DELL InsightIQ 5.1.0 Elevated Performance Monitoring User Guide

August 30, 2024
Dell

InsightIQ 5.1.0 Elevated Performance Monitoring

“`html

Product Information

Specifications

  • Product Name: Dell InsightIQ 5.1.0
  • Release Date: May 2024
  • Security Configuration Guide

Product Usage Instructions

Overview

The Dell InsightIQ 5.1.0 Security Configuration Guide provides
controls and settings for secure deployment, usage, and maintenance
of InsightIQ. It is essential for maintaining the authenticity and
integrity of your system.

Scope

The guide covers security configurations specific to InsightIQ.
For security information related to other products or
subcomponents, refer to their respective security configuration
guides.

Deployment Models

InsightIQ supports various deployment models to cater to
different user requirements. Ensure you choose the appropriate
model that aligns with your needs.

Security Profiles

Understand the available security profiles in InsightIQ to
effectively manage access control and permissions within the
system.

Protect Authenticity and Integrity

Follow recommended practices to protect the authenticity and
integrity of your data within the InsightIQ environment. Regularly
update security configurations to mitigate potential risks.

Frequently Asked Questions (FAQ)

Q: Where can I find Dell advisories and updates?

A: Dell advisories and updates can be obtained from the
designated sources mentioned in the guide. Ensure you meet the
specified customer prerequisites for security updates.

Q: How do I handle security false positives in InsightIQ

5.1.0?

A: Refer to Appendix B of the guide for information on Security
False Positives for InsightIQ 5.1.0 and follow the recommended
steps to address them effectively.

“`

Dell InsightIQ 5.1.0
Security Configuration Guide
May 2024

Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2009 – 2024 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Preface……………………………………………………………………………………………………………………….. 5 Legal disclaimers……………………………………………………………………………………………………………………………………………… 5 Scope of document………………………………………………………………………………………………………………………………………….5 InsightIQ documentation………………………………………………………………………………………………………………………………….5 Security resources …………………………………………………………………………………………………………………………………………. 6 Getting help…………………………………………………………………………………………………………………………………………………….. 6 Where to go for support……………………………………………………………………………………………………………………………. 6 Reporting security vulnerabilities……………………………………………………………………………………………………………………. 7 Follow us online……………………………………………………………………………………………………………………………………………….. 7
Chapter 1: Security quick reference…………………………………………………………………………………. 8 Deployment models …………………………………………………………………………………………………………………………………………8 Security profiles………………………………………………………………………………………………………………………………………………. 8
Chapter 2: Product and subsystem security………………………………………………………………………10 Security controls map……………………………………………………………………………………………………………………………………. 10 Authentication………………………………………………………………………………………………………………………………………………… 11 Supported users………………………………………………………………………………………………………………………………………… 11 Session-based authentication…………………………………………………………………………………………………………………… 11 Login security …………………………………………………………………………………………………………………………………………….11 Authentication types and setup………………………………………………………………………………………………………………..12 User and credential management……………………………………………………………………………………………………………..13 Authentication to external systems…………………………………………………………………………………………………………. 14 Authorization………………………………………………………………………………………………………………………………………………….. 15 Role-Based Access Control (RBAC)……………………………………………………………………………………………………….. 15 Mapping roles to external users………………………………………………………………………………………………………………. 15 Elevated permissions for InsightIQ Simple administrator user………………………………………………………………..15 Network security…………………………………………………………………………………………………………………………………………….15 InsightIQ ports………………………………………………………………………………………………………………………………………….. 15 TLS……………………………………………………………………………………………………………………………………………………………..16 NFS export security…………………………………………………………………………………………………………………………………..16 Data protection……………………………………………………………………………………………………………………………………………….17 Data security………………………………………………………………………………………………………………………………………………17 Data-at-rest encryption……………………………………………………………………………………………………………………………. 17 Data sanitation………………………………………………………………………………………………………………………………………….. 17 Cryptography…………………………………………………………………………………………………………………………………………………. 17 Cryptography……………………………………………………………………………………………………………………………………………..17 Cryptographic configuration options……………………………………………………………………………………………………….. 17 Certificate management…………………………………………………………………………………………………………………………… 18 Regulatory information…………………………………………………………………………………………………………………………….. 19 Auditing and logging………………………………………………………………………………………………………………………………………. 19 Logging……………………………………………………………………………………………………………………………………………………… 19 Alerting……………………………………………………………………………………………………………………………………………………….21 Physical security……………………………………………………………………………………………………………………………………………..21

