HP UX System Adstration manual Security Notes, Choosing a Synchronization Invocation Method

Page 36

#mkdir -p /var/opt/dsau/cfengine/inputs

#cd /var/opt/dsau/cfengine/inputs

#scp master_server:/var/opt/dsau/cfengine/inputs/update.conf

./update.conf

To allow this client to accept cfrun requests, do the following:

1.Edit /etc/rc.config.d/cfservd and set the CSYNC_CONFIGURED variable to "1" -- this will start cfservd at system boot time.

2.Start cfservd:

#/sbin/init.d/cfservd start

3.Test the configuration with cfagent (see cfagent(8)):

#cfagent --no-lock --verbose --no-splay

The verbose output will display the client, checking for updated copies of the master policy files, copying them down to /var/opt/cfengine/inputs if needed, and then executing the contents of cfagent.conf/cf.main.

For additional troubleshooting information, refer to the section “cfengine Troubleshooting” (page 39).

2.3.2.4 Choosing a Synchronization Invocation Method

As the administrator, you can push changes out to managed clients by using the cfrun command (see cfrun(8)). cfrun contacts the cfservd daemon on each managed client and cfservd invokes cfagent which does the actual synchronization work. You can also choose to have cfagent run at intervals on the client. There are two approaches:

Run cfagent from a cron job.

When running cfagent from cron, invoke it using cfexecd -F. An example crontab entry is shown below:

0 * * * * /var/opt/dsau/cfengine/bin/cfexecd -F

This crontab entry will cause cfagent to be run every hour.

In this example, cfexecd (see cfexecd(8)) acts a wrapper for cfagent and collects any output and places it in /var/opt/dsau/cfengine/outputs. cfexecd can also cause mail to be sent to the administrator if specified in the cfagent.conf file. For details, refer to the cfengine reference manual in /opt/dsau/doc/cfengine.

Note that the default cf.main has an example for automatically adding the above line to the crontab file of each managed client.

Run cfexecd in daemon mode.

cfexecd has cron-like features based on cfengine’s time classes and can be used instead of cron to run cfagent. cfexecd defaults to running cfengine every hour. When first getting started with cfengine, it is probably easiest to use cron for scheduling client side synchronization. For details on using cfexecd in daemon-mode, refer to the cfengine tutorial located in /opt/dsau/doc/cfengine/.

2.4Security Notes

cfengine has many security features that range from parameters that control denial-of-service attacks to access control lists that prevent managed clients from accessing reference file directories on the server. For details on cfengine security features, refer to the reference manual located in /opt/dsau/doc/cfengine/. The security topics discussed below include:

