Security Check and Hardening

Routine Antivirus Software Check

Periodically scan clusters and Spark components for viruses. This protects clusters from viruses, malicious code, spyware, and malicious programs, reducing risks such as system breakdown and information leakage. Any mainstream antivirus software can be used for the scan.

Security Hardening

Periodically perform security hardening on the OS. Security hardening actions include but are not limited to periodically fixing OS vulnerabilities, periodically fixing Spark vulnerabilities, and enabling the firewall.

Vulnerability Fixing

To ensure the security of the production environment and reduce the risk of attacks, enable the firewall and periodically fix the following vulnerabilities:

  • OS vulnerabilities
  • JDK vulnerabilities
  • Hadoop and Spark vulnerabilities
  • Kerberos vulnerabilities
  • openLooKeng vulnerabilities
  • Vulnerabilities in other components

    The following uses CVE-2021-37137 as an example.

    Vulnerability description:

    Netty 4.1.17 has two Content-Length HTTP headers that may be confused. The vulnerability ID is CVE-2021-37137.

    The system uses the hdfs-ceph (version 3.2.0) service as the storage object with decoupled storage and compute. This service depends on aws-java-sdk-bundle-1.11.375.jar, which is affected by this vulnerability. You are advised to apply the vulnerability patch promptly to reduce the risk of attacks.

    Impact:

    Netty 4.1.68 and earlier versions

    Handling suggestion:

    The vendor has released an upgrade patch that fixes the vulnerability. For details, visit the following website:

    https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363

SSH Hardening

During the deployment and installation of OmniOperator, you need to connect to the server through SSH. The root user has all the operation permissions. Logging in to the server as the root user may pose security risks.

You are advised to log in to the server as a common user for installation and deployment, and to disable root user login over SSH to improve system security. Perform the following operations:

  1. Open the /etc/ssh/sshd_config file.
    vim /etc/ssh/sshd_config
  2. Check the PermitRootLogin configuration item.
    • If the value is no, root user login using SSH is disabled.
    • If the value is yes, press i to enter the insert mode and change PermitRootLogin to no.
  3. Press Esc, type :wq!, and press Enter to save the file and exit.
  4. Run service sshd restart to make the setting take effect.
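
The check in steps 2 to 4 can also be scripted. The following is an added example, not part of the original procedure or of OmniOperator; the function names and the sample file are assumptions made for illustration. It reads the global PermitRootLogin value the way sshd does (case-insensitive keyword, first occurrence wins, Match blocks excluded) and rewrites it to no while keeping a backup.

```shell
#!/bin/sh
# Added example (not from the original page): audit and fix PermitRootLogin.
# Assumes "Keyword value" lines separated by whitespace; Include files are not
# followed. On a live host, `sshd -T` prints the effective configuration.

# Print the global PermitRootLogin value in file $1, or "unset" (sshd default).
# sshd keywords are case-insensitive and the first occurrence wins; lines
# after a Match keyword apply only conditionally, so scanning stops there.
effective_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Force "PermitRootLogin no" globally in file $1, keeping a backup in $1.bak.
# The directive is written first so it wins; other global occurrences are
# dropped. Directives inside Match blocks are left for manual review.
disable_root_login() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        BEGIN { print "PermitRootLogin no" }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { next }
        { print }
    ' "$1.bak" > "$1"
}

# Constructed sample file; the real file is /etc/ssh/sshd_config.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin prohibit-password
permitrootlogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF

echo "before: $(effective_root_login "$demo_cfg")"
disable_root_login "$demo_cfg"
echo "after:  $(effective_root_login "$demo_cfg")"
# On a live host, validate before restarting: sshd -t && service sshd restart
rm -f "$demo_cfg" "$demo_cfg.bak"
```

In the sample, the lowercase `permitrootlogin yes` line is the one sshd would honor, even though a later line says no; keep an existing SSH session open while restarting sshd so a configuration mistake does not lock you out.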