Contents

3

Serviceability………………………………………………………………………………………………………………………………………………….. 21 Maintenance Aids……………………………………………………………………………………………………………………………………… 21 Responsible service use by Dell……………………………………………………………………………………………………………….. 21
Security advisories and updates ……………………………………………………………………………………………………………………21 Obtain Dell advisories and updates………………………………………………………………………………………………………….. 21 Customer prerequisites for security updates…………………………………………………………………………………………. 22
Protect authenticity and integrity………………………………………………………………………………………………………………… 22
Chapter 3: Miscellaneous Configuration and Management Elements……………………………………..23 Software licensing and conditions for use…………………………………………………………………………………………………… 23 Preventing malware………………………………………………………………………………………………………………………………………. 23 Installing client software………………………………………………………………………………………………………………………………..23 Backups of application or data………………………………………………………………………………………………………………………23
Appendix A: TLS cipher suites……………………………………………………………………………………….. 24 Default and supported TLS cipher suites…………………………………………………………………………………………………….. 24
Appendix B: SDL for InsightIQ 5.1.0: Security false positives ………………………………………………25 Security False Positives for InsightIQ 5.1.0 ………………………………………………………………………………………………… 25

4

Contents

Preface

Legal disclaimers

NOTE: THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL DELL, ITS AFFILIATES OR SUPPLIERS, BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING FROM OR RELATED TO THE INFORMATION CONTAINED HEREIN OR ACTIONS THAT YOU DECIDE TO TAKE BASED THEREON, INCLUDING ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF DELL, ITS AFFILIATES OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Dell takes reports of potential security vulnerabilities in our products very seriously. If you discover a security vulnerability, you are encouraged to report it to Dell immediately. Dell distributes Security Advisories to bring important security information to the attention of users of the impacted product(s). Dell assesses risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. All aspects of Dell’s Vulnerability Response Policy are subject to change without notice and on a case-by-case basis. Your use of the information contained in this document or materials linked herein is at your own risk. Dell reserves the right to change or update this document in its sole discretion and without notice at any time.

Scope of document
This guide provides an overview of the security configuration controls and settings available in InsightIQ. This guide is intended to help facilitate secure deployment, usage, and maintenance of InsightIQ. Security information for other products or subcomponents that might be deployed with InsightIQ are covered in their own security configuration guides.

InsightIQ documentation

Other documentation exists for InsightIQ. See the PowerScale InsightIQ Info Hub for links to the latest versions of the following InsightIQ publications.

Table 1. InsightIQ documentation Document Dell PowerScale InsightIQ Release Notes

Description
This document contains information about new features, enhancements, and known issues for InsightIQ.

Dell PowerScale InsightIQ Installation Guide

This document contains information about how to install and configure InsightIQ and how to upgrade an existing installation of InsightIQ.

Dell PowerScale InsightIQ User Guide

This document contains information and instructions for monitoring a Dell PowerScale cluster with InsightIQ.

Dell PowerScale InsightIQ Administration Guide This document contains information and instructions for configuring and maintaining InsightIQ.

Dell PowerScale InsightIQ Security Configuration Guide
Dell PowerScale Supportability and Compatibility Guide

This document contains information about security controls and configurations for InsightIQ.
This document contains information about compatibility between PowerScale OneFS releases and InsightIQ releases.

Preface

5

Security resources

Resources include Dell Security Advisories (DSAs), Common Vulnerabilities and Exposures (CVEs), and a list of false positives.

Table 2. Security resources from Dell

Type

Description

DSAs and CVEs

Dell Security Advisories (DSAs) notify customers about potential security vulnerabilities and their remedies for Dell products. The advisories include specific details about an issue and instructions to help prevent or alleviate that security exposure.

CVEs

Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. A DSA can address one or more CVEs.

False Positives

It is possible for a security scan to incorrectly identify a CVE as affecting a Dell product. CVEs in this category are termed false positives. False positives for InsightIQ are listed in SDL for InsightIQ 5.1.0: Security false positives .

Register for advisory notifications
On the product-specific page on the Dell support site, you can register to receive email notifications of DSAs. A valid Dell support account is required.

  1. Go to product-specific page on the Dell support site. 2. If you are not signed in to the Support site, click Sign In on the banner and provide your Dell account information. 3. Click Contact Support on the right side of the page. 4. Click Notifications. 5. Click the Dell EMC Security Advisories toggle.

Getting help
The Dell Support site contains important information about products and services: The direct link to the InsightIQ product page on the Dell Support site is here. The product-specific page includes drivers, installation packages, product documentation, knowledge base articles, and security advisories. A valid support contract and account might be required to access all the available information about a specific Dell product or service. Depending on your support plan, you may be able to use the Support site to contact Dell for assistance in resolving problems.

Where to go for support

This topic lists support resources for InsightIQ.

Table 3. Resources for InsightIQ Resources Telephone support

Description
United States: 1-800-SVC-4EMC (1-800-782-4362) Canada: 1-800-543-4782 Worldwide: 1-312-725-5401 Local phone numbers for a specific country or region are available at Dell
Customer Support Centers.

