DELL InsightIQ 5.1.0 Elevated Performance Monitoring User Guide
- August 30, 2024
- Dell
Table of Contents
- InsightIQ 5.1.0 Elevated Performance Monitoring
- Product Information
- Specifications
- Product Usage Instructions
- Overview
- Scope
- Deployment Models
- Security Profiles
- Protect Authenticity and Integrity
- Q: Where can I find Dell advisories and updates?
- Q: How do I handle security false positives in InsightIQ
InsightIQ 5.1.0 Elevated Performance Monitoring
“`html
Product Information
Specifications
- Product Name: Dell InsightIQ 5.1.0
- Release Date: May 2024
- Security Configuration Guide
Product Usage Instructions
Overview
The Dell InsightIQ 5.1.0 Security Configuration Guide provides
controls and settings for secure deployment, usage, and maintenance
of InsightIQ. It is essential for maintaining the authenticity and
integrity of your system.
Scope
The guide covers security configurations specific to InsightIQ.
For security information related to other products or
subcomponents, refer to their respective security configuration
guides.
Deployment Models
InsightIQ supports various deployment models to cater to
different user requirements. Ensure you choose the appropriate
model that aligns with your needs.
Security Profiles
Understand the available security profiles in InsightIQ to
effectively manage access control and permissions within the
system.
Protect Authenticity and Integrity
Follow recommended practices to protect the authenticity and
integrity of your data within the InsightIQ environment. Regularly
update security configurations to mitigate potential risks.
Frequently Asked Questions (FAQ)
Q: Where can I find Dell advisories and updates?
A: Dell advisories and updates can be obtained from the
designated sources mentioned in the guide. Ensure you meet the
specified customer prerequisites for security updates.
Q: How do I handle security false positives in InsightIQ
5.1.0?
A: Refer to Appendix B of the guide for information on Security
False Positives for InsightIQ 5.1.0 and follow the recommended
steps to address them effectively.
“`
Dell InsightIQ 5.1.0
Security Configuration Guide
May 2024
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of
your product. CAUTION: A CAUTION indicates either potential damage to hardware
or loss of data and tells you how to avoid the problem. WARNING: A WARNING
indicates a potential for property damage, personal injury, or death.
© 2009 – 2024 Dell Inc. or its subsidiaries. All rights reserved. Dell
Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its
subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents
Preface……………………………………………………………………………………………………………………….. 5 Legal
disclaimers……………………………………………………………………………………………………………………………………………… 5 Scope of
document………………………………………………………………………………………………………………………………………….5 InsightIQ
documentation………………………………………………………………………………………………………………………………….5 Security
resources …………………………………………………………………………………………………………………………………………. 6 Getting
help…………………………………………………………………………………………………………………………………………………….. 6 Where to go
for support……………………………………………………………………………………………………………………………. 6 Reporting
security vulnerabilities……………………………………………………………………………………………………………………. 7 Follow
us online……………………………………………………………………………………………………………………………………………….. 7
Chapter 1: Security quick reference…………………………………………………………………………………. 8
Deployment models …………………………………………………………………………………………………………………………………………8
Security profiles………………………………………………………………………………………………………………………………………………. 8
Chapter 2: Product and subsystem security………………………………………………………………………10
Security controls map……………………………………………………………………………………………………………………………………. 10
Authentication………………………………………………………………………………………………………………………………………………… 11
Supported users………………………………………………………………………………………………………………………………………… 11
Session-based authentication…………………………………………………………………………………………………………………… 11
Login security …………………………………………………………………………………………………………………………………………….11
Authentication types and setup………………………………………………………………………………………………………………..12
User and credential management……………………………………………………………………………………………………………..13
Authentication to external systems…………………………………………………………………………………………………………. 14
Authorization………………………………………………………………………………………………………………………………………………….. 15
Role-Based Access Control (RBAC)……………………………………………………………………………………………………….. 15
Mapping roles to external users………………………………………………………………………………………………………………. 15
Elevated permissions for InsightIQ Simple administrator
user………………………………………………………………..15 Network
security…………………………………………………………………………………………………………………………………………….15 InsightIQ
ports………………………………………………………………………………………………………………………………………….. 15
TLS……………………………………………………………………………………………………………………………………………………………..16 NFS export
security…………………………………………………………………………………………………………………………………..16 Data
protection……………………………………………………………………………………………………………………………………………….17 Data
security………………………………………………………………………………………………………………………………………………17 Data-at-rest
encryption……………………………………………………………………………………………………………………………. 17 Data
sanitation………………………………………………………………………………………………………………………………………….. 17
Cryptography…………………………………………………………………………………………………………………………………………………. 17
Cryptography……………………………………………………………………………………………………………………………………………..17
Cryptographic configuration options………………………………………………………………………………………………………..
