Verifying Node Hardening
After performing the procedures in this article to harden a cluster node, test the configuration and hardening.
The number of daemons and services running on each node is significantly lower after the hardening steps are completed. For the example configuration, our testing resulted in the following:
On the node where these recommendations were tested, the number of Solaris TCP services listed by netstat decreased from 31 to 7.
The number of UDP IPv4 services listed by netstat went from 57 to 6.
By reducing the number of services available, the exposure points of this system are significantly reduced and the security of the entire cluster is dramatically improved.
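One way to reproduce this before/after count, shown as an added example that is not part of the original article. It assumes `netstat -an` output was saved on the node in the Solaris layout ("TCP: IPv4" and "UDP: IPv4" sections) and counts TCP rows in the LISTEN state and UDP rows in the Idle state; the function names, file names and sample rows are constructed, and the article does not state which netstat options produced its figures.

```shell
#!/bin/sh
# Added example: compare Solaris `netstat -an` output saved before and after
# hardening. Function names, file names and sample rows are constructed.

# list_services PROTO FILE: unique IPv4 local endpoints accepting traffic.
# PROTO is TCP (rows in LISTEN state) or UDP (rows in Idle state).
list_services() {
    awk -v proto="$1" '
        /^[A-Z]+: IPv[46]/ { section = $1 " " $2; next }  # e.g. "TCP: IPv4"
        /^Active /         { section = ""; next }         # UNIX domain sockets
        /Local Address/ || /^-+/ || NF == 0 { next }      # headers, rules, blanks
        section == (proto ": IPv4") &&
            ((proto == "TCP" && $NF == "LISTEN") ||
             (proto == "UDP" && $NF == "Idle")) { print $1 }
    ' "$2" | sort -u
}

count_services() { list_services "$1" "$2" | wc -l | tr -d ' '; }

# report BEFORE AFTER: counts per protocol, then what is still open.
report() {
    for p in TCP UDP; do
        echo "$p IPv4: $(count_services "$p" "$1") -> $(count_services "$p" "$2")"
    done
    for p in TCP UDP; do list_services "$p" "$2" | sed "s/^/still open: $p /"; done
}

# Constructed captures, not taken from a real node.
sample_before() { cat <<'EOF'
UDP: IPv4
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.111                                 Idle
      *.514                                 Idle
      *.*                                   Unbound

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.111                *.*                0      0 24576      0 LISTEN
      *.23                 *.*                0      0 24576      0 LISTEN
      *.22                 *.*                0      0 24576      0 LISTEN
10.0.0.5.22          10.0.0.9.40112       32120      0 24616      0 ESTABLISHED
EOF
}
# After hardening (constructed): only syslog/UDP and ssh/TCP rows remain.
sample_after() { sample_before | grep -v -e '\*\.111 ' -e '\*\.23 '; }

d=$(mktemp -d); sample_before > "$d/before"; sample_after > "$d/after"
report "$d/before" "$d/after"
```

Each endpoint reported as still open should correspond to a service the node needs for its cluster role; anything unexpected is a candidate for a further hardening pass.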
We recommend that you disable failover before hardening any of the nodes. Re-enable failover only after each node has been hardened, rebooted, and tested. This practice prevents the cluster software from failing over to a node before it has been fully hardened and before the hardened configuration has been validated.
After you complete the hardening process for a node, reboot the node and verify its configuration by having it assume the appropriate Sun Cluster 3.0 software role.
This step must be done before you harden any other nodes in the cluster.
Do not harden other Sun Cluster nodes before verifying that the hardened configuration of each node functions properly in your environment.
When the hardened node takes control of the cluster, verify the node's functionality.
After verifying that the node is functioning properly, perform the entire software installation and the hardening process on the next node.
Refer to "Securing Sun Cluster 3.0 Nodes" on page 15 for the procedure.
Do not harden all nodes simultaneously.