Downloads, documentation, and security advisories
Community support
Info Hubs

PowerScale InsightIQ page on Dell Support
Dell Community PowerScale InsightIQ Info Hub PowerScale OneFS Info Hubs

6

Preface

Reporting security vulnerabilities
Dell takes reports of potential security vulnerabilities in its products seriously. If you discover a security vulnerability, you are encouraged to report it to Dell immediately. For the latest instructions on how to report a security issue to Dell, see the Dell Vulnerability Response Policy.
Follow us online
To learn more about Dell and our commitment to security, you can follow the latest information on these sites: Dell Security and Trust Center Dell Support Site Home To provide feedback on this solution, email us at support@dell.com.

Preface

7

1
Security quick reference
This quick reference introduces InsightIQ from the security perspective. It provides context for understanding the information in this guide.
Topics:
· Deployment models · Security profiles
Deployment models
A deployment model is the combination of installation, networking, and physical layout (if applicable) for the product as an ecosystem. All InsightIQ deployments maximize security goals and facilitate secure system management. InsightIQ 5.x is a Kubernetes-based application. The installation process deploys all required software, including Kubernetes, the InsightIQ application, all supporting infrastructure and tools, and the database.
Physical deployment options
InsightIQ 5.x.x supports the following physical deployment models: InsightIQ Simple is a one-node deployment on a VMware virtual machine running a supported ESXi version. This deployment
is OVA-based using an .ova file. InsightIQ Scale is a three-node deployment on three virtual or physical machines that are running a supported Red Hat
Enterprise Linux or ESXi version. This deployment uses an installation script delivered in a .tar.gz file. For supported operating system versions for each InsightIQ release, see the Prerequisites section in the release-specific Dell PowerScale InsightIQ Installation Guide.
Datastore location options
The InsightIQ datastore is a PostgreSQL database. At installation time, the database location is defined as either of the following: Local storage An NFS export
Secure Remote Support options
InsightIQ does not have Dell remote support options.
Security profiles
Security profiles are representations of the product or subsystem security posture through specific configuration setting combinations. InsightIQ supports authentication for local users and LDAP or LDAPS users. All users (local and LDAP/LDAPS) have one of the following predefined roles: admin role read-only role

8

Security quick reference

Admin users
Users with admin role can configure InsightIQ settings, add and remove PowerScale clusters to InsightIQ for monitoring purposes, and manage alerts, users, and sessions. These users can also perform all actions available to the read-only users. There are two types of admin users: The default administrator user–The installation process creates one local user with the admin role. The username for
this default local user is administrator. This default administrator user is the only local user account that can have the admin role. Members of an LDAP or LDAPS group that is mapped to the InsightIQ admin role–Any user with admin role can perform the mapping to create additional admin users.
Read-only users
Users with the read-only role can define and access reports, view the dashboard, and view alerts. Read-only users can be either: Local users with read-only role–Any user with admin role can create local read-only users. Members of an LDAP or LDAPS group that is mapped to the InsightIQ read-only role–Any user with admin role can
perform the mapping.
More information
For information about adding users and mapping roles, see the “Manage users” section in the Configuration chapter of the Dell PowerScale InsightIQ Administration Guide.

Security quick reference

9

2
Product and subsystem security
InsightIQ contains the following security features.
Topics:
· Security controls map · Authentication · Authorization · Network security · Data protection · Cryptography · Auditing and logging · Physical security · Serviceability · Security advisories and updates · Protect authenticity and integrity
Security controls map
The security controls map shows the network connections and user interfaces in InsightIQ. The map indicates the security controls in InsightIQ that protect those connections and interfaces from attack.

Figure 1. Security controls map

10

Product and subsystem security

Authentication
Authentication controls access to the system. This section describes default security settings and configuration options that control how users and processes authenticate with InsightIQ.
Supported users
InsightIQ supports local users and LDAP or LDAPS users.
Local users
The installation process creates one local user with the admin role. This default local username is administrator. This default local user administrator is the only local user account that can have the admin role. Any user with admin role can create additional local users with the read-only role.
LDAP and LDAPS users
If LDAP or LDAPS is configured for InsightIQ, then LDAP users can gain access to InsightIQ. By default, LDAP users do not have InsightIQ access. Those users gain access if they are members of an LDAP group that is added to InsightIQ. Any existing user with the admin role can add LDAP groups to InsightIQ. For details, see the Dell PowerScale InsightIQ Administration Guide, in the “Configuration” chapter, under Manage Users, see Add an LDAP group. When an admin adds an LDAP group, they must assign an InsightIQ role to the group. The roles are admin or read-only. Members of an LDAP group that is mapped to the admin role have all the same privileges as the original local administrator user. Members of an LDAP group that is mapped to the read-only role have all the same privileges as local users with the read-only role.
Session-based authentication
Session-based authentication applies to REST API sessions and web application sessions. A JWT token is used to support session-based authentication. A session is valid for 12 hours or until the user logs out.
Login security
The following sections describe capabilities for controlling login access.
Failed login behavior
Failed login behavior defines how the system handles one or more unsuccessful attempts at authentication. InsightIQ permits users to perform any number of multiple attempts to authenticate. For password reset procedures, see Password resets later in this guide.
Emergency user lockout
Administrators can prevent users who are a potential threat to the system from accessing any features in the system. Use the following methods to lock out a user from accessing the system. Emergency session end–You can immediately log users out of the current session and end the session. See Emergency
session end. Reset passwords–See Password resets.

