Ticket 9833

Summary: slurm account security questions
Product: Slurm
Reporter: ruth.a.braun
Component: Configuration
Assignee: Tim McMullan <mcmullan>
Status: RESOLVED INFOGIVEN
Severity: 4 - Minor Issue
Priority: ---
Version: 19.05.5
Hardware: Linux
OS: Linux
Site: EM

Description ruth.a.braun 2020-09-16 08:15:12 MDT
Looking at security and controls, 
How should the username "slurm" service account be defined /secured 
we use RHEL7
should it have a /sbin/nologin default shell
should it be locked/how?

is the slurm account created by a script in one of the slurm packages?

I'd like a clear definition for how this account should be set up/maintained for documentation.
Comment 1 Tim McMullan 2020-09-16 10:11:37 MDT
Hi!

(In reply to ruth.a.braun from comment #0)
> Looking at security and controls, 
> How should the username "slurm" service account be defined /secured 
> we use RHEL7
> should it have a /sbin/nologin default shell
> should it be locked/how?

I would suggest that you create the slurm account with /sbin/nologin for the default shell, no password set, and it does not require a home directory.  There is generally no reason to log in as the slurm user since administrative tasks within Slurm can be given to specific users, and interacting with the log files could be done either as root or with sudo -u slurm.

> is the slurm account created by a script in one of the slurm packages?

The Slurm account is not created by default by any of the packages built from our spec file.

Let me know if this helps, or if there is any further clarification I can provide!

Thanks!
--Tim
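
An added example, not part of the ticket or of Slurm's packaging: a POSIX shell check that an account matches the properties suggested in comment 1 (nologin shell, no password, home directory optional). The function names, the constructed sample entries, and the reading of "no password set" as a shadow field with no usable hash are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a service account's passwd and
# shadow entries. Assumption: "no password set" means the shadow field holds
# no usable hash ("!!", "!" or "*"); an empty field allows passwordless login.
# One way to create such an account as root on RHEL:
#   useradd -r -M -s /sbin/nologin slurm

# audit_service_account USER [PASSWD_FILE] [SHADOW_FILE]
# Prints one finding per line; returns 0 when compliant, 1 otherwise.
audit_service_account() {
    user=$1; passwd_file=${2:-/etc/passwd}; shadow_file=${3:-/etc/shadow}
    rc=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "FAIL: $user not found in $passwd_file"; return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $shell in
        /sbin/nologin|/usr/sbin/nologin) echo "OK: shell is $shell" ;;
        *) echo "FAIL: shell is '$shell', expected /sbin/nologin"; rc=1 ;;
    esac
    # Prefix the field with "hash=" so an empty field differs from no entry.
    if field=$(awk -F: -v u="$user" '$1 == u { print "hash=" $2; f = 1; exit }
                                     END { exit !f }' "$shadow_file"); then
        case $field in
            'hash=') echo "FAIL: empty password field"; rc=1 ;;
            'hash=!'*|'hash=*'*) echo "OK: no usable password hash" ;;
            *) echo "FAIL: a password hash is set"; rc=1 ;;
        esac
    else
        echo "FAIL: cannot read an entry for $user in $shadow_file"; rc=1
    fi
    # A home directory is not required; report one so it can be reviewed.
    if [ -d "$home" ]; then echo "INFO: home directory $home exists"; fi
    return $rc
}

# Constructed sample entries for trying the function without touching /etc.
write_sample_files() {
    printf '%s\n' 'slurm:x:992:990::/nonexistent:/sbin/nologin' \
        'svc_shell:x:993:991::/nonexistent:/bin/bash' \
        'svc_empty:x:994:992::/nonexistent:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'slurm:!!:18521::::::' 'svc_shell:!!:18521::::::' \
        'svc_empty::18521::::::' > "$1/shadow"
}
```

Against the live system, run `audit_service_account slurm` as root, since /etc/shadow is not readable by ordinary users.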
Comment 2 Tim McMullan 2020-09-23 06:47:03 MDT
Hi!

Just wanted to check in and make sure this answered your question!

Thanks!
--Tim
Comment 3 Tim McMullan 2020-09-25 10:11:37 MDT
Hi,

I'm going to resolve these for now, but please feel free to re-open if you need any more help related to this!

Thanks!
--Tim