Reverting security hardening requires root privileges and can be performed only through the command-line interface. To log in as the root user on a hardened cluster, you must connect through a serial console session. Root SSH is not allowed on a hardened cluster.
Before you begin
You must have an active security hardening license to revert a hardening profile on OneFS. To obtain a license, contact your Isilon sales representative.
- Open a serial console session on any node in the cluster and log in as root.
- Run the isi hardening revert command.
OneFS checks whether the system is in an expected state.
- If OneFS does not encounter any issues, the hardening profile is reverted.
- If OneFS encounters any issues, the system displays output similar to the following example:
    Found the following Issue(s) on the cluster:
    Issue #1 (Isilon Control_id:isi_GEN001200_01)
    Node: test-cluster-2
    1: /etc/syslog.conf: Actual permission 0664; Expected permission 0654
    Issue #2 (Isilon Control_id:isi_GEN001200_02)
    Node: test-cluster-3
    1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
    2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
    Node: test-cluster-2
    1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
    2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
    Total: 2 issue(s)
    Do you want to resolve the issue(s)?[Y/N]:
- Resolve any configuration issues. At the prompt Do you want to resolve the issue(s)?[Y/N], choose one of the following actions:
- To allow OneFS to resolve all issues, type Y. OneFS sets the affected configurations to the expected state and then reverts the hardening profile.
- To defer resolution and fix all of the found issues manually, type N. OneFS halts the revert process until all of the issues are fixed. After you have fixed all of the deferred issues, run the isi hardening revert command again.
If OneFS encounters an issue that is considered catastrophic, the system will prompt you to resolve the issue manually. OneFS cannot resolve a catastrophic issue.
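Before answering the prompt, the issue report can be parsed so that each permission deviation is reviewed per node, including which mode bits differ from the expected state. The following Python is an added example, not part of OneFS or the vendor documentation; it assumes the report was captured as text with one record per line, as in the sample output, and covers only permission findings. The names parse_report and Finding are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: the report text shown on this page, one record per line.
SAMPLE_REPORT = """\
Found the following Issue(s) on the cluster:
Issue #1 (Isilon Control_id:isi_GEN001200_01)
Node: test-cluster-2
1: /etc/syslog.conf: Actual permission 0664; Expected permission 0654
Issue #2 (Isilon Control_id:isi_GEN001200_02)
Node: test-cluster-3
1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
Node: test-cluster-2
1: /usr/bin/passwd: Actual permission 4555; Expected permission 0555
2: /usr/bin/yppasswd: Actual permission 4555; Expected permission 0555
Total: 2 issue(s)
"""

# extra = mode bits set on disk but not expected; missing = expected but not set.
Finding = namedtuple("Finding", "control node path actual expected extra missing")

ISSUE_RE = re.compile(r"^Issue #\d+ \(Isilon Control_id:(\S+)\)$")
NODE_RE = re.compile(r"^Node: (\S+)$")
PERM_RE = re.compile(
    r"^\d+: (.+?): Actual permission ([0-7]{4}); Expected permission ([0-7]{4})$")
TOTAL_RE = re.compile(r"^Total: (\d+) issue\(s\)$")

def parse_report(text):
    """Return (findings, issue_count); raise ValueError on an inconsistent report."""
    findings, controls, control, node, total = [], [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := ISSUE_RE.match(line):
            control, node = m.group(1), None   # a new issue resets the node scope
            controls.append(control)
        elif m := NODE_RE.match(line):
            node = m.group(1)
        elif m := PERM_RE.match(line):
            if control is None or node is None:
                raise ValueError("permission line outside an Issue/Node block: " + line)
            actual, expected = int(m.group(2), 8), int(m.group(3), 8)
            findings.append(Finding(control, node, m.group(1), actual, expected,
                                    actual & ~expected, expected & ~actual))
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
    if total != len(controls):                 # truncated or mis-captured output
        raise ValueError(f"Total line says {total}, parsed {len(controls)} issue(s)")
    return findings, total
```

For the sample output, the first finding shows group write set but not expected (extra 0020) and group execute expected but not set (missing 0010); the four passwd and yppasswd findings differ from the expected mode only in the setuid bit (extra 4000).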