Product and subsystem security

11

Emergency session end
A user with admin role can end existing user sessions and log out the users.
About this task A user with admin role can use the API to immediately end a session and log out the user. The API is:
POST /insightiq/rest/security-iam/v1/auth/logout For more information, see the section called “Authentication and session management” in the “REST API” chapter in the Dell PowerScale InsightIQ Administration Guide.
NOTE: The logout API logs out the current user session. It does not invalidate any other user session. Alternatively, a user with admin role can use the following commands to end all sessions.
Steps 1. For InsightIQ Scale (three-node installation), log in to the system as root user. For InsightIQ Simple, log in as the
administrator user. 2. Delete the secrets:
kubectl delete secrets security-iam-session-manager-tls -n atlantic
3. Get the security-iam pod identifier to use in the next step: kubectl get pod -n atlantic | grep security-iam
4. Refresh the security-iam pod. kubectl delete pods -n atlantic
5. Logins cannot occur until after the pod restarts.
Authentication types and setup
The following sections describe the types of authentication that InsightIQ supports.
Local authentication sources
Local authentication sources are files or other mechanisms for defining user accounts that exist within the product. For detailed procedures for local authentication configuration, in the Dell Powerscale InsightIQ Administration Guide, in the “Configuration” chapter, see the “Manage users” section.
LDAP authentication
InsightIQ supports authentication through a Lightweight Directory Access Protocol (LDAP) server. InsightIQ is RFC 2307-compliant. For integration instructions, in the Dell PowerScale InsightIQ Administration Guide, in the Configuration chapter, see “Configuring LDAP for authentication.”

12

Product and subsystem security

Certificate and key-based authentication
InsightIQ does not provide a certificate or key-based authentication. All access is through a username and password.

Multifactor authentication
InsightIQ does not provide MFA-based authentication. All access is through a username and password.

Unauthenticated interfaces
All access to InsightIQ requires a username and password. No component can be accessed without authentication.

User and credential management
This section describes how to manage and secure credentials in InsightIQ.

Preloaded accounts
InsightIQ is installed with one predefined account. Table 4. Preloaded account information Preloaded account name administrator

Initial privileges admin role

The administrator user
It is mandatory to reset the administrator user password at installation. The InsightIQ installation creates a default administrator user. This user is an InsightIQ local user with the admin role. The user cannot be deleted. Any attempt to delete it results in an error message. Although there is a default password associated with the administrator user, the customer is instructed to reset that password as part of the installation process. The password must conform to the InsightIQ password complexity rules. For the detailed list of rules, see the “Manage users” section in the Configuration chapter of the Dell PowerScale InsightIQ Administration Guide. If the installation completes without resetting the password, the script instructs the installer to log in to the InsightIQ web application to reset the password. In this case, the initial login must use the default credentials. For more information, see the Dell PowerScale InsightIQ Installation Guide. After the initial password reset, if the new password is forgotten, only an LDAP user with the admin role can reset the password for the default administrator user.
Default credentials
Ensure that default credentials are changed after installation. For details, see the Dell PowerScale InsightIQ Installation Guide.
Create or remove local accounts
Users with admin role can create and remove local accounts. For instructions, see the “Manage users” section in the Configuration chapter of the Dell PowerScale InsightIQ Administration Guide. InsightIQ does not include a function for disabling a local account.

Product and subsystem security

13

Managing credentials
The following sections describe how InsightIQ secures credentials internally, how to change local passwords, and where to find password complexity rules.
Securing credentials
InsightIQ stores local user credentials after encrypting passwords. It uses the SHA-384 hashing algorithm and adds salts to the password before storing it.
Password resets
The InsightIQ web application supports resetting local user passwords. If the local administrator user password is forgotten, an LDAP user with the admin role can reset the local administrator password. This is the only way to reset the local administrator user password. The local administrator user can reset a password for local users with read-only roles. For either of these actions, go to Settings > Manage Users, select the user whose password needs changing, and click Reset Password. To reset LDAP user passwords, use procedures on the LDAP platform.
Password complexity
Password complexity policies require users to set strong passwords. The InsightIQ password complexity rules are listed in the Dell PowerScale InsightIQ Administration Guide, in the Configuration chapter, in the “Manage users” section. That section also contains rules for InsightIQ local user names.
Authentication to external systems
InsightIQ includes capabilities to communicate with and authenticate to PowerScale clusters. This section describes the authentication mechanisms that are used to establish trust with those clusters.
Remote connections
InsightIQ integrates with external systems. This section describes those remote systems and provides connection information.
Remote component authentication
You must configure the credentials that are required for InsightIQ to authenticate to the external system.
PowerScale clusters
InsightIQ can connect to PowerScale clusters. For connection instructions, in the Dell PowerScale InsightIQ Administration Guide, in the “Configuration” chapter, under “Manage monitored PowerScale clusters,” see “Add a PowerScale cluster to monitor.” Another relevant topic in the same location is called “Modify PowerScale cluster login credentials.”
LDAP server
InsightIQ can connect to an LDAP server. Connection requires the external component usernames and passwords that have required privileges. For connection information, see the Dell PowerScale InsightIQ Administration Guide. In the Configuration chapter, under “Manage users,” see “Configuring LDAP for authentication.”

