Before you begin
Security hardening requires root privileges and can be performed only through the command-line interface.
After hardening has been successfully applied, root SSH is not allowed on the cluster. To log in as the root user on a hardened cluster, you must connect through the web interface or a serial console session.
You must have an active security hardening license to apply a hardening profile to OneFS. To obtain a license, contact your Isilon sales representative.
Procedure
- Open a secure shell (SSH) connection to any node in the cluster and log in as root.
- Run the isi hardening apply command.
The following command directs OneFS to apply the hardening profile to the Isilon cluster.
isi hardening apply --profile=STIG
OneFS checks whether the system contains any configuration issues that must be resolved before hardening can be applied.
- Resolve any configuration issues. At the prompt Do you want to resolve the issue(s)?[Y/N], choose one of the following actions:
  - To allow OneFS to resolve all issues, type Y. OneFS fixes the issues and then applies the hardening profile.
  - To defer resolution and fix all of the found issues manually, type N. After you have fixed all of the deferred issues, run the isi hardening apply command again.
If OneFS encounters an issue that is considered catastrophic, the system prompts you to resolve the issue manually. OneFS cannot resolve a catastrophic issue.