, and must be reset so that a new sha512 hash value is computed. |
| Remove the telnet-server package. | Telnet can be removed. Run `adminaccess uninstall telnet` to remove the telnet package from the DD system. NOTE: If telnet is removed, it cannot be added back to the system. |
| Audit log forwarding to a remote syslog server | DD supports forwarding of the local audit log to a syslog server.<br>● CLI:<br>○ `log host add <Remote_syslog_IP>`<br>○ `log host enable`<br>NOTE: Corresponding configuration to accept the system syslog at the remote syslog server is required. |
| User's consent to Notice and Consent Banner | DD can be configured to prompt for user consent before login to the system UI.<br>● UI: Administration > LOGIN BANNER > CONFIGURE<br>● CLI: `system option set login-banner /ddr/var/releases/<banner_file>`, where `<banner_file>` is uploaded to the DD's /ddr/var/releases directory as a text file. |