We were asked about the NetOps installation account (Spectrum/PM at minimum). The following are the questions which would appreciate some responses to provide the security team.

What requirements do Spectrum and Performance Manager place on the Linux account used to run these applications?

• Are there naming requirements (value, length, etc.)?
• Are there nature requirements (local, LDAP, ...)?
• Are there any GECOS or configuration requirements (UID, GID, home directory, shell)?
• Are there any requirements on primary group (GID, group name)?
• Are there any requirements around secondary groups, or group membership?
• Are there any requirements around passwords, or around SSH keys?
• Are there storage requirements (local disk, NFS volume)?

All supported Network Observability DX NetOps Performance Management and Spectrum Fault Management releases

Internal security requirements need to be met to prevent tool shut down.

If there are additional questions not answered here, please open a support case referencing this article for additional information.

• Are there naming requirements (value, length, etc.)?
• Spectrum user(s):
• There will be a default spectrum install owner and along with the mysql user where MySql is installed.
• Spectrum has password complexity enabled out of the box.
• PM Portal: Mysql and install owner. No user limitations for naming.
• PM DA/DC: Install owner. No user limitations for naming.
• PM DR: Install owner and dradmin.
• No user limitations for naming.
• The dradmin name can be used, or it can be set with a custom name.
• Are there nature requirements (local, LDAP, ...)? Can it be an LDAP account (e.g. in OpenLDAP or freeipa or similar)? Can it be a local account (e.g. specified in /etc/passwd)? freeipa (Red Hat IdM) to be more specific.
• Users can be local but we still require it having an entry in passwd to appear local.
• Are there any GECOS or configuration requirements (UID, GID, home directory, shell)?
• The Spectrum install owner requires it be set with rawsockets and the ability to bind to ports under 1024 as non-root users. This is done using the Linux setcap command. This is done within the installer, not by an administrator.
• The bash shell is required for users in PM installs.
• DR dradmin user:
• Requires verticadba group as it's primary group/GID.
• The dradmin users home can be anywhere but must be set in drinstall.properties.
• Are there any requirements on the primary group (GID, group name)?
• DR dradmin requires verticadba group as it's primary group/GID.
• Are there any requirements around secondary groups, or group membership?
• DR dradmin requires verticadba group as it's primary group/GID.
• Are there any requirements around passwords, or around SSH keys?
• DR dradmin user:
• Requires passwordless-ssh keys shared round-robin among its cluster members.
• The dradmin passwordless-ssh is auto-setup during dr_install.sh run
• DR install, if performed with certain configurations, requires passwordless-ssh keys shared round-robin among it's cluster members.
• The install user keys are required during install and upgrade runs.
• The install user keys can be removed after the install or upgrade is completed successfully.
• Are there storage requirements (local disk, NFS volume)?
• Performance related requirements exist for Vertica.
• No requirements for local vs NFS requirements.
• Vertica recommends EXT4 or XFS
• Vertica highly recommends NOT using LVMs.
• LVM support exists for Vertica disks.
• There is an up to 40% performance hit using LVM instead of the recommended EXT types.
• Fault Tolerant DA requires shared storage location available to both DA’s for read and write access.