14

Product and subsystem security

Credential security
InsightIQ stores the credentials for connecting to PowerScale clusters in a datastore in an encrypted format.

Authorization
Authorization controls the permissions and authorized activities of authenticated users and processes.

Role-Based Access Control (RBAC)

RBAC assigns privileges to users through roles. A role has associated privileges that provide access to features and subsystems. The roles are assigned to users and processes. InsightIQ uses role-based access control to grant access to its features.
InsightIQ uses the following predefined roles.

Table 5. InsightIQ roles

Role name

Description

read-only

This role permits Dashboard viewing, report configuration, report data access, and alerts viewing.

admin

This role permits all read-only functions and all InsightIQ configuration, including user management, system configuration, and alerts configuration.

Mapping roles to external users
When authentication occurs using an external authentication system, you must map an InsightIQ role to a group of users defined in the external system. For mapping instructions, see the Dell PowerScale InsightIQ Administration Guide, in the Configuration chapter, in the “Configuring LDAP for authentication” section.

Elevated permissions for InsightIQ Simple administrator user
In InsightIQ Simple, the administrator user may perform certain privileged commands for the purposes of system maintenance and troubleshooting.
In InsightIQ Simple, the OVA-based installation is a restricted environment that includes the operating system. For security purposes, the InsightIQ Simple administrator user has limited system access and does not have root permissions, InsightIQ provides access to some system commands to allow the administrator to perform expected administrative duties.
For descriptions of all elevated permissions that InsightIQ provides to the InsightIQ Simple administrator user, see “InsightIQ Simple maintenance” in the “Maintenance” chapter in the Dell PowerScale InsightIQ Administrator Guide.

Network security
Network security includes networking exposure through ports and services, communications with remote systems, and firewall information.

InsightIQ ports

InsightIQ requires the following network ports to be open for communication.

Table 6. Required network ports

Port

Service Name

Protocol Communication Type

25

SMTP

TCP

Outbound

Usage and Description Used for Email deliveries

Product and subsystem security

15

Table 6. Required network ports (continued)

Port

Service Name

Protocol Communication Type

389

LDAP

TCP

Outbound

587

SMTP

TCP

Outbound

636

LDAPS

TCP

Outbound

5473

Calico-typha

HTTPS Inbound

6443

Rke2

8000 8080 8472

APIGateway OneFS Flannel VXLAN

9345 Rke2

10250 Metric server

TCP

Inbound

HTTPS TCP UDP

Inbound Outbound Outbound

TCP

Inbound

TCP

Outbound

Usage and Description
Used to configure LDAP users for login
Provides secure SMTP connection
Used to configure a secure LDAP connection
Used for the Calico-typha service, which is responsible for the Kubernetes network layer. The port must be open on all nodes in the InsightIQ cluster so that internal communication can happen.
NOTE: It is recommended that you block this port with a firewall rule on the external switch. This recommendation makes the port inaccessible on the external network.
NOTE: Internal communication through this port is authenticated using an internal client certificate. The certificate is embedded in the Kubernetes platform and included with InsightIQ installation.
The RKE2 server requires that this port is accessible by other nodes in the InsightIQ cluster.
Accesses the InsightIQ user interface
Used to connect to PowerScale OneFS
When Flannel VXLAN is used, all InsightIQ nodes must reach other nodes over this port.
The RKE2 server requires that this port be accessible by other nodes in the InsightIQ cluster.
If users want to use the metrics server, this port must be open on each InsightIQ node.

TLS
InsightIQ uses TLS 1.3 for all communication.
TLS Cipher Suites
A cipher suite defines technologies that secure your TLS communications. See Appendix A for the list of TLS cipher suites that InsightIQ supports.
NFS export security
If your InsightIQ setup uses an NFS export for its data store, you must ensure the security of the shared export. The customer is responsible for configuring the NFS export so that access is restricted to specific clients. You must not leave the share open for all to access. Required configurations for an NFS export as the InsightIQ data store are: 1. Configure the settings for InsightIQ as described in the Dell PowerScale InsightIQ Installation Guide. 2. Configure settings to restrict access to the NFS export as defined by your organization.

