StorageGuard analyzes the security of Dell EMC Symmetrix, VMAX and PowerMax systems by gathering configuration details from Dell EMC Solutions Enabler (SE) and from Dell EMC Unisphere. It's recommended to scan both SE and Unisphere.
Preparation for Scanning Dell EMC PowerMax and VMAX: Solutions Enabler (SE)
StorageGuard collects configuration data from EMC VMAX and PowerMax storage systems by running read-only SYMCLI commands on a storage management host installed with Solutions Enabler (SYMCLI host).
The following table lists the requirements for scanning Dell EMC VMAX and PowerMax systems:
|1||Provide the network name or IP address of SYMCLI hosts.|
|2||Provide a user account (and password) for each SYMCLI host.
|3||The user account should be granted with permissions to run read-only "list" and "view" SYMCLI commands in general and for each array SID in scope. Also, the user should be able to read configuration files and list directories (folders). Examples of read-only commands used:
|4||For a Unix/Linux host:
|5||For a Windows host:
Creating an SE User Account for Scanning Dell EMC PowerMax and VMAX
The following suggested methods can be used to create a user account with appropriate privileges:
Method #1 (sudo-based, Linux/Unix only):
Edit the sudoers file, add:
username ALL= NOPASSWD: /bin/cat *, /bin/ls *
username ALL= NOPASSWD: /usr/symcli/bin/* list*, /usr/symcli/bin/* show*,/usr/symcli/bin/* get*, /usr/symcli/bin/symcli -def, /usr/symcli/bin/symacl -unique
Method #2 (based on Dell SE User Management):
- Log in to the Solutions Enabler host with root (Linux) or a user with administrative rights (Windows).
- Edit the daemon_users file and add the following line: sguard <all>
- The file is located by default at /var/symapi/config (Linux) or %PROGRAMFILES%\EMC\SYMAPI\config (Windows)
- Create a assign_user.cmd file and add the following line: assign user sguard to role Auditor;
- For each array SID, run the following command: symauth -sid <sid> -file assign_user.cmd commit
- Edit the sudoers file and add the following line: sguard ALL= NOPASSWD: /bin/cat *, /bin/ls *
- The sguard username is provided as an example. Any username can be used.
- If used by your organization, PowerBroker, seSUDO and similar privilege management solutions can be configured instead of native sudo.
- In case eMGMT is used:
- StorageGuard should be provided with the IP of a SYMCLI client host instead of eMGMT SYMAPI Server IP.
- The SYMCLI_connect and SYMCLI_CONNECT_TYPE environment variables should be defined for the sguard user on the client host, as follows -
- Add the following variable to the sguard .profile file:
- Press "Windows Key + Pause", Click Advanced system Settings>Advanced> Environment Variables>User variables for sguard>New
- Variable Name: SYMCLI_CONNECT Value: SYMAPI_SERVER _NAME
- Variable Name: SYMCLI_CONNECT Value: REMOTE
- Note that the SYMAPI_SERVER_NAME should match the name configured in the symapi/config/netcnfg file.
Preparation for Scanning Dell EMC Unisphere for PowerMax/VMAX
StorageGuard collects configuration data from Dell EMC Unisphere for VMAX/PowerMax by opening an HTTP or HTTPS connection to the EMC Unisphere management server and running read-only REST API calls.
The following table lists the requirements for scanning Dell EMC Unisphere for VMAX/PowerMax:
|1||Provide the network name or IP address of the Unisphere host.|
|2||Provide a user account (and password) for the Unisphere application.
|3||The user account should be assigned with an unlimited read-only role, capable of running all GET requests. Examples of read-only REST API calls used:
Creating a User Account for Scanning Dell EMC Unisphere for VMAX/PowerMax
The following suggested method can be used to create a user account with appropriate privileges:
- Navigate to the User Management section under Settings > Users and Groups in Unisphere.
- Create a new user with the Auditor role.