Security Considerations for Configuration Backups

A configuration backup contains information that is normally only accessible to the local administrative root user on Oracle ZFS Storage Appliance or a local administrative user with authorization for creating, restoring, importing or exporting a saved configuration. Because a non-root user with one or more of the aforementioned discrete authorizations can read the backup file's contents, and because the contents might contain sensitive information, carefully plan how to grant these non-root user authorizations.

Also, note that non-root users with the create authorization or the restore authorization have the same full privileges as the root user; this is not true for the configuration export and import authorizations. Therefore, especially exercise caution when granting the create and restore authorizations to non-root users. To limit security concerns when non-root users perform configuration backup or restore operations, use the following guidelines:

  • Configuration Backup: Grant the create authorization (configBackup) to one user, and grant the export authorization (configExport) to another user.

  • Configuration Restore: Grant the import authorization (configImport) to one user, and grant the restore authorization (configRestore) to another user.

For user authorization details, see the Appliance scope in User Authorizations in Oracle ZFS Storage Appliance Administration Guide, Release OS8.8.x.
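The separation-of-duties guideline above (configBackup and configExport on different users, configImport and configRestore on different users, with configBackup and configRestore treated as root-equivalent) can be checked mechanically against a list of user authorizations. The following script is an added example, not part of this guide or of the appliance software; the roster it audits is constructed sample data, and the authorization names are the ones named on this page.

```python
"""Audit non-root appliance user authorizations against the guideline that
configBackup/configExport and configImport/configRestore are granted to
different users, and flag root-equivalent grants for review.

The roster below is constructed sample data, not appliance output."""

from dataclasses import dataclass

# configBackup and configRestore give a non-root user full root privileges,
# so every such grant is reported for review.
ROOT_EQUIVALENT = {"configBackup", "configRestore"}

# Pairs that should be held by two different users.
SEPARATE_PAIRS = [("configBackup", "configExport"),
                  ("configImport", "configRestore")]


@dataclass
class Finding:
    user: str
    severity: str   # "high" (guideline violated) or "info" (review)
    message: str


def audit_authorizations(roster):
    """roster: dict mapping user name -> set of authorization names.
    Returns Finding objects, "high" findings first, then by user name."""
    findings = []
    for user, auths in sorted(roster.items()):
        if user == "root":
            continue  # root holds everything by design; only non-root grants are audited
        for a, b in SEPARATE_PAIRS:
            if a in auths and b in auths:
                findings.append(Finding(
                    user, "high",
                    f"holds both {a} and {b}; grant them to two different users"))
        held_root = sorted(ROOT_EQUIVALENT & auths)
        if held_root:
            findings.append(Finding(
                user, "info",
                "holds root-equivalent authorization(s): " + ", ".join(held_root)))
    findings.sort(key=lambda f: (f.severity != "high", f.user))
    return findings


def is_compliant(roster):
    """True when no user violates the separation guideline."""
    return not any(f.severity == "high" for f in audit_authorizations(roster))


# Constructed sample roster: four role accounts that follow the guideline,
# and two users (alice, bob) that concentrate a backup or restore pair.
SAMPLE_ROSTER = {
    "root": {"configBackup", "configExport", "configImport", "configRestore"},
    "backup-op": {"configBackup"},
    "transfer-op": {"configExport", "configImport"},
    "restore-op": {"configRestore"},
    "alice": {"configBackup", "configExport"},
    "bob": {"configImport", "configRestore"},
}

if __name__ == "__main__":
    for finding in audit_authorizations(SAMPLE_ROSTER):
        print(f"[{finding.severity}] {finding.user}: {finding.message}")
    print("compliant:", is_compliant(SAMPLE_ROSTER))
```

The "info" findings are deliberate: holding configBackup or configRestore alone does not break the guideline, but because either grant is root-equivalent, each one is worth a periodic review regardless of how the pairs are split.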

Any configuration backup that is exported to another system or into a filesystem share must apply security restrictions to the backup file to ensure that unauthorized users cannot read the backup file.

Local user passwords are stored in the backup file in encrypted (hashed) format, not as clear text. However, on the system, access to these password hashes is restricted, as they could be used as input to dictionary attacks. Therefore, administrators must carefully protect configuration backups that are exported, either by restricting file access to the backup, or by applying an additional layer of encryption to the entire backup file, or both.
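One concrete form of the file-access restriction called for above is to verify, after a backup has been exported to another system or a share, that the file is a regular file owned by the exporting account and readable by nobody else, and to tighten the mode when it is not. The script below is an added example rather than code from this guide or the appliance; it works on any POSIX host where the exported file lands, uses a temporary file with constructed contents for its demonstration, and does not cover the separate encryption layer (for example a symmetrically encrypted archive) that the text recommends in addition.

```python
"""Check and tighten the permissions of an exported configuration backup file.

Assumes a POSIX host; the demo creates a throwaway temporary file with
constructed contents instead of touching a real backup."""

import os
import stat
import tempfile

# Any read, write or execute bit for group or others is a finding.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def backup_file_issues(path):
    """Return a list of problems with the file's access controls (empty if OK)."""
    issues = []
    st = os.lstat(path)          # lstat: do not follow symlinks silently
    if stat.S_ISLNK(st.st_mode):
        issues.append("path is a symlink; check the link target instead")
        return issues
    if not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
        return issues
    if st.st_mode & GROUP_OTHER_BITS:
        issues.append("mode %04o grants access to group or others"
                      % stat.S_IMODE(st.st_mode))
    geteuid = getattr(os, "geteuid", None)   # absent on non-POSIX platforms
    if geteuid is not None and st.st_uid != geteuid():
        issues.append(f"owned by uid {st.st_uid}, not the current user")
    return issues


def restrict_backup_file(path):
    """Leave only owner read/write (0600) and return any remaining issues."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return backup_file_issues(path)


def demo():
    """Create a constructed backup file with a permissive mode, report the
    issues, tighten it, and report again. Returns (before, after)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample backup contents, not a real export\n")
        path = f.name
    try:
        os.chmod(path, 0o644)            # deliberately too permissive
        before = backup_file_issues(path)
        after = restrict_backup_file(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no issues")
    print("after: ", after or "no issues")
```

When the exported file lives on a share, the share's own access controls apply on top of the file mode, so the check is worth running from the perspective of the host that holds the copy, not only from the appliance.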

Directory user passwords are not stored in the appliance, and therefore are not stored in the configuration backup. If you have deployed a directory service such as LDAP or AD for administrative user access, there are no copies of directory service password hashes for directory users stored in the configuration backup. Only the user name, user ID, preferences, and authorization settings for directory users are stored in the backup and then restored.

After a configuration restore operation is performed by a local administrative root user or a local administrative user with the configuration restore authorization, that user's password is not reset to the password that was in effect at the time of the backup, even if the two differ. The restore process leaves the password unmodified so that the retained password is the one belonging to the user who executed the restore operation (and who, therefore, logged in with that password). If the user also intended to change the password as part of the configuration restore, that step must be performed manually after the restore operation, using the normal password change procedure.