On Wed, Feb 20, 2013 at 10:17 PM, Mario Penners <mario.penn...@gmail.com> wrote:
> Hello,
>
> during a security audit, our customer was wondering about the files in
> directory /var/lib/heartbeat/crm, for example:
>
> -rw-rw-rw- 1 hacluster root   32 Feb 13 18:59 cib-40.raw.sig
> -rw------- 1 hacluster root 6716 Feb 13 18:59 cib-41.raw
> -rw-rw-rw- 1 hacluster root   32 Feb 13 18:59 cib-41.raw.sig
> -rw------- 1 hacluster root 6716 Feb 13 18:59 cib-42.raw
>
>
> The files contain an XML section of the configs as applied by "crm
> configure" (.raw) commands and some hash/checksum (.raw.sig). We are
> running pacemaker with user permissions like this:
> root      5610     1  0 Feb13 ? 00:11:40 corosync
> 498       5616  5610  0 Feb13 ? 00:01:54 /usr/libexec/pacemaker/cib
> root      5617  5610  0 Feb13 ? 00:01:02 /usr/libexec/pacemaker/stonithd
> root      5618  5610  0 Feb13 ? 00:01:33 /usr/lib64/heartbeat/lrmd
> 498       5619  5610  0 Feb13 ? 00:00:44 /usr/libexec/pacemaker/attrd
> 498       5620  5610  0 Feb13 ? 00:00:25 /usr/libexec/pacemaker/pengine
> 498       5621  5610  0 Feb13 ? 00:01:07 /usr/libexec/pacemaker/crmd
> (mind:
> hacluster:x:498:499:heartbeatuser:/var/lib/heartbeat/cores/hacluster:/sbin/nologin
> )
>
>
> Our customer is asking if we can remove the world-writable bit for the
> files in /var/lib/heartbeat/crm,

Yes. They shouldn't be set in the first place. I'll investigate.

> and if/how they are used (i.e. what is
> the long-term result if we simply remove them)

Not much. Normally they will never be needed. They're archive copies
of previous configurations.
Pacemaker will only read them if the primary copy is
lost/corrupted, but admins could also reload them manually to undo a
change.

>
> Can anyone easily answer this?
>
> Thanks & Cheers!
> Mario
>
> pacemaker-cli-1.1.7-6.el6.x86_64
> pacemaker-1.1.7-6.el6.x86_64
> pacemaker-libs-1.1.7-6.el6.x86_64
> pacemaker-cluster-libs-1.1.7-6.el6.x86_64
> corosynclib-1.4.1-7.el6.x86_64
> corosync-1.4.1-7.el6.x86_64
>
>
>
> _______________________________________________
> Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
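A small audit helper for the situation in this thread, added here as an example (not code from the thread or from the Pacemaker project): it lists world-writable files in a CIB archive directory such as /var/lib/heartbeat/crm, strips the o+w bit as the reply recommends, and reports any .raw.sig with no companion .raw (cib-40.raw.sig in the listing above has none, though the listing may simply be cut off). The directory path and the sample files it builds for a dry run are assumptions/constructed data.

```shell
#!/bin/sh
# Added example: audit a Pacemaker CIB archive directory for world-writable
# files and fix them. POSIX sh; -perm -002 is the portable "other write" test.

# Exit 0 if the regular file $1 is world-writable.
is_world_writable() {
    [ -n "$(find "$1" -prune -type f -perm -002 2>/dev/null)" ]
}

# Print each world-writable regular file directly under directory $1.
list_world_writable() {
    for f in "$1"/*; do
        [ -f "$f" ] && is_world_writable "$f" && echo "$f"
    done
    return 0
}

# Strip o+w from every world-writable file under $1; prints how many changed.
fix_world_writable() {
    count=0
    for f in "$1"/*; do
        [ -f "$f" ] && is_world_writable "$f" || continue
        chmod o-w "$f" && count=$((count + 1))
    done
    echo "$count"
}

# Print each .raw.sig under $1 whose companion .raw archive is missing.
list_orphan_sigs() {
    for s in "$1"/*.raw.sig; do
        [ -f "$s" ] || continue
        [ -f "${s%.sig}" ] || echo "$s"
    done
    return 0
}

# Build a scratch directory mimicking the thread's listing (constructed data):
# .raw files mode 0600, .raw.sig files mode 0666, cib-40.raw absent.
make_demo_dir() {
    d=$(mktemp -d)
    for n in 40 41 42; do
        : > "$d/cib-$n.raw";     chmod 600 "$d/cib-$n.raw"
        : > "$d/cib-$n.raw.sig"; chmod 666 "$d/cib-$n.raw.sig"
    done
    rm -f "$d/cib-40.raw"
    echo "$d"
}

# Usage: sh audit_crm.sh --audit [dir]   or   sh audit_crm.sh --fix [dir]
case "${1:-}" in
    --audit) list_world_writable "${2:-/var/lib/heartbeat/crm}"
             list_orphan_sigs "${2:-/var/lib/heartbeat/crm}" ;;
    --fix)   fix_world_writable "${2:-/var/lib/heartbeat/crm}" ;;
esac
```

Run `--audit` first on a real node; `--fix` only touches the other-write bit, so owner and group permissions (hacluster:root) stay as they are.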