16

Product and subsystem security

Data protection
Data protection secures and protects customer and application data that InsightIQ stores, manages, and uses.
Data security
The data held, managed, used, or operated on by InsightIQ is stored securely. All InsightIQ data is stored in a PostgreSQL database. It is a customer choice whether the database is stored locally or on a Network File System (NFS) export.
Data-at-rest encryption
Data-at-rest encryption protects data that is stored in databases and other data repositories. Data-at-rest is data not moving through the network. InsightIQ stores all sensitive data, such as passwords, in encrypted format. Other data, including reports, are not encrypted.
Data sanitation
Sensitive data kept beyond its useful life or disposed of improperly can lead to data leaks. Data sanitization is the process of removing information from media such that information recovery is not possible. InsightIQ deletes sensitive data such as user passwords from the database when the user is deleted. Passwords are not stored if a user is deleted.
Cryptography
Cryptography is a method of protecting information and communications using encrypted algorithms. The goal is to allow only those entities for whom the information is intended to read and process the information.
Cryptography
InsightIQ uses globally recognized cryptographic algorithms and protocols. The following protocols are used: HTTPS Transport Layer Security (TLS) TLS to Lightweight Directory Access Protocol (LDAP)
Cryptographic configuration options
InsightIQ enforces the following cryptographic capabilities.
Default configurations
By default, InsightIQ uses TLS 1.3 for all communication. TLS version 1.3 is required and cannot be changed.
Ciphers
By default, the installed product is configured to support the ciphers listed in the “TLS Cipher Suites” appendix in this guide.

Product and subsystem security

17

Hashing algorithms
InsightIQ uses these hashing algorithms: 1. sha256: Used for password hashing 2. sha384: Used for password hashing 3. sha224: Used for hashing cookie secrets
Certificate management
All InsightIQ API communication, which includes communication through the web administration interface, is over Transport Layer Security (TLS). You can use the default self-signed TLS certificate for the InsightIQ web administration interface or replace it with a third-party TLS certificate. The TLS certificate is used to access the InsightIQ web application through a browser. The InsightIQ cluster initially contains a self-signed certificate for this purpose. You can continue to use the existing self-signed certificate, or you can replace it with either: A third party (public or private) CA-issued certificate Another self-signed certificate that is generated by users
NOTE: To ensure timely renewal and prevent service disruption, you should proactively monitor the expiration dates of your TLS certificates.
View the default certificate
You can view the self-signed default TLS server certificate that is installed on the InsightIQ cluster from your web browser.
Prerequisites You can view the self-signed default TLS server certificate in a web browser.
Steps 1. In a web browser, go to the InsightIQ login screen.
The URL format is https://:8000/insightiqui/login. 2. On the left side of the URL field, click the View site information icon. 3. Depending on the choices that appear, click Certificate is not valid or Connection is secure > Certificate is valid.
The browser displays the contents of the certificate.
Replace or renew a certificate
You can replace or renew the TLS certificate.
Prerequisites You must have a CA certificate or another self-signed certificate. You must have a private key in a decrypted form. You must know the credentials for logging in as described in step 1 below.
Steps 1. Log in as follows:
For InsightIQ Scale (three-node deployment), log in as the root user on the primary node of the InsightIQ cluster. For InsightIQ Simple (OVA deployments), log in as the VM administrator. 2. Create a Kubernetes secret that holds the certificate.
kubectl create secret tls -n istio-system –cert=<certificate file> -key=

18

Product and subsystem security

For example: kubectl create secret tls my-test-secret -n istio-system –cert =my-self-signedcert.pem –key=my-private-key.pem
If the command is successful, you receive a message similar to the following: secret/my-test-secret created
3. Change the istio gateway configuration as follows: a. Edit the configuration file: kubectl edit gateway iiq-gateway -n atlantic
b. Set the credentialName field to the new that you provided in Step 2. c. Save the file. If the configuration change is successful, you receive the following message.
gateway.networking.istio.io/iiq-gateway edited 4. Verify the new certificate.
a. In a web browser, go to the InsightIQ login screen. The URL format is https://:8000/insightiqui/login.
b. On the left side of the URL field, click the View site information icon. c. Depending on the choices that appear, click Certificate is not valid or Connection is secure > Certificate is valid.
The browser displays the contents of the certificate.
Regulatory information
Dell Technologies is committed to compliance with the laws and regulations in each country or region into which the company ships the product. For information about regulatory information for Dell PowerScale OneFS, see the Dell compliance portal on the Dell Support site.
Auditing and logging
This section describes InsightIQ capabilities that are related to logging, events, and auditing.
Logging
InsightIQ has several logging, alerting, and similar capabilities.
Log levels
InsightIQ uses the following log levels. The order of the list is from least to most verbose. FATAL ERROR WARNING INFO–This is the default log level. DEBUG
Log Rotation
Log rotation capabilities are available in the logging configuration file. The logging file defaults to five stored iterations. Each file size is 10 MB.