17 Certificate management…………………………………………………………………………………………………………………………… 18
Regulatory information…………………………………………………………………………………………………………………………….. 19
Auditing and logging………………………………………………………………………………………………………………………………………. 19
Logging……………………………………………………………………………………………………………………………………………………… 19
Alerting……………………………………………………………………………………………………………………………………………………….21 Physical
security……………………………………………………………………………………………………………………………………………..21
Contents
3
Serviceability………………………………………………………………………………………………………………………………………………….. 21
Maintenance Aids……………………………………………………………………………………………………………………………………… 21
Responsible service use by Dell……………………………………………………………………………………………………………….. 21
Security advisories and updates ……………………………………………………………………………………………………………………21
Obtain Dell advisories and updates…………………………………………………………………………………………………………..
21 Customer prerequisites for security
updates…………………………………………………………………………………………. 22
Protect authenticity and integrity…………………………………………………………………………………………………………………
22
Chapter 3: Miscellaneous Configuration and Management
Elements……………………………………..23 Software licensing and conditions for
use…………………………………………………………………………………………………… 23 Preventing
malware………………………………………………………………………………………………………………………………………. 23 Installing
client software………………………………………………………………………………………………………………………………..23 Backups of
application or data………………………………………………………………………………………………………………………23
Appendix A: TLS cipher suites……………………………………………………………………………………….. 24 Default
and supported TLS cipher suites…………………………………………………………………………………………………….. 24
Appendix B: SDL for InsightIQ 5.1.0: Security false positives
………………………………………………25 Security False Positives for InsightIQ 5.1.0
………………………………………………………………………………………………… 25
4
Contents
Preface
Legal disclaimers
NOTE: THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN
THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL DELL,
ITS AFFILIATES OR SUPPLIERS, BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING FROM
OR RELATED TO THE INFORMATION CONTAINED HEREIN OR ACTIONS THAT YOU DECIDE TO
TAKE BASED THEREON, INCLUDING ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF DELL, ITS AFFILIATES OR
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Dell takes reports of potential security vulnerabilities in our products very
seriously. If you discover a security vulnerability, you are encouraged to
report it to Dell immediately. Dell distributes Security Advisories to bring
important security information to the attention of users of the impacted
product(s). Dell assesses risk based on an average of risks across a diverse
set of installed systems and may not represent the actual risk to your local
installation and individual environment. It is recommended that all users
determine the applicability of this information to their individual
environments and take appropriate actions. All aspects of Dell’s Vulnerability
Response Policy are subject to change without notice and on a case-by-case
basis. Your use of the information contained in this document or materials
linked herein is at your own risk. Dell reserves the right to change or update
this document in its sole discretion and without notice at any time.
Scope of document
This guide provides an overview of the security configuration controls and
settings available in InsightIQ. This guide is intended to help facilitate
secure deployment, usage, and maintenance of InsightIQ. Security information
for other products or subcomponents that might be deployed with InsightIQ are
covered in their own security configuration guides.
InsightIQ documentation
Other documentation exists for InsightIQ. See the PowerScale InsightIQ Info Hub for links to the latest versions of the following InsightIQ publications.
Table 1. InsightIQ documentation Document Dell PowerScale InsightIQ Release Notes
Description
This document contains information about new features, enhancements, and known
issues for InsightIQ.
Dell PowerScale InsightIQ Installation Guide
This document contains information about how to install and configure InsightIQ and how to upgrade an existing installation of InsightIQ.
Dell PowerScale InsightIQ User Guide
This document contains information and instructions for monitoring a Dell PowerScale cluster with InsightIQ.
Dell PowerScale InsightIQ Administration Guide This document contains information and instructions for configuring and maintaining InsightIQ.
Dell PowerScale InsightIQ Security Configuration Guide
Dell PowerScale Supportability and Compatibility Guide
This document contains information about security controls and configurations
for InsightIQ.
This document contains information about compatibility between PowerScale
OneFS releases and InsightIQ releases.
Preface
5
Security resources
Resources include Dell Security Advisories (DSAs), Common Vulnerabilities and Exposures (CVEs), and a list of false positives.
Table 2. Security resources from Dell
Type
Description
DSAs and CVEs
Dell Security Advisories (DSAs) notify customers about potential security vulnerabilities and their remedies for Dell products. The advisories include specific details about an issue and instructions to help prevent or alleviate that security exposure.
CVEs
Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. A DSA can address one or more CVEs.
False Positives
It is possible for a security scan to incorrectly identify a CVE as affecting a Dell product. CVEs in this category are termed false positives. False positives for InsightIQ are listed in SDL for InsightIQ 5.1.0: Security false positives .
Register for advisory notifications
On the product-specific page on the Dell support site, you can register to
receive email notifications of DSAs. A valid Dell support account is required.
- Go to product-specific page on the Dell support site. 2. If you are not signed in to the Support site, click Sign In on the banner and provide your Dell account information. 3. Click Contact Support on the right side of the page. 4. Click Notifications. 5. Click the Dell EMC Security Advisories toggle.
Getting help
The Dell Support site contains important information about products and
services: The direct link to the InsightIQ product page on the Dell Support
site is here. The product-specific page includes drivers, installation
packages, product documentation, knowledge base articles, and security
advisories. A valid support contract and account might be required to access
all the available information about a specific Dell product or service.
Depending on your support plan, you may be able to use the Support site to
contact Dell for assistance in resolving problems.
