PD-1611 / 25.04 / master branch followups (#3221)
* PD-1611: master branch followups

* Update core-downloads.yaml

* Update core-releases.yaml

* Update release dates (anticipated)

* Update security recommendations and fix two broken images (#3262)

Update general security recommendations to note unplugging management interfaces when not in use and that Virtualization features are only recommended in 24.04 or newer releases (i.e. not CORE).

Fix two broken images on the Minis page

---------

Co-authored-by: MicJ <[email protected]>
Mrt134 and micjohnson777 authored Nov 21, 2024
1 parent a7fa87d commit cdd8219
Showing 7 changed files with 34 additions and 29 deletions.
29 changes: 15 additions & 14 deletions content/Solutions/Optimizations/Security.md
@@ -19,7 +19,7 @@ Follow these best practices to administer TrueNAS securely.
* Keep TrueNAS up-to-date with the most recent updates for your supported version.
* Upgrade to new major releases promptly consistent with the deployment use case.
* Disable any network services not in use.
* Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users.
* Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users, or keep disconnected when not in active use.
* Configure **Syslog** settings to send logs to an external server ([CORE]({{< relref "/core/uireference/system/advanced/_index.md" >}}) | [SCALE]({{< relref "managesyslogsscale.md" >}})).
* In TrueNAS 24.04 (Dragonfish) or later, locally [monitor and review audit logs]({{< relref "auditingscale.md" >}}) using the **Audit** screen.
* In the **System > Advanced Settings**, always keep **Show Text Console without Password Prompt** set to **Disabled**.
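Review bot: the clause added to the management-interfaces bullet, "or keep disconnected when not in active use", has no subject and can be read as applying to the private subnets rather than to the interfaces; suggest "or physically disconnect those interfaces when not in active use". It is also a stronger control than subnet restriction, so "or" undersells it; "and, where practical, physically disconnect ..." matches the intent stated in the commit message.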
@@ -29,14 +29,15 @@ Check back regularly for updates.

## User Accounts

Restrict new TrueNAS user accounts ([CORE]({{< relref "SettingUpUsersAndGroups.md" >}}) | [SCALE]({{< relref "ManageLocalUsersSCALE.md" >}})) to the most minimal set of storage ACL permissions and access possible.
Restrict new [TrueNAS user accounts]({{< relref "ManageLocalUsersSCALE.md" >}}) to the most minimal set of storage ACL permissions and access possible.

On TrueNAS 22.12 or newer, [create the administrator account]({{< relref "ManageLocalUsersSCALE.md#creating-an-admin-user-account" >}}) on install and disable root NAS administrative access.

On TrueNAS, [create the administrator account]({{< relref "ManageLocalUsersSCALE.md#creating-an-admin-user-account" >}}) on install and disable root NAS administrative access.
In TrueNAS 24.04 (Dragonfish) or later, use the **Credentials > Groups > Privileges** screen to define limited access administrative roles, such as read-only or share administrators.
Assign users to those groups to grant partial NAS administrative access.
Members of privilege groups can access the UI but cannot perform administrative tasks outside those defined by their role(s).

Use complex passwords and Two-Factor Authentication ([CORE]({{< relref "UsingTwoFactorAuthentication.md" >}}) | [SCALE]({{< relref "ManageGlobal2FASCALE.md" >}})) for all TrueNAS administrator accounts.
Use complex passwords and [Two-Factor Authentication]({{< relref "ManageGlobal2FASCALE.md" >}}) for all TrueNAS administrator accounts.

Grant TrueNAS user accounts (local or domain accounts) access to SSH or console shells only if that user is explicitly trusted.

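Review bot: the replacement line "On TrueNAS, create the administrator account ... and disable root NAS administrative access" drops the "22.12 or newer" qualifier, and the same hunk removes the CORE relrefs for user accounts and two-factor authentication, so a 13.x reader now gets SCALE-only links with no statement of which releases this page covers. Since this same commit still lists CORE 13.0 and 13.3 as "Current" in core-releases.yaml, either keep the version qualifier or add one sentence saying the page applies to 24.04 and later and pointing CORE users to their own documentation, as the SMB1 advisory link later in this file already does with an absolute URL.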
@@ -47,7 +48,7 @@ However, it allows outside connections to the system and must be configured to m

### iSCSI

Follow the iSCSI creation wizard ([CORE]({{< relref "AddingiSCSIShare.md" >}}) | [SCALE]({{< relref "AddingISCSIShares.md" >}})) to create an iSCSI share.
Follow the [iSCSI creation wizard]({{< relref "AddingISCSIShares.md" >}}) to create an iSCSI share.

When creating a new **Portal**, consider adding a **Discovery Authentication Method**.
This adds authentication between the initiator and the extent based on the chosen authentication method, CHAP or Mutual CHAP.
@@ -62,7 +63,7 @@ When these options are empty, all initiators and all networks can connect to the

### NFS

During share creation ([CORE]({{< relref "NFSShare.md" >}}) | [SCALE]({{< relref "AddingNFSShares.md" >}})), define which systems are authorized for share connections.
During [NFS share creation]({{< relref "AddingNFSShares.md" >}}), define which systems are authorized for share connections.
Leaving the **Authorized Networks** or **Authorized Hosts and IP addresses** lists empty allows any system to connect to the NFS share.
To define which systems can connect to the share, click the **Advanced Options** and enter all networks, hosts, and IP addresses to have share access.
All other systems are denied access.
@@ -74,13 +75,13 @@ To apply NFS ACLs, click **Advanced Options** on the add or edit screen for an N

### SMB

Select a **Purpose** during share creation ([CORE]({{< relref "/CORE/CORETutorials/Sharing/SMB/_index.md" >}}) | [SCALE]({{< relref "/SCALE/SCALETutorials/Shares/_index.md" >}})).
Select a **Purpose** during [SMB share creation]({{< relref "/SCALE/SCALETutorials/Shares/_index.md" >}}).
This changes the share configuration with one click.
For example, when selecting **Private SMB Datasets and Shares** from the list, TrueNAS adjusts the **Advanced Options** so the share is set up for private use.
To fully customize the share settings, select **No presets** as the **Purpose**.
Unless you require a specific purpose for the share, we recommend selecting **Default share parameters** as the **Purpose**.

[Do not use SMB1.]({{< relref "/CORE/CoreSecurityReports/SMB1Advisory.md" >}})
[Do not use SMB1.](https://www.truenas.com/docs/core/13.0/coresecurityreports/smb1advisory/)

SMB service settings are in **Services** after clicking the <span class="iconify" data-icon="mdi:pencil"></span> (pencil).

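Review bot: converting the SMB1 advisory relref into the absolute URL https://www.truenas.com/docs/core/13.0/coresecurityreports/smb1advisory/ takes the link out of the site generator's relref checking, so a later move of that page will break it silently; confirm the URL resolves before merge. It is also inconsistent with the rest of this file, where every other CORE reference in this commit is removed rather than converted to an absolute link; pick one treatment for CORE links and apply it throughout.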
@@ -93,7 +94,7 @@ Administration group members have full permissions to modify or delete the share
## SSH

Using Secure Shell (SSH) to connect to your TrueNAS is very helpful when issuing commands through the CLI.
SSH settings ([CORE]({{< relref "ConfiguringSSH.md" >}}) | [SCALE]({{< relref "SSHServiceSCALE.md" >}})) are in **Services** after clicking the <span class="iconify" data-icon="mdi:pencil"></span> (pencil).
[SSH settings]({{< relref "SSHServiceSCALE.md" >}}) are in **Services** after clicking the <span class="iconify" data-icon="mdi:pencil"></span> (pencil).

For best security, disable all login options for root or admin accounts in the SSH service options.
Instead, create and exchange SSH keys between client systems and TrueNAS before attempting to connect with SSH.
@@ -145,12 +146,12 @@ Block both the **CBC** and **Arcfour** ciphers by going to **Services > SSH > Ed

## Virtualization: VMs, Plugins, Apps

Review any plugin, app, or virtual machine (VM) deployment scenario for additional security exposure or vulnerabilities.
{{< include file="/static/includes/COREFeatureSupport.md" >}}

Review any application or virtual machine (VM) deployment scenario for additional security exposure or vulnerabilities.
iXsystems cannot resolve security vulnerabilities introduced from within user-deployed virtualized environments.

After configuring a VM ([CORE]({{< relref "/CORE/CORETutorials/JailsPluginsVMs/VirtualMachines/_index.md" >}}) | [SCALE]({{< relref "/SCALE/SCALETutorials/Virtualization/_index.md" >}})), disable any VNC or SPICE virtual machine display devices.
After [configuring a VM]({{< relref "/SCALE/SCALETutorials/Virtualization/_index.md" >}}), disable any VNC or SPICE virtual machine display devices.

Update plugins ([CORE]({{< relref "/CORE/CORETutorials/JailsPluginsVMs/Plugins/_index.md" >}})) or applications ([SCALE]({{< relref "/content/TruenasApps/_index.md" >}})) regularly.
Update [applications]({{< relref "/content/TruenasApps/_index.md" >}}) regularly.
TrueNAS monitors connected application catalogs and trains and displays available updates on the **Installed** applications screen.
To upgrade an app to the latest version, click **Update** on the **Application Info** widget.
To upgrade multiple apps, click the **Update All** button on the **Installed** applications header.
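Review bot: the heading "Virtualization: VMs, Plugins, Apps" still names plugins, but the rewritten body ("Review any application or virtual machine (VM) deployment scenario", "Update applications regularly") no longer mentions them and the CORE plugin link is gone; rename the heading or keep one line telling 13.x users where plugin guidance lives. The COREFeatureSupport include inserted at the top of this section also now opens it with a notice about 13.3 and 13.0 on a page whose other sections have had every CORE reference removed, so check that placement reads consistently with the rest of the page.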
8 changes: 7 additions & 1 deletion data/properties/core-downloads.yaml
@@ -25,6 +25,9 @@ majorVersions:
majorVersion: "13.0"
majorLink: "https://download-core.sys.truenas.net/13.0/STABLE/"
releases:
- name: "13.0-U6.3"
link: "https://download-core.sys.truenas.net/13.0/STABLE/U6.3/"
date: "2024-11-21"
- name: "13.0-U6.2"
link: "https://download-core.sys.truenas.net/13.0/STABLE/U6.2/"
date: "2024-07-03"
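Review bot: the new 13.0-U6.3 entry carries date "2024-11-21", the same day as this commit, and the commit message describes the release dates as anticipated; if the release slips, the downloads page will advertise https://download-core.sys.truenas.net/13.0/STABLE/U6.3/ before it exists. Verify the link resolves before merge or hold this entry for the release-day commit.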
@@ -69,8 +72,11 @@ majorVersions:
date: "2022-05-22"
- lifecycle: "Current"
majorVersion: "13.3"
majorLink: "https://download-core.sys.truenas.net/13.0/STABLE/"
majorLink: "https://download-core.sys.truenas.net/13.3/STABLE/"
releases:
- name: "13.3-U1"
link: "https://download-core.sys.truenas.net/13.3/STABLE/U1/"
date: "2024-11-21"
- name: "13.3-RELEASE"
link: "https://download-core.sys.truenas.net/13.3/STABLE/RELEASE/"
date: "2024-08-13"
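Review bot: the majorLink correction from 13.0/STABLE/ to 13.3/STABLE/ fixes a real bug (the 13.3 major version linked to the 13.0 tree) and now agrees with the release links beneath it. The new 13.3-U1 entry has the same anticipated "2024-11-21" date as 13.0-U6.3 above, so verify that https://download-core.sys.truenas.net/13.3/STABLE/U1/ resolves before merge.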
10 changes: 5 additions & 5 deletions data/properties/core-releases.yaml
@@ -8,19 +8,19 @@ majorVersions:
name: "TrueNAS CORE 13.0"
releaseName: "13.0"
releases:
- name: "13.0-U6.2"
- name: "13.0-U6.3"
type: "Enterprise"
link: "https://www.truenas.com/docs/core/13.0/gettingstarted/corereleasenotes/"
releaseDate: "2024-07-03"
releaseDate: "2024-11-21"
latest: true
- lifecycle: "Current"
name: "TrueNAS CORE 13.3"
releaseName: "13.3"
releases:
- name: "13.3-RELEASE"
- name: "13.3-U1"
type: "Community"
link: "https://www.truenas.com/docs/core/13.3/gettingstarted/corereleasenotes/#133-release-changelog"
releaseDate: "2024-08-13"
link: "https://www.truenas.com/docs/core/13.3/gettingstarted/corereleasenotes/#133-u1-changelog"
releaseDate: "2024-11-21"
latest: true
- lifecycle: "Next"
name: "TBD"
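Review bot: the 13.3-U1 link adds the anchor #133-u1-changelog while the 13.0-U6.3 link keeps the bare corereleasenotes/ page; the anchor assumes the 13.3 release notes already contain a heading that slugs to 133-u1-changelog, which for an anticipated release may not exist yet, so re-check it once the notes are published. For consistency give the 13.0 entry a matching changelog anchor, or drop the anchor on both.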
Binary file added static/images/Hardware/Minis/MiniX+XL+OOBM.png
10 changes: 4 additions & 6 deletions static/includes/COREFeatureSupport.md
@@ -1,8 +1,6 @@
&NewLine;

As of TrueNAS 13.3, this feature is untested and provided without support to the [TrueNAS Community](https://forums.truenas.com/).
<br>
<br>
Users with a critical need to use containers or virtualization solutions in production should migrate to the tested and supported virtualization features available in the Linux-based [TrueNAS 24.04 or newer](https://www.truenas.com/download-truenas-scale/).
[TrueNAS Enterprise customers](https://www.truenas.com/truenas-enterprise/) can contact iXsystems to schedule a deployment.
See [TrueNAS Migrations](https://www.truenas.com/docs/scale/gettingstarted/migrate/) for more information.
In TrueNAS 13.3, 13.0, and earlier, these features are obsolete and should not be used in production environments.

For production environments, use the tested and supported virtualization features available in TrueNAS 24.04 or newer.
[TrueNAS Enterprise customers](https://www.truenas.com/truenas-enterprise/) can contact iXsystems to schedule a TrueNAS deployment.
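Review bot: the rewrite drops the "See TrueNAS Migrations" link and the 24.04 download link that the old text gave to users who need to move off these features; a reader told they are obsolete now has no pointer on how to migrate, so keep at least the migrations link. "Obsolete" is also stronger than the previous "untested and provided without support"; if the features still ship and function in 13.3, "unsupported" states the position accurately. Finally, "these features" has no antecedent inside the include, which is pulled into different pages (the old "this feature" had the same problem); name them once, for example "containers, plugins, and virtual machines".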
6 changes: 3 additions & 3 deletions static/includes/COREUpgradePaths.md
@@ -12,16 +12,16 @@
{{< mermaid class="mermaid_sizing" >}}
flowchart LR
A["11.3-U5"] -->|update| B["12.0-U8.1"]
B -->|update| C["13.0-U6.2"]
C -->|manual update| D["13.3-RELEASE"]
B -->|update| C["13.0-U6.3"]
C -->|manual update| D["13.3-U1"]
{{< /mermaid >}}
</div>
<div class="upgrade-paths-container">
<img src="/images/tn-enterprise-logo.png" style="box-shadow: none; max-width: 225px; padding-bottom: 20px; padding-top: 40px;" title="TrueNAS CORE Enterprise" alt="TrueNAS CORE Enterprise">
{{< mermaid class="mermaid_sizing" >}}
flowchart LR
A["11.3-U5"] -->|update| B["12.0-U8.1"]
B -->|update| C["13.0-U6.2"]
B -->|update| C["13.0-U6.3"]
{{< /mermaid >}}
</div>
</div>
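Review bot: the Community flowchart now goes 13.0-U6.3 to 13.3-U1 over the "manual update" edge, skipping 13.3-RELEASE, which core-downloads.yaml in this commit still lists; that is fine only if a direct manual update from 13.0-U6.3 to 13.3-U1 is the documented path, so confirm it matches the 13.3 upgrade instructions. Both charts also advertise U6.3 and U1 ahead of their anticipated release date, the same caveat as the yaml changes.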
