Terry's right. No crons. It's a mad idea!
On 2019-12-19 11:02, Terry Froy wrote:
> Hi Winnie,
>
> I would definitely say that disallowing user-created cron/at jobs on
> worker nodes is the right thing to do.
>
> No job (or output from a job), excepting admin-controlled logging,
> should persist on a worker node once the job has completed execution
> and any resulting output has been successfully transferred.
>
> Happy to be corrected by anyone or even Mr. UK Grid Security himself
> when he awakens from his Christmas slumber 😉
>
> Regards,
> Terry
>
> --
>
> Terry Froy
>
> Cluster Systems Manager, Particle Physics
>
> Queen Mary University of London
>
> Tel: +44 (0)207 882 6560
>
> E-mail: [log in to unmask]
>
> -------------------------
>
> From: Testbed Support for GridPP member institutes
> <[log in to unmask]> on behalf of Winnie Lacesso
> <[log in to unmask]>
> Sent: 19 December 2019 09:52
> To: [log in to unmask] <[log in to unmask]>
> Subject: WLCG WN security question
>
> Good morning!
>
> I asked this of UK Grid Security, but got an auto-reply that he's out of
> office till Jan 2020.
>
> Dr Yves Coppens (was BHAM, now long gone) built original Bristol WLCG
> site (2004), & as I inherited it from him, one of the things he'd
> configured in building WLCG WN was:
>
> # disallow malicious user jobs to create atjobs & crontabs
> touch /etc/cron.allow
> touch /etc/at.allow
>
> I assumed that was part of some WLCG security "best practice" in WN
> build/config. Does anyone know, is it still true (recommended if not
> required for WLCG WN)?
>
> If so, is there some WLCG WN build/config security "best practice"
> checklist? (We're building a batch of new WN so think to check all the
> things to-do)
>
> I took a look at
> https://www.gridpp.ac.uk/wiki/Security_Information
> but didn't see anything (obvious) like this?
>
> Grateful for anyone's advice!
>
> ########################################################################
>
> To unsubscribe from the TB-SUPPORT list, click the following link:
> https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1
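What the two `touch` lines in the quoted message set up, as an added example that is not part of the thread: an existing but empty cron.allow or at.allow takes precedence over the deny file and admits no ordinary user (precedence as documented in crontab(1) and at(1) on common Linux distributions). The function names and the ROOT argument are hypothetical, chosen so the check can run against a test directory tree.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies who may use cron or at on a
# worker node from the allow/deny files. ROOT is a hypothetical prefix so the
# same check can be pointed at a test tree instead of the live /etc.

# count_users FILE: number of non-blank lines (one username per line)
count_users() {
    grep -c '[^[:space:]]' "$1" 2>/dev/null || true
}

# sched_policy ROOT NAME   (NAME is "cron" or "at")
# prints one of: locked | allowlist:N | denylist:N | no-files
sched_policy() {
    root=$1; name=$2
    allow="$root/etc/$name.allow"
    deny="$root/etc/$name.deny"
    if [ -e "$allow" ]; then
        # An existing allow file wins; the deny file is not consulted.
        n=$(count_users "$allow")
        if [ "$n" -eq 0 ]; then echo "locked"; else echo "allowlist:$n"; fi
    elif [ -e "$deny" ]; then
        # Every user NOT listed here may schedule jobs.
        n=$(count_users "$deny")
        echo "denylist:$n"
    else
        # Behaviour without either file differs between builds: report it.
        echo "no-files"
    fi
}

# audit_wn ROOT: prints the policy for cron and at, returns 0 only if both
# are locked down with an empty allow file.
audit_wn() {
    rc=0
    for name in cron at; do
        p=$(sched_policy "$1" "$name")
        echo "$name: $p"
        [ "$p" = "locked" ] || rc=1
    done
    return $rc
}

# On a real node: audit_wn ""   (an empty ROOT means the live /etc)
```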