OSG Security Drill
Description
- Find the suspicious process, based on its DN, and kill it.
List the user's queued jobs:
condor_q -l userid
Also locate the user's processes:
ps -u userid -U userid uwww
Do this on the CE as well as on the WNs. Find open files and ports:
lsof -u userid -P
netstat -ap
After that, remove the jobs:
condor_rm userid
and kill the process with
killall process
or
kill -9 process
Remember to check
cron
and
at
as the compromised user:
crontab -l
- Ban the test user from submitting additional jobs.
As we are using GUMS 1.2 (GUMS 1.3 lets you ban individual DNs), we cannot ban a user based on the DN. What we can do is prevent him/her from submitting jobs to our pool. On our Condor master we added:
vim /scratch/condor/condor_config.local
DENY_WRITE = userid@grid/*
Remember to run
condor_reconfig -all
We also reconfigured our SE, removing the user's permission to write on each gridFTP server by commenting out the line:
vim /etc/grid-security/storage-authzdb
#authorize userid read-write 0 171 171 / /pnfs/sprace.org.br/data/ /pnfs/sprace.org.br/data/
- Discover the incoming IP address of the malicious process.
Locate its IP address using our gatekeeper log:
tail -f /OSG/globus/var/globus-gatekeeper.log
searching for its DN.
- Do an analysis of the network traffic
Once you have found the aggressor's IP, monitor its traffic using
iptraf
- Do an analysis of the submitted binaries
You can find the submitted binaries with
condor_q -l userid | grep Cmd
Also look for hidden files in
/tmp
and
/home/OSG_app
Do this step on the CE and the WNs.
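Steps 1 and 3 both hinge on reading the gatekeeper log for a DN: which local account it was mapped to (the userid that condor_q, ps and lsof need) and which IP it came in from. The script below is an added example, not part of the original drill page or the site's own tooling; it assumes the classic globus-gatekeeper.log record layout (PID-tagged "Got connection", "Authenticated globus user" and "Authorized as local user" lines) and runs on constructed sample lines so it works offline.

```shell
# Added example (not code from the original drill page). Reads a
# globus-gatekeeper.log on stdin and, for one DN, recovers the source IPs
# that connected with it and the local account(s) it was mapped to. Assumes
# the classic gatekeeper layout shown in the sample: "Got connection <ip>",
# "Authenticated globus user: <DN>" and "Authorized as local user: <acct>"
# lines that share the same gatekeeper child PID.

# Constructed sample log (not from the page's site): fake DNs, documentation IPs.
SAMPLE_LOG=' PID: 4101 -- Notice: 6: Got connection 192.0.2.10 at Mon Sep 28 09:12:01 2009
 PID: 4101 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Suspect User 123
 PID: 4101 -- Notice: 5: Authorized as local user: userid
 PID: 4107 -- Notice: 6: Got connection 198.51.100.7 at Mon Sep 28 09:15:44 2009
 PID: 4107 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Normal User 456
 PID: 4107 -- Notice: 5: Authorized as local user: alice
 PID: 4112 -- Notice: 6: Got connection 203.0.113.5 at Mon Sep 28 09:20:13 2009
 PID: 4112 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Suspect User 123
 PID: 4112 -- Notice: 5: Authorized as local user: userid
 PID: 4115 -- Notice: 6: Got connection 192.0.2.10 at Mon Sep 28 09:21:00 2009
 PID: 4115 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Suspect User 123
 PID: 4115 -- Notice: 5: Authorized as local user: userid'
SUSPECT_DN='/DC=org/DC=example/OU=People/CN=Suspect User 123'

# gk_by_dn MODE DN  (log on stdin). MODE=ips prints "<count> <ip>" per source
# IP seen with DN; MODE=users prints each local account DN was mapped to.
# Records are joined on the PID field because IP, DN and account sit on separate lines.
gk_by_dn() {
    awk -v mode="$1" -v dn="$2" '
        /Got connection/ {
            for (i = 1; i <= NF; i++) if ($i == "connection") ip[$2] = $(i + 1)
        }
        /Authenticated globus user:/ {
            s = $0; sub(/.*Authenticated globus user: /, "", s)
            if (s == dn) hit[$2] = 1           # this child PID served our DN
        }
        /Authorized as local user:/ { if ($2 in hit) acct[$2] = $NF }
        END {
            for (p in hit) {
                if (mode == "ips"   && (p in ip))   n[ip[p]]++
                if (mode == "users" && (p in acct)) u[acct[p]] = 1
            }
            for (k in n) print n[k], k
            for (k in u) print k
        }'
}
dn_source_ips() { gk_by_dn ips "$1" | sort -rn; }   # most frequent IP first
dn_local_users() { gk_by_dn users "$1" | sort; }

# Stand-alone run on the sample; on a CE feed the real log instead, e.g. dn_source_ips "$DN" < /OSG/globus/var/globus-gatekeeper.log
printf '%s\n' "$SAMPLE_LOG" | dn_source_ips "$SUSPECT_DN"    # 2 192.0.2.10 / 1 203.0.113.5
printf '%s\n' "$SAMPLE_LOG" | dn_local_users "$SUSPECT_DN"   # userid
```

The IP list gives you the address to watch with iptraf; the account list gives you the userid for condor_q, ps and lsof.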
Updates
Fulano on dd/mm/yyyy
Write down what you did.
Ciclano on dd/mm/yyyy
More comments
--
MarcoAndreFerreiraDias - 28 Sep 2009