Security Check and Hardening
Routine Antivirus Software Check
Periodically scan clusters and Spark components for viruses. This protects clusters from viruses, malicious code, spyware, and malicious programs, reducing risks such as system breakdown and information leakage. Mainstream antivirus software can be used for antivirus check.
Communication Matrix
For details about the communication matrix, see Kunpeng BoostKit 22.0.0 OmniData Communication Matrix.
Log Control
Note the following:
- Check whether the system can limit the size of a single log file.
- Check whether there is a mechanism for clearing logs after the log space is used up.
Checking OmniData Logs
OmniData uses the log framework of Log4j. Edit the logback.xml file in the etc directory to change the logging configuration.
- Check whether the system can limit the size of a single log file.
- Check whether the system can limit the number of log files or the total size of log files.
- Check whether there is a mechanism for clearing logs after the log space is used up.
The log configuration is as follows:
<rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
    <!-- LOG FILE NAME -->
    <FileNamePattern>${LOG_HOME}/omnidata-server.%d{yyyy-MM-dd}.%i.log.gz</FileNamePattern>
    <!-- LOG FILE RETENTION DAYS -->
    <MaxHistory>30</MaxHistory>
    <!-- LOG FILE MAX SIZE -->
    <MaxFileSize>20MB</MaxFileSize>
    <!-- LOG FILE TOTAL SIZE CAP -->
    <TotalSizeCap>2GB</TotalSizeCap>
</rollingPolicy>
Checking HAF Logs
The log function of HAF is configured in configuration files. Logs are classified into audit logs and run logs. The configuration file for audit logs is LogAuditCfg.json, and the configuration file for run logs is LogServiceCfg.json.
You can modify the corresponding configuration in the /home/omm/omnidata-install/haf-offload/etc directory.
- Check whether the system can limit the size of a single log file. logSize specifies the size of a single log file in bytes. The value ranges from 1 MB to 100 MB.
- Check whether the system can limit the number of log files or the total size of log files. backupCount specifies the number of backup logs to keep. The value ranges from 0 to 100.
- Check whether there is a mechanism for clearing logs after the log space is used up. When the backup count is reached, the oldest backup logs are overwritten.
The log configuration is as follows:
{
    "autoReload": false,
    "backupCount": 10,
    "logFile": "service.log",
    "logHeaderFormat": "%time%user%level%pid%tname%function%line",
    "logLevel": "INFO",
    "logPath": "/home/omm/haf-install/haf-target/logs/haf_user",
    "logSize": 10485760
}
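The three checks listed for both log configurations can be scripted. The following POSIX shell audit is an added example and is not part of OmniData or HAF: it checks that a HAF LogServiceCfg.json keeps logSize within 1 MB to 100 MB and backupCount within 0 to 100, and that an OmniData logback.xml bounds the single-file size, the history and the total size. The sample configuration files are constructed inline in a temporary directory; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not OmniData/HAF tooling): audit the HAF and OmniData log
# configurations for the three log-control checks described above.

# json_int FILE KEY -> prints the integer value of KEY from a flat JSON file.
json_int() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# check_haf_log_cfg FILE -> 0 when logSize is 1 MB..100 MB (in bytes) and
# backupCount is 0..100, otherwise 1. Prints one line per finding.
check_haf_log_cfg() {
    size=$(json_int "$1" logSize)
    count=$(json_int "$1" backupCount)
    rc=0
    if [ -z "$size" ] || [ "$size" -lt 1048576 ] || [ "$size" -gt 104857600 ]; then
        echo "FAIL: logSize '$size' outside 1 MB..100 MB"; rc=1
    else
        echo "OK: logSize=$size bytes"
    fi
    if [ -z "$count" ] || [ "$count" -lt 0 ] || [ "$count" -gt 100 ]; then
        echo "FAIL: backupCount '$count' outside 0..100"; rc=1
    elif [ "$count" -eq 0 ]; then
        echo "WARN: backupCount=0 keeps no rotated logs at all"
    else
        echo "OK: backupCount=$count"
    fi
    return $rc
}

# check_logback_cfg FILE -> 0 when the rolling policy sets MaxFileSize,
# MaxHistory and TotalSizeCap (size per file, count, total cap), else 1.
check_logback_cfg() {
    rc=0
    for tag in MaxFileSize MaxHistory TotalSizeCap; do
        if grep -q "<$tag>[^<][^<]*</$tag>" "$1"; then
            echo "OK: $tag present"
        else
            echo "FAIL: $tag missing"; rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (not real deployment files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/LogServiceCfg.json" <<'EOF'
{
    "backupCount": 10,
    "logFile": "service.log",
    "logSize": 10485760
}
EOF
cat > "$SAMPLE_DIR/LogServiceCfg-bad.json" <<'EOF'
{ "backupCount": 500, "logSize": 4096 }
EOF
cat > "$SAMPLE_DIR/logback.xml" <<'EOF'
<rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
    <MaxHistory>30</MaxHistory>
    <MaxFileSize>20MB</MaxFileSize>
    <TotalSizeCap>2GB</TotalSizeCap>
</rollingPolicy>
EOF

for f in "$SAMPLE_DIR/LogServiceCfg.json" "$SAMPLE_DIR/LogServiceCfg-bad.json"; do
    echo "== $f"
    check_haf_log_cfg "$f" || echo "-> $f needs attention"
done
echo "== $SAMPLE_DIR/logback.xml"
check_logback_cfg "$SAMPLE_DIR/logback.xml" || echo "-> logback.xml needs attention"
```

Run it against the real files by passing /home/omm/omnidata-install/haf-offload/etc/LogServiceCfg.json (and LogAuditCfg.json, which uses the same keys) and the OmniData etc/logback.xml instead of the constructed samples.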
Buffer Overflow Prevention
To prevent buffer overflow attacks, you are advised to use address space layout randomization (ASLR), which randomizes the placement of memory regions such as the heap, the stack and shared library mappings, making it more difficult for attackers to predict target addresses and locate code. It applies to the heap, the stack and the memory mapping areas (mmap base addresses, shared libraries and vDSO pages).
How to enable ASLR (value 2 enables full randomization, including the brk heap):
echo 2 >/proc/sys/kernel/randomize_va_space
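Writing to /proc/sys/kernel/randomize_va_space takes effect immediately but is lost at reboot, so a hardening check should both verify the current value and persist it. The following POSIX shell helpers are an added example, not part of the OmniData documentation or tooling: aslr_mode maps the kernel value (0, 1, 2) to its meaning, aslr_is_full returns success only for full randomization, and persist_aslr writes a sysctl.d drop-in. The ASLR_KNOB variable and the file arguments exist so the functions can be exercised on copies without root privileges; the drop-in path /etc/sysctl.d/99-aslr.conf is an assumed name.

```shell
#!/bin/sh
# Added example (not OmniData tooling): report, verify and persist ASLR.
# ASLR_KNOB may be pointed at a file copy for dry runs; default is the kernel knob.
ASLR_KNOB=${ASLR_KNOB:-/proc/sys/kernel/randomize_va_space}

# aslr_mode [FILE] -> prints a label for the randomize_va_space value.
aslr_mode() {
    f=${1:-$ASLR_KNOB}
    case "$(cat "$f" 2>/dev/null | tr -d '[:space:]')" in
        0) echo "off" ;;
        1) echo "partial (stack, mmap base and vDSO randomized; brk heap is not)" ;;
        2) echo "full" ;;
        *) echo "unknown" ;;
    esac
}

# aslr_is_full [FILE] -> 0 only when the value is 2 (full randomization).
aslr_is_full() {
    [ "$(aslr_mode "$@")" = "full" ]
}

# persist_aslr [DEST] -> writes a sysctl drop-in so the setting survives reboot.
# DEST defaults to /etc/sysctl.d/99-aslr.conf (assumed file name).
persist_aslr() {
    dest=${1:-/etc/sysctl.d/99-aslr.conf}
    printf 'kernel.randomize_va_space = 2\n' > "$dest"
    echo "wrote $dest; apply it now with: sysctl -p $dest"
}

# Stand-alone run: print the live mode and advise.
echo "ASLR mode: $(aslr_mode)"
if aslr_is_full; then
    echo "ASLR is fully enabled"
else
    echo "ASLR is not fully enabled; run: echo 2 >/proc/sys/kernel/randomize_va_space"
fi
```

The persisted value can be confirmed after a reboot with sysctl kernel.randomize_va_space, which reads the same knob.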
Vulnerability Fixing
To ensure the security of the production environment and reduce the risk of attacks, enable the firewall and periodically fix the following vulnerabilities:
- OS vulnerabilities
- JDK vulnerabilities
- Hadoop and Spark vulnerabilities
- ZooKeeper vulnerabilities
- Kerberos vulnerabilities
- openLooKeng vulnerabilities
- OpenSSL vulnerabilities
- Vulnerabilities in other components
The following uses CVE-2021-37137 as an example.
Vulnerability description:
In Netty 4.1.17, two Content-Length HTTP headers in one message may be confused. The vulnerability ID is CVE-2021-37137.
The system uses the hdfs-ceph (version 3.2.0) service as the storage object with decoupled storage and compute. This service depends on aws-java-sdk-bundle-1.11.375.jar, which involves this vulnerability. You are advised to apply the vendor patch in a timely manner to prevent attacks.
Impact:
Netty 4.1.68 and earlier versions are affected.
Handling suggestion:
The vendor has released an upgrade patch to fix the vulnerability. For details, visit the following website:
https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
SSH Hardening
During the deployment and installation of OmniData and HAF, you need to connect to the server through SSH. The root user has all operation permissions, so logging in to the server as the root user over SSH poses a security risk.
You are advised to log in to the server as a common user for installation and deployment and to disable root user login over SSH. Perform the following operations:
- Open the /etc/ssh/sshd_config file.
  vim /etc/ssh/sshd_config
- Check the PermitRootLogin configuration item.
  - If the value is no, root user login over SSH is already disabled.
  - If the value is yes, press i to enter insert mode and change PermitRootLogin to no.
- Press Esc, type :wq!, and press Enter to save the file and exit.
- Run service sshd restart to make the setting take effect.
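A manual check of PermitRootLogin is easy to get wrong: sshd honours the first matching directive, ignores commented lines, and treats directives inside a Match block as conditional, so a hardened line appended at the end of the file may never take effect. The following POSIX shell helpers are an added example, not part of the OmniData documentation: permit_root_login prints the effective global value of a given sshd_config (or "unset" when no global directive exists), and set_permit_root_login_no rewrites the global directives to no, prepending one when none exists, after saving a .bak copy. The functions are exercised on a constructed copy so no live configuration is touched.

```shell
#!/bin/sh
# Added example (not OmniData tooling): read and harden PermitRootLogin in an
# sshd_config file. Keywords are case-insensitive; the first global match wins.

# permit_root_login FILE -> prints the first global PermitRootLogin value,
# or "unset" when none appears before the first Match block.
permit_root_login() {
    v=$(awk '
        tolower($1) == "match" { exit }                    # conditional section begins
        tolower($1) == "permitrootlogin" { print $2; exit } # first global directive wins
    ' "$1")
    echo "${v:-unset}"
}

# set_permit_root_login_no FILE -> every global PermitRootLogin line becomes
# "PermitRootLogin no"; if there is none, one is prepended. A .bak copy is kept.
set_permit_root_login_no() {
    f=$1
    cp "$f" "$f.bak"
    if [ "$(permit_root_login "$f")" = "unset" ]; then
        { echo "PermitRootLogin no"; cat "$f.bak"; } > "$f"
    else
        awk '
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && tolower($1) == "permitrootlogin" { $0 = "PermitRootLogin no" }
            { print }
        ' "$f.bak" > "$f"
    fi
}

# Constructed sample (not a real server's file): a commented default, a live
# "yes", and a Match block that must be left alone.
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
#PermitRootLogin prohibit-password
Port 22
PermitRootLogin yes
Match User deploy
    PermitRootLogin yes
EOF

echo "before: PermitRootLogin=$(permit_root_login "$SSHD_SAMPLE")"
set_permit_root_login_no "$SSHD_SAMPLE"
echo "after:  PermitRootLogin=$(permit_root_login "$SSHD_SAMPLE")"
```

On a real host, run the rewrite on /etc/ssh/sshd_config only after confirming that a non-root account with sudo rights can log in, validate the result with sshd -t, and keep the current session open until a fresh login as that account has succeeded; then run service sshd restart as the page describes.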