Security dashboard policies
Policy is a group of parameters and its expected values. Storage system is mapped to at most one security policy based on its family type.
After receiving the probe data through Data Collector or Advance Call Home, the retrieved configurations (parameters) that align with the system’s security policy are considered as supported. The supported parameters are evaluated against policy's recommended values to generate system's security posture.
The following are the applicable security policies:
IBM DS8000
IBM DS8000 supports four parameters,
Remote support status, Key group
state, Syslog server state, and IO port security.
Following is the parameter table for IBM DS8000:
| Category name | Command | Name | Parameter display name | Value range | Recommended value |
|---|---|---|---|---|---|
| Administrative access | lsaccess | aos | Assist on-site status | none, enabled, disabled | configured but disabled |
| Administrative access | lsaccess | remote_support_status* | Remote support status | none, enabled, disabled | configured but disabled |
| Administrative access | lsaccess | rsc | Remote support center status | none, enabled, disabled | configured but disabled |
| Encryption | lskeygrp | state | Key group state | accessible, inaccessible, unconfigured, rekeying | accessible |
| Audit logging | lssyslogserver | state | Syslog server state | none, active, inactive | active |
| Network configuration | showioport | security | IO port security | enabled, disabled, enforced | enabled |
*remote_support_status is a combination of aos and
rsc.
For more information about IBM DS8000, see IBM DS8000 documentation.
IBM FlashSystem family
Following is the parameter table for IBM FlashSystem Family:
| Category name | Command | Name | Parameter display name | Value range | Recommended value |
|---|---|---|---|---|---|
| Authentication and data access control | lsauthmultifactorverify | failmode | MFA server unavailability mode | secure, insecure | secure |
| Authentication and data access control | lssecurity | cli_timeout_mins | SSH session timeout | 5 to 240 | 15 |
| Authentication and data access control | lssecurity | expiry_warning_days | Password expiry warning | 0 to 30 | 14 |
| Authentication and data access control | lssecurity | gui_timeout_mins | Browser session timeout | 5 to 240 | 30 |
| Authentication and data access control | lssecurity | min_password_length | Minimum password length | 6 to 64 | 8 |
| Encryption | lssecurity | sshprotocol | SSH protocol security level | 1 to 4 | 3 |
| Administrative access | lssystem | enhanced_callhome | Enhanced call home data collection | on, off | on |
| Data protection | lssystem | safeguarded_copy_suspended | Safeguarded copy suspension status | yes, no | no |
| Data protection | lssystem | snapshot_policy_suspended | Snapshot policy suspension status | yes, no | no |
| Audit logging | lssystem | statistics_status | Statistics status | on, off | on |
| Data protection | lssystem | vdisk_protection_enabled | Volume protection setting | yes, no | yes |
For more information about IBM FlashSystem family, see IBM FlashSystem family documentation.
IBM FlashSystem V840
Following is the parameter table for IBM FlashSystem V840:
| Category name | Command | Name | Parameter display name | Value range | Recommended value |
|---|---|---|---|---|---|
| Authentication and data access control | lsauthmultifactorverify | failmode | MFA server unavailability mode | secure, insecure | secure |
| Authentication and data access control | lssecurity | cli_timeout_mins | SSH session timeout | 5 to 240 | 15 |
| Authentication and data access control | lssecurity | expiry_warning_days | Password expiry warning | 0 to 30 | 14 |
| Authentication and data access control | lssecurity | gui_timeout_mins | Browser session timeout | 5 to 240 | 30 |
| Authentication and data access control | lssecurity | min_password_length | Minimum password length | 6 to 64 | 8 |
| Encryption | lssecurity | sshprotocol | SSH protocol security level | 1 to 4 | 3 |
| Administrative access | lssystem | enhanced_callhome | Enhanced call home data collection | on, off | on |
| Data protection | lssystem | safeguarded_copy_suspended | Safeguarded copy suspension status | yes, no | no |
| Data protection | lssystem | snapshot_policy_suspended | Snapshot policy suspension status | yes, no | no |
| Audit logging | lssystem | statistics_status | Statistics status | on, off | on |
| Data protection | lssystem | vdisk_protection_enabled | Volume protection setting | yes, no | yes |
IBM SAN Volume Controller
Following is the parameter table for IBM SAN Volume Controller:
| Category name | Command | Name | Parameter display name | Value range | Recommended value |
|---|---|---|---|---|---|
| Authentication and data access control | lsauthmultifactorverify | failmode | MFA server unavailability mode | secure, insecure | secure |
| Authentication and data access control | lssecurity | cli_timeout_mins | SSH session timeout | 5 to 240 | 15 |
| Authentication and data access control | lssecurity | expiry_warning_days | Password expiry warning | 0 to 30 | 14 |
| Authentication and data access control | lssecurity | gui_timeout_mins | Browser session timeout | 5 to 240 | 30 |
| Authentication and data access control | lssecurity | min_password_length | Minimum password length | 6 to 64 | 8 |
| Encryption | lssecurity | sshprotocol | SSH protocol security level | 1 to 4 | 3 |
| Administrative access | lssystem | enhanced_callhome | Enhanced call home data collection | on, off | on |
| Data protection | lssystem | safeguarded_copy_suspended | Safeguarded copy suspension status | yes, no | no |
| Data protection | lssystem | snapshot_policy_suspended | Snapshot policy suspension status | yes, no | no |
| Audit logging | lssystem | statistics_status | Statistics status | on, off | on |
| Data protection | lssystem | vdisk_protection_enabled | Volume protection setting | yes, no | yes |
For more information about IBM SAN Volume Controller, see IBM SAN Volume Controller documentation.
IBM Storwize
Following is the parameter table for IBM Storwize:
| Category name | Command | Name | Parameter display name | Value range | Recommended value |
|---|---|---|---|---|---|
| Authentication and data access control | lsauthmultifactorverify | failmode | MFA server unavailability mode | secure, insecure | secure |
| Authentication and data access control | lssecurity | cli_timeout_mins | SSH session timeout | 5 to 240 | 15 |
| Authentication and data access control | lssecurity | expiry_warning_days | Password expiry warning | 0 to 30 | 14 |
| Authentication and data access control | lssecurity | gui_timeout_mins | Browser session timeout | 5 to 240 | 30 |
| Authentication and data access control | lssecurity | min_password_length | Minimum password length | 6 to 64 | 8 |
| Encryption | lssecurity | sshprotocol | SSH protocol security level | 1 to 4 | 3 |
| Administrative access | lssystem | enhanced_callhome | Enhanced call home data collection | on, off | on |
| Data protection | lssystem | safeguarded_copy_suspended | Safeguarded copy suspension status | yes, no | no |
| Data protection | lssystem | snapshot_policy_suspended | Snapshot policy suspension status | yes, no | no |
| Audit logging | lssystem | statistics_status | Statistics status | on, off | on |
| Data protection | lssystem | vdisk_protection_enabled | Volume protection setting | yes, no | yes |
For more information about IBM Storwize, see IBM Storwize documentation.
Note: When the device is connected through Advanced Call Home (ACH), and the
censor_callhome parameter is set to on, the
lssecurity command's parameters will not be available for evaluation. The
lssecurity command's parameters include cli_timeout_mins,
expiry_warning_days, gui_timeout_mins,
min_password_length, and sshprotocol.