Product and subsystem security

19

System behavior on failed log attempts
When a log attempt fails, the log entry does not occur.
Log format
The format of a log entry is: format = %(asctime)s [%(levelname)s] <%(threadName)s : %(thread)d> [%(name)s : % (funcName)s() : %(lineno)d] %(message)s
Gather product logs
You can run a script that gathers all the InsightIQ logs.
Prerequisites You must be able to log in with appropriate credentials. See step 1.
About this task The log collection script gathers logs from all InsightIQ nodes. If any node is inaccessible, the script skips log collection for that specific node. The script puts the collected logs in /var/log/iiq_logs.tar.gz.
Steps 1. Start an SSH session to the InsightIQ primary node using the following credentials:
For InsightIQ Scale (three-node deployment)–Log in as root user. For InsightIQ Simple (OVA deployment)– Log in as the default administrator user. 2. Change to the scripts directory:
cd ~/usr/share/storagemonitoring/scripts/deploymentmanager
3. Run the script: bash iiq_log_bundler.sh
The script downloads the required package. 4. For InsightIQ Scale, respond to the prompts for the root passwords for the worker nodes.
The script needs worker node passwords to gather logs from those nodes. Enter root password for : Enter root password for :
Gather Istio logs
You can gather all the logs that Istio generates on the Istio pod.
Steps 1. Log in to the primary node of the InsightIQ cluster. 2. Run the following commands:
kubectl get pod ­n istio-system kubectl logs istio-ingressgateway- xxxxxxxxxxxx-xxxxxx ­n istio-system > /var/log/ iiq_istio_logs.log

20

Product and subsystem security

Alerting
InsightIQ generates alerts based on key performance indicators (KPIs). Alert generation is configurable. Alerting features include: InsightIQ generates alerts when the threshold for a key performance indicator (KPI) is crossed. Policies define the KPIs that you want to monitor for selected PowerScale clusters. Users can view alerts on the InsightIQ web application.
NOTE: If a PowerScale cluster is removed from InsightIQ, existing alerts that were generated for that cluster are no longer visible on the InsightIQ web application. Administrators can configure InsightIQ to send email status alerts to specified email addresses. For information about configuring and viewing alerts, see the Alerts chapter in the Dell Technologies InsightIQ Administration Guide.
Physical security
InsightIQ depends on the following interfaces and deployment expectations for physical security: The InsightIQ platform uses native Kubernetes controls for cluster security. For more information about Kubernetes security,
see the Kubernetes documentation for securing a cluster here. The Dell PowerScale InsightIQ Installation Guide describes specific steps that are related to physical security.
Serviceability
If you encounter operational issues with InsightIQ, contact Dell Customer Support. See the Preface in this guide for contact information.
Maintenance Aids
Maintenance aids are hardware or software tools in InsightIQ that perform diagnostic or remedial actions. For information about diagnostic methods, see the “Troubleshooting InsightIQ” chapter in the Dell PowerScale InsightIQ Administration Guide.
Responsible service use by Dell
Dell maintains a responsible partnership with its customers. This partnership respects customer security boundaries while offering efficient world-class support.
Security advisories and updates
You must remain knowledgeable about security vulnerabilities and apply product updates as they become available.
Obtain Dell advisories and updates
Dell technical advisories (DTAs), Dell security advisories (DSAs), and code updates are available on the Dell Support site. These documents provide important information and solutions for issues that affect InsightIQ.
Steps 1. To view current lists of DTAs and DSAs:
a. Go to the InsightIQ product page on the Dell Support site here. b. Click the Advisories tab.

Product and subsystem security

21

c. Select Technical or Security. 2. To subscribe to receive email notifications about new DTAs and DSAs:
a. Go to the InsightIQ product page on the Support site. b. Ensure that you are logged in with a Dell Technologies customer account. c. Locate the Contact Us tab on the right side of the browser window, and click Contact Us > Notifications . d. Select one or both of these toggles:
Dell Technical Advisory Dell Security Advisory 3. To download product updates: a. Go to the InsightIQ product page on the Dell Support site. b. Ensure that you are logged in with a Dell Technologies customer account. c. Click the Downloads tab. d. Use the filters to find updates for your product version.
NOTE: Your Dell Technologies customer account controls access to product downloads.
Customer prerequisites for security updates
This section describes the prerequisites that must be in place before you can successfully apply security updates. The only prerequisite for applying an InsightIQ security update is that you must be running the specific version of InsightIQ for which the update is intended. See the Readme file that accompanies each security update.
Protect authenticity and integrity
InsightIQ uses the following methods to ensure and protect the integrity of the code that it distributes.
Code signing
Dell Technologies digitally signs all InsightIQ software packages. The term software package includes installation packages for full releases and all upgrades. To verify that an installation package remains unaltered after downloading, see “Verify code authenticity” in the Installation chapter of the Dell PowerScale InsightIQ Installation Guide. That guide provides verification steps for .tar.gz and .ova files. It is recommended that you perform these verification steps immediately before installation.
Certificates
InsightIQ ships with a self-signed Transport Layer Security (TLS) certificate. It is recommended that you replace the default TLS certificate with a signed certificate from a trusted Certificate Authority. For steps to view and replace certificates, see “Certificate management” in the “Cryptography” section of this guide.