Key exchange

Network port usage

36 Configuration Synchronization

Image 36
Contents Distributed Systems Administration Utilities Users Guide Copyright 2009 Hewlett-Packard Development Company, L.P Table of Contents HP-Supported Open Source pdsh Options Index Syslog-ngLog-Forwarding Configuration List of FiguresConsolidated Logging Commands Target Node Error MessagesList of Tables About this Document Intended AudienceTypographic Conventions Related InformationProduct Support HP Encourages Your Comments Introduction Distributed Systems Administration Utilities Commands Configuration Synchronization CommandConsolidated Logging Commands Command Fanout CommandsUtility Setup Command Open Source cfengine CommandsOpen Source pdsh Commands Open Source ComponentsDistributed Systems Administration Utilities Manual Pages Open Source syslog-ng CommandDsau Manual Page Sections Configuration Synchronization Cfengine OverviewCfengine Daemons and Commands Configuration SynchronizationCfengine Master Server Deployment Models Cfengine OverviewConfiguring cfengine Using the Configuration Synchronization WizardConfiguration Data for csyncwizard # /opt/dsau/sbin/csyncwizardWizard displays the following introductory screen Wizard proceeds to configure the system as a master server # /opt/dsau/sbin/csyncwizard Configuration Synchronization Configuring cfengine Would you like to manage clients? N Cluster Configuration Notes for cfengine Serviceguard Automation FeaturesVar/opt/dsau/cfengine/inputs directory Using the Wizard to Configure a Synchronization Client Opt/dsau/bin/csyncdispatcher Memberadded newhostManual Configuration When prompted, enter the name of the client to addManually Configuring a Standalone Synchronization Server Start by creating the directory# mkdir -p /var/opt/dsau/cfenginemaster/inputs # /opt/dsau/sbin/cfkey # /var/opt/dsau/cfengine/ppkeys # cp localhost.pub root-10.0.0.5.pub# /sbin/init.d/cfservd start # cfagent --no-lock --verbose --no-splay# cfrun -- --inform # cfrun -v -- --verboseInitial Serviceguard Package Preparation # mkdir -p /csync/dsau/cfenginemaster/masterfilesPolicyhost = csync.abc.xyz.com List Managed Clients in cfrun.hostsEdit the cfservd.conf File # /opt/dsau/sbin/cfkey# ccp /etc/rc.config.d/cfservd /etc/rc.config.d/cfservd # cp localhost.pub root-192.10.25.12.pub# ccp * /var/opt/dsau/cfengine/ppkeys # cexec /sbin/init.d/cfservd startTest the configuration by performing the following steps # ccp csync csync.conf /etc/cmcluster/csyncApply the package and start it # cmapplyconf -P csync.conf # cmmodpkg -e csyncConfiguring a Synchronization Managed Client On a managed client, use the commandSecurity Notes Choosing a Synchronization Invocation MethodKey Exchange Csync Network Port UsageEncryption Encryption Checksum alertsDisabling Use of cfengine Logging OptionsChecksum Alerts # /sbin/init.d/cfservd stopCfengine Troubleshooting Syntax error due to missing or superfluous spaces#cfagent -K Unable to connect to a cfengine client or masterCfagent -d, -d1, -d2, or -d3 cfservd Cfrun Consolidated Logging Introduction to syslogSyslog Message Format 2describes syslog Facilities MessagesLog Consolidation Overview Message FilteringImproved Log Consolidation Syslog Co-existence Etc/cmcluster/package-name/package-name.log Log Consolidation Configuration Syslog-ng Log Consolidator ConfigurationUsing the Log Consolidation Wizard Configuration Data for clogwizardOpt/dsau/sbin/clogwizard Where N is the expected number of clients Answer yes y or press Enter. The next question isAnswer yes y. The wizard then prompts If these choices are correct, continue Next prompt is Log files that reside on this cluster can be consolidated Consolidated package logs would be located here Cluster Configuration Notes for clog Minimizing Message Loss During Failover Configuring a Log Forwarding Client Using clogwizard Or press Enter. The next question isEnter the ssh port to be used for port forwarding Manually Configuring Log Consolidation Manually Configuring a Standalone Log Consolidation Server# /sbin/init.d/syslogd stop # /sbin/init.d/syslogd start Replace the %UDPLOOPBACKLOG% token withFor example, for TCP Create the following symbolic link Change the Clogconfigured line toIf using the TCP protocol, add Add the following linesLog Consolidation Configuration SYSLOGDOPTS=-D -N KEEPALIVE% tokens with appropriate values UDPLOOPBACKSOURCE% and %UDPLOOPBACKLOG% tokens If consolidating package logs of this cluster, add Creating the clog PackageIf using VxVM, comment out the LVM Volume Group line Testing and Starting the clog Package Distribute it cluster-wideThen use cmviewcl to make sure it is running Manually Configuring Log Forwarding Clients Using VxVM Instead of LVMManually Configuring a Standalone Log Forwarding Client Ln -sf /etc/syslog-ng.conf.client /etc/syslog-ng.conf # /sbin/init.d/syslog-ng start # cpp /etc/rc.config.d/syslogd /etc/rc.config.d Destination dsyslog%TYPE% %TYPE%%IP%port%PORT% If using the TCP protocol, add the following lines If using ssh port forwarding, addOtherwise, if using the UDP protocol, add Create the following symbolic link on each cluster memberStart syslog-ngon all cluster members using Forwarding Ascii Log DataFor the destination line For the filter lineConsolidating Package Logs on the Log Consolidation Server For the log linePerform the following steps to disable log consolidation Disabling Log ConsolidationDisabling a Standalone Log Consolidation System #/sbin/init.d/syslogd stopDisabling a Serviceguard Cluster Log Consolidation System Disabling a Standalone Log Forwarding Client#/sbin/init.d/syslogd start # /sbin/init.d/syslog-ng stopDisabling a Serviceguard Cluster Log Forwarding Client #/sbin/init.d/syslogd stop #/sbin/init.d/syslogd startSecuring Consolidated Logs Log File ProtectionsSsh Port Forwarding Using Bastille to Harden the System Clog Network Port Usage# cd /opt/ssh/etc # ccp sshhost* /opt/ssh/etc Using the System and Consolidated Log Viewer Viewing System and Consolidated LogsStarting System Management Homepage To log in to the System Management Homepage, navigate toViewing System and Consolidated Logs Page Command Fanout Parallel Distributed ShellPdsh Utility Wrappers All nodesSystems Cwall displays a wall1M broadcast message on multiple hostsSecurity Configuration Remote Shell Security SetupSsh Security Setup # csshsetup -r -f memberslist.txtCommand Fanout Troubleshooting Ssh Command MessagesRsh Command Messages Target Node Error MessagesHP-Supported Open Source pdsh Options Page Index CfanouthostsLVM UDP