Using Administrator Logins

Root account logins are deprecated in TrueNAS Bluefin 22.12.0 or newer for security hardening and to comply with Federal Information Processing Standards (FIPS). All TrueNAS users should create an administrator account with all required permissions and begin using it to access TrueNAS. When the root user password is disabled, only an administrative user account can log in to the TrueNAS web interface.

TrueNAS plans to permanently disable root account access in a future release.


Advanced Settings Screen

Advanced settings have reasonable defaults in place. A warning message displays for some settings advising of the dangers of making changes. Changing advanced settings can be dangerous when done incorrectly. Use caution before saving changes.

Make sure you are comfortable with ZFS, Linux, and system configuration, backup, and restoration before making any changes.

The Advanced Settings screen provides configuration options for the console, syslog, audit, kernel, sysctl, storage (system dataset pool), replication, WebSocket sessions, cron jobs, init/shutdown scripts, allowed IP addresses, isolated GPU device(s), self-encrypting drives, and global two-factor authentication.


Security Recommendations

Follow these best practices to administer TrueNAS securely.

General Recommendations

  • Modifying the base TrueNAS firmware image is unsupported and can create security issues.
  • Keep TrueNAS up-to-date with the most recent updates for your supported version.
  • Upgrade to new major releases promptly consistent with the deployment use case.
  • Disable any network services when not in use.
  • Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users, or keep them disconnected when not in active use.
  • Configure Syslog settings to send logs to an external server (CORE | SCALE).
  • In TrueNAS 24.04 (Dragonfish) or later, locally monitor and review audit logs using the Audit screen.
  • In the System > Advanced Settings, always keep Show Text Console without Password Prompt set to Disabled.


STIG Compliance

TrueNAS Compliance

TrueNAS falls into the category of an appliance with its own operating system as covered in the General Purpose Operating System SRG findings. Through connection to Active Directory, TrueNAS also complies with the Active Directory Domain Security Technical Implementation Guide SRG findings related to authentication and access controls for users, groups, and systems.


Two-Factor Authentication Screen

Two-factor authentication is time-based and requires a correct system time setting.

The Two-Factor Authentication screen, accessed from the Settings menu on the top toolbar, allows managing user-level two-factor authentication (2FA) credentials. It shows a different message when 2FA is enabled than when it is not configured or is disabled.

To configure 2FA settings, go to the Advanced Settings screen. For more information, see the Managing Global 2FA tutorial.

Actions

Renew Secret changes the system-generated Secret and Provisioning URI values.


Managing Global 2FA (Two-Factor Authentication)

Global two-factor authentication (2FA) is an effective way to increase security.

TrueNAS offers global 2FA to ensure that entities cannot use a compromised administrator or root password to access the administrator interface.
