Security monitoring boxes Andrew McNab University of Manchester

Upload: kerry-paul

Post on 29-Jan-2016

214 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Security monitoring boxes Andrew McNab University of Manchester

Security monitoring boxes

Andrew McNab

University of Manchester


2 June 2005 Security monitoring boxes

Outline

● Background
● What we could do
● Constraints
● “The Idea”
● Syslog / RSS / Management
● Security Monitoring WG
● Next Steps


The Background

● Sites get compromised already.
● We can reduce this a lot by keeping sites up to date with OS patches etc.
● We can mitigate it further by watching for intrusions.
● All of our sites use almost identical versions/configurations
  ● We're very vulnerable to repeat of an attack at many sites
● The whole point of the Grid is to provide methods for cross-institutional access
  ● Stolen credentials give “legitimate” access to more sites.


What we could do

● What can GridPP do about this?
● Currently, we “encourage” site admins to keep up to date and to look for intrusions.
● To provide “centralised” Tier-2/Tier-1/??? assistance on top of this, we need to have a monitoring mechanism.
● Ideally, something we can base automated alarms on.
● Inter-site monitoring is also needed to detect “legitimate” cross-site attacks, using stolen credentials.
● Need to look for unusual usage patterns (cf credit cards)


This is a bit like...

● ...monitoring the data from an HEP experiment
● You have alarms/warnings generated by each subdetector DAQ system
● You have a central way of collecting, logging and basing alerts on these messages
● You also have higher level monitoring to spot data quality issues like miscalibration
  ● “Is the distribution still flat in phi?” etc
  ● Only get that once you've collected things centrally


Constraints

● Do something quickly – don't start writing lots of code
● Don't overburden the site admins – want it everywhere
● Keep it detached from site – avoid being compromised, and provide a hardened “safe” that protects copies of log files from attack
● Use standard protocols – don't create an oddball system that lives in its own world
● Interoperate with existing components on sites
  ● Kernel and OS daemons (sshd etc)
  ● Grid Middleware


So ... “The Idea”

● We provide site admins with an installation DVD that installs a “Security Monitoring Box”
● Do not use RHEL/SLC to keep kernel / sshd / etc versions different – Fedora Core probably different enough
● Box gathers local messages via the syslog protocol
● Command-line admin is done by local site, as root
● Monitoring managed via web interface (using GridSite)
● syslog messages are republished via RSS feeds
● Tier-2/Tier-1/?? watch SecMonBox feeds for trigger signals


Inputs to syslog

● syslog is the default logging system on Unix boxes
● syslog consists of a
  ● system call / command line tool for injecting messages
  ● syslogd running on each machine records and/or forwards messages based on filters and syslog.conf
● sshd etc use syslog by default
● Globus, Apache etc can use it too
● Linux kernel can be made to log things like network probes via syslog


RSS

● RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
● As such, it is also well matched to transporting syslog type alert messages
● We can offer multiple channels depending on syslog service (“sshd”) and severity (“critical”) to provide coarse filtering
● Since RSS is XML text, can search for patterns with XML or stream tools (like Perl or even grep)
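The syslog-to-RSS path sketched on the “The Idea”, syslog and RSS slides, as an added Python illustration (not code from the talk, GridSite or any SecMonBox release): a publisher that republishes syslog messages into an RSS channel coarsely filtered by service and severity, and a Tier-1/Tier-2-style watcher that parses the feed's XML and counts failed sshd logins per source address across hosts. The message lines, hostnames and addresses are constructed, and the regular expressions assume BSD-style syslog lines with a leading `<PRI>` field.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
# Constructed sample lines (<PRI>timestamp host service[pid]: message); hosts and addresses are made up.
SAMPLE_SYSLOG = [
    "<86>Jun  2 10:01:02 ce01 sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2",
    "<86>Jun  2 10:01:05 ce01 sshd[1203]: Failed password for root from 192.0.2.10 port 4030 ssh2",
    "<86>Jun  2 10:02:11 se01 sshd[877]: Failed password for root from 192.0.2.10 port 4101 ssh2",
    "<86>Jun  2 10:03:40 ce01 sshd[1210]: Accepted publickey for gridadmin from 198.51.100.7 port 51000 ssh2",
    "<2>Jun  2 10:04:00 wn07 kernel: Oops: 0000 [#1] SMP",
]

def parse_syslog(line):
    """Split one syslog line into fields; PRI % 8 is the severity (RFC 3164 convention)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, ts, host, service, msg = m.groups()
    return {"time": ts, "host": host, "service": service,
            "severity": SEVERITY[int(pri) % 8], "msg": msg}

def build_rss(lines, service=None, max_severity=7):
    """Publisher side: one RSS 2.0 channel, coarsely filtered by service and severity (0 = emerg ... 7 = debug)."""
    rss = ET.Element("rss", version="2.0")
    chan = ET.SubElement(rss, "channel")
    ET.SubElement(chan, "title").text = f"secmonbox {service or 'all'} up to {SEVERITY[max_severity]}"
    for rec in filter(None, map(parse_syslog, lines)):
        if service and rec["service"] != service:
            continue
        if SEVERITY.index(rec["severity"]) > max_severity:
            continue
        item = ET.SubElement(chan, "item")
        ET.SubElement(item, "title").text = f"{rec['host']} {rec['service']}: {rec['msg']}"
        ET.SubElement(item, "category").text = rec["service"]   # service channel tag
        ET.SubElement(item, "category").text = rec["severity"]  # severity channel tag
        ET.SubElement(item, "pubDate").text = rec["time"]
    return ET.tostring(rss, encoding="unicode")

def failed_logins_by_source(rss_xml, threshold=3):
    """Consumer side: parse the feed XML and count failed sshd logins per source across all hosts;
    sources at or over the threshold are the 'unusual usage pattern' trigger signal."""
    counts = Counter()
    for item in ET.fromstring(rss_xml).iter("item"):
        m = re.search(r"Failed password for .* from (\S+) port", item.findtext("title", ""))
        if m:
            counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Because the feed is plain XML, the same watcher could equally be a Perl one-liner or a `grep` over the fetched channel, as the slide notes.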


Management

● Need to keep boxes themselves patched – use yum
● Need to update our software on SecMonBox – yum again?
● Provide management interface via GridSite
  ● Site admin + remote access by Tier-2/Tier-1/??? staff
● But aim for minimal configuration: disk space management, log file expiration, triggering updates, access rights, ...
● Want to be able to rebuild a box rapidly – if site is attacked, may want to give the SecMonBox hard drive to the police
● All choices stored in one config file + idempotent scripts?


Security Monitoring WG

● Being organised by Romain Wartel at RAL
● Aims to define:
  ● what to monitor at sites / on the wider Grid
  ● recommend what tools to install to monitor that
  ● how to use the results
● “Security Monitoring Box” would provide one set of local and central tools to base monitoring on
● Romain is also using RSS to syndicate security announcements to websites


Next steps

● Produce a prototype Fedora 3 / SecMonBox DVD (image)
  ● Installs on “sensible” hardware
  ● Installs GridSite + RSS service + basic config
● Deploy at some volunteer sites
● Demonstrate central collection of logging messages
● Co-ordinate with Security Monitoring WG recommendations
  ● on what to log
  ● and on how to filter / pattern match for attacks