Revert a security hardening profile

You can revert a hardening profile that has been applied to the Isilon cluster.

Before you begin

Reverting security hardening requires root privileges and can be performed only through the command-line interface. To log in as the root user on a hardened cluster, you must connect through a serial console session. Root SSH is not allowed on a hardened cluster.

You must have an active security hardening license to revert a hardening profile on OneFS. To obtain a license, contact your Isilon sales representative.

Procedure

  1. Open a serial console session on any node in the cluster and log in as root.
  2. Run the isi hardening revert command.
    OneFS checks whether the system is in an expected state.
    • If OneFS does not encounter any issues, the hardening profile is reverted.
    • If OneFS encounters any issues, the system displays output similar to the following example:
      Found the following Issue(s) on the cluster:
      Issue #1 (Isilon Control_id:isi_GEN001200_01)
      Node: test-cluster-2
      1: /etc/syslog.conf: Actual permission 0664; Expected permission 0654
      
      Issue #2 (Isilon Control_id:isi_GEN001200_02)
      Node: test-cluster-3
      1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
      2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
      Node: test-cluster-2
      1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
      2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
      
      Total: 2 issue(s)
      Do you want to resolve the issue(s)?[Y/N]:
  3. Resolve any configuration issues. At the prompt Do you want to resolve the issue(s)?[Y/N], choose one of the following actions:
    • To allow OneFS to resolve all issues, type Y. OneFS sets the affected configurations to the expected state and then reverts the hardening profile.
    • To defer resolution and fix all of the found issues manually, type N. OneFS halts the revert process until all of the issues are fixed. After you have fixed all of the deferred issues, run the isi hardening revert command again.
    Note: If OneFS encounters an issue that is considered catastrophic, the system will prompt you to resolve the issue manually. OneFS cannot resolve a catastrophic issue.
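
The following is an added example, not part of the OneFS documentation or tooling: it parses a saved copy of the issue report from step 2 and lists, per node and file, which permission bits differ from the expected state, so the findings can be reviewed before answering the prompt. It assumes the output follows the format of the sample above; `parse_report` and the result field names are hypothetical.

```python
import re
import stat

# Constructed sample: the example output shown in step 2 of the procedure.
SAMPLE = """\
Found the following Issue(s) on the cluster:
Issue #1 (Isilon Control_id:isi_GEN001200_01)
Node: test-cluster-2
1: /etc/syslog.conf: Actual permission 0664; Expected permission 0654

Issue #2 (Isilon Control_id:isi_GEN001200_02)
Node: test-cluster-3
1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
Node: test-cluster-2
1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555

Total: 2 issue(s)
"""

ISSUE = re.compile(r"Issue #\d+ \(Isilon Control_id:(\S+)\)")
NODE = re.compile(r"Node:\s*(\S+)")
FINDING = re.compile(
    r"\d+:\s*(.+?): Actual permission ([0-7]{4}); Expected permission ([0-7]{4})")

def parse_report(text):
    """Return one dict per finding, with the mode bits that differ."""
    findings, control, node = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := ISSUE.match(line):
            control, node = m.group(1), None   # new issue: node list restarts
        elif m := NODE.match(line):
            node = m.group(1)
        elif m := FINDING.match(line):
            actual, expected = int(m.group(2), 8), int(m.group(3), 8)
            findings.append({
                "control": control, "node": node, "path": m.group(1),
                "extra": actual & ~expected,    # bits set that should be clear
                "missing": expected & ~actual,  # bits clear that should be set
                "setuid_differs": bool((actual ^ expected) & stat.S_ISUID),
            })
    return findings

if __name__ == "__main__":
    for f in parse_report(SAMPLE):
        print(f"{f['node']:15} {f['control']:18} {f['path']:18} extra={f['extra']:04o} "
              f"missing={f['missing']:04o} setuid_differs={f['setuid_differs']}")
```

For the sample, the `/etc/syslog.conf` finding differs in the group write and group execute bits, while the `passwd` and `yppasswd` findings differ only in the setuid bit.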