Where to go for support
This topic lists support resources for InsightIQ.
Table 3. Resources for InsightIQ Resources Telephone support
Description
United States: 1-800-SVC-4EMC
(1-800-782-4362) Canada:
1-800-543-4782 Worldwide:
1-312-725-5401 Local phone numbers for
a specific country or region are available at Dell
Customer Support Centers.
Downloads, documentation, and security advisories
Community support
Info Hubs
PowerScale InsightIQ page on Dell Support
Dell Community PowerScale InsightIQ Info Hub PowerScale OneFS Info Hubs
6
Preface
Reporting security vulnerabilities
Dell takes reports of potential security vulnerabilities in its products
seriously. If you discover a security vulnerability, you are encouraged to
report it to Dell immediately. For the latest instructions on how to report a
security issue to Dell, see the Dell Vulnerability Response Policy.
Follow us online
To learn more about Dell and our commitment to security, you can follow the
latest information on these sites: Dell Security and Trust Center Dell Support
Site Home To provide feedback on this solution, email us at support@dell.com.
Preface
7
1
Security quick reference
This quick reference introduces InsightIQ from the security perspective. It
provides context for understanding the information in this guide.
Topics:
· Deployment models · Security profiles
Deployment models
A deployment model is the combination of installation, networking, and
physical layout (if applicable) for the product as an ecosystem. All InsightIQ
deployments maximize security goals and facilitate secure system management.
InsightIQ 5.x is a Kubernetes-based application. The installation process
deploys all required software, including Kubernetes, the InsightIQ
application, all supporting infrastructure and tools, and the database.
Physical deployment options
InsightIQ 5.x.x supports the following physical deployment models: InsightIQ
Simple is a one-node deployment on a VMware virtual machine running a
supported ESXi version. This deployment
is OVA-based using an .ova file. InsightIQ Scale is a three-node deployment on
three virtual or physical machines that are running a supported Red Hat
Enterprise Linux or ESXi version. This deployment uses an installation script
delivered in a .tar.gz file. For supported operating system versions for each
InsightIQ release, see the Prerequisites section in the release-specific Dell
PowerScale InsightIQ Installation Guide.
Datastore location options
The InsightIQ datastore is a PostgreSQL database. At installation time, the
database location is defined as either of the following: Local storage An NFS
export
Secure Remote Support options
InsightIQ does not have Dell remote support options.
Security profiles
Security profiles are representations of the product or subsystem security
posture through specific configuration setting combinations. InsightIQ
supports authentication for local users and LDAP or LDAPS users. All users
(local and LDAP/LDAPS) have one of the following predefined roles: admin role
read-only role
8
Security quick reference
Admin users
Users with admin role can configure InsightIQ settings, add and remove
PowerScale clusters to InsightIQ for monitoring purposes, and manage alerts,
users, and sessions. These users can also perform all actions available to the
read-only users. There are two types of admin users: The default administrator
user–The installation process creates one local user with the admin role. The
username for
this default local user is administrator. This default administrator user is
the only local user account that can have the admin role. Members of an LDAP
or LDAPS group that is mapped to the InsightIQ admin role–Any user with admin
role can perform the mapping to create additional admin users.
Read-only users
Users with the read-only role can define and access reports, view the
dashboard, and view alerts. Read-only users can be either: Local users with
read-only role–Any user with admin role can create local read-only users.
Members of an LDAP or LDAPS group that is mapped to the InsightIQ read-only
role–Any user with admin role can
perform the mapping.
More information
For information about adding users and mapping roles, see the “Manage users”
section in the Configuration chapter of the Dell PowerScale InsightIQ
Administration Guide.
Security quick reference
9
2
Product and subsystem security
InsightIQ contains the following security features.
Topics:
· Security controls map · Authentication · Authorization · Network security ·
Data protection · Cryptography · Auditing and logging · Physical security ·
Serviceability · Security advisories and updates · Protect authenticity and
integrity
Security controls map
The security controls map shows the network connections and user interfaces in
InsightIQ. The map indicates the security controls in InsightIQ that protect
those connections and interfaces from attack.
Figure 1. Security controls map
10
Product and subsystem security
Authentication
Authentication controls access to the system. This section describes default
security settings and configuration options that control how users and
processes authenticate with InsightIQ.
Supported users
InsightIQ supports local users and LDAP or LDAPS users.
Local users
The installation process creates one local user with the admin role. This
default local username is administrator. This default local user administrator
is the only local user account that can have the admin role. Any user with
admin role can create additional local users with the read-only role.
LDAP and LDAPS users
If LDAP or LDAPS is configured for InsightIQ, then LDAP users can gain access
to InsightIQ. By default, LDAP users do not have InsightIQ access. Those users
gain access if they are members of an LDAP group that is added to InsightIQ.
Any existing user with the admin role can add LDAP groups to InsightIQ. For
details, see the Dell PowerScale InsightIQ Administration Guide, in the
“Configuration” chapter, under Manage Users, see Add an LDAP group. When an
admin adds an LDAP group, they must assign an InsightIQ role to the group. The
roles are admin or read-only. Members of an LDAP group that is mapped to the
admin role have all the same privileges as the original local administrator
user. Members of an LDAP group that is mapped to the read-only role have all
the same privileges as local users with the read-only role.
