Dell EMC iDRAC Service Module 3.6 Security Configuration Guide May 2021 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 Overview

As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features. Contact your Dell EMC technical support professional if a product does not function properly or does not function as described in this document.

Reporting security vulnerabilities

Dell EMC takes reports of potential security vulnerabilities in our products very seriously. If you discover a security vulnerability, you are encouraged to report it to Dell EMC immediately. For the latest on how to report a security issue to Dell EMC, see Dell Vulnerability Response Policy on the Dell.com site.
2 Security quick reference

Deployment models

iSM software can be deployed on all the supported operating systems referred to in the corresponding iSM version user's guide. The installer can be invoked only by a local or domain system administrator. There are two widely used ways to deploy iSM software on the host operating system.
● Using the iSM installer: download the software from the Dell EMC support site and run the installer on the host as an administrator.

3 Product and subsystem security

Security controls map

iDRAC Service Module (iSM) uses Intelligent Platform Management Interface (IPMI) over Keyboard Controller Style (KCS) to interact with iDRAC and to configure the Baseboard Management Controller (BMC) watchdog timer. The following figure describes the transport and communication mode of iSM with iDRAC.

Figure 1. Transport and communication mode of iSM with iDRAC
Table 1. User interfaces and the required privileges

Interface                     Local or remote   CLI or UI   Privilege       Subsystem
dcismcfg                      Local             CLI         Administrator   Operating system
dcism-sync                    Local             CLI         Administrator   Operating system
EnableiDRACAccessHostRoute    Local             CLI         Administrator   Operating system
Enable-iDRACSNMPTrap.

Login security settings

iDRAC Service Module (iSM) does not track or perform user authentication. However, all command line interfaces require either administrator- or root-user-level roles. Any failure to comply with this is audited in operating system logs, or a console message is displayed.

Login banner configuration

iSM does not support any option to perform banner configuration.
Certificate and key-based authentication

The iDRAC Service Module (iSM) generates TLS self-signed certificates. iSM does not support custom certificate configurations. iDRAC and iSM authenticate each other using certificates over a trusted channel such as Intelligent Platform Management Interface (IPMI) over Keyboard Controller Style (KCS). The minimum TLS version that is required for a successful handshake is TLS 1.2.

Pre-loaded accounts

Not applicable.

Default credentials

Not applicable.

Disabling accounts

● The ismtech utility installed by iSM can be used to create an iDRAC user for support purposes. From the host operating system, the ismtech utility can be used to delete the user so created. As a security measure, the iSM service deletes the ismtech user account automatically after 24 hours.

Authentication to external systems

Apart from communication with iDRAC, iSM tries to communicate with Dell EMC SupportAssist servers to upload the support logs from the node, fetch the system warranty, or open a case against a potential issue. The SupportAssist server certificate is authenticated before the data is transferred.

Configuring remote connections

A successful connection to Dell EMC support servers needs an active internet connection with outbound port number 443.

External authorization associations

Not applicable.

Entitlement export

iSM does not support any separate or distinguished way of generating an entitlement report.

Actions not requiring authorization

Not applicable.

RBAC privileges

iSM does not support any explicit way to configure or modify the roles applied to a user. However, iSM runs as a root service on Linux and as a local service on Microsoft Windows operating systems.
Table 2. Network ports in use by iSM

Port Number   Protocol   Direction   Subsystem
161           UDP        Inbound     iDRAC
162           UDP        Outbound    Trap destination
1266          TCP        Inbound     Remote management station
5986          HTTPS      Inbound     WSMan

Communication security settings

Not applicable.

Firewall settings

Depending on the feature configuration, the iSM service adds the necessary firewall rules for the following ports to establish successful communication with the peer entity.

Table 3.

Data integrity

iSM log collection artifacts such as SPD logs are checked for integrity before they are used for any task.

Other data security features

Not applicable.

Cryptography

iSM supports TLS 1.2 and generates self-signed certificates to communicate with iDRAC. The following sections indicate the set of algorithms supported by iSM and iDRAC during the TLS handshake.

Cryptographic configuration options

There are no interface options in iSM to configure cryptographic algorithms.
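The port table above gives a defender a concrete baseline to audit a host against: the inbound ports an iSM host is expected to expose (161/UDP, 1266/TCP, 5986/TCP), with 162/UDP being outbound only. The following is an added example, not code from the guide or from Dell EMC, that parses `ss -tuln`-style listener output and reports expected listeners that are missing and listeners that are neither in Table 2 nor in an administrator's allow-list. The sample output and the allow-list (port 22) are constructed for the example.

```python
"""Audit host listeners against the iSM port table (added example, not Dell EMC code)."""
from typing import Dict, Iterable, List, Set, Tuple

# Inbound ports from Table 2 that an iSM host is expected to expose.
# 162/UDP is outbound (trap destination), so it is not a listener on the host.
EXPECTED_INBOUND: Dict[Tuple[str, int], str] = {
    ("udp", 161): "iDRAC (SNMP)",
    ("tcp", 1266): "Remote management station",
    ("tcp", 5986): "WSMan over HTTPS",
}

# Listeners the administrator has explicitly approved (hypothetical baseline).
ALLOWED_OTHER: Set[Tuple[str, int]] = {("tcp", 22)}

# Constructed sample in the layout of `ss -tuln`; 5986 is absent and 8080 is extra.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1266      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
"""


def parse_ss(lines: Iterable[str]) -> Set[Tuple[str, int]]:
    """Extract (protocol, port) pairs from ss -tuln style rows; skip the header."""
    found: Set[Tuple[str, int]] = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        local = fields[4]  # e.g. 0.0.0.0:161 or [::]:22
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        found.add((fields[0], port))
    return found


def audit(listeners: Set[Tuple[str, int]]) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Return (missing expected listeners, unexpected listeners)."""
    expected = set(EXPECTED_INBOUND)
    missing = sorted(expected - listeners)
    unexpected = sorted(listeners - expected - ALLOWED_OTHER)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(parse_ss(SAMPLE_SS_OUTPUT.splitlines()))
    for proto, port in missing:
        print(f"MISSING   {proto}/{port}  ({EXPECTED_INBOUND[(proto, port)]})")
    for proto, port in unexpected:
        print(f"UNEXPECTED {proto}/{port}  not in Table 2 or the allow-list")
```

On a live host, feed the output of `ss -tuln` (or `netstat -an` on Windows, after adapting the parser) into `parse_ss`; a missing 5986 usually means the WSMan feature is disabled, while an unexpected listener is worth correlating with the firewall rules iSM added.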
Table 6. TLS ciphers supported by iDRAC firmware version 4.40.10 and later iDRAC 4.40.
SEC0704: The authentication check operation that is done by iSM has failed for the following module or application because either the binary load path is incorrect or the binary configuration file is tampered with, replaced, or untrusted.

Log management

iSM supports specific warning logging for SupportAssist functionality. The logs can be enabled at run time using the following utility. The logs rotate after 1 MB of logs is filled.

Physical security options

Not applicable.

Customer service access

iSM does not use any service-specific accounts. The logged-in operating system administrator account is used for the invoked operations.

Tamper evidence and resistance

The binaries installed by iSM are signed, and the signature is verified by the iSM process at run time before loading. Any failure to verify the signature of the library prompts an audit log entry with critical severity.

4 Miscellaneous configuration and management elements

Licensing

Not applicable.

Customer modification and customization

Customers or administrators can modify or update the iDRAC Service Module configuration to the most current version available.

Protect authenticity and integrity

The binaries installed by iSM are signed, and the signature is verified by the iSM process at run time and before loading. The public certificate is packaged and installed by iSM on the file system.
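Because a failed binary signature check is logged with critical severity under message ID SEC0704, an operations team can alert on it. The following is an added example, not code from the guide or from Dell EMC, of detection logic that scans log lines for SEC0704 and extracts the host and the module named in the message. The syslog-like line layout, the process name "ism-process" and the module path are constructed for the example; iSM's real log format is not described on this page.

```python
"""Detect SEC0704 integrity-check failures in log lines (added example, not Dell EMC code)."""
import re
from typing import Dict, Iterable, List

# Message ID from the guide: signature/load-path check on an iSM binary failed.
INTEGRITY_FAILURE_ID = "SEC0704"

# Constructed sample in an assumed layout:
#   "<timestamp> <host> <process>: <MSGID> <text> : <module>"
SAMPLE_LOG = """\
May 10 09:12:01 host01 ism-process: INF0001 iSM service started
May 10 09:12:03 host01 ism-process: SEC0704 The authentication check operation that is done by iSM has failed for the following module or application because either the binary load path is incorrect or the binary configuration file is tampered with, replaced, or untrusted : /path/to/ism/module.so
May 10 09:12:05 host01 sshd[2201]: Accepted publickey for admin from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s+"   # syslog-style timestamp
    r"(?P<host>\S+)\s+"                        # host name
    r"(?P<proc>[^:]+):\s+"                     # process, up to the first colon
    r"(?P<msgid>[A-Z]{3}\d{4})\s+"             # message ID such as SEC0704
    r"(?P<text>.*)$"
)


def find_integrity_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per SEC0704 line: timestamp, host, affected module, severity."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("msgid") != INTEGRITY_FAILURE_ID:
            continue
        text = m.group("text")
        # The module is the last colon-separated field; "unknown" if none is present.
        module = text.rsplit(":", 1)[1].strip() if ":" in text else "unknown"
        hits.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "module": module,
            "severity": "critical",  # severity the guide assigns to a failed signature check
        })
    return hits


def hosts_with_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Count SEC0704 events per host, for a quick fleet-wide view."""
    counts: Dict[str, int] = {}
    for hit in find_integrity_failures(lines):
        counts[hit["host"]] = counts.get(hit["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_integrity_failures(SAMPLE_LOG.splitlines()):
        print(f"{hit['severity'].upper()} {hit['timestamp']} {hit['host']}: "
              f"iSM refused to load {hit['module']}")
```

Because iSM rotates its logs at 1 MB, this check should run on a schedule short enough that a SEC0704 entry is not rotated away before it is collected; forwarding the host's audit log to a central collector avoids the problem entirely.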
5 Internal security information

Embedded component usage

The open-source packages used by iSM are as follows:

Table 8. Open-source packages installed by iSM

Product or module             Component name   Component version
Operating system collector    7zip 64 bit      16.02
Operating system collector    Python           3.9.0
Operating system collector    Libxml2          2.9.10
Operating system collector    Libxslt          1.1.34
Operating system collector    Getopt           1.23
Operating system collector    Libffi           3.0.

6 Resources and support

For more information on iSM 3.6.0, see the documentation at www.dell.com/ismmanuals.com. Additional support documents are:
● Dell EMC iDRAC Service Module 3.6 Release Notes
● Dell EMC iDRAC Service Module DUP supported platforms
● Dell EMC iDRAC Service Module 3.6 User's Guide

Latest released documents

To access the latest version of iSM documents:
1. Go to www.dell.com/idracmanuals.
2.
7 Contacting Dell EMC

Dell EMC provides several online and telephone-based support and service options. Availability varies by country and product, and some services may not be available in your area. To contact Dell EMC for sales, technical support, or customer service issues, see www.dell.com/contact. If you do not have an active Internet connection, you can find contact information on your purchase invoice, packing slip, bill, or the product catalog.