OSG Security Drill

Description

• Find the suspicious process, based in its DN, and kill them.

condor_q -l  userid

also locate user processes:

ps -u userid -U userid uwww

doing it in our CE as in our WN. Find open files and ports:

lsof -u userid -P
netstat -ap

After that kill jobs:

condor_rm userid

and kill process with killall process or kill -9 process

Remember to check cron and at as the infected user.

crontab -l

• Ban the test user from submitting additional jobs.

As we are using Gums 1.2 (with gums 1.3 you can ban individual DNs) we can't ban a user based in its DN. What we can do is avoid her/him to submit jobs to our pool. In our condor master we added:

vim /scratch/condor/condor_config.local
DENY_WRITE = userid@grid/*

Remember to do a condor_reconfig -all We also reconfigured our SE, removing its permission to write in each gridFTP servers, commenting:

vim /etc/grid-security/storage-authzdb
#authorize userid read-write 0  171 171 / /pnfs/sprace.org.br/data/ /pnfs/sprace.org.br/data/

• Discover the incoming IP address of the malicious process.

Locate its IP address using our gatekeeper log:

 tail -f /OSG/globus/var/globus-gatekeeper.log

searching based in its DN.

• Do an analysis of the network traffic

After you found the aggressor IP monitor this traffic using iptraf

• Do an analysis of submitted binaries

You can find the submitted binaries at

condor_q -l userid|grep Cmd

Also find open hidden files at /tmp and /home/OSG_app . Do this step in CE and WN.

Updates

Fulano em dd/mm/aaaa

Coloca o que fez.

Ciclano em dd/mm/aaaa

Mais comentarios

-- MarcoAndreFerreiraDias - 28 Sep 2009