Session-based authentication
Session-based authentication applies to REST API sessions and web application
sessions. A JWT token is used to support session-based authentication. A
session is valid for 12 hours or until the user logs out.
Login security
The following sections describe capabilities for controlling login access.
Failed login behavior
Failed login behavior defines how the system handles one or more unsuccessful
attempts at authentication. InsightIQ permits users to perform any number of
multiple attempts to authenticate. For password reset procedures, see Password
resets later in this guide.
Emergency user lockout
Administrators can prevent users who are a potential threat to the system from
accessing any features in the system. Use the following methods to lock out a
user from accessing the system. Emergency session end–You can immediately log
users out of the current session and end the session. See Emergency
session end. Reset passwords–See Password resets.
Product and subsystem security
11
Emergency session end
A user with admin role can end existing user sessions and log out the users.
About this task A user with admin role can use the API to immediately end a
session and log out the user. The API is:
POST /insightiq/rest/security-iam/v1/auth/logout For more information, see the
section called “Authentication and session management” in the “REST API”
chapter in the Dell PowerScale InsightIQ Administration Guide.
NOTE: The logout API logs out the current user session. It does not invalidate
any other user session. Alternatively, a user with admin role can use the
following commands to end all sessions.
Steps 1. For InsightIQ Scale (three-node installation), log in to the system
as root user. For InsightIQ Simple, log in as the
administrator user. 2. Delete the secrets:
kubectl delete secrets security-iam-session-manager-tls -n atlantic
3. Get the security-iam pod identifier to use in the next step: kubectl get
pod -n atlantic | grep security-iam
4. Refresh the security-iam pod. kubectl delete pods
5. Logins cannot occur until after the pod restarts.
Authentication types and setup
The following sections describe the types of authentication that InsightIQ
supports.
Local authentication sources
Local authentication sources are files or other mechanisms for defining user
accounts that exist within the product. For detailed procedures for local
authentication configuration, in the Dell Powerscale InsightIQ Administration
Guide, in the “Configuration” chapter, see the “Manage users” section.
LDAP authentication
InsightIQ supports authentication through a Lightweight Directory Access
Protocol (LDAP) server. InsightIQ is RFC 2307-compliant. For integration
instructions, in the Dell PowerScale InsightIQ Administration Guide, in the
Configuration chapter, see “Configuring LDAP for authentication.”
12
Product and subsystem security
Certificate and key-based authentication
InsightIQ does not provide a certificate or key-based authentication. All
access is through a username and password.
Multifactor authentication
InsightIQ does not provide MFA-based authentication. All access is through a
username and password.
Unauthenticated interfaces
All access to InsightIQ requires a username and password. No component can be
accessed without authentication.
User and credential management
This section describes how to manage and secure credentials in InsightIQ.
Preloaded accounts
InsightIQ is installed with one predefined account. Table 4. Preloaded account
information Preloaded account name administrator
Initial privileges admin role
The administrator user
It is mandatory to reset the administrator user password at installation. The
InsightIQ installation creates a default administrator user. This user is an
InsightIQ local user with the admin role. The user cannot be deleted. Any
attempt to delete it results in an error message. Although there is a default
password associated with the administrator user, the customer is instructed to
reset that password as part of the installation process. The password must
conform to the InsightIQ password complexity rules. For the detailed list of
rules, see the “Manage users” section in the Configuration chapter of the Dell
PowerScale InsightIQ Administration Guide. If the installation completes
without resetting the password, the script instructs the installer to log in
to the InsightIQ web application to reset the password. In this case, the
initial login must use the default credentials. For more information, see the
Dell PowerScale InsightIQ Installation Guide. After the initial password
reset, if the new password is forgotten, only an LDAP user with the admin role
can reset the password for the default administrator user.
Default credentials
Ensure that default credentials are changed after installation. For details,
see the Dell PowerScale InsightIQ Installation Guide.
Create or remove local accounts
Users with admin role can create and remove local accounts. For instructions,
see the “Manage users” section in the Configuration chapter of the Dell
PowerScale InsightIQ Administration Guide. InsightIQ does not include a
function for disabling a local account.
Product and subsystem security
13
Managing credentials
The following sections describe how InsightIQ secures credentials internally,
how to change local passwords, and where to find password complexity rules.
Securing credentials
InsightIQ stores local user credentials after encrypting passwords. It uses
the SHA-384 hashing algorithm and adds salts to the password before storing
it.
Password resets
The InsightIQ web application supports resetting local user passwords. If the
local administrator user password is forgotten, an LDAP user with the admin
role can reset the local administrator password. This is the only way to reset
the local administrator user password. The local administrator user can reset
a password for local users with read-only roles. For either of these actions,
go to Settings > Manage Users, select the user whose password needs changing,
and click Reset Password. To reset LDAP user passwords, use procedures on the
LDAP platform.
Password complexity
Password complexity policies require users to set strong passwords. The
InsightIQ password complexity rules are listed in the Dell PowerScale
InsightIQ Administration Guide, in the Configuration chapter, in the “Manage
users” section. That section also contains rules for InsightIQ local user
names.
