Version: 2.11.0

Configure Eyeglass for STIG-Enabled PowerScale Environments

Introduction

This document outlines the configuration required to operate the Superna Core Agent Appliance (Eyeglass) in environments where Dell PowerScale clusters are secured using the OneFS STIG security profile. It is intended for scenarios where the appliance is already deployed and focuses on the post-deployment steps needed to ensure interoperability with STIG-enabled clusters.

Use this guide to align your Superna configuration with the security requirements of a STIG-enabled PowerScale environment.

Requirements

A deployed Eyeglass Core Agent Appliance (version 2.11.0 or later)

See the Installation Guide if needed
A reachable PowerScale cluster with the STIG security profile enabled
An Active Directory environment with Kerberos support

Configuration Steps

Configure PowerScale

Important

This is not a complete guide to hardening or STIG implementation for PowerScale clusters. It only includes the steps required to configure the system for compatibility with Superna solutions.

For full PowerScale STIG implementation and security hardening details, refer to Dell’s official documentation:

Dell PowerScale OneFS: Security Considerations

To configure PowerScale for a STIG-compatible Disaster Recovery solution:

Update passwords for local users

After updating the hash type, you must re-enter passwords for all relevant local users to ensure they are stored using the new SHA512 format.

Run the following command for each user (e.g., eyeglass):
```
isi auth users change-password <username>
```
Use the same password already assigned to the user. Only the hash format is being updated.
Update EyeglassAdmin role privileges

Add the required privilege to the EyeglassAdmin role to support REST API login bypass for multi-factor authentication (MFA) in STIG-enabled environments:
```
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_LOGIN_PAPI_BYPASS_MFA
```
This privilege is required for Eyeglass to function correctly when MFA restrictions are enforced.
Enable RAN Access for Eyeglass

Eyeglass requires access to the PowerScale WebUI Remote Access Node (RAN) for certain functionality. Enable the necessary settings using the following commands:
```
isi_gconfig -t web-config webui_ran_access=True
isi_gconfig -t web-config listen_on_ip=True
isi_gconfig -t http-config listen_on_ip=True
```
If you encounter a permission error when running these commands, ensure you're logged in as the root user.

These settings allow Eyeglass to communicate with the WebUI over the correct interfaces in a STIG-enabled environment.
Confirm SmartConnect Configuration

Verify that SmartConnect is configured for the subnet or pool used by Eyeglass (commonly hdfspool or an equivalent service pool in your environment).

SmartConnect is required for DNS-based load balancing and service discovery. If it is not configured, refer to Dell’s SmartConnect documentation or coordinate with your network administrator.
Configure access to /ifs/.ifsvar

To allow Eyeglass to access the required internal data directory, update the NFS export and set the appropriate permissions on the target folder.
1. Modify the NFS export
  
  Identify the export ID for /ifs/.ifsvar and run the following command:
```
isi nfs exports modify <export_id> \
    --map-non-root-enabled true \
    --map-non-root eyeglass \
    --force
```
  Replace <export_id> with the actual ID of the export associated with /ifs/.ifsvar.
  
  This maps non-root access to the eyeglass user, ensuring it has the correct identity when accessing the directory over NFS.
2. Apply ACL Permissions
  
  Grant the required access control permissions to the eyeglass user:
```
chmod +a user eyeglass allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit /ifs/.ifsvar
```
  These permissions allow Eyeglass to read directory contents and traverse the structure as needed for its internal operations.