Hardened repository

[lowlander]

Hi,

we have a large NAS environment. Is it supported to present a NFS or SMB share to a physiscal Linux server and configure the presented storage in a hardened repository / use the immutability functionality ?

[Mildur]

Hi Lowlander

Mounted NFS or SMB shares on a linux server cannot be used as a immutable filesystem.
We have it documented in our helpcenter.

NFS does not accept immutability commands from Linux. Due to this, mind the following:
- You cannot use an NFS Share as a repository with the immutability.
- You cannot use an NFS volume mounted on a Linux server as a hardened repository with immutability (needs to be Local or DAS). You can use an NFS volume mounted on a Linux server as a hardened repository without immutability.

If you can can connect the NAS per ISCSI protocol to the Linux server, then immutability is possible. If you choose to use iSCSI LUN's, you must harden the security of the NAS. Best to disable access to all Admin interfaces as good as possible. If an attacker has admin access to the NAS, he can delete the iSCSI LUNs. The NAS doesn't know about the immutability inside the filesystem and will delete the LUNs.

Thanks
Fabian

[lowlander]

Hi Fabian,

read the manual

In the context of hardening it should be indeed the best to use local storage and not be dependend on external storage that could be possible impacted by vulnerabilities.

thanks for explaining.