Authentication to external systems
InsightIQ includes capabilities to communicate with and authenticate to
PowerScale clusters. This section describes the authentication mechanisms that
are used to establish trust with those clusters.
Remote connections
InsightIQ integrates with external systems. This section describes those
remote systems and provides connection information.
Remote component authentication
You must configure the credentials that are required for InsightIQ to
authenticate to the external system.
PowerScale clusters
InsightIQ can connect to PowerScale clusters. For connection instructions, in
the Dell PowerScale InsightIQ Administration Guide, in the “Configuration”
chapter, under “Manage monitored PowerScale clusters,” see “Add a PowerScale
cluster to monitor.” Another relevant topic in the same location is called
“Modify PowerScale cluster login credentials.”
LDAP server
InsightIQ can connect to an LDAP server. Connection requires the external
component usernames and passwords that have required privileges. For
connection information, see the Dell PowerScale InsightIQ Administration
Guide. In the Configuration chapter, under “Manage users,” see “Configuring
LDAP for authentication.”
14
Product and subsystem security
Credential security
InsightIQ stores the credentials for connecting to PowerScale clusters in a
datastore in an encrypted format.
Authorization
Authorization controls the permissions and authorized activities of
authenticated users and processes.
Role-Based Access Control (RBAC)
RBAC assigns privileges to users through roles. A role has associated
privileges that provide access to features and subsystems. The roles are
assigned to users and processes. InsightIQ uses role-based access control to
grant access to its features.
InsightIQ uses the following predefined roles.
Table 5. InsightIQ roles
Role name
Description
read-only
This role permits Dashboard viewing, report configuration, report data access, and alerts viewing.
admin
This role permits all read-only functions and all InsightIQ configuration, including user management, system configuration, and alerts configuration.
Mapping roles to external users
When authentication occurs using an external authentication system, you must
map an InsightIQ role to a group of users defined in the external system. For
mapping instructions, see the Dell PowerScale InsightIQ Administration Guide,
in the Configuration chapter, in the “Configuring LDAP for authentication”
section.
Elevated permissions for InsightIQ Simple administrator user
In InsightIQ Simple, the administrator user may perform certain privileged
commands for the purposes of system maintenance and troubleshooting.
In InsightIQ Simple, the OVA-based installation is a restricted environment
that includes the operating system. For security purposes, the InsightIQ
Simple administrator user has limited system access and does not have root
permissions, InsightIQ provides access to some system commands to allow the
administrator to perform expected administrative duties.
For descriptions of all elevated permissions that InsightIQ provides to the
InsightIQ Simple administrator user, see “InsightIQ Simple maintenance” in the
“Maintenance” chapter in the Dell PowerScale InsightIQ Administrator Guide.
Network security
Network security includes networking exposure through ports and services,
communications with remote systems, and firewall information.
InsightIQ ports
InsightIQ requires the following network ports to be open for communication.
Table 6. Required network ports
Port
Service Name
Protocol Communication Type
25
SMTP
TCP
Outbound
Usage and Description Used for Email deliveries
Product and subsystem security
15
Table 6. Required network ports (continued)
Port
Service Name
Protocol Communication Type
389
LDAP
TCP
Outbound
587
SMTP
TCP
Outbound
636
LDAPS
TCP
Outbound
5473
Calico-typha
HTTPS Inbound
6443
Rke2
8000 8080 8472
APIGateway OneFS Flannel VXLAN
9345 Rke2
10250 Metric server
TCP
Inbound
HTTPS TCP UDP
Inbound Outbound Outbound
TCP
Inbound
TCP
Outbound
Usage and Description
Used to configure LDAP users for login
Provides secure SMTP connection
Used to configure a secure LDAP connection
Used for the Calico-typha service, which is responsible for the Kubernetes
network layer. The port must be open on all nodes in the InsightIQ cluster so
that internal communication can happen.
NOTE: It is recommended that you block this port with a firewall rule on the
external switch. This recommendation makes the port inaccessible on the
external network.
NOTE: Internal communication through this port is authenticated using an
internal client certificate. The certificate is embedded in the Kubernetes
platform and included with InsightIQ installation.
The RKE2 server requires that this port is accessible by other nodes in the
InsightIQ cluster.
Accesses the InsightIQ user interface
Used to connect to PowerScale OneFS
When Flannel VXLAN is used, all InsightIQ nodes must reach other nodes over
this port.
The RKE2 server requires that this port be accessible by other nodes in the
InsightIQ cluster.
If users want to use the metrics server, this port must be open on each
InsightIQ node.
TLS
InsightIQ uses TLS 1.3 for all communication.
TLS Cipher Suites
A cipher suite defines technologies that secure your TLS communications. See
Appendix A for the list of TLS cipher suites that InsightIQ supports.
NFS export security
If your InsightIQ setup uses an NFS export for its data store, you must ensure
the security of the shared export. The customer is responsible for configuring
the NFS export so that access is restricted to specific clients. You must not
leave the share open for all to access. Required configurations for an NFS
export as the InsightIQ data store are: 1. Configure the settings for
InsightIQ as described in the Dell PowerScale InsightIQ Installation Guide. 2.
