• DocumentCode
    3516036
  • Title

    Mandatory Access Control for shared HPC clusters: Setup and performance evaluation

  • Author

    Blanc, Mathieu ; Lalande, Jean-François

  • Author_Institution
    CEA/DAM/DIF, Arpajon, France
  • fYear
    2010
  • fDate
    June 28 2010-July 2 2010
  • Firstpage
    291
  • Lastpage
    298
  • Abstract
    Protecting an HPC cluster against real world cyber threats is a critical task, with the increasing trend to open and share computing resources. As partners can upload data that is confidential regarding other partners, a company managing a shared cluster has to enforce strong security measures. It has to prevent both accidental data leakage and voluntary data stealing. When using an operating system based on Linux, the offered protections are difficult to set up in large scale environments. This article presents how to use the Mandatory Access Control feature of SELinux in order to guarantee strong security properties for HPC clusters. The proposed solution is based on the use of the Multi-Category System, the confinement of user profiles and the use of a dual SSH server. The issues encountered during the implementation and the most difficult technical points are presented. Finally, this paper shows experimental results about the performance of our solution and the impact on a large scale cluster.
  • Keywords
    Access control; Containers; Context; Linux; Operating systems; Servers; Access Control; HPC Clusters
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    High Performance Computing and Simulation (HPCS), 2010 International Conference on
  • Conference_Location
    Caen, France
  • Print_ISBN
    978-1-4244-6827-0
  • Type

    conf

  • DOI
    10.1109/HPCS.2010.5547118
  • Filename
    5547118