StorageGuard analyzes the security of Dell EMC Symmetrix, VMAX and PowerMax systems by gathering configuration details from Dell EMC Solutions Enabler (SE) and from Dell EMC Unisphere. It's recommended to scan both SE and Unisphere.
Preparation for Scanning Dell EMC PowerMax and VMAX: Solutions Enabler (SE)
StorageGuard collects configuration data from EMC VMAX and PowerMax storage systems by running read-only SYMCLI commands on a storage management host that has Solutions Enabler installed (SYMCLI host).
The following table lists the requirements for scanning Dell EMC VMAX and PowerMax systems:
# | Description |
1 | Provide the network name or IP address of SYMCLI hosts. |
2 | Provide a user account (and password) for each SYMCLI host. |
3 | The user account should be granted permissions to run read-only "list" and "view" SYMCLI commands in general and for each array SID in scope. The user should also be able to read configuration files and list directories (folders). Examples of read-only commands used:
|
4 | For a Unix/Linux host:
|
5 | For a Windows host:
|
Creating an SE User Account for Scanning Dell EMC PowerMax and VMAX
The following suggested methods can be used to create a user account with appropriate privileges:
Method #1 (sudo-based, Linux/Unix only):
Edit the sudoers file and add the following lines:
username ALL= NOPASSWD: /bin/cat *, /bin/ls *
username ALL= NOPASSWD: /usr/symcli/bin/* list*, /usr/symcli/bin/* show*, /usr/symcli/bin/* get*, /usr/symcli/bin/symcli -def, /usr/symcli/bin/symacl -unique
Method #2 (based on Dell SE User Management):
- Log in to the Solutions Enabler host as root (Linux) or as a user with administrative rights (Windows).
- Edit the daemon_users file and add the following line: sguard <all>
- The file is located by default at /var/symapi/config (Linux) or %PROGRAMFILES%\EMC\SYMAPI\config (Windows)
- Create an assign_user.cmd file and add the following line: assign user sguard to role Auditor;
- For each array SID, run the following command: symauth -sid <sid> -file assign_user.cmd commit
- Edit the sudoers file and add the following line: sguard ALL= NOPASSWD: /bin/cat *, /bin/ls *
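The Method #2 steps above as a reviewable dry run for a Linux SE host; this is an added example, not StorageGuard or Dell code. The function name, the staging directory layout and the digits-only SID check are assumptions; the script writes the files and the symauth commands into a staging directory for an administrator to review and apply.

```shell
#!/bin/sh
# Added example: stage the Method #2 artifacts for review; nothing live is edited.
# Assumptions (not from the page): the staging layout, the function name, and
# treating an array SID as digits only.
SCAN_USER="${SCAN_USER:-sguard}"   # the page's example name; any name can be used

stage_method2() {
    # usage: stage_method2 <staging_dir> <copy_of_daemon_users> <sid>...
    out=$1; current=$2; shift 2
    [ $# -gt 0 ] || { echo "no array SIDs given" >&2; return 2; }

    # Validate every SID before writing anything, so a typo cannot end up
    # inside a generated command line.
    for sid in "$@"; do
        case $sid in
            ''|*[!0-9]*) echo "rejecting SID '$sid': digits only" >&2; return 3 ;;
        esac
    done
    mkdir -p "$out" || return 1

    # daemon_users: start from the current file, append the entry only if absent.
    cat "$current" > "$out/daemon_users" 2>/dev/null || : > "$out/daemon_users"
    grep -qxF "$SCAN_USER <all>" "$out/daemon_users" ||
        printf '%s <all>\n' "$SCAN_USER" >> "$out/daemon_users"

    # symauth command file that assigns the Auditor role to the scan user.
    printf 'assign user %s to role Auditor;\n' "$SCAN_USER" > "$out/assign_user.cmd"

    # One symauth commit per array SID, written out rather than executed.
    : > "$out/symauth_commands.txt"
    for sid in "$@"; do
        printf 'symauth -sid %s -file assign_user.cmd commit\n' "$sid" \
            >> "$out/symauth_commands.txt"
    done

    # sudoers line from the last step; syntax-check it when visudo is present.
    printf '%s ALL= NOPASSWD: /bin/cat *, /bin/ls *\n' "$SCAN_USER" \
        > "$out/sudoers.fragment"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$out/sudoers.fragment" >/dev/null || return 4
    fi
}
```
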
FAQ
- The sguard username is provided as an example. Any username can be used.
- If used by your organization, PowerBroker, seSUDO and similar privilege management solutions can be configured instead of native sudo.
- If eMGMT is used:
  - StorageGuard should be provided with the IP of a SYMCLI client host instead of the eMGMT SYMAPI Server IP.
  - The SYMCLI_CONNECT and SYMCLI_CONNECT_TYPE environment variables should be defined for the sguard user on the client host, as follows:
    - Linux:
      - Add the following variables to the sguard .profile file:
        - SYMCLI_CONNECT=SYMAPI_SERVER_NAME
        - SYMCLI_CONNECT_TYPE=REMOTE
    - Windows:
      - Press "Windows Key + Pause", then click Advanced system settings > Advanced > Environment Variables > User variables for sguard > New
      - Variable Name: SYMCLI_CONNECT Value: SYMAPI_SERVER_NAME
      - Variable Name: SYMCLI_CONNECT_TYPE Value: REMOTE
  - Note that the SYMAPI_SERVER_NAME should match the name configured in the symapi/config/netcnfg file.
Preparation for Scanning Dell EMC Unisphere for PowerMax/VMAX
StorageGuard collects configuration data from Dell EMC Unisphere for VMAX/PowerMax by opening an HTTP or HTTPS connection to the EMC Unisphere management server and running read-only REST API calls.
The following table lists the requirements for scanning Dell EMC Unisphere for VMAX/PowerMax:
# | Description |
1 | Provide the network name or IP address of the Unisphere host. |
2 | Provide a user account (and password) for the Unisphere application. |
3 | The user account should be assigned an unlimited read-only role, capable of running all GET requests. Examples of read-only REST API calls used:
|
Creating a User Account for Scanning Dell EMC Unisphere for VMAX/PowerMax
The following suggested method can be used to create a user account with appropriate privileges:
- Navigate to the User Management section under Settings > Users and Groups in Unisphere.
- Create a new user with the Auditor role.