Configure settings to restrict access to the NFS export as defined by your
organization.
16
Product and subsystem security
Data protection
Data protection secures and protects customer and application data that
InsightIQ stores, manages, and uses.
Data security
The data held, managed, used, or operated on by InsightIQ is stored securely.
All InsightIQ data is stored in a PostgreSQL database. It is a customer choice
whether the database is stored locally or on a Network File System (NFS)
export.
Data-at-rest encryption
Data-at-rest encryption protects data that is stored in databases and other
data repositories. Data-at-rest is data not moving through the network.
InsightIQ stores all sensitive data, such as passwords, in encrypted format.
Other data, including reports, are not encrypted.
Data sanitation
Sensitive data kept beyond its useful life or disposed of improperly can lead
to data leaks. Data sanitization is the process of removing information from
media such that information recovery is not possible. InsightIQ deletes
sensitive data such as user passwords from the database when the user is
deleted. Passwords are not stored if a user is deleted.
Cryptography
Cryptography is a method of protecting information and communications using
encrypted algorithms. The goal is to allow only those entities for whom the
information is intended to read and process the information.
Cryptography
InsightIQ uses globally recognized cryptographic algorithms and protocols. The
following protocols are used: HTTPS Transport Layer Security (TLS) TLS to
Lightweight Directory Access Protocol (LDAP)
Cryptographic configuration options
InsightIQ enforces the following cryptographic capabilities.
Default configurations
By default, InsightIQ uses TLS 1.3 for all communication. TLS version 1.3 is
required and cannot be changed.
Ciphers
By default, the installed product is configured to support the ciphers listed
in the “TLS Cipher Suites” appendix in this guide.
Product and subsystem security
17
Hashing algorithms
InsightIQ uses these hashing algorithms: 1. sha256: Used for password hashing
2. sha384: Used for password hashing 3. sha224: Used for hashing cookie
secrets
Certificate management
All InsightIQ API communication, which includes communication through the web
administration interface, is over Transport Layer Security (TLS). You can use
the default self-signed TLS certificate for the InsightIQ web administration
interface or replace it with a third-party TLS certificate. The TLS
certificate is used to access the InsightIQ web application through a browser.
The InsightIQ cluster initially contains a self-signed certificate for this
purpose. You can continue to use the existing self-signed certificate, or you
can replace it with either: A third party (public or private) CA-issued
certificate Another self-signed certificate that is generated by users
NOTE: To ensure timely renewal and prevent service disruption, you should
proactively monitor the expiration dates of your TLS certificates.
View the default certificate
You can view the self-signed default TLS server certificate that is installed
on the InsightIQ cluster from your web browser.
Prerequisites You can view the self-signed default TLS server certificate in a
web browser.
Steps 1. In a web browser, go to the InsightIQ login screen.
The URL format is https://
The browser displays the contents of the certificate.
Replace or renew a certificate
You can replace or renew the TLS certificate.
Prerequisites You must have a CA certificate or another self-signed
certificate. You must have a private key in a decrypted form. You must know
the credentials for logging in as described in step 1 below.
Steps 1. Log in as follows:
For InsightIQ Scale (three-node deployment), log in as the root user on the
primary node of the InsightIQ cluster. For InsightIQ Simple (OVA deployments),
log in as the VM administrator. 2. Create a Kubernetes secret that holds the
certificate.
kubectl create secret tls
18
Product and subsystem security
For example: kubectl create secret tls my-test-secret -n istio-system –cert
=my-self-signedcert.pem –key=my-private-key.pem
If the command is successful, you receive a message similar to the following:
secret/my-test-secret created
3. Change the istio gateway configuration as follows: a. Edit the
configuration file: kubectl edit gateway iiq-gateway -n atlantic
b. Set the credentialName field to the new
gateway.networking.istio.io/iiq-gateway edited 4. Verify the new certificate.
a. In a web browser, go to the InsightIQ login screen. The URL format is
https://
b. On the left side of the URL field, click the View site information icon. c.
Depending on the choices that appear, click Certificate is not valid or
Connection is secure > Certificate is valid.
The browser displays the contents of the certificate.
Regulatory information
Dell Technologies is committed to compliance with the laws and regulations in
each country or region into which the company ships the product. For
information about regulatory information for Dell PowerScale OneFS, see the
Dell compliance portal on the Dell Support site.
Auditing and logging
This section describes InsightIQ capabilities that are related to logging,
events, and auditing.
Logging
InsightIQ has several logging, alerting, and similar capabilities.
Log levels
InsightIQ uses the following log levels. The order of the list is from least
to most verbose. FATAL ERROR WARNING INFO–This is the default log level. DEBUG
Log Rotation
Log rotation capabilities are available in the logging configuration file. The
logging file defaults to five stored iterations. Each file size is 10 MB.
Product and subsystem security
19
System behavior on failed log attempts
When a log attempt fails, the log entry does not occur.
