Operating System - HP-UX

ServiceGuard, rcp and vulnerability scans


Hey, guys. Our PCI compliance vulnerability scans have been putting a spotlight on the fact that I have the r services (rexec, rlogin, rsh) turned on for our servers that run ServiceGuard. As SG uses rcp to transfer the cluster binary config files across the nodes, it has to be turned on.

Has HP addressed moving away from rcp and over to scp for ServiceGuard? I guess I could technically turn off the r services and only turn them on when I plan on making cluster configuration changes that require the transfer of the config file to the other nodes, but I would rather not have to add another element to the cluster administration.
Steven E. Protter
Exalted Contributor
Solution

Re: ServiceGuard, rcp and vulnerability scans

Shalom,

Serviceguard 11.16 and above has an improved security model and can be used without rcp. It does not use openssh, but you can shut down the vulnerable r-type services and still use ServiceGuard.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
melvyn burnard
Honored Contributor

Re: ServiceGuard, rcp and vulnerability scans

Serviceguard itself does NOT use rcp etc. It has its own built-in copy method. It is used when manually copying files around nodes IF you wish to use this.
Most customers I deal with these days use scp and ssh for the manual procedures.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!

Re: ServiceGuard, rcp and vulnerability scans

Ok, my environment contains several clusters which are all a minimum of 11.16. Are you telling me that as it is right now, they aren't using rcp when I do a cmapplyconf and I can disable the r services and still have the same functionality? Or do I need to do anything special to invoke the more secure internal method of transfer.

Thanks very much for your help.

John

Re: ServiceGuard, rcp and vulnerability scans

Another thing, does this built-in file transfer method go across a specific port? If so, do you know what port?

And by manual procedures I assume you mean transferring cluster.confs, cmclnodelist, package configuration files and whatnot. That is, everything except the cmclconfig.
Aneesh Mohan
Honored Contributor

Re: ServiceGuard, rcp and vulnerability scans

Hi,

ServiceGuard uses the ports below (service name, port/protocol, description):

clvm-cfg   1476/tcp  HA LVM Configuration
hacl-qs    1238/tcp  HA Quorum Server
hacl-hb    5300/tcp  High Availability (HA) Cluster heartbeat
hacl-hb    5300/udp  High Availability (HA) Cluster heartbeat
hacl-gs    5301/tcp  HA Cluster General Services
hacl-cfg   5302/tcp  HA Cluster TCP configuration
hacl-cfg   5302/udp  HA Cluster UDP configuration
hacl-probe 5303/tcp  HA Cluster TCP probe
hacl-probe 5303/udp  HA Cluster UDP probe
hacl-local 5304/tcp  HA Cluster commands
hacl-test  5305/tcp  HA Cluster test
hacl-dlm   5408/tcp  HA Cluster distributed lock manager


Aneesh
Steven E. Protter
Exalted Contributor

Re: ServiceGuard, rcp and vulnerability scans

Shalom,

The default cmquerycl method of setting up an 11.16 cluster uses the cmclnodelist security model, improving the previous security model.

As far as file transfer, scp can be used, but SG does not require password free file transfer to operate. SG communications and heartbeat do not use r-services.

I do not know what port it uses, but a look at netstat -an will help. You can also use tcpdump to figure out what ports are in use. Probably someone will just tell you, but finding stuff out this way is fun and cool.

SG does run a daemon or two in /etc/inetd.conf but that is done with reasonable security.

SEP
John Bigg
Esteemed Contributor

Re: ServiceGuard, rcp and vulnerability scans

Serviceguard has never used any of the r services, nor does it currently use ssh or scp. It has always used its own code to transfer the binary file between nodes.

Old versions of Serviceguard (long before 11.16) used to use .rhosts / hosts.equiv as an authentication method, but it has never actually used the r services themselves. These have always been able to be disabled. They were simply used as a convenient method by admins to copy files such as the package files between nodes.

On Linux SG clusters I do not even have the r commands installed.
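Putting the port list above, the netstat -an suggestion and the .rhosts/hosts.equiv remark together, here is an added example of the check a PCI remediation pass would run on a node. It is mine, not code from any poster or from HP's Serviceguard tooling. It classifies listening sockets against the Serviceguard port list quoted in the thread, reports which r-services inetd still serves, and flags wildcard entries in a hosts.equiv or .rhosts file. All three inputs are constructed samples in HP-UX layout (the inetd.conf daemon paths are assumptions for illustration); on a real node you would pipe `netstat -an`, `/etc/inetd.conf` and the trust files in instead.

```shell
#!/bin/sh
# Added example, not from the thread: given `netstat -an` output, an
# inetd.conf and a hosts.equiv/.rhosts file (passed in as text so it runs
# offline), classify listening sockets against the Serviceguard port list,
# report which r-services inetd still serves, and flag wildcard trust entries.
# All three samples below are constructed, not captured from a real node.

# Serviceguard ports as listed in the thread (service:port/proto).
SG_PORTS="clvm-cfg:1476/tcp hacl-qs:1238/tcp hacl-hb:5300/tcp hacl-hb:5300/udp
hacl-gs:5301/tcp hacl-cfg:5302/tcp hacl-cfg:5302/udp hacl-probe:5303/tcp
hacl-probe:5303/udp hacl-local:5304/tcp hacl-test:5305/tcp hacl-dlm:5408/tcp"

# Berkeley r-services as registered in /etc/services (rexecd/rlogind/remshd).
R_PORTS="exec:512/tcp login:513/tcp shell:514/tcp"

# Constructed sample in HP-UX `netstat -an` layout (local address "*.port").
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.5300                 *.*                    LISTEN
tcp        0      0  *.5302                 *.*                    LISTEN
tcp        0      0  *.514                  *.*                    LISTEN
tcp        0      0  10.0.0.11.5300         10.0.0.12.49152        ESTABLISHED
udp        0      0  *.5300                 *.*
udp        0      0  *.5302                 *.*'

# Constructed /etc/inetd.conf fragment (paths assumed): exec is commented out.
SAMPLE_INETD='# r-services
login  stream tcp nowait root /usr/lbin/rlogind rlogind
shell  stream tcp nowait root /usr/lbin/remshd  remshd
#exec  stream tcp nowait root /usr/lbin/rexecd  rexecd'

# Constructed hosts.equiv-style file: "host [user]", "+" is a wildcard.
SAMPLE_TRUST='# cluster nodes
node1
node2 root
+ +
+'

# Print "proto port" for each TCP socket in LISTEN and each bound UDP socket.
# Accepts "*.5300" (HP-UX) or "0.0.0.0:5300" (Linux) local-address syntax.
listening_sockets() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, /[.:]/); print "tcp", a[n] }
        $1 ~ /^udp/                    { n = split($4, a, /[.:]/); print "udp", a[n] }
    '
}

# lookup LIST PORT PROTO: print the service name for PORT/PROTO, or fail.
lookup() {
    for entry in $1; do
        case "$entry" in
            *":$2/$3") echo "${entry%%:*}"; return 0 ;;
        esac
    done
    return 1
}

# Tag every listening socket as SG (expected), R-SERVICE (scanner finding)
# or OTHER (needs a look).
classify_sockets() {
    listening_sockets | while read -r proto port; do
        if name=$(lookup "$SG_PORTS" "$port" "$proto"); then
            echo "SG        $proto/$port $name"
        elif name=$(lookup "$R_PORTS" "$port" "$proto"); then
            echo "R-SERVICE $proto/$port $name"
        else
            echo "OTHER     $proto/$port"
        fi
    done
}

# Print the r-services inetd still serves (uncommented login/shell/exec lines).
enabled_r_services() {
    awk '$1 == "login" || $1 == "shell" || $1 == "exec" { print $1 }'
}

# Flag wildcard trust entries: "+" as host trusts every host, as user every user.
trust_wildcards() {
    awk '
        $1 ~ /^#/ || NF == 0   { next }
        $1 == "+" && $2 == "+" { print NR ": any user from any host"; next }
        $1 == "+"              { print NR ": any host"; next }
        $2 == "+"              { print NR ": any user from " $1; next }
    '
}

# Run all three checks over the constructed samples.
report() {
    echo "--- listening sockets:";        echo "$SAMPLE_NETSTAT" | classify_sockets
    echo "--- r-services in inetd.conf:"; echo "$SAMPLE_INETD" | enabled_r_services
    echo "--- trust-file wildcards:";     echo "$SAMPLE_TRUST" | trust_wildcards
}
report
```

On the sample, the socket check shows the four Serviceguard listeners as expected and the one tcp/514 listener as the r-service the scanner is complaining about; the inetd check names login and shell as still enabled. Commenting those lines out and reloading inetd removes the listener, which is the change the scan actually tests for. The trust-file check is there because of John Bigg's point: what old Serviceguard consulted was .rhosts/hosts.equiv, not the daemons, so a stale `+` entry is worth removing even after the r-services are off.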