Topic
  • 4 replies
  • Latest Post - ‏2013-10-04T18:35:14Z by renarg
renarg
renarg
123 Posts

Pinned topic GPFS Security

‏2013-08-14T15:45:58Z |

Hallo All,

i read the doku and can't find any hints how i implement the gpfs without the use of the user root. In our company we had the policy that in the sshd-config all permit rootlogins are rejected. Are there any documentations or other fielguides that can we use to install gpfs with an user other then root. What i also understand ' Requirements for administering a GPFS file system

Root authority is required to perform all GPFS administration tasks except those with a function limited

to listing certain GPFS operating characteristics or modifying individual user file attributes.' the root authority is only for administration. Are there any possibilities to establish a new user with the same permissions that root has. Platform is planed Power  AIX.

Thanks Renar

 

  • YannickBergeron
    YannickBergeron
    35 Posts

    Re: GPFS Security

    ‏2013-08-16T11:47:09Z  

    My answer is not about not using root but how to be more secure with using root.

    Be sure to use ssh as your "Remote shell command" and scp as your "Remote file copy command" and use SSH keys between your GPFS nodes
    If you're using OpenSSH as your SSH server, configure it so that PermitRootLogin is not set to yes. You can set it to "without-password", maybe even with "forced-commands-only" (I haven't tested that one however but it should work)
    If you're running on AIX, enable syslog to log facility "auth" (ex: auth.info). Linux is probably already logging these information by default.
    Root access on your nodes should be limited to people requiring it and through Sudo.
    In your root usedif .*rc script (.kshrc on AIX for example), configure the HISTFILE of root so that each SUDO_USER have their own root history file, with timestamp.

    If someone has other good practice, please share!
     

    Best regards,

    Yannick Bergeron

  • renarg
    renarg
    123 Posts

    Re: GPFS Security

    ‏2013-08-19T07:45:46Z  

    My answer is not about not using root but how to be more secure with using root.

    Be sure to use ssh as your "Remote shell command" and scp as your "Remote file copy command" and use SSH keys between your GPFS nodes
    If you're using OpenSSH as your SSH server, configure it so that PermitRootLogin is not set to yes. You can set it to "without-password", maybe even with "forced-commands-only" (I haven't tested that one however but it should work)
    If you're running on AIX, enable syslog to log facility "auth" (ex: auth.info). Linux is probably already logging these information by default.
    Root access on your nodes should be limited to people requiring it and through Sudo.
    In your root usedif .*rc script (.kshrc on AIX for example), configure the HISTFILE of root so that each SUDO_USER have their own root history file, with timestamp.

    If someone has other good practice, please share!
     

    Best regards,

    Yannick Bergeron

    Hallo Yannick,

    thanks for your Answers. Hopefully other can share experiences or best practises on that here.

    Regard Renar.

  • TheLastWilson
    TheLastWilson
    6 Posts

    Re: GPFS Security

    ‏2013-09-05T14:04:49Z  
    • renarg
    • ‏2013-08-19T07:45:46Z

    Hallo Yannick,

    thanks for your Answers. Hopefully other can share experiences or best practises on that here.

    Regard Renar.

    Another step could be to make use of "adminMode central", I believe current versions default to this setting, it is visible under mmlsconfig. The benefit to this is that only 1 node needs to have ssh key access to the rest of the cluster.

     

    So our implementation of this is to have a management node, This is not set anywhere within GPFS other then to set adminMode to central. We selected one of our quorum nodes in the cluster and remove any outside/user access to it and then distribute the SSH keys accordingly. 

    Two things to consider/reminder if you do this: Remember to have a backup of your SSH key and your management node is the only node where you can execute mm commands. 

     

    I hope that all made sense,

    Regards,

     

    Craig W.

  • renarg
    renarg
    123 Posts

    Re: GPFS Security

    ‏2013-10-04T18:35:14Z  

    Another step could be to make use of "adminMode central", I believe current versions default to this setting, it is visible under mmlsconfig. The benefit to this is that only 1 node needs to have ssh key access to the rest of the cluster.

     

    So our implementation of this is to have a management node, This is not set anywhere within GPFS other then to set adminMode to central. We selected one of our quorum nodes in the cluster and remove any outside/user access to it and then distribute the SSH keys accordingly. 

    Two things to consider/reminder if you do this: Remember to have a backup of your SSH key and your management node is the only node where you can execute mm commands. 

     

    I hope that all made sense,

    Regards,

     

    Craig W.

    Hallo Craig, hallo Yannick, hallo all,

    i found yesterday a pdf about a description of security of gpfs. Here is the link:

    http://www.ibm.com/developerworks/aix/library/au-aix-modifying-ssh-configuration/index.html?ca=drs-

    This is the article that i requested, thanks to Jose.

    Regards Renar.