Log format
The format of a log entry is: format = %(asctime)s [%(levelname)s]
<%(threadName)s : %(thread)d> [%(name)s : % (funcName)s() : %(lineno)d]
%(message)s
Gather product logs
You can run a script that gathers all the InsightIQ logs.
Prerequisites You must be able to log in with appropriate credentials. See
step 1.
About this task The log collection script gathers logs from all InsightIQ
nodes. If any node is inaccessible, the script skips log collection for that
specific node. The script puts the collected logs in /var/log/iiq_logs.tar.gz.
Steps 1. Start an SSH session to the InsightIQ primary node using the
following credentials:
For InsightIQ Scale (three-node deployment)–Log in as root user. For InsightIQ
Simple (OVA deployment)– Log in as the default administrator user. 2. Change
to the scripts directory:
cd ~/usr/share/storagemonitoring/scripts/deploymentmanager
3. Run the script: bash iiq_log_bundler.sh
The script downloads the required package. 4. For InsightIQ Scale, respond to
the prompts for the root passwords for the worker nodes.
The script needs worker node passwords to gather logs from those nodes. Enter
root password for
Gather Istio logs
You can gather all the logs that Istio generates on the Istio pod.
Steps 1. Log in to the primary node of the InsightIQ cluster. 2. Run the
following commands:
kubectl get pod n istio-system kubectl logs istio-ingressgateway-
xxxxxxxxxxxx-xxxxxx n istio-system > /var/log/ iiq_istio_logs.log
20
Product and subsystem security
Alerting
InsightIQ generates alerts based on key performance indicators (KPIs). Alert
generation is configurable. Alerting features include: InsightIQ generates
alerts when the threshold for a key performance indicator (KPI) is crossed.
Policies define the KPIs that you want to monitor for selected PowerScale
clusters. Users can view alerts on the InsightIQ web application.
NOTE: If a PowerScale cluster is removed from InsightIQ, existing alerts that
were generated for that cluster are no longer visible on the InsightIQ web
application. Administrators can configure InsightIQ to send email status
alerts to specified email addresses. For information about configuring and
viewing alerts, see the Alerts chapter in the Dell Technologies InsightIQ
Administration Guide.
Physical security
InsightIQ depends on the following interfaces and deployment expectations for
physical security: The InsightIQ platform uses native Kubernetes controls for
cluster security. For more information about Kubernetes security,
see the Kubernetes documentation for securing a cluster here. The Dell
PowerScale InsightIQ Installation Guide describes specific steps that are
related to physical security.
Serviceability
If you encounter operational issues with InsightIQ, contact Dell Customer
Support. See the Preface in this guide for contact information.
Maintenance Aids
Maintenance aids are hardware or software tools in InsightIQ that perform
diagnostic or remedial actions. For information about diagnostic methods, see
the “Troubleshooting InsightIQ” chapter in the Dell PowerScale InsightIQ
Administration Guide.
Responsible service use by Dell
Dell maintains a responsible partnership with its customers. This partnership
respects customer security boundaries while offering efficient world-class
support.
Security advisories and updates
You must remain knowledgeable about security vulnerabilities and apply product
updates as they become available.
Obtain Dell advisories and updates
Dell technical advisories (DTAs), Dell security advisories (DSAs), and code
updates are available on the Dell Support site. These documents provide
important information and solutions for issues that affect InsightIQ.
Steps 1. To view current lists of DTAs and DSAs:
a. Go to the InsightIQ product page on the Dell Support site here. b. Click
the Advisories tab.
Product and subsystem security
21
c. Select Technical or Security. 2. To subscribe to receive email
notifications about new DTAs and DSAs:
a. Go to the InsightIQ product page on the Support site. b. Ensure that you
are logged in with a Dell Technologies customer account. c. Locate the Contact
Us tab on the right side of the browser window, and click Contact Us >
Notifications . d. Select one or both of these toggles:
Dell Technical Advisory Dell Security Advisory 3. To download product updates:
a. Go to the InsightIQ product page on the Dell Support site. b. Ensure that
you are logged in with a Dell Technologies customer account. c. Click the
Downloads tab. d. Use the filters to find updates for your product version.
NOTE: Your Dell Technologies customer account controls access to product
downloads.
Customer prerequisites for security updates
This section describes the prerequisites that must be in place before you can
successfully apply security updates. The only prerequisite for applying an
InsightIQ security update is that you must be running the specific version of
InsightIQ for which the update is intended. See the Readme file that
accompanies each security update.
Protect authenticity and integrity
InsightIQ uses the following methods to ensure and protect the integrity of
the code that it distributes.
Code signing
Dell Technologies digitally signs all InsightIQ software packages. The term
software package includes installation packages for full releases and all
upgrades. To verify that an installation package remains unaltered after
downloading, see “Verify code authenticity” in the Installation chapter of the
Dell PowerScale InsightIQ Installation Guide. That guide provides verification
steps for .tar.gz and .ova files. It is recommended that you perform these
verification steps immediately before installation.
Certificates
InsightIQ ships with a self-signed Transport Layer Security (TLS) certificate.
