CS Dell EMC PowerMax Benchmark | CS Dell EMC VMAX Benchmark

This post covers security recommendations that you should follow to harden Dell EMC VMAX storage systems, Dell EMC PowerMax storage systems and their storage management hosts.

Rule ID: K0601I0MP725
Severity: High
Title: Encrypt administrative sessions
Description: Ensure that administrative API sessions are encrypted to prevent sensitive information from being transmitted as cleartext.
Resolution: Verify that the SYMAPI_SECURITY_LEVEL option is set to SECURE.

Rule ID: K0401000P350
Severity: High
Title: Limit administrative rights to authorized personnel
Description: Review the list of users and groups assigned with storage administrative rights. Administrative rights should be limited to authorized personnel only. Misuse of administrative rights is a prominent form of attack.
Resolution:

    symauth -sid {param1} commit <<!
    delete {param2} {param3};
    !
    # param1 Symmetrix SID
    # param2 "group" or "user"
    # param3 name of the user or group

Rule ID: K0101000P150
Severity: Medium
Title: Events logged on a transactional basis
Description: To prevent loss of audit log entries if the base daemon is stopped and restarted before all entries are written, ensure that events are saved immediately to disk.
Resolution: Verify that the BACKGROUND_AUDIT_LOG option is set to ENABLED.

Rule ID: K0401I000947
Severity: High
Title: Restrict access to storage management folders and files
Description: Only privileged administrators should be able to access and modify the folders or files of the storage management software (Solutions Enabler, Unisphere).
Resolution: Review the ownership and permissions of the following directories:

    <SYMAPI_HOME>/config
    <SYMAPI_HOME>/db
    <SYMAPI_HOME>/config/daemon_users

Rule ID: K0401I000383
Severity: High
Title: Enforce user authorization rules
Description: Ensure that user authorization rules are honored and enforced by Solutions Enabler (AKA SYMCLI). SYMCLI uses the authorization control state to determine enforcement of rules. User authorization rules are used to restrict management access to arrays.
Resolution:

    symauth -sid {param1} set enforcement enforce
    # param1 Symmetrix SID

Rule ID: K0201I000285
Severity: High
Title: Use reliable and effective host access ID on clustered hosts and virtual machines
Description: For added security on x86_64 (64-bit), IA64, and BS2000 hardware platforms, use alternate access IDs instead of hardware-based access IDs.
Resolution: Verify that the SYMAPI_ALTERNATE_ACCESS_ID option is set to ENABLE on hosts installed with management software that meet the specified criteria.

Rule ID: K0201000P115
Severity: High
Title: Change default (factory) passwords
Description: Change default (factory) passwords for built-in user accounts.
Resolution: Change password for the following user accounts:

  • smc
  • admin (ECOM)
  • admin (ESRS)
  • seconfig (vApp Unisphere, Solutions Enabler)
  • cseadmin (vApp Unisphere, Solutions Enabler, VASA)
  • vpconfig (VASA)
  • nodename@SELockbox1 (Lockbox)

Rule ID: K0401I000535
Severity: Medium
Title: Limit directory access to Solutions Enabler daemon
Description: When storsrvd runs as root, it can present security vulnerabilities in situations where a user, through a CLI or some other application, provides a pathname on which the daemon can operate.
Resolution: Verify that the storsrvd:SECURE_DIRECTORY_PATH option is configured with a minimal set of required paths when the storage management host meets the specified criteria.

Rule ID: K0101000P743
Severity: High
Title: LUN access control
Description: Review LUN zoning and masking configurations to ensure that storage volumes are accessible only to designated hosts or clusters.
Resolution: Contact us.

Rule ID: K0101000P190
Severity: High
Title: Audit log retention
Contact us.

Rule ID: K010100MP100
Severity: High
Title: Audit log sent to central logging servers
Contact us.

Rule ID: K0101000P160
Severity: High
Title: Audit log content
Contact us.

Rule ID: K20010V0P220
Severity: High
Title: Identify and resolve Storage OS and software vulnerabilities (CVE)
Contact us.

Rule ID: K0201I0MP120
Severity: High
Title: Limit use of local user accounts
Contact us.

Rule ID: K1301000P650
Severity: High
Title: Data at-rest encryption
Contact us.

Rule ID: K1301000P655
Severity: High
Title: FIPS 140-2 compliance
Contact us.
Rule ID: K0201I00P120
Severity: High

Interested in the complete list of rules?

Our Data Security Advisor solution includes:

⇒ The complete list of rules for EMC and other storage vendors, including hundreds of additional best practices.

⇒ The ability to automatically scan and validate the rules in your storage environment.

⇒ Detailed remediation guidance.

⇒ Mapping to information security standards.

Contact us to learn more about our Data Security Advisor product and our assessment services.

Rule ID: K010100M0612
Severity: High

Rule ID: K060100MP927
Severity: High

Rule ID: K130100MP006
Severity: Medium
Hundreds of additional rules are available in Data Security Advisor.
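
One way to script the three "Verify that the ... option is set to ..." checks listed above, as an added example that is not code from Dell EMC or from this page. It assumes the options are stored as "NAME = value" lines with "#" comments and are matched case-sensitively; the function names and the sample file are constructed for illustration, and SYMAPI_ALTERNATE_ACCESS_ID applies only to hosts that meet that rule's criteria.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes "NAME = value" lines with "#"
# comments; names and values are matched exactly (case-sensitive).

# get_option FILE NAME -> print the last active (uncommented) value of NAME
get_option() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                  # commented-out line: not active
        {
            line = $0
            sub(/#.*/, "", line)             # drop trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_option FILE NAME EXPECTED -> print PASS/FAIL, return 0 only on match
check_option() {
    actual=$(get_option "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2 = $actual"; return 0
    fi
    echo "FAIL $2 = ${actual:-<unset>} (expected $3)"; return 1
}

# audit_options FILE -> run the three option checks, return number of failures
audit_options() {
    fails=0
    check_option "$1" SYMAPI_SECURITY_LEVEL SECURE || fails=$((fails + 1))
    check_option "$1" BACKGROUND_AUDIT_LOG ENABLED || fails=$((fails + 1))
    check_option "$1" SYMAPI_ALTERNATE_ACCESS_ID ENABLE || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample, not from a real host: the first setting is only a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#SYMAPI_SECURITY_LEVEL = SECURE
BACKGROUND_AUDIT_LOG = ENABLED   # written immediately
SYMAPI_ALTERNATE_ACCESS_ID = DISABLE
EOF
audit_options "$sample" || echo "$? option check(s) failed"
rm -f "$sample"
```

A setting that appears only in a commented-out line is reported as unset, which a plain text search for the option name would miss.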

 
