EMI WN Service Reference Card

Daemons running

Init scripts and options (start|stop|restart|...)

Configuration files location with example or template

• /etc/profile.d/a1_grid_env.sh
• /etc/profile.d/grid-env.sh
• /etc/profile.d/grid-env.csh
• /etc/glite-wn-info/
• /etc/vomses/

Logfile locations (and management) and other useful audit information

• /var/log
• Batch system specific logfiles (varies)

Open ports

• gLite port table

Possible unit test of the service

Where is service state held (and can it be rebuilt)

Cron jobs

• cleanup-grid-accounts
• fetch-crl

Security information

Access control Mechanism description (authentication & authorization)

• Nothing reported

How to block/ban a user

• There is no way to block/ban a user on a single Worker Node. The access must be handled at the level of the CE, you can see here

Network Usage

• Worker Nodes should normally be configured to have outbound connectivity only to the world. There is no need for the WN to be reached from the outside.

Firewall configuration

• SCP access with HostBasedAuthentication must be granted to the Computing Element
• Ports used by the batch system server must be opened for access on the WN. ie:
  • 15001 - 15004 (TCP/UDP) for Torque

Security recommendations

• Disable all unneeded services and daemons.
• Use private IP addresses.
• Verify that all grid accounts are "cron" and "at" denied.
• Verify that fetch-crl and cleanup-grid-accounts cron scripts are in place and working.
• Consider to use some script to periodically check for processes escaping the batch system control (see Processes On Batch Nodes)

Security incompatibilities

List of externals packages that are not maintained by the supported OS.

Other security relevant comments

-- DoinaCristinaAiftimiei - 25-Apr-2011