It is recommended that you replace the default TLS certificate with a signed
certificate from a trusted Certificate Authority. For steps to view and
replace certificates, see “Certificate management” in the “Cryptography”
section of this guide.
22
Product and subsystem security
3
Miscellaneous Configuration and Management Elements
Topics:
· Software licensing and conditions for use · Preventing malware · Installing
client software · Backups of application or data
Software licensing and conditions for use
The license to download and use Dell Technologies InsightIQ software is
included with a Dell Technologies PowerScale OneFS license. On first login,
the administrator user must accept the conditions for use. The Installation
Guide describes how to download and install InsightIQ and how to log in to the
InsightIQ user interface the first time. On first login, InsightIQ prompts the
user to read and accept the conditions for use. No further usage is allowed
until the user accepts the conditions. After the conditions are accepted, the
prompt does not occur again. For a matrix showing the InsightIQ releases and
the PowerScale OneFS releases that they support, see the PowerScale OneFS
Supportability and Compatibility Guide.
Preventing malware
InsightIQ includes the following malware detection capabilities and options.
All InsightIQ downloadable packages are scanned for malware by Dell before
they are posted to the Dell Support site. At the customer site, we recommend
that the following Kubernetes directories are excluded from malware scanning:
/run/containerd/ /var/lib/containerd/ /var/lib/rancher/rke2/agent/containerd/
For more information about removing these directories, see the “System
Requirements” chapter in the Dell PowerScale InsightIQ Installation Guide.
Installing client software
The Dell PowerScale InsightIQ Installation Guide describes all requirements
and expectations for deploying InsightIQ on customer-supplied hardware.
Backups of application or data
InsightIQ does not include backup functionality. Customers may choose to run
backups of report data using their own backup procedures.
Miscellaneous Configuration and Management Elements
23
A
TLS cipher suites
This appendix lists the TLS cipher suites that InsightIQ supports.
Topics:
· Default and supported TLS cipher suites
Default and supported TLS cipher suites
A cipher suite defines technologies that secure your TLS communications.
InsightIQ supports the following TLS cipher suites: 1.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 2. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
3. TLS_AKE_WITH_AES_128_GCM_SHA256 4. TLS_AKE_WITH_AES_256_GCM_SHA384 5.
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256
24
TLS cipher suites
B
SDL for InsightIQ 5.1.0: Security false positives
Topics:
· Security False Positives for InsightIQ 5.1.0
Security False Positives for InsightIQ 5.1.0
The following table describes security false positives from various scanners
for InsightIQ 5.1.0.
The table shows the embedded component name that has a false positive
associated with it and the Common Vulnerabilities and Exposures (CVE) ID. The
next columns describe the vulnerability, the reason that InsightIQ is not
vulnerable, and the date of the false positive finding.
Table 7. False positives for InsightIQ 5.1.0
Embedded CVE id Component
Summary of Vulnerability
urllib3
CVE-2023-43 804
The urllib3 component is an HTTP client library for Python. It does not do anything special with a Cookie HTTP header or provide any helpers for managing cookies over HTTP. Those tasks are the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information using HTTP redirects to a different origin if that user does not disable redirects explicitly. This issue is updated in urllib3 version 1.26.17 or 2.0.5.
postgresql 16
CVE-2024-09 85
A flaw was found in PostgreSQL that allows authenticated database users to run arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This issue enables the execution of arbitrary code on the target system. It allows users to write arbitrary bytes to memory and extensively read the server’s memory.
certifi version
CVE-2023-37 920
Certifi is a curated collection of root certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes e-Tugra root certificates. e-Tugra root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi
Reason that InsightIQ is False Positive
not vulnerable
Date
According to the CVE,
March 26, 2024
this flow exists in versions
earlier than 1.25.10.
InsightIQ is using version
1.26.14. Hence this is a false
positive.
According to the CVE, this flow exists in versions earlier than 16.1. InsightIQ is using version 16.2. Hence this is a false positive.
March 26, 2024
The OpenSUSE website
March 26, 2024
marks python Certifi as not
affected for SLES 15 SP4.
SDL for InsightIQ 5.1.0: Security false positives
25
Table 7. False positives for InsightIQ 5.1.0 (continued)
Embedded CVE id Component
Summary of Vulnerability
Reason that InsightIQ is False Positive
not vulnerable
Date
2023.07.22 removes root certificates from e-Tugra from the root store.
pip version
CVE-2018-202 25
An issue was discovered in pip (all versions). It installs the version with
the highest version number, even if the user intends to obtain a private
package from a private index. The issue only affects use of the –extra-index-
url option. Exploitation requires that the package does not already exist in
the public index. (An attacker is thus permitted to put a package with an
arbitrary version number.)
NOTE: This issue is reported as intended functionality, with the user
responsible for using -extra-index-url securely. This
vulnerability was first assigned with CVE-2018-20225, and it is still under
dispute. This vulnerability still poses a threat when using the –extraindex-
url.
The OpenSUSE website marks it as ignore for SLES 15 SP4.
March 26, 2024
26
SDL for InsightIQ 5.1.0: Security false positives
References
Read User Manual Online (PDF format)
Read User Manual Online (PDF format) >>