In this post I would like to cover two main topics: auditing administrative access to the Control Station, and auditing events. Auditing is a specialized form of logging: its purpose is to record the "security-relevant events" that happen on a system with enough detail to tell who initiated each event and what its effect on the system was (e.g. success or failure).
Auditing on the VNX Control Station
Auditing is one of the highest-priority customer requests in the system management area. The auditing feature on the VNX Control Station is enabled by default and starts when the CS boots.
Default Audit Events
The default audit events are defined in the audit.rules file, located at /etc/audit/audit.rules. The shipped file is configured to record the events that matter to the VNX, and it can be modified to meet any custom audit requirement. By default, auditing is enabled for:
- root file system access by Administrators
- a list of “sensitive” system files
- changes to the audit infrastructure
- users authenticating to the system
Audit Event types
There are several main record types associated with audit events:
- SYSCALL – information associated with a system call invocation (the calling process, its uid/auid, and whether the call succeeded)
- PATH – information about a file being accessed
- CWD – the current working directory of the process
- USER_XXXX – events associated with a user authenticating to the system (for example USER_LOGIN, USER_AUTH)
- FS_WATCH – associated with accessing a file system object that has an explicit watch placed on it.
The auditing commands are the native Linux audit tools; there are no VNX-specific commands for auditing. All of them have man pages if you wish to gather more information, but in summary the commands are:
- /sbin/auditctl – controls the kernel's audit subsystem (loads, lists and deletes rules and file watches).
- /sbin/ausearch – reads the audit trail. The audit.log file is plain text, but it contains numeric values (uids, syscall numbers, epoch timestamps) that make it difficult to read; ausearch offers options (notably -i) that translate those values to names.
- /sbin/aureport – produces summary reports from the audit logs.
An example for creating Audit Reports
- /sbin/service auditd – controls the auditd daemon itself and accepts the usual service actions (start, stop, restart, status), plus rotate to rotate the log file.
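The two questions the default rules above are meant to answer are "who failed to authenticate?" and "who touched a watched file?". The script below is an added example, not code from the original post or from EMC: it shows the audit.rules syntax for a file watch and then answers both questions against an excerpt of audit.log. The log lines are constructed to resemble the Linux audit format (the addresses, accounts, paths and the key name shadow-watch are made up). On the Control Station itself you would use the native commands noted in the comments (ausearch -k, ausearch -m USER_LOGIN -sv no, aureport -au --failed); the awk versions let you run the same triage offline against an exported copy of the log.

```shell
#!/bin/sh
# Added example, not from the original post or from EMC. Runs offline against a
# CONSTRUCTED audit.log excerpt; the key "shadow-watch", hosts and accounts are assumptions.

# Rules in /etc/audit/audit.rules syntax that produce the records parsed below.
# Load them ad hoc with `auditctl -R rules.txt`, or append to audit.rules and
# `service auditd restart`. "-p rwa" also records reads, so failed reads by
# non-root users show up as SYSCALL records with success=no.
custom_rules() {
  cat <<'EOF'
# a "sensitive" file, tagged with a key so `ausearch -k shadow-watch` finds every hit
-w /etc/shadow -p rwa -k shadow-watch
# changes to the audit infrastructure itself
-w /etc/audit/ -p wa -k audit-config
EOF
}

# Constructed excerpt of /var/log/audit/audit.log (same shape as real records).
sample_audit_log() {
  cat <<'EOF'
type=USER_LOGIN msg=audit(1420070400.101:301): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nasadmin" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.50 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1420070400.108:302): pid=2203 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nasadmin" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.50 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1420070400.115:303): pid=2205 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nasadmin" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.50 terminal=ssh res=success'
type=SYSCALL msg=audit(1420070460.200:310): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=241 a2=1b6 a3=0 items=1 ppid=2205 pid=2290 auid=500 uid=0 gid=0 euid=0 comm="vi" exe="/bin/vi" key="shadow-watch"
type=CWD msg=audit(1420070460.200:310):  cwd="/root"
type=PATH msg=audit(1420070460.200:310): item=0 name="/etc/shadow" inode=1310 dev=08:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1420070520.300:320): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=2400 pid=2410 auid=501 uid=501 gid=501 euid=501 comm="cat" exe="/bin/cat" key="shadow-watch"
type=CWD msg=audit(1420070520.300:320):  cwd="/home/operator"
type=PATH msg=audit(1420070520.300:320): item=0 name="/etc/shadow" inode=1310 dev=08:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
EOF
}

# Failed authentications; on the CS: `ausearch -m USER_LOGIN -sv no` or `aureport -au --failed`.
count_failed_logins() {
  sample_audit_log | grep -c 'type=USER_LOGIN .*res=failed'
}

# Source addresses with repeated failures, worst first: a quick brute-force check.
failed_login_sources() {
  sample_audit_log | awk '/type=USER_LOGIN/ && /res=failed/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^addr=/) { sub("addr=", "", $i); c[$i]++ }
    } END { for (a in c) print c[a], a }' | sort -rn
}

# Hits on a watch key, the offline equivalent of `ausearch -i -k <key>`. A single event is
# spread over several records sharing one audit(...) serial: SYSCALL says who did what and
# whether it succeeded, PATH names the object. We join them on the serial.
watch_hits() {
  key="$1"
  sample_audit_log | awk -v key="$key" '
    match($0, /audit\([0-9.]+:[0-9]+\)/) { serial = substr($0, RSTART, RLENGTH) }
    /type=SYSCALL/ && index($0, "key=\"" key "\"") {
      auid = ""; ok = ""; exe = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^auid=/)    auid = substr($i, 6)   # login uid survives su/sudo
        if ($i ~ /^success=/) ok   = substr($i, 9)
        if ($i ~ /^exe=/)     exe  = substr($i, 5)
      }
      hit[serial] = "auid=" auid " success=" ok " exe=" exe
    }
    /type=PATH/ && (serial in hit) {
      for (i = 1; i <= NF; i++) if ($i ~ /^name=/) print hit[serial], $i
    }'
}

count_watch_hits() { watch_hits "$1" | wc -l | tr -d ' '; }

# Usage: summarise the excerpt.
echo "failed logins: $(count_failed_logins)"
failed_login_sources
watch_hits shadow-watch
```

Two things worth noticing in the output: the auid field is the login uid and does not change when an administrator becomes root, which is what makes the "root file system access by Administrators" rule attributable to a person; and the second watch hit has success=no, so failed attempts against a watched file are recorded too, which is exactly the kind of event a periodic aureport should surface.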
The auditing configuration files and the current audit log file are backed up to the backend file system under /nas/var/auditing. The backup runs every 180 seconds for each Control Station. If the Control Station in slot 0 is replaced, the software recovery steps try to restore the audit configuration automatically from the backend backups; recovery of the slot 1 Control Station's auditing has to be performed manually.
Let's talk a little about VNX for File and the monitoring features provided by Unisphere. I will explain where to find event logs, how to create e-mail notifications, and how to set up notifications for the various severity levels. Let's first have a quick glimpse of the Unisphere monitoring features.
Unisphere System Monitoring features
There are several areas within the Unisphere System monitoring page where the system can be monitored.
Unisphere Monitoring Page
Let's quickly review a few of them:
- Alerts for various system conditions
- In this section you can see whether there are any critical errors, warnings, or other errors. Once you see an alert, double-click it to retrieve its properties. Each alert detail has a full description, recommended action, and event code. Take a look at the example screenshot:
Unisphere Alert Details
- SP Event Logs – SP logs can be collected and exported via the graphical interface.
- Background Task Monitoring for File – a list of all tasks that are running in the background.
- Event Logs for File – the place where File-related events can be monitored. The page can be configured to display log messages from the Control Station or from the Data Movers.
- Notifications for File – a notification is an action that the Control Station (CS) takes in response to a particular system condition. For example, the Control Station can send an e-mail message to an administrator when a critical system event occurs, such as a disk failure, or when a threshold is reached. Event severity levels are: critical, error, warning, info.
- Statistics for File – this option provides information about file system and network performance. The graphs are configurable and updated in real time.
VNX Email Notifications
For notifications to be sent via the SMTP mail option, the Email User must be configured first. To configure it, navigate to the Notifications page and select the Manage Email User option; you can find it in the bottom-right section called "Service Task". The configuration screen looks like this:
Unisphere Configure Email
Once you have configured the e-mail information (in the form above) you can create an event notification. Navigate to System > Monitoring and Alerts > Notifications for File, then select the Create button; a popup will prompt for which Facility you want to monitor. Take a look at the picture below.
Unisphere Create notification
Choose the event you want monitored, then choose the severity level (Critical, Error, Warning or Info) of the events you want to be notified about. Select how the notification will be sent; the options are mail, logfile and SNMP trap. For logfile you have to provide an absolute path on the Control Station to save it to; for SNMP trap you provide the IP address or hostname of the trap receiver and the community name. The example e-mail notification is shown above.
Unisphere is web-enabled software for remote management of the storage environment. It has all the extras, like widgets, sortable tables, wizards, etc. The Unisphere Management Server runs on the Storage Processor (SP) and on the Control Station.
(Update 08-01-2015: Check out Overview with few screenshots: EMC VNX – Unisphere – Quick overview)
How to launch?
To launch Unisphere, open a web browser and enter the IP address of either one of the SPs or the Control Station.
How to log in for the first time?
The default login/password for an EMC VNX Unified system is:
* login: sysadmin
* password: sysadmin
Or for VNXe:
* login: admin
* password: Password123#
These defaults are publicly documented, so anyone who can reach the management network can look them up: change the password at the first login and create named administrative accounts rather than sharing the built-in one.
Administration of the VNX is performed with the Unisphere graphical user interface (GUI). Administration can also be performed with a command line interface (CLI). File-enabled VNX systems use a command line interface on the Control Station for file administrative tasks. Block-enabled systems have a host-based Secure CLI software option available for block administrative tasks. The CLI can be used to automate management functions through shell scripts and batch files.
Administrative Authentication Scope
Unisphere Authentication Scopes
The VNX provides three different administrative user authentication scopes.
* Global authentication scope is used when the VNX is configured to be a member of a Storage Domain. All the systems within the domain can be administered using a single sign-on with a global account.
* Local authentication scope is used to manage a specific system only. Logging into a system using a local user account is recommended when there are a large number of systems in the domain.
* LDAP authentication scope is used when the VNX is configured to "bind" to an LDAP domain. The VNX performs an LDAP query against the domain to authenticate the administrative users.
Unisphere Storage Domains
Unisphere Storage Domain
By default each VNX is its own Storage Domain. Domain Members are:
* Control Station
* System managed by Unisphere session to any member
A VNX system can be managed using a Unisphere session to any member of the Storage Domain. The system also includes a default "sysadmin" Global user account in the domain, which is configured with the Administrator role.
Adding VNX system to Domain
Adding VNX into Storage Domain
To add a VNX system into an existing VNX local domain, navigate in Unisphere to the System List and perform the Add operation. You have to provide an SP (Storage Processor) IP address of the VNX system to be added, and you will be asked for credentials to log in to that system. When a system is added to the domain, it is removed from any domain configuration it previously belonged to. Once the VNX system has been added, it is displayed in the System List page.