Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
From: Trevor Fiatal (trevor@fiatal.net)
Date: 11/01/01
- Next in thread: Fabrice Bacchella: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- Next in thread: Trevor Fiatal: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- Reply: Trevor Fiatal: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- Reply: Fabrice Bacchella: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- Reply: dbell: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- Reply: David Foster: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
Message-ID: <3BE100CB.A4C602D1@fiatal.net>
Date: Wed, 31 Oct 2001 23:59:07 -0800
From: Trevor Fiatal <trevor@fiatal.net>
To: Markus.Fleischmann@ConSors.de
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
Markus.Fleischmann@ConSors.de wrote:
>
> Hello,
>
> we, at our company, use two Sun Clusters (one 3.0, the other 2.2) with OPS
> (8.1.7) running on both and like to make them (at least more) secure. Now the
> question is, if there are any restrictions (f.e. with respect to the
> communication between the two Cluster nodes) which prevent the usage of the
> Solaris Security Toolkit (formerly known as JASS) to secure the whole thing?
As Alex N noted, using JASS (or any other automated system-hardening
tools) is a very bad idea on SunCluster systems. While the results of doing
this are entertaining in a lab environment, you don't want to try this on your
production clusters.
> Has anybody made experiences with securing a Sun Cluster and can tell me
> which ports, services, etc. can be deactivated without any problems?
I've not worked with SC 3.0, but I have extensive experience with SC 2.2.
Here are some of the things I've implemented on SC 2.2 clusters without
breaking anything, and without getting SunService bent out of shape:
* Compile and install the tcpwrappers package. Set up policies in hosts.allow
for in.telnetd, in.ftpd, in.rshd, and sshd. Pay especially close attention to the
private cluster networks for in.rshd access. Make sure hosts.deny is set
up to deny everything else by default.
* Compile and install OpenSSH. I strongly suggest doing the extra work
to use PAM for authentication, especially if you want to use BSM auditing.
(If you don't use PAM, then editing a crontab file via ssh login will result
in the crontab causing security violations and failing to run if BSM is
enabled.) However, do NOT try to replace 'rsh' with ssh -- SunService
gets very upset about that, even if it works fine. :)
* Clean out inetd.conf, and put the remaining tcp-based services under
tcpwrappers control, especially in.rshd. SC 2.2, particularly when run with
Veritas volume management to support OPS, does not depend on much
besides rsh services in inetd.conf.
* Install the fix-modes script, and make it standard procedure to run it after
every set of patches applied to the system, no matter how few patches
are applied.
* Install the 'nddconfig' script from the Blueprints archive into /etc/rc2.d.
* Install the noexec_user_stack mods into /etc/system.
* Only run the Veritas Java-based server when you need to actively manage
the storage subsystem. Shut it down when you're done. Even better, use
the command-line interface and never run the Java console.
Hope this helps.
-Trevor
--
Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
Co-Founder, CSO SEVEN
510.967.4556 (work/mobile)
510.401.8054 (vmail/fax)
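[Added illustration, not part of Trevor's message or any Sun or SunService material: a small POSIX sh audit that checks several of the items listed above (tcpwrappers coverage of inetd.conf, a default-deny hosts.deny, the in.rshd client list in hosts.allow, and the noexec_user_stack tunables in /etc/system) against constructed sample files. The tcpd path, the network addresses and all sample file contents are assumptions.]

```shell
#!/bin/sh
# Added audit example, not from the original post: checks a few of the
# SC 2.2 hardening items listed above against constructed sample files.
# The tcpd path and every file written below are assumptions.
TCPD=/usr/sbin/tcpd
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed inetd.conf: finger is deliberately left outside tcpwrappers.
cat > "$WORK/inetd.conf" <<'EOF'
# service socket proto flags user server args
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
EOF
# Constructed hosts.allow: rsh only from the (assumed) private interconnect.
cat > "$WORK/hosts.allow" <<'EOF'
in.rshd: 172.16.0.0/255.255.255.0
sshd, in.telnetd, in.ftpd: 10.1.2.0/255.255.255.0
EOF
printf 'ALL: ALL\n' > "$WORK/hosts.deny"
printf 'set noexec_user_stack=1\nset noexec_user_stack_log=1\n' > "$WORK/system"

# Print enabled TCP services whose server program is not tcpd.
unwrapped_tcp() {
    awk -v tcpd="$TCPD" '$1 !~ /^#/ && NF >= 6 && $3 ~ /^tcp/ && $6 != tcpd { print $1 }' "$1"
}
# 0 if the file carries an uncommented "ALL: ALL" rule (wanted in hosts.deny,
# a red flag in hosts.allow where it would cancel the default deny).
has_catchall() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}
# Print the client list granted to in.rshd (first client field only).
rshd_clients() {
    awk -F: '$1 !~ /^#/ && $1 ~ /(^|[ ,])in\.rshd([ ,]|$)/ { print $2 }' "$1"
}
# 0 if /etc/system sets both noexec_user_stack tunables.
noexec_stack() {
    grep -q '^set noexec_user_stack=1' "$1" && grep -q '^set noexec_user_stack_log=1' "$1"
}

echo "unwrapped tcp services: $(unwrapped_tcp "$WORK/inetd.conf")"
if ! has_catchall "$WORK/hosts.deny"; then echo "WARNING: hosts.deny lacks ALL: ALL"; fi
if has_catchall "$WORK/hosts.allow"; then echo "WARNING: hosts.allow has ALL: ALL"; fi
echo "in.rshd allowed from:$(rshd_clients "$WORK/hosts.allow")"
if ! noexec_stack "$WORK/system"; then echo "WARNING: noexec_user_stack not set"; fi
```

On a real node, point the functions at /etc/inetd.conf, /etc/hosts.allow, /etc/hosts.deny and /etc/system instead of the constructed files.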