---+ OSG Security Drill

---++ Description

   * Find the suspicious processes, based on the DN they were submitted under, and kill them.

List the user's jobs in the queue:
<pre>
condor_q -l userid
</pre>
and locate the user's processes (=u= selects the user-oriented output format, =www= removes the line-width limit so full command lines are shown):
<pre>
ps -u userid -U userid uwww
</pre>
Do this on our CE as well as on our WNs. Find open files and ports (=-P= prints port numbers instead of service names; =netstat -p= only shows the owning PID when run as root):
<pre>
lsof -u userid -P
netstat -ap
</pre>
Save this output, and a copy of each running executable from =/proc/PID/exe=, before killing anything: a =kill -9= leaves nothing behind to analyse. Then remove the jobs from the queue (do this before killing the processes, otherwise Condor can simply restart a job whose process died):
<pre>
condor_rm userid
</pre>
and kill the processes with =killall process= (by name) or =kill -9 PID= (by PID). Remember to check =cron= and =at= for the compromised user:
<pre>
crontab -l -u userid
atq
</pre>

   * Ban the test user from submitting additional jobs.

As we are using GUMS 1.2 (with GUMS 1.3 you can ban individual DNs) we cannot ban a user by DN. What we can do is stop the local account the DN maps to from submitting jobs to our pool. On our Condor master we added:
<pre>
vim /scratch/condor/condor_config.local
DENY_WRITE = userid@grid/*
</pre>
Remember to run =condor_reconfig -all= afterwards. This rule matches the authenticated user name, so it only holds where the daemons actually authenticate submitters rather than accepting whatever name the client claims. We also reconfigured our SE, removing the user's permission to write on each gridFTP server by commenting out the mapping:
<pre>
vim /etc/grid-security/storage-authzdb
#authorize userid read-write 0 171 171 / /pnfs/sprace.org.br/data/ /pnfs/sprace.org.br/data/
</pre>
Note that commenting the line out removes read access too; changing =read-write= to =read-only= blocks writes while keeping the user's reads working.

   * Discover the incoming IP address of the malicious process.

Locate it in our gatekeeper log:
<pre>
tail -f /OSG/globus/var/globus-gatekeeper.log
</pre>
searching by DN (=tail -f= only shows connections as they arrive; =grep= the log for the DN to find earlier ones). The connection entry logged by the same gatekeeper PID, just before the DN is authenticated, carries the source address.

   * Do an analysis of the network traffic.

After you have found the aggressor's IP, monitor its traffic with =iptraf= (or capture it with =tcpdump= if you want a copy to analyse later).

   * Do an analysis of the submitted binaries.

You can find the submitted binaries with
<pre>
condor_q -l userid | grep Cmd
</pre>
The =Iwd=, =Arguments= and =TransferInput= attributes in the same output tell you the job's working directory, its arguments and the files it brought with it. Also look for hidden files (names starting with a dot) and files still held open by the killed processes under =/tmp= and =/home/OSG_app=. Do this step on the CE and on the WNs.

---++ Updates

---+++ Someone on dd/mm/yyyy
Write down what you did.

---+++ Someone else on dd/mm/yyyy
More comments

-- Main.MarcoAndreFerreiraDias - 28 Sep 2009
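The two log-reading steps of the drill above (finding the aggressor's IP from the gatekeeper log, and listing the submitted binaries from =condor_q -l=) are easier to repeat, and to run on a copied log rather than the live CE, as small shell functions. The block below is an added example and is not part of the original drill page or of the OSG tooling. Both inputs are constructed samples: the gatekeeper excerpt approximates the real log layout (a "Got connection" line and an "Authenticated globus user" line sharing one gatekeeper PID), and every DN, IP, PID, user name and path in them is made up for the example.

```sh
#!/bin/sh
# Added example (not from the original page): triage helpers that run over
# saved gatekeeper and condor_q output instead of the live system.
#   dn_to_ips DN      - print each source IP that authenticated as DN, by
#                       joining "Got connection" / "Authenticated globus
#                       user" lines on the gatekeeper PID
#   job_binaries      - print ClusterId.ProcId, Cmd, Iwd, Arguments and
#                       TransferInput for every job in "condor_q -l" output
#   flag_hidden       - keep only jobs whose command or working directory is
#                       a hidden path (a "/." component) or lives under /tmp
# The samples below are constructed; the log format is assumed, and all
# DNs, IPs, PIDs, users and paths are invented.

SAMPLE_GK_LOG=' PID: 4711 -- Notice: 6: Got connection 192.0.2.10 at Mon Sep 28 10:00:00 2009
 PID: 4711 -- Notice: 5: Authenticated globus user: /DC=org/DC=doegrids/OU=People/CN=Drill User 999
 PID: 4711 -- Notice: 5: Authorized as local user: userid
 PID: 4712 -- Notice: 6: Got connection 198.51.100.7 at Mon Sep 28 10:01:00 2009
 PID: 4712 -- Notice: 5: Authenticated globus user: /DC=org/DC=doegrids/OU=People/CN=Good User 111
 PID: 4712 -- Notice: 5: Authorized as local user: cmsprod
 PID: 4713 -- Notice: 6: Got connection 203.0.113.25 at Mon Sep 28 10:02:00 2009
 PID: 4713 -- Notice: 5: Authenticated globus user: /DC=org/DC=doegrids/OU=People/CN=Drill User 999
 PID: 4713 -- Notice: 5: Authorized as local user: userid'

SAMPLE_CONDOR_Q='ClusterId = 1234
ProcId = 0
Owner = "userid"
Cmd = "/home/userid/.x/run.sh"
Iwd = "/home/userid/.x"
Arguments = "-p 6667"
TransferInput = "bot.tar.gz"

ClusterId = 1235
ProcId = 0
Owner = "userid"
Cmd = "/home/userid/analysis/run.sh"
Iwd = "/home/userid/analysis"
Arguments = "--dataset 2009"'

# Reads a gatekeeper log on stdin; prints the distinct source IPs for "$1".
dn_to_ips() {
    awk -v dn="$1" '
        /Got connection/ {
            for (i = 1; i <= NF; i++) if ($i == "PID:") pid = $(i + 1)
            for (i = 1; i <= NF; i++) if ($i == "connection") ip[pid] = $(i + 1)
        }
        /Authenticated globus user:/ {
            for (i = 1; i <= NF; i++) if ($i == "PID:") pid = $(i + 1)
            sub(/.*Authenticated globus user: */, "")
            if ($0 == dn && (pid in ip)) print ip[pid]
        }' | sort -u
}

# Reads "condor_q -l" output on stdin (one blank-line-separated ClassAd per
# job, attributes in any order); prints one tab-separated line per job.
job_binaries() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        split("", ad)
        for (i = 1; i <= NF; i++) {
            n = index($i, " = ")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 3)
            gsub(/^"|"$/, "", v)
            ad[k] = v
        }
        if ("Cmd" in ad)
            printf "%s.%s\t%s\t%s\t%s\t%s\n", ad["ClusterId"], ad["ProcId"],
                   ad["Cmd"], ad["Iwd"], ad["Arguments"], ad["TransferInput"]
    }'
}

# Filters job_binaries output down to the jobs worth looking at first.
flag_hidden() {
    awk -F '\t' '$2 ~ /\/\./ || $3 ~ /\/\./ || $2 ~ /^\/tmp\// || $3 ~ /^\/tmp\//'
}

# Stand-alone demo on the constructed samples (on a real CE, replace the
# printf with "cat /OSG/globus/var/globus-gatekeeper.log" and
# "condor_q -l userid").
printf '%s\n' "$SAMPLE_GK_LOG" | dn_to_ips '/DC=org/DC=doegrids/OU=People/CN=Drill User 999'
printf '%s\n' "$SAMPLE_CONDOR_Q" | job_binaries | flag_hidden
```

Joining on the gatekeeper PID rather than on adjacency matters on a busy CE, where several connections are being logged at once and the "Got connection" line for one PID can be separated from its DN line by other PIDs' entries. The ClassAd parser accepts attributes in any order because =condor_q -l= does not print them in a fixed one.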
Topic revision: r1 - 2009-09-28 - MarcoAndreFerreiraDias
Copyright © 2008-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.