OSG Security Drill

Description

  • Find the suspicious processes, based on the user's DN, and kill them.
condor_q -l  userid
Also locate the user's processes:
ps -u userid -U userid uwww
Do this on the CE as well as on the WNs. Find open files and ports:
lsof -u userid -P
netstat -ap
After that, remove the user's jobs:
condor_rm userid
and kill the processes with killall <process name> or kill -9 <pid>.

Remember to check cron and at as the infected user.

crontab -l
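The first step above (locate the user's processes, open files and ports, cron and at jobs, then remove jobs and kill processes) as one added helper script. This is example code written for this page, not part of the drill or of OSG/Condor; it assumes it is run as root on the CE or WN, that ps prints its "u" layout (USER PID ... COMMAND), and that lsof, netstat, condor_q, condor_rm and atq are installed. It snapshots evidence first and only then kills, and it copes with ps truncating long user names to "longuser+".

```shell
#!/bin/sh
# Added example (not from the drill page): per-user triage helper for a CE or WN.
# Assumptions: root privileges, ps(1) "u" output layout, lsof/netstat/condor_*/atq present.
# Evidence is written out before anything is killed.

# Print the PIDs owned by user $1 from ps "u"-style output read on stdin.
# ps truncates long names in the USER column ("longuser+"), so a truncated
# prefix ending in "+" is accepted as a match too.
pids_for_user() {
    awk -v u="$1" 'NR > 1 {
        n = $1
        if (n == u || (sub(/\+$/, "", n) && index(u, n) == 1)) print $2
    }'
}

# Snapshot processes, open files/ports, Condor jobs, cron and at jobs for user $1 into $2.
collect_evidence() {
    user=$1
    outdir=$2
    mkdir -p "$outdir"
    ps -u "$user" -U "$user" uwww     > "$outdir/ps.txt" 2>&1
    lsof -u "$user" -P -n              > "$outdir/lsof.txt" 2>&1
    netstat -anp                       > "$outdir/netstat.txt" 2>&1
    condor_q -l "$user"                > "$outdir/condor_q.txt" 2>&1
    # cron and at are checked as the user, as the drill says
    crontab -u "$user" -l              > "$outdir/crontab.txt" 2>&1
    su -s /bin/sh "$user" -c 'atq'     > "$outdir/atq.txt" 2>&1
    echo "evidence for $user saved in $outdir"
}

# Remove the user's Condor jobs and terminate their processes: TERM first,
# then KILL for anything still alive after a short grace period.
# Prints the PIDs that were signalled.
kill_user_processes() {
    user=$1
    condor_rm "$user" 2>/dev/null
    pids=$(ps -u "$user" -U "$user" uwww | pids_for_user "$user")
    [ -n "$pids" ] || return 0
    # $pids is intentionally unquoted: one argument per PID
    kill -TERM $pids 2>/dev/null
    sleep 5
    for p in $pids; do
        kill -0 "$p" 2>/dev/null && kill -KILL "$p" 2>/dev/null
    done
    echo "$pids"
}

# Usage:  sh triage_user.sh <userid> <evidence_dir>
# Run separately on the CE and on each WN. Nothing runs when called with no arguments.
if [ "$#" -eq 2 ]; then
    collect_evidence "$1" "$2"
    kill_user_processes "$1"
fi
```

Keep the evidence directory off the compromised user's home (the script does not enforce this), since the drill later asks for the submitted binaries and open files, which are easier to reconcile against a snapshot taken before the processes were killed.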

  • Ban the test user from submitting additional jobs.

As we are using GUMS 1.2 (with GUMS 1.3 you can ban individual DNs), we can't ban a user based on their DN. What we can do is prevent them from submitting jobs to our pool. In our Condor master we added:

vim /scratch/condor/condor_config.local
DENY_WRITE = userid@grid/*
Remember to run condor_reconfig -all afterwards. We also reconfigured our SE, removing the user's write permission on each GridFTP server by commenting out the line:
vim /etc/grid-security/storage-authzdb
#authorize userid read-write 0  171 171 / /pnfs/sprace.org.br/data/ /pnfs/sprace.org.br/data/

  • Discover the incoming IP address of the malicious process.
Locate its IP address using our gatekeeper log:
 tail -f /OSG/globus/var/globus-gatekeeper.log
searching for its DN.
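Searching the gatekeeper log by DN and pulling out the source IP, as an added example (it is not part of the drill page or of Globus). It assumes the record layout of globus-gatekeeper.log shown in the comments, in which the gatekeeper child that handles one connection logs its own PID on the "Got connection" line, the "Authenticated globus user" line and the "Authorized as local user" line, so the PID ties the IP to the DN. Check those field positions against your own log before trusting the numbers; the sample log in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the drill page): correlate a DN with the source IP(s)
# of the connections it authenticated on, using globus-gatekeeper.log.
# Assumed record layout (one gatekeeper child per connection, logging its PID):
#   PID: <n> -- Notice: 6: Got connection <ip> at <date>
#   PID: <n> -- Notice: 5: Authenticated globus user: <DN>
#   PID: <n> -- Notice: 5: Authorized as local user: <userid>
# Verify the layout in your own log before relying on the field numbers below.

# Print "ip pid localuser" for each session of DN $1, reading the log on stdin.
# A session that authenticated but never reached local authorization is still
# reported, with "-" as the local user.
sessions_for_dn() {
    awk -v dn="$1" '
        $1 == "PID:" && /Got connection/ { ip[$2] = $8 }
        $1 == "PID:" && /Authenticated globus user:/ {
            d = $0
            sub(/.*Authenticated globus user: */, "", d)
            sub(/[ \t]+$/, "", d)
            if (d == dn) hit[$2] = 1
        }
        $1 == "PID:" && /Authorized as local user:/ {
            if ($2 in hit) { print ip[$2], $2, $NF; delete hit[$2] }
        }
        END { for (p in hit) print ip[p], p, "-" }
    '
}

# Print the distinct source IPs for DN $1 (log on stdin), one per line.
ips_for_dn() {
    sessions_for_dn "$1" | awk '!seen[$1]++ { print $1 }'
}

# Usage (nothing runs when called without arguments):
#   sh dn_to_ip.sh "/DC=org/DC=doegrids/OU=People/CN=Some User 123456" \
#       < /OSG/globus/var/globus-gatekeeper.log
if [ "$#" -eq 1 ]; then
    ips_for_dn "$1"
fi
```

The third column of sessions_for_dn is the local account the DN was mapped to, which is the userid the other steps of the drill need; the "-" rows are sessions that authenticated but were not authorized, worth a look because they show the same DN probing from other addresses.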
  • Do an analysis of the network traffic
After you have found the attacker's IP, monitor its traffic using iptraf.
  • Do an analysis of submitted binaries
You can find the submitted binaries with:
condor_q -l userid|grep Cmd
Also look for hidden files in /tmp and /home/OSG_app. Do this step on the CE and the WNs.
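The binary-analysis step as an added helper (example code for this page, not part of the drill or of Condor): it extracts the executables from condor_q -l output, fingerprints the ones still on disk so they can be compared across the CE and WNs and kept as evidence, and lists hidden files under the directories the drill names. It assumes condor_q -l prints one ClassAd attribute per line in the form Cmd = "/path/to/executable", and that sha256sum is available; the sample condor_q output and files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the drill page): pull the submitted executables out of
# "condor_q -l <userid>" output, fingerprint them, and list hidden files in the
# scratch areas the drill names (/tmp and /home/OSG_app).
# Assumes the attribute layout   Cmd = "/path/to/executable"   and sha256sum.

# Print the distinct Cmd paths from condor_q -l output read on stdin.
# Splitting on the double quote gives "Cmd = " in $1 and the path in $2.
cmd_paths() {
    awk -F'"' '$1 ~ /^Cmd[ \t]*=[ \t]*$/ && !seen[$2]++ { print $2 }'
}

# For each path on stdin print "sha256 size uid path", or "MISSING path" when the
# file is already gone (a common finding when the job cleaned up after itself).
fingerprint_files() {
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            sum=$(sha256sum "$f" | awk '{ print $1 }')
            set -- $(ls -ln "$f")    # -n: numeric uid, no name lookups; $3 = uid, $5 = size
            printf '%s %s %s %s\n' "$sum" "$5" "$3" "$f"
        else
            printf 'MISSING %s\n' "$f"
        fi
    done
}

# Hidden files (dot-files) under each directory given as an argument, with
# owner and mtime so they can be lined up against the gatekeeper log timestamps.
hidden_files() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            find "$d" -xdev -type f -name '.*' -exec ls -lat {} + 2>/dev/null
        fi
    done
}

# Usage (nothing runs when called without arguments), on the CE and on each WN:
#   condor_q -l userid | sh job_binaries.sh userid
if [ "$#" -eq 1 ]; then
    cmd_paths | fingerprint_files
    hidden_files /tmp /home/OSG_app "/home/$1"
fi
```

Copy the files that still exist somewhere outside the user's reach before they are analysed; a missing entry for a path that condor_q still lists is itself a finding, because the job's executable was removed after submission.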

Updates

John Doe on dd/mm/yyyy

Write down what you did.

Richard Roe on dd/mm/yyyy

More comments

-- MarcoAndreFerreiraDias - 28 Sep 2009

Topic revision: r1 - 2009-09-28 - MarcoAndreFerreiraDias