22

Product and subsystem security

3
Miscellaneous Configuration and Management Elements
Topics:
· Software licensing and conditions for use · Preventing malware · Installing client software · Backups of application or data
Software licensing and conditions for use
The license to download and use Dell Technologies InsightIQ software is included with a Dell Technologies PowerScale OneFS license. On first login, the administrator user must accept the conditions for use. The Installation Guide describes how to download and install InsightIQ and how to log in to the InsightIQ user interface the first time. On first login, InsightIQ prompts the user to read and accept the conditions for use. No further usage is allowed until the user accepts the conditions. After the conditions are accepted, the prompt does not occur again. For a matrix showing the InsightIQ releases and the PowerScale OneFS releases that they support, see the PowerScale OneFS Supportability and Compatibility Guide.
Preventing malware
InsightIQ includes the following malware detection capabilities and options. All InsightIQ downloadable packages are scanned for malware by Dell before they are posted to the Dell Support site. At the customer site, we recommend that the following Kubernetes directories are excluded from malware scanning: /run/containerd/ /var/lib/containerd/ /var/lib/rancher/rke2/agent/containerd/ For more information about removing these directories, see the “System Requirements” chapter in the Dell PowerScale InsightIQ Installation Guide.
Installing client software
The Dell PowerScale InsightIQ Installation Guide describes all requirements and expectations for deploying InsightIQ on customer-supplied hardware.
Backups of application or data
InsightIQ does not include backup functionality. Customers may choose to run backups of report data using their own backup procedures.

Miscellaneous Configuration and Management Elements

23

A
TLS cipher suites
This appendix lists the TLS cipher suites that InsightIQ supports.
Topics:
· Default and supported TLS cipher suites
Default and supported TLS cipher suites
A cipher suite defines technologies that secure your TLS communications. InsightIQ supports the following TLS cipher suites: 1. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 2. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 3. TLS_AKE_WITH_AES_128_GCM_SHA256 4. TLS_AKE_WITH_AES_256_GCM_SHA384 5. TLS_AKE_WITH_CHACHA20_POLY1305_SHA256

24

TLS cipher suites

B

SDL for InsightIQ 5.1.0: Security false positives

Topics:
· Security False Positives for InsightIQ 5.1.0

Security False Positives for InsightIQ 5.1.0

The following table describes security false positives from various scanners for InsightIQ 5.1.0.
The table shows the embedded component name that has a false positive associated with it and the Common Vulnerabilities and Exposures (CVE) ID. The next columns describe the vulnerability, the reason that InsightIQ is not vulnerable, and the date of the false positive finding.

Table 7. False positives for InsightIQ 5.1.0

Embedded CVE id Component

Summary of Vulnerability

urllib3

CVE-2023-43 804

The urllib3 component is an HTTP client library for Python. It does not do anything special with a Cookie HTTP header or provide any helpers for managing cookies over HTTP. Those tasks are the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information using HTTP redirects to a different origin if that user does not disable redirects explicitly. This issue is updated in urllib3 version 1.26.17 or 2.0.5.

postgresql 16

CVE-2024-09 85

A flaw was found in PostgreSQL that allows authenticated database users to run arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This issue enables the execution of arbitrary code on the target system. It allows users to write arbitrary bytes to memory and extensively read the server’s memory.

certifi version

CVE-2023-37 920

Certifi is a curated collection of root certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes e-Tugra root certificates. e-Tugra root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi

Reason that InsightIQ is False Positive

not vulnerable

Date

According to the CVE,

March 26, 2024

this flow exists in versions

earlier than 1.25.10.

InsightIQ is using version

1.26.14. Hence this is a false

positive.

According to the CVE, this flow exists in versions earlier than 16.1. InsightIQ is using version 16.2. Hence this is a false positive.

March 26, 2024

The OpenSUSE website

March 26, 2024

marks python Certifi as not

affected for SLES 15 SP4.

SDL for InsightIQ 5.1.0: Security false positives

25

Table 7. False positives for InsightIQ 5.1.0 (continued)

Embedded CVE id Component

Summary of Vulnerability

Reason that InsightIQ is False Positive

not vulnerable

Date

2023.07.22 removes root certificates from e-Tugra from the root store.

pip version

CVE-2018-202 25

An issue was discovered in pip (all versions). It installs the version with the highest version number, even if the user intends to obtain a private package from a private index. The issue only affects use of the –extra-index- url option. Exploitation requires that the package does not already exist in the public index. (An attacker is thus permitted to put a package with an arbitrary version number.)
NOTE: This issue is reported as intended functionality, with the user responsible for using -extra-index-url securely. This
vulnerability was first assigned with CVE-2018-20225, and it is still under dispute. This vulnerability still poses a threat when using the –extraindex- url.

The OpenSUSE website marks it as ignore for SLES 15 SP4.

March 26, 2024

26

SDL for InsightIQ 5.1.0: Security false positives

References

Read User Manual Online (PDF format)

Loading......

Download This Manual (PDF format)

Download this manual  >>

Related Manuals