Support security baselining
As a PI administrator, I need to baseline the security configuration of my PI System to ensure OSIsoft security best practices are followed.
Below is a list of requested features.
Baseline verification (read-only) for PI Data Archive:
- PI Data Archive Table Security - examines the database security of the PI Data Archive and flags any ACLs that contain access for PIWorld as weak.
- PIADMIN role - verifies that the piadmin PI user is not used in any mappings or trusts.
- PI Data Archive Version - verifies that the PI Data Archive is using the most recent release.
- Tuning parameters (Expensive Query Protection, archive data modification protection - EditDays) - verifies that the PI Data Archive has protection against expensive queries and that the EditDays parameter is set.
- Auto Trust Configuration - verifies that the autotrustconfig tuning parameter is set to automatically create either no trusts or a trust for the loopback address (127.0.0.1).
- Explicit Login Disabled - verifies that explicit login is disabled as an authentication protocol.
- PI Server Service Principal Name (SPN) configuration - verifies that the PIServer SPN exists and is assigned to the correct AD principal.
- PI Collective - verifies that the PI Data Archive is a member of a High Availability Collective.
- PI Firewall Used - verifies that PI Firewall is used.
- PI Backup Configured - ensures that PI Backups are configured and current.
Baseline configuration for PI Data Archive (via PowerShell DSC configuration):
- Disable PIWorld PI identity
- Restrict use of the piadmin superuser
- Specify EditDays and Expensive query protection tuning parameters
- Auto Trust configuration
- Disable Explicit Login authentication
- Enable PI Firewall
- Create custom identities, map them to selected AD groups, and configure PI Database security appropriately.
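A sketch of what three of the read-only verification checks above (table security, piadmin usage, tuning parameters) could look like, as an added example that is not OSIsoft's code or part of the original request. It runs offline against a constructed snapshot; the snapshot layout, the `Test-PIBaseline` and `New-Finding` names, the ACL string form, and the reading of the EditDays and AutoTrustConfig values are assumptions.

```powershell
# Constructed sample snapshot (not real server output). The ACL string form
# "identity: A(r,w) | identity: A(r)" and every value here are assumptions.
$snapshot = @{
    DatabaseSecurity = @{
        PIPOINT = 'piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r)'
        PIUSER  = 'piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A()'
    }
    Mappings = @(
        @{ Name = 'CONTOSO\PI Admins';  Identity = 'piadmins' }
        @{ Name = 'CONTOSO\svc-legacy'; Identity = 'piadmin' }
    )
    Trusts = @( @{ Name = 'interface-node'; Identity = 'PIInterfaces' } )
    Tuning = @{ EditDays = 0; AutoTrustConfig = 1 }
}

function New-Finding($Check, $Item, $Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

function Test-PIBaseline {
    param([Parameter(Mandatory)][hashtable]$Snapshot)

    # Table security: an ACL entry that grants PIWorld read or write is weak.
    foreach ($table in ($Snapshot.DatabaseSecurity.Keys | Sort-Object)) {
        foreach ($entry in ($Snapshot.DatabaseSecurity[$table] -split '\|')) {
            $identity, $access = ($entry -split ':', 2).Trim()
            if ($identity -ieq 'PIWorld' -and $access -match 'A\(\s*[rw]') {
                New-Finding 'TableSecurity' $table "PIWorld has $access"
            }
        }
    }
    # piadmin must not be the target of any mapping or trust.
    foreach ($kind in 'Mappings', 'Trusts') {
        foreach ($m in $Snapshot[$kind]) {
            if ($m.Identity -ieq 'piadmin') {
                New-Finding "piadmin$kind" $m.Name 'resolves to the piadmin PI user'
            }
        }
    }
    # Assumptions: EditDays counts as "set" when non-zero; AutoTrustConfig
    # 0 = no automatic trusts, 1 = loopback (127.0.0.1) trust only.
    $t = $Snapshot.Tuning
    if ([int]$t.EditDays -le 0) { New-Finding 'Tuning' 'EditDays' 'not set' }
    if (-not $t.ContainsKey('AutoTrustConfig') -or [int]$t.AutoTrustConfig -notin 0, 1) {
        New-Finding 'Tuning' 'AutoTrustConfig' 'missing, or creates trusts beyond loopback'
    }
}

Test-PIBaseline -Snapshot $snapshot | Format-Table -AutoSize
```

On the constructed snapshot this reports the PIWorld read access on PIPOINT, the mapping that targets piadmin, and the unset EditDays; the `PIWorld: A()` entry on PIUSER grants nothing and is not flagged.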
Looks like this is strictly Archive. Will this be expanded to AF, PI Web API, etc.?