From 10a00708186dffc4e75a78cb881de845f506029b Mon Sep 17 00:00:00 2001 From: MicJ Date: Wed, 9 Oct 2024 16:39:50 -0400 Subject: [PATCH 1/7] PD-1333 Create STIG Compliance Content Initial commit of STIG and security compliance content --- .../Solutions/Optimizations/STIGCompliance.md | 152 ++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 content/Solutions/Optimizations/STIGCompliance.md diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md new file mode 100644 index 0000000000..a25ef23c28 --- /dev/null +++ b/content/Solutions/Optimizations/STIGCompliance.md 
@@ -0,0 +1,152 @@ +--- +title: "STIG Compliance" +description: "Resonse to STIG SRG for the TrueNAS appliance." +weight: 35 +aliases: +tags: + - ssh + - 2fa +keywords: + - TrueNAS Security + - TrueNAS STIG Compliance +--- + + +## TrueNAS Compliance +TrueNAS falls into the catagory of an appliance with its own operating system as covered in [General Purpose Operating System SRG](https://www.stigviewer.com/stig/general_purpose_operating_system_srg/) findings. +Through connection to Active Directory, TrueNAS also complies with the [Active Directory Domain Security Technical Implementation Guide SRG](https://www.stigviewer.com/stig/active_directory_domain/) findings related to authentication and access controls for user, group, and systems. + +## Customizing TrueNAS Security Options +Many areas of compliance with the STIG SGR findings are automatically addressed through the TrueNAS kernel and middleware, but some are optional settings and features in the TrueNAS UI are customizable by administration users to suit individual use cases and preferences. +This article details customizable settings to accomplish a security-hardened systems. + +## Administration Accounts +TrueNAS creates either the root user or an administration user at installation. +Releases of TrueNAS might use **root** as the default administration user, while other releases have either the **admin** or **truenas_admin** as the default user. + +TrueNAS 13.0 and 13.3 can only have **root** as the administration user. Assign a complex password and change it frequently to protect access to the system. + +TrueNAS systems with the **root** user, or either the **admin** or **truenas_admin** user should create a new administration user with full control privileges and assign a complex password that you should also change on a frequent basis. 
+ +Additionally, after testing the login for the new adminstration user, disable both the **root** user password if not already disabled and the the default **admin** or **truenas_admin** user password to security-harden the system. +Only enable the root user password when necessary to perform functions not available to adminstration user. + +If creating multiple administration user accounts for individuals that fill specific role, limit privileges and access to what is minimally required to perform their system responsibilities. + +### Restrict Access to Roles +TrueNAS 23.10 and later allow for role-based access control (RBAC) through the privileges function and the predefined readonly and sharing_administrator roles. + +In 24.04, 24.10 and later releases, full administrators can configure new privileges to create administration user roles limited to specific tasks such as replication, cloud sync, cloud backup, apps and docker, directory services, system audit, and keychain read/write capabilities. +Create the new privilege and assign them to a new or existing group and assign the new group to the administration user. + +{{< hint type="info" title="Use Caution">}} +Use caution when creating new privileges. +Incorrectly configuring privileges can result in unintended consequences. +Do not modify the default existing privileges! +{{< /hint >}} + +### Restrict Access to SSH +Enable SSH access only for the administration user (Local Administrator) with full control privileges, but do not leave the SSH service enabled when not in use. + +Turn SSH service off when not in use. +Do not set the SSH service to start automatically if the system reboots to prevent starting and leaving it running when not needed. See [SSH Service]({{< relref "/SCALETutorials/SystemSettings/Services/SSHServiceSCALE.md" >}}) for more information. 
+ +If using multiple administration user accounts, limit access to SSH session to only users that require this ability to communicate with TrueNAS at the command-line level. See [Restrict Access to Sudo Commands](#restrict-access-to-ssh) for more information. + +### Restrict Access to Sudo Commands +Only the main system administration account and the root user should have access to `sudo` commands. + +Where possible, restrict administration user access to specific `sudo` commands rather than allowing unlimited access. +Also limit administration users `sudo` command entry by requiring password entery before any `sudo` command can be executed in an SSH or shell session. + +If creating multiple administration users with permissions to perform specific tasks, do not enable `sudo` commands or configure the user with limited access by entering only the specific commands they need. +See [Managing Users]({{< relref "ManageLocalUsersSCALE.md" >}}) for more information on creating users and configuring `sudo` commands. + +### Restrict Access to Shell +Configure access to the shell for only the main administration user with full control. +For better control leave access to the shell to only the root user. +Enable the root user password only when required. + +If creating multiple administration users, deny or restrict administration user access to the shell. +If granting limited access to the shell, restrict `sudo` command access to only those commands necessary for the role the administration user fills and enforce password entry for commands. + +## Lock Users +To prevent or restrict user access for a limited period of time, use the **Lock User** option. +This is useful when a specific administration role transfers from one user to another. +For example, if you create a sharing_administrator account rather than assigning the role to an individual existing user. +Locking the account disables but does not delete the account. 
+Before unlocking the account, change the password and then assign the role to another user. + +## Configure Two Factor Authentication +Two Factor Authentication adds a second level of security to log in access. See [Managing Global Two-Factor Authentication]({{< relref "MaageGlobal2faSCALE.md" >}}) for more information + +## Session Controls +Monitor the user session displayed on the **Access** widget located on the **System > Advanced Settings** screen. +Use **Terminate Other Sessions** to end a websocket session/connection to TrueNAS if necessary. +Configure session timeout in seconds to limit the how long TrueNAS remains logged in when not in active use. + +## System Auditing +Customize system auditing retention period by specifying how long the TrueNAS dataset retains the audting records. +Specify the storage quota size and percentage + + +## System Logging +Configure TrueNAS to send system logs to an external server using the **Syslog** widget on the **System > Advanced Settings** screen in [release 24.10 and later]({{< relref "managesyslogsscale.md" >}}), or the **System > Advanced** screen in [release 13.0 or later]({{< relref "/core/uireference/system/advanced/_index.md" >}}). + +Enter the IP address or host name for the remote system logging server. +Select the preconfigured system certificate or create a new dedicate certificate authority and certificate to secure the connection with the remote server for additional security. +A certificate is required if using TLS protocl to use syslog transport for the remote log server connection. + +To include the fully-qualified domain name (FQDN) in logs to precisesly identify systems with similar host names, select or enable the **Use FQDN for Logging** option. + +## Alert Settings +Configure alert settings to monitor system, user, and process activity from the **System > Alert Settings** screen. +Configure the email address to receive alerts from the system when the alert criteria is met. 
+Next configure the individual alert parameters for your use case. +Consider setting the following alerts for STIG compliance: +{{< truetable >}} +| Category | Alert | Reason | +|----------|-------|---------| +| **Audit** | **Audit Service Backend Failed** | Set alert level preference to send notifications when an auditing function failure occurs to promptly correct the issue and not lose audit logs. | +| | **Audit Service Setup Failed** | Set alert level preference to send notifications when the auditing setup fails to correct the issue promptly and not lose audit logs. | +| **Certificates** | **Certificate is Expiring Soon**
**Certificate is Expiring**
**Certificate has Expired** | Set alert level preferences to send notifications when a certificate is about to or has expired to either renew or replace the certificate before functions relying on certificates are impacted, and to keep those functions protected. | +| | **Certificate Revoked** | Set alert preferences to send notifications when a certificate is revoked to promptly address the issue or obtain a new certificate. | +| | **WEeb UI HTTPS Certificate Setup Failed** | Set alert level preferences to send notifications when the web UI HTTPS certificate setup fails to promptly address issues that impact the security of HTTPS access to the TrueNAS web UI. | +| **Directory Services** | **Active Directory Domain Validation Failed** | Set the alert level prefrence to send notifications when Active Directory domain verificaiton fails to propmptly investigate and take corrective action. | +| **Key Management Interoperability Protocol (KMIP)** | **Failed to Communicate with KMIP Server** | Set alert level preference to send notifications when a communication failure with the KMIP server occurs to promptly diagnose and correct issues. | +| | **Failed to Sync SED Global Password with KMIP Server**
**Failed to sync SED Keys with KMIP Server**
**Failed to Sync ZFS Keys with KMIP Server** | Set the alert level preference to send notifications when the SED global password fails to sync with the KMIP server to promptly diagose and correct password and/or sync issues.| +| **Sharing** | **Deprecated Service Configuration Detected**
**Deprectated Service is Running** | Set the alert level preference to send notifications when | +| | | Set the alert level preference to send notifications when deprecated services or service configuration are detected to reconfigure the system to use replacement services or implement replacements. Deprecation notices are provided in the release notes and in tutorials for effected Shares protocols. | +| | **IP Addresses Bound to an iSCSI Portal Were Not Found**
**NFS Services Could Not Bind to Specific IP Addresses Using 0.0.0**
**NFS shares reference hosts that could not be resolved** | Set the alert level preference to send notifications when network connections are not found or cannot bind to promptly remove or replace these configurations. | +| | **NTLMv1 authentication has been attempted in the last 24 hours** | Set the alert level preference to send notifications when this authentication protocol is used, to monitor validation between TrueNAS and Windows servers. This protocol provides some session security, message integrity, and confidentiality but is not as robust as more modern protocols. NTLMv1 is susceptible to replay attachs and certain type sof brute-force attacks. Take prompt steps to correct issues leading to this type of authentication. | +| | **SMB share path has unresolvable issues** | Set the alert level preference to send notifications when there are unresolvable issues with an SMB share path.Leaving share paths issues unaddressed can leave the system and data in the shares vulnerable to attack. | +| **Storage** | **Pool consuming USB disks** | Set the alert level preference to send notifications when TrueNAS detects USB disk connected to an used by the system. USB drives can put data and data security at risk if used for normal storage, and as a potential source of unauthorized data transfer medium. USB drives are not recommended as a target for system and data backups. | +| **System** | **Admin User is Overriden**
**Administrator account activity**
**SSH Login Failures** | Set the alert level preference to send notifications when TrueNAS detects adminitrator user activity related to web UI and SSH sessions. Setting these alerts provides visiblity to potential unauthorized access to TrueNAS features, functions, system configuration, and data storage. | +| | **The Web Interface Could Not Bind to Configured Address** | Set the alert level preference to send notifications when TrueNAS detects problems binding to any network address. Address incorrectly configured network addresses promptly to maintain secure communication between TrueNAS and other remote servers. | +{{< /truetable >}} + +## Allowed Domains and IP Addresses/Hosts +To increase network and share security, consider configuring allowed domains on the [**Network > Global Configuration** screen]({{< relref "ManagingGlobalConfig.md" >}}) and allowed host names or IP addresses for [SMB shares]({{< relref "/scale/scaletutorials/shares/smb/_index.md #configuring-share-advanced-options-settings" >}}) or [NFS shares]({{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}. + +## Disable Unused Network Connections +Unused network connections, whether in network interfaces such as a bridge, VLAN, or link aggregate, interface aliases, or static routes. +Left active in the system and if publicly accessible, these addresses present security vulnerabilities. +Check share advanced options and share service configurations for invalid network addresses or connections to discontinued remote servers. + +## Dataset Security + + +### Lock Datasets + +### Configure Access Control Lists + +### Configure Encryption + +## Data Transfer Security + +### Encrypt Replication Tasks + +## Manage Boot Environments + +## Configure a Banner + From e9bc306550058c899c42829b43fc3d4e67776719 Mon Sep 17 00:00:00 2001 
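Review bot: the cross-reference in Restrict Access to SSH points at the wrong heading: "See [Restrict Access to Sudo Commands](#restrict-access-to-ssh)" links the SSH section back to itself instead of to the Restrict Access to Sudo Commands heading that follows it; the anchor should match the sudo heading's slug. The same hunk adds a Sharing table row whose Reason cell is cut off ("| Set the alert level preference to send notifications when |") and is followed by an orphan row carrying the rest of that sentence; merge the two into one row. In Allowed Domains and IP Addresses/Hosts the NFS link is missing its closing parenthesis ("{{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}."), and the space before "#" in that relref and the SMB one is unlikely to resolve as a fragment; "MaageGlobal2faSCALE.md" in the two-factor relref also reads like a typo, and an unresolved relref fails the site build. Finally, the file ends with eight empty headings (Dataset Security through Configure a Banner); either fill them before merge or drop them so the rendered page does not advertise sections with no content.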
From: MicJ Date: Thu, 10 Oct 2024 15:01:22 -0400 Subject: [PATCH 2/7] PD-1333 Update STIG Response Article Content This commit adds additional TrueNAS configuration areas subject to manual configuration choices for the STIG response. Fixes spelling errors --- .../Solutions/Optimizations/STIGCompliance.md | 215 +++++++++++++----- 1 file changed, 159 insertions(+), 56 deletions(-) diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md index a25ef23c28..bab412f07b 100644 --- a/content/Solutions/Optimizations/STIGCompliance.md +++ b/content/Solutions/Optimizations/STIGCompliance.md @@ -1,6 +1,6 @@ --- title: "STIG Compliance" -description: "Resonse to STIG SRG for the TrueNAS appliance." +description: "Response to General Operating System STIG SRG for the TrueNAS appliance." weight: 35 aliases: tags: 
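Review bot: the new description, "Response to General Operating System STIG SRG for the TrueNAS appliance.", does not match the name the body uses, "General Purpose Operating System SRG", and "STIG SRG" conflates two document types (an SRG is the technology-agnostic requirements guide a STIG is derived from). Use the body's wording, for example "Response to the General Purpose Operating System SRG for the TrueNAS appliance."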
@@ -13,31 +13,43 @@ keywords: ## TrueNAS Compliance -TrueNAS falls into the catagory of an appliance with its own operating system as covered in [General Purpose Operating System SRG](https://www.stigviewer.com/stig/general_purpose_operating_system_srg/) findings. +TrueNAS falls into the category of an appliance with its own operating system as covered in [General Purpose Operating System SRG](https://www.stigviewer.com/stig/general_purpose_operating_system_srg/) findings. Through connection to Active Directory, TrueNAS also complies with the [Active Directory Domain Security Technical Implementation Guide SRG](https://www.stigviewer.com/stig/active_directory_domain/) findings related to authentication and access controls for user, group, and systems. -## Customizing TrueNAS Security Options -Many areas of compliance with the STIG SGR findings are automatically addressed through the TrueNAS kernel and middleware, but some are optional settings and features in the TrueNAS UI are customizable by administration users to suit individual use cases and preferences. -This article details customizable settings to accomplish a security-hardened systems. +## Customizing TrueNAS Security Options for STIG Compliance +Many areas of compliance with the STIG SGR findings are automatically addressed through the TrueNAS kernel and middleware, but some are optional settings and features in the TrueNAS UI administration users customize to suit individual use cases and security policies. +This article details customizable settings to accomplish a security-hardened systems for STIG compliance. + +## Install TrueNAS +Existing TrueNAS systems can upgrade to the latest release through the UI. +Earlier releases of TrueNAS can upgrade by following the established migration paths, or might need to clean-install the latest release of SCALE using the iso +. Refer to documentation on upgrading existing systems found [here]({{< relref "SoftwareReleases.md" >}}). 
+ +If side-grading (migrating) from an earlier release to the latest TrueNAS release, follow guidance in the [Preparing to Migrate]({{< relref "/SCALE/GettingStarted/Migrate/MigratePrep.md" >}}) article before beginning the migration. + +If clean-installing TrueNAS for the first time, follow guidance in the [Installation Instructions]({{< relref "/content/SCALE/GettingStarted/Install/_index.md" >}}) articles. + +### Prerequisites +Installing TrueNAS on servers other than iXsystems-provided systems, should read and follow guidance in the [TrueNAS Hardware Guide]({{< relref "SCALEHardwareGuide.md" >}}). ## Administration Accounts -TrueNAS creates either the root user or an administration user at installation. -Releases of TrueNAS might use **root** as the default administration user, while other releases have either the **admin** or **truenas_admin** as the default user. +TrueNAS creates the root user and an administration user at installation. +Some releases of TrueNAS might only have **root** as the default administration user, while other releases have either the **admin** or **truenas_admin** as the default user. -TrueNAS 13.0 and 13.3 can only have **root** as the administration user. Assign a complex password and change it frequently to protect access to the system. +TrueNAS systems with the **root** user, or either the **admin** or **truenas_admin** user should create a new administration user with full control privileges and assign a complex password that you should change on a frequent basis. -TrueNAS systems with the **root** user, or either the **admin** or **truenas_admin** user should create a new administration user with full control privileges and assign a complex password that you should also change on a frequent basis. +After testing the login for the new administration user, disable both the **root** user password if not already disabled and the the default **admin** or **truenas_admin** user password to security-harden the system. 
+Only enable the root user password when necessary to perform functions not available to administration user, and when tasks are complete, disable the root user password again. -Additionally, after testing the login for the new adminstration user, disable both the **root** user password if not already disabled and the the default **admin** or **truenas_admin** user password to security-harden the system. -Only enable the root user password when necessary to perform functions not available to adminstration user. +If creating multiple administration user accounts for individuals that fill specific roles, limit privileges and access to what is minimally required to perform the system responsibilities. -If creating multiple administration user accounts for individuals that fill specific role, limit privileges and access to what is minimally required to perform their system responsibilities. +See [Using Administrator Logins]({{< relref "AdminRoldes.md" >}}) for more information on administration user accounts. ### Restrict Access to Roles -TrueNAS 23.10 and later allow for role-based access control (RBAC) through the privileges function and the predefined readonly and sharing_administrator roles. +TrueNAS allows for role-based access control (RBAC) through the privileges function such as the predefined, full control, readonly, and sharing_administrator roles. -In 24.04, 24.10 and later releases, full administrators can configure new privileges to create administration user roles limited to specific tasks such as replication, cloud sync, cloud backup, apps and docker, directory services, system audit, and keychain read/write capabilities. -Create the new privilege and assign them to a new or existing group and assign the new group to the administration user. 
+In 24.10 and later releases, full administrators can configure new privileges to create other administration user roles that are limited to specific tasks such as replication, cloud sync, cloud backup, apps and docker, directory services, system audit, and keychain read/write capabilities. +Create the new privilege and assign it to a new or existing group, and then assign the new group to the administration user. {{< hint type="info" title="Use Caution">}} Use caution when creating new privileges. 
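Review bot: the rewritten Administration Accounts opener contradicts itself: "TrueNAS creates the root user and an administration user at installation." is immediately followed by "Some releases of TrueNAS might only have **root** as the default administration user"; keep the original "either ... or" wording or state which releases create which account. Also in this hunk: the Install TrueNAS paragraph has a stray "+." line that splits "iso." across two lines; the install relref carries a "/content/" prefix ("/content/SCALE/GettingStarted/Install/_index.md") unlike every other relref in the file, so check that it resolves; "AdminRoldes.md" looks like a typo in a relref target that is used three times; the Prerequisites sentence has a dangling subject ("Installing TrueNAS on servers other than iXsystems-provided systems, should read"); and the RBAC text narrows "24.04, 24.10 and later" to "24.10 and later" while the preceding sentence drops the "23.10 and later" qualifier entirely, so confirm which releases actually support custom privileges before changing the version claim.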
@@ -45,22 +57,26 @@ Incorrectly configuring privileges can result in unintended consequences. Do not modify the default existing privileges! {{< /hint >}} +See [Using Administrator Logins]({{< relref "AdminRoldes.md" >}}) for more information on administration user accounts. + ### Restrict Access to SSH -Enable SSH access only for the administration user (Local Administrator) with full control privileges, but do not leave the SSH service enabled when not in use. +Enable SSH access only for the full-control administration user (Local Administrator) but do not leave the SSH service enabled when not in use. Disable the SSH service after completing the required tasks until access is needed again. -Turn SSH service off when not in use. -Do not set the SSH service to start automatically if the system reboots to prevent starting and leaving it running when not needed. See [SSH Service]({{< relref "/SCALETutorials/SystemSettings/Services/SSHServiceSCALE.md" >}}) for more information. +Do not set the SSH service to start automatically if the system reboots to prevent starting and leaving SSH running when not needed. +See [SSH Service]({{< relref "/SCALETutorials/SystemSettings/Services/SSHServiceSCALE.md" >}}) for more information. -If using multiple administration user accounts, limit access to SSH session to only users that require this ability to communicate with TrueNAS at the command-line level. See [Restrict Access to Sudo Commands](#restrict-access-to-ssh) for more information. +If using multiple administration user accounts, limit SSH session access to only users that require this ability to communicate with TrueNAS at the command-line level. +See [Restrict Access to Sudo Commands](#restrict-access-to-ssh) for more information. ### Restrict Access to Sudo Commands -Only the main system administration account and the root user should have access to `sudo` commands. +Only the main system administration account should have access to `sudo` commands. 
+ +If other administration users need access to SSH or `sudo` command, restrict access to specific `sudo` commands rather than allowing unlimited access. +Also limit `sudo` command entry by imposing the requirement to enter a password before any `sudo` command can be executed in an SSH or shell session. -Where possible, restrict administration user access to specific `sudo` commands rather than allowing unlimited access. -Also limit administration users `sudo` command entry by requiring password entery before any `sudo` command can be executed in an SSH or shell session. +If creating multiple administration users with permissions to perform specific tasks, do not enable `sudo` commands or configure limited access by entering only the specific commands they need to use to complete required tasks. -If creating multiple administration users with permissions to perform specific tasks, do not enable `sudo` commands or configure the user with limited access by entering only the specific commands they need. -See [Managing Users]({{< relref "ManageLocalUsersSCALE.md" >}}) for more information on creating users and configuring `sudo` commands. +See [Managing Users]({{< relref "ManageLocalUsersSCALE.md" >}}) and [Using Administrator Logins]({{< relref "AdminRoldes.md" >}}) for more information on creating users and allowing `sudo` command access. ### Restrict Access to Shell Configure access to the shell for only the main administration user with full control. 
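Review bot: the broken cross-reference survives this edit: "+See [Restrict Access to Sudo Commands](#restrict-access-to-ssh) for more information." still links the SSH section to itself rather than to the Restrict Access to Sudo Commands heading directly below it. Separately, the two added paragraphs "If other administration users need access to SSH or sudo command, restrict access to specific sudo commands rather than allowing unlimited access." and "If creating multiple administration users with permissions to perform specific tasks, do not enable sudo commands or configure limited access by entering only the specific commands" say the same thing twice; merge them and keep the password-before-sudo requirement, which is the actual hardening point.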
@@ -70,38 +86,82 @@ Enable the root user password only when required. If creating multiple administration users, deny or restrict administration user access to the shell. If granting limited access to the shell, restrict `sudo` command access to only those commands necessary for the role the administration user fills and enforce password entry for commands. -## Lock Users -To prevent or restrict user access for a limited period of time, use the **Lock User** option. -This is useful when a specific administration role transfers from one user to another. -For example, if you create a sharing_administrator account rather than assigning the role to an individual existing user. +### Lock Users +If necessary, use the **Lock User** option on the **Credentials > Users > Edit User** screen to prevent or restrict user access for a limited period of time. Locking the account disables but does not delete the account. -Before unlocking the account, change the password and then assign the role to another user. -## Configure Two Factor Authentication -Two Factor Authentication adds a second level of security to log in access. See [Managing Global Two-Factor Authentication]({{< relref "MaageGlobal2faSCALE.md" >}}) for more information +## Web UI Security +Various settings found on the **System > General Settings** and **Advanced Setings** screens can limit web UI access, increase visibility of system activity, and increase system security. +TrueNAS can also require login credential entry before permitting access to the Console Setup menu after the system installation. + +### Require Login to Show Console Setup Menu +After the initial system installation, administration users with full control can configure TrueNAS to require a user login before showing the Console Setup menu screen. +Go to **System > Advanced Settings** and click **Configure** on the **Console** widget. 
Clearing the **Show Text Console without Password Prompt** sets TrueNAS to show the login prompt before showing the Console Setup menu. + +### Set Up a GUI SSL Certificate +TrueNAS provides a default, self-signed certificate to enable encrypted web interface connections but users can obtain, import, or create a new certificate to use for this function for added security. +If adding or importing a certificate, go to **Credentials > Certificates** then first add or import the certificate authority (CA) and then create or import the certificate to add it as a selectable option in the **GUI SSL Certificate** field on the **System > General Settings > GUI Settings** screen. + +### Configure HTTPS TLS Protocols +TrueNAS is configured to use the TLSv1.2 and TLSv1.3 to provide cryptographic protocol for securing client/server connections. +TrueNAS provides the TLSv1.0 and TLSv1.1 options for backward compatibility but these protocols are less secure than the default protocol selections. +To change the default selections, go to **System > General Settings**, click **Settings** on the **GUI** widget. Click the dropdown arrow for **HTTPS Protocols**, make the change and then click **Save**. + +### Configure a Banner +TrueNAS allow configuring a banner message to show before logging into the web UI or SSH login screens. + +To configure a web UI banner message, go to **System > Advanced Settings** and click **Configure** on the **Access** widget. +Type the text into the **Login Banner** field, and click **Save**. +This shows a banner screen when users first enter the web UI IP address. Users click **Continue** to gain access the the TrueNAS login screen. + +To configure a banner before an authorized users can log into an SSH session, go to **System > Advanced Settings** and click **Console**. +Enter the text for the message in the **MOTD Banner** field and click **Save**. 
## Session Controls Monitor the user session displayed on the **Access** widget located on the **System > Advanced Settings** screen. Use **Terminate Other Sessions** to end a websocket session/connection to TrueNAS if necessary. Configure session timeout in seconds to limit the how long TrueNAS remains logged in when not in active use. -## System Auditing -Customize system auditing retention period by specifying how long the TrueNAS dataset retains the audting records. -Specify the storage quota size and percentage +### Configure Two Factor Authentication +Two Factor Authentication adds a second level of security to log in access. +TrueNAS provides the option to force two-factor authentication for all users wanting to log into the web UI. +A separate option allows requiring two-factor authentication to log into an SSH session. + +See [Managing Global Two-Factor Authentication]({{< relref "MaageGlobal2faSCALE.md" >}}) for more information + +## Monitor System Activity -## System Logging -Configure TrueNAS to send system logs to an external server using the **Syslog** widget on the **System > Advanced Settings** screen in [release 24.10 and later]({{< relref "managesyslogsscale.md" >}}), or the **System > Advanced** screen in [release 13.0 or later]({{< relref "/core/uireference/system/advanced/_index.md" >}}). +### Monitor System Console Messages +TrueNAS allows showing real-time console messages at the bottom of the web UI screen. +Turning this on allows the administration user to monitor console messages detailing system activity. +Click on the banner at the bottom of the UI screen to open a dialog showing system activity for a few days of system activity. +Go to **System > General Settings** and click **Settings** on the **GUI** widget. Select **Show Console Messages** and click **Save** to show console messages. + +### System Auditing +To customize the system auditing retention period, specify how long the TrueNAS retains auditing records. 
+See [Audit Logs]({{< relref "AuditingSCALE.md" >}}) for more information on TrueNAS audit logs and configuring auditing settings. + +To keep audit log records beyond the retention period, use the **Export** button to download a copy of the audit database. +Move the file to a remote backup server to retain a copy of the log based on your data security policies. +TrueNAS prevents modification of the audit log database on the TrueNAS server. Use other data protection measures to prevent modification of a downloaded copy of the file. + +### System Logging +Configure TrueNAS to send system logs to an external server using the **Syslog** widget on the **System > Advanced Settings** screen in [release 24.10 and later]({{< relref "managesyslogsscale.md" >}}). Enter the IP address or host name for the remote system logging server. -Select the preconfigured system certificate or create a new dedicate certificate authority and certificate to secure the connection with the remote server for additional security. -A certificate is required if using TLS protocl to use syslog transport for the remote log server connection. +Select the preconfigured system certificate. + +A certificate is required if using TLS protocol to use syslog transport for the remote log server connection. +Create a new dedicate certificate authority and certificate to secure the TLS connection with the remote server. -To include the fully-qualified domain name (FQDN) in logs to precisesly identify systems with similar host names, select or enable the **Use FQDN for Logging** option. +To include the fully-qualified domain name (FQDN) in logs to precisely identify systems with similar host names, select or enable the **Use FQDN for Logging** option. -## Alert Settings +### Alert Settings Configure alert settings to monitor system, user, and process activity from the **System > Alert Settings** screen. + Configure the email address to receive alerts from the system when the alert criteria is met. 
+ Next configure the individual alert parameters for your use case. Consider setting the following alerts for STIG compliance: {{< truetable >}} @@ -112,41 +172,84 @@ Consider setting the following alerts for STIG compliance: | **Certificates** | **Certificate is Expiring Soon**
**Certificate is Expiring**
**Certificate has Expired** | Set alert level preferences to send notifications when a certificate is about to or has expired to either renew or replace the certificate before functions relying on certificates are impacted, and to keep those functions protected. | | | **Certificate Revoked** | Set alert preferences to send notifications when a certificate is revoked to promptly address the issue or obtain a new certificate. | | | **WEeb UI HTTPS Certificate Setup Failed** | Set alert level preferences to send notifications when the web UI HTTPS certificate setup fails to promptly address issues that impact the security of HTTPS access to the TrueNAS web UI. | -| **Directory Services** | **Active Directory Domain Validation Failed** | Set the alert level prefrence to send notifications when Active Directory domain verificaiton fails to propmptly investigate and take corrective action. | +| **Directory Services** | **Active Directory Domain Validation Failed** | Set the alert level preference to send notifications when Active Directory domain verification fails to promptly investigate and take corrective action. | | **Key Management Interoperability Protocol (KMIP)** | **Failed to Communicate with KMIP Server** | Set alert level preference to send notifications when a communication failure with the KMIP server occurs to promptly diagnose and correct issues. | -| | **Failed to Sync SED Global Password with KMIP Server**
**Failed to sync SED Keys with KMIP Server**
**Failed to Sync ZFS Keys with KMIP Server** | Set the alert level preference to send notifications when the SED global password fails to sync with the KMIP server to promptly diagose and correct password and/or sync issues.| -| **Sharing** | **Deprecated Service Configuration Detected**
**Deprectated Service is Running** | Set the alert level preference to send notifications when | +| | **Failed to Sync SED Global Password with KMIP Server**
**Failed to sync SED Keys with KMIP Server**
**Failed to Sync ZFS Keys with KMIP Server** | Set the alert level preference to send notifications when the SED global password fails to sync with the KMIP server to promptly diagnose and correct password and/or sync issues.| +| **Sharing** | **Deprecated Service Configuration Detected**
**Deprecated Service is Running** | Set the alert level preference to send notifications when | | | | Set the alert level preference to send notifications when deprecated services or service configuration are detected to reconfigure the system to use replacement services or implement replacements. Deprecation notices are provided in the release notes and in tutorials for effected Shares protocols. | | | **IP Addresses Bound to an iSCSI Portal Were Not Found**
**NFS Services Could Not Bind to Specific IP Addresses Using 0.0.0**
**NFS shares reference hosts that could not be resolved** | Set the alert level preference to send notifications when network connections are not found or cannot bind to promptly remove or replace these configurations. | -| | **NTLMv1 authentication has been attempted in the last 24 hours** | Set the alert level preference to send notifications when this authentication protocol is used, to monitor validation between TrueNAS and Windows servers. This protocol provides some session security, message integrity, and confidentiality but is not as robust as more modern protocols. NTLMv1 is susceptible to replay attachs and certain type sof brute-force attacks. Take prompt steps to correct issues leading to this type of authentication. | -| | **SMB share path has unresolvable issues** | Set the alert level preference to send notifications when there are unresolvable issues with an SMB share path.Leaving share paths issues unaddressed can leave the system and data in the shares vulnerable to attack. | +| | **NTLMv1 authentication has been attempted in the last 24 hours** | Set the alert level preference to send notifications when this authentication protocol is used, to monitor validation between TrueNAS and Windows servers. This protocol provides some session security, message integrity, and confidentiality but is not as robust as more modern protocols. NTLMv1 is susceptible to replay attacks and certain types of brute-force attacks. Take prompt steps to correct issues leading to this type of authentication. | +| | **SMB share path has unresolvable issues** | Set the alert level preference to send notifications when there are unresolvable issues with an SMB share path. Leaving share paths issues unaddressed can leave the system and data in the shares vulnerable to attack. | | **Storage** | **Pool consuming USB disks** | Set the alert level preference to send notifications when TrueNAS detects USB disk connected to an used by the system. 
USB drives can put data and data security at risk if used for normal storage, and as a potential source of unauthorized data transfer medium. USB drives are not recommended as a target for system and data backups. | | **System** | **Admin User is Overriden**
**Administrator account activity**
**SSH Login Failures** | Set the alert level preference to send notifications when TrueNAS detects adminitrator user activity related to web UI and SSH sessions. Setting these alerts provides visiblity to potential unauthorized access to TrueNAS features, functions, system configuration, and data storage. | | | **The Web Interface Could Not Bind to Configured Address** | Set the alert level preference to send notifications when TrueNAS detects problems binding to any network address. Address incorrectly configured network addresses promptly to maintain secure communication between TrueNAS and other remote servers. | {{< /truetable >}} -## Allowed Domains and IP Addresses/Hosts -To increase network and share security, consider configuring allowed domains on the [**Network > Global Configuration** screen]({{< relref "ManagingGlobalConfig.md" >}}) and allowed host names or IP addresses for [SMB shares]({{< relref "/scale/scaletutorials/shares/smb/_index.md #configuring-share-advanced-options-settings" >}}) or [NFS shares]({{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}. +## Network Security +Do not leave inactive network connections configured or active in TrueNAS even if they are non-public IP addresses. + +### Allowed IP Addresses +To limit the IP address(es) allowed access to the TrueNAS web UI to a single or range of IP addresses in a subnet, go to **System > Advanced Settings > Allowed IP Addresses** and either enter a single IP address to restrict access to one IP address, or enter an IP address and subnet mask to restrict access to a range of IP addresses. -## Disable Unused Network Connections +Use caution when configuring the system to restrict access to avoid locking out web UI access to all users! +If locked out of the web UI, connect a terminal and keyboard to the system server to change this setting to allow web UI access again. 
+ +### Disable Unused Network Connections Unused network connections, whether in network interfaces such as a bridge, VLAN, or link aggregate, interface aliases, or static routes. Left active in the system and if publicly accessible, these addresses present security vulnerabilities. Check share advanced options and share service configurations for invalid network addresses or connections to discontinued remote servers. -## Dataset Security +### Allowed Domains and IP Addresses/Hosts +To increase network, consider configuring allowed domains on the [**Network > Global Configuration** screen]({{< relref "ManagingGlobalConfig.md" >}}). +To increase share security, configure allowed host names or IP addresses for [SMB shares]({{< relref "/scale/scaletutorials/shares/smb/_index.md #configuring-share-advanced-options-settings" >}}) or [NFS shares]({{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}. -### Lock Datasets +## Data Security +To keep data secure, TrueNAS provides dataset access controls, encryption, and the ability to lock/unlock datasets. +Shares have the ability to configure share or filesystem access controls. +Applications allow configuring access control on the storage volumes or host path datasets they use for container storage. -### Configure Access Control Lists +### Configure Access Control Lists (ACLs) +TrueNAS provides both POSIX and NFSv4 access control protocol and applies them based on the dataset preset selected when creating the dataset. +Advanced users can override the default ACL protocol applies through advanced dataset setting options to suit their security protocols or individual uses cases. -### Configure Encryption +Access to datasets can be configured for the owner, per user, group, or everyone, set to allow or deny settings, with permission limited to read only, read/write, or full control. +See [Setting Up Permissions]({{< relref "PermissionsSCALE.md" >}}) for more information. 
-## Data Transfer Security +SMB share permit setting up permissions for just the share but not the dataset for the share, or for both the dataset and the share. +See [Windows Shares]({{< relref "/content/SCALE/SCALETutorials/Shares/SMB/_index.md" >}}) for more information on SMB shares, creating shares, and configuring settings including permissions. -### Encrypt Replication Tasks +NFS shares do not have the same setting options and rely on the dataset ACL settings. +See [NFS Shares]({{< relref "/SCALETutorials/shares/AddingNFSShares.md" >}}) for more information. -## Manage Boot Environments +Apps installation wizards for apps in the **enterprise** and **stable** trains, and some **community** apps include the option to enable ACLs where you set the owner and permissions level by storage volume/dataset host path. -## Configure a Banner +### Configure Encryption +TrueNAS allows users to set encryption at the dataset level, but does not recommend setting it at the pool level. Pool-level encryption forces encryption on all datasets created in the pool and can only use key encryption. +Encrypting at the dataset level allow more granular control over encrypted verses unencrypted datasets, and allows setting the encryption type to either key or passphrase protection. +Child datasets of encrypted datasets inherit encryption from the parent dataset. +See [Storage Encryption]({{< relref "EncryptionSCALE.md" >}}) for more information on encrypting datasets. + +Datasets with encryption allow users to lock the datasets to prevent reading from or writing to the dataset until it is unlocked. +## Data Transfer Security +TrueNAS allows encryption on data transfers made through cloud sync and replication tasks. +This adds a layer of encryption on top of dataset-level encryption whether the dataset is encrypted or not. 
+ +See [Encrypting Cloud Sync Tasks]({{< relref "/SCALETutorials/DataProtection/CloudSyncTasks.md #encrypting-cloud-sync-tasks" >}}) for more information on encrypting cloud sync tasks, or [Adding Transfer Encryption]({{< relref "/SCALETutorials/DataProtection/Replication/Advanced Replication.md #adding-transfer-encryption" >}}) for information on adding encryption to remote replication tasks. + +### Maintain SSH Connection Credentials +TrueNAS uses SSH connection credentials for cloud backup tasks, cloud sync tasks, rsync tasks, and replication tasks. +Purge the list of SSH connection to backup servers no longer actively useds to minimize security vulnerabilities through connections to the remote servers or services no longer used. +Select out-of-date or inactive SSH connections, SSH Keypair, or cloud credential to edit or delete it. + +## Updating TrueNAS Releases +TrueNAS provides a way to update to the latest releases from the UI. The main Dashboard and Software > Updates screen provide access to the latest releases for the currently installed release train selected in TrueNAS. +Alternatively, users can use an iso to clean install the latest version of TrueNAS. +Each release upgrade creates a new boot environment. + +### Manage Boot Environments +To manage versions of TrueNAS releases, go to **System > Boot** to open the **Boot Environments** screen. +Select the checkbox(es) for releases you want to delete from the list of inactive releases. +Maintaining releases does not pose security risks but does consume space on the boot pool. +See [Boot Pool Management]({{< relref "ManageBootEnvironSCALE.md" >}}) for more information on working with boot pool environments. \ No newline at end of file From b2023a0ffc932039c15e50179e1f49799b5f7df4 Mon Sep 17 00:00:00 2001 
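Review bot: In the System Logging paragraph of the new-file hunk, TLS transport reads as an optional extra: the stranded line "+Select the preconfigured system certificate." comes before the sentence explaining that a certificate is only needed for TLS, and nothing tells the reader to actually choose TLS as the syslog transport, which is the step that makes the certificate matter. Suggest ordering it as: set the transport to TLS, then select the system certificate or a dedicated CA and certificate ("dedicate" should be "dedicated"). In the same hunk, the relref "MaageGlobal2faSCALE.md" is misspelled and will not resolve, and "limit the how long TrueNAS remains logged in" has a stray "the".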
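Review bot: In the @@ -112,41 +172,84 @@ hunk the link that ends the Allowed Domains and IP Addresses/Hosts section is never closed: `[NFS shares]({{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}.` is missing the `)` after `>}}`, so it renders as raw text, and the sentence above it, "To increase network, consider configuring allowed domains", has lost the word "security". In the alert table, the Sharing row for the deprecated-service alerts has an empty description ("...send notifications when |") followed by a second row that carries the text, so the two should be one row, and "**NFS Services Could Not Bind to Specific IP Addresses Using 0.0.0**" looks truncated and should be checked against the alert name shown in the UI. The Disable Unused Network Connections paragraph opens with a fragment that has no verb ("Unused network connections, whether in network interfaces such as ... or static routes."). In Manage Boot Environments, "Maintaining releases does not pose security risks" is stronger than the text supports, since the inactive entries are earlier releases the system can still be booted into; suggest saying instead that old environments mainly cost boot-pool space and should be pruned once the current release is confirmed working. Also: a blank line is missing before "## Data Transfer Security", and there are typos "useds", "verses" (versus), "WEeb UI", "Overriden", "adminitrator", "visiblity", "effected" (affected), and "USB disk connected to an used by the system".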
From: MicJ Date: Thu, 10 Oct 2024 15:50:08 -0400 Subject: [PATCH 3/7] PD-1333 Fix broken relrefs --- .../Solutions/Optimizations/STIGCompliance.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md index bab412f07b..9cfd30f0ae 100644 --- a/content/Solutions/Optimizations/STIGCompliance.md +++ b/content/Solutions/Optimizations/STIGCompliance.md @@ -23,7 +23,7 @@ This article details customizable settings to accomplish a security-hardened sys ## Install TrueNAS Existing TrueNAS systems can upgrade to the latest release through the UI. Earlier releases of TrueNAS can upgrade by following the established migration paths, or might need to clean-install the latest release of SCALE using the iso -. Refer to documentation on upgrading existing systems found [here]({{< relref "SoftwareReleases.md" >}}). +. Refer to documentation on upgrading existing systems found [here]({{< relref "/content/TrueNASUpgrades/_index.md" >}}). If side-grading (migrating) from an earlier release to the latest TrueNAS release, follow guidance in the [Preparing to Migrate]({{< relref "/SCALE/GettingStarted/Migrate/MigratePrep.md" >}}) article before beginning the migration. 
@@ -43,7 +43,7 @@ Only enable the root user password when necessary to perform functions not avail If creating multiple administration user accounts for individuals that fill specific roles, limit privileges and access to what is minimally required to perform the system responsibilities. -See [Using Administrator Logins]({{< relref "AdminRoldes.md" >}}) for more information on administration user accounts. +See [Using Administrator Logins]({{< relref "AdminRoles.md" >}}) for more information on administration user accounts. ### Restrict Access to Roles TrueNAS allows for role-based access control (RBAC) through the privileges function such as the predefined, full control, readonly, and sharing_administrator roles. @@ -57,13 +57,13 @@ Incorrectly configuring privileges can result in unintended consequences. Do not modify the default existing privileges! {{< /hint >}} -See [Using Administrator Logins]({{< relref "AdminRoldes.md" >}}) for more information on administration user accounts. +See [Using Administrator Logins]({{< relref "AdminRoles.md" >}}) for more information on administration user accounts. ### Restrict Access to SSH Enable SSH access only for the full-control administration user (Local Administrator) but do not leave the SSH service enabled when not in use. Disable the SSH service after completing the required tasks until access is needed again. Do not set the SSH service to start automatically if the system reboots to prevent starting and leaving SSH running when not needed. -See [SSH Service]({{< relref "/SCALETutorials/SystemSettings/Services/SSHServiceSCALE.md" >}}) for more information. +See [SSH Service]({{< relref "SSHServiceSCALE.md" >}}) for more information. If using multiple administration user accounts, limit SSH session access to only users that require this ability to communicate with TrueNAS at the command-line level. See [Restrict Access to Sudo Commands](#restrict-access-to-ssh) for more information. 
@@ -76,7 +76,7 @@ Also limit `sudo` command entry by imposing the requirement to enter a password If creating multiple administration users with permissions to perform specific tasks, do not enable `sudo` commands or configure limited access by entering only the specific commands they need to use to complete required tasks. -See [Managing Users]({{< relref "ManageLocalUsersSCALE.md" >}}) and [Using Administrator Logins]({{< relref "AdminRoldes.md" >}}) for more information on creating users and allowing `sudo` command access. +See [Managing Users]({{< relref "ManageLocalUsersSCALE.md" >}}) and [Using Administrator Logins]({{< relref "AdminRoles.md" >}}) for more information on creating users and allowing `sudo` command access. ### Restrict Access to Shell Configure access to the shell for only the main administration user with full control. @@ -127,7 +127,7 @@ Two Factor Authentication adds a second level of security to log in access. TrueNAS provides the option to force two-factor authentication for all users wanting to log into the web UI. A separate option allows requiring two-factor authentication to log into an SSH session. -See [Managing Global Two-Factor Authentication]({{< relref "MaageGlobal2faSCALE.md" >}}) for more information +See [Managing Global Two-Factor Authentication]({{< relref "ManageGlobal2faSCALE.md" >}}) for more information ## Monitor System Activity 
@@ -220,7 +220,7 @@ SMB share permit setting up permissions for just the share but not the dataset f See [Windows Shares]({{< relref "/content/SCALE/SCALETutorials/Shares/SMB/_index.md" >}}) for more information on SMB shares, creating shares, and configuring settings including permissions. NFS shares do not have the same setting options and rely on the dataset ACL settings. -See [NFS Shares]({{< relref "/SCALETutorials/shares/AddingNFSShares.md" >}}) for more information. +See [NFS Shares]({{< relref "AddingNFSShares.md" >}}) for more information. Apps installation wizards for apps in the **enterprise** and **stable** trains, and some **community** apps include the option to enable ACLs where you set the owner and permissions level by storage volume/dataset host path. @@ -236,7 +236,7 @@ Datasets with encryption allow users to lock the datasets to prevent reading fro TrueNAS allows encryption on data transfers made through cloud sync and replication tasks. This adds a layer of encryption on top of dataset-level encryption whether the dataset is encrypted or not. -See [Encrypting Cloud Sync Tasks]({{< relref "/SCALETutorials/DataProtection/CloudSyncTasks.md #encrypting-cloud-sync-tasks" >}}) for more information on encrypting cloud sync tasks, or [Adding Transfer Encryption]({{< relref "/SCALETutorials/DataProtection/Replication/Advanced Replication.md #adding-transfer-encryption" >}}) for information on adding encryption to remote replication tasks. +See [Encrypting Cloud Sync Tasks]({{< relref "/SCALE/SCALETutorials/dataprotection/CloudSyncTasks/_index.md" >}}) for more information on encrypting cloud sync tasks, or [Adding Transfer Encryption]({{< relref "/scale/scaletutorials/dataprotection/replication/advancedreplication/_index.md" >}}) for information on adding encryption to remote replication tasks. ### Maintain SSH Connection Credentials TrueNAS uses SSH connection credentials for cloud backup tasks, cloud sync tasks, rsync tasks, and replication tasks. 
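Review bot: In the @@ -23,7 +23,7 @@ hunk the replacement relref "/content/TrueNASUpgrades/_index.md" is rooted at /content/, while the other root-anchored relref this patch introduces ("/SCALE/SCALETutorials/dataprotection/CloudSyncTasks/_index.md") is rooted at the section directory; Hugo resolves a leading slash in relref from the content directory, so verify that the /content/ prefix actually resolves (the same pattern is in the untouched SMB link, "/content/SCALE/SCALETutorials/Shares/SMB/_index.md"). The line also still begins with a stray period ("+. Refer to documentation...") that belongs at the end of the previous line.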
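Review bot: In the @@ -43,7 +43,7 @@ hunk the context line "See [Restrict Access to Sudo Commands](#restrict-access-to-ssh)" links to the SSH heading it sits under rather than to the sudo section; since this patch is fixing broken references, change the fragment to `#restrict-access-to-sudo-commands` at the same time.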
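Review bot: In the @@ -236,7 +236,7 @@ hunk the rewritten links drop the `#encrypting-cloud-sync-tasks` and `#adding-transfer-encryption` fragments, so "Adding Transfer Encryption" now lands at the top of the advanced replication page instead of the subsection the link text names; if those headings exist in the target pages, append the fragments to the new relrefs, and if they do not, reword the link text so it does not promise a subsection.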
From 34f052bf130c94ddb6348ac0ebed3e45a70a0c07 Mon Sep 17 00:00:00 2001 From: MicJ Date: Thu, 10 Oct 2024 15:55:44 -0400 Subject: [PATCH 4/7] PD-1333 Fix Alert Table Formatting --- content/Solutions/Optimizations/STIGCompliance.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md index 9cfd30f0ae..2e57627cd4 100644 --- a/content/Solutions/Optimizations/STIGCompliance.md +++ b/content/Solutions/Optimizations/STIGCompliance.md @@ -169,19 +169,18 @@ Consider setting the following alerts for STIG compliance: |----------|-------|---------| | **Audit** | **Audit Service Backend Failed** | Set alert level preference to send notifications when an auditing function failure occurs to promptly correct the issue and not lose audit logs. | | | **Audit Service Setup Failed** | Set alert level preference to send notifications when the auditing setup fails to correct the issue promptly and not lose audit logs. | -| **Certificates** | **Certificate is Expiring Soon**
**Certificate is Expiring**
**Certificate has Expired** | Set alert level preferences to send notifications when a certificate is about to or has expired to either renew or replace the certificate before functions relying on certificates are impacted, and to keep those functions protected. | +| **Certificates** |
  • **Certificate is Expiring Soon**
  • **Certificate is Expiring**
  • **Certificate has Expired**
  • | Set alert level preferences to send notifications when a certificate is about to or has expired to either renew or replace the certificate before functions relying on certificates are impacted, and to keep those functions protected. | | | **Certificate Revoked** | Set alert preferences to send notifications when a certificate is revoked to promptly address the issue or obtain a new certificate. | | | **WEeb UI HTTPS Certificate Setup Failed** | Set alert level preferences to send notifications when the web UI HTTPS certificate setup fails to promptly address issues that impact the security of HTTPS access to the TrueNAS web UI. | | **Directory Services** | **Active Directory Domain Validation Failed** | Set the alert level preference to send notifications when Active Directory domain verification fails to promptly investigate and take corrective action. | | **Key Management Interoperability Protocol (KMIP)** | **Failed to Communicate with KMIP Server** | Set alert level preference to send notifications when a communication failure with the KMIP server occurs to promptly diagnose and correct issues. | -| | **Failed to Sync SED Global Password with KMIP Server**
    **Failed to sync SED Keys with KMIP Server**
    **Failed to Sync ZFS Keys with KMIP Server** | Set the alert level preference to send notifications when the SED global password fails to sync with the KMIP server to promptly diagnose and correct password and/or sync issues.| -| **Sharing** | **Deprecated Service Configuration Detected**
    **Deprecated Service is Running** | Set the alert level preference to send notifications when | -| | | Set the alert level preference to send notifications when deprecated services or service configuration are detected to reconfigure the system to use replacement services or implement replacements. Deprecation notices are provided in the release notes and in tutorials for effected Shares protocols. | -| | **IP Addresses Bound to an iSCSI Portal Were Not Found**
    **NFS Services Could Not Bind to Specific IP Addresses Using 0.0.0**
    **NFS shares reference hosts that could not be resolved** | Set the alert level preference to send notifications when network connections are not found or cannot bind to promptly remove or replace these configurations. | +| |
  • **Failed to Sync SED Global Password with KMIP Server**
  • **Failed to sync SED Keys with KMIP Server**
  • **Failed to Sync ZFS Keys with KMIP Server**
  • | Set the alert level preference to send notifications when the SED global password fails to sync with the KMIP server to promptly diagnose and correct password and/or sync issues.| +| **Sharing** |
  • **Deprecated Service Configuration Detected**
  • **Deprecated Service is Running**
  • | Set the alert level preference to send notifications when deprecated services or service configuration are detected to reconfigure the system to use replacement services or implement replacements. Deprecation notices are provided in the release notes and in tutorials for effected Shares protocols. | +| |
  • **IP Addresses Bound to an iSCSI Portal Were Not Found**
  • **NFS Services Could Not Bind to Specific IP Addresses Using 0.0.0**
  • **NFS shares reference hosts that could not be resolved**
  • | Set the alert level preference to send notifications when network connections are not found or cannot bind to promptly remove or replace these configurations. | | | **NTLMv1 authentication has been attempted in the last 24 hours** | Set the alert level preference to send notifications when this authentication protocol is used, to monitor validation between TrueNAS and Windows servers. This protocol provides some session security, message integrity, and confidentiality but is not as robust as more modern protocols. NTLMv1 is susceptible to replay attacks and certain types of brute-force attacks. Take prompt steps to correct issues leading to this type of authentication. | | | **SMB share path has unresolvable issues** | Set the alert level preference to send notifications when there are unresolvable issues with an SMB share path. Leaving share paths issues unaddressed can leave the system and data in the shares vulnerable to attack. | | **Storage** | **Pool consuming USB disks** | Set the alert level preference to send notifications when TrueNAS detects USB disk connected to an used by the system. USB drives can put data and data security at risk if used for normal storage, and as a potential source of unauthorized data transfer medium. USB drives are not recommended as a target for system and data backups. | -| **System** | **Admin User is Overriden**
    **Administrator account activity**
    **SSH Login Failures** | Set the alert level preference to send notifications when TrueNAS detects adminitrator user activity related to web UI and SSH sessions. Setting these alerts provides visiblity to potential unauthorized access to TrueNAS features, functions, system configuration, and data storage. | +| **System** |
  • **Admin User is Overriden**
  • **Administrator account activity**
  • **SSH Login Failures**
  • | Set the alert level preference to send notifications when TrueNAS detects adminitrator user activity related to web UI and SSH sessions. Setting these alerts provides visiblity to potential unauthorized access to TrueNAS features, functions, system configuration, and data storage. | | | **The Web Interface Could Not Bind to Configured Address** | Set the alert level preference to send notifications when TrueNAS detects problems binding to any network address. Address incorrectly configured network addresses promptly to maintain secure communication between TrueNAS and other remote servers. | {{< /truetable >}} From 1277cf56df0c79ef434379946ad3166386f6e580 Mon Sep 17 00:00:00 2001 From: MicJ Date: Fri, 11 Oct 2024 09:15:06 -0400 Subject: [PATCH 5/7] PD-1333 Updates to STIG for VMs and Future Compliance Items This commit adds the VM and future Fangtooth compliance items. --- .../Solutions/Optimizations/STIGCompliance.md | 81 ++++++++++++------- 1 file changed, 50 insertions(+), 31 deletions(-) diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md index 2e57627cd4..99ff2078c5 100644 --- a/content/Solutions/Optimizations/STIGCompliance.md +++ b/content/Solutions/Optimizations/STIGCompliance.md 
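Review bot: In the @@ -169,19 +169,18 @@ hunk every converted cell ends with an empty bullet before the closing pipe (the "• |" lines after **Certificate has Expired**, **Failed to Sync ZFS Keys with KMIP Server**, **Deprecated Service is Running**, **NFS shares reference hosts that could not be resolved** and **SSH Login Failures**), which renders as a dangling bullet; drop the trailing `•` in each cell. Since the table is being reworked anyway: "WEeb UI" (Web UI), "Admin User is Overriden" (Overridden), "adminitrator", "visiblity", "effected" (affected), "USB disk connected to an used by the system" (connected to and used by), and "Using 0.0.0" looks truncated and should be checked against the alert name in the UI.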
@@ -32,7 +32,10 @@ If clean-installing TrueNAS for the first time, follow guidance in the [Installa ### Prerequisites Installing TrueNAS on servers other than iXsystems-provided systems, should read and follow guidance in the [TrueNAS Hardware Guide]({{< relref "SCALEHardwareGuide.md" >}}). -## Administration Accounts +## Configuring TrueNAS +After installing TrueNAS, users must complete the initial configuration of network, storage, users, sharing, and data backup solutions. See [Configuration Instructions]({{< relref "/SCALE/gettingstarted/configure/_index.md" >}}) for more information. + +### Administration Accounts TrueNAS creates the root user and an administration user at installation. Some releases of TrueNAS might only have **root** as the default administration user, while other releases have either the **admin** or **truenas_admin** as the default user. @@ -45,7 +48,7 @@ If creating multiple administration user accounts for individuals that fill spec See [Using Administrator Logins]({{< relref "AdminRoles.md" >}}) for more information on administration user accounts. -### Restrict Access to Roles +#### Restrict Access to Roles TrueNAS allows for role-based access control (RBAC) through the privileges function such as the predefined, full control, readonly, and sharing_administrator roles. In 24.10 and later releases, full administrators can configure new privileges to create other administration user roles that are limited to specific tasks such as replication, cloud sync, cloud backup, apps and docker, directory services, system audit, and keychain read/write capabilities. 
@@ -59,7 +62,7 @@ Do not modify the default existing privileges! See [Using Administrator Logins]({{< relref "AdminRoles.md" >}}) for more information on administration user accounts. -### Restrict Access to SSH +#### Restrict Access to SSH Enable SSH access only for the full-control administration user (Local Administrator) but do not leave the SSH service enabled when not in use. Disable the SSH service after completing the required tasks until access is needed again. Do not set the SSH service to start automatically if the system reboots to prevent starting and leaving SSH running when not needed. @@ -68,7 +71,7 @@ See [SSH Service]({{< relref "SSHServiceSCALE.md" >}}) for more information. If using multiple administration user accounts, limit SSH session access to only users that require this ability to communicate with TrueNAS at the command-line level. See [Restrict Access to Sudo Commands](#restrict-access-to-ssh) for more information. -### Restrict Access to Sudo Commands +#### Restrict Access to Sudo Commands Only the main system administration account should have access to `sudo` commands. If other administration users need access to SSH or `sudo` command, restrict access to specific `sudo` commands rather than allowing unlimited access. @@ -78,7 +81,7 @@ If creating multiple administration users with permissions to perform specific t See [Managing Users]({{< relref "ManageLocalUsersSCALE.md" >}}) and [Using Administrator Logins]({{< relref "AdminRoles.md" >}}) for more information on creating users and allowing `sudo` command access. -### Restrict Access to Shell +#### Restrict Access to Shell Configure access to the shell for only the main administration user with full control. For better control leave access to the shell to only the root user. Enable the root user password only when required. 
@@ -86,28 +89,28 @@ Enable the root user password only when required. If creating multiple administration users, deny or restrict administration user access to the shell. If granting limited access to the shell, restrict `sudo` command access to only those commands necessary for the role the administration user fills and enforce password entry for commands. -### Lock Users +#### Lock Users If necessary, use the **Lock User** option on the **Credentials > Users > Edit User** screen to prevent or restrict user access for a limited period of time. Locking the account disables but does not delete the account. -## Web UI Security +### Web UI Security Various settings found on the **System > General Settings** and **Advanced Setings** screens can limit web UI access, increase visibility of system activity, and increase system security. TrueNAS can also require login credential entry before permitting access to the Console Setup menu after the system installation. -### Require Login to Show Console Setup Menu +#### Require Login to Show Console Setup Menu After the initial system installation, administration users with full control can configure TrueNAS to require a user login before showing the Console Setup menu screen. Go to **System > Advanced Settings** and click **Configure** on the **Console** widget. Clearing the **Show Text Console without Password Prompt** sets TrueNAS to show the login prompt before showing the Console Setup menu. -### Set Up a GUI SSL Certificate +#### Set Up a GUI SSL Certificate TrueNAS provides a default, self-signed certificate to enable encrypted web interface connections but users can obtain, import, or create a new certificate to use for this function for added security. 
If adding or importing a certificate, go to **Credentials > Certificates** then first add or import the certificate authority (CA) and then create or import the certificate to add it as a selectable option in the **GUI SSL Certificate** field on the **System > General Settings > GUI Settings** screen. -### Configure HTTPS TLS Protocols +#### Configure HTTPS TLS Protocols TrueNAS is configured to use the TLSv1.2 and TLSv1.3 to provide cryptographic protocol for securing client/server connections. TrueNAS provides the TLSv1.0 and TLSv1.1 options for backward compatibility but these protocols are less secure than the default protocol selections. To change the default selections, go to **System > General Settings**, click **Settings** on the **GUI** widget. Click the dropdown arrow for **HTTPS Protocols**, make the change and then click **Save**. -### Configure a Banner +#### Configure a Banner TrueNAS allow configuring a banner message to show before logging into the web UI or SSH login screens. To configure a web UI banner message, go to **System > Advanced Settings** and click **Configure** on the **Access** widget. 
@@ -117,28 +120,27 @@ This shows a banner screen when users first enter the web UI IP address. Users c To configure a banner before an authorized users can log into an SSH session, go to **System > Advanced Settings** and click **Console**. Enter the text for the message in the **MOTD Banner** field and click **Save**. -## Session Controls +### Session Controls Monitor the user session displayed on the **Access** widget located on the **System > Advanced Settings** screen. Use **Terminate Other Sessions** to end a websocket session/connection to TrueNAS if necessary. Configure session timeout in seconds to limit the how long TrueNAS remains logged in when not in active use. -### Configure Two Factor Authentication +#### Configure Two Factor Authentication Two Factor Authentication adds a second level of security to log in access. TrueNAS provides the option to force two-factor authentication for all users wanting to log into the web UI. A separate option allows requiring two-factor authentication to log into an SSH session. See [Managing Global Two-Factor Authentication]({{< relref "ManageGlobal2faSCALE.md" >}}) for more information +### Monitor System Activity -## Monitor System Activity - -### Monitor System Console Messages +#### Monitor System Console Messages TrueNAS allows showing real-time console messages at the bottom of the web UI screen. Turning this on allows the administration user to monitor console messages detailing system activity. Click on the banner at the bottom of the UI screen to open a dialog showing system activity for a few days of system activity. Go to **System > General Settings** and click **Settings** on the **GUI** widget. Select **Show Console Messages** and click **Save** to show console messages. -### System Auditing +#### System Auditing To customize the system auditing retention period, specify how long the TrueNAS retains auditing records. 
See [Audit Logs]({{< relref "AuditingSCALE.md" >}}) for more information on TrueNAS audit logs and configuring auditing settings. @@ -146,7 +148,7 @@ To keep audit log records beyond the retention period, use the **Export** button Move the file to a remote backup server to retain a copy of the log based on your data security policies. TrueNAS prevents modification of the audit log database on the TrueNAS server. Use other data protection measures to prevent modification of a downloaded copy of the file. -### System Logging +#### System Logging Configure TrueNAS to send system logs to an external server using the **Syslog** widget on the **System > Advanced Settings** screen in [release 24.10 and later]({{< relref "managesyslogsscale.md" >}}). Enter the IP address or host name for the remote system logging server. @@ -157,7 +159,7 @@ Create a new dedicate certificate authority and certificate to secure the TLS co To include the fully-qualified domain name (FQDN) in logs to precisely identify systems with similar host names, select or enable the **Use FQDN for Logging** option. -### Alert Settings +#### Alert Settings Configure alert settings to monitor system, user, and process activity from the **System > Alert Settings** screen. Configure the email address to receive alerts from the system when the alert criteria is met. 
@@ -184,31 +186,31 @@ Consider setting the following alerts for STIG compliance: | | **The Web Interface Could Not Bind to Configured Address** | Set the alert level preference to send notifications when TrueNAS detects problems binding to any network address. Address incorrectly configured network addresses promptly to maintain secure communication between TrueNAS and other remote servers. | {{< /truetable >}} -## Network Security +### Network Security Do not leave inactive network connections configured or active in TrueNAS even if they are non-public IP addresses. -### Allowed IP Addresses +#### Allowed IP Addresses To limit the IP address(es) allowed access to the TrueNAS web UI to a single or range of IP addresses in a subnet, go to **System > Advanced Settings > Allowed IP Addresses** and either enter a single IP address to restrict access to one IP address, or enter an IP address and subnet mask to restrict access to a range of IP addresses. Use caution when configuring the system to restrict access to avoid locking out web UI access to all users! If locked out of the web UI, connect a terminal and keyboard to the system server to change this setting to allow web UI access again. -### Disable Unused Network Connections +#### Disable Unused Network Connections Unused network connections, whether in network interfaces such as a bridge, VLAN, or link aggregate, interface aliases, or static routes. Left active in the system and if publicly accessible, these addresses present security vulnerabilities. Check share advanced options and share service configurations for invalid network addresses or connections to discontinued remote servers. -### Allowed Domains and IP Addresses/Hosts +#### Allowed Domains and IP Addresses/Hosts To increase network, consider configuring allowed domains on the [**Network > Global Configuration** screen]({{< relref "ManagingGlobalConfig.md" >}}). 
To increase share security, configure allowed host names or IP addresses for [SMB shares]({{< relref "/scale/scaletutorials/shares/smb/_index.md #configuring-share-advanced-options-settings" >}}) or [NFS shares]({{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}. -## Data Security +### Data Security To keep data secure, TrueNAS provides dataset access controls, encryption, and the ability to lock/unlock datasets. Shares have the ability to configure share or filesystem access controls. Applications allow configuring access control on the storage volumes or host path datasets they use for container storage. -### Configure Access Control Lists (ACLs) +#### Configure Access Control Lists (ACLs) TrueNAS provides both POSIX and NFSv4 access control protocol and applies them based on the dataset preset selected when creating the dataset. Advanced users can override the default ACL protocol applies through advanced dataset setting options to suit their security protocols or individual uses cases. @@ -223,7 +225,7 @@ See [NFS Shares]({{< relref "AddingNFSShares.md" >}}) for more information. Apps installation wizards for apps in the **enterprise** and **stable** trains, and some **community** apps include the option to enable ACLs where you set the owner and permissions level by storage volume/dataset host path. -### Configure Encryption +#### Configure Encryption TrueNAS allows users to set encryption at the dataset level, but does not recommend setting it at the pool level. Pool-level encryption forces encryption on all datasets created in the pool and can only use key encryption. Encrypting at the dataset level allow more granular control over encrypted verses unencrypted datasets, and allows setting the encryption type to either key or passphrase protection. Child datasets of encrypted datasets inherit encryption from the parent dataset. 
@@ -231,24 +233,41 @@ See [Storage Encryption]({{< relref "EncryptionSCALE.md" >}}) for more informati Datasets with encryption allow users to lock the datasets to prevent reading from or writing to the dataset until it is unlocked. -## Data Transfer Security +### Data Transfer Security TrueNAS allows encryption on data transfers made through cloud sync and replication tasks. This adds a layer of encryption on top of dataset-level encryption whether the dataset is encrypted or not. See [Encrypting Cloud Sync Tasks]({{< relref "/SCALE/SCALETutorials/dataprotection/CloudSyncTasks/_index.md" >}}) for more information on encrypting cloud sync tasks, or [Adding Transfer Encryption]({{< relref "/scale/scaletutorials/dataprotection/replication/advancedreplication/_index.md" >}}) for information on adding encryption to remote replication tasks. -### Maintain SSH Connection Credentials +#### Maintain SSH Connection Credentials TrueNAS uses SSH connection credentials for cloud backup tasks, cloud sync tasks, rsync tasks, and replication tasks. Purge the list of SSH connection to backup servers no longer actively useds to minimize security vulnerabilities through connections to the remote servers or services no longer used. Select out-of-date or inactive SSH connections, SSH Keypair, or cloud credential to edit or delete it. -## Updating TrueNAS Releases +### Updating TrueNAS Releases TrueNAS provides a way to update to the latest releases from the UI. The main Dashboard and Software > Updates screen provide access to the latest releases for the currently installed release train selected in TrueNAS. Alternatively, users can use an iso to clean install the latest version of TrueNAS. Each release upgrade creates a new boot environment. -### Manage Boot Environments +#### Manage Boot Environments To manage versions of TrueNAS releases, go to **System > Boot** to open the **Boot Environments** screen. 
Select the checkbox(es) for releases you want to delete from the list of inactive releases. Maintaining releases does not pose security risks but does consume space on the boot pool. -See [Boot Pool Management]({{< relref "ManageBootEnvironSCALE.md" >}}) for more information on working with boot pool environments. \ No newline at end of file +See [Boot Pool Management]({{< relref "ManageBootEnvironSCALE.md" >}}) for more information on working with boot pool environments. + +### Virtualization +This document does not cover the virtual machine envirnoments created by users. +STIG compliance for these users-deployed environments is based on the operating system and applications deployed in these VMs. + +## Future STIG Compliance +TrueNAS does not comply with STIG for the following findings that are planned for a future release: + +{{< expand " SRG-OS-00366-GPOS-10153" "v" >}} +The opertating system must prevent the installation of patches, service packs, device drivers, or OS components without verification, and that are digitally signed using a certificate recognized and approved by the organization. +{{< /expand >}} +{{< expand "SRG-OS-000477-GPOS-00222" "v" >}} +The operating system must genrate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. +{{< /expand >}} +{{< exapnd "SRG-OS-000278-GPOS-00108" "v" >}} +Completion of compliance with this finding stating the operating system must use cryptographic mechanisims to protect the intergrity of audit tools. +{{< /expand >}} \ No newline at end of file From 238be15c084c7bc738fb2361ef0fd308340419fe Mon Sep 17 00:00:00 2001 From: MicJ Date: Fri, 11 Oct 2024 09:47:19 -0400 Subject: [PATCH 6/7] PD-1333 Fix Expand shortcode --- content/Solutions/Optimizations/STIGCompliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md index 99ff2078c5..6bd4b1277a 100644 --- a/content/Solutions/Optimizations/STIGCompliance.md +++ b/content/Solutions/Optimizations/STIGCompliance.md @@ -268,6 +268,6 @@ The opertating system must prevent the installation of patches, service packs, d {{< expand "SRG-OS-000477-GPOS-00222" "v" >}} The operating system must genrate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. {{< /expand >}} -{{< exapnd "SRG-OS-000278-GPOS-00108" "v" >}} +{{< expand "SRG-OS-000278-GPOS-00108" "v" >}} Completion of compliance with this finding stating the operating system must use cryptographic mechanisims to protect the intergrity of audit tools. {{< /expand >}} \ No newline at end of file From b0e1f2161b6f26e529eb569b9d1a01f84dc43460 Mon Sep 17 00:00:00 2001 From: MicJ Date: Fri, 11 Oct 2024 10:27:43 -0400 Subject: [PATCH 7/7] PD-1333 Make Suggested Edit This commit makes suggested edit made in the initial security review of this content. --- content/Solutions/Optimizations/STIGCompliance.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/Solutions/Optimizations/STIGCompliance.md b/content/Solutions/Optimizations/STIGCompliance.md index 6bd4b1277a..2bd8dfd83e 100644 --- a/content/Solutions/Optimizations/STIGCompliance.md +++ b/content/Solutions/Optimizations/STIGCompliance.md 
@@ -17,8 +17,8 @@ TrueNAS falls into the category of an appliance with its own operating system as Through connection to Active Directory, TrueNAS also complies with the [Active Directory Domain Security Technical Implementation Guide SRG](https://www.stigviewer.com/stig/active_directory_domain/) findings related to authentication and access controls for user, group, and systems. ## Customizing TrueNAS Security Options for STIG Compliance -Many areas of compliance with the STIG SGR findings are automatically addressed through the TrueNAS kernel and middleware, but some are optional settings and features in the TrueNAS UI administration users customize to suit individual use cases and security policies. -This article details customizable settings to accomplish a security-hardened systems for STIG compliance. +Many areas of compliance with the STIG SRG findings are automatically addressed through the TrueNAS kernel and middleware, but some are optional settings and features in the TrueNAS UI administration users customize to suit individual use cases and security policies. +This article details customizable settings to accomplish a security-hardened systems for STIG and FIPS compliance. ## Install TrueNAS Existing TrueNAS systems can upgrade to the latest release through the UI. 
@@ -39,7 +39,7 @@ After installing TrueNAS, users must complete the initial configuration of netwo TrueNAS creates the root user and an administration user at installation. Some releases of TrueNAS might only have **root** as the default administration user, while other releases have either the **admin** or **truenas_admin** as the default user. -TrueNAS systems with the **root** user, or either the **admin** or **truenas_admin** user should create a new administration user with full control privileges and assign a complex password that you should change on a frequent basis. +TrueNAS systems with the **root** user, or either the **admin** or **truenas_admin** user should create a new administration user with full control privileges and assign a complex password that follow current guidelines for managing passwords. After testing the login for the new administration user, disable both the **root** user password if not already disabled and the the default **admin** or **truenas_admin** user password to security-harden the system. Only enable the root user password when necessary to perform functions not available to administration user, and when tasks are complete, disable the root user password again. @@ -173,7 +173,7 @@ Consider setting the following alerts for STIG compliance: | | **Audit Service Setup Failed** | Set alert level preference to send notifications when the auditing setup fails to correct the issue promptly and not lose audit logs. | | **Certificates** |
  • **Certificate is Expiring Soon**
  • **Certificate is Expiring**
  • **Certificate has Expired**
  • | Set alert level preferences to send notifications when a certificate is about to or has expired to either renew or replace the certificate before functions relying on certificates are impacted, and to keep those functions protected. | | | **Certificate Revoked** | Set alert preferences to send notifications when a certificate is revoked to promptly address the issue or obtain a new certificate. | -| | **WEeb UI HTTPS Certificate Setup Failed** | Set alert level preferences to send notifications when the web UI HTTPS certificate setup fails to promptly address issues that impact the security of HTTPS access to the TrueNAS web UI. | +| | **Web UI HTTPS Certificate Setup Failed** | Set alert level preferences to send notifications when the web UI HTTPS certificate setup fails to promptly address issues that impact the security of HTTPS access to the TrueNAS web UI. | | **Directory Services** | **Active Directory Domain Validation Failed** | Set the alert level preference to send notifications when Active Directory domain verification fails to promptly investigate and take corrective action. | | **Key Management Interoperability Protocol (KMIP)** | **Failed to Communicate with KMIP Server** | Set alert level preference to send notifications when a communication failure with the KMIP server occurs to promptly diagnose and correct issues. | | |
  • **Failed to Sync SED Global Password with KMIP Server**
  • **Failed to sync SED Keys with KMIP Server**
  • **Failed to Sync ZFS Keys with KMIP Server**
  • | Set the alert level preference to send notifications when the SED global password fails to sync with the KMIP server to promptly diagnose and correct password and/or sync issues.| @@ -260,7 +260,7 @@ This document does not cover the virtual machine envirnoments created by users. STIG compliance for these users-deployed environments is based on the operating system and applications deployed in these VMs. ## Future STIG Compliance -TrueNAS does not comply with STIG for the following findings that are planned for a future release: +TrueNAS does not comply with STIG SGR GPOS for the following findings that are planned for a future release: {{< expand " SRG-OS-00366-GPOS-10153" "v" >}} The opertating system must prevent the installation of patches, service packs, device drivers, or OS components without verification, and that are digitally signed using a certificate recognized and approved by the organization.
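Review bot: In PATCH 1/7, hunk `@@ -59,7 +62,7 @@` (Restrict Access to SSH), the sentence "Do not set the SSH service to start automatically if the system reboots to prevent starting and leaving SSH running when not needed" is ambiguous: it reads as if the reboot is what prevents SSH from starting. Suggest "Do not set the SSH service to start automatically on reboot, so that SSH is not left running when it is not needed."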
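Review bot: In PATCH 1/7, hunk `@@ -68,7 +71,7 @@`, the cross-reference `[Restrict Access to Sudo Commands](#restrict-access-to-ssh)` links back to the SSH section the reader is already in rather than to the sudo section; the link text and the anchor disagree. Suggest `#restrict-access-to-sudo-commands`, which is the anchor Hugo derives from the heading added in the same patch.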
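Review bot: In PATCH 1/7, hunk `@@ -78,7 +81,7 @@` (Restrict Access to Shell), the two opening sentences contradict each other: "Configure access to the shell for only the main administration user with full control" is followed by "For better control leave access to the shell to only the root user", while the rest of the page tells the reader to keep the root password disabled except when needed. Suggest stating one intended account (the full-control administration user) and folding the root sentence into the existing "Enable the root user password only when required" guidance.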
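Review bot: In PATCH 1/7, hunk `@@ -86,28 +89,28 @@`, the TLS paragraph describes TLSv1.0 and TLSv1.1 as "less secure" but then walks the reader through enabling them; for a STIG-compliance article the paragraph should say plainly that the TLSv1.2/TLSv1.3 default should be kept and the older protocols left deselected, with the dropdown steps framed as verifying that selection. Wording in the same hunk: "Advanced Setings" should be "Advanced Settings"; "Clearing the **Show Text Console without Password Prompt** sets TrueNAS" needs a noun after the bold option name ("option" or "checkbox"); "TrueNAS is configured to use the TLSv1.2 and TLSv1.3 to provide cryptographic protocol for securing" reads better as "TrueNAS uses TLSv1.2 and TLSv1.3 by default to secure"; "TrueNAS allow configuring a banner" should be "allows".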
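Review bot: In PATCH 1/7, hunk `@@ -117,28 +120,27 @@`, the new `+### Monitor System Activity` heading lands directly on the line after "See [Managing Global Two-Factor Authentication]... for more information" because the removed blank line is not re-added; keep a blank line before the heading and end that sentence with a period. Also in this hunk: "limit the how long TrueNAS remains logged in" should be "limit how long"; "second level of security to log in access" should be "login access"; and "a dialog showing system activity for a few days of system activity" repeats itself, so "a dialog showing the last few days of system activity" is enough.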
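Review bot: In PATCH 1/7, hunk `@@ -146,7 +148,7 @@` (System Logging), the paragraph stops at "Enter the IP address or host name for the remote system logging server", which leaves forwarding audit-relevant logs over plain syslog as the apparent end state; the next hunk's context already says to "Create a new dedicate[d] certificate authority and certificate to secure the TLS connection", so this paragraph should point to that step so readers do not stop before transport encryption is configured.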
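Review bot: In PATCH 1/7, hunk `@@ -157,7 +159,7 @@`, "Create a new dedicate certificate authority" should be "dedicated", and "when the alert criteria is met" should be "when the alert criteria are met".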
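Review bot: In PATCH 1/7, hunk `@@ -184,31 +186,31 @@`, the NFS link is missing its closing parenthesis: `[NFS shares]({{< relref "/AddingNFSShares.md #adding-nfs-share-networks-and-hosts" >}}.` needs `)` after `>}}` or the markdown link will not render. Also in this hunk: the first sentence under "Disable Unused Network Connections" has no verb ("Unused network connections, whether in network interfaces such as a bridge, VLAN, or link aggregate, interface aliases, or static routes.") and should be merged with the sentence that follows it; "To increase network, consider configuring allowed domains" is missing "security"; "the default ACL protocol applies through advanced dataset setting options" should be "applied"; and "individual uses cases" should be "use cases".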
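Review bot: In PATCH 1/7, hunk `@@ -223,7 +225,7 @@`, "Encrypting at the dataset level allow more granular control over encrypted verses unencrypted datasets" should read "allows ... encrypted versus unencrypted datasets", and "Apps installation wizards" should be "App installation wizards".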
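Review bot: In PATCH 1/7, hunk `@@ -231,24 +233,41 @@`, the first finding ID `{{< expand " SRG-OS-00366-GPOS-10153" "v" >}}` has a leading space inside the quoted title and uses a five-digit/five-digit form, while the other two IDs in the same hunk use six digits then five (`SRG-OS-000477-GPOS-00222`, `SRG-OS-000278-GPOS-00108`); verify the ID against the SRG (it is probably SRG-OS-000366-GPOS-00153) before publishing. The wording of that finding also inverts the requirement: "without verification, and that are digitally signed" reads as preventing installation of signed components, whereas the intent is "without verification that they have been digitally signed using a certificate recognized and approved by the organization". The third finding ("Completion of compliance with this finding stating the operating system must...") is not a sentence and should use the same "The operating system must ..." form as the other two. Typos in the added lines: "opertating", "genrate", "mechanisims", "intergrity", "exapnd" (fixed in PATCH 6/7), "no longer actively useds", "envirnoments", "users-deployed" (should be "user-deployed"), and "an iso" (should be "an ISO"); "Select out-of-date or inactive SSH connections, SSH Keypair, or cloud credential to edit or delete it" mixes singular and plural. The file also still ends with "\ No newline at end of file"; add the trailing newline.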
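Review bot: In PATCH 6/7, hunk `@@ -268,6 +268,6 @@`, the change fixes only the `exapnd` shortcode name while the context lines of the same block still carry "opertating", "genrate", "mechanisims" and "intergrity", and the file still ends without a trailing newline; since this commit already touches the block, fix those in the same hunk rather than leaving them for a later pass.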
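Review bot: In PATCH 7/7, hunk `@@ -17,8 +17,8 @@`, the replacement line keeps the article/number mismatch in "accomplish a security-hardened systems for STIG and FIPS compliance" ("a ... systems"), and it introduces FIPS while the heading in the hunk context ("Customizing TrueNAS Security Options for STIG Compliance") and the rest of the page address STIG only; either add the FIPS-specific settings the sentence promises or keep the sentence to "a security-hardened system for STIG compliance".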
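Review bot: In PATCH 7/7, hunk `@@ -39,7 +39,7 @@`, the added line "assign a complex password that follow current guidelines for managing passwords" needs "follows", and "current guidelines" is vague for a compliance article; name the source the reader is expected to apply (the organization's password policy or the applicable STIG finding). In the context lines, "disable ... the the default **admin** or **truenas_admin** user password" has a doubled "the", and "functions not available to administration user" should be "to the administration user".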
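Review bot: In PATCH 7/7, hunk `@@ -173,7 +173,7 @@`, the KMIP row's description covers only the SED global password ("when the SED global password fails to sync with the KMIP server") even though the alert list in that row also names "Failed to sync SED Keys with KMIP Server" and "Failed to Sync ZFS Keys with KMIP Server"; broaden it to cover key sync failures as well, since a ZFS key that fails to sync to KMIP affects dataset unlock. The same cell ends with "sync issues.|" without the space before the pipe that the other cells use, and "Failed to sync SED Keys" is capitalized differently from its neighbours; if these are verbatim UI alert names, verify them against the UI.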
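Review bot: In PATCH 7/7, hunk `@@ -260,7 +260,7 @@`, the added line "TrueNAS does not comply with STIG SGR GPOS for the following findings" reintroduces the "SGR" transposition that the `@@ -17,8 +17,8 @@` hunk of this same patch corrects to "SRG", and "STIG SRG GPOS" is not a phrase the rest of the page uses; suggest "TrueNAS does not yet comply with the following General Purpose Operating System SRG findings, which are planned for a future release". The context lines "virtual machine envirnoments" and "users-deployed environments" should be "environments" and "user-deployed".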