FusionInsight HD 6.5.0 Administrator Guide 02

OS Maintenance Suggestions


Check and harden operating system (OS) security according to Table 14-10; otherwise, the FusionInsight system cannot be used properly after configuration items are modified.

Table 14-10 OS security hardening information overview

Check item: Check the files that have the suid and sgid permissions on each node.
Association relationship: The /bin/ping command is used in the FusionInsight system.
Operation suggestion: It is recommended that the command permission remain the same on each node.

Check item: Check whether the root user remote login function is disabled on each node.
Association relationship: FusionInsight installation, uninstallation, and capacity expansion require the root user remote login permission.
Operation suggestion: Enable remote login by user root only when the root user is used to perform installation, uninstallation, expansion, or restoration operations.

Check item: Check the permissions of key directories or files on each node.
Association relationship: The FusionInsight system internal running user omm requires access permission to the /etc directory.
Operation suggestion: It is recommended that the /etc directory permission remain the same on each node.

Check item: Check whether the interactive system account login function is disabled on each node.
Association relationship: Nodes in the FusionInsight cluster need interactive login of users omm and root.
Operation suggestion: It is recommended that the interactive login permission be retained for omm and root on related nodes.

Check item: Check whether the NTP service is running on each node.
Association relationship: The FusionInsight system depends on the NTP service.
Operation suggestion: It is recommended that the NTP service be running properly on each node. The involved services are as follows:

  • ntpd
  • ntpdate

Check item: Check whether the services that openldap depends on are running on each node.
Association relationship: The FusionInsight system uses openldap, and openldap depends on specific services.
Operation suggestion: It is recommended that the services that openldap depends on be running properly on each node. The involved services are as follows:

  • nscd/sssd
  • slapd

Check item: Check whether common OS users are allowed to perform cron scheduled tasks on each node.
Association relationship: The running user omm of the FusionInsight system performs cron scheduled tasks.
Operation suggestion: It is recommended that user omm in the OS be allowed to perform cron scheduled tasks on each node.

Check item: Check whether OS logs, such as /var/log/messages and /var/log/secure, are archived and compressed periodically on each node.
Association relationship: If logs are not archived periodically, they accumulate until the disk space is insufficient. As a result, the FusionInsight system will fail to record logs.

NOTE:

The openldap run log function is disabled by default on the FusionInsight system to prevent a large volume of OS logs from being generated and affecting the proper running of the Syslog service.

Operation suggestion: It is recommended that the logrotate service or the cron service of the OS be used to archive and compress OS logs and delete expired OS logs periodically on each node.

Check item: Check whether the password lock mechanism is set for the omm account and ommdba account created on FusionInsight Manager.
Association relationship: If the password lock mechanism is not set, all OS accounts (including the omm account and ommdba account) will be exposed to security risks.
Operation suggestion: You are advised to set the password lock mechanism for all OS accounts on each node.

  • Modify the /etc/pam.d/system-auth file to set the password lock mechanism for the Red Hat OS accounts.
  • Modify the /etc/pam.d/login and /etc/pam.d/sshd files to set the password lock mechanism for the SUSE OS accounts.
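
A read-only check for several rows of Table 14-10, given here as an added example and not as part of the guide or of FusionInsight tooling. It prints key=value lines so that reports from different nodes can be compared. The function names are hypothetical, and the script assumes GNU stat, the standard /etc/ssh/sshd_config, /etc/cron.allow and /etc/cron.deny paths, and that the lock mechanism is pam_tally2 or pam_faillock (the guide does not name the module).

```shell
#!/bin/sh
# Added example: read-only audit of several Table 14-10 items on one node.
# Output is key=value so reports from different nodes can be diffed.

# Effective PermitRootLogin in an sshd_config-style file (sshd uses the first
# occurrence; keywords are case-insensitive). Match blocks are not evaluated.
root_ssh_login() {
    if [ ! -r "$1" ]; then echo unreadable; return 0; fi
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# cron access for a user: cron.allow, when present, takes precedence over cron.deny.
cron_status() {   # usage: cron_status USER ALLOW_FILE DENY_FILE
    if [ -f "$2" ]; then
        if grep -qxF "$1" "$2"; then echo allowed; else echo denied; fi
    elif [ -f "$3" ]; then
        if grep -qxF "$1" "$3"; then echo denied; else echo allowed; fi
    else
        echo no-policy-file   # outcome depends on the cron implementation
    fi
}

# Assumption: the lock mechanism is pam_tally2 or pam_faillock (page names no module).
pam_lock_status() {
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_(tally2|faillock)\.so' "$1" 2>/dev/null
    then echo present; else echo missing; fi
}

audit_node() {
    echo "ping_mode=$(stat -c '%a %U:%G' /bin/ping 2>/dev/null || echo unknown)"
    echo "etc_mode=$(stat -c '%a %U:%G' /etc 2>/dev/null || echo unknown)"
    echo "root_ssh_login=$(root_ssh_login /etc/ssh/sshd_config)"
    echo "omm_cron=$(cron_status omm /etc/cron.allow /etc/cron.deny)"
    for f in /etc/pam.d/system-auth /etc/pam.d/login /etc/pam.d/sshd; do
        if [ -f "$f" ]; then echo "pam_lock:$f=$(pam_lock_status "$f")"; fi
    done
}

# Run the report only when asked, e.g.: sh audit_node.sh --run
case "${1:-}" in --run) audit_node ;; esac
```

A root_ssh_login value of "unset" means the sshd default applies, which differs between OpenSSH versions; `sshd -T` reports the value actually in effect.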
Updated: 2019-05-17

Document ID: EDOC1100074522
