Secure the Tiebreaker host and database installation
For configurations running MetroCluster Tiebreaker 1.5 and later, you can secure and harden the host OS and the database.
Secure the host
The following guidelines show you how to secure the host where the Tiebreaker software is installed.
User management recommendations
-
Limit access of the "root" user.
-
You can use users that are able to elevate to root access to install and administer the Tiebreaker software.
-
You can use users that are not able to elevate to root access to administer Tiebreaker software.
-
During installation, you must create a group named "mcctbgrp". The host root user and the user created during the installation must both be members. Only members of this group can fully administer the Tiebreaker software.
Users who are not members of this group cannot access the Tiebreaker software or CLI. You can create additional users on the host and make them members of the group. These additional members cannot fully administer the Tiebreaker software. They have ReadOnly access and cannot add, change, or delete monitors. -
Do not run Tiebreaker as a root user. Use a dedicated, unprivileged service account to run Tiebreaker.
-
-
Change the default community string in the "/etc/snmp/snmpd.conf" file.
-
Allow minimal write privileges. The unprivileged Tiebreaker service account should not have access to overwrite its executable binary or any configuration files. Only directories and files for local Tiebreaker storage (eg., for integrated backend storage) or audit logs should be writable by the Tiebreaker user.
-
Do not permit anonymous users.
-
Set AllowTcpForwarding to "no" or use the Match directive to restrict anonymous users.
-
Baseline host security recommendations
-
Use disk encryption
-
You can enable disk encryption. This can be FullDiskEncryption (hardware), or encryption provided by the HostOS (software), or by the SVM host.
-
-
Disable unused services that allow incoming connections. You can disable any service that isn’t in use. The Tiebreaker software does not require a service for incoming connections because all connections from the Tiebreaker installation are outgoing. The services that might be enabled by default and can be disabled are:
-
HTTP/HTTPS server
-
FTP server
-
Telnet, RSH, rlogin
-
NFS, CIFS, and other protocol access
-
RDP (RemoteDesktopProtocol), X11 Server, VNC or other remote "desktop" service providers.
You must leave either serial console access (if supported) or at least one protocol enabled to administer the host remotely. If you disable all protocols, then you require physical access to the host for administration.
-
-
Secure the host using FIPS
-
You can install the host OS in FIPS-compliant mode and then install Tiebreaker.
OpenJDK 19 checks on startup whether the host is installed in FIPS mode. No manual changes should be required. -
If you secure the host, you must ensure that the host is able to boot without user intervention. If user intervention is required, Tiebreaker functionality might not be available if the host unexpectedly reboots. If this occurs, Tiebreaker functionality is only available after the manual intervention and when the host is fully booted.
-
-
Disable Shell Command History.
-
Upgrade frequently. Tiebreaker is actively developed, and updating frequently is important to incorporate security fixes and any changes in default settings such as key lengths or cipher suites.
-
Subscribe to the HashiCorp Announcement mailing list to receive announcements of new releases and visit the Tiebreaker CHANGELOG for details on recent updates for new releases.
-
Use the correct file permissions. Always ensure appropriate permissions are applied to files before starting the Tiebreaker software, especially those containing sensitive information.
-
Multifactor authentication (MFA) enhances your organization's security by requiring administrators to identify themselves by using more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties.
-
Red Hat Enterprise Linux 8 provides MFA that requires users to provide more than one piece of information to authenticate successfully to an account or Linux host. The additional information might be a one-time password sent to your cell phone via SMS or credentials from an app like Google Authenticator, Twilio Authy, or FreeOTP.
-
Secure the database installation
The following guidelines show how to secure and harden the MariaDB 10.x database installation.
-
Limit the access of the "root" user.
-
Tiebreaker uses a dedicated account. The account and tables for storing (configuration) data is created during the installation of Tiebreaker. The only time elevated access to the database is required is during installation.
-
-
During installation the following access and privileges are required:
-
The ability to create a database and tables
-
The ability to create global options
-
The ability to create a database user and set the password
-
The ability to associate the database user with the database and tables and assign access rights
The user account that you specify during the Tiebreaker installation must have all these privileges. Using multiple user accounts for the different tasks is not supported.
-
-
Use encryption of the database
-
Data-at-rest encryption is supported. Learn more about data-at-rest encryption
-
Data in flight is not encrypted. Data in flight uses a local "socks" file connection.
-
FIPS compliancy for MariaDB — you do not need to enable FIPS compliancy on the database. Installation of the host in FIPS-compliant mode is sufficient.
The encryption settings must be enabled before installation of the Tiebreaker software.
-
-
Database user management
-
Secure the database
-
Secure the Vault installation