Dell EMC OpenManage Ansible Modules 4.0.0 Security Configuration Guide August 2021 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2018 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents

Chapter 1: Preface
  Scope of the document
  Document references
1 Preface

Dell EMC OpenManage Ansible Modules (OMAM) allows data center and IT administrators to use Red Hat Ansible to automate and orchestrate the configuration, deployment, and update of Dell EMC PowerEdge Servers and modular infrastructure by leveraging the management automation capabilities built into the Integrated Dell Remote Access Controller (iDRAC), OpenManage Enterprise, and OpenManage Enterprise Modular.
2 Security Quick Reference

Topics:
• Deployment Model
• Security Profiles

Deployment Model

OpenManage Ansible Modules follows a monthly release cycle. Minor versions are released in the last week of each month and are posted to GitHub as well as to Ansible Galaxy (as collections).
3 Product and Subsystem Security

Topics:
• Security controls map
• Authentication
• Authentication with external systems
• Data security
• Serviceability
• Network security
• Auditing and logging

Security controls map

OpenManage Ansible Modules use Ansible Playbooks to run commands for interacting with iDRAC and OpenManage Enterprise. The system credentials are not stored by default.
● Session logout is performed by issuing a DELETE request, with the X-Auth-Token header included, on the Session resource provided by the Login operation.

iDRAC authentication

The Integrated Dell Remote Access Controller (iDRAC) is designed to make you more productive as a system administrator and to improve the overall availability of Dell EMC servers. iDRAC alerts you to system issues, lets you remotely manage your systems, and reduces the need for physical access to the system.
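The session logout step in the bullet above, paired with the login that precedes it, as an added Python example; it is not code from the guide or from OMAM. The `/redfish/v1/SessionService/Sessions` path, the `UserName`/`Password` body, the `MockController` server, the token and the credentials are assumptions constructed so the exchange runs offline, and plain HTTP is used only because the peer is that local mock.

```python
import json, threading
from contextlib import contextmanager
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

SESSIONS = "/redfish/v1/SessionService/Sessions"  # assumed path, not from the guide
ACTIVE = {}  # mock server state: session URI -> token

class MockController(BaseHTTPRequestHandler):  # constructed stand-in, runs offline
    def do_POST(self):  # Login: create a Session resource, return token and URI
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        uri = f"{SESSIONS}/{len(ACTIVE) + 1}"
        ACTIVE[uri] = "constructed-token"
        self.send_response(201)
        self.send_header("X-Auth-Token", ACTIVE[uri])
        self.send_header("Location", uri)
        self.end_headers()
    def do_DELETE(self):  # Logout: the token must match the session being deleted
        ok = ACTIVE.get(self.path) == self.headers.get("X-Auth-Token", "")
        if ok:
            del ACTIVE[self.path]
        self.send_response(204 if ok else 401)
        self.end_headers()

@contextmanager
def session(base, user, password):
    """Log in, yield (token, session URI), and always log out on exit."""
    body = json.dumps({"UserName": user, "Password": password}).encode()
    req = Request(base + SESSIONS, body, {"Content-Type": "application/json"})
    with urlopen(req) as resp:
        token, uri = resp.headers["X-Auth-Token"], resp.headers["Location"]
    try:
        yield token, uri
    finally:  # runs even when the caller's work raises, so no session is orphaned
        out = Request(base + uri, method="DELETE", headers={"X-Auth-Token": token})
        urlopen(out).close()

def demo():
    """One login/logout cycle on the mock: (sessions during work, sessions after)."""
    srv = HTTPServer(("127.0.0.1", 0), MockController)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"  # real controllers: verified HTTPS
    try:
        with session(base, "admin", "constructed-password"):
            during = len(ACTIVE)
            raise RuntimeError("simulated task failure")
    except RuntimeError:
        return during, len(ACTIVE)
    finally:
        srv.shutdown()
```

Calling `demo()` shows that the session is deleted even though the work inside the `with` block fails, which is the property that keeps stale sessions from accumulating on the controller.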
Auditing and logging

OMAM does not have its own logging mechanism; it depends on the default Ansible logging capability. By default, Ansible sends output about plays, tasks, and module arguments to your screen (STDOUT) on the control node. See Logging Ansible Output for more details. Encryption with Ansible Vault only protects data at rest. Once the content is decrypted (data in use), play and plugin authors are responsible for avoiding any secret disclosure. For details on hiding output, see no_log.
4 Miscellaneous configuration and management

Topics:
• OpenManage Ansible modules licensing
• Protect authenticity and integrity
• Signature file verification
• Ansible module security

OpenManage Ansible modules licensing

OMAM is open source and licensed under the GNU General Public License v3.0+. For more details, see COPYING.md. iDRAC and OpenManage Enterprise may require their own licenses for some functions in OMAM to work. Refer to the User Guide for more details.
Ansible module security

For security guidelines for Ansible modules, see Module Best Practices. Any developer who wants to contribute to OMAM should adhere to these guidelines, along with the unit test (UT) and sanity requirements. Certain settings in Ansible are adjustable through a configuration file (ansible.cfg). The stock configuration should be sufficient for most users, but there may be reasons you would want to change them. Paths where the configuration file is searched are listed in the reference documentation.