7.11. Linux HA heartbeat

/sbin/lidsconf -A -o /usr/lib/heartbeat/heartbeat                -j READONLY
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_BIND_SERVICE -i -1                  -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_SYS_RAWIO -i -1                         -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_BROADCAST -i -1                     -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_ADMIN -i -1                         -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_RAW -i -1                           -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_SYS_ADMIN -i -1                         -j GRANT

# For sending Gratuitous Arps

/sbin/lidsconf -A -o /usr/lib/heartbeat/send_arp                 -j READONLY
/sbin/lidsconf -A -s /usr/lib/heartbeat/send_arp \
                  -o CAP_NET_RAW -i -1                           -j GRANT

# For modifying the routing table when the IP address changes

/sbin/lidsconf -A -o /sbin/route                                 -j READONLY
/sbin/lidsconf -A -s /sbin/route -o CAP_NET_ADMIN -i 0           -j GRANT

#
# Protect the heartbeat configuration and authentication key.
#
/sbin/lidsconf -A -o /etc/ha.d/ha.cf                             -j READONLY
/sbin/lidsconf -A -o /etc/ha.d/haresources                       -j READONLY
/sbin/lidsconf -A -o /etc/ha.d/authkeys                          -j DENY

#
# Only heartbeat can see the authkey
#
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o /etc/ha.d/